Guide
Start typing to search…
  1. Manage SIA
  2. Configure general settings

Customize error pages

Error pages appear when a user violates ​SIA​ policy. For example, when a user attempts to access content that is blocked by the AUP or attempts to access a blocked domain or IP address. An error page warns users that website access is prohibited and a violation occurred.

📘

The first time a policy is deployed with a Block action and an Error Page response, it may take up to 30 minutes for the error page to appear to the user.

​SIA​ includes error pages that you can customize. You can customize the appearance of these pages, the language of text, and some of the text that’s provided. If you don’t want to use a SIA error page, you can also choose to show an error page that’s hosted by your organization.

For a complete list of settings that you can modify in ​SIA​ error pages, see Error page customization. To use a hosted error page instead of ​SIA​ error pages, see Use a hosted error page.

Error pages appear in the language that is associated with the end-user's browser. These pages are translated by the browser.

Know the following:

  • If you deployed ​ETP Client​, a custom or hosted error page does not appear to end users who make requests from unidentified IP locations. Instead, the users see the Website Access Prohibited message without any customization.

  • If you configure a DNS Only policy, users who access blocked HTTPS websites will see a browser error page instead of a ​​SIA​​ error page by default. To show HTTPS error pages for blocked web traffic, enable the Enable HTTPS block pages for DNS only policies setting on the Connection Info page.

    Before you enable this setting, make sure you:

    • Create and distribute a proxy certificate to use the HTTPS block pages.
    • If you are using Zero Trust Client or Guardicore Platform Agent, enable Transparent Traffic Interception for Threat Protection.

    This page only appears in known locations. Users who make requests from unknown locations cannot see the HTTPS block pages. If you are using the Zero Trust Client, this page does not appear for blocked traffic that’s outside your organization’s network. To resolve this issue, your organization can now deploy the latest client that’s called Guardicore Platform Agent. For more information on Guardicore Platform Agent, see the Guardicore Platform Agent documentation.

Types of error pages

If you choose to use ​SIA​ error pages, these error pages are available:

  • Website Access Prohibited
  • Threat Website Warning
  • Acceptable User Policy Violation
  • Error Warning
  • User Authentication Error

Website Access Prohibited

This page warns that the website has been blocked based on the organization’s policy. The error page also indicates what URL was blocked.

This error page appears in these situations:

  • When a user from an Unidentified IPs location attempts to access a domain that may be a security risk. These users are typically remote users who access content from IP addresses that are not already configured as locations in ​SIA​.

  • When ​SIA​ proxy is disabled and malicious HTTP or HTTPS traffic is directed to Enterprise Security Connector version 2.5.0.

Threat Website Warning

IMAGE_STUB

This message appears when a user attempts to access a domain that is a known or suspected threat. If the proxy is enabled, these error pages also appear for malicious HTTP or HTTPS traffic. The message is specific to the threat type. For example, any one of these warnings may appear on this page:

  • Phishing Website Warning. Appears when a user attempts to access a domain that is known or suspected to perform phishing attacks.

  • Malware Website Warning. Appears when a user attempts to access a domain that is known or suspected to host malware.

  • C&C Website Warning. Appears when a user attempts to access a domain that is known to perform C&C communications.

  • Risky Domains. Appears when a user attempts to access a domain that is known or suspected to be a risk to your organization. These domains are considered risky because they belong to these threat categories: Adware, Coin Mining, Newly Registered, Newly Seen, Potentially Harmful, and DNS Tunneling.

Regardless of threat type, the error page also shows what URL was blocked.

For more information on ​SIA​ threat categories, see Threat categories.

Acceptable User Policy (AUP) or Application Visibility and Control (AVC) Violation

IMAGE_STUB

This message appears when a user violates the AUP or AVC settings in a policy. The message indicates which AUP or AVC category was violated. It also shows what URL was blocked.

If a file is blocked as a result of a DLP configuration, this message appears:

Error Warning

An error message similar to this one appears when ​SIA​ or ​SIA​ Proxy cannot connect to the requested website. This may occur in any of these situations:

  • Connectivity issue to the origin website.

  • TLS certificate issue. This includes cases where ​SIA​ Proxy cannot validate an origin certificate. If an ​SIA​ administrator chooses to block origin certificates that cannot be verified, this error page appears to the user.

