FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
alebay
Staff
Article Id 192906

Description


This article describes how to configure the block-notification replacement message on FortiGate, which is shown to the client when a deny policy blocks its traffic. Alternatively, a web filter profile can be used to present a block page.


Scope

FortiGate.


Solution


Since FortiOS 5.2.3, traffic matching a deny policy is silently dropped by default: the client receives no response (the drop is still logged if logging is configured for the deny policy).


To enable the block-notification message (for the client accessing that site), configure the deny policy in the FortiGate CLI ('set action deny' is shown only to make clear that a deny policy is being edited):

config firewall policy
    edit <policy_ID>
        set action deny
        set block-notification enable
    next
end


When enabling the block-notification message for HTTP traffic, add a policy that allows DNS traffic above the deny policy. The client must resolve the site's name before it sends the HTTP request that FortiGate answers with the block page; if DNS is also denied, the client only sees a name-resolution failure.

For example:


config firewall policy
    edit 2
        set name "DNS Allow"
        set uuid eb0ce1a8-9634-51ed-3970-934308a4a0ad
        set srcintf "LAN(a)"
        set dstintf "INTERNET(wan)"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "DNS"
        set nat enable
    next
    edit 1
        set name "Blocked End PC"
        set uuid c711cde0-956c-51ed-1c67-ab4586ef30c8
        set srcintf "LAN(a)"
        set dstintf "INTERNET(wan)"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set block-notification enable
    next
end


This step is not necessary to enable block notifications for traffic in a ZTNA proxy policy.
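The ordering rule above is easy to get wrong when policies are added later, so here is an added example (not part of the Fortinet article) of a small Python linter that parses the 'config firewall policy' table from a FortiOS config dump and reports any deny policy with 'set block-notification enable' that has no accept policy for DNS listed above it on the same interface pair. It also flags the obsolete 'set deny-tcp-with-icmp' option wherever it appears in the text. The sample configuration is the article's two-policy example with the UUID lines left out; the parser is a minimal reader of this one table and is an assumption of this example, not FortiOS's own config grammar.

```python
# Added example (not from the Fortinet article): a small linter for the
# ordering rule the article describes. It parses the 'config firewall policy'
# table of a FortiOS config dump and reports any deny policy that has
# 'set block-notification enable' without an accept policy for DNS listed
# above it on the same interface pair; it also flags the obsolete
# 'set deny-tcp-with-icmp' option wherever it appears. The parser is a
# minimal reader of this one table, not FortiOS's own config grammar.
import re

# Constructed sample: the article's two-policy example without the UUID lines.
# FortiOS lists policies in evaluation order, so edit 2 is checked before edit 1.
SAMPLE_CONFIG = """\
config firewall policy
    edit 2
        set name "DNS Allow"
        set srcintf "LAN(a)"
        set dstintf "INTERNET(wan)"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "DNS"
        set nat enable
    next
    edit 1
        set name "Blocked End PC"
        set srcintf "LAN(a)"
        set dstintf "INTERNET(wan)"
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set block-notification enable
    next
end
"""

# Constructed counter-example: the same deny policy with the DNS allow policy
# removed, so nothing above it lets the client resolve the name first.
_dns_block = SAMPLE_CONFIG[SAMPLE_CONFIG.index("    edit 2"):SAMPLE_CONFIG.index("    edit 1")]
MISORDERED_CONFIG = SAMPLE_CONFIG.replace(_dns_block, "")


def parse_firewall_policies(config_text):
    """Return the policies of 'config firewall policy' in listed order;
    each is a dict of 'id' plus a token list for every 'set' line."""
    policies, current, in_table = [], None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_table = True
        elif not in_table:
            continue
        elif line == "end":
            break
        elif re.fullmatch(r"edit \d+", line):
            current = {"id": int(line.split()[1])}
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
        elif line.startswith("set ") and current is not None:
            key, _, value = line[4:].partition(" ")
            # Quoted values keep their spaces; bare values split on whitespace.
            current[key] = [q or b for q, b in re.findall(r'"([^"]*)"|(\S+)', value)]
    return policies


def policy_action(policy):
    # 'show' omits 'set action' when it is the default, which is deny.
    return policy.get("action", ["deny"])[0]


def lint_config(config_text):
    """Return a list of findings; an empty list means the config follows the rule."""
    findings = []
    if "deny-tcp-with-icmp" in config_text:
        findings.append("'set deny-tcp-with-icmp' is obsolete and no longer used")
    policies = parse_firewall_policies(config_text)
    for idx, pol in enumerate(policies):
        if pol.get("block-notification", ["disable"]) != ["enable"]:
            continue
        if policy_action(pol) != "deny":
            findings.append(f"policy {pol['id']}: block-notification set on a non-deny policy")
            continue
        # Policies are evaluated top-down, so only those listed earlier count;
        # service "ALL" also covers DNS.
        dns_allowed_above = any(
            policy_action(p) == "accept"
            and p.get("srcintf") == pol.get("srcintf")
            and p.get("dstintf") == pol.get("dstintf")
            and any(svc in ("DNS", "ALL") for svc in p.get("service", []))
            for p in policies[:idx]
        )
        if not dns_allowed_above:
            findings.append(f"policy {pol['id']}: block-notification enabled but no "
                            "accept policy for DNS is listed above it")
    return findings


if __name__ == "__main__":
    print("article example:", lint_config(SAMPLE_CONFIG) or "OK")
    print("misordered:", lint_config(MISORDERED_CONFIG))
```

Run against the article's example the linter returns no findings; with the DNS allow policy removed it reports policy 1. Feeding it the output of 'show firewall policy' from a unit (with the 'config firewall policy' header intact) gives the same check on a live configuration.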

Block notifications can also be enabled from the GUI:

[GUI screenshot of the policy setting not included]


Note:

FortiGate itself must have working DNS resolution for the block page (a custom HTTP replacement message) to be displayed.


In this case the block-notification message provides a block page for HTTP only; all other protocols are still silently dropped.

The following example was taken with block-notification enabled on a policy that blocks HTTP. The block-notification page is shown when the traffic is blocked:

set block-notification enable

[Screenshot of the block-notification page not included]


The following occurs instead if no block-notification message is enabled, or if a protocol other than HTTP is used:

[Screenshot of the connection timing out not included]

However, the following is seen instead if an additional line is added to the policy:

set send-deny-packet enable


This returns an explicit deny packet to the client, so the failure is reported immediately instead of waiting for the connection to time out. The same result is seen for HTTP sites when block-notification is set to 'disable'.

[Screenshot of the client's response with send-deny-packet enabled not included]


Note:

'set deny-tcp-with-icmp' is obsolete and no longer used.


Related article:

Technical Tip: Customize replacement messages for individual web filter profiles