Guide
TrainingSupportCommunity

Customize error pages

Suggest Edits

Error pages appear when a user violates ​SIA​ policy. For example, when a user attempts to access content that is blocked by the AUP or attempts to access a blocked domain or IP address. An error page warns users that website access is prohibited and a violation occurred.

📘

The first time a policy is deployed with a Block action and an Error Page response, it may take up to 30 minutes for the error page to appear to the user.

​SIA​ includes error pages that you can customize the appearance of or you can select to show error pages that are hosted by your organization.

For a complete list of settings that you can modify in ​SIA​ error pages, see Error page customization. To use a hosted error page instead of ​SIA​ error pages, see Use a hosted error page.

Error pages appear in the language that is associated with the end-user's browser. These pages are translated by the browser.

Know the following:

  • If you deployed ​ETP Client​, a custom or hosted error page does not appear to end users who make requests from unidentified IP locations. Instead, the users see the Website Access Prohibited message without any customization.

  • If you configure a DNS Only policy, users who access blocked HTTPS websites will see a browser error page instead of a ​​SIA​​ error page by default. To show HTTPS error pages for blocked web traffic, enable the Enable HTTPS block pages for DNS only policies setting on the Connection Info page.

    Before you enable this setting, make sure you:

    • Create and distribute a proxy certificate to use the HTTPS block pages.
    • If you are using Zero Trust Client, enable Transparent Traffic Interception for Threat Protection.

    This page only appears in known locations. Users who make requests from unknown locations or from clients that are off your organization’s network cannot see the HTTPS block pages. If you can enable SIA proxy to show HTTPS error pages, select DNS + Proxy as the policy type instead of using this option.

    This feature is currently in limited availability. To show the Enable HTTPS block pages for DNS only policies setting, contact your ​Akamai​ representative.

Types of error pages

If you choose to use ​SIA​ error pages, these error pages are available:

  • Website Access Prohibited
  • Threat Website Warning
  • Acceptable User Policy Violation
  • Error Warning
  • User Authentication Error

Website Access Prohibited

IMAGE_STUB

This page warns that the website has been blocked based on the organization’s policy. The error page also indicates what URL was blocked.

This error page appears in these situations:

  • When a user from an Unidentified IPs location attempts to access a domain that may be a security risk. These users are typically remote users who access content from IP addresses that are not already configured as locations in ​SIA​.

  • When ​SIA​ proxy is disabled and malicious HTTP or HTTPS traffic is directed to Enterprise Security Connector version 2.5.0.

Threat Website Warning

IMAGE_STUB

This message appears when a user attempts to access a domain that is a known or suspected threat. If the proxy is enabled, these error pages also appear for malicious HTTP or HTTPS traffic. The message is specific to the threat type. For example, any one of these warnings may appear on this page:

  • Phishing Website Warning. Appears when a user attempts to access a domain that is known or suspected to perform phishing attacks.

  • Malware Website Warning. Appears when a user attempts to access a domain that is known to host malware.

  • C&C Website Warning. Appears when a user attempts to access a domain that is known to perform C&C communications.

Regardless of threat type, the error page also shows what URL was blocked.

Acceptable User Policy (AUP) or Application Visibility and Control (AVC) Violation

IMAGE_STUB

This message appears when a user violates the AUP or AVC settings in a policy. The message indicates which AUP or AVC category was violated. It also shows what URL was blocked.

If a file is blocked as a result of a DLP configuration, this message appears:

IMAGE_STUB

Error Warning

IMAGE_STUB

An error message similar to this one appears when ​SIA​ or ​SIA​ Proxy cannot connect to the requested website. This may occur in any of these situations:

  • Connectivity issue to the origin website.

  • TLS certificate issue. This includes cases where ​SIA​ Proxy cannot validate an origin certificate. If an ​SIA​ administrator chooses to block origin certificates that cannot be verified, this error page appears to the user.

  • Unknown user or group attempting to access a website.

The blocked URL is shown in the error page.

Depending on the situation, the error message may differ. For example, this error message appears when there is an issue with the TLS certificate:

IMAGE_STUB

The blocked URL is shown on the error page.

