Troubleshoot URL Filtering Response Page Display Issues
Here's how to troubleshoot URL filtering response pages that are not
displaying.
Where can I use
this? | What do I need? |
NGFW (PAN-OS or Panorama Managed)
|
Note: Legacy URL filtering licenses are
discontinued, but active legacy licenses are still
supported. |
URL filtering response pages may not display for various reasons, including:
SSL/TLS handshake inspections are enabled.
The website was blocked during the inspection of an SSL/TLS handshake. URL
filtering response pages do not display in this case because the firewall resets
the HTTPS connection.
The website uses the HTTPS protocol or contains content served over HTTPS (such
as ads) but the website or URL category was not decrypted.
The custom response page is larger than the maximum supported size.
Use the following steps as a starting point for troubleshooting a URL filtering
response page that fails to display. If the problem persists, contact Palo Alto
Networks support.
Determine the scope of the issue.
Is the issue specific to a particular website or a subset of web pages? Check
if a response page displays when you visit a different page on the
website.
Identify the website's protocol (HTTP or HTTPS).
This distinction aids in further isolating and diagnosing the
issue.
(
HTTPS sites or HTTP sites with HTTPS content
) Verify that an SSL/TLS
decryption policy rule decrypts traffic to the website or URL category.
In general, the firewall can't serve response pages on HTTPS websites
unless it can decrypt the websites.
Some websites may serve its primary page over HTTP but serve ads or other
content over HTTPS. These websites should also be decrypted to ensure
the display of response pages.
Log in to the web interface.
Select , and verify that the relevant rule decrypts traffic to
the specific website or URL category.
To serve a URL filtering response page over an HTTPS session without
enabling SSL/TLS decryption,
follow these steps.
Verify that the URL category that the website belongs to has been
blocked.
If the category has been blocked in a URL Filtering profile applied to a
Security policy rule or by a Security policy rule with the specific URL category
as match criteria, the value in the Action column for a given entry displays
block-url
.
Search for the affected website, and select the most recent log
entry.
Examine the Category and Action columns.
Are the categories assigned to the website accurate? Verify its
categories using
Test A Site, Palo Alto Networks URL
category lookup tool. If you still believe the website is
categorized incorrectly,
submit a change
request.
For future reference, note the rule associated with this log
entry.
Determine if a custom response page is the cause of this issue.
Confirm that only
Predefined
is selected.
A custom response page is active if
shared
is
listed (in addition to
Predefined
) in either of
these places:
: Under the Location column corresponding to a
given response page.
: Under Location.
(
) Revert the
custom page to its default state to confirm that the custom response
page is the issue.
Visit the affected website to see if the default response page
displays.
If the problem persists, call support for further investigation.
If the above steps fail to correct the issue, contact Palo Alto Networks support.
Additional troubleshooting may be necessary to pinpoint the issue. For example,
analyzing the traffic through a packet capture (pcap) tool alongside support may be
helpful if a response page fails to function for some web pages but works for
others.
