Handbook

Introduction
Chapter 1: What's New
Chapter 2: Key Concepts and Features
- Server load balancing
- Link load balancing
- Global load balancing
- Security
- High availability
- Virtual Domain (VDOM) and Administrative Domain (ADOM)
Chapter 3: Getting Started
- Step 1: Install the appliance
- Step 2: Configure the management interface
- Step 3: Configure basic network settings
- Step 4: Test connectivity to destination servers
- Step 5: Complete product registration, licensing, and upgrades
- Step 6: Configure a basic server load balancing policy
- Step 7: Test the deployment
- Step 8: Back up the configuration
Chapter 4: Server Load Balancing
- Server load balancing basics
- Server load balancing configuration overview
- Configuring virtual servers
- Using content rewriting rules
- HSTS and HPKP support
- Configuring content routes
- Using source pools
- Using schedule pools
- Using clone pools
- Configuring Application profiles
- WebSocket load-balancing
- Configuring MSSQL profiles
- Configuring MySQL profiles
- Configuring client SSL profiles
- Configuring HTTP2 profiles
- Configuring HTTP3 profiles
- Configuring load-balancing (LB) methods
- Configuring persistence rules
- Configuring error pages
- Configuring decompression rules
- Configuring Captcha
- Creating a PageSpeed configuration
- Creating PageSpeed profiles
- PageSpeed support and restrictions
- Configuring compression rules
- Compression and decompression
- Configuring caching rules
- Using real server pools
- Configuring real servers
- Configuring real server SSL profiles
- Using HTTP scripting
- Configuring an L2 exception list
- Creating a Web Filter Profile configuration
- Using the Web Category tab
- Configuring certificate caching
- TCP multiplexing
Chapter 5: Link Load Balancing
- Link load balancing basics
- Link load balancing configuration overview
- Configuring link policies
- Configuring a link group
- Configuring gateway links
- Configuring persistence rules
- Configuring proximity route settings
- Configuring a virtual tunnel group
Chapter 6: Global Load Balancing
- Global load balancing basics
- Global load balancing configuration overview
- Configuring servers
- Configuring a global load balance link
- Configuring data centers
- Configuring hosts
- Configuring wizard
- Configuring virtual server pools
- Configuring location lists
- Logical Topology
- Configuring a Global DNS policy
- Configuring DNS zones
- Configuring general settings
- Configuring DNS over HTTPS and DNS over TLS
- Configuring the trust anchor key
- Configuring DNS64
- Configuring the DSSET list
- Configuring an address group
- Configuring remote DNS servers
- Configuring the response rate limit
Chapter 7: Network Security
- Security features basics
- Managing IP Reputation policy settings
- Configure IP reputation exception
- Configure IP reputation block list
- Using the Geo IP block list
- Using the Geo IP allowlist
- Special Geo codes
- Enabling denial of service protection
- Configuring an IPv4 firewall policy
- Configuring an IPv6 firewall policy
- Configuring an IPv4 connection limit policy
- Configuring an IPv6 connection limit policy
- Anti-virus
- Configuring IPS
- Zero Trust Network Access (ZTNA)
Chapter 8: DoS Protection
- Configuring DoS Protection Profile
- Configuring HTTP access limit policy
- Configuring HTTP connection flood policy
- Configuring an HTTP request flood policy
- Configuring an IP fragmentation policy
- Configuring a TCP SYN flood protection policy
- Configuring a TCP slow data flood protection policy
Chapter 9: Web Application Firewall
- Web application firewall basics
- Web application firewall configuration overview
- Configuring an OWASP TOP10 profile
- Configuring a WAF Profile
- Configuring WAF Action objects
- Configuring WAF Exception objects
- Configuring a Web Attack Signature policy
- Using the Signature Creation Wizard
- Configuring a URL Protection policy
- Configuring an Advanced Protection policy
- Configuring an HTTP Protocol Constraint policy
- Configuring CSRF protection
- Configuring brute force attack detection
- Configuring an SQL/XSS Injection Detection policy
- Configuring a Bot Detection policy
- Configuring a Threshold Based Detection policy
- Configuring a Biometrics Based Detection policy
- Configuring a Fingerprint Based Detection policy
- Configuring a Credential Stuffing Defense Policy
- Configuring a Cookie Security policy
- Configuring sensitive data protection
- Configuring Cross-Origin Resource Sharing (CORS) protection
- Configuring XML Detection
- Configuring JSON detection
- Importing XML schema
- Uploading WSDL files
- Importing JSON schema
