Fortinet black logo

CLI Reference

system replacemsg http

system replacemsg http

Use this command to change default replacement messages added to web pages when the antivirus engine blocks a file in an HTTP session because of a matching file pattern or because a virus is detected; or when web filter blocks a web page.

The FortiGate unit sends the HTTP replacement messages listed to web browsers using the HTTP protocol when an event occurs such as antivirus blocking a file that contains a virus in an HTTP session. HTTP replacement messages are HTML pages.

If the FortiGate unit supports SSL content scanning and inspection these replacement messages can also replace web pages downloaded using the HTTPS protocol.

config system replacemsg http
    edit {msg-type}
    # Replacement messages.
        set msg-type {string}   Message type. size[28]
        set buffer {string}   Message string. size[32768]
        set header {none | http | 8bit}   Header flag.
                none  No header type.
                http  HTTP
                8bit  8 bit.
        set format {none | text | html | wml}   Format flag.
                none  No format type.
                text  Text format.
                html  HTML format.
                wml   WML format
    next
end

Additional information

The following section is for those options that require additional explanation.

buffer <message>

Type a new replacement message to replace the current replacement message. Maximum length 32,768 characters.

http message types

bannedword

Web content blocking is enabled in a web filter profile, and blocks a web page being downloaded with an HTTP GET that contains content matching an entry in the selected Web Content Block list. The blocked page is replaced with the bannedword web page.

http-archive-block

A transfer contained a blocked DLP archive. In DLP archiving, the DLP engine examines email, FTP, IM, NNTP, and web traffic. When enabled, the FortiGate unit records all occurrences of these traffic types when they are detected by the sensor.

http-block

Antivirus File Filter is enabled for HTTP or HTTPS in a web filter profile, and blocks a file being downloaded using an HTTP GET that matches an entry in the selected file filter list. The file is replaced with the httpblock web page that is displayed by the client browser.

http-client-archive-block

The user is not allowed to upload the file.

http-client-bannedword

Web content blocking enabled in a web filter profile blocks a web page being uploaded with an HTTP PUT that contains content that matches an entry in the selected Web Content Block list. The client browser displays the http-client-bannedword web page.

http-client-block

Antivirus File Filter is enabled for HTTP or HTTPS in an antivirus profile blocks a file being uploaded by an HTTP POST that matches an entry in the selected file filter list and replaces it with the http-client-block web page that is displayed by the client browser.

http-client-filesize

Oversized File/Email is set to Block for HTTP or HTTPS and an oversized file that is being uploaded with an HTTP PUT is blocked and replaced with the http-client-filesize web page.

http-contenttype-block

When a specific type of content is not allowed, it is replaced with the http-contenttype-block web page.

http-dlp-ban

In a DLP sensor, a rule with action set to Ban replaces a blocked web page or file with the http-dlp-ban web page. This web page also replaces any additional web pages or files that the banned user attempts to access until the user is removed from the banned user list.

http-filesize

Antivirus Oversized File/Email is set to Block for HTTP or HTTPS and blocks an oversized file being downloaded using an HTTP GET. The file is replaced with the http-filesize web page that is displayed by the client browser.

http-post-block

HTTP POST Action is set to Block and the FortiGate unit blocks an HTTP POST and displays the http-post-block web page.

https-invalid-certblock

When an invalid security certificate is detected, the https-invalidcert-block page is displayed.

infcache-block

Client comforting is enabled and the FortiGate unit blocks a URL added to the client comforting URL cache. It replaces the blocked URL with the infcache-block web page.

url-block

Web URL filtering is enabled and blocks a web page with a URL that matches an entry in the selected URL Filter list. The blocked page is replaced with the url-block web page.

Replacement message tags

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

%%FILE%%

The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.

%%VIRUS%%

The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.

%%QUARFILENAME%%

The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages.

%%URL%%

The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.

%%PROTOCOL%%

The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.

%%SOURCE_IP%%

The IP address of the web page from which a virus was received.

