WAF Error Page Customization

As a new feature in Sophos UTM/SG 9.6 the Webserver Protection (WAF) allows to customize the web pages users see when a page is blocked or intercepted by the WAF.

You can create themes for every type of error page individually or for more than one type. The templates configured in a theme will be rendered and delivered in response to requests that are blocked by the WAF. You can either use the default theme or edit it. If you want to create a new theme, you have to provide a template HTML page and CSS files, JavaScript files, or images if required.

Create a Theme

To create a theme, proceed as follows:

  1. Click the New Theme button.
    The Add Theme dialog box opens.
  2. Make the following settings:
    • Name: Enter a descriptive name for the theme.
    • Default Page: Upload an HTML file which will be presented to the user if no page is defined for that particular event under Customized Error Pages.
    • Customized Error Pages: Upload an HTML file for each error page where you want to replace the default page configured above.
      • Authorization: This template will be presented when a request is blocked by authentication or access control.
      • URL hardening: This template will be presented when a request is blocked by URL hardening.
      • Form hardening: This template will be presented when a request is blocked by form hardening.
      • Bad reputation: This template will be presented when a request is blocked by bad reputation.
      • Antivirus: This template will be presented when a request is blocked by antivirus.
      • True file type control: This template will be presented when a request is blocked by true file type control.
      • Common threats filter: This template will be presented when a request is blocked by common threats filter.
    • Common resources: Upload images, JavaScript, or CSS files which are used by an error page or the default page.
    • Comment (optional): Add a description or other information.
  3. Click Save.
    The theme is added to the Themes list.
    You can now use it in your virtual webservers.

To either edit or delete a theme, click the corresponding buttons.

Using Variables in Themes

All occurrences of <?assets_path?> will be replaced by the path containing all assets which have been uploaded alongside the theme. This allows for cleaner templates by placing stylesheets, images, etc. outside the actual template, e.g. <link rel="stylesheet" type="text/css" href="<?assets_path?>/stylesheet.css">.

All occurrences of <?company_text?>, <?admin_message?> and <?admin_contact?> will be replaced by the defined messages, e.g. <p>If you encounter any problems or questions, please contact <b><?admin_contact?></b>.</p>.

All occurrences of <?company_logo?> will be replaced by the path leading to the uploaded image, e.g. <img src="<?company_logo?>" alt="">.

All occurrences of <?reason?> will be replaced by the name of the feature that caused the request to get blocked, e.g. <p>Your request was blocked: <?reason?></p>.

All occurrences of <?reason_extra?> will be replaced by a short explanation what exactly caused the request to get blocked, e.g. <p>Details: <?reason_extra?></p>.

All occurrences of <?uid?> will be replaced by unique identifier of the request, e.g. <p>Request ID: <?uid?></p>. This identifier is also used in the log files.

All occurrences of <?av_direction?> will be replaced by “upload” or “download” depending on the scanning direction. It can be used only in antivirus templates, e.g. <p>Your file <?av_direction?> got blocked by antivirus</p>.

All occurrences of <?path?> will be replaced by the blocked request’s path including its query string, e.g. <p>Your request to <?path?> got blocked</p>. Please note that using this variable is not recommended because it could make your web server vulnerable to reflected content spoofing attacks.

Exposing the requested path via the <?path?> variable is considered to be a security risk.

  • This is a great feature, but I surely miss that I can preview my template, without actually the need to deploy anything unwanted on my web page ;)

  • In reply to twister5800:

    Hello, everybody,
    according to KB118958, the possibilities described above do not apply to the WAF.
    For us as a company it is incomprehensible that simple functions such as the display of login problems cannot be done in WAF, especially as this is possible e.g. with a user portal.
    If a manufacturer like Sophos provides functions like WAF, then this should be done in a proper error handling.
    We would therefore like to ask Sophos to install these features and make them available!


    Thanks for helping

    wrbrgds

    TBC