Ylli_Seitaj
Staff
Article Id 342263
Description: This article describes how to create a replacement message with a redirect on FortiGate.
Scope: FortiGate.
Solution

Enable 'Explicit Web Proxy' and configure the Proxy on the client side. Refer to this article for instructions.

 

In this case, on the FortiGate: 

'port1' is configured for management and Internet connectivity,

'port2' is configured for LAN connectivity.

 

On port2 of the FortiGate, the following IP address is configured: 10.112.4.124.

The client has the following IP address: 10.112.4.125.

 

To display the 'Replacement Message Group' in the GUI, go to System -> Feature Visibility -> enable Replacement Message Groups -> Apply.

Next, navigate to System -> Replacement Message Groups -> Create New. Define a name for the group and choose 'Authentication' as the group type, as shown below:

 

Screenshot_1.png

 

Go again to System -> Replacement Message Groups, select the 'Test_group' that was created above, and then select 'Web-proxy Block Page' and paste the message shown below. Specify the URL of the website to be redirected to. In the example below, 'www.fortinet.com' is used:

 

<!DOCTYPE html>
<html>
<head>
    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge">
    <meta name="viewport" content="width=device-width, initial-scale=1.0">
    <meta http-equiv="refresh" content="4;url=https://www.fortinet.com" />
    <title>Access Denied %%URL%%</title>
</head>
<body>
    <p>Access to %%URL%% is not allowed. Please wait for the website to be redirected.</p>
</body>
</html>

 

This is how it will appear in FortiGate:

 

Screenshot_2.png

 

The number 4 in the 'content' attribute of the meta refresh tag means that the client is redirected after 4 seconds.

 

Configure two firewall addresses and two proxy policies as shown below. In this example, requests for 'test.com' are redirected to a host under '*.fortinet.com', depending on the URL configured in the HTML code (www.fortinet.com, community.fortinet.com, etc.). The firewall address can also be set to just 'www.fortinet.com'.

config firewall address
    edit "test.com"
        set type fqdn
        set fqdn "test.com"
    next
    edit "*.fortinet.com"
        set type fqdn
        set fqdn "*.fortinet.com"
    next
end

 

config firewall proxy-policy
    edit 1
        set name "Deny_test.com"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "test.com"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
        set replacemsg-override-group "Test_group"
    next
    edit 2
        set name "Allow_fortinet.com"
        set proxy explicit-web
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "*.fortinet.com"
        set service "webproxy"
        set action accept
        set schedule "always"
        set logtraffic all
    next
end

 

How the Proxy Policies will look after they are created:

Screenshot_3.png

 

From the client, try to access 'test.com'. It will be shown as below:

 

Screenshot_4.png

 

After 4 seconds, it will be redirected automatically to 'www.fortinet.com', as shown below:

 

Screenshot_5.png


If the number in the 'content' attribute is changed from 4 to 0 as below, the client is redirected immediately:

 

<meta http-equiv="refresh" content="0;url=https://www.fortinet.com" />
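
A pre-deployment check for the block page above, as an added example that is not part of the original article: it parses the meta refresh, reports the delay and the redirect host, and confirms that the host is covered by an address used in the allow policy ('*.fortinet.com' here). The function and class names, the https check and the shell-style wildcard matching are assumptions of this example and do not reproduce how FortiOS matches FQDN addresses.

```python
from fnmatch import fnmatch
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: the block page from the article, condensed.
BLOCK_PAGE = """<!DOCTYPE html>
<html><head>
<meta charset="UTF-8">
<meta http-equiv="refresh" content="4;url=https://www.fortinet.com" />
<title>Access Denied %%URL%%</title>
</head><body><p>Access to %%URL%% is not allowed.</p></body></html>"""


class RefreshFinder(HTMLParser):
    """Collect (delay, url) strings from every <meta http-equiv="refresh">."""

    def __init__(self):
        super().__init__()
        self.refreshes = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag != "meta" or a.get("http-equiv", "").lower() != "refresh":
            return
        delay, _, rest = a.get("content", "").partition(";")
        key, _, url = rest.strip().partition("=")
        if key.strip().lower() != "url":
            url = ""  # refresh without a target reloads the same page
        self.refreshes.append((delay.strip(), url.strip().strip("'\"")))


def check_redirect(page, allowed_fqdns):
    """Return (delay_seconds, redirect_host, problems) for a block page."""
    finder = RefreshFinder()
    finder.feed(page)
    if len(finder.refreshes) != 1:
        return None, None, ["expected exactly one meta refresh"]
    delay, url = finder.refreshes[0]
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    problems = []
    if not delay.isdigit():
        problems.append("delay is not a whole number of seconds")
    if parts.scheme != "https":
        problems.append("redirect target is not https")
    # Assumption: shell-style wildcards approximate the FQDN address objects.
    if not any(fnmatch(host, p.lower()) for p in allowed_fqdns):
        problems.append("host %r is not covered by an allow policy address" % host)
    return (int(delay) if delay.isdigit() else None), host, problems
```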