Description
This article describes how to configure a disclaimer page on a firewall policy level.
The disclaimer will be shown whenever users connects for the first time and they will have to accept it to get internet access.
Scope
FortiGate.
Solution
The goal is to present a disclaimer page for users connected behind port2 (Guest Network) whenever these users want to access the internet (routed via port1).
The disclaimer page is already created by default on the FortiGate, but can be edited according to the needs.
This can be done via the GUI:
Go to System -> Replacement Messages -> Extended View -> Authentication -> Disclaimer Page
The second step is to enable the disclaimer on the policy level.
It will be needed to either create a new policy or find the policy ID which allows traffic from the Guest Network to the internet.
In this example, a simple policy with NAT is allowing traffic from port2 (Guest) to port1 (Internet) :
If the ID column is not showing up, it is possible to enable it as shown on below screenshot:
Once the policy is shown, enable the disclaimer via the CLI:
config firewall policy
edit 2
set disclaimer enable
end
edit 2
set disclaimer enable
end
Once this is done, users behind port2 will have to accept the disclaimer to get further internet access.
Running a debug flow, see what is happening in the background:
diag deb en
dia deb flow filter addr 192.168.3.2
dia deb flow filter port 443
dia deb flow trace start 20
id=20085 trace_id=81 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 192.168.3.2:51467->34.211.15.72:443) from port2. flag [S], seq 3361246429, ack 0, win 64240"
id=20085 trace_id=81 func=init_ip_session_common line=5654 msg="allocate a new session-000089a5"
id=20085 trace_id=81 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-192.168.174.254 via port1"
id=20085 trace_id=81 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=82 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 34.211.15.72:443->192.168.3.2:51467) from local. flag [S.], seq 3893514304, ack 3361246430, win 42340"
dia deb flow filter addr 192.168.3.2
dia deb flow filter port 443
dia deb flow trace start 20
id=20085 trace_id=81 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 192.168.3.2:51467->34.211.15.72:443) from port2. flag [S], seq 3361246429, ack 0, win 64240"
id=20085 trace_id=81 func=init_ip_session_common line=5654 msg="allocate a new session-000089a5"
id=20085 trace_id=81 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-192.168.174.254 via port1"
id=20085 trace_id=81 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=82 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 34.211.15.72:443->192.168.3.2:51467) from local. flag [S.], seq 3893514304, ack 3361246430, win 42340"
Because of the keyword 'from local', FortiGate is impersonating the web server and responding with an SYN-ACK to the client requesting the website.
After the user has accepted the disclaimer, he can browse the internet, and the IP address is shown on GUI page Monitor -> Firewall User Monitor.
After the user has accepted the disclaimer, he can browse the internet, and the IP address is shown on GUI page Monitor -> Firewall User Monitor.
Once the user accepts the disclaimer, their IP will be included in the command below.
Based on the following output, if the client IP 192.168.3.2 remains in the authentication list, the disclaimer page will not appear when accessing the server.
diagnose firewall auth list
192.168.3.2
type: disclaimer, id: 2, duration: 20, idled: 15
expire: 44, allow-idle: 60
flag(1000): src_idle
----- 1 listed, 0 filtered ------
Furthermore, after clearing the client IP from the authentication list, the disclaimer page will appear upon the next attempt.
Additionally, to display the disclaimer page using the FQDN rather than the FortiGate IP, then configure the FQDN under auth-portal.
config firewall auth-portal
set portal-addr <FQDN>
end
To disable the disclaimer page on the policy:
config firewall policy
edit 2
set disclaimer disable
end
edit 2
set disclaimer disable
end
If still getting the disclaimer page, then check the interface:
Check the source interface for example: port2 and disable the 'Security mode':
Network ---->interface--->port2
Note:
This option when enabled can configure the authentication portal, user and group access, custom portal messages, exempt sources and destinations/services, and redirect after the captive portal but if not using or specifying any of the mentioned here then it can be disabled.
