Unable to display response page when SSL/TLS Handshake Inspection is enabled

Created On 05/30/22 21:51 PM - Last Modified 08/06/25 09:20 AM


Symptom


  • SSL/TLS Handshake Inspection is enabled.
  • The setting is located under Device > Setup > Session > SSL Decryption Settings > Send handshake messages to CTD for inspection.
  • A client attempts to browse to a URL that is blocked by URL Filtering policy with the action set as Block and Continue.
  • The client browser does not display the response page to continue; instead, it displays a standard connection error.
CTD inspection image


    Environment


    • PAN-OS 10.1 and up
    • Feature SSL/TLS Handshake Inspection enabled
    • SSL Decryption 

     


    Cause




     


    Resolution


    1. URL Filtering response pages do not display for sites blocked by the firewall during SSL/TLS handshake inspections.
    2. After detecting traffic from blocked categories, the firewall resets the HTTPS connection, ending the handshake and preventing user notification by response page.
    3. Instead, the browser displays a standard connection error message.
    Refer to the Advanced URL Filtering documentation on inspecting SSL/TLS handshakes for more details.
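
A client-side check for the behaviour described above, as an added example that is not part of the original article or vendor code: it attempts one TLS handshake and reports whether the connection was reset before the handshake finished, which is what the browser surfaces as a standard connection error. The function names, result strings, and the local listener standing in for the resetting device are constructed for illustration.

```python
import socket
import ssl
import struct
import threading


def classify_tls_attempt(host, port, server_name=None, timeout=5.0):
    """Attempt one TLS handshake and report the stage at which it ended."""
    ctx = ssl.create_default_context()
    # Validation is off because only the handshake outcome is observed;
    # no application data is sent or trusted.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp_connect_failed"
    try:
        with ctx.wrap_socket(raw, server_hostname=server_name or host):
            return "handshake_completed"  # a response page could be served
    except ConnectionResetError:
        return "reset_during_handshake"   # matches the symptom in this article
    except ssl.SSLEOFError:
        return "closed_during_handshake"
    except (ssl.SSLError, OSError) as exc:
        return "other_failure:" + type(exc).__name__
    finally:
        raw.close()


def start_constructed_reset_listener():
    """Constructed stand-in: read the ClientHello, then reset the connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve_once():
        conn, _ = srv.accept()
        conn.recv(4096)  # ClientHello arrives here
        # SO_LINGER with a zero timeout makes close() send a TCP RST.
        conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        conn.close()
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return port


if __name__ == "__main__":
    p = start_constructed_reset_listener()
    print(classify_tls_attempt("127.0.0.1", p, server_name="blocked.example.test"))
```

A result of `reset_during_handshake` for a site in a blocked category, with `handshake_completed` for allowed sites from the same client, is consistent with the block being applied at handshake inspection rather than after decryption.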

