Fortinet black logo

CLI Reference

system replacemsg ftp

system replacemsg ftp

FortiOS sends the FTP replacement messages to FTP clients when an event occurs such as antivirus blocking a file that contains a virus in an FTP session.

By default, these are text-format messages with no header.

config system replacemsg ftp
    edit {msg-type}
    # Replacement messages.
        set msg-type {string}   Message type. size[28]
        set buffer {string}   Message string. size[32768]
        set header {none | http | 8bit}   Header flag.
                none  No header type.
                http  HTTP
                8bit  8 bit.
        set format {none | text | html | wml}   Format flag.
                none  No format type.
                text  Text format.
                html  HTML format.
                wml   WML format
    next
end

Additional information

The following section is for those options that require additional explanation.

buffer <message>

Type a new replacement message to replace the current replacement message. Maximum length 32,768 characters.

ftp message types

explicit-banner

Greeting banner for explicit FTP proxy.

ftp-dl-archive-block

FTP file transfer for DLP archiving was blocked. In DLP archiving, the DLP engine examines email, FTP, IM, NNTP, and web traffic. When enabled, the FortiGate unit records all occurrences of these traffic types when they are detected by the sensor.

ftp-dl-blocked

Antivirus File Filter enabled for FTP in an antivirus profile blocks a file being downloaded using FTP that matches an entry in the selected file filter list and sends this message to the FTP client.

ftp-dl-dlp-ban

In a DLP sensor, a rule with action set to Ban blocks an FTP session and displays this message. This message is displayed whenever the banned user attempts to access until the user is removed from the banned user list.

Replacement message tags

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

%%FILE%%

The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.

%%VIRUS%%

The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.

%%QUARFILENAME%%

The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages.

%%URL%%

The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.

%%PROTOCOL%%

The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.

%%SOURCE_IP%%

The IP address from which a virus was received. For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of the web page that sent the virus.

%%DEST_IP%%

The IP address of the computer that would have received the blocked file. For email this is the IP address of the user’s computer that attempted to download the message from which the file was removed.

system replacemsg ftp

FortiOS sends the FTP replacement messages to FTP clients when an event occurs such as antivirus blocking a file that contains a virus in an FTP session.

By default, these are text-format messages with no header.

config system replacemsg ftp
    edit {msg-type}
    # Replacement messages.
        set msg-type {string}   Message type. size[28]
        set buffer {string}   Message string. size[32768]
        set header {none | http | 8bit}   Header flag.
                none  No header type.
                http  HTTP
                8bit  8 bit.
        set format {none | text | html | wml}   Format flag.
                none  No format type.
                text  Text format.
                html  HTML format.
                wml   WML format
    next
end

Additional information

The following section is for those options that require additional explanation.

buffer <message>

Type a new replacement message to replace the current replacement message. Maximum length 32,768 characters.

ftp message types

explicit-banner

Greeting banner for explicit FTP proxy.

ftp-dl-archive-block

FTP file transfer for DLP archiving was blocked. In DLP archiving, the DLP engine examines email, FTP, IM, NNTP, and web traffic. When enabled, the FortiGate unit records all occurrences of these traffic types when they are detected by the sensor.

ftp-dl-blocked

Antivirus File Filter enabled for FTP in an antivirus profile blocks a file being downloaded using FTP that matches an entry in the selected file filter list and sends this message to the FTP client.

ftp-dl-dlp-ban

In a DLP sensor, a rule with action set to Ban blocks an FTP session and displays this message. This message is displayed whenever the banned user attempts to access until the user is removed from the banned user list.

Replacement message tags

Replacement messages can include replacement message tags. When users receive the replacement message, the replacement message tag is replaced with content relevant to the message.

%%FILE%%

The name of a file that has been removed from a content stream. This could be a file that contained a virus or was blocked by antivirus file blocking. %%FILE%% can be used in virus and file block messages.

%%VIRUS%%

The name of a virus that was found in a file by the antivirus system. %%VIRUS%% can be used in virus messages.

%%QUARFILENAME%%

The name of a file that has been removed from a content stream and added to the quarantine. This could be a file that contained a virus or was blocked by antivirus file blocking. %%QUARFILENAME%% can be used in virus and file block messages.

%%URL%%

The URL of a web page. This can be a web page that is blocked by web filter content or URL blocking. %%URL%% can also be used in http virus and file block messages to be the URL of the web page from which a user attempted to download a file that is blocked.

%%PROTOCOL%%

The protocol (HTTP, FTP, POP3, IMAP, SMTP) in which a virus was detected. %%PROTOCOL%% is added to alert email virus messages.

%%SOURCE_IP%%

The IP address from which a virus was received. For email this is the IP address of the email server that sent the email containing the virus. For HTTP this is the IP address of the web page that sent the virus.

%%DEST_IP%%

The IP address of the computer that would have received the blocked file. For email this is the IP address of the user’s computer that attempted to download the message from which the file was removed.