Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
akumarr
Staff
Staff

Created on ‎04-18-2020 07:25 AM Edited on ‎03-18-2025 11:21 AM By Moderator

Article Id 191378

Technical Tip: Customize replacement messages for individual web filter profiles

Description

 

This article describes how to customize replacement messages for individual web filter profiles.

 

Scope

 

FortiGate.


Solution

 

Replacement message groups make it possible to customize replacement messages for individual policies and profiles.

There are two types of replacement message groups:

 

  • Utm: used with UTM settings in firewall policies. Messages in the following categories can be customized: mail, http, web proxy, ftp, nntp, FortiGuard-wf, spam, alertmail, admin, sslvpn, nac-quar, traffic-quota, utm, custom-message, and icap.
  • Auth: used with authentication pages in firewall policies. Messages in the following categories can be customized: web proxy and auth.

To create a replacement message group in the GUI:

Make replacement message groups visible in the GUI with the following CLI command:

 

In FortiOS 7.0 and later:

 

config system global
    set gui-replacement-message-groups enable
end

 

In FortiOS 6.4 and earlier:

 

config system settings
    set gui-replacement-message-groups enable
end

 

  1. Two replacement message groups have been created.

 

Facebook blocking is one of the groups and Twitter blocking is the other one.

Refer to the pictures below.

Note:

Both belong to the Security group type.

 

Stephen_G_0-1708877136733.png

 

  1. Along with this, two web filter profiles have been created.

Facebook is the name of the first and Twitter is the second.

 

 

  1. The Facebook website is blocked on Facebook's web filter profile and Twitter website is blocked on Twitter's web filter profile too.

 

 

 

  1. Along with this, two policies for two hosts have been created.

One policy has Facebook's web filter profile (to block Facebook) while the other one has the Twitter web filter profile (to block Twitter).

 

Stephen_G_1-1708877368348.png

 

  1. Now as soon as the traffic is initiated, the traffic will be blocked and the replacement message will be displayed.

In PC 1:

 

 

In PC 2:

 

 

Two separate block pages are visible in the screenshots above. To set this up, follow these steps:

  1. Edit the replacement message groups (the system will redirect the user to replacement message tab) and search for the URL block page, then customize it accordingly.

  2. Navigate to the web filter profile and then map the Replacement message group.

Configuration for step 1 is shown below:

              

 

 

Stephen_G_2-1708877463723.png

 

Edit the second replacement group.

The second stage is set out below.

 

config webfilter profile

edit Facebook

set replacemsg-group Facebook\ \ block

next
edit Twitter

set replacemsg-group Twitter\ block

end

 

As soon as these settings are configured, a different web page block message will be visible.

 

Note:

There is a possibility that a certificate error may appear instead of the replacement message. Follow the instructions in Technical Tip: Certificate error when accessing blocked page to resolve the issue:

 

Related article:
Replacement message groups - FortiGate administration guide.

47575
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.