Technical Tip: Change the FortiGate captive portal port
Description
This article describes how to change the FortiGate's captive portal listening ports for HTTP/HTTPS connections.
Scope
FortiGate, Captive portal.
Solution
By default, when Captive Portal functionality is enabled on an interface, the FortiGate listens on TCP/1000 for HTTP connections and TCP/1003 for HTTPS connections. Clients that trigger captive portal authentication on the FortiGate are redirected to the captive portal on the port and protocol that match the triggering traffic (i.e., client HTTP traffic is redirected to the HTTP captive portal port, whereas client HTTPS traffic is redirected to the HTTPS port).
To change these to a different set of ports, modify the following CLI options:
config system global
    set auth-http-port <1-65535, default = 1000>
    set auth-https-port <1-65535, default = 1003>
end
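When reviewing firewall policies or a configuration backup, it helps to know which captive portal ports are actually in effect. The following Python script is an added example, not Fortinet code: it reads the two options above from the config system global block of a backup and falls back to the defaults when a line is absent. It assumes that a setting missing from the backup is at its default; the sample backup, the function names and the identical-port sanity check are constructed for illustration.

```python
import re

# Defaults stated in the article: TCP/1000 (HTTP) and TCP/1003 (HTTPS).
DEFAULTS = {"auth-http-port": 1000, "auth-https-port": 1003}

# Constructed sample backup (hostname, interface and port value are made up).
SAMPLE = """\
config system global
    set hostname "fw-lab"
    set auth-https-port 8443
end
config system interface
    edit "port2"
        set security-mode captive-portal
    next
end
"""

def captive_portal_ports(config_text):
    """Return the effective captive portal ports for a config backup.

    Assumption: a setting missing from the backup is at its default.
    Multi-line quoted values (certificates, messages) are not handled.
    """
    ports = dict(DEFAULTS)
    stack = []  # config/edit blocks currently open
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            stack.append(line[len("config "):])
        elif line.startswith("edit "):
            stack.append("edit")
        elif line in ("end", "next"):
            if stack:
                stack.pop()
        elif stack == ["system global"]:
            m = re.fullmatch(r"set (auth-https?-port) (\d+)", line)
            if m:
                ports[m.group(1)] = int(m.group(2))
    return ports

def check_ports(ports):
    """List problems: out-of-range values, or both listeners on one port."""
    problems = [f"{name} {port} is outside 1-65535"
                for name, port in ports.items() if not 1 <= port <= 65535]
    if ports["auth-http-port"] == ports["auth-https-port"]:
        problems.append("HTTP and HTTPS portal ports are identical")
    return problems

if __name__ == "__main__":
    ports = captive_portal_ports(SAMPLE)
    print(ports, check_ports(ports) or "no problems found")
```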
Additional options exist to enhance captive portal functionality on the FortiGate, including the ability to redirect HTTP and HTTPS users towards an HTTPS captive portal (for encryption/security reasons), specify different IPs/FQDNs to redirect users towards for the captive portal, and adjust how long users may remain connected before needing to reauthenticate.
Related documents:
Technical Tip: FortiGate configured with multiple captive portals and as a DNS server
Technical Tip: Explanation of auth-timeout types for Firewall authentication users
