cg3 Beginner

No blocked by category page showing when user accesses https site

Hi All,

Have a user who is trying to access an HTTPS website that is blocked. The policy trace is showing blocked by Category. However, they are not being shown the standard blocked by URL category page. Instead they get "The website declined to show this website".

Would this be because we do not have the HTTPS Proxy enabled on WSA?

Thanks

VIP Advisor

Re: No blocked by category page showing when user accesses https site

Nope. Is this a problem for all HTTPS websites or only this one?
cg3 Beginner

Re: No blocked by category page showing when user accesses https site

I've only seen it with this one site. We have just put in WSAs and are going through a testing stage. At this point it's only this one site, and the others I have seen are showing the standard URL category block page.

cg3 Beginner

Re: No blocked by category page showing when user accesses https site

Does anyone have any suggestions for this?

If user goes to http://www.facebook.com they get the URL blocked by category page.

If they go to https://www.facebook.com they get page can't be displayed.

We are not doing any SSL inspection. HTTPS proxy is not enabled.

thanks

Cisco Employee

Re: No blocked by category page showing when user accesses https site

Hi,

You might need to check the access logs from the WSA when it processes that traffic to see what identity and policy it is hitting and how it is being handled.

If you have the HTTPS proxy disabled, it means the HTTPS traffic will be processed using the CONNECT tunnel method from the access policy.

You need to make sure that in that specific access policy you have port 443 listed as a CONNECT port (access policy -> Protocols and User Agents column), otherwise it will not listen to it.

To get accesslogs from CLI:

1. Grep
2. Enter the number of the log you wish to grep: 1 (for access logs)
3. Enter the regular expression to grep: <client IP>
4. Do you want this search to be case insensitive?: Y
5. Do you want to search for non-matching lines? [N]> N
6. Do you want to tail the logs?: Y
7. Do you want to paginate the output?: N

Best Regards

Handy Putra

cg3 Beginner

Re: No blocked by category page showing when user accesses https site

Thank you Handy.

I've logged a TAC case. They are indicating it won't show a blocked page if it is HTTPS traffic and HTTPS proxy is not enabled.

Confirm ports 443 in connect method of policy.

Thank you
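
To make the access-log check and the TAC answer above concrete, here is an added example (not from the thread or from Cisco) that triages access log lines for one client and separates category blocks on plain HTTP from category blocks on CONNECT tunnels, the case where no block page appears. The sample lines are constructed, and the squid-style field order, the `BLOCK_WEBCAT` decision prefix as matched here, and the helper names `parse_line` and `triage` are assumptions for illustration.

```python
# Constructed sample lines, assuming the default squid-style access log layout:
# time elapsed client result/status bytes method url user hierarchy mime acl-tag
SAMPLE_LOG = """\
1600000000.101 12 10.1.1.50 TCP_DENIED/403 2048 GET http://www.facebook.com/ - NONE/- - BLOCK_WEBCAT_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE
1600000005.202 3 10.1.1.50 TCP_DENIED/403 2048 CONNECT tunnel://www.facebook.com:443/ - NONE/- - BLOCK_WEBCAT_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE
1600000009.303 140 10.1.1.50 TCP_MISS/200 5120 CONNECT tunnel://example.org:443/ - DIRECT/example.org - DEFAULT_CASE_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE
1600000011.404 9 10.1.1.77 TCP_DENIED/403 2048 GET http://www.facebook.com/ - NONE/- - BLOCK_WEBCAT_12-DefaultGroup-DefaultGroup-NONE-NONE-NONE-NONE
"""


def parse_line(line):
    """Split one access log line into the fields used for triage, or None."""
    f = line.split()
    if len(f) < 11 or "/" not in f[3]:
        return None
    result, status = f[3].split("/", 1)
    tag = f[10].split("-")  # decision tag, then policy group names
    return {"client": f[2], "result": result, "status": status,
            "method": f[5], "url": f[6],
            "action": tag[0], "policy": tag[1] if len(tag) > 1 else ""}


def triage(log_text, client_ip):
    """Return category blocks for one client, flagging if a block page can render."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["client"] != client_ip:
            continue
        if not rec["action"].startswith("BLOCK_WEBCAT"):
            continue
        # Without HTTPS decryption the proxy only sees the CONNECT request, and
        # browsers do not render the body of a refused CONNECT, so the user gets
        # a generic browser error instead of the block page.
        rec["block_page_visible"] = rec["method"] != "CONNECT"
        findings.append(rec)
    return findings


if __name__ == "__main__":
    for r in triage(SAMPLE_LOG, "10.1.1.50"):
        shown = "block page shown" if r["block_page_visible"] else "browser error only"
        print(f'{r["method"]:8}{r["url"]:36}{r["policy"]:14}{shown}')
```

A CONNECT entry that is denied by category with the expected policy name means the policy is working as intended and only the notification is missing.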