Blocked site get the "Network Authentication" page instead of "Blocked Request" page...

Question

Hi,
I just figured out to set the XG Firewall to used it only with Web Filtering.
Now when I have hit on a blocked policy, I'm redirected to the Captive Portal and I get the Network Authenticaion to login.
But I want to get the " Blocked Request" page and not the Network Authenticaion page.
How do I accplish this?
TIA

This thread was automatically locked due to age.

Michael Dunn · Accepted Answer

Disabling NTLM Authentication is the only thing needed for this. 
 Basically if you have NTLM on, it is assumed that all clients are NTLM capable so it will try to authenticate with NTLM. If that fails then it displays captive portal. This ends up bypassing the Block Page altogether. 
 The "Prompt unauthenticated users of log in" controls whether the block page contains a link to log in (when the user is not authenticated). 
 
 The purpose behind both of these is that many companies have configured it so that authenticated users have more privilege to view sites than unauthenticated. So if they hit a block page they should try to authenticate because after that the policy is re-evaluated and they may no longer be blocked.

DavidWhitehead · Answer

I was able to get the "Blocked Request" screen by creating a user under "Clientless Group", however, I'm not sure if this would only work with static address or would work with leased addresses to. This may also be an issue for some who still need their users to login if needed. (since the PC already has a registered user)

sachingurung · Answer

Hi All, 
 Thanks for choosing Sophos. 
 To give a denied page when a User tries to access a blocked website, you need to select NO in unauthenticated user redirection. If you select YES, XG will prompt Captive Portal to User(s). This is useful when you have defined web filter policy-user wise. Suppose User A has access to streaming media, alongside User B is denied the access to streaming media category, during such requirement the provided settings are quite useful. But with XG, I discovered that we lack the feature to configure the "User's applied policy" within a Firewall Rule>Policy for User Applications. So the workaround to get this feature work is to create multiple Group based Firewall Rule, where we can define granular filter options for respective groups. Hence, when a User receives a Captive Portal page and authenticates himself on it, XG will check the group association and take action. 
 Hope this helps:) 
 Thanks

ChristianD · Answer

Hi everybody, 
 I had the same issue on our XG firewall with SFOS 17.5.3 MR-3. Since this thread is not marked as answered, here's my solution: 
 I had to disable Prompt unauthenticated users to log in feature 
 
 Additional I had to disable NTLM Authentication in the Device Access menue