As a new feature in Sophos UTM/SG 9.6, the Webserver Protection (WAF) lets you customize the web pages users see when a request is blocked or intercepted by the WAF.
You can create themes for each type of error page individually or for several types at once. The templates configured in a theme are rendered and delivered in response to requests that the WAF blocks. You can either use the default theme or edit it. If you want to create a new theme, you have to provide a template HTML page and, if required, the CSS files, JavaScript files, or images it references.
Create a Theme
To create a theme, proceed as follows:
- Click the New Theme button.
  The Add Theme dialog box opens.
- Make the following settings:
  - Name: Enter a descriptive name for the theme.
  - Default Page: Upload an HTML file which will be presented to the user if no page is defined for that particular event under Customized Error Pages.
  - Customized Error Pages: Upload an HTML file for each error page where you want to replace the default page configured above.
    - Authorization: This template will be presented when a request is blocked by authentication or access control.
    - URL hardening: This template will be presented when a request is blocked by URL hardening.
    - Form hardening: This template will be presented when a request is blocked by form hardening.
    - Bad reputation: This template will be presented when a request is blocked by bad reputation.
    - Antivirus: This template will be presented when a request is blocked by antivirus.
    - True file type control: This template will be presented when a request is blocked by true file type control.
    - Common threats filter: This template will be presented when a request is blocked by the common threats filter.
  - Common resources: Upload images, JavaScript, or CSS files which are used by an error page or the default page.
  - Comment (optional): Add a description or other information.
- Click Save.
The theme is added to the Themes list.
You can now use it in your virtual webservers.
To either edit or delete a theme, click the corresponding buttons.
Using Variables in Themes
All occurrences of <?assets_path?> will be replaced by the path of the directory containing the assets uploaded alongside the theme (under Common resources). This allows for cleaner templates by placing stylesheets, images, etc. outside the actual template, e.g. <link rel="stylesheet" type="text/css" href="<?assets_path?>/stylesheet.css">.
All occurrences of <?company_text?>, <?admin_message?> and <?admin_contact?> will be replaced by the corresponding messages defined on the WAF, e.g. <p>If you encounter any problems or questions, please contact <b><?admin_contact?></b>.</p>.
All occurrences of <?company_logo?> will be replaced by the path to the uploaded logo image, e.g. <img src="<?company_logo?>" alt="">.
All occurrences of <?reason?> will be replaced by the name of the feature that caused the request to be blocked, e.g. <p>Your request was blocked: <?reason?></p>.
All occurrences of <?reason_extra?> will be replaced by a short explanation of what exactly caused the request to be blocked, e.g. <p>Details: <?reason_extra?></p>.
All occurrences of <?uid?> will be replaced by the unique identifier of the request, e.g. <p>Request ID: <?uid?></p>. The same identifier is written to the log files, so a user who reports it lets the administrator find the blocked request in the log.
All occurrences of <?av_direction?> will be replaced by "upload" or "download" depending on the scanning direction. It can be used only in antivirus templates, e.g. <p>Your file <?av_direction?> got blocked by antivirus</p>.
All occurrences of <?path?> will be replaced by the blocked request's path including its query string, e.g. <p>Your request to <?path?> got blocked</p>. Using this variable is not recommended: the path is taken straight from the request and reflected into the page, so an attacker who lures a user to a crafted URL on your site can place attacker-chosen content on the block page, which is served from your own domain (reflected content spoofing). Exposing the requested path via <?path?> is therefore considered a security risk; show the request ID (<?uid?>) instead and look the path up in the log.
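As an added example (not from the Sophos documentation), here is a complete default page template that uses the variables described above. It is meant to be uploaded as the Default Page of a theme; the asset file name stylesheet.css, the alt text and the wording are assumptions for the example. It deliberately omits <?path?> for the reason given above and does not use <?av_direction?>, which is only valid in a template uploaded under Customized Error Pages > Antivirus.

```html
<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <title>Request blocked</title>
  <!-- Files uploaded under "Common resources" are reached via <?assets_path?>.
       "stylesheet.css" is an assumed file name for this example. -->
  <link rel="stylesheet" type="text/css" href="<?assets_path?>/stylesheet.css">
</head>
<body>
  <header>
    <!-- <?company_logo?> becomes the path of the uploaded logo image. -->
    <img src="<?company_logo?>" alt="Company logo">
    <h1><?company_text?></h1>
  </header>
  <main>
    <h2>Your request was blocked</h2>

    <!-- <?reason?> names the WAF feature that blocked the request,
         <?reason_extra?> gives the short explanation; both are filled in
         by the WAF when the page is rendered. -->
    <p>Reason: <b><?reason?></b></p>
    <p>Details: <?reason_extra?></p>

    <!-- <?path?> is intentionally NOT used here: the WAF reflects the
         requested path and query string into the page verbatim, so a crafted
         link could place attacker-chosen content on this page under your
         domain. The request ID below is the safe handle: the user quotes it
         and the administrator finds the blocked path in the WAF log. -->
    <p>Request ID: <code><?uid?></code></p>

    <!-- <?admin_message?> and <?admin_contact?> are the messages configured
         on the WAF. -->
    <p><?admin_message?></p>
    <p>If you believe this is an error, contact <b><?admin_contact?></b>
       and quote the request ID above.</p>

    <!-- <?av_direction?> ("upload" or "download") is only substituted in an
         antivirus template. For a page uploaded under
         Customized Error Pages > Antivirus you could add:
         <p>Your file <?av_direction?> was blocked by antivirus.</p>
         Do not use it in this default page. -->
  </main>
</body>
</html>
```

The page contains no script, so it renders identically with scripting disabled and nothing user-controlled other than the WAF-supplied variables reaches the markup. If you later decide you need the requested path on the page after all, weigh that against the reflection risk described above; the request ID already gives the administrator everything needed to trace the block in the log.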