Related Topics

HTTP-Proxy: Deny Message

When content is denied, the Firebox sends a default deny message that replaces the denied content. You can change the text of that deny message. You can customize the deny message with standard HTML. You can also use Unicode (UTF-8) characters in the deny message. The first line of the deny message is a component of the HTTP header. You must include an empty line between the first line and the body of the message.

You get a deny message in your web browser from the Firebox when you make a request that the HTTP-proxy does not allow. You also get a deny message when your request is allowed, but the HTTP-proxy denies the response from the remote web server. For example, if a user tries to download an .exe file and you have blocked that file type, the user sees a deny message in the web browser. If the user tries to download a web page that has an unknown content type and the proxy policy is configured to block unknown MIME types, the user sees an error message in the web browser.

The default deny message text and html code appears in the Deny Message text box. To change this to a custom message, scroll to the <body> element of the message code and add any of these variables:


Select Request or Response to show which side of the transaction caused the packet to be denied.

This variable also appears in the <title> element of the deny message.


Includes the reason the Firebox denied the content.


Includes the request method from the denied request.


Includes the server host name from the denied URL. If no host name was included, the IP address of the server is included.


Includes the path component of the denied URL.


Includes the authenticated user name.


Includes the serial number of the Firebox in the deny message.


Includes the Firebox name in the deny message.

When you change the Deny Message, make sure that the opening <html> and <body> tags and the closing </body> and </html> tags are still included in the Deny Message. If the tags are not included, the default Deny Message is displayed instead of the message you specify.

If your Deny Message includes content, such as an image, that requires the client computer to connect to another server, the content does not appear in the Deny Message unless the client computer can resolve the address and connect to the server where the content is located.

To configure the Deny Message:

  1. In the HTTP Proxy Action configuration, select Deny Message.

Screen shot of the HTTP-Client proxy action Deny Message
HTTP Proxy Action Deny Message configuration in Fireware Web UI

Screen shot of the HTTP Proxy Action Configuration dialog box, HTTP-Client Deny Message category
HTTP Proxy Action Deny Message configuration in Policy Manager

  1. In the Deny Message text box, type the deny message.
  2. To change settings for other categories in this proxy, see the topic for the next category you want to modify.
  3. Save the configuration.

If you modified a predefined proxy action, when you save the changes you are prompted to clone (copy) your settings to a new action.

For more information on predefined proxy actions, see About Proxy Actions.

See Also

About the HTTP-Proxy

Give Us Feedback     Get Support     All Product Documentation     Technical Search