
Service Extensions with SSL Orchestrator: Advanced Blocking Pages

SSL Orchestrator Advanced Blocking Pages allow for easy customization of the block page as well as flexible policy options to trigger specific block pages.

 

Introduction

Service Extensions are a new programmable capability in F5 BIG-IP SSL Orchestrator (as of F5 BIG-IP 17.0) that allow for customizable behaviors on decrypted HTTP traffic directly from within the Service Chain. 

In this article you will learn how to download, install, and configure the policy that enables the “Advanced Blocking Pages” Service Extension. 

 

What are Advanced Blocking Pages?

Advanced Blocking Pages allow for easy customization of the block page as well as flexible policy options to trigger specific block pages.  This Service Extension creates a Service that will return a block page when placed into a Service Chain.  It can also apply the iRule logic to dynamically inject the contents of a blocking page.

 

Deployment Prerequisites

  • F5 BIG-IP version 17.1.x
  • SSL Orchestrator version 11.1+

This article assumes you have an SSL Orchestrator configured with a Topology and Service Chain.

 

Advanced Blocking Pages Service Extension Installation

The information below is from the GitHub repository for the Advanced Blocking Pages Service Extension (click here for a direct link).  It includes an installer to create all the necessary objects.

Download the installer (the -k flag tells curl to skip TLS certificate verification for this download; omit it if the host you run this from trusts GitHub's certificate chain):

curl -sk https://raw.githubusercontent.com/f5devcentral/sslo-service-extensions/refs/heads/main/advanced-blocking-pages/advanced-blocking-pages-installer.sh -o advanced-blocking-pages-installer.sh

Make the script executable:

chmod +x advanced-blocking-pages-installer.sh

Export the BIG-IP username and password:

export BIGUSER='admin:password'

Note: replace “password” with your actual BIG-IP admin password.

Run the script to create all the Advanced Blocking Pages objects:

./advanced-blocking-pages-installer.sh

The installer creates a new Inspection Service named "ssloS_F5_Advanced-Blocking-Pages". Add this Inspection Service to any Service Chain that can receive decrypted HTTP traffic. Service Extension Services only trigger on decrypted HTTP, so they can safely be inserted into Service Chains that also see TLS bypass (non-decrypted) traffic: SSL Orchestrator simply bypasses this Service for anything that is not decrypted HTTP.

After following the steps above, the SSL Orchestrator screen should look like this:

 

Customizing Functionality

To customize the functionality of the Blocking Pages we’ll start by editing an iRule. 

Navigate to Local Traffic > iRules > iRule List

Click on the iRule named “advanced-blocking-pages-rule” (you may need to expand the iRule List)

To enable the Advanced Blocking Pages, set the value for “GLOBAL_BLOCK” from 0 to 1.  Click Update.

NOTE: We’ll go over the other customization options later in this article.

 

Move the Advanced-Blocking-Pages Service to a Service Chain

Go to the SSL Orchestrator Configuration screen

Click Service Chains then Add

NOTE: For testing purposes, it is recommended to create a new Service Chain and add the Advanced-Blocking-Page Service to it

Give it a name, “AdvancedBlocking” in this example.

Select the ssloS_F5_Advanced-Blocking-Pages Service and click the arrow to move it to the right

Click Deploy

Click OK

 

Edit the Security Policy

From the Configuration screen, select Security Policies then click the policy you want to edit, “L3_Outbound” in this example.

Click Add to add a Rule

Give the Rule a name, “BlockThreats” in this example

Configure the Rule Conditions by selecting Category Lookup (All)

Select the Categories you wish to Block by clicking in the “Click to select” field

Select all Malware-related categories

These are all the Malware-related categories:

Advanced Malware Command and Control

Advanced Malware Payloads

Malicious Embedded Link

Malicious Embedded iFrame

Malicious Web Sites

Mobile Malware

You may want to consider adding the following Categories, too:

Spyware and Adware

Suspicious

NOTE: For testing purposes, it would be safer to add a category like “Alcohol and Tobacco” to the above rule in order to test its efficacy.

 

Set the Action to Allow (this is counterintuitive, but the traffic must be allowed and intercepted so that it reaches the Service Chain, where the Advanced Blocking Pages Service returns the block page)

Set the SSL Proxy Action to Intercept

Set the Service Chain to the one created previously, “AdvancedBlocking”

Click OK

The Security Policy should look like this:

Click Deploy

Click Deploy

Click OK

 

Test the Advanced Blocking Page

Assuming you have added the “Alcohol and Tobacco” Category to the Security Policy, go to a client computer and test it now.

An attempt to view the Products page on www.marlboro.com results in the following:

Note: remember to remove the “Alcohol and Tobacco” category from the Security Policy.

 

Customizing the Blocking Page

First, you need an html file to use as the custom Blocking Page.  You can use a sample file from the GitHub repository.

Expand the folder “blocking-page-samples” and click “blocking-page-sample1.html”.

Click the Download button on the right.

To Customize the Blocking Page, go to System > File Management > iFile List > Import

Choose the Blocking Page sample file in your Downloads folder.

Choose Overwrite Existing, then click Import.

Test the Blocking Page again and it should look like the following:

 

Injecting Dynamic Messages

To inject a dynamic message in the block page, edit the “advanced-blocking-pages-rule” iRule.

Find “set static::GLOBAL_BLOCK_MESSAGE” in the iRule and replace all the text within the quotation marks:

Click Update when done

Test the Blocking Page again and it should look like the following:

 

Handling Server-Side Certificate Errors

SSL Orchestrator can also be customized to handle different server-side certificate validation errors.  To configure this, start by editing the SSL Configuration.

Click the Edit icon

Click Show Advanced Settings

Near the bottom, set Expired Certificate Response and Untrusted Certificate Authority from Drop to Mask.

Click Save & Next when done.

The Mask option tells SSL Orchestrator to send a good/valid certificate to the client when these certificate errors occur.  This allows a custom blocking page to be presented to the client.

Click OK

Click Deploy

Click OK

Next, edit the Interception Rule for this Topology

Click the Edit icon

In the Resources section near the bottom, move the “ssl-tls-verify-rule” from Available to Selected.

Click Save & Next

Click Deploy

Click OK

NOTE: The blocking page iRule (when GLOBAL_BLOCK is 0) reads the ctx(tlsverify) shared variable that ssl-tls-verify-rule populates and triggers the blocking page if the certificate verification code is not ‘ok’. It also injects the verification code string into the page.

 

You can test this using the site, https://badssl.com

Under Certificate, try “expired” and “self-signed”

Example of Expired Certificate:

Example of Self-Signed Certificate:

 

Handling Custom Blocking Page Triggers

The included iRule is intentionally sparse and covers only the two primary blocking page use cases (global blocking and server-side certificate validation errors):

when HTTP_REQUEST {
    # Use case 1: global block. When GLOBAL_BLOCK is 1, every decrypted HTTP request
    # that reaches this Service receives the block page carrying GLOBAL_BLOCK_MESSAGE.
    if { $static::GLOBAL_BLOCK } {
        call GEN_BLOCK_PAGE ${static::GLOBAL_BLOCK_MESSAGE}
        event disable all
    } else {
        # Use case 2: server-side certificate validation error. ctx(tlsverify) is the
        # shared variable written by ssl-tls-verify-rule; any value other than "ok"
        # triggers the block page and the verification code is injected into it.
        sharedvar ctx
        if { ( [info exists ctx(tlsverify)] ) and ( $ctx(tlsverify) ne "ok" ) } {
            call GEN_BLOCK_PAGE "This request has been blocked due to a server side TLS issue: <br /></br>[string toupper $ctx(tlsverify)]"
            event disable all
        }
    }
}

To customize this for additional triggers, add iRule logic inside the “else” block as required:

# Replace some-condition with any iRule expression; the string passed to
# GEN_BLOCK_PAGE is what the blocking page shows in its receive_msg variable.
if { some-condition } {
    call GEN_BLOCK_PAGE "message to send into blocking page `receive_msg` variable"
    event disable all
}
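The following iRule is an added example illustrating both the server-side certificate error handling described earlier and the custom trigger pattern just shown; it is not code from the sslo-service-extensions repository. It assumes it is pasted into the installed "advanced-blocking-pages-rule" so that the GEN_BLOCK_PAGE proc and the static variables set by the installer are in scope. The data group names (dg_block_upload_hosts, dg_admin_clients), the host name intranet.example.com, the log prefix and the glob patterns used to translate verification codes are all illustrative assumptions.

```tcl
# Added example, not part of the advanced-blocking-pages installer. Assumes the
# GEN_BLOCK_PAGE proc and static::GLOBAL_BLOCK / static::GLOBAL_BLOCK_MESSAGE from
# the installed rule are in scope. Data group names, host names and the
# verification-code patterns are assumptions for illustration only.

when HTTP_REQUEST {
    # Use case 1 (from the article): global block for everything routed through this Service.
    if { $static::GLOBAL_BLOCK } {
        call GEN_BLOCK_PAGE ${static::GLOBAL_BLOCK_MESSAGE}
        event disable all
        return
    }

    sharedvar ctx

    # Use case 2 (from the article): server-side certificate validation failure.
    # ssl-tls-verify-rule, attached to the Interception Rule, populates ctx(tlsverify).
    # Map the code to a short explanation for the user; codes the patterns do not
    # recognise keep the original behaviour and are shown upper-cased.
    if { [info exists ctx(tlsverify)] and ($ctx(tlsverify) ne "ok") } {
        switch -glob -- [string tolower $ctx(tlsverify)] {
            "*expire*"  { set reason "The server's certificate has expired." }
            "*self*"    { set reason "The server presented a self-signed certificate." }
            "*untrust*" { set reason "The server's certificate was not issued by a trusted authority." }
            default     { set reason "Certificate check failed: [string toupper $ctx(tlsverify)]" }
        }
        call GEN_BLOCK_PAGE "This request has been blocked due to a server side TLS issue:<br />$reason"
        log local0. "ABP: TLS verify block client=[IP::client_addr] host=[HTTP::host] code=$ctx(tlsverify)"
        event disable all
        return
    }

    # HTTP::host may carry a port; strip it once so the triggers below match on the name only.
    set host [string tolower [getfield [HTTP::host] ":" 1]]

    # Custom trigger A (hypothetical): block uploads (POST/PUT) to hosts listed in the
    # string data group dg_block_upload_hosts (e.g. personal file-sharing domains).
    if { ([HTTP::method] equals "POST") or ([HTTP::method] equals "PUT") } {
        if { [class match $host ends_with dg_block_upload_hosts] } {
            call GEN_BLOCK_PAGE "Uploads to $host are not permitted from this network."
            log local0. "ABP: upload block client=[IP::client_addr] host=$host uri=[HTTP::uri]"
            event disable all
            return
        }
    }

    # Custom trigger B (hypothetical): restrict an administrative path prefix on one
    # internal host to clients in the address data group dg_admin_clients.
    if { ($host equals "intranet.example.com") and ([HTTP::path] starts_with "/admin/") } {
        if { not [class match [IP::client_addr] equals dg_admin_clients] } {
            call GEN_BLOCK_PAGE "Administrative pages on $host are restricted to the admin network."
            log local0. "ABP: admin-path block client=[IP::client_addr] uri=[HTTP::uri]"
            event disable all
            return
        }
    }
}
```

Each trigger ends with "event disable all" followed by "return" so that only the first matching condition produces a block page and later checks never run against a request that has already been answered. The log lines give the SOC a record of which trigger fired and for whom; keep them if you want block events to be visible in /var/log/ltm.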

 

Conclusion

SSL Orchestrator Advanced Blocking Pages allow for easy customization of the block page as well as flexible policy options to trigger specific block pages. 

 

Related Content

Service Extensions with SSL Orchestrator SaaS Tenant Isolation

Service Extensions with SSL Orchestrator User Coaching of AI Related Content

SSL Orchestrator Service Extensions: DoH Guardian

Office 365 Tenant Restrictions

Introduction to BIG-IP SSL Orchestrator

Integrating Security Solutions with F5 BIG-IP SSL Orchestrator

Updated Dec 09, 2025
Version 2.0