system : replacemsg http
 
replacemsg http
Use this command to change default replacement messages added to web pages when the antivirus engine blocks a file in an HTTP session because of a matching file pattern or because a virus is detected; or when web filter blocks a web page.
The FortiGate unit sends the HTTP replacement messages listed to web browsers using the HTTP protocol when an event occurs such as antivirus blocking a file that contains a virus in an HTTP session. HTTP replacement messages are HTML pages.
If the FortiGate unit supports SSL content scanning and inspection these replacement messages can also replace web pages downloaded using the HTTPS protocol.
Syntax
config system replacemsg http <message-type>
set buffer <message>
set format <format>
set header <header_type>
end
Variable
Description
Default
<message-type>
HTTP replacement message type. See Table 11.
No default.
buffer <message>
Type a new replacement message to replace the current replacement message. Maximum length 8 192 characters.
Depends on message type.
format <format>
Set the format of the message:
html
text
none
No default
header <header_type>
Set the format of the message header:
8bit
http
none
Depends on message type.
Table 11: HTTP replacement messages
Message name
Description
bannedword
Web content blocking is enabled in a web filter profile, and blocks a web page being downloaded with an HTTP GET that contains content matching an entry in the selected Web Content Block list. The blocked page is replaced with the bannedword web page.
http-archive-block
A transfer contained a blocked DLP archive. In DLP archiving, the DLP engine examines email, FTP, IM, NNTP, and web traffic. When enabled, the FortiGate unit records all occurrences of these traffic types when they are detected by the sensor.
http-block
Antivirus File Filter is enabled for HTTP or HTTPS in a web filter profile, and blocks a file being downloaded using an HTTP GET that matches an entry in the selected file filter list. The file is replaced with the http-block web page that is displayed by the client browser.
http-client-archive-block
The user is not allowed to upload the file.
http-client-bannedword
Web content blocking enabled in a web filter profile blocks a web page being uploaded with an HTTP PUT that contains content that matches an entry in the selected Web Content Block list. The client browser displays the http-client-bannedword web page.
http-client-block
Antivirus File Filter is enabled for HTTP or HTTPS in an antivirus profile blocks a file being uploaded by an HTTP POST that matches an entry in the selected file filter list and replaces it with the http-client-block web page that is displayed by the client browser.
http-client-filesize
Oversized File/Email is set to Block for HTTP or HTTPS and an oversized file that is being uploaded with an HTTP PUT is blocked and replaced with the http-client-filesize web page.
http-contenttype-block
When a specific type of content is not allowed, it is replaced with the http-contenttype-block web page.
http-dlp-ban
In a DLP sensor, a rule with action set to Ban replaces a blocked web page or file with the http-dlp-ban web page.
This web page also replaces any additional web pages or files that the banned user attempts to access until the user is removed from the banned user list.
http-filesize
Antivirus Oversized File/Email is set to Block for HTTP or HTTPS and blocks an oversized file being downloaded using an HTTP GET. The file is replaced with the http-filesize web page that is displayed by the client browser.
http-post-block
HTTP POST Action is set to Block and the FortiGate unit blocks an HTTP POST and displays the http-post-block web page.
https-invalid-cert-block
When an invalid security certificate is detected, the https-invalid-cert-block page is displayed.
infcache-block
Client comforting is enabled and the FortiGate unit blocks a URL added to the client comforting URL cache. It replaces the blocked URL with the infcache-block web page. For more information about the client comforting URL cache, seefirewall policy, policy6.
url-block
Web URL filtering is enabled and blocks a web page with a URL that matches an entry in the selected URL Filter list. The blocked page is replaced with the url-block web page.
 
Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.
Table 12: Replacement message tags
Tag
Description
%%FILE%%
The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
%%VIRUS%%
The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages
%%QUARFILENAME%%
The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages. Quarantining is only available on FortiGate units with a local disk.
%%URL%%
The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.
%%PROTOCOL%%
The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
%%SOURCE_IP%%
The IP address of the web page from which a virus was received.
%%DEST_IP%%
The IP address of the computer that would have received the blocked file. For email this is the IP address of the user’s computer that attempted to download the message from which the file was removed.