%%DEST_IP%%

The IP address of the computer that would have received the blocked file. For email this is the IP address of the user’s computer that attempted to download the message from which the file was removed.

system replacemsg http

Use this command to change default replacement messages added to web pages when the antivirus engine blocks a file in an HTTP session because of a matching file pattern or because a virus is detected; or when web filter blocks a web page.

The FortiGate unit sends the HTTP replacement messages listed to web browsers using the HTTP protocol when an event occurs such as antivirus blocking a file that contains a virus in an HTTP session. HTTP replacement messages are HTML pages.

If the FortiGate unit supports SSL content scanning and inspection these replacement messages can also replace web pages downloaded using the HTTPS protocol.

config system replacemsg http
    edit {msg-type}
    # Replacement messages.
        set msg-type {string}   Message type. size[28]
        set buffer {string}   Message string. size[32768]
        set header {none | http | 8bit}   Header flag.
                none  No header type.
                http  HTTP
                8bit  8 bit.
        set format {none | text | html | wml}   Format flag.
                none  No format type.
                text  Text format.
                html  HTML format.
                wml   WML format
    next
end

Additional information

The following section is for those options that require additional explanation.

buffer <message>

Type a new replacement message to replace the current replacement message. Maximum length 32,768 characters.

http message types

bannedword

Web content blocking is enabled in a web filter profile, and blocks a web page being downloaded with an HTTP GET that contains content matching an entry in the selected Web Content Block list. The blocked page is replaced with the bannedword web page.

http-archive-block

A transfer contained a blocked DLP archive. In DLP archiving, the DLP engine examines email, FTP, IM, NNTP, and web traffic. When enabled, the FortiGate unit records all occurrences of these traffic types when they are detected by the sensor.

http-block

Antivirus File Filter is enabled for HTTP or HTTPS in a web filter profile, and blocks a file being downloaded using an HTTP GET that matches an entry in the selected file filter list. The file is replaced with the httpblock web page that is displayed by the client browser.

http-client-archive-block

The user is not allowed to upload the file.

http-client-bannedword

Web content blocking enabled in a web filter profile blocks a web page being uploaded with an HTTP PUT that contains content that matches an entry in the selected Web Content Block list. The client browser displays the http-client-bannedword web page.

http-client-block

Antivirus File Filter is enabled for HTTP or HTTPS in an antivirus profile blocks a file being uploaded by an HTTP POST that matches an entry in the selected file filter list and replaces it with the http-client-block web page that is displayed by the client browser.

http-client-filesize

Oversized File/Email is set to Block for HTTP or HTTPS and an oversized file that is being uploaded with an HTTP PUT is blocked and replaced with the http-client-filesize web page.

http-contenttype-block

When a specific type of content is not allowed, it is replaced with the http-contenttype-block web page.

http-dlp-ban

In a DLP sensor, a rule with action set to Ban replaces a blocked web page or file with the http-dlp-ban web page. This web page also replaces any additional web pages or files that the banned user attempts to access until the user is removed from the banned user list.

http-filesize

Antivirus Oversized File/Email is set to Block for HTTP or HTTPS and blocks an oversized file being downloaded using an HTTP GET. The file is replaced with the http-filesize web page that is displayed by the client browser.

http-post-block

HTTP POST Action is set to Block and the FortiGate unit blocks an HTTP POST and displays the http-post-block web page.

https-invalid-certblock

When an invalid security certificate is detected, the https-invalidcert-block page is displayed.

infcache-block

Client comforting is enabled and the FortiGate unit blocks a URL added to the client comforting URL cache. It replaces the blocked URL with the infcache-block web page.

url-block

Web URL filtering is enabled and blocks a web page with a URL that matches an entry in the selected URL Filter list. The blocked page is replaced with the url-block web page.

Replacement message tags

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

%%FILE%%

The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.

%%VIRUS%%

The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.

%%QUARFILENAME%%

The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages.

%%URL%%

The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.

%%PROTOCOL%%

The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.

%%SOURCE_IP%%

The IP address of the web page from which a virus was received.

%%DEST_IP%%

The IP address of the computer that would have received the blocked file. For email this is the IP address of the user’s computer that attempted to download the message from which the file was removed.