

Firewall policy "drop" shows block page on HTTP connections

When I configure a policy to "drop" on all destination IPs and ports, I expect it to drop the traffic without notifying the user. However, I am receiving the "Stop! This website is blocked" page when I try to view any HTTP website. I would like it to drop the packets silently. How do I configure this?

I am running SFOS 18.0.1 MR-1-Build396

  • Hi,

    I think this is part of the expected behavior from Web > User notifications.

    I tested on my XG with the same build, and a Drop rule would notify the user when browsing to HTTP (or decrypted HTTPS).

    If you add a Reject rule instead of Drop, then the user gets a TCP RST response from the firewall instead of the HTTP block page. Not a silent drop, but no notification or web redirect to a block page.

    You can also add an Allow rule for HTTP with Deny All as Web Policy, then go to the Zone of the firewall and turn off the Captive Portal:

    System > Administration > Device Access > remove Captive Portal*

    Note:

    Turning off access to captive portal stops user notifications from appearing. Example: Web filter and Sandstorm notification pages

    This is a little different than Reject (TCP RST) because the user might get redirected to the XG IPS block page (in the browser URL bar) but the page will not display.

    Ex: XG_HOSTNAME:8090/.../default

    Hope that helps,

    Patrick
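A way to verify which of the three outcomes a rule actually produces from the client side, as an added example that is not code from this thread or from Sophos: a small Python probe that classifies a plain-HTTP request as silent drop (timeout), reject (TCP RST), block page, or redirect, exercised here against a constructed loopback stand-in for the notification page and a closed port. The marker phrases, the 8090 redirect heuristic and the function names are assumptions.

```python
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Phrases from the SFOS notification page quoted in the thread (assumed markers).
BLOCK_MARKERS = ("This website is blocked", "Stop!")

def classify_http_probe(host, port, timeout=3.0):
    """One plain-HTTP GET; returns what the client observed:
    silent-drop (no SYN/ACK or no reply before timeout: Drop rule),
    reject-rst (refused/reset by a TCP RST: Reject rule), block-page
    (reply carries the notification text), redirect (3xx elsewhere,
    e.g. to the firewall's :8090 portal) or allowed."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        body = resp.read(65536).decode("utf-8", "replace")
    except (socket.timeout, TimeoutError):
        return "silent-drop"
    except (ConnectionRefusedError, ConnectionResetError):
        return "reject-rst"
    if any(marker in body for marker in BLOCK_MARKERS):
        return "block-page"
    if 300 <= resp.status < 400 and resp.getheader("Location"):
        return "redirect"
    return "allowed"

class _BlockPage(BaseHTTPRequestHandler):
    """Constructed loopback stand-in for the firewall's block page (demo only)."""
    def do_GET(self):
        html = b"<html><body><h1>Stop! This website is blocked</h1></body></html>"
        self.send_response(403)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(html)))
        self.end_headers()
        self.wfile.write(html)
    def log_message(self, *args): pass  # silence request logging

def start_block_page_server():
    srv = HTTPServer(("127.0.0.1", 0), _BlockPage)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]

def closed_loopback_port():
    """Pick a loopback port nothing listens on, so connect() is refused."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Point `classify_http_probe` at a real destination behind the firewall (with the probe run from a client host) to see which of the behaviours described above the rule actually yields; a true Drop on the firewall shows up as `silent-drop` only when nothing in between answers the SYN.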