  • Unknown user or group attempting to access a website.

The blocked URL is shown in the error page.

Depending on the situation, the error message may differ. For example, this error message appears when there is an issue with the TLS certificate:

The blocked URL is shown on the error page.

User Authentication Error

If authentication is enabled and configured in an acceptable use policy, this error message appears when a user enters invalid credentials to access a website.

IMAGE_STUB

The blocked URL is shown on the error page.

Error page customization

If you choose to use ​SIA​ error pages instead of an error that is hosted by your organization, you can modify these areas of the ​SIA​ error pages:

  • Logo. Area at the top-left of the page that is reserved for the logo image. You can upload an image in JPEG or PNG format.

  • Title. Title header of the page that indicates website access is prohibited. You can select the background color and the color of the text. You can also modify the font, font size, and style of the text.

  • Message Area. Area of the page that is reserved for:

    • The reason or cause of the error

    • The category associated with the error

    • A message and explanation

    • IT help desk contact information such as the email, phone, and the ticket URL

    In this area of the page, you can:

    • Select a supported language or languages for the error message.

    • Select the default language for the error page. If the user’s browser is not set to one of the selected languages, the error page appears in the default language.

    • Modify the color, font, font size, and font style of the text that appears on the page.

    • Select a background color for the message.

    • Define the explanation text that describes why the error occurred or the violation was detected.

    • Provide text that describes who users should contact for assistance.

    • Enter the IT email address, phone number, and ticket URL.

    • Show or hide the IT email address, phone number, or ticket URL.

      📘

      Many of these settings for customization are in limited availability. To try out these settings, contact your Akamai representative.

  • Window Background. Setting where you can select the background color of top and bottom of the page where no text is provided. You can also select whether you want to show the corner image.

Any modification you make to these areas impacts all error messages. For example, if you modify the font style of the message, the message in all of the error pages then uses the new font style.

Customize the ​SIA​ error pages

You can configure the appearance, language, and some of the text that appears for a SIA error page. An error page appears when a user attempts to go to a website that violates access control settings or is a known or suspected malware, phishing, or C&C communication security threat. Error pages appear for known or suspected domains that are configured in the policy with a Block action and the Error Page response. For details, see Error page customization.

Any modification that you make to an element or item of an error page is applied to all ​SIA​ error pages. For example, if you select a specific font for the message that is provided in an error page, all error pages use that font for the message.

To change the appearance of error pages:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Error Pages.

  2. To define images for the logo or favicon, click Upload and locate the image that you want to upload for each element. The image that’s used for the favicon cannot exceed 10 KB, and the image for the logo cannot exceed 100 KB.

  3. To define the Support information that appears in the error page, do the following:

    1. To show an email address, select Email and enter an email address in the provided field.
    2. To show a phone number, select Phone and enter a phone number in the provided field.
    3. To show a ticket URL, select Ticket URL and enter the URL in the provided field.

  4. To customize the language that’s used in the error page, complete these steps.

    1. Click the Texts tab.
    2. Click the plus sign icon to add a language.
    3. In the dialog that appears, select the language or languages.
    4. Click Add.
    5. Select the language that you want to set as the primary language and enable the This is the primary language toggle.

  5. To customize the text that explains the error and indicates who users should contact for assistance, complete these steps:

    1. In the Explanation field, enter text that explains why this error or violation was detected.
    2. In the Contact Reference field, enter text that describes who users should contact for further assistance.
      📘

      You cannot modify text for the title, reason, and category areas of the error page.

  6. To modify the appearance of the error page, complete these steps:

    1. Click the Color and fonts tab.
    2. Define the page background. You can upload an image or select a background color. If you upload an image, the image file cannot exceed 500 KB.
    3. For the page header (banner), select the background color, as well as the font color, font, font style, and font size.
    4. For the message modal, select the background color for the modal.
    5. For each area of the modal (reason, category, explanation, and contact reference), select the font color, font, font style, and font size of text.
    6. For the action buttons, select the button background color, the color of the button border, as well as the font, font color, font style, and font size for the button label.

  7. Click Save.

Use a hosted error page

If your organization maintains its own error pages, you can choose to show users a hosted error page instead of ​SIA​ error pages. When you enable this feature, users are redirected to the hosted error page for all blocked websites.

