This article describes an issue where the replacement message page fails to appear for clients when traffic is blocked by a firewall policy with application control that uses proxy-based inspection mode with deep inspection (DPI).
FortiGate.
Navigate to the Application Control section and block the Social Media category.
When the firewall policy is applied with application control and deep inspection is enabled in flow-based inspection mode, Facebook is blocked and the application blocked replacement page appears.
When the inspection mode is switched to proxy-based with deep inspection, the replacement page no longer appears; the client instead sees 'ERR_CONNECTION_RESET' or a timeout.
Note:
The application was identified correctly, the traffic was blocked as expected and block logs were generated, but the application blocked replacement page did not appear; the client instead saw 'ERR_CONNECTION_RESET' or a timeout.
If a web filter is applied, the firewall policy and the web filter profile should be in the same inspection mode.
Check whether the application in question requires deep inspection. If it does not, application control can also work with a flow-based policy and a certificate inspection profile.
Some applications require a deep inspection profile; in that case, use a proxy mode policy with a deep inspection profile. If the above options do not help, proceed to the steps below.
This issue related to replacement messages has been resolved in v7.4.5.
Refer to BUG ID 723764 in the release notes for further details:
Resolved issues
After upgrading to firmware v7.4.5, the expected replacement message is visible after switching the inspection mode to proxy-based with deep inspection.
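The checks above can be run against a configuration backup before deciding whether the upgrade is needed. The following is an added example, not Fortinet code: it flags policies that combine proxy-based inspection, deep inspection and application control, and policies whose web filter profile is in a different inspection mode. It assumes standard FortiOS CLI backup syntax, that a missing `inspection-mode` or `feature-set` line means flow, and that `deep_profiles` (a hypothetical parameter) lists the SSL/SSH profiles that perform deep inspection.

```python
import shlex

# Constructed sample in FortiOS backup syntax; profile names are made up.
SAMPLE = '''
config webfilter profile
    edit "wf-flow"
        set feature-set flow
    next
end
config firewall policy
    edit 1
        set ssl-ssh-profile "deep-inspection"
        set application-list "block-social"
    next
    edit 2
        set inspection-mode proxy
        set ssl-ssh-profile "deep-inspection"
        set application-list "block-social"
        set webfilter-profile "wf-flow"
    next
end
'''

def parse_tables(text, wanted):
    """Return {table: {entry_id: {key: value}}} for the wanted top-level tables."""
    tables, path, entry = {}, [], None
    for tok in filter(None, map(shlex.split, text.splitlines())):
        if tok[0] == "config":
            path.append(" ".join(tok[1:]))
        elif tok[0] == "end":
            path.pop()
        elif len(path) == 1 and path[0] in wanted:  # skip nested sub-tables
            if tok[0] == "edit":
                entry = tables.setdefault(path[0], {}).setdefault(tok[1], {})
            elif tok[0] == "set":
                entry[tok[1]] = " ".join(tok[2:])
    return tables

def audit(text, deep_profiles=("deep-inspection",)):
    t = parse_tables(text, {"firewall policy", "webfilter profile"})
    wf, findings = t.get("webfilter profile", {}), []
    for pid, p in t.get("firewall policy", {}).items():
        mode = p.get("inspection-mode", "flow")  # assumption: absent line means flow
        if mode == "proxy" and "application-list" in p and p.get("ssl-ssh-profile") in deep_profiles:
            findings.append((pid, "proxy+deep-inspection+app-control"))
        w = wf.get(p.get("webfilter-profile"))
        if w is not None and w.get("feature-set", "flow") != mode:
            findings.append((pid, "webfilter-mode-mismatch"))
    return findings
```

On the constructed sample, policy 2 is reported for both conditions and policy 1 (flow-based) is not reported.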