we made a URL filtering rule (to block some URL categories) and set HTTP response page. And it is working ok.
But in order to show users a response page when they are blocked accessing HTTPS site, SSL decryption needs to be activated (so manual says).
We decided not to use SSL decryption due to an impact to traffic speed, but nevertheless we would like HTTPS response page.
Is there an option to activate SSl decryption only on URLs that are in our URL filtering block rule?
As far as I understand if we block URL with URL filtering, it won't even come to SSL decryption part.
SSL decryption has to configured to show block page for https sites.
SSL decryption would happen first and then the URL filtering rule would be applied. If you are concerned with performance. You can create a rule with specific URL categories (which are supposed to be blocked) in SSL policy to be decrypted and rest all goes to default rule which is to do not decrypt.
thanx for replying.
We did create a rule with specific URL categories (which are supposed to be blocked) in SSL policy to be decrypted and applied this SSL policy to main Access Control policy.
But decryption was applied to all users on the network and cuts our https traffic, even we put only one IP address of test PC inside networks inside SSl policy settings.
I'm interested in doing this too and have a ticket open with the TAC, but they cannot figure this out. Do you know of any documentation or examples in doing this?
I have an ACL created today that blocks access to "Personal Storage", for example.
I then tried to add a SSL policy from my ACL policy and deploy but it will not deploy. My SSL policy is very simple and calls for re-sign of the cert using certs from our CA.
I'm trying to find any documentation or examples from a working setup on how the SSL Policy should be setup. The online documentation is horrible.
Thanks for any feedback.
unfortunately I must agree with you regarding online documentation.
We are still not able to resolve this issue and still have only HTTP response set.
We are facing the similar issue. Configured SSL decryption for the URL filtering of the https sites. But the behavior is very weird. The same user is able to open site-a using IE and getting blocked using Chrome. For few other sites, its vise versa. We are having a second thought if buying Firpower was wise decision.