User Authentication Error

If authentication is enabled and configured in an acceptable use policy, this error message appears when a user enters invalid credentials to access a website.

IMAGE_STUB

The blocked URL is shown on the error page.

Error page customization

If you choose to use ​SIA​ error pages instead of an error that is hosted by your organization, you can modify these areas of the ​SIA​ error pages:

  • Logo. Area at the top-left of the page that is reserved for the logo image. You can upload an image in JPEG or PNG format.

  • Title. Title header of the page that indicates website access is prohibited. You can select the background color and the color of the text. You can also modify the font, font size, and style of the text.

  • Message Area. Area of the page that is reserved for:

    • The reason or cause of the error

    • The category associated with the error

    • A message and explanation

    • IT help desk contact information such as the email, phone, and the ticket URL

      In this area of the page, you can:

    • Modify the color, font, font size, and font style of the text.

    • Select a background color for the message.

    • Enter the IT email address, phone number, and ticket URL.

    • Show or hide the IT email address, phone number, or ticket URL.

  • Window Background. Setting where you can select the background color of top and bottom of the page where no text is provided. You can also select whether you want to show the corner image.

Any modification you make to these areas impacts all error messages. For example, if you modify the font style of the message, the message in all of the error pages then uses the new font style.

Change the appearance of ​SIA​ error pages

If you're an ​Secure Internet Access Enterprise​ administrator, you can configure the appearance of ​SIA​ error pages. An error page appears when a user attempts to go to a website that violates access control settings or is a known or suspected malware, phishing, or C&C communication security threat. Error pages appear for known or suspected domains that are configured in the policy with a Block action and the Error Page response. For details, see Error page customization.

Any modification that you make to an element or item of an error page is applied to all ​SIA​ error pages. For example, if you select a specific font for the message that is provided in an error page, all error pages use that font for the message.

To change the appearance of error pages:

  1. In the Threat Protection menu of Enterprise Center, select Policies > Error Pages.

  2. To upload a logo, click the Upload File and locate the image that you want to upload.

  3. To modify the Title heading:

    1. Navigate to the Title area.

    2. For the background color, click the color swatch and select the color that you want from the provided palette.

    3. To format the heading text, click the link that shows font style and formatting currently applied to the title, and in the toolbar that appears, select a new font, font size, or font format.

  4. To modify the background color of the message area:

    1. In the Message Area, go to the swatch that is associated with the background color.

    2. Click the color swatch and select the color that you want from the provided palette.

  5. To modify the text color and formatting associated with the Reason, Category, Explanation, or Communication parts of the message:

    1. To change the background color of the message area items, click the associated color, and select the color that you want from the provided palette.

    2. To format the text associated with an item in the message area, click the link that shows the applied font style and format, and in the formatting bar that appears, select a new font, font size, and font style as needed.

    3. Repeat step 5a and 5b for each message area item you want to modify.

  6. To show or hide communication information on the error pages:

    • To show the Mail, Phone, or Ticket information, ensure that the fields are selected.

    • To hide the Mail, Phone, or Ticket information, deselect the field.

  7. To enter communication information for your IT help desk:

    1. In the Mail field, enter an email address.

    2. In the Phone field, enter a phone number.

    3. In the Ticket field, enter the ticket URL.

  8. To modify the background color of the top or bottom of the error page:

    1. To modify the top of the page, for the gradient, click the color swatch and select a color from the provided palette.

    2. To modify the bottom of the page, for the gradient, click the color swatch and select a color from the provided palette.

  9. To show a corner image at the bottom right-hand side of the page, select Display Corner Image.

  10. To restore the default settings of the error pages, click Back to Default.

  11. Click Save.

Use a hosted error page

If your organization maintains its own error pages, you can choose to show users a hosted error page instead of ​SIA​ error pages. When you enable this feature, users are redirected to the hosted error page for all blocked websites.

To use a hosted error page:

  1. In the Threat Protection navigation menu, select Policies > Error Pages.

  2. Enable Self Hosted Error Page.

  3. In the provided field for the host, enter the URL where your organization hosts the error page.

  4. Click Save.

Parameters in an error page URL

While an error page indicates that access is denied to a website, the URL of the page also provides additional information to your users and help desk administrators. This information includes the error type, host or URI that the user attempted to access, the type of error that occurred, and more. These parameters are available in the URL of ​SIA​ error pages and in the URL of the error page that's hosted by your organization.