- Configuring OpenAPI Detection
- Importing OpenAPI schema
- Configuring API Gateway
- Configuring API Discovery
- Configuring Input Validation
- Web Vulnerability Scanner
  - WVS Profile
  - WVS Login
  - WVS Exceptions
  - Scan History
  - Scan Integration
- Web Anti-Defacement
Chapter 10: User Authentication
- Configuring AD FS Proxy
- Configuring authentication policies
- Configuring user groups
- Configuring customized authentication form
- Using the local authentication server
- Using an LDAP authentication server
- Using a RADIUS authentication server
- Using a TACACS+ authentication server
- Configuring an NTLM authentication server
- Configuring Duo authentication server support
- Using Kerberos Authentication Relay
- Two-factor authentication
- OAuth 2.0 authentication
- Using HTTP Basic SSO
- SAML and SSO
  - Configure a SAML service provider
  - Import IDP Metadata
Chapter 11: Shared Resources
- Configuring health checks
- Configuring health check monitor
- Creating schedule groups
- Creating IP address objects
- Configuring address groups
- Creating IPv6 address objects
- Configuring address groups
- Managing the ISP address books
- Creating service objects
- Creating service groups
- Configuring WCCP
Chapter 12: Basic Networking
- Configuring network interfaces
- Configuring management interface
- Linking VDOMs for inter-VDOM routing
- Configuring static routes
- Configuring policy routes
Chapter 13: System Management
- Configuring basic system settings
- Configuring system time
- Configuring pre-login disclaimer messages
- Updating firmware
- Configuring an SMTP mail server
- Connecting to FortiGuard services
- Configuring FortiGuard service settings
- Pushing/pulling configurations
- Backing up and restoring the configuration
- SCP support for configuration backup
- Rebooting, resetting, and shutting down the system
- Create a traffic group
- Manage administrator users
- Configuring SNMP
- Managing and validating certificates
- Validating certificates
- HSM Integration
Chapter 14: Logging and Reporting
- Downloading logs
- Using the security log
- Using the traffic log
- Using the script log
- Configuring local log settings
- Configuring syslog settings
- Configuring OFTP settings for FortiAnalyzer logs
- Configuring fast stats log settings
- Configuring report email
- Configuring reports
- Configuring report queries
- Configuring fast reports
- Display logs via CLI
Chapter 15: High Availability Deployments
- HA feature overview
- HA system requirements
- HA synchronization
- Configuring HA settings
- Monitoring an HA cluster
- Updating firmware for an HA cluster
- Deploying an active-passive cluster
- Deploying an active-active cluster
- Advantages of HA Active-Active-VRRP
- Deploying an active-active-VRRP cluster
Chapter 16: Virtual Domain
- Virtual Domain (VDOM) and Administrative Domain (ADOM) overview
- Enabling the Virtual Domain feature and selecting the Virtual Domain Mode
- Creating a virtual domain
- Assigning administrator users and network interfaces to VDOMs
- Virtual domain policies
- Disabling a virtual domain
Chapter 17: SSL Offloading
- SSL offloading
- SSL decryption by forward proxy
- SSL profile configurations
- Certificate guidelines
- SSL/TLS versions and cipher suites
- Exceptions list
- SSL traffic mirroring
Chapter 18: Advanced Networking
- NAT
  - Configure source NAT
  - Configuring 1-to-1 NAT
- QoS
- OSPF
- ISP Routes
  - Reverse path route caching
- BGP
- Access list vs. prefix list
- Configuring an IPv4 access list
- Configuring an IPv6 access list
- Configuring an IPv4 prefix list
- Configuring an IPv6 prefix list
- Transparent mode
Chapter 19: Best Practices and Fine-tuning
- Regular backups
- Security
- Performance tips
- High availability
Chapter 20: Troubleshooting
- Logs
- Tools
- Save debug file
- Solutions by issue type
- Resetting the configuration
- Restoring firmware (“clean install”)
- Additional resources
Chapter 21: System Dashboard
- Widgets
- Dashboard management tools
Chapter 22: FortiView
- Physical Topology
- HA Status
- Server Load Balance
- Link Load Balance
  - Logical Topology
  - Link Group
- Global Load Balance
  - Logical Topology
  - Host
- Security
- All Segments
- ZTNA FortiClient endpoint
Chapter 23: Security Fabric
- Automation
- Fabric connectors
- External connectors
Appendix A: Fortinet MIBs
Appendix B: Port Numbers
Appendix C: Scripts
- Scripting application
- Events and actions
- Predefined commands
- Predefined scripts
- Control structures
- Operators
- String library
- Function
- Special characters
- Examples
Appendix D: Maximum Configuration Values
Change Log

