Why is Application Block Page not displayed for the blocked session of "web-browsing" App-ID?
23574
Created On 07/13/21 04:14 AM - Last Modified 02/15/24 03:25 AM
Question
Why is Application Block Page not displayed for the blocked session of "web-browsing" App-ID?
Details
- Action for "Application Block Page" is set to "Enabled"
- Security Policy is configured to deny "web-browsing" or "SSL" traffic
- The Response Pages are not displayed in the client's web browser when the client accesses external servers over HTTP or HTTPS.
- This happens even though the target traffic is denied by the configured Security Policy based on its application classification.
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- Application Block Page Enabled
- Security Policy targeting the "web-browsing" or "ssl" traffic is configured with "Deny" or "Drop" Action.
Answer
- The Application Block Page only works for applications that need CTD (Content-ID Decoder) inspection.
- The "web-browsing" and "SSL" applications are identified earlier in the session, before the transaction reaches CTD.
- Hence, when a Security Policy is configured to deny or drop "web-browsing" or "SSL" traffic, the matching traffic is blocked before CTD inspection.
- As a result, the Application Block Page is not displayed for that denied session.
- For the Application Block Page to be displayed, deny the actual application (such as facebook) in the policy instead of blocking "web-browsing" or "SSL".
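The following script is an added editorial example, not Palo Alto Networks code: it reads a security rulebase in the XML layout of a PAN-OS configuration export (assumed here to be `rulebase/security/rules/entry`, with `application/member` and `action` children) and flags every deny or drop rule that can never show the Application Block Page because it matches "web-browsing" or "SSL". The embedded configuration is constructed for the example. Two points go beyond the article's wording and are the editor's assumptions: a rule whose application is "any", or that lists "web-browsing"/"SSL" alongside a specific application, is treated as matching at the early classification and therefore also dropping before CTD.

```python
"""Audit a PAN-OS security rulebase export for deny/drop rules that will
never present the Application Block Page. Added editorial example, not
Palo Alto Networks code; the XML below is constructed to mimic the
rulebase/security/rules/entry layout of a running-config export."""

import xml.etree.ElementTree as ET

# App-IDs the firewall assigns before the session reaches CTD inspection.
# A deny/drop that matches at this stage ends the session before a
# response page can be sent.
EARLY_APPS = {"web-browsing", "ssl"}
# Actions the KB article discusses (reset-* actions are not covered here).
BLOCKING_ACTIONS = {"deny", "drop"}

# Constructed sample configuration (not a real customer export).
SAMPLE_CONFIG = """<config>
  <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <rulebase><security><rules>
    <entry name="block-web-browsing">
      <from><member>trust</member></from>
      <to><member>untrust</member></to>
      <source><member>any</member></source>
      <destination><member>any</member></destination>
      <application><member>web-browsing</member><member>ssl</member></application>
      <service><member>application-default</member></service>
      <action>deny</action>
    </entry>
    <entry name="block-facebook">
      <from><member>trust</member></from>
      <to><member>untrust</member></to>
      <source><member>any</member></source>
      <destination><member>any</member></destination>
      <application><member>facebook-base</member></application>
      <service><member>application-default</member></service>
      <action>drop</action>
    </entry>
    <entry name="allow-rest">
      <from><member>trust</member></from>
      <to><member>untrust</member></to>
      <source><member>any</member></source>
      <destination><member>any</member></destination>
      <application><member>any</member></application>
      <service><member>application-default</member></service>
      <action>allow</action>
    </entry>
  </rules></security></rulebase>
  </entry></vsys></entry></devices>
</config>"""


def audit_rules(config_xml):
    """Return one dict per deny/drop rule, flagging whether a block page can appear."""
    root = ET.fromstring(config_xml)
    findings = []
    for entry in root.findall(".//rulebase/security/rules/entry"):
        action = (entry.findtext("action") or "allow").strip()
        if action not in BLOCKING_ACTIONS:
            continue  # allow rules are irrelevant to block pages
        apps = [m.text.strip() for m in entry.findall("application/member") if m.text]
        # Assumption (editor's reading of the article): if any listed app is
        # web-browsing/ssl, or the rule matches "any" application, the session
        # can match at the early classification and is dropped before CTD,
        # even when a later-identified app such as facebook-base is also listed.
        early_hits = [a for a in apps if a in EARLY_APPS or a == "any"]
        findings.append({
            "name": entry.get("name"),
            "action": action,
            "applications": apps,
            "shows_block_page": not early_hits,
            "reason": ("matches before CTD inspection via " + ", ".join(early_hits))
                      if early_hits else "denies an application that needs CTD inspection",
        })
    return findings


def report(findings):
    """Render findings as one line per rule, for an operator to read."""
    return [f"{f['name']}: action={f['action']} apps={f['applications']} "
            f"block_page={'yes' if f['shows_block_page'] else 'NO'} ({f['reason']})"
            for f in findings]


if __name__ == "__main__":
    for line in report(audit_rules(SAMPLE_CONFIG)):
        print(line)
```

Run against the sample, the script flags "block-web-browsing" (no block page possible) and accepts "block-facebook" (block page possible), which is exactly the change the answer recommends. To use it on a real device, paste the exported running configuration into `SAMPLE_CONFIG` or read it from a file before calling `audit_rules`.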