Blocked site gets the "Network Authentication" page instead of the "Blocked Request" page...

I just figured out how to set the XG Firewall to use it only with Web Filtering.
Now when I hit a blocked policy, I'm redirected to the Captive Portal and I get the Network Authentication page to log in.
But I want to get the "Blocked Request" page and not the Network Authentication page.
How do I accomplish this?

  • Hi PabloDiablo,

    Under page System > System Services > Authentication Services in section Captive Portal Settings change the option "Unauthenticated users redirection" to No ( Access Denied )
  • In reply to CarlosCesario:

    I too have the same problem! But disabling redirection (setting "Unauthenticated users redirection" to No) always shows the login page! I also tried to do a hard reset of the device, but the problem persists!
  • In reply to MarioRossi:

    Configure Access Denied under Captive portal, create a policy user where you allow certain users to a website, under this policy create a denied policy for http/https protocols.

  • Same here, still Network Authentication page.
    Your advice: "Configure Access Denied under Captive portal, create a policy user where you allow certain users to a website, under this policy create a denied policy for http/https protocols."
    I don't understand where I can find "policy user" or where I should create it. Could you please clear this up for me?
  • In reply to PabloDiablo:

    Sorry for my quick reply (from iPhone).
    Anyway, you need to create a Policy Rule to allow users to access http/https websites, then under this policy create another Policy denying http/https for internal networks.
    See attachment.
  • Thanks for the reply.
    This is to allow the traffic to go through the proxy. But the point is that when a site is blocked it should show "Blocked Request"-page and not the "Network Authentication"-page. Also by disabling "Unauthenticated users redirection" (set to No) it still ain't showing....
  • In reply to PabloDiablo:


    Can you share your Policy settings and Authentication settings too?

  • I am also seeing PabloDiablo's issue, and I've got about the most basic test setup you can get - two virtual machines - one XG one debian - freshly installed. Debian is behind the XG.

    The only policies are one allowing HTTP/HTTPS traffic for unauthenticated users that goes through the "Deny All" web filter, and then a default policy blocking traffic. That's it.

    Under "Authentication Services" "Captive Portal Settings" I have "unauthenticated users redirection" set to NO.

    Browsing to any website from Debian yields a login screen, not an access denied message.

    I _HAVE_ seen an access denied message... as I could have SWORN I had this working on my "live" xg box - but it just redirects as well regardless of the setting, hence my virtual test... so there is something wrong here.
  • In reply to ChavousCamp:

    I can acknowledge the behavior as well. I don't get the blocked request screen from the proxy. But I had it too.
    I only get the custom screen of the captive portal.
    And the messages only come with category and username if logged in, even if no access is given.
  • Just came across this (since I am seeing the same issue). I just want to make things clear for those trying to follow along.

    Webfiltering is supposed to throw a block page when a blocked website is requested.

    1. If webfiltering is enabled, but captive portal is disabled for the zone, all you will get is nothing. The browser will sit there requesting some page from the gateway that never gets served up.

    2. If you have captive portal enabled; you get one of two pages (according to a setting). The setting is Gear Icon -> Authentication -> Authentication Services -> Unauthenticated users settings (at the bottom).
    2A. If the radio button is set to "captive portal", the requester will see a login page
    2Aa. If the requester can log into the captive portal, they will see the proper block page.
    2B. If the radio button is set to "Custom Message", they will see a page that says "You are not authorized to access.."

    The only way to currently get some sort of a "block page" is to change the settings as described in 2B, and change the custom message to something like this:

    <p align="center">The web site you are trying to access: {url} is currently blocked.<br>If you believe it's been blocked in error, please contact your IT department.</p>

    The "{url}" entry will display the url the requester is trying to access.

  • In reply to AlanMoser:

    Agreed, Alan, I found the same, and I do understand what Sophos is after - every user, authenticated, every time. I imagine we'd get a nice, pretty block screen if we logged in with a user that did not have access...

    Per the docs, or at least per my understanding of the docs, that's not "how it's supposed to work." When Redirection is set to no, the user should not be redirected AT ALL - and should just receive a message saying it is blocked.


    Captive Portal Settings

    Unauthenticated users redirection
    Select "Yes" to redirect the access request of unauthenticated user either to the Captive Portal or Custom Message page.
    Select "No" to display "Access Denied" message to unauthorized user.

    I've opened a ticket w/ Sophos support.   I'll let you guys know what they say.

  • In reply to ChavousCamp:

    Hi PabloDiablo :)

    Can you try disabling NTLM authentication?
    Edit your LAN Zone, and under Devices Access / Authentication Services => uncheck NTLM

    Retry, and it should roxxx :)
  • In reply to ArnaudDEMUYNCK:

    It does not work for me. Still the custom page of the captive portal is displayed.
  • Support was able to reproduce it - or nearly enough - and has escalated the issue.