Right - even with a hardware appliance and https decryption policy we cannot send a block page for https sites. We can only block the site silently (reset the connection).
I tried this with an AMP 8150 and confirmed with TAC that the block page function is not available for https - even with a decryption policy and trusted certificate issued from an internal PKI on the appliance.
If you were using application and URL in the same rule then it won't work and will allow the URL. That's because the rule has to match the AND condition. It has to match the application and URL. In your case it will never match the application because traffic is encrypted and the device won't be able to identify the application. So it goes to the next rule or default rule.
Even if you have SSL decryption policy it will still allow some packets, that's because device will require some packets to identify the actual application used by the client.
So you need to be very careful when you are creating your policies.
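The rule-matching behaviour described in the reply above, as an added example that is not part of the original post and not Cisco code. It is a simplified model: the `Rule`/`Flow` fields, first-match evaluation, and the default-allow action are assumptions for illustration, and the flows are constructed.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    action: str                  # "allow" or "block"
    app: Optional[str] = None    # None = no application condition set
    url: Optional[str] = None    # substring matched against the flow URL

@dataclass
class Flow:
    url: str
    app: Optional[str]           # None = application not identified yet

def matches(rule: Rule, flow: Flow) -> bool:
    # Every condition that is set must match (logical AND).
    if rule.app is not None and rule.app != flow.app:
        return False
    if rule.url is not None and rule.url not in flow.url:
        return False
    return True

def evaluate(rules, flow, default="allow"):
    # First matching rule wins; otherwise fall through to the default action.
    for rule in rules:
        if matches(rule, flow):
            return rule.name, rule.action
    return "default", default

# Constructed flows: same site, application identified vs. not identified.
IDENTIFIED = Flow(url="facebook.com", app="Facebook")
UNIDENTIFIED = Flow(url="facebook.com", app=None)   # encrypted, app unknown

# Application AND URL in one rule: needs both conditions to match.
COMBINED = [Rule("block-fb", "block", app="Facebook", url="facebook.com")]
# URL condition on its own: does not depend on application identification.
SPLIT = [Rule("block-fb-url", "block", url="facebook.com")]

if __name__ == "__main__":
    for label, rules in (("combined", COMBINED), ("split", SPLIT)):
        for flow in (IDENTIFIED, UNIDENTIFIED):
            print(label, flow.app, evaluate(rules, flow))
```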
Thank you, everyone, for the follow-up, but now I'm confused.
I know, because it works right now, that I can block either
http://facebook.com or application-based Facebook.
What I'm trying to accomplish is to allow
url facebook.com/mycompany = which allows users to get to clients facebook company page and block everything else on facebook afterwards.
I've set up 3 D-Cloud demos and my own lab and 2 TAC cases, and no answer yet.
Seeing if anyone in the community has ever seen this or even tried something like this.
Thank you again