Advanced URL Filtering
Troubleshoot URL Filtering Response Page Display Issues
Here's how to troubleshoot URL filtering response pages that are not
displaying.
Where can I use this? | What do I need? |
---|---|
 | Note: Legacy URL filtering licenses are discontinued, but active legacy licenses are still supported. |
URL filtering response pages may not display for various reasons, including:
- SSL/TLS handshake inspections are enabled.
- The website was blocked during the inspection of an SSL/TLS handshake. URL filtering response pages do not display in this case because the firewall resets the HTTPS connection.
- The website uses the HTTPS protocol or contains content served over HTTPS (such as ads) but the website or URL category was not decrypted.
- The custom response page is larger than the maximum supported size.
Use the following steps as a starting point for troubleshooting a URL filtering
response page that fails to display. If the problem persists, contact Palo Alto
Networks support.
- Determine the scope of the issue.
  Is the issue specific to a particular website or a subset of web pages? Check if a response page displays when you visit a different page on the website.
- Identify the website's protocol (HTTP or HTTPS).
  This distinction aids in further isolating and diagnosing the issue.
- (HTTPS sites or HTTP sites with HTTPS content) Verify that an SSL/TLS decryption policy rule decrypts traffic to the website or URL category.
  In general, the firewall can't serve response pages on HTTPS websites unless it can decrypt the websites. Some websites may serve their primary page over HTTP but serve ads or other content over HTTPS. These websites should also be decrypted to ensure the display of response pages.
  - Log in to the web interface.
  - Select Policies > Decryption, and verify that the relevant rule decrypts traffic to the specific website or URL category. If this is not the case, update the decryption policy rule to decrypt the website or URL category.
    - If SSL/TLS decryption is enabled and the response page still doesn't display, then enable inspection of SSL/TLS handshakes.
    - To serve a URL filtering response page over an HTTPS session without enabling SSL/TLS decryption, follow these steps.
- Verify that the URL category that the website belongs to has been blocked.
  If the category has been blocked in a URL Filtering profile applied to a Security policy rule or by a Security policy rule with the specific URL category as match criteria, the value in the Action column for a given entry displays block-url.
  - Select Monitor > URL Filtering.
  - Search for the affected website, and select the most recent log entry.
  - Examine the Category and Action columns. Are the categories assigned to the website accurate? Verify its categories using Test A Site, the Palo Alto Networks URL category lookup tool. If you still believe the website is categorized incorrectly, submit a change request.
  - For future reference, note the rule associated with this log entry.
- Determine if a custom response page is the cause of this issue.
  - Select Device > Response Pages.
  - Confirm that only Predefined is selected. A custom response page is active if Shared is listed (in addition to Predefined) in either of these places:
    - Device > Response Pages: Under the Location column corresponding to a given response page.
    - Device > Response Pages > Type: Under Location.
  - (If Shared is listed) Revert the custom page to its default state to confirm that the custom response page is the issue.
    - Delete the custom page.
    - Commit your changes.
    - Visit the affected website to see if the default response page displays.
- If the problem persists, call support for further investigation.
  If the above steps fail to correct the issue, contact Palo Alto Networks support. Additional troubleshooting may be necessary to pinpoint the issue. For example, analyzing the traffic through a packet capture (pcap) tool alongside support may be helpful if a response page fails to function for some web pages but works for others.
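The following Python sketch is an added example, not part of the Palo Alto Networks documentation. It supports the protocol check in the steps above by parsing a saved copy of a page's HTML and listing the HTTPS hosts the page loads content from, which are the hosts a decryption policy rule would need to cover. The function name, sample URL and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> attribute pairs that make a browser fetch a subresource.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href",
               "source": "src", "video": "src", "audio": "src", "embed": "src"}

class SubresourceCollector(HTMLParser):
    """Collects absolute URLs of the subresources a page references."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                # urljoin resolves relative and protocol-relative (//host) references
                # against the page URL, so they inherit the page's scheme.
                self.urls.append(urljoin(self.page_url, value))

def https_hosts_needing_decryption(page_url, html):
    """Return the sorted HTTPS hosts (page and subresources) that a
    decryption policy rule must cover for response pages to display."""
    collector = SubresourceCollector(page_url)
    collector.feed(html)
    hosts = set()
    for url in [page_url] + collector.urls:
        parts = urlsplit(url)
        if parts.scheme == "https" and parts.hostname:
            hosts.add(parts.hostname)
    return sorted(hosts)

# Constructed sample: an HTTP page that pulls ad content over HTTPS.
SAMPLE_URL = "http://news.example.test/index.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://ads.example.net/tag.js"></script>
</head><body>
<img src="//cdn.example.org/banner.png">
<iframe src="https://ads.example.net/frame.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for host in https_hosts_needing_decryption(SAMPLE_URL, SAMPLE_HTML):
        print(host)
```

The script only sees references present in the static HTML; content injected by scripts at load time has to be identified from browser developer tools or the firewall's traffic logs.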