Setting up your Block Page and your Block Page Bypass
An important step when configuring policies is to ensure that you're giving the right information to your users if they are blocked under Security or Content categories. As the Umbrella administrator, you may wish to exempt users from being blocked during certain times and you can set up the rights to do that as well.
Some helpful terms to know:
- Block Page—The page that's displayed in the browser when a user of your Umbrella service tries to go to a website that's been blocked under the category defined by the policy for the Identity that user falls under.
- Block Page Bypass—The method by which certain users who have been given special authority can bypass a normal block page. There are two ways you can bypass a block page: having a user account (a bypass user) or having a special code (a bypass code).
- Block Page Bypass User—A special user account that gives the rights to certain individuals or a group of individuals to go to blocked sites while still being part of the enforcement given to the larger policy group to which they belong.
- Block Page Bypass Code—A code that can be given to individuals or groups of individuals to allow them to go to some or all blocked websites until such time as the code expires.
Not all categories can be bypassed. If a user is blocked for a Security or Malware category, the site is considered malicious and should not be accessed under any circumstances. If you think a domain shouldn't be blocked, please email us at security-block@opendns.com.
If you'd like to know more about a block or have us review it in more detail, open a case by emailing umbrella-support@cisco.com with information about the domain and our support and security teams will review.
The following policy settings can be bypassed:
- Content category blocks
- Destination list blocks—these are destination lists you've created
Getting Started with Block Page Appearance Settings
- Navigate to Policies > Block Page Appearance and click the + (Add) icon.
- Give your block page a meaningful name and then select how to treat block pages: The Same or Differently.
If you select Differently, you can select contextual block pages for different types of blocking: Blocked by Category Setting, Blocked by Destination List Setting, Blocked by Phishing Setting or Blocked by Security Setting.
If you set a custom message, you may insert [domain] into a custom message, which is substituted with the actual domain name that the end user attempted to browse to.
Optionally select for display a default message, select a custom message, or redirect users to a URL.
- Click Preview Block Page at any time to see what your Block page will look like.
- You can optionally check Allow blocked users to contact an admin from the block page and add a graphics file to display as a custom logo on the block page.
This brands the block page, making it clear where the block is coming from.
- Click Save.
This block page becomes available for selection when configuring policies.
- Navigate to Policies > Policy List and click the + (Add) icon.
- Click through the wizard (making configuration selections as needed) until you reach the Block Pages step.
- Select Use a Custom Appearance and choose the block page you configured above.
- Click Next, review your policy and then click Save.
Using a Block Page Redirect Instead of a Block Page
As an alternative to having a static block page, you can redirect users to another page such as the website for your organization's acceptable use policy.
If you redirect users to a different URL, you do not need to include http://. However, if you wish to send them to an encrypted web page, you should include https:// before the URL.
Note:
If a policy has a Block Page User or a Block Page Code applied to it, the Block Page Redirect will be disabled because it is not possible to bypass a block when the block immediately redirects to another page.
Setting up a Block Page Bypass User
A "Block Page Bypass" user is a special username and password that can be given to one or more users in order to provide them with rights to bypass pages that are typically blocked through policy settings. This user can be thought of as being a special set of rights that are given to individuals as required. The Block Page Bypass user has no ability to log into the dashboard or do any administrative functions other than bypass blocked sites.
- Navigate to Policies > Block Page Settings > Bypass Users. Alternately, the block page bypass user can be created by editing the Block Page Appearance in the summary of a policy. The edit for this setting is in the lower right corner of the policy summary.
- From the Bypass User drop-down list, choose a <user>.
When a block page shows up, the user then enters their credentials and bypasses it.
- Select how the user can bypass a block page.
- Click Save.
The "Block Page Bypass" user gives the rights to certain individual people, or a group of people to go to blocked sites while still being part of the enforcement given to the larger policy group they belong to.
To set up a brand new bypass user, that is, an account with rights to authenticate against the block page and continue browsing, first create the user with the Block Page Bypass role.
- Navigate to Settings > Accounts and click the + (Add) icon.
- Choose BPB User from the drop-down list.
- Click Create and in the pop-up modal click Yes to configure Block Page Bypass settings for the user. The Add New Bypass User page opens (Policies > Bypass Users).
- If you click No Thanks, you can change the settings for the user you've created under Block Page Settings > Bypass Users or add the settings as part of the policy summary as described earlier.
- Add a new bypass user and click Save.
Creating a Block Page Bypass Code
A Block Page Bypass Code is a code that can be given to users through email, instant messenger or the phone to allow an instant bypass of a particular blocked page.
- Navigate to Policies > Block Page Settings > Bypass Codes and click the + (Add) icon.
You can also access this page from the Summary page of a policy. Click Edit for the Block page applied.
- Set the code to either allow access to all sites or a subset of the content category or destination lists you've defined.
- The code can be set to expire at a day in the future and at an hour of that date.
- Click Save.
Tip:
If you want a code to never expire, set it for 10 years in the future as in the example below.

WARNING!
If a policy does not have a Block Page User or a Block Page Code applied to it, the Block Page Redirect will be disabled and the standard block page will appear. Codes and Users will not work unless they are first enabled.
Removing a Bypass Code
- Navigate to Policies > Block Page Settings > Bypass Codes.
- Expand the code you want to delete and click Delete.
Interacting with a Block Page As a User
As an administrator, you can preview the block page; however, not all elements of the page will be accurately reflected in Preview Mode. This is a problem that's being worked on and will change in the future.
As a standard (non-bypass) user, if you were to go to a website blocked under your Umbrella policy, you would see a standard block page like this. This example has a custom block page message that includes a link to an acceptable use policy from this organization, as well as a custom logo for this organization.
Note:
Keep in mind that the block page bypass will not work with domains blocked due to malicious activity (such as malware or phishing). You can only access the bypass block page if the domain was blocked due to content category settings or domain block lists. The "Admin" link will not appear if the domain was blocked as malicious activity.
At the bottom of the block page, there are two hyperlinks that may appear:
- Contact your network administrator—Allows a user to email the administrator if the user thinks the block is in error.
- Admin—This allows a user with a bypass user or a code to access the part of the page that asks for that information.
Below is the same block page for a policy that has both a user and a code configured for it.
Destination Lists and Allow-Only Mode
Destination lists allow the customization of filtering by creating a list of destinations that are explicitly blocked or allowed. When a user goes to a destination (for example, a web site) listed on a Block list, the user is presented with a Block page rather than the web site expected.
To create a destination list, you can add a destination list as you are configuring a policy or at any other time as described below.
- Navigate to Policies > Policy Components > Destination Lists and click the + (Add) icon.
- Select whether this is a Blocked or Allowed destination list, add destinations (in this case, domains) and click Save.
If this is a Blocked destination list, users will need bypass rights or a bypass code to access blocked sites.
- Navigate to Policies > Policy List and click the + (Add) icon.
- Click through the wizard (making configuration selections as needed) until you reach the Destinations step.
- Select the Allowed Destination list you configured above.
- Click Next until you have completed the wizard and when prompted click Save.
When enabled, Allow-Only mode blocks the whole of the internet and only domains on Allowed Destination lists can be accessed. "Allow-Only" mode should be used only in cases where you wish to allow access to a small subset of domains and block *all* other domains. Use caution when enabling this feature as you can easily block more than intended. All sites a user goes to will result in a Block page except for those listed in Allowed destination lists that are part of the policy for the identity in question.
- Navigate to Policies > Policy Lists and click the + (Add) icon.
- Click Next until you reach the What should this policy do? page.
- Under Advanced Settings, enable Allow-Only Mode.
- Click Next until you reach the Destinations page and select the Allowed Destination list you configured above.
- Click Next until you have completed the wizard and when prompted click Save.
Appended Umbrella HTTP Query Parameters
For templates of the information presented below, please see our template source GitHub!
When you choose to use a custom block page, a qualifying event such as a bad or blocked domain name triggers Umbrella to call the URL specified and append several HTTP query parameters, including but not limited to the parameters defined in the following table.
HTTP Parameter | Description |
---|---|
url | ROT13 and Percent encoded URL (domain) that was entered by end-user. Encoding ensures pass-through to internal resource in environments where other firewall and filtering is employed. Encoded URL: jjj.cynlobl.pbz%2Fzntnmvar%2Fsrngherf%2F |
type | The request type that triggered the redirect event. Types include: |
cats | When the redirection is the result of a request blocked because it matches configured Umbrella Web content filtering categories, those matches are presented as a Percent-encoded JSON object. For example, the domain entered by the user is found in the Umbrella Nudity and Pornography categories, so the following is sent: |
Umbrella performs minimal validation of custom URLs to allow the use of the widest range of internal resources. The only requirements are that the URL have a scheme (i.e. the http:// part) and a domain (one or more alphanumeric characters after the scheme and before the optional trailing forward-slash).
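An added example (not from the original article or from Cisco) of how the internal page that receives the redirect could decode the appended parameters and render the blocked destination safely. The url value is the encoded sample from the table above; the type and cats values are constructed placeholders, the JSON shape of cats is an assumption, and parse_redirect and render_notice are hypothetical names.

```python
import codecs
import html
import json
from urllib.parse import parse_qs, urlsplit

# Constructed request: the url value is the encoded sample from the table above;
# the type and cats values are placeholders, not real Umbrella values.
SAMPLE = (
    "https://intranet.example/blocked"
    "?url=jjj.cynlobl.pbz%2Fzntnmvar%2Fsrngherf%2F"
    "&type=TYPE_PLACEHOLDER"
    "&cats=%5B%22Constructed%20Category%22%5D"
)


def parse_redirect(request_url):
    """Decode the url, type and cats parameters appended to the redirect."""
    # parse_qs undoes the percent-encoding; ROT13 still has to be reversed.
    params = parse_qs(urlsplit(request_url).query, keep_blank_values=True)

    def first(name):
        return params[name][0] if name in params else None

    blocked = first("url")
    if blocked is not None:
        blocked = codecs.decode(blocked, "rot_13")

    cats = first("cats")
    if cats is not None:
        try:
            cats = json.loads(cats)  # assumed shape: any valid JSON value
        except json.JSONDecodeError:
            cats = None  # malformed or tampered value: ignore it

    return {"url": blocked, "type": first("type"), "cats": cats}


def render_notice(parsed):
    """Build an HTML fragment; the query string is caller-controlled, so escape it."""
    blocked = html.escape(parsed["url"] or "unknown destination")
    return f"<p>Access to <code>{blocked}</code> was blocked.</p>"


if __name__ == "__main__":
    print(render_notice(parse_redirect(SAMPLE)))
```

ROT13 is an encoding, not a secret: anyone can request the custom page with their own query string, so the decoded values should be handled as untrusted input, as render_notice does.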