Technical Tip: How to protect/restrict access to internal Web-Server using captive portal
| Description | This article describes how to add an extra layer of security to an internal web server that is published to the internet through a Virtual IP (VIP): a captive portal requires the user to authenticate on the FortiGate before the forwarded session is allowed. |
| Scope | FortiGate. |
| Solution | On the FortiGate, a captive portal can enforce authentication before users can access the web server. There are two main scenarios to consider regarding how port forwarding is configured on the firewall.
Scenario 1: The web server listens on port 443. Adding a user group to the firewall policy that allows traffic to the VIP is sufficient, because 443 is one of the standard ports the FortiGate already watches for HTTP/HTTPS authentication: the user is prompted for credentials on the captive portal page.
When a user browses to the public IP of the VIP, the authentication portal is presented first; the web server is reached only after a successful login.
Scenario 2: The web server listens on a port other than 443 (9191 in this example). The FortiGate does not treat traffic to an arbitrary port as web traffic, so the user group in the policy alone does not trigger the captive portal; the port must additionally be declared as an authentication port in the user settings:
config user setting
    set auth-cert "ssl_cert"
    set auth-secure-http enable
    config auth-ports
        edit 1
            set port 9191    <- Web-Server listening port.
        next
    end
end
Note: Without the auth-ports entry the firewall does not trigger the authentication portal, and because the policy requires an authenticated group, the user's connection to port 9191 is dropped rather than forwarded. auth-secure-http redirects the login page to HTTPS and auth-cert selects the certificate presented on it; use a certificate the users' browsers trust, otherwise they see a certificate warning before the login form. |
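The following is an added, end-to-end example of the configuration the two scenarios describe; it is not taken from the original article. The VIP, service, user, group, policy and interface names, the addresses (RFC 5737 documentation range for the public IP) and the port 9191 web server are all assumptions; Scenario 1 needs everything except the last block.

```fortios
# Added example, not from the original article. All object names,
# addresses and interface names are assumptions.

# 1. VIP: port-forward TCP/9191 on the public address to the internal server.
config firewall vip
    edit "VIP-WEB-9191"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set protocol tcp
        set extport 9191
        set mappedip "192.168.10.20"
        set mappedport 9191
    next
end

# 2. Service object limited to the forwarded port, so the policy is no wider than needed.
config firewall service custom
    edit "TCP-9191"
        set tcp-portrange 9191
    next
end

# 3. A local user and the group the policy will require.
config user local
    edit "webuser1"
        set type password
        set passwd "REPLACE-WITH-A-STRONG-PASSWORD"
    next
end
config user group
    edit "WEB-USERS"
        set member "webuser1"
    next
end

# 4. Inbound policy to the VIP. 'set groups' is what makes the FortiGate
#    demand authentication before the session is allowed (Scenario 1 and 2).
#    'edit 0' creates the policy with the next free ID.
config firewall policy
    edit 0
        set name "Inbound-Web-9191-Auth"
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "VIP-WEB-9191"
        set action accept
        set schedule "always"
        set service "TCP-9191"
        set groups "WEB-USERS"
        set nat disable
        set logtraffic all
    next
end

# 5. Scenario 2 only: declare 9191 as an HTTP authentication port so the
#    captive portal is triggered, and serve the portal itself over HTTPS
#    with the named certificate. Use 'set type https' instead if the
#    server on 9191 speaks TLS.
config user setting
    set auth-cert "ssl_cert"
    set auth-secure-http enable
    config auth-ports
        edit 1
            set type http
            set port 9191
        next
    end
end
```

To check the result, browse from outside to http://203.0.113.10:9191: the first request should be redirected to the FortiGate login page (served on the HTTPS authentication port, 1003 by default), and after login the same URL should reach the web server. Authenticated sessions can be listed with `diagnose firewall auth list`. Keep in mind that FortiGate firewall authentication is bound to the client's source IP for the length of the auth timeout, so every host behind the same NAT egress address shares one authenticated session; the captive portal is an additional gate in front of the application's own login, not a replacement for it.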

