"denied" page

nenonano · May 4, 2016, 11:41pm

Hi all

it would be nice to have a “denied” page to be used when filters block a site using filters…

Tim_S · May 5, 2016, 1:01am

We are looking into this and will update when more info is available. Thanks.

Eddy_Yeung · May 8, 2016, 8:51pm

We are targeting to have this on 6.3.2 which is scheduled within Q2. The “denied” page is going to look like below capture:

Thanks,
Eddy

nenonano · July 27, 2016, 8:22pm

Hi all

this feature is available and works fine for sites on http (DPT=80) but doesn’t work for https (DPT=443)

I’m on BR1, firmware 6.3.2 build 2158

Step to reproduce:

enable all filters (or, at least, the “Update sites” category)
from a client behind the router, try to browse to http://support.apple.com

you’d get something like (expected behaviour):

now try to surf to https://support.apple.com
and you get

1366×738 61.6 KB

in the first case, in syslog I see:
Jul 28 13:01:49 2932-c98a-d227 URL Logging: Domain <support.apple.com> has been blocked by content filter category <updatesites>
Jul 28 13:01:49 2932-c98a-d227 URL Logging: URL=http://support.apple.com/ SRC=192.168.50.15 DST=23.32.10.110 SNATIP=10.0.0.174 SRCMAC=9c:b7:0d:c9:a1:db SPT=52151 DPT=80

in the second:
Jul 28 13:18:56 2932-c98a-d227 URL Logging: Domain <support.apple.com> has been blocked by content filter category <updatesites>
Jul 28 13:18:56 2932-c98a-d227 URL Logging: SSLCERT=support.apple.com SRC=192.168.50.15 DST=23.32.10.110 SNATIP=10.0.0.174 SRCMAC=9c:b7:0d:c9:a1:db SPT=52245 DPT=443

is it the expected behaviour?
is it a bug?

TIA

TK_Liew · July 28, 2016, 11:07am

Thanks for the catching! Let me check with the team whether this can be improved.

nenonano · July 31, 2016, 5:28pm

Hi

thank you for your attention… may I suggest to apply the denied page to locally/manually blacklisted sites/domains?

actually, a blacklisted domain gives the same result as an https blocked site (see above)

I’d like my users knows that they can’t go on a site and not think that something is wrong with their/our connection (the second page let them ask for help “hey, internet is not working here!”)

TIA

TK_Liew · August 1, 2016, 11:29am

We can’t inject the block page if there is an HTTPS connection. This is a common problem and happened to all the products in the market. We will see how we can improve there. Below is the URL links for the similar problem on other products.

https://www.websense.com/support/article/kbarticle/Block-pages-for-HTTPS-connections-are-not-displayed

nenonano · August 1, 2016, 6:46pm

well, I guess it won’t be feasible without a MITM approach, which I don’t like at all

anyway, can the denied page be shown on locally blacklisted domains?

TK_Liew · August 2, 2016, 12:18pm

You will see the same behavior with locally blacklisted domains with HTTPS connection.

Brett_Davidson · September 3, 2017, 8:47pm

Content filter redirects to the 8183 port, would be great if I could customize the page with a play-able mov file of my choice.