Home FortiADC 7.4.0 Handbook

7.4.0

Configuring error pages

You can customize an HTML error page that FortiADC can use to respond to clients attempting HTTP/HTTPS connections when the backend real servers are unavailable or the request has violated a policy (such as for security or authentication policies) and the configured action is Alert & Deny or Period Block. From the Application Resources > Error Page, you can create a customized error page by uploading an HTML error page file. You can then edit and preview the HTML file from the GUI. Once the HTML error page has been created, you can select it in virtual server configurations.

Predefined Profiles

To aid you in customizing your HTML error page, FortiADC provides all default error page files that can be downloaded from the predefined profile LB_ERROR_PAGE_DEFAULT. You may use any of these default error page files as a template for customization.

The current error page file package only requests index.html to replace 503 error message when there are no servers in the pool. We also extend the support to these files listed below:

File Name	MUST	Guidelines
Index.html	Yes	When the HTTP status code is 503 (Service Unavailable), this page will replace the error message page.
200.html	No	When the HTTP status code is 200 (OK), this page will replace the error message page.
202.html	No	When the HTTP status code is 202 (Accepted), this page will replace the error message page.
205.html	No	When the HTTP status code is 205 (Reset Content), this page will replace the error message page.
400.html	No	When the HTTP status code is 400 (Bad Request), this page will replace the error message page.
401.html	No	When the HTTP status code is 401 (Unauthorized), this page will replace the error message page.
403.html	No	When the HTTP status code is 403 (Forbidden), this page will replace the error message page.
404.html	No	When the HTTP status code is 404 (Not Found), this page will replace the error message page.
405.html	No	When the HTTP status code is 405 (Method Not Allowed), this page will replace the error message page.
406.html	No	When the HTTP status code is 406 (Not Acceptable), this page will replace the error message page.
408.html	No	When the HTTP status code is 408 (Request Timeout), this page will replace the error message page.
410.html	No	When the HTTP status code is 410 (Gone), this page will replace the error message page.
413.html	No	When the HTTP status code is 413 (Payload Too Large), this page will replace the error message page.
500.html	No	When the HTTP status code is 500 (Internal Server Error), this page will replace the error message page.
501.html	No	When the HTTP status code is 501 (Not Implemented), this page will replace the error message page.
502.html	No	When the HTTP status code is 502 (Bad Gateway), this page will replace the error message page.
504.html	No	When the HTTP status code is 504 (Gateway Timeout), this page will replace the error message page.
waf_deny.html	No	This page will replace all response to a WAF deny action. The error page will show the Message ID, Signature ID, and Client IP of the attack in the message as recorded in the attack log. The error page file does not include the related response-code.html.
default.html	No	This page will replace all other error page doesn’t include in the package (excluding 503).

Alternatively, you do not have to create an HTML error page if you want to simply send a basic text error message when backend servers are unavailable. Instead, you can enter an error message in a text box from within the virtual server configuration. See Configuring virtual servers.

