Requirement:Starting from 4.1 has supported to send HTTP 200 deny information for URL denied by URL filtering. Some customer want that client who access blocked URL should be redirected to custom page/URL. This redirected function has higher priority than original HTTP 200 function.
In 4.2 we can set redirect URL when client access URL which denied by IAP.
Numbers of custom URLs is up to 8. The format of command just like “dpi-error-page-url index http://www.google.com” and URL must be absolute URL which start with a scheme “http://” or “https://”.
Solution:In 4.2 we can set redirect URL when client access URL which denied by IAP.
Numbers of custom URLs is up to 8. The format of command just like “dpi-error-page-url index http://www.google.com” and URL must be absolute URL which start with a scheme “http://” or “https://”.
Configuration:Custom error page for web access denied by AppRF policies How to use "Custom Blocked Page URL"
WebUI configuration
Step1: Add a Custom Blocked Page URL “https://www.sohu.com/”
IAP UI - Security > Custom Blocked Page URL
Step2:binding the URL to a Roles “example”
IAP UI - Security > Roles > Rule type > Blocked Page URL
Step3: Also need to configure DPI ACL deny rule
IAP UI - Security > Roles > Rule type > Access control
CLI configuration:
9c:1c:12:c7:e5:72#configure t
9c:1c:12:c7:e5:72(config) #dpi-error-page-url 0 http://www.sohu.com
9c:1c:12:c7:e5:72(config) #wlan access-rule example
9c:1c:12:c7:e5:72(Access Rule "example") #dpi-error-page-url 0
9c:1c:12:c7:e5:72(Access Rule "example") #rule any any match app baidu deny
9c:1c:12:c7:e5:72(Access Rule "example") #no rule any any match any any any permit
9c:1c:12:c7:e5:72(Access Rule "example") #rule any any match any any any permit
9c:1c:12:c7:e5:72(Access Rule "example") #end
9c:1c:12:c7:e5:72#commit apply
Show run
wlan access-rule example
index 3
dpi-error-page-url 0
rule any any match app baidu deny
rule any any match any any any permit
Verification
- Check the VC DNS IP setting via "show summary"
ac:a3:1e:c5:9c:80# show dpi-error-page-urls
Global DPI error page URLs Config
---------------------------------
ID URL
-- ---
0 http://www.sohu.com
ac:a3:1e:c5:9c:80# show access-rule example
Access Rules
------------
Dest IP Dest Mask Dest Match Protocol (id:sport:eport) Application Action Log TOS 802.1P Blacklist App Throttle (Up:Down) Mirror DisScan ClassifyMedia Time Range Profile
------- --------- ---------- ------------------------- ----------- ------ --- --- ------ --------- ---------------------- ------ ------- ------------- ------------------
any any match app baidu deny
any any match any permit
Vlan Id :0
ACL Captive Portal:disable
ACL ECP Profile :default
CALEA :disable
DPI error page URL:0 http://www.sohu.com
- Check redirect URL on Client browser
If the clients access www.baidu.com, the following redirect URL “www.sohu.com” will happen on browser as below:
http://www.sohu.com/?user_ip=%3C192.168.1.105%3E&dest_ip=%3C115.239.210.27%3E&app_name=%3Cbaidu%3E&web_rep=%3Ctrustworthy-sites%3E&web_cat=%3Csearch-engines%3E
- Check redirect URL for Packet captured on Client.