Block pages can cause HTTPS (SSL) traffic to use wrong security rule

36510
Created On 09/27/18 07:01 AM - Last Modified 07/25/19 22:45 PM


Symptom


  • When users access a website such as "https://exchange.leapfile.com/", the rule "Deny-App" is hit as expected: the application is correctly identified and the session is blocked by that security rule.
===========================================================================
 traffic logs
===========================================================================
Receive_T  Dest_addr       Rule       App          S_Port D_Port Action  Category
8/25 9:56  54.227.253.124  Deny-App   leapfile     55895  443    deny     online-storage-and-backup
 
  • When a new security rule called "url block" is created to present block pages based on URL categories, the "url block" rule is hit instead of "Deny-App".
 
  • The traffic logs then show the same traffic hitting the rule "url block", with the category "online-storage-and-backup" and the application identified only as "web-browsing".
===========================================================================
 traffic logs 
===========================================================================
Receive_T  Dest_addr       Rule       App          S_Port D_Port Action  Category
8/25 9:55  54.227.253.124  url block  web-browsing 55888  443    allow    online-storage-and-backup


Environment


  • PAN-OS
  • URL Filtering
  • The setting that injects URL Filtering response pages into an HTTPS session is enabled: set deviceconfig setting ssl-decrypt url-proxy yes


Cause


The traffic log shows that the session to the URL https://exchange.leapfile.com carries the category "online-storage-and-backup", a category for which URL Filtering serves a block page.
===========================================================================
 traffic logs 
===========================================================================
Receive_T  Dest_addr       Rule       App          S_Port D_Port Action  Category
8/25 9:55  54.227.253.124  url block  web-browsing 55888  443    allow    online-storage-and-backup

In this scenario, the firewall sends the URL block page before the application "leapfile" can be identified. Because the session is still identified only as "web-browsing" at that point, the traffic no longer matches the original security rule "Deny-App".


Resolution


The behavior seen in the traffic logs is expected. The firewall serves the response (block) page, which stops the application data from passing through the firewall. That SSL application data is exactly what the firewall needs in order to identify the application "leapfile", so the session never progresses to the point where "Deny-App" could match. The "allow" logged against "url block" is therefore the block page being served, not the application being permitted.
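To verify this from the logs rather than by eye, the following added example (not part of the article or of PAN-OS) parses traffic log lines in the layout shown above and flags HTTPS sessions that hit the URL block rule while the application was still "web-browsing", then lists the app-based deny rule that identified the same destination in other sessions. The rule name "url block", the blocked category set and the sample log lines are constructed to mirror the article.

```python
"""Audit traffic log lines for URL block pages served before App-ID completed."""
import re
from collections import defaultdict

# Constructed sample log in the column layout used by the article (not real data).
SAMPLE_LOG = """\
Receive_T  Dest_addr       Rule       App          S_Port D_Port Action  Category
8/25 9:55  54.227.253.124  url block  web-browsing 55888  443    allow    online-storage-and-backup
8/25 9:56  54.227.253.124  Deny-App   leapfile     55895  443    deny     online-storage-and-backup
8/25 9:57  93.184.216.34   Allow-Web  web-browsing 55901  443    allow    computer-and-internet-info
"""

# Assumptions: the URL-category block rule name and the categories it blocks.
URL_BLOCK_RULE = "url block"
BLOCKED_CATEGORIES = {"online-storage-and-backup"}

# Rule names may contain single spaces, so the Rule column ends at 2+ spaces.
LINE_RE = re.compile(
    r"^(?P<ts>\d+/\d+ \d+:\d+)\s+(?P<dst>[\d.]+)\s+(?P<rule>.+?)\s{2,}"
    r"(?P<app>\S+)\s+(?P<sport>\d+)\s+(?P<dport>\d+)\s+(?P<action>\S+)\s+(?P<cat>\S+)$"
)


def parse_log(text):
    """Parse the fixed-column log text into a list of dicts, skipping the header."""
    rows = []
    for line in text.splitlines()[1:]:
        m = LINE_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def find_early_block_pages(rows):
    """HTTPS sessions where the block page was served while App-ID still read
    'web-browsing': rule is the URL block rule, action 'allow' (the response page),
    and the category is one the URL Filtering profile blocks."""
    return [r for r in rows
            if r["dport"] == "443" and r["app"] == "web-browsing"
            and r["rule"] == URL_BLOCK_RULE and r["action"] == "allow"
            and r["cat"] in BLOCKED_CATEGORIES]


def app_rules_shadowed(rows):
    """For each destination with an early block page, the app-based deny rules
    that identified the real application in other sessions to that destination."""
    early_dsts = {r["dst"] for r in find_early_block_pages(rows)}
    shadowed = defaultdict(set)
    for r in rows:
        if r["dst"] in early_dsts and r["app"] != "web-browsing" and r["action"] == "deny":
            shadowed[r["dst"]].add(r["rule"])
    return dict(shadowed)
```

Sessions reported by `find_early_block_pages` are the expected block-page case from this article; a destination that appears there with no entry in `app_rules_shadowed` has never been identified by App-ID at all and is worth checking separately.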



Additional Information


For more information on configuring response pages over an HTTPS connection, see the following article: How to Configure the Palo Alto Networks Device to Serve a URL Response Page Over an HTTPS Session without SSL Decryption
