04-13-2018 11:49 AM - edited 02-21-2020 07:37 AM
FMC 6.2.2
FTDs 6.2.2
We have a custom HTTP Block Response Page which does what it is supposed to do. However, we don't want that custom block page to be displayed outside of our network/Intranet.
So, the Block Response page is a part of the Access Control Policy, in which the blocks happen according to ACL rules, which is expected. Given that, how (or is it even possible) to override the block page so it is not sent out to the internet for HTTP blocks?
Thanks,
*EDIT*
More info -- In the specific ACL rules that are generating these blocks, we have specifically set the configuration of "Block with Reset", but the Response page still goes out.
04-18-2018 04:27 AM
Hello,
The requirement is not clear.
Is it that you want the traffic destined for the internet to be exempted from being whitelisted from URL filtering? Do you have plans for only sending specific non-internet traffic to HTTP filtering? If my understanding is not correct, please elaborate, with subnet examples maybe.
Just to add, the URL filtering works on the basis of source and destination zones, interfaces, ip addresses and ports. We can play around with these values to allow or block traffic.
-
AJ
04-20-2018 07:33 AM
We have Geo Blocking in place... meaning, traffic from the internet is being blocked depending on Geographical source.
The issue is, our http custom block page is being displayed when we block. The block rule in our ACL says "block with reset", however the http custom block page is still displayed to users on the Internet which is not desirable.
Hope that makes better sense.
04-21-2018 01:34 AM
Hello,
The 'block with reset' rule should not cause the HTTP custom page to be displayed. Is the geo blocking rule on top of all the rules, e.g. line 1, so that no other rule could potentially be causing the HTTP custom page to be displayed? Also, we can refer to events in FMC to figure out the reason for the custom page being displayed.
For sure, there is a different rule in same policy which is causing this behavior.
-
HTH
AJ
04-23-2018 06:56 AM
I ran a test from China through the FTD to an HTTP web server, and this is the result.
The FTD was run in debug mode to trace the source IP from China to the web server.
From the command -- system support firewall-engine-debug
I can see the source IP 112.124.45.3 traverse the rules, and eventually it gets blocked by the Geo Blocking rule. We see below that the action is to send a reset, and below that it says "sending block response", which is what we do not want. The rule states to block with reset, so I'm not sure why it is doing this extra step of sending the HTTP block response page.
112.124.45.3-47023 > x.x.x.x-80 6 AS 7 I 27 no match rule order 48, 'Geo Block Allow', src network and GEO
112.124.45.3-47023 > x.x.x.x-80 6 AS 7 I 27 match rule order 49, 'Geo Block Block', action Reset
112.124.45.3-47023 > x.x.x.x-80 6 AS 7 I 27 sending block response of 743 bytes
112.124.45.3-47023 > x.x.x.x-80 6 AS 7 I 27 Deleting session
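One way to audit a longer firewall-engine-debug capture for this behaviour, as an added example that is not part of the original thread or of any Cisco tool: group the debug lines by session, record the matched rule and action, and flag sessions where an action of Reset was still followed by a "sending block response" line. The sample input is constructed to mimic the output quoted above; the destination addresses and the second session are invented.

```python
import re

# Constructed sample in the shape of the firewall-engine-debug lines quoted above.
SAMPLE_DEBUG = """\
112.124.45.3-47023 > 203.0.113.10-80 6 AS 7 I 27 no match rule order 48, 'Geo Block Allow', src network and GEO
112.124.45.3-47023 > 203.0.113.10-80 6 AS 7 I 27 match rule order 49, 'Geo Block Block', action Reset
112.124.45.3-47023 > 203.0.113.10-80 6 AS 7 I 27 sending block response of 743 bytes
112.124.45.3-47023 > 203.0.113.10-80 6 AS 7 I 27 Deleting session
198.51.100.7-51000 > 203.0.113.10-80 6 AS 7 I 27 match rule order 12, 'Allow Web', action Allow
198.51.100.7-51000 > 203.0.113.10-80 6 AS 7 I 27 Deleting session
"""

# "<src>-<sport> > <dst>-<dport> <proto> AS <n> I <n> <message>"
LINE_RE = re.compile(
    r"^(?P<src>\S+)-(?P<sport>\d+) > (?P<dst>\S+)-(?P<dport>\d+) "
    r"(?P<proto>\d+) AS (?P<as>\d+) I (?P<inst>\d+) (?P<msg>.*)$"
)
MATCH_RE = re.compile(r"match rule order (?P<order>\d+), '(?P<name>[^']*)', action (?P<action>\w+)")
RESPONSE_RE = re.compile(r"sending block response of (?P<size>\d+) bytes")


def parse_sessions(text):
    """Group debug lines by 5-tuple and keep the matched rule, its action and any block page size."""
    sessions = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip lines that are not per-session debug output
        key = (m["src"], m["sport"], m["dst"], m["dport"], m["proto"])
        s = sessions.setdefault(key, {"rule": None, "action": None, "response_bytes": None})
        msg = m["msg"]
        rm = MATCH_RE.search(msg)
        if rm and not msg.startswith("no match"):  # "no match" lines carry no action
            s["rule"], s["action"] = rm["name"], rm["action"]
        br = RESPONSE_RE.search(msg)
        if br:
            s["response_bytes"] = int(br["size"])
    return sessions


def find_leaking_responses(text):
    """Sessions where the rule action was Reset but a block response page was still sent."""
    findings = []
    for key, s in parse_sessions(text).items():
        if s["action"] == "Reset" and s["response_bytes"] is not None:
            findings.append({"src": key[0], "dst": key[2], "dport": key[3],
                             "rule": s["rule"], "response_bytes": s["response_bytes"]})
    return findings


if __name__ == "__main__":
    for f in find_leaking_responses(SAMPLE_DEBUG):
        print(f"{f['src']} -> {f['dst']}:{f['dport']} rule '{f['rule']}' reset but served a {f['response_bytes']}-byte page")
```

Feed it a saved capture instead of SAMPLE_DEBUG to list every rule name whose reset still produced the response page, which is the evidence to bring to TAC or to the policy review.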
10-15-2019 01:47 PM
Bumping this post as we are having the same issue. We have a custom block page which we've designed to be helpful to our users who are browsing to websites that they shouldn't. It goes something like this:
"Access Denied. This site has been blocked by <our company>. If you have a legitimate business need to access this site, please click here <internal link to ServiceNow form> to submit a request via ServiceNow."
However, we have discovered that when Firepower blocks HTTP traffic to our public addresses from the Internet, these users are being served up this same page. We are not OK with the information on the page being seen outside the company.
Today I put in a firewall rule that was designed to pre-empt this behavior by having forbidden outside traffic get a "Block with Reset" rather than falling through the policy and hitting the default "Block All Traffic" action. This did not work. When I tested, Firepower logs showed that a "Block with Reset" did happen, but I still got the same HTTP response page.
Firepower offers one HTTP response page per policy. We cannot have different pages for internal and external users. So our only options are to either make the page generic and unhelpful to internal users, or to continue to attach company information to our public IPs for anyone to find.