How to Serve a URL Response Page Over an HTTPS Session Without SSL Decryption

Environment

• Palo Alto Firewall.

• PAN-OS 7.1 and above.

• Response Pages.

Procedure

Details

This document describes how to configure the Palo Alto Networks device to serve a URL response page over an HTTPS session without SSL decryption.

Requirements

• Create a URL Filtering profile that blocks the unwanted HTTP and HTTPS websites. Create a Security Policy with an action of "allow" and then link the URL Filtering profile to it.

• Response pages must be enabled. This cannot be performed on a VWire interface, VWire requires SSL decryption to be able to serve a response page:

  1. Network > Network Profiles > Interface-Mgmt
     Create an interface management profile with response pages enabled

  2. Network > Interfaces > Ethernet?/? > Advanced > Management Profile
     Select your management profile

• A certificate to be used for Forward Trust on the Palo Alto Networks device, where it is one of the following:

  • A self-signed/self-generated certificate with which the box for Certificate Authority has been checked.
    Note: If using a self-signed/self-generated certificate it will be necessary to import this certificate into the client machine's certificate store to avoid unwanted browser certificate errors.

  • An intermediate CA certificate installed on the Palo Alto Networks device which was generated by an organization's internal CA.

• A certificate to be used for Forward Untrust, which is a self-sign/self-generated certificate with which the box for Certificate Authority has been checked. This certificate is NOT to be trusted by any client that receives it.

• If using dynamic URL filtering with BrightCloud, be sure to enable dynamic URL filtering on all URL filtering profiles as well as dynamic URL filtering globally. From the configure mode on the CLI of the device, enter the command listed below. If PAN-DB URL filtering is used, skip this step and proceed for the next step as the command will work only if the firewall is licensed for BrightCloud URL Filtering and not for PAN-DB URL filtering.

• To enable the Palo Alto Networks device's ability to inject URL filtering response pages within an HTTPS session with the following configuration command. This command works with either BrightCloud or PAN-DB URL filter:

Note: Both the commands above are only available through the CLI.

Note: For the block page to be shown the HTTP GET request should come to the firewall
In the case of HTTPS, the SSL handshake should get completed and HTTP GET come to the firewall and the firewall will respond with a block page.
If we take the packet capture we will probably be able to see the RST from the upstream device or any other issue related to the SSL handshake.

for example, If you are getting the below error messages please check if there is any upstream device that could be blocking the site for https.

For the same site if we try in HTTP it will show the block page.

We can verify from the browser in the developer tool for HTTPs.

For HTTP
.

If the configuration is correct we should be seeing this page below.



Successful completion of the setup allows the firewall to serve a URL filtering response to client machines within an HTTPS session triggered by the URL Filtering policy.

Caveats with Continue and Override

Today's websites server content comes from many sources. If serving a URL Response Page for an action of type Continue or Override, it is possible that some content on the page may not be rendered properly. This will happen if the content is coming from a site that is in a category for which the action is set to Block, Continue or Override. The firewall will not present the Continue and Override page for each embedded link.

Note: After you replace the certificate to renew the expiration date, restart Dataplane or the device. It removes the expired certificate cache in the Dataplane.

Additional Information

Note : In the traffic log, it is normal to see this traffic as being decrypted.