FortiOS Replacement Messages Groups

A simple post today, explaining how you can manage different replacement messages within FortiOS. In my deployment schemes, I'm used to leveraging different types of replacement messages based on the function of the Virtual Domain, especially on WAN fronting Virtual Domains.

For example, here is a view of a system default IPS Block Page being sent once the IPS Engine has triggered on some offending bytes:

While this might be informative inside your perimeter of control, I wouldn't advise broadcasting all of the information seen above to the outside, for example on IPS denials triggered by traffic to your own services hosted behind a FortiGate.

Within FortiOS you can enable Replacement Message Groups by making the feature visible under: System > Feature Visibility > Replacement Message Groups

Once the feature is enabled, either globally on the FortiGate or in your VDOM context, you can create two types of Replacement Message Groups:

  • Authentication --> RMG's mapped on Firewall Policies
  • Security --> RMG's mapped on Security Profiles

As shown above, I've created two "WAN Facing" Auth & Security RMG's.

To map the newly created RMG's, map your Identity Based Policies to the Authentication based RMG and your Security Profiles (Web Filtering, IPS, AppControl etc.) to the Security based RMG. Let me illustrate this with two examples...

A WAN fronting IPS Sensor mapped to our WAN fronting Security based RMG:

config ips sensor
    edit "IPS_HTTPS_SERVER"
        ...
        set replacemsg-group "RMG-WAN-Facing-Sec"
        ...

And here an Identity Based Policy making use of our Authentication based RMG:

config firewall policy
    edit 1
        ...
        set replacemsg-override-group "RMG-WAN-Facing-Auth"
        ...
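
As an added example (not part of the original post), here is a small Python audit that parses configuration text in the FortiOS CLI layout used above and reports every IPS sensor without a replacemsg-group and every firewall policy without a replacemsg-override-group, so you can spot objects that would still serve the default pages. The sample configuration is constructed, and the parser only handles top-level tables with the config/edit/set/next/end nesting shown on this page.

```python
# Constructed sample in FortiOS CLI layout (not from a real device).
SAMPLE_CONFIG = """\
config ips sensor
    edit "IPS_HTTPS_SERVER"
        set replacemsg-group "RMG-WAN-Facing-Sec"
    next
    edit "IPS_LAN_DEFAULT"
        set comment "no group mapped"
    next
end
config firewall policy
    edit 1
        set replacemsg-override-group "RMG-WAN-Facing-Auth"
    next
    edit 2
    next
end
"""
# Attribute that maps each object type to a replacement message group (from the post).
RMG_KEY = {"ips sensor": "replacemsg-group", "firewall policy": "replacemsg-override-group"}


def parse_sections(text: str) -> dict:
    """Parse top-level 'config <table>' blocks into {table: {entry: {key: value}}}."""
    sections, table, entry, depth = {}, None, None, 0  # depth counts nested config blocks
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                table = line[len("config "):]
                sections.setdefault(table, {})
        elif line == "end":
            depth -= 1
        elif depth != 1 or table is None:
            continue  # nested block inside an entry (e.g. 'config utm'), or outside any table
        elif line.startswith("edit "):
            entry = line[len("edit "):].strip('"')
            sections[table][entry] = {}
        elif line.startswith("set ") and entry is not None:
            key, _, value = line[len("set "):].partition(" ")
            sections[table][entry][key] = value.strip('"')
        elif line == "next":
            entry = None
    return sections


def missing_rmg(text: str) -> list:
    """Return 'table/entry' ids that do not reference any replacement message group."""
    sections = parse_sections(text)
    return [f"{table}/{name}" for table, key in RMG_KEY.items()
            for name, settings in sections.get(table, {}).items() if key not in settings]
```

Run it against the text of `show ips sensor` and `show firewall policy` from a WAN fronting VDOM; for the sample above it reports the LAN sensor and policy 2.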

Another point to mention: if you're using VDOMs and have previously changed your global context replacement messages, those modified RM's become the new default within any RMG's created afterwards.

These are the pages I'm usually editing for everything WAN fronting:

config vdom
edit WAN-Fronting-VDOM
config system replacemsg-group
    edit "default"
        set comment "Default replacement message group."
        set group-type default
        config utm
            edit "waf-html"
                set buffer "<!DOCTYPE HTML>...
                set header http
                set format html
            next
        end
    next
    edit "RMG-WAN-Security"
        set comment ''
        set group-type utm
        config http
            edit "url-block"
                set buffer "<!DOCTYPE HTML>...
                set header http
                set format html
            next
        end
        config fortiguard-wf
            edit "ftgd-block"
                set buffer "<!DOCTYPE HTML>...
                set header http
                set format html
            next
        end
        config nac-quar
            edit "nac-quar-ips"
                set buffer "<!DOCTYPE HTML>...
                set header http
                set format html
            next
            edit "nac-quar-app"
                set buffer "<!DOCTYPE HTML>...
                set header http
                set format html
            next
        end
        config utm
            edit "ipsblk-html"
                set buffer "<!DOCTYPE HTML>...
                set header http
                set format html
            next
            edit "appblk-html"
                set buffer "<!DOCTYPE HTML>...
                set header http
                set format html
            next
        end
    next
end
next
end

Note that I couldn't find a way to reference RMG's from the WAF Security Profile settings, which is why the default RM is updated instead.

You're then free to populate your buffers with any HTML you think makes sense on the outside. You might find some examples here.

Hope you found this useful.
Cheers,

Obuno

Image Credits: Artist's concept of interstellar object 1I/2017 U1 ('Oumuamua)