The parameters in the URL may look like this:

https://error.etp.akamai.com/error.html?lang=en_US&cust=<ID>&category=CONTROL&class=NO_AUTH&host=<www.example.com>&uri=&source=<IP_ADDRESS>&unauthenticated_reason=auth_declined

This error page URL includes the configuration ID, the specific threat category, domain that the user tried to access, the source IP address, and the reason why access was denied.

Depending on the error, these parameters may appear in the error page URL:

ParameterDescription
langLanguage that's displayed for the error page
categoryShows the category that was blocked. One of these values may appear for this parameter:
  • THREAT. Indicates the website was blocked based on a threat category.
  • MALWARE. Indicates the website was blocked as malware.
  • CNC. Indicates the website was blocked as a command and control communication threat.
  • PHISHING. Indicates the website was blocked as a phishing threat.
  • CONTROL. Indicates the website was blocked as a result of an access control configuration.
  • AUP. Indicates the website was blocked as a result of an acceptable use policy configuration.
  • ERROR. Indicates an error occurred.
classValues that show additional details about the category. When a category is THREAT, the class parameter value includes three numerical values (for example, &class=1-2-3), where the middle numerical value represents the specific category ID. The category ID maps to these threat categories:
  • 1. Malware
  • 2. Phishing
  • 3. C&C
  • 4. Other
  • 5. DNS Exfiltration
  • 6. Risky domains
  • 7. File sharing AUP category

When the category is either AUP or CONTROL, the class parameter provides more details on the reason for the block. If the value is a numeric ID, this is the specific AUP or access control category ID that caused the block action. For more information on these IDs, see AUP and Access Control Category IDs.

If the category is ERROR, the error_type parameter will show the specific value.
error_typeType of error that occurred. Possible values for this parameter include:
  • DNS. Indicates there was a DNS error, such as the inability to resolve a domain.
  • Internal. Indicates an internal error occurred that prevented resolution.
  • TLS. Indicates a TLS error occurred such as an error with the MITM certificate.
  • IDP. Indicates an error occurred with an identity provider.
  • CONFIGURATION. Indicates there was a configuration error.
  • ORIGIN_CONNECTIVITY. Indicates there was an issue connecting to the origin or destination.
codeIf error_type information is provided, a code also appears with more specific information. Any one of these codes can appear:
  • 1. Indicates the error was a DNS resolution failure.
  • 6. Indicates that ciphers are not secure.
  • 7. Indicates there’s a invalid common name. The common name in the TLS certificate does not match the requested domain.
  • 8. Indicates there’s an invalid signature in the TLS certificate.
  • 9. Indicates there’s an invalid date associated with the TLS certificate. The date is before the “Not Valid Before” date.
  • 10. Indicates there’s an invalid date associated with the TLS certificate. The certificate has likely expired.
  • 11. Indicates there’s a self-signed certificate error and as a result, the connection is not trusted.
  • 12. Indicates an untrusted certificate authority (CA) was detected and as a result, the connection cannot be established with the origin.
  • 13. Indicates the origin certificate was revoked and as a result, the connection cannot be established.
  • 14. Indicates there was a problem performing a certificate revocation check.
  • 15. Indicates that an SSL failure occurred.
  • 16. Indicates that the SSL version is not secure.
  • 17. Indicates that an SSL handshake between the browser and the origin server failed.
  • 18. Indicates that the connection method is not allowed.
  • 19. Indicates there was a failure connecting to the origin.
  • 20. Indicates an identity provider is not configured but was required.
  • 21. Indicates an origin port is not allowed by the policy.
  • 140. Indicates there was an error at the origin.
  • 141. Indicates there was an error validating the origin certificate.
  • 142. Indicates there was a TLS error at the origin.
  • 143. Indicates there was a refused connection at the origin.
  • 144. Indicates that the connection was reset at the origin.
  • 145. Indicates there was a timeout error that occurred at the origin.
  • 200. Indicates there was an invalid identity provider response.
  • 201. Indicates that the identity provider response is stale and the request should be attempted again.
unauthenticated_reasonIndicates why an authentication failure occurred. Any of these reasons may appear:
  • unsupported_onramp. Indicates that traffic was not delivered from a source that supports user authentication.
  • noip. Indicates there’s no detected IP address and as a result, traffic does not appear to be from a trusted source.
  • auth_error_resp. Indicates there was an error verifying user identity for authentication.
  • session_creation_error. Indicates there was a session creation error and as a result, user identity cannot be confirmed.
  • session_store_error. Indicates there was a session store error.
  • auth_declined. Indicates the user skipped authentication.
hashThatCausedBlockThe hash value of the file that was blocked.
hostHost that user attempted to access.
uriURI that user attempted to access.

