When you block a user’s HTTP web request using an access control rule, setting the rule action to Interactive Block or Interactive Block with reset gives that user a chance to bypass the block by clicking through a warning HTTP response page. You can display a generic system-provided response page or you can enter custom HTML.

You configure the interactive HTTP response page separately from the response page you configure for Block rules. For example, you could display the system-provided page to users whose sessions are blocked without interaction, but a custom page to users who can click to continue.

By default, the system allows users to bypass blocks for 10 minutes (600 seconds) without displaying the warning page on subsequent visits. You can set the duration to as long as a year, or you can force the user to bypass the block every time. This limit applies to every Interactive Block rule in the policy. You cannot set the limit per rule.

If the user does not bypass the block, matching traffic is denied without further inspection; you can also reset the connection. On the other hand, if a user bypasses the block, the system allows the traffic. Allowing this traffic means that you can continue to inspect unencrypted payloads for intrusions, malware, prohibited files, and discovery data. Note that users may have to refresh after bypassing the block to load page elements that did not load.

Logging options for interactively blocked traffic are identical to those in allowed traffic, but if a user does not bypass the interactive block, the system can log only beginning-of-connection events. When the system initially warns the user, it marks any logged beginning-of-connection event with the Interactive Block or Interactive Block with reset action. If the user bypasses the block, additional connection events logged for the session have an action of Allow.
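The logging behavior described above lets an analyst tell which warnings were clicked through. The following is an added example, not code from the product or its documentation: the event tuple layout, the (client, host) correlation key, and the sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

WARN_ACTIONS = {"Interactive Block", "Interactive Block with reset"}
DEFAULT_BYPASS_SECONDS = 600  # default bypass duration stated in the text

# Constructed sample connection events: (epoch seconds, client IP, host, action).
# The tuple layout is an assumption for illustration, not a product export schema.
SAMPLE_EVENTS = [
    (1000, "10.0.0.5", "games.example", "Interactive Block"),
    (1012, "10.0.0.5", "games.example", "Allow"),
    (1300, "10.0.0.5", "games.example", "Allow"),
    (2000, "10.0.0.9", "games.example", "Interactive Block with reset"),
    (2500, "10.0.0.7", "news.example", "Allow"),
    (5000, "10.0.0.5", "games.example", "Interactive Block"),
]


def classify_warnings(events, bypass_seconds=DEFAULT_BYPASS_SECONDS):
    """Pair each warning event with the Allow events that follow a bypass.

    Events are grouped by (client, host), an assumed correlation key. The first
    Allow after a warning is treated as the bypass; later Allow events count
    while they fall inside the bypass duration and no new warning appears.
    """
    grouped = defaultdict(list)
    for ts, client, host, action in sorted(events):
        grouped[(client, host)].append((ts, action))

    results = []
    for (client, host), seq in grouped.items():
        for i, (ts, action) in enumerate(seq):
            if action not in WARN_ACTIONS:
                continue
            bypassed_at, allowed = None, 0
            for later_ts, later_action in seq[i + 1:]:
                if later_action in WARN_ACTIONS:
                    break  # warned again: the earlier bypass expired or never happened
                if later_action != "Allow":
                    continue
                if bypassed_at is None:
                    bypassed_at = later_ts  # first Allow marks the click-through
                elif later_ts - bypassed_at > bypass_seconds:
                    break  # outside the bypass duration
                allowed += 1
            results.append({"warned_at": ts, "client": client, "host": host,
                            "action": action, "bypassed_at": bypassed_at,
                            "allowed_connections": allowed})
    return sorted(results, key=lambda r: r["warned_at"])
```

A warning with `bypassed_at` of `None` corresponds to the case where only the beginning-of-connection event exists; pass the policy's configured bypass duration as `bypass_seconds` if it differs from the default.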

In the following situations, the response page does not appear and traffic is blocked without interaction, even if the session matches an Interactive Block rule:

- if the session was or is encrypted; this includes sessions decrypted by the system
- after a connection has been established and allowed to flow for a few packets so the system can inspect it for requested URLs and application details.

Tip: To quickly disable interactive blocking for all rules in an access control policy, display neither the system-provided page nor a custom page. This causes the system to block all connections that match an Interactive Block rule without interaction.