Block response page not displaying for blocked SSL (https://) URL

jacenkoj33 (Level 1)

We have a pair of ASA 5525s with Sourcefire enabled. I'm tasked with blocking access to some websites capable of file uploads, like Facebook or LinkedIn. The issue I'm having is that sites using http:// get the block response page. SSL sites using https:// eventually time out and then display "page cannot be displayed".

So Sourcefire is doing its job blocking access to restricted sites, but the concern is that users will get "page cannot be displayed" and cause an influx of unnecessary calls to our helpdesk thinking internet access is down...


I've scoured the user guide, but there doesn't seem to be an obvious answer on how to get the SSL sites to display the block response page. If anyone knows the fix for this, please do share; I'd be greatly appreciative. Thanks

19 Replies

Nothing special. Just use a Decrypt with Resign policy.

As Claudiu mentioned, the key here is to decrypt the traffic first. For that you need to have an SSL Policy; this can be found under Policies > Access Control > SSL. Key things to keep in mind when deciding to decrypt SSL traffic:

- There are some web apps that DO NOT LIKE you decrypting the traffic (i.e. Office 365). It is key that you add the respective SSL policies to Not Decrypt this traffic. You can use certificate CNs to white-list the traffic. O365 is just an example; you will need to observe your network so you know which applications will need to be white-listed.

- I would recommend only decrypting traffic of interest and not all traffic. The more decryption/resigning you have going on, the bigger the hit on performance. I wouldn't go too crazy if you are just running a 5506.

- Be sure you have distributed the firewall's Certificate to your clients (computers, servers) before you put an SSL policy in play.

Once you create the SSL policy, you need to assign it to your Access Control Policy. When you open your policy, you will see at the top an option that says "SSL Policy:"; here you can assign the policy you just created.

Lastly, a lot can go wrong with SSL decryption if not done right. Although I have done it on a few appliances, I always run tests in each environment before production.

We have created an SSL Policy that matches interesting traffic utilizing the decrypt-resign action. A corresponding Access Control Policy blocking the interesting traffic with an HTTP responder has also been created.

When browsing to an SSL/HTTPS site using Internet Explorer, the site is properly blocked and we receive the HTTP response page.

However, when using Chrome/Firefox browsers, the page does not properly inject. Each browser complains about HTTP Strict Transport Security (HSTS).

Anyone else running into this issue? Any fixes?

If the webpage uses HSTS, I do not think that you will be able to "fix" this.

It is working as intended.

As long as SSL Decryption is running, then yes, you can display a block response for HTTPS websites.

However, for HSTS websites, SSL Decryption can't work, because it's basically viewed as a "Man In The Middle" attack.
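As an added illustration of the HSTS point made in the replies above (example code written for this thread, not Cisco or Firepower code): a small model of a browser's HSTS store, showing why a block page served under the firewall's resigning certificate can only be displayed when the client trusts that CA. Per RFC 6797, a browser only records a Strict-Transport-Security policy received over a TLS connection with no certificate errors, and for a host it already knows as HSTS it turns any later certificate error into a hard failure with no "proceed anyway" option. The header values and host names below are constructed, not captured from real sites.

```python
"""Model of a browser's HSTS store and what it means for a decrypt-resign
block page. Constructed example for this discussion; not Cisco/Firepower
code. Headers and hosts are made up."""
import re
import time

# One directive: name, optional =value (token or quoted-string). RFC 6797 section 6.1.
_DIRECTIVE_RE = re.compile(r'\s*([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*("[^"]*"|[^;\s"]+))?\s*')


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value.

    Returns {"max_age", "include_subdomains", "preload"} or None when the
    header is invalid (missing/non-numeric max-age, repeated directive)."""
    directives = {}
    for part in header_value.split(";"):
        if not part.strip():
            continue
        m = _DIRECTIVE_RE.fullmatch(part)
        if not m:
            return None
        name, value = m.group(1).lower(), m.group(2)
        if value is not None and value.startswith('"'):
            value = value[1:-1]
        if name in directives:  # a directive MUST NOT appear more than once
            return None
        directives[name] = value
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


class HstsStore:
    """Minimal Known-HSTS-Host list as a browser keeps it."""

    def __init__(self, now=None):
        self.hosts = {}  # host -> (expiry_epoch, include_subdomains)
        self._now = now or time.time

    def observe(self, host, tls_trusted, headers):
        """Learn (or forget) a policy from one response. The header is
        ignored unless the TLS connection had no certificate errors
        (RFC 6797 section 8.1). Returns True if the store changed."""
        if not tls_trusted:
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None:
            return False
        policy = parse_hsts(value)
        if policy is None:
            return False
        host = host.lower()
        if policy["max_age"] == 0:  # max-age=0 clears the policy
            self.hosts.pop(host, None)
            return True
        self.hosts[host] = (self._now() + policy["max_age"], policy["include_subdomains"])
        return True

    def is_known(self, host):
        """Exact or superdomain match (RFC 6797 section 8.3); superdomains
        only count when their policy had includeSubDomains."""
        labels = host.lower().split(".")
        now = self._now()
        for i in range(len(labels)):
            entry = self.hosts.get(".".join(labels[i:]))
            if entry is None or entry[0] <= now:
                continue
            if i == 0 or entry[1]:
                return True
        return False


def intercept_outcome(store, host, resign_ca_trusted):
    """What the user sees when the firewall resigns host's certificate and
    answers with the block page instead of the site."""
    if resign_ca_trusted:
        return "block page shown"
    if store.is_known(host):
        return "hard TLS failure, no bypass (HSTS)"
    return "certificate warning with a proceed option"


# Constructed responses: (host, tls_trusted, headers). Not real captures.
SAMPLE_RESPONSES = [
    ("www.example.com", True, {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}),
    ("upload.example.org", True, {"Strict-Transport-Security": "max-age=0"}),
    ("plain.example.net", True, {}),
    ("intercepted.example.test", False, {"Strict-Transport-Security": "max-age=31536000"}),  # cert error: ignored
]


def demo(now=1_700_000_000.0):
    store = HstsStore(now=lambda: now)
    for host, trusted, headers in SAMPLE_RESPONSES:
        store.observe(host, trusted, headers)
    return {
        "www.example.com": intercept_outcome(store, "www.example.com", False),
        "files.www.example.com": intercept_outcome(store, "files.www.example.com", False),
        "plain.example.net": intercept_outcome(store, "plain.example.net", False),
        "intercepted.example.test": intercept_outcome(store, "intercepted.example.test", False),
        "www.example.com (CA trusted)": intercept_outcome(store, "www.example.com", True),
    }


if __name__ == "__main__":
    for host, outcome in demo().items():
        print(f"{host}: {outcome}")
```

The practical check this models: before pushing an SSL policy, confirm the firewall's resigning CA is in every client's trust store, because for any host the browser already knows as HSTS (including preloaded ones and subdomains covered by includeSubDomains) an untrusted resigned certificate gives the user no way through to the block page at all.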
