Customizing error and authentication pages (replacement messages)
You can customize the following FortiWeb HTML pages:
Pages that FortiWeb presents to clients when it authenticates users.
FortiWeb uses these pages when the client authentication method in a site publishing configuration is HTML Form Authentication. For more information, see “Single sign-on (SSO) (site publishing)”.
The error page FortiWeb uses to respond to an HTTP request that violates a policy when the configured action is Alert & Deny or Period Block.
The “Server Unavailable!” page that FortiWeb returns to the client when none of the server pool members are available, either because their status is Disable or Maintenance or because they have failed the configured health check.
FortiWeb uses these pages for all server policies. If you require page content that is customized for a specific policy, create an ADOM that contains the custom pages for that policy.
Attack block page HTTP response codes
You can specify the HTTP response code that the attack block message displays. If the error status code allows an attacker to fingerprint a vulnerable application, you can customize it to display a more vague reply. (For all other pages, you cannot change the default response code.)
The following codes are examples of HTTP response codes:
200 — OK. Typically indicates success and accompanies the resource requested by the client.
400 — Bad Request. Typically indicates wrong syntax.
403 — Forbidden. Typically indicates inaccessible files.
404 — File Not Found. Typically indicates missing files.
500 — Internal Server Error. Typically indicates one of many possible conditions such as a servlet runtime error.
501 — Not Implemented. Typically indicates a non-existent function on the web application.
Macros in custom error and authentication pages
When it generates error and authentication messages, FortiWeb generates some of the message content using macros. It uses two types of macros: label macros and image macros.
Although you can add the predefined macros to your custom messages, you cannot create macros and you cannot modify the label macros. You can modify an image macro to reference a predefined image or one that you have uploaded.
Label macros
You can use the following label macros anywhere in the HTML code for Attack Block Page and Server Unavailable Message messages:
%%URL%% - Inserts one of the following URLs: the URL of a web page blocked by either the web filtering or URL blocking feature, or the URL of a web page that contains a blocked file that a client has tried to download.
%%SOURCE_IP%% - The source IP address of the client that attempted to access the web service.
%%DEST_IP%% - The IP address of the web server.
%%VSERVER_IP%% - The IP address of the virtual server.
%%EVENT_ID%% - An ID number that identifies the attack type. Use this number to help you locate the log for the event in the FortiWeb attack log.
You can use the following label macros anywhere in the HTML code for the Site Publish Authentication messages:
%%ORG_LOCATION_VAL%% - The original URL that the client tried to access.
%%REPLY_TAG%% - The authentication server reply message.
%%LOGIN_POST_URL%% - The login URL where users post their credentials.
%%TOKEN_POST_URL%% - The login URL where users insert their token code.
%%RSA_LOGIN_POST_URL%% - The login URL where users post their RSA SecurID credentials.
%%RSAC_POST_URL%% - The login URL where users post their RSA SecurID credentials.
Image macros
Use the following format to add an image macro anywhere in a custom error or authentication message:
%%IMAGE:<image_name>%%
where <image_name> is the name of either a predefined image or one you have uploaded. To view or upload images, go to System > Status > Replacement Message, and then click Manage Images. For more information, see “To view or add images used in error or authentication pages”.
For example, in the default Attack Block Page message, the macro %%IMAGE:logo_v2_fnet%% adds the predefined image logo_v2_fnet. If you add the image test to the list of images, use %%IMAGE:test%% to add it to the HTML code.
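The following Python script is an added illustration of how the label and image macros above, together with the configurable attack block page response code, come together in a rendered response. It is a constructed renderer written for this page, not FortiWeb's own implementation: the template, the image table, the sample request values and the event ID are all made up. It also shows the one check a defender would want in any such renderer: %%URL%% comes from the client's request, so its value is HTML-escaped before it is placed in the page, which keeps an attacker from injecting markup into the block page itself.

```python
import html
import re
from typing import Dict

# Constructed sample template using the macro syntax described on this page
# (not FortiWeb's shipped default Attack Block Page).
BLOCK_PAGE_TEMPLATE = """<html><body>
%%IMAGE:logo_v2_fnet%%
<h1>Request blocked</h1>
<p>The request for %%URL%% from %%SOURCE_IP%% was blocked.</p>
<p>Reference: %%EVENT_ID%%</p>
</body></html>"""

# Constructed image table: image name -> path the generated <img> tag references.
IMAGES: Dict[str, str] = {"logo_v2_fnet": "/images/logo_v2_fnet.png"}

# Constructed request values; the URL deliberately carries markup to show escaping.
SAMPLE_VALUES: Dict[str, str] = {
    "URL": "/search?q=<script>alert(1)</script>",
    "SOURCE_IP": "198.51.100.7",
    "DEST_IP": "10.0.0.20",
    "VSERVER_IP": "203.0.113.10",
    "EVENT_ID": "20000001",  # placeholder, not a real FortiWeb event ID
}

LABEL_MACRO = re.compile(r"%%(URL|SOURCE_IP|DEST_IP|VSERVER_IP|EVENT_ID)%%")
IMAGE_MACRO = re.compile(r"%%IMAGE:([A-Za-z0-9_-]+)%%")


def render_block_page(template: str, values: Dict[str, str], images: Dict[str, str]) -> str:
    """Expand label macros and image macros in a block page template.

    Label values are HTML-escaped because %%URL%% (and in principle the
    addresses) originate from the request, not from the administrator.
    """
    def label(match: re.Match) -> str:
        return html.escape(values.get(match.group(1), ""), quote=True)

    def image(match: re.Match) -> str:
        name = match.group(1)
        if name not in images:
            raise KeyError(f"unknown image macro: {name}")
        src = html.escape(images[name], quote=True)
        return f'<img src="{src}" alt="{name}">'

    return IMAGE_MACRO.sub(image, LABEL_MACRO.sub(label, template))


def build_block_response(status_code: int, body: str) -> str:
    """Assemble a minimal HTTP/1.1 response using the configurable status code.

    Only the codes listed on this page are accepted; a generic 200 or 404
    reveals less about the blocking layer than a distinctive error code.
    """
    reasons = {200: "OK", 400: "Bad Request", 403: "Forbidden", 404: "Not Found",
               500: "Internal Server Error", 501: "Not Implemented"}
    if status_code not in reasons:
        raise ValueError(f"unsupported status code: {status_code}")
    payload = body.encode("utf-8")
    return (f"HTTP/1.1 {status_code} {reasons[status_code]}\r\n"
            "Content-Type: text/html; charset=utf-8\r\n"
            f"Content-Length: {len(payload)}\r\n\r\n" + body)


if __name__ == "__main__":
    page = render_block_page(BLOCK_PAGE_TEMPLATE, SAMPLE_VALUES, IMAGES)
    print(build_block_response(200, page))
```

Running the script prints a 200 response whose body contains the escaped URL (`&lt;script&gt;...`) rather than live script, the expanded `<img>` tag for logo_v2_fnet, and the reference ID an operator would look up in the attack log.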
To customize an error or authentication page
1. If your custom page requires a custom image, see “To view or add images used in error or authentication pages”.
2. Go to System > Config > Replacement Message.
3. Select the page you want to edit in the list of pages.
4. If you selected Attack block page and want to change the HTTP response code it displays, click Edit HTTP Response Code. Enter a new value for the code, and then click Apply.
5. In the bottom-right pane, edit the HTML code as required.
The results of any changes you make are displayed immediately in the bottom-left pane.
For information about using macros in the code, see “Macros in custom error and authentication pages”.
6. Click Save to save your changes or Restore Defaults to revert to the preset version of the page.
To view or add images used in error or authentication pages
1. Go to System > Config > Replacement Message.
2. Click Manage Images, and then click Create New.
3. Specify a name for the image file, select its content type, and then click Choose File to browse to the file and select it.
Ensure the image is no larger than 24 KB and that its type matches the value you selected for Content Type.
4. Click OK, and then click Return to return to the list of pages.