Description
This article describes an issue where the replacement message page fails to appear for clients when traffic is blocked by application control in a firewall policy that uses proxy-based inspection mode with deep inspection (DPI).
Scope
FortiGate.
Solution
Navigate to the Application Control section and block the Social Media category.
When the firewall policy is applied with application control and deep inspection is enabled in flow-based inspection mode, Facebook is blocked and the application blocked replacement page appears.
When the inspection mode is switched to proxy-based with deep inspection, the replacement page no longer appears; the browser instead shows 'ERR_CONNECTION_RESET' or times out.
Note: The application was identified correctly, the traffic was blocked as expected, and block logs were generated. Only the application blocked replacement page was missing, with the browser showing 'ERR_CONNECTION_RESET' or a timeout instead.
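Because the client only sees a reset or timeout, the block logs are the way to confirm that application control, and not a network fault, dropped the session. The following is an added example, not part of the original article or Fortinet tooling: it parses exported log lines in the FortiOS key=value style and lists application control blocks per policy and client. The sample lines, addresses and policy ID are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in FortiOS key=value log style (not real logs).
SAMPLE_LOGS = """\
date=2024-08-01 time=10:15:02 type="utm" subtype="app-ctrl" level="warning" policyid=5 srcip=10.0.0.21 dstip=203.0.113.10 app="Facebook" appcat="Social.Media" action="block" msg="Social.Media: Facebook"
date=2024-08-01 time=10:15:07 type="utm" subtype="app-ctrl" level="information" policyid=5 srcip=10.0.0.21 dstip=198.51.100.7 app="HTTPS.BROWSER" appcat="Web.Client" action="pass" msg="Web.Client: HTTPS.BROWSER"
date=2024-08-01 time=10:16:40 type="utm" subtype="app-ctrl" level="warning" policyid=5 srcip=10.0.0.34 dstip=203.0.113.10 app="Facebook" appcat="Social.Media" action="block" msg="Social.Media: Facebook"
date=2024-08-01 time=10:17:11 type="traffic" subtype="forward" level="notice" policyid=5 srcip=10.0.0.34 dstip=198.51.100.9 action="close"
"""

# A field is key="quoted value" (may contain spaces) or key=bare_token.
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_line(line):
    """Split one key=value log line into a dict of strings."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def app_ctrl_blocks(log_text, category="Social.Media"):
    """Return application control records that blocked the given category."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec.get("subtype") == "app-ctrl"
                and rec.get("action") == "block"
                and rec.get("appcat") == category):
            events.append(rec)
    return events


def summarize(events):
    """Count blocks per (policy ID, client IP, application)."""
    return Counter((e["policyid"], e["srcip"], e["app"]) for e in events)


if __name__ == "__main__":
    for (policy, src, app), count in summarize(app_ctrl_blocks(SAMPLE_LOGS)).items():
        print(f"policy {policy}: {src} blocked from {app} x{count}")
```

A client that reports 'ERR_CONNECTION_RESET' and appears in this summary was blocked by policy; one that does not appear needs a separate connectivity check.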
This issue related to replacement messages has been resolved in FortiOS v7.4.5.
Refer to BUG ID 723764 in the release notes for further details:
Resolved issues
After upgrading to firmware version 7.4.5, the expected replacement message is visible after switching the inspection mode to proxy-based with deep inspection.