Troubleshooting Tip: Captive Portal does not work correctly when only 'HTTPS' is selected as a supported protocol

In order for a device to be redirected to the Captive Portal once connected to the network, at least one of the requests the device makes has to be intercepted by the FortiGate to tell the device where to go.

This process is covered in detail in Troubleshooting Tip: General captive portal explanation, flow and troubleshooting.

When both 'HTTP' and 'HTTPS' are enabled, this is not an issue. The device makes a regular HTTP request to it's Captive Portal detection site (or when a user tries to browse to any site), the FortiGate will see this and redirect the user to the Captive Portal.

However, when only 'HTTPS' is enabled, the FortiGate is no longer able to intercept the regular HTTP request.

The user will still be presented with a redirect, but this will be encrypted with the FortiGate's certificate, which is not trusted by the user's device. 

The browser will be redirected once the user proceeds through the error, but this is not ideal.
In order for this to work properly, both need to be enabled. The captive portal page itself will still be HTTPS.