PaloAlto Response Page w/ ReAuth


If you have ever run into a case where a user had the proper access but was still denied a URL or application simply because User-ID had not identified them, this fix will be useful for you.

Here is the standard out-of-the-box response page that is displayed by default when a user browses to a site in a category configured with the ‘block’ action in the URL filtering profile, or whose URL category is blocked by a Security policy rule. The page supports the following substitution variables:

Variable | Usage
<user/> | The firewall replaces the variable with the username (if available via User-ID) or the IP address of the user when displaying the response page.
<url/> | The firewall replaces the variable with the requested URL when displaying the response page.
<category/> | The firewall replaces the variable with the URL filtering category of the blocked request.

If the User: field contains an IP address, the PA is telling you that it has no User-ID mapping for that endpoint and therefore cannot tie the request to a verified user. This is normal for non-domain endpoints but obviously a problem in any domain-based environment, since user- and group-based rules will not match. (More info: Enable User- and Group-Based Policy.)

One simple way to remedy the situation is to give the user a way to re-authenticate directly from the browser. This is done by customizing the response page to include a link that redirects them to an intranet-hosted page; in our case PAAuthredirect.htm.

<html>
<head>
<title>Web Page Blocked</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<style>
#content{border:3px solid #aaa;background-color:#fff;margin:40px;padding:40px;font-family:Tahoma,Helvetica,Arial,sans-serif;font-size:12px;}
  h1{font-size:20px;font-weight:bold;color:#196390;}
  b{font-weight:bold;color:#196390;}
</style>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Web Page Blocked</h1>
<p>Access to the web page you were trying to visit has been blocked in accordance with company policy.</p>
<p><b>User:</b> <user/></p>
<p>If you are not this user, please click <a href="https://intranet.acme.com/PAAuthredirect.htm">here</a> to re-authenticate </p>
<p><b>URL:</b> <url/> </p>
<p><b>Category:</b> <category/> </p>
<p>To submit this blocked site for review, <a href="mailto:[email protected]?subject=review&body=User:%09<user/>%0aCategory:%09<category/>%0aBlocked Url:%09<url/>"><b>click here</b></a><b>.</b></p>
</div>
</body>
</html>
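The response page above always shows the re-authenticate link and leaves it to the user to notice that the User: field holds an IP address. As an added example (not part of the original page or Palo Alto's templates), the script below makes that check client-side: it inspects the text the firewall substituted for <user/> and only reveals the re-auth prompt when it is an IP literal, i.e. when User-ID had no mapping. The element ids pa-user and pa-reauth are assumptions about how the page is marked up.

```javascript
// Added example: show the re-auth link only when <user/> rendered as an IP address.
// Assumes the response page wraps the variable as <span id="pa-user"><user/></span>
// and the re-auth paragraph as <p id="pa-reauth" hidden>...</p>.

// True when the value substituted for <user/> is an IPv4 or IPv6 literal rather
// than a username such as acme\jdoe or jdoe@acme.com.
function isIpLiteral(value) {
  const v = String(value).trim();
  const m = v.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (m) {
    // every dotted-quad octet must be 0..255
    return m.slice(1).every(octet => Number(octet) <= 255);
  }
  // IPv6: only hex digits and colons, with at least one colon (covers "::" forms)
  return v.includes(':') && /^[0-9a-f:]+$/i.test(v);
}

// Decide whether the re-authentication prompt should be shown, with a reason
// that can be logged or displayed. Empty text means the variable was not rendered.
function reauthDecision(userField) {
  const text = userField == null ? '' : String(userField).trim();
  if (text === '') {
    return { showReauth: true, reason: 'User field is empty' };
  }
  if (isIpLiteral(text)) {
    return { showReauth: true, reason: 'User-ID has no mapping for ' + text };
  }
  return { showReauth: false, reason: 'User identified as ' + text };
}

// Browser wiring; skipped when the script is loaded outside a page (e.g. tests).
if (typeof document !== 'undefined') {
  const userEl = document.getElementById('pa-user');
  const reauthEl = document.getElementById('pa-reauth');
  if (userEl && reauthEl) {
    reauthEl.hidden = !reauthDecision(userEl.textContent).showReauth;
  }
}
```

The link itself still points at the intranet-hosted PAAuthredirect.htm; the script only controls whether the prompt is visible.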

The intranet-hosted page linked above, PAAuthredirect.htm, contains nothing but a meta refresh that sends the browser to a file on the domain's NETLOGON share, PA_reauth.htm:

<html>
<head>
<title>Authentication Redirect</title>
<!-- redirect immediately to the file on the NETLOGON share -->
<meta http-equiv="refresh" content="0;URL=file://acme.com/NETLOGON/PA_reauth.htm">
</head>
<body></body>
</html>

When the browser opens that file from the NETLOGON share, the client authenticates to the domain controller, which writes a logon event to its Security Log; User-ID on the PAs picks up that event and refreshes the IP-to-user mapping. To tell the end-user the update succeeded, we might as well serve a non-cached page to that effect, along with any other useful info/tips.

<html>
<head>
<title>Credentials Updated</title>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<style>
#content{border:3px solid #aaa;background-color:#fff;margin:40px;padding:40px;font-family:Tahoma,Helvetica,Arial,sans-serif;font-size:12px;}
  h1{font-size:20px;font-weight:bold;color:#196390;}
  b{font-weight:bold;color:#196390;}
</style>
</head>
<body bgcolor="#e7e8e9">
<div id="content">
<h1>Credentials Updated</h1>
<p>Your credentials have been updated with the firewall.  Please allow 1-2 minutes for this to take effect and try again.</p>
<p> </p>
<p>If you are using a laptop and are docked, or have a wired connection to the network, please disable your wireless connection and try again.</p>
<p> </p>
</div>
</body>
</html>