Website block message customization not working


We are migrating from UTM to XG using the migration tool. We generated the config and imported it into our spare SG. Until now, all good.

We were polishing the install, creating rules, customizations and so on, and we found a weird problem. We customised the web proxy error messages in "Web -> User notifications" (see picture below) and the preview shows what we want, but when we try to access a blocked website, the message it displays is completely different, and it's shown twice!

Also, it's trying to show a picture at the top and bottom, which are the "Custom images" I tried setting, but removed in the end. Somehow it still thinks it should display them although the box is clearly unchecked.

Note that I had to go to "Web -> Categories" and in every single category go to Advanced Settings and UNCHECK the "Override default notification page". It was checked by default in every category with a message that was displaying correctly, only once, but was really crappy without HTML or any colours.

Anyone can help us fix this?


Expected (preview):


  • By the way, the "Warning" message works as expected on sites that are not blocked but just warned. It's just the block message that is affected for some reason.

  • This looks like an issue with the migration.  It tried to migrate the UTM block pages and somehow its been screwed up.

    Can you try turning off the custom block messages.  Save.  Then turn them on again.  Or making some change and saving.  It needs to regenerate the page templates.

  • In reply to Michael Dunn:

    Thanks for your answer. Unfortunately we already tried that.

    Do you know any other way of resetting that? Maybe SSH into the device and delete the template files so they get regenerated or something similar?

  • In reply to Michael Dunn:

    Hi Michael. I have exactly the same problem. Was there a solution?

  • In reply to Zac C:

    Hi Zac,

    Yes, there is a solution, it's some kind of known error with the migration process. There is a command you should execute in the shell but since Michael sent it through PM I don't think I should post it here...

    Hopefully he will contact you too.


  • Go to Authentication>Services>Web Policy action for unauthenticated users>Login prompt method> Select "Display a custom message".  Then insert custom message via text/HTML.

  • In reply to Deo Angelo Lim:

    Hi Deo,

    That's the captive portal screen, not the proxy filter ("website blocked") screen.

    For this issue in particular, there is a confirmed problem with the migration. Sophos support can help with it, they fixed it in my case.


  • In reply to ZLogistics:

    Thanks ZLogistics. I've been provided with the command and will try it tomorrow.

  • In reply to ZLogistics:

    Hi Mate,


    This is a work around and on Cyberoam days this method is always use until now it is working. You may try it. :) But still you have to create a User Firewall Rule above the Dropped Rule.





  • In reply to Michael Dunn:

    Hi Michael

    I am having exactly the same problem with a config that was migrated from our old UTM.

    Is there any chance you could provide me with the command to fix too please?

    I have another session coming up with Sophos PS to finalise our migration but I would like to get some of these niggly things sorted before that happens so that we can spend the PS hours on bigger issues :)

    Thanks in advance


  • In reply to Ben.:

    The UTM to XG migration tool is in Alpha.  Not even Beta.  It should not be used by customers on production systems.  Partners should not handing it out because it has numerous problems.  Though I know how to clean up this issue, I am concerned because there are other issues that have been flagged against the current tool that you might experience and may not know it.  As far as I know it is not production ready.  If you have a partner who is encouraging you to use that tool then the partner should be aware of the issues and resolutions that are required for it - and if the partner is not then that is a red flag that they are playing in dangerous waters.

    Please - for anyone else reading this thread - do not ask for the migration tool from Sophos or your partners.  I know people are eager but be patient and wait for the tool finish development and testing.

  • In reply to Michael Dunn:

    Thanks Michael for the feedback, but the tool was used by Sophos Professional Services to migrate the config from our old box onto a new one, and the new one isn't in production yet. So I understand your concern, but at this stage it's unwarranted, in our case at least.

    I am currently testing the new XG box and it's not in production yet. Like I said, I'm just trying to get a couple of these things sorted out before our next engagement with Sophos. I'm not actually asking for the migration tool either - just some info on how to fix the issue with these block pages being misconfigured in the migrated config.

  • In reply to Ben.:

    If Sophos Professional Services is performing the migration, then Sophos Professional Services should know how to resolve all issues related to it.  And if they don't, it's the perfect time for them to learn.  :)

  • In reply to Michael Dunn:

    I'm sure they do, and I'm currently waiting for a response from them (the engineer I've been dealing with has been on leave). But seeing as I found this thread and it appeared other people had been given the solution, I thought I would ask in order to speed up the process.