system replacemsg http
Use this command to change default replacement messages added to web pages when the antivirus engine blocks a file in an HTTP session because of a matching file pattern or because a virus is detected; or when web filter blocks a web page.
The FortiGate unit sends the HTTP replacement messages listed to web browsers using the HTTP protocol when an event occurs such as antivirus blocking a file that contains a virus in an HTTP session. HTTP replacement messages are HTML pages.
If the FortiGate unit supports SSL content scanning and inspection these replacement messages can also replace web pages downloaded using the HTTPS protocol.
config system replacemsg http edit {msg-type} # Replacement messages. set msg-type {string} Message type. size[28] set buffer {string} Message string. size[32768] set header {none | http | 8bit} Header flag. none No header type. http HTTP 8bit 8 bit. set format {none | text | html | wml} Format flag. none No format type. text Text format. html HTML format. wml WML format next end
Additional information
The following section is for those options that require additional explanation.
buffer <message>
Type a new replacement message to replace the current replacement message. Maximum length 32,768 characters.
http message types
bannedword
Web content blocking is enabled in a web filter profile, and blocks a web page being downloaded with an HTTP GET that contains content matching an entry in the selected Web Content Block list. The blocked page is replaced with the bannedword web page.
http-archive-block
A transfer contained a blocked DLP archive. In DLP archiving, the DLP engine examines email, FTP, IM, NNTP, and web traffic. When enabled, the FortiGate unit records all occurrences of these traffic types when they are detected by the sensor.
http-block
Antivirus File Filter is enabled for HTTP or HTTPS in a web filter profile, and blocks a file being downloaded using an HTTP GET that matches an entry in the selected file filter list. The file is replaced with the httpblock web page that is displayed by the client browser.
http-client-archive-block
The user is not allowed to upload the file.
http-client-bannedword
Web content blocking enabled in a web filter profile blocks a web page being uploaded with an HTTP PUT that contains content that matches an entry in the selected Web Content Block list. The client browser displays the http-client-bannedword web page.
http-client-block
Antivirus File Filter is enabled for HTTP or HTTPS in an antivirus profile blocks a file being uploaded by an HTTP POST that matches an entry in the selected file filter list and replaces it with the http-client-block web page that is displayed by the client browser.
http-client-filesize
Oversized File/Email is set to Block for HTTP or HTTPS and an oversized file that is being uploaded with an HTTP PUT is blocked and replaced with the http-client-filesize web page.
http-contenttype-block
When a specific type of content is not allowed, it is replaced with the http-contenttype-block web page.
http-dlp-ban
In a DLP sensor, a rule with action set to Ban replaces a blocked web page or file with the http-dlp-ban web page. This web page also replaces any additional web pages or files that the banned user attempts to access until the user is removed from the banned user list.
http-filesize
Antivirus Oversized File/Email is set to Block for HTTP or HTTPS and blocks an oversized file being downloaded using an HTTP GET. The file is replaced with the http-filesize web page that is displayed by the client browser.
http-post-block
HTTP POST Action is set to Block and the FortiGate unit blocks an HTTP POST and displays the http-post-block web page.
https-invalid-certblock
When an invalid security certificate is detected, the https-invalidcert-block page is displayed.
infcache-block
Client comforting is enabled and the FortiGate unit blocks a URL added to the client comforting URL cache. It replaces the blocked URL with the infcache-block web page.
url-block
Web URL filtering is enabled and blocks a web page with a URL that matches an entry in the selected URL Filter list. The blocked page is replaced with the url-block web page.
Replacement message tags
Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.
%%FILE%%
The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.
%%VIRUS%%
The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.
%%QUARFILENAME%%
The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages.
%%URL%%
The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.
%%PROTOCOL%%
The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.
%%SOURCE_IP%%
The IP address of the web page from which a virus was received.
%%DEST_IP%%
The IP address of the computer that would have received the blocked file. For email this is the IP address of the user’s computer that attempted to download the message from which the file was removed.