Description
This article describes how to configure the block-notification replacement message on FortiGate, which is shown to the client when a deny policy blocks its traffic. Alternatively, a web filter block page can be used for the same purpose.
Scope
FortiGate.
Solution
Since version 5.2.3, traffic matching a deny policy is silently dropped by default; it is still logged if logging is configured for the deny policy.
To show the block-notification message to the client accessing the blocked site, configure the firewall policy from the FortiGate CLI:
config firewall policy
    edit <policy_ID>
        set block-notification enable
        set action deny (shown here only to demonstrate a DENY policy being edited)
    next
end
When enabling the block-notification message for HTTP traffic, also create a policy above the deny policy that allows DNS traffic; without name resolution the client never sends the HTTP request that triggers the block page.
For example:
config firewall policy
    edit 2
        set name "DNS Allow"
        set uuid eb0ce1a8-9634-51ed-3970-934308a4a0ad
        set srcintf "LAN(a)"
        set dstintf "INTERNET(wan)"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "DNS"
        set nat enable
    next
    edit 1
        set name "Blocked End PC"
        set uuid c711cde0-956c-51ed-1c67-ab4586ef30c8
        set srcintf "LAN(a)"
        set dstintf "INTERNET(wan)"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set block-notification enable
    next
end
This step is not necessary to enable block notifications for traffic in a ZTNA proxy policy.
Block notifications can also be enabled from the GUI:
Note:
Configure correct DNS resolution on the FortiGate so that the custom HTTP block page can be displayed.
The block-notification message in this case provides a block page for HTTP only; all other protocols are still silently dropped.
In the following example, block-notification is enabled on a policy that denies HTTP, so the client sees the block-notification page when its traffic is blocked:
set block-notification enable
If block-notification is not enabled, or a protocol other than HTTP is used, the traffic is silently dropped and the client's connection simply times out:
The behaviour changes again if the following line is added to the policy:
set send-deny-packet enable
With send-deny-packet enabled, the FortiGate sends a deny packet back to the client instead of silently dropping the traffic, so the client receives a response faster than in the timeout case. The same behaviour is seen for HTTP sites when block-notification is set to 'disabled'.
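The three client-visible outcomes described above (silent drop and timeout, deny packet and immediate rejection, block-notification and an HTTP block page) can be told apart from the client side with a small probe. The script below is an added example, not part of the original article and not Fortinet code: probe_http sends one HTTP GET and classifies what comes back, and interpret maps that observation to the policy setting most likely responsible. The local listeners started by start_fake_listener stand in for the FortiGate so the script runs offline; the 403 status used for the fake block page is an assumption of this example, the article does not state the status of the real replacement message.

```python
"""Client-side probe for firewall deny behaviour (constructed example, not
FortiGate code).  Each outcome described in the article has a distinct
signature from the client's point of view:

  silently dropped deny policy     -> the TCP handshake or the HTTP read times out
  send-deny-packet enable          -> the connection is rejected immediately
  block-notification enable (HTTP) -> an HTTP response carrying the block page
"""
import socket
import threading

# How the client-side observation maps back to the policy setting.
INTERPRETATION = {
    "timeout": "silent drop: plain deny policy (default) or non-HTTP protocol",
    "reset": "connection rejected: 'set send-deny-packet enable'",
    "http": "HTTP block page returned: 'set block-notification enable'",
}


def probe_http(host, port, timeout=2.0, path="/"):
    """Send one HTTP GET and report what the client observed.

    Returns 'timeout', 'reset', 'closed', 'http <status>' or 'unexpected'.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            request = (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
                       "Connection: close\r\n\r\n").encode()
            sock.sendall(request)
            data = b""
            while b"\r\n" not in data:          # read until the status line is complete
                chunk = sock.recv(4096)
                if not chunk:
                    return "closed"             # peer closed without answering
                data += chunk
    except socket.timeout:
        return "timeout"                        # SYN or HTTP request never answered
    except (ConnectionRefusedError, ConnectionResetError):
        return "reset"                          # the deny was signalled back to us
    status = data.split(b"\r\n", 1)[0].decode(errors="replace").split()
    if len(status) >= 2 and status[0].startswith("HTTP/"):
        return f"http {status[1]}"
    return "unexpected"


def interpret(observation):
    """Map a probe_http() result to the most likely policy setting."""
    key = "http" if observation.startswith("http ") else observation
    return INTERPRETATION.get(key, "unknown")


def start_fake_listener(mode):
    """Local stand-in for the firewall (constructed for this example only).

    mode 'block-page': answer every request with a 403 page (assumed status),
                       mimicking block-notification.
    mode 'silent'    : accept the connection but never answer, mimicking a
                       silent drop (a real drop would stall the handshake instead).
    Returns (port, stop_event); set the event to shut the listener down.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    srv.settimeout(0.2)                         # lets the loop notice stop_event
    stop = threading.Event()
    body = b"<html><body><h1>Web Page Blocked</h1></body></html>"
    reply = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n"
             b"Content-Length: %d\r\nConnection: close\r\n\r\n" % len(body)) + body

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            with conn:
                if mode == "block-page":
                    conn.settimeout(2.0)
                    try:
                        conn.recv(4096)         # consume the request
                        conn.sendall(reply)
                    except OSError:
                        pass
                else:                           # 'silent': hold the socket, say nothing
                    stop.wait()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stop


def unused_local_port():
    """A port with no listener: connecting to it is refused, which is the same
    client-visible outcome as a firewall answering the SYN with a deny packet."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    for label, (port, stop) in (("block-page", start_fake_listener("block-page")),
                                ("silent", start_fake_listener("silent"))):
        seen = probe_http("127.0.0.1", port, timeout=1.0)
        print(f"{label:10s} -> {seen:10s} : {interpret(seen)}")
        stop.set()
    seen = probe_http("127.0.0.1", unused_local_port(), timeout=1.0)
    print(f"{'refused':10s} -> {seen:10s} : {interpret(seen)}")
```

Against a real FortiGate, point probe_http at a host behind the deny policy (with the DNS-allow policy in place, as the article requires) and compare the result with what the policy is configured to do; a "timeout" where a block page was expected usually means the request never left the client because name resolution failed.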
Note:
'set deny-tcp-with-icmp' is obsolete and no longer used.
Related article:
Technical Tip: Customize replacement messages for individual web filter profiles
Copyright 2024 Fortinet, Inc. All Rights Reserved.