[ScreenOS] Internal Web Filtering with SurfControl via HTTPS Fails When URL is Included in Custom Category

Article ID: KB15583 KB Last Updated: 26 Nov 2019 Version: 4.0
Summary:

HTTPS requests result in a Page Not Found error when the URL is included in a Custom Category for Web Filtering. This article provides a workaround.

Note: This article applies to all ScreenOS versions.

Symptoms:
  • Only URLs specified in custom categories are permitted. All other sites are to be blocked.

  • Web filtering via HTTP is working.

  • Web filtering via HTTPS is intermittently failing.

Cause:

This is a limitation of Integrated Web Filtering with HTTPS: dynamic DNS resolution for Integrated Web Filtering is not supported with SSL. HTTPS with predefined categories works because the destination IP address is sent directly to the SurfControl server for URL categorization, but the problem occurs when a custom category is used.

With HTTPS and Integrated Web Filtering, the URL cannot be extracted because it is encrypted. In this scenario, the DNS cache must be searched to obtain the DNS name for web filter categorization. If a custom category is defined by URL and the DNS cache lookup is not successful, the category search fails and the HTTPS request fails, typically with a Page Not Found error. This may occur if the DNS TTL has expired, so that the DNS entry no longer matches.

The problem does not occur with HTTP, because the URL is not encrypted and can be extracted.

Solution:

Workaround

If you want to rely only on Custom Profiles, specify the URL by IP address instead of DNS name; the request can then be matched against the custom profile you create. Otherwise, let the predefined category do its comparison, and then permit or deny based on the category.
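
The lookup order described under Cause, and the effect of the workaround, can be reproduced with a small model. This is an added example, not ScreenOS code: the class, function names, hostname, and addresses are constructed, and a failed category match is simplified to a "block" verdict.

```python
# Simplified model of the behaviour described in this article (assumption:
# not ScreenOS internals). Hostname and IP address are constructed samples.
from dataclasses import dataclass, field

@dataclass
class DnsCache:
    """IP -> (hostname, expiry time) entries learned from DNS replies."""
    entries: dict = field(default_factory=dict)

    def learn(self, hostname, ip, ttl, now):
        self.entries[ip] = (hostname, now + ttl)

    def name_for(self, ip, now):
        hit = self.entries.get(ip)
        if hit is None or now >= hit[1]:
            return None          # never cached, or DNS TTL expired
        return hit[0]

def filter_request(scheme, host, dst_ip, custom_category, cache, now):
    """Verdict for a policy that permits only entries in the custom category."""
    if scheme == "http":
        candidates = {host}      # URL is readable in cleartext
    else:
        # HTTPS: URL is encrypted, only the destination IP is visible.
        # The DNS name is recovered from the cache when an entry is still valid.
        candidates = {dst_ip}
        name = cache.name_for(dst_ip, now)
        if name is not None:
            candidates.add(name)
    return "permit" if candidates & custom_category else "block"

def demo():
    cache = DnsCache()
    cache.learn("portal.example.com", "192.0.2.10", ttl=60, now=0)
    by_name = {"portal.example.com"}   # custom category defined by DNS name
    by_ip = {"192.0.2.10"}             # workaround: defined by IP address
    ip = "192.0.2.10"
    return {
        "http_after_ttl": filter_request("http", "portal.example.com", ip, by_name, cache, 120),
        "https_cache_fresh": filter_request("https", None, ip, by_name, cache, 30),
        "https_cache_expired": filter_request("https", None, ip, by_name, cache, 120),
        "https_expired_ip_entry": filter_request("https", None, ip, by_ip, cache, 120),
    }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

The same HTTPS destination is permitted while the cache entry is valid and blocked once the TTL has passed, which is the intermittent failure listed under Symptoms; the IP-based category entry does not depend on the cache.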

Modification History:

2019-11-26: Added cause and removed unsupported devices from the list of categories
