Troubleshoot URL Filtering Response Page Display Issues

Advanced URL Filtering

Troubleshoot URL Filtering Response Page Display Issues

Table of Contents
End-of-Life (EoL)

Troubleshoot URL Filtering Response Page Display Issues

Here's how to troubleshoot URL filtering response pages that are not displaying.
URL filtering response pages may not display for various reasons, including:
  • SSL/TLS handshake inspections are enabled.
  • The website was blocked during the inspection of an SSL/TLS handshake. URL filtering response pages do not display in this case because the firewall resets the HTTPS connection.
  • The website uses the HTTPS protocol or contains content served over HTTPS (such as ads) but the website or URL category was not decrypted.
  • The custom response page is larger than the maximum supported size.
Use the following steps as a starting point for troubleshooting a URL filtering response page that fails to display. If the problem persists, contact Palo Alto Networks support.
  1. Determine the scope of the issue.
    Is the issue specific to a particular website or a subset of web pages? Check if a response page displays when you visit a different page on the website.
  2. Identify the website's protocol (HTTP or HTTPS).
    This distinction aids in further isolating and diagnosing the issue.
  3. (
    HTTPS sites or HTTP sites with HTTPS content
    ) Verify that an SSL/TLS decryption policy rule decrypts traffic to the website or URL category.
    In general, the firewall can't serve response pages on HTTPS websites unless it can decrypt the websites.
    Some websites may serve its primary page over HTTP but serve ads or other content over HTTPS. These websites should also be decrypted to ensure the display of response pages.
    1. Log in to the web interface.
    2. Select
      , and verify that the relevant rule decrypts traffic to the specific website or URL category.
      If this is not the case, update the decryption policy rule to decrypt the website or URL category.
  4. Verify that the URL category that the website belongs to has been blocked.
    If the category has been blocked in a URL Filtering profile applied to a Security policy rule or by a Security policy rule with the specific URL category as match criteria, the value in the Action column for a given entry displays
    1. Select
      URL Filtering
    2. Search for the affected website, and select the most recent log entry.
    3. Examine the Category and Action columns.
      Are the categories assigned to the website accurate? Verify its categories using Test A Site, Palo Alto Networks URL category lookup tool. If you still believe the website is categorized incorrectly, submit a change request.
      Is the Action value
      ? If not, update the URL Filtering profile or Security policy rule.
    4. For future reference, note the rule associated with this log entry.
  5. Determine if a custom response page is the cause of this issue.
    1. Select
      Response Pages
    2. Confirm that only
      is selected.
      A custom response page is active if
      is listed (in addition to
      ) in either of these places:
      • Device
        Response Pages
        : Under the Location column corresponding to a given response page.
      • Device
        Response Pages
        : Under Location.
    3. (
      is listed
      ) Revert the custom page to its default state to confirm that the custom response page is the issue.
      1. Delete
        the custom page.
      2. Commit
        your changes.
      3. Visit the affected website to see if the default response page displays.
      If the problem persists, call support for further investigation.
If the above steps fail to correct the issue, contact Palo Alto Networks support. Additional troubleshooting may be necessary to pinpoint the issue. For example, analyzing the traffic through a packet capture (pcap) tool alongside support may be helpful if a response page fails to function for some web pages but works for others.

Recommended For You