Palo Alto Networks Knowledgebase: How are URL Block Pages Sent to the Client in VWire Mode on the Palo Alto Networks Firewall?

How are URL Block Pages Sent to the Client in VWire Mode on the Palo Alto Networks Firewall?

2362
Created On 02/07/19 23:42 PM - Last Updated 02/07/19 23:43 PM
URL Filtering
Resolution

This document describes two scenarios for URL block page behavior in VWire mode.

Scenario 1 - Palo Alto Networks firewall does not have the URL Categorization

The diagram below shows the traffic when the firewall does not have the URL categorization. The GET request is forwarded to the server. By the time the firewall receives an ACK back from the server it has resolved the category and identified it as a block. A RST is sent to the server, while a URL BLOCK PAGE is sent to the client. The MAC address from the ACK packet is used for the block page, keeping the same IP.

Capture.PNG.png

Scenario 2 - Palo Alto Networks firewall has the URL Categorization

The diagram below shows the traffic when the firewall does have the URL categorization. The firewall does not forward the GET request to the server and instead drops it. The firewall sends a RST-ACK to the server and a URL BLOCK PAGE is sent to the client. The MAC address from the GET packet is used for the block page, keeping the same IP.

Capture.PNG.png

owner: mbutt



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm0zCAC&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language