The error message page that displays depends on the action that triggered the response, which can have different response priority depending on whether the error is in response to WAF, server load balancing, or authentication policies. For example, if both the waf_deny and the 403 error pages are in effect, a 403 response code triggered by a WAF action will display the waf_deny page instead of the 403 error page. To learn more about how custom error pages work together with other FortiADC policies, see Understanding custom error page behavior when combined with FortiADC security and authentication policies.

Before you begin:

You must have Read-Write permission for Server Load Balance settings.
Copy the error message file to a location you can reach from your browser; the error page file must be named index.html and contained in a tar, tar.gz, or zip file. The maximum file size is 1 MB.

To upload an error message file:

Go to Server Load Balance > Application Resources.
Click the Error Page tab.
Click Create New to display the configuration editor.
Enter the name of the error page. You will use this name to select the error page in virtual server configurations. No spaces.
Click Choose File and browse and select the error message tar, tar.gz, or zip file. The maximum file size is 1MB.
Enter the Virtual Path of the error page. This virtual path will conflict with the custom authentication form base page's virtual path and also with SAML's server URL configuration and Captcha path.
Click Save.
The newly created error page will be listed in the Error Page tab.

To modify an error page:

Go to Server Load Balance > Application Resources.
Click the Error Page tab.
Double-click the error page or select the (edit) icon in the row of the error page that you want to modify.
The Error Page configuration editor displays.
From the configuration editor, you can make the following modifications:
- Upload a new error message file.
- If the uploaded file is a zip file, edit the file directly through the text editor. The GUI text editor supports HTML, CSS, and JS file types.
Optionally, click Preview to test and view your HTML error page.
Note: The preview function only supports HTML files and cannot execute any JavaScript contained in the HTML.
Click Save.

Note: While it is possible to modify the error message file, once an error page is created, you cannot modify its name.

Understanding custom error page behavior when combined with FortiADC security and authentication policies

Depending on the FortiADC policy that has triggered the response, certain response codes may take precedence despite having overlapping effective ranges. The following lists the FortiADC security and authentication policies that may affect the response priority for custom error pages.

Trigger	Response priority behavior
WAF (all response codes except 503 and 204)	When an error response is triggered by a WAF action, the waf_deny page will take precedence over any other error page (except for 503 and 204). For example, if a WAF action triggers a 403 response code, the waf_deny page will display instead of the 403 error page. If the desired behavior is to display the 403 error page, then the waf_deny page must be removed.
IP Reputation (403 response code)	If the default and index error pages have been customized: When a 403 response code is triggered, the default page will take precedence over the 403 error page. If only the default page has been customized: When a 403 response code is triggered, the system default error message will display instead of the customized default error page. If all error pages have been customized: The customized 403 error page will display when the 403 response code is triggered.
Authentication (401 response code)	If the default and index error pages have been customized: When a 401 response code is triggered, the default page will take precedence over the 401 error page. If only the default page has been customized: When a 401 response code is triggered, the system default error message will display instead of the customized default error page. If all error pages have been customized: The customized 401 error page will display when the 401 response code is triggered.

Trigger

Response priority behavior

WAF (all response codes except 503 and 204)

When an error response is triggered by a WAF action, the waf_deny page will take precedence over any other error page (except for 503 and 204).

For example, if a WAF action triggers a 403 response code, the waf_deny page will display instead of the 403 error page.

If the desired behavior is to display the 403 error page, then the waf_deny page must be removed.

IP Reputation (403 response code)

If the default and index error pages have been customized:
When a 403 response code is triggered, the default page will take precedence over the 403 error page.
If only the default page has been customized:
When a 403 response code is triggered, the system default error message will display instead of the customized default error page.
If all error pages have been customized:
The customized 403 error page will display when the 403 response code is triggered.

Authentication (401 response code)

If the default and index error pages have been customized:
When a 401 response code is triggered, the default page will take precedence over the 401 error page.
If only the default page has been customized:
When a 401 response code is triggered, the system default error message will display instead of the customized default error page.
If all error pages have been customized:
The customized 401 error page will display when the 401 response code is triggered.