FortiGate
alebay
Staff
Article Id 192906

Description


This article describes how to configure the block-notification replacement message on FortiGate, which is shown to the client when traffic matches a firewall policy with action DENY.

 

Scope

 

FortiGate.


Solution


To enable the block-notification message shown to the client accessing the blocked site, configure the firewall policy in the FortiGate CLI:

 

config firewall policy
    edit <policy_ID>
        set block-notification enable
        set action deny <-- Shown here only to demonstrate a DENY policy being edited.
end

 

Block notifications can also be enabled from the GUI in a ZTNA proxy policy.

 


 

The block-notification message provides a blocked page for both HTTP and HTTPS. This applies to firewall policies using flow-based inspection, firewall policies using proxy-based inspection, and the explicit web proxy.

 


 

If block-notification is not enabled, the client browser displays a generic connection error instead of the replacement page.

 


 

In WAD debug output, the following sequence is observed when traffic is denied by the policy:

 

[V]2024-04-09 13:46:09.319087 [p:350] wad_dns_parse_name_resp :323 www.brinkmannshof.de: resp_type=1 notify=1 cdata=1 81.169.145.160

[I]2024-04-09 13:46:09.319089 [p:350][s:2077451613][r:72452733] wad_http_dns_request_done :11386 [0x7f3d7ca4b700] DNS resolved: 81.169.145.160

24-04-09 13:46:09.319167 [p:350][s:2077451613][r:72452733] wad_http_req_policy_set :9643 match pid=350 policy-id=8 vd=0 in_if=34, out_if=33 172.17.10.8:55408 -> 81.169.145.160:443==================>>>Policy id 8 is matched

[E]2024-04-09 13:46:09.319178 [p:350][s:2077451613][r:72452733] wad_http_req_proc_policy :9377 POLICY DENIED

 

The behaviour changes if an additional setting is added to the same policy:

 

config firewall policy
    edit <id>
        set send-deny-packet enable
end

 

With send-deny-packet enabled, FortiGate replies to the client with a TCP RST packet, so the client receives a 'connection refused' error immediately instead of waiting for a timeout. The same connection-refused behaviour is seen for HTTP sites when block-notification is set to 'disable'.

 


 

IPv6:

The 'send-deny-packet' parameter is also valid for firewall policies handling IPv6 traffic. However, on platforms with Linux kernel 4.19, no TCP RST packet is sent in FortiOS v7.4.8 and earlier. This is tracked by issue ID 1162875 and resolved in v7.4.9 and v7.6.4, see FortiOS v7.4.9 Release Notes | Resolved Issues.

 

Note:

If the parameter 'set deny-tcp-with-icmp' is enabled, FortiOS sends an ICMP type 3 code 13 message ('Communication administratively filtered') rather than a TCP RST packet. Since client browsers will generally not be able to receive this packet, they will display timeout errors rather than connection refused errors.

 

A packet sniffer on the client or FortiOS will show the ICMP packet:

 

diagnose sniffer packet any 'host 10.255.200.77 and (port 443 or icmp)' 4 10
Using Original Sniffing Mode
interfaces=[any]
filters=[host 10.255.200.77 and (port 443 or icmp)]
2.952036 port1 in10.255.200.77.49535 -> 10.255.201.27.443: syn 2736751704
2.952072 port1 out 10.255.201.27 -> 10.255.200.77: icmp: host 10.255.201.27 unreachable - admin prohibited filter
2.952328 port1 in 10.255.200.77.49536 -> 10.255.201.27.443: syn 1645945845
2.952348 port1 out 10.255.201.27 -> 10.255.200.77: icmp: host 10.255.201.27 unreachable - admin prohibited filter
2.952720 port1 out 10.255.201.27 -> 10.255.200.77: icmp: host 10.255.201.27 unreachable - admin prohibited filter
3.208434 port1 in 10.255.200.77.49538 -> 10.255.201.27.443: syn 2212372131
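As an added example (not part of the original article), the following Python script classifies sniffer output of this kind by how the deny policy answered each client SYN: a TCP RST (send-deny-packet), an ICMP administratively prohibited message (deny-tcp-with-icmp), or no reply at all (the timeout case). The SYN and ICMP lines in the sample are taken from the output above; the final SYN/RST pair is a constructed approximation of the sniffer format.

```python
import re
from collections import Counter

# Constructed sample of 'diagnose sniffer packet ... 4' output. The SYN and ICMP
# lines follow the format shown in the article; the final SYN/RST pair is an
# assumed rendering of a send-deny-packet response, not captured output.
SAMPLE = """\
2.952036 port1 in 10.255.200.77.49535 -> 10.255.201.27.443: syn 2736751704
2.952072 port1 out 10.255.201.27 -> 10.255.200.77: icmp: host 10.255.201.27 unreachable - admin prohibited filter
2.952328 port1 in 10.255.200.77.49536 -> 10.255.201.27.443: syn 1645945845
2.952348 port1 out 10.255.201.27 -> 10.255.200.77: icmp: host 10.255.201.27 unreachable - admin prohibited filter
2.952720 port1 out 10.255.201.27 -> 10.255.200.77: icmp: host 10.255.201.27 unreachable - admin prohibited filter
3.208434 port1 in 10.255.200.77.49538 -> 10.255.201.27.443: syn 2212372131
5.101200 port1 in 10.255.200.77.49540 -> 10.255.201.27.443: syn 1000000001
5.101250 port1 out 10.255.201.27.443 -> 10.255.200.77.49540: rst 0 ack 1000000002
"""

# ICMP line: FortiGate answers the client directly; the inner TCP header is not shown.
ICMP_RE = re.compile(r"^\S+ \S+ out (?P<src>[\d.]+) -> (?P<dst>[\d.]+): icmp: .*admin prohibited")
# TCP line: "<ts> <if> in|out <src>.<sport> -> <dst>.<dport>: <flag> ..." (the
# sniffer sometimes omits the space after 'in', hence \s*).
TCP_RE = re.compile(
    r"^\S+ \S+ (?P<dir>in|out)\s*(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<flag>\w+)"
)


def classify_deny_replies(sniffer_output):
    """Map each inbound client SYN (client_ip, sport) to the deny policy's answer:
    'tcp-rst' (send-deny-packet), 'icmp-admin-prohibited' (deny-tcp-with-icmp)
    or 'no-reply' (silent drop, which the browser reports as a timeout)."""
    verdicts = {}  # insertion-ordered, so the last pending key is the most recent SYN
    for line in sniffer_output.splitlines():
        m = ICMP_RE.match(line)
        if m:
            # No port in the ICMP summary: attribute it to the client's most recent
            # still-unanswered SYN; an ICMP with no pending SYN is ignored.
            pending = [k for k, v in verdicts.items() if k[0] == m["dst"] and v == "no-reply"]
            if pending:
                verdicts[pending[-1]] = "icmp-admin-prohibited"
            continue
        m = TCP_RE.match(line)
        if m and m["flag"] == "syn" and m["dir"] == "in":
            verdicts[(m["src"], int(m["sport"]))] = "no-reply"
        elif m and m["flag"] == "rst" and verdicts.get((m["dst"], int(m["dport"]))) == "no-reply":
            verdicts[(m["dst"], int(m["dport"]))] = "tcp-rst"
    return verdicts


def summarize(verdicts):
    """Count verdicts so the dominant deny behaviour is obvious at a glance."""
    return Counter(verdicts.values())


if __name__ == "__main__":
    result = classify_deny_replies(SAMPLE)
    for (client, port), verdict in result.items():
        print(f"{client}:{port} -> {verdict}")
    print(dict(summarize(result)))
```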

 

In most environments, it is recommended to leave 'set deny-tcp-with-icmp' as the default 'disable'.

 

config system settings
    set deny-tcp-with-icmp {disable | enable}
end

 

Certificates:
When traffic hits the implicit deny policy (id=0) or a policy with action DENY, the CA certificate configured under 'config web-proxy global' is used to sign the server certificate presented together with the replacement message.


config web-proxy global
    set ssl-ca-cert "CERT_NAME"
end

 

If a different certificate is observed in the replacement message, this is a known issue (ID 1103272) that has been fixed in FortiOS version 7.4.9.

Workaround:
Step 1:


config firewall proxy-policy
    edit 1
        set action accept
        unset ssl-ssh-profile
end

 

Step 2:


config firewall proxy-policy
    edit 1
        set action deny
end

 

However, if any further changes are made to this policy, the issue may reappear.

 

Related article:

Technical Tip: Customize replacement messages for individual web filter profiles