AUP and Access Control Category IDs

In a class parameter (for example, &class=1-2-3) of an error page URL, the middle numerical value represents the specific category ID. These numerical values map to the category ID that’s associated with AUP and access control operation categories.

For more information on AUP categories, see Acceptable use policy categories.

Numeric IDAUP Category or Access Control Operation Category
1Uploading
2Downloading
3Posting
4Sharing
5Editing
6Viewing Contents
7Chatting
8File Transfer
9Listening
10Viewing Mail
11Sending Mail
12Sending Attachments
13Calling
14Searching
15Login/Authentication
16Alcohol/Tobacco
17Broadcasting
18Paying and Transferring Money
19Inviting
20File Sharing
22Healthcare
23Financing & Investing
31Chat
33Virtual Community
34Forums & Message Boards
35Blogging
37Personals & Dating
38Gore
39Hate
40Violence
46Weapons Related
47Lingerie
49Nudism & Naturism
50Hacking
51Plagiarism
52Criminal Skills
53Peer to Peer
54Anonymizers
55Streaming Websites
56Pornography Websites
60Self Harm
70Sex Education
71Motor Vehicles
72Real Estate
73Business & Economy
74Marijuana
75Abortion
76Kids
77Military
78Legal
79Government
80Travel
81Entertainment & Arts
82Local Information
83Hunting & Fishing
84Recreation & Hobbies
85Music
86Image & Video Search
87Fashion & Beauty
88News & Media
89Political Advocacy
90Cult & Occult
91Religion
92Training & Tools
93Job Search
94Translation
95Reference & Research
96Educational Institutes
97Search Engines
98Web Advertisements
99Auctions
100Shopping
101Home & Garden
102Online Greeting Cards
103Computer & Internet Security
104Computer & Internet Info
105Keyloggers & Monitoring
106Dead Sites
107Shareware & Freeware
108Pay to Surf
109Internet Portals
110Web-Based Email
111Spyware & Adware
112Content Delivery Networks
113Confirmed Spam Sources
114Spam URLs
115Dynamic Content
116Parked Domains
117Web Hosting
118DNS-over-HTTPS Providers
119IT Services
120Productivity and CRM Tools
121Sales and Marketing
122System & Development
123Collaboration and Online Meetings
124General Internet (News, Utilities, Misc)
125Document Management
127Individual Stock Advice & Tools
128Child Abuse / Exploitation

Enable HTTPS block pages for DNS only policies

Complete this procedure to show HTTPS block pages for web traffic when DNS Only is selected as the policy type. This page only appears in known locations. Users who make requests from unknown or unidentified locations cannot see the HTTPS block page.

Before you begin:

  • If you haven’t done so already, make sure you create and distribute a proxy certificate. For more information, see Create a SIA Proxy MITM certificate.
  • Make sure Transparent Traffic Interception is enabled for Zero Trust Client.

To enable HTTPS block pages for DNS only policies:

  1. In the Threat Protection menu of Enterprise Center, select Clients & Connectors > Connection Info.
  2. Turn on the toggle for Enable HTTPS block pages for DNS only policies.
  3. Click Save. If you want to save and deploy the policy, click Save and Deploy.

Next Steps:

If you haven’t deployed the policy, make sure you deploy it to the ​​SIA​​ network. For instructions, see Deploy configuration changes.

Updated 24 days ago