To use a hosted error page:

  1. In the Threat Protection navigation menu, select Policies > Error Pages.

  2. Enable Self Hosted Error Page.

  3. In the provided field for the host, enter the URL where your organization hosts the error page.

  4. Click Save.

Parameters in an error page URL

While an error page indicates that access is denied to a website, the URL of the page also provides additional information to your users and help desk administrators. This information includes the error type, host or URI that the user attempted to access, the type of error that occurred, and more. These parameters are available in the URL of ​SIA​ error pages and in the URL of the error page that's hosted by your organization.

The parameters in the URL may look like this:

https://error.etp.akamai.com/error.html?lang=en_US&cust=<ID>&category=CONTROL&class=NO_AUTH&host=<www.example.com>&uri=&source=<IP_ADDRESS>&unauthenticated_reason=auth_declined

This error page URL includes the configuration ID, the specific threat category, domain that the user tried to access, the source IP address, and the reason why access was denied.

Depending on the error, these parameters may appear in the error page URL:

ParameterDescription
langLanguage that's displayed for the error page
categoryShows the category that was blocked. One of these values may appear for this parameter:
  • THREAT. Indicates the website was blocked based on a threat category.
  • MALWARE. Indicates the website was blocked as malware.
  • CNC. Indicates the website was blocked as a command and control communication threat.
  • PHISHING. Indicates the website was blocked as a phishing threat.
  • CONTROL. Indicates the website was blocked as a result of an access control configuration.
  • AUP. Indicates the website was blocked as a result of an acceptable use policy configuration.
  • ERROR. Indicates an error occurred.
classValues that show additional details about the category. When a category is THREAT, the class parameter value includes three numerical values (for example, &class=1-2-3), where the middle numerical value represents the specific category ID. The category ID maps to these threat categories:
  • 1. Malware
  • 2. Phishing
  • 3. C&C
  • 4. Other
  • 5. DNS Exfiltration
  • 6. Risky domains
  • 7. File sharing AUP category

When the category is either AUP or CONTROL, the class parameter provides more details on the reason for the block. If the value is a numeric ID, this is the specific AUP or access control category ID that caused the block action. For more information on these IDs, see AUP and Access Control Category IDs.

If the category is ERROR, the error_type parameter will show the specific value.

error_typeType of error that occurred. Possible values for this parameter include:
  • DNS. Indicates there was a DNS error, such as the inability to resolve a domain.
  • Internal. Indicates an internal error occurred that prevented resolution.
  • TLS. Indicates a TLS error occurred such as an error with the MITM certificate.
  • IDP. Indicates an error occurred with an identity provider.
  • CONFIGURATION. Indicates there was a configuration error.
  • ORIGIN_CONNECTIVITY. Indicates there was an issue connecting to the origin or destination.
codeIf error_type information is provided, a code also appears with more specific information. Any one of these codes can appear:
  • 1. Indicates the error was a DNS resolution failure.
  • 6. Indicates that ciphers are not secure.
  • 7. Indicates there’s a invalid common name. The common name in the TLS certificate does not match the requested domain.
  • 8. Indicates there’s an invalid signature in the TLS certificate.
  • 9. Indicates there’s an invalid date associated with the TLS certificate. The date is before the “Not Valid Before” date.
  • 10. Indicates there’s an invalid date associated with the TLS certificate. The certificate has likely expired.
  • 11. Indicates there’s a self-signed certificate error and as a result, the connection is not trusted.
  • 12. Indicates an untrusted certificate authority (CA) was detected and as a result, the connection cannot be established with the origin.
  • 13. Indicates the origin certificate was revoked and as a result, the connection cannot be established.
  • 14. Indicates there was a problem performing a certificate revocation check.
  • 15. Indicates that an SSL failure occurred.
  • 16. Indicates that the SSL version is not secure.
  • 17. Indicates that an SSL handshake between the browser and the origin server failed.
  • 18. Indicates that the connection method is not allowed.
  • 19. Indicates there was a failure connecting to the origin.
  • 20. Indicates an identity provider is not configured but was required.
  • 21. Indicates an origin port is not allowed by the policy.
  • 140. Indicates there was an error at the origin.
  • 141. Indicates there was an error validating the origin certificate.
  • 142. Indicates there was a TLS error at the origin.
  • 143. Indicates there was a refused connection at the origin.
  • 144. Indicates that the connection was reset at the origin.
  • 145. Indicates there was a timeout error that occurred at the origin.
  • 200. Indicates there was an invalid identity provider response.
  • 201. Indicates that the identity provider response is stale and the request should be attempted again.
unauthenticated_reasonIndicates why an authentication failure occurred. Any of these reasons may appear:
  • unsupported_onramp. Indicates that traffic was not delivered from a source that supports user authentication.
  • noip. Indicates there’s no detected IP address and as a result, traffic does not appear to be from a trusted source.
  • auth_error_resp. Indicates there was an error verifying user identity for authentication.
  • session_creation_error. Indicates there was a session creation error and as a result, user identity cannot be confirmed.
  • session_store_error. Indicates there was a session store error.
  • auth_declined. Indicates the user skipped authentication.
hashThatCausedBlockThe hash value of the file that was blocked.
hostHost that user attempted to access.
uriURI that user attempted to access.

