Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Administration Guide

    Home FortiProxy 7.6.1 Administration Guide
    7.6.1
    7.6.1
    7.6.0
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.12
    7.2.11
    7.2.10
    7.2.9
    7.2.8
    7.2.7
    7.2.0
    7.0.19
    7.0.17
    7.0.0
    2.0.0
    1.2.0
    1.1.0
    1.0.0

    Custom replacement message for ZTNA virtual hosts

    Custom replacement message for ZTNA virtual hosts

    Each ZTNA virtual host can be configured to display messages from a custom replacement message group.

    First create a replacement message group, and customize one ore more messages in the group. Then configure one or more ZTNA virtual hosts to use the replacement message group.

    config firewall access-proxy-virtual-host
    edit <host name>
        set replacemsg-group <replacemsg group>
    next
end

    When a client fails a ZTNA check with the virtual host, the replacement message is displayed.

    Example

    In this example, a ZTNA virtual host named 10.1.1.12 is mapped to a replacement message group named test-vhost, and the group includes a customized ZTNA Empty Certificate Error Page message. The message is customized with a Company Y logo.

    When clients fail a ZTNA check with the ZTNA virtual host (10.1.1.12) because of an empty certificate, the custom replacement message is displayed.

    Go to System > Feature Visibility and enable Replacement Message Groups. See Feature Visibility for more information.
    To customize replacement messages for ZTNA virtual hosts:

    1. Upload a logo to the FortiProxy to use in replacement messages:

      1. Go to System > Replacement Messages and click Manage Images.

      2. Click Create New.

      3. Name and upload an image file.

      4. Click OK. The logo is uploaded to the FortiProxy.

    2. Create a replacement message group named, for example, test-vhost:

      1. Go to System > Replacement Message Groups and click Create New.

      2. Specify a name for the group, such as test-vhost.

      3. Set Group Type to Security.

      4. Click OK.

    3. Customize one or more messages in the test-vhost group:

      In this example, the ZTNA Empty Certificate Error Page message is edited to add a custom logo.

      1. Double-click the test-vhost replacement message group to open it for editing.

      2. Select the ZTNA Empty Certificate Error Page message and click Edit.

      3. In the right pane, edit the URL for the .logo section by typing the logo name to select the uploaded logo, for example, logo-company-y. 

        ...
}
.logo {
  background: url(%%IMAGE:logo-company-y%%) no-repeat left center;
  height: 267px;
  object-fit: contain;
}
...

      4. Click Save. A green checkmark is displayed in the Modified column to indicate a customized message.

    4. Configure a ZTNA server with a ZTNA virtual host named 10.1.1.12. See Configure a ZTNA server.

      In the Service/server mapping, be sure to set Virtual Host to Specify, and enter the name or IP address of the host that the request must match. For example, if 10.1.1.12 is entered as the host, then only requests to 10.1.1.12 will match.

    5. Map the ZTNA virtual host to the replacement message group in the CLI.

      In this example, the ZTNA virtual host named 10.1.1.12 is configured to use the test-vhost replacement message group.

    6. Create a ZTNA rule to allow traffic to the ZTNA server. See Configure a ZTNA rule .

    7. When a client fails to access the ZTNA virtual host named 10.1.1.12 because of an empty certificate error, the following custom replacement message with the Company Y logo is displayed.

    Previous
    Next

    Custom replacement message for ZTNA virtual hosts

    Custom replacement message for ZTNA virtual hosts

    Each ZTNA virtual host can be configured to display messages from a custom replacement message group.

    First create a replacement message group, and customize one ore more messages in the group. Then configure one or more ZTNA virtual hosts to use the replacement message group.

    config firewall access-proxy-virtual-host
    edit <host name>
        set replacemsg-group <replacemsg group>
    next
end

    When a client fails a ZTNA check with the virtual host, the replacement message is displayed.

    Example

    In this example, a ZTNA virtual host named 10.1.1.12 is mapped to a replacement message group named test-vhost, and the group includes a customized ZTNA Empty Certificate Error Page message. The message is customized with a Company Y logo.

    When clients fail a ZTNA check with the ZTNA virtual host (10.1.1.12) because of an empty certificate, the custom replacement message is displayed.

    Go to System > Feature Visibility and enable Replacement Message Groups. See Feature Visibility for more information.
    To customize replacement messages for ZTNA virtual hosts:

    1. Upload a logo to the FortiProxy to use in replacement messages:

      1. Go to System > Replacement Messages and click Manage Images.

      2. Click Create New.

      3. Name and upload an image file.

      4. Click OK. The logo is uploaded to the FortiProxy.

    2. Create a replacement message group named, for example, test-vhost:

      1. Go to System > Replacement Message Groups and click Create New.

      2. Specify a name for the group, such as test-vhost.

      3. Set Group Type to Security.

      4. Click OK.

    3. Customize one or more messages in the test-vhost group:

      In this example, the ZTNA Empty Certificate Error Page message is edited to add a custom logo.

      1. Double-click the test-vhost replacement message group to open it for editing.

      2. Select the ZTNA Empty Certificate Error Page message and click Edit.

      3. In the right pane, edit the URL for the .logo section by typing the logo name to select the uploaded logo, for example, logo-company-y. 

        ...
}
.logo {
  background: url(%%IMAGE:logo-company-y%%) no-repeat left center;
  height: 267px;
  object-fit: contain;
}
...

      4. Click Save. A green checkmark is displayed in the Modified column to indicate a customized message.

    4. Configure a ZTNA server with a ZTNA virtual host named 10.1.1.12. See Configure a ZTNA server.

      In the Service/server mapping, be sure to set Virtual Host to Specify, and enter the name or IP address of the host that the request must match. For example, if 10.1.1.12 is entered as the host, then only requests to 10.1.1.12 will match.

    5. Map the ZTNA virtual host to the replacement message group in the CLI.

      In this example, the ZTNA virtual host named 10.1.1.12 is configured to use the test-vhost replacement message group.

    6. Create a ZTNA rule to allow traffic to the ZTNA server. See Configure a ZTNA rule .

    7. When a client fails to access the ZTNA virtual host named 10.1.1.12 because of an empty certificate error, the following custom replacement message with the Company Y logo is displayed.

    Previous
    Next