sbabu
Staff
January 22, 2025

Technical Tip: How to alter the IP address of captive portal in FortiGate firewall for security purposes

Description

 

This article describes how to hide the FortiGate IP address for security purposes when users get authenticated through the captive portal.

 

Scope

 

FortiGate.

 

Solution

 

When the captive portal is enabled at the interface or policy level, the FortiGate's IP address and port number are visible to users when they attempt to authenticate.

 


 

This is a security risk because users can see the FortiGate IP address. To fix this, set portal-addr to a random IP address that is not used in the network environment and also enable auth-secure-http.

 

config firewall auth-portal
    set portal-addr "172.16.17.18"
end

 

config user setting
    set auth-cert "Fortinet_Factory"
    set auth-ca-cert "Fortinet_CA_SSL"
    set auth-secure-http enable
end

 

After making the above changes, when a user tries to log in, the FortiGate presents the spoofed IP address (the configured portal-addr) in the captive portal instead of its own address.
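
To verify the change across saved configuration backups, the following Python script (an added example, not part of the original article or any Fortinet tooling) parses FortiOS config text and reports when portal-addr is missing, when it matches an interface address, or when auth-secure-http is not enabled. The function names and the sample backup text are constructed for illustration, and the script assumes interface addresses appear as `set ip` lines under `config system interface`.

```python
import shlex

def parse_settings(text):
    """Return (config-path, key, values) for every 'set' line in a FortiOS config."""
    stack, settings = [], []
    for raw in text.splitlines():
        try:
            tok = shlex.split(raw)
        except ValueError:  # unbalanced quote, e.g. a multi-line certificate value
            tok = raw.split()
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            stack.append((tok[0], " ".join(tok[1:])))
        elif tok[0] in ("next", "end") and stack:
            stack.pop()  # 'next' closes an edit, 'end' closes a config block
        elif tok[0] == "set" and len(tok) > 2:
            path = tuple(name for kind, name in stack if kind == "config")
            settings.append((path, tok[1], tok[2:]))
    return settings

def audit_captive_portal(text):
    """List deviations from the captive-portal settings this article recommends."""
    settings = parse_settings(text)
    def get(path, key):
        return [v for p, k, v in settings if p == (path,) and k == key]
    findings = []
    portal = get("firewall auth-portal", "portal-addr")
    # Assumption: interface addresses are 'set ip <addr> <mask>' in this block.
    iface_ips = {v[0] for v in get("system interface", "ip")}
    if not portal:
        findings.append("portal-addr not set")
    elif portal[0][0] in iface_ips:
        findings.append("portal-addr equals an interface IP")
    if get("user setting", "auth-secure-http") != [["enable"]]:
        findings.append("auth-secure-http not enabled")
    return findings

# Constructed sample backup fragments (not taken from a real device).
INTERFACES = ('config system interface\n    edit "port1"\n'
              '        set ip 10.0.0.1 255.255.255.0\n    next\nend\n')
BEFORE = INTERFACES
AFTER = INTERFACES + (
    'config firewall auth-portal\n    set portal-addr "172.16.17.18"\nend\n'
    'config user setting\n    set auth-cert "Fortinet_Factory"\n'
    '    set auth-ca-cert "Fortinet_CA_SSL"\n    set auth-secure-http enable\nend\n')

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_captive_portal(cfg) or "OK")
```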

 