AUP and Access Control Category IDs

In a class parameter (for example, &class=1-2-3) of an error page URL, the middle numerical value represents the specific category ID. These numerical values map to the category ID that’s associated with AUP and access control operation categories.

For more information on AUP categories, see Acceptable use policy categories.

Numeric IDAUP Category or Access Control Operation Category
1Uploading
2Downloading
3Posting
4Sharing
5Editing
6Viewing Contents
7Chatting
8File Transfer
9Listening
10Viewing Mail
11Sending Mail
12Sending Attachments
13Calling
14Searching
15Login/Authentication
16Alcohol/Tobacco
17Broadcasting
18Paying and Transferring Money
19Inviting
20File Sharing
22Healthcare
23Financing & Investing
31Chat
33Virtual Community
34Forums & Message Boards
35Blogging
37Personals & Dating
38Gore
39Hate
40Violence
46Weapons Related
47Lingerie
49Nudism & Naturism
50Hacking
51Plagiarism
52Criminal Skills
53Peer to Peer
54Anonymizers
55Streaming Websites
56Pornography Websites
60Self Harm
70Sex Education
71Motor Vehicles
72Real Estate
73Business & Economy
74Marijuana
75Abortion
76Kids
77Military
78Legal
79Government
80Travel
81Entertainment & Arts
82Local Information
83Hunting & Fishing
84Recreation & Hobbies
85Music
86Image & Video Search
87Fashion & Beauty
88News & Media
89Political Advocacy
90Cult & Occult
91Religion
92Training & Tools
93Job Search
94Translation
95Reference & Research
96Educational Institutes
97Search Engines
98Web Advertisements
99Auctions
100Shopping
101Home & Garden
102Online Greeting Cards
103Computer & Internet Security
104Computer & Internet Info
105Keyloggers & Monitoring
106Dead Sites
107Shareware & Freeware
108Pay to Surf
109Internet Portals
110Web-Based Email
111Spyware & Adware
112Content Delivery Networks
113Confirmed Spam Sources
114Spam URLs
115Dynamic Content
116Parked Domains
117Web Hosting
118DNS-over-HTTPS Providers
119IT Services
120Productivity and CRM Tools
121Sales and Marketing
122System & Development
123Collaboration and Online Meetings
124General Internet (News, Utilities, Misc)
125Document Management
127Individual Stock Advice & Tools
128Child Abuse / Exploitation

Enable HTTPS block pages for DNS only policies

Complete this procedure to show HTTPS block pages for web traffic when DNS Only is selected as the policy type. This page only appears in known locations. Users who make requests from unknown or unidentified locations cannot see the HTTPS block page.

Before you begin:

  • If you haven’t done so already, make sure you create and distribute a proxy certificate. For more information, see Create a SIA Proxy MITM certificate.
  • Make sure Transparent Traffic Interception is enabled for Zero Trust Client.

To enable HTTPS block pages for DNS only policies:

  1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Connection Info.
  2. Turn on the toggle for Enable HTTPS block pages for DNS only policies.
  3. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next Steps:

If you haven’t deployed the policy, make sure you deploy it to the ​​SIA​​ network. For instructions, see Deploy configuration changes.

Updated 3 days ago