About HTTP Response Pages
As part of access control, you can configure an HTTP response page to display when the system blocks web requests, using either access control rules or the access control policy default action.
You can choose a generic system-provided response page, or you can enter custom HTML. The response page displayed depends on how you block the session:
Block or Block with reset—A blocked session times out or resets. The Block Response Page overrides the default browser or server page that explains that the connection was denied.
Interactive Block or Interactive Block with reset—The system can display an Interactive Block Response Page to warn users, but also allow them to click a button (or refresh the page) to load the originally requested site. Users may have to refresh after bypassing the response page to load page elements that did not load.
HTTP response pages do not always appear when the system blocks web traffic; see Limitations to HTTP Response Pages.
Limitations to HTTP Response Pages
HTTP response pages do not always appear when the system blocks web traffic.
Configurations Other Than Access Control Rules
The system displays a response page only for unencrypted or decrypted connections blocked (or interactively blocked) either by access control rules or by the access control policy default action. The system does not display a response page for:
Tunnels and other connections blocked by a prefilter policy
Connections blacklisted by Security Intelligence
Encrypted connections blocked by an SSL policy
Promoted Access Control Rules
The system does not display a response page when web traffic is blocked as a result of a promoted access control rule (an early-placed blocking rule with only simple network conditions).
Before URL Identification
The system does not display a response page when web traffic is blocked before the system identifies the requested URL; see Guidelines and Limitations for URL Filtering.
The system displays a response page for connections decrypted by the SSL policy, then blocked (or interactively blocked) either by access control rules or by the access control policy default action. In these cases, the system encrypts the response page and sends it at the end of the reencrypted SSL stream.
However, the system does not display a response page for encrypted connections blocked by access control rules (or any other configuration). Access control rules evaluate encrypted connections if you did not configure an SSL policy, or your SSL policy passes encrypted traffic.
For example, the system cannot decrypt HTTP/2 or SPDY sessions. If web traffic encrypted using one of these protocols reaches access control rule evaluation, the system does not display a response page if the session is blocked.