Administration Guide

Custom replacement message for ZTNA virtual hosts

Each ZTNA virtual host can be configured to display messages from a custom replacement message group.

First create a replacement message group, and customize one or more messages in the group. Then configure one or more ZTNA virtual hosts to use the replacement message group.

config firewall access-proxy-virtual-host
    edit <host name>
        set replacemsg-group <replacemsg group>
    next
end

When a client fails a ZTNA check with the virtual host, the replacement message is displayed.

Example

In this example, a ZTNA virtual host named server1.ztna.local is mapped to a replacement message group named test-vhost, and the group includes a customized ZTNA Empty Certificate Error Page message. The message is customized with a Company Y logo.

When clients fail a ZTNA check with the ZTNA virtual host (server1.ztna.local) because of an empty certificate, the custom replacement message is displayed.

Note

Go to System > Feature Visibility and enable Replacement Message Groups. See Feature visibility for more information.

To customize replacement messages for ZTNA virtual hosts:
  1. Upload a logo to the FortiGate to use in replacement messages:

    1. Go to System > Replacement Messages and click Manage Images.

    2. Click Create New.

    3. Name and upload an image file.

    4. Click OK. The logo is uploaded to the FortiGate.

  2. Create a replacement message group named, for example, test-vhost:

    1. Go to System > Replacement Message Groups and click Create New.

    2. Specify a name for the group, such as test-vhost.

    3. Set Group Type to Security.

    4. Click OK.

  3. Customize one or more messages in the test-vhost group:

    In this example, the ZTNA Empty Certificate Error Page message is edited to add a custom logo.

    1. Double-click the test-vhost replacement message group to open it for editing.

    2. Select the ZTNA Empty Certificate Error Page message and click Edit.

    3. In the right pane, edit the URL for the .logo section by typing the logo name to select the uploaded logo, for example, logo-company-y.

      ...
      }
      .logo {
        background: url(%%IMAGE:logo-company-y%%) no-repeat left center;
        height: 267px;
        object-fit: contain;
      }
      ...

    4. Click Save. A green checkmark is displayed in the Modified column to indicate a customized message.

  4. Configure a ZTNA server with a ZTNA virtual host named server1.ztna.local. See Configure a ZTNA server.

    In the Service/server mapping, be sure to set Virtual Host to Specify, and enter the name or IP address of the host that the request must match. For example, if server1.ztna.local is entered as the host, then only requests to server1.ztna.local will match.

  5. Map the ZTNA virtual host to the replacement message group in the CLI.

    In this example, the ZTNA virtual host named server1.ztna.local is configured to use the test-vhost replacement message group.

    config firewall access-proxy-virtual-host
        edit "server1.ztna.local"
            set replacemsg-group "test-vhost"
        next
    end

  6. Create a ZTNA policy to allow traffic to the ZTNA server. See Configure a ZTNA policy.

  7. When a client fails to access the ZTNA virtual host named server1.ztna.local because of an empty certificate error, the following custom replacement message with the Company Y logo is displayed.
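As an added check (not part of this guide or of any Fortinet tooling), the script below audits a saved CLI dump of the `config firewall access-proxy-virtual-host` table to report which ZTNA virtual hosts still lack a `replacemsg-group`, and confirms that every `%%IMAGE:name%%` reference in a customized message resolves to a logo that was actually uploaded. The config text, the template and the uploaded-image list are constructed samples; the function names are this example's own.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample of a CLI dump: server1 is mapped to a group, server2 is not.
SAMPLE_CONFIG = """\
config firewall access-proxy-virtual-host
    edit "server1.ztna.local"
        set host "server1.ztna.local"
        set replacemsg-group "test-vhost"
    next
    edit "server2.ztna.local"
        set host "server2.ztna.local"
    next
end
"""

# Constructed fragment of a customized replacement message (mirrors the .logo CSS above).
SAMPLE_TEMPLATE = """.logo {
  background: url(%%IMAGE:logo-company-y%%) no-repeat left center;
  height: 267px;
}"""

def parse_virtual_hosts(config_text: str) -> Dict[str, Optional[str]]:
    """Map each virtual host name to its replacemsg-group (None when unset)."""
    hosts: Dict[str, Optional[str]] = {}
    in_block, current = False, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall access-proxy-virtual-host":
            in_block = True
            continue
        if not in_block:
            continue
        if line == "end":
            break
        edit = re.match(r'^edit\s+"?([^"\s]+)"?$', line)
        if edit:
            current = edit.group(1)
            hosts[current] = None      # no group until a set line says otherwise
            continue
        grp = re.match(r'^set\s+replacemsg-group\s+"?([^"\s]+)"?$', line)
        if grp and current is not None:
            hosts[current] = grp.group(1)
        elif line == "next":
            current = None
    return hosts

def hosts_without_group(config_text: str) -> List[str]:
    """Virtual hosts that would fall back to the default messages."""
    return sorted(h for h, g in parse_virtual_hosts(config_text).items() if g is None)

def missing_images(template: str, uploaded: Set[str]) -> List[str]:
    """Image names referenced as %%IMAGE:name%% but not present in the uploaded set."""
    return sorted(set(re.findall(r"%%IMAGE:([^%]+)%%", template)) - uploaded)
```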
