This article applies to:
Question:
Installed new firewall, and now users aren't getting the block page
Reply
Question: After installing a new firewall, users are still getting filtered--they're not able to access blocked sites--however, they're NOT getting the block page? Why?
The most likely scenario is that your new firewall has IP anti-spoofing enabled, and is dropping spoofed packets from the R3000(s).
When a user goes to a blocked site, the R3000 sends back an HTTP 302 redirect (redirecting the workstation to the block page), while SPOOFING the IP address of the blocked site. This is meant to trick the workstation into believing that the redirect came from the blocked site.
The workstation then requests the block page from the R3000 (or if you're using a custom block page, from your web server).
If your firewall has IP anti-spoofing enabled, it is likely dropping these HTTP 302 redirect packets from the R3000. (The packets are sent from the R3000's admin/block page interface, not the listening interface).
Try disabling IP anti-spoofing on your firewall and then see if you can get the block page. Most firewalls will allow you to keep IP anti-spoofing turned on, but ALLOW spoofing from specific servers (e.g. the R3000).
- This article was previously published as:
- 8e6 KB 300313