A simple post today, explaining how you can manage different replacement messages within FortiOS. In my deployment schemes I usually use different types of replacement messages depending on the function of each Virtual Domain, especially on WAN-fronting Virtual Domains.
For example, here is a view of a system default IPS Block Page being sent once the IPS Engine had triggered on some offending bytes:
While this might be informative inside your perimeter of control, I wouldn't advise broadcasting all the information seen above to the outside, for example on IPS denials triggered against your own services hosted behind a FortiGate.
Within FortiOS you enable Replacement Message Groups by making the feature visible under System > Feature Visibility > Replacement Message Groups.
Once the feature is enabled, either globally on the FortiGate or within your VDOM context, you can create two types of Replacement Message Groups:
- Authentication --> RMGs mapped on Firewall Policies
- Security --> RMGs mapped on Security Profiles
As shown above, I've created two "WAN Facing" RMGs, one Authentication and one Security.
To map the newly created RMGs, attach your identity-based firewall policies to the Authentication RMG and your security profiles (Web Filtering, IPS, Application Control, etc.) to the Security RMG. Let me illustrate this with two examples.
A WAN-fronting IPS sensor mapped to our WAN-fronting Security RMG:
    config ips sensor
        edit "IPS_HTTPS_SERVER"
            ...
            set replacemsg-group "RMG-WAN-Facing-Sec"
            ...
And here an identity-based policy making use of our Authentication RMG:
    config firewall policy
        edit 1
            ...
            set replacemsg-override-group "RMG-WAN-Facing-Auth"
            ...
Another point worth mentioning: if you're using VDOMs and have previously modified replacement messages in the global context, those modified messages become the new defaults within any RMG created afterwards.
These are the pages I usually edit for everything WAN-fronting:
    config vdom
        edit WAN-Fronting-VDOM
            config system replacemsg-group
                edit "default"
                    set comment "Default replacement message group."
                    set group-type default
                    config utm
                        edit "waf-html"
                            set buffer "<!DOCTYPE HTML>...
                            set header http
                            set format html
                        next
                    end
                next
                edit "RMG-WAN-Security"
                    set comment ''
                    set group-type utm
                    config http
                        edit "url-block"
                            set buffer "<!DOCTYPE HTML>...
                            set header http
                            set format html
                        next
                    end
                    config fortiguard-wf
                        edit "ftgd-block"
                            set buffer "<!DOCTYPE HTML>...
                            set header http
                            set format html
                        next
                    end
                    config nac-quar
                        edit "nac-quar-ips"
                            set buffer "<!DOCTYPE HTML>...
                            set header http
                            set format html
                        next
                        edit "nac-quar-app"
                            set buffer "<!DOCTYPE HTML>...
                            set header http
                            set format html
                        next
                    end
                    config utm
                        edit "ipsblk-html"
                            set buffer "<!DOCTYPE HTML>...
                            set header http
                            set format html
                        next
                        edit "appblk-html"
                            set buffer "<!DOCTYPE HTML>...
                            set header http
                            set format html
                        next
                    end
                next
            end
        next
    end
Note that I couldn't find a way to assign an RMG in the WAF security profile settings, which is why the default replacement message is updated instead.
You're then free to populate your buffers with any HTML you think makes sense on the outside. You might find some examples here.
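As an added example (not from the original post), here is a small Python audit to run over a replacement-message buffer before it goes into a WAN-facing RMG: it lists the %%TAG%% substitution macros FortiOS expands in the page and flags the ones that would disclose internal details to an outside client. The denylist of macro names is an assumption based on FortiOS's replacement-message tag syntax, not something the post states, so adjust it to your build.

```python
import re
from typing import Set, Tuple

# FortiOS expands %%NAME%% macros inside a replacement-message buffer at render time.
TAG_RE = re.compile(r"%%([A-Z0-9_]+)%%")

# Assumed denylist: macros that expose device identity, internal addressing or
# signature details, none of which belong on a page served to the Internet.
INTERNAL_TAGS: Set[str] = {
    "FORTIGATE_HOSTNAME", "SOURCE_IP", "DEST_IP",
    "IPS_ATTACK_NAME", "IPS_ATTACK_ID", "SERVICE", "PROTOCOL",
}


def find_tags(buffer: str) -> Set[str]:
    """Return every %%TAG%% macro name present in a replacement-message buffer."""
    return set(TAG_RE.findall(buffer))


def audit_buffer(buffer: str) -> Tuple[bool, Set[str]]:
    """Return (safe_for_wan, leaking_tags) for a candidate WAN-facing buffer."""
    leaking = find_tags(buffer) & INTERNAL_TAGS
    return (not leaking, leaking)


# Constructed sample in the style of a default IPS block page: verbose on purpose.
DEFAULT_STYLE = """<!DOCTYPE HTML><html><body>
<h1>Attack blocked</h1>
<p>Attack: %%IPS_ATTACK_NAME%% (ID %%IPS_ATTACK_ID%%)</p>
<p>Source %%SOURCE_IP%% to %%DEST_IP%% on %%FORTIGATE_HOSTNAME%%</p>
</body></html>"""

# Constructed sample for a WAN-facing Security RMG: only the client's own request
# URL is echoed, nothing about the device or the signature that fired.
WAN_STYLE = """<!DOCTYPE HTML><html><body>
<h1>Request blocked</h1>
<p>Your request to %%URL%% was rejected by a security policy.</p>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("default-style", DEFAULT_STYLE), ("wan-style", WAN_STYLE)):
        safe, leaking = audit_buffer(page)
        print(f"{name}: safe_for_wan={safe} leaking={sorted(leaking)}")
```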
Hope you found this useful.