FortiGate
rmetzger
Staff
Article Id 198703

Description


This article describes how to configure a disclaimer page at the firewall policy level.
The disclaimer is shown the first time a user connects, and the user must accept it to get internet access.

 

Scope

 

FortiGate.

Solution


The goal is to present a disclaimer page to users connected behind port2 (Guest Network) whenever they access the internet (routed via port1).

A default disclaimer page already exists on the FortiGate and can be edited as needed.


This can be done via the GUI:

Enable Policy Disclaimer from the Feature Visibility page:

Go to System -> Feature Visibility -> Enable Policy Disclaimer.

 

[Screenshot: Feature Visibility page with Policy Disclaimer enabled]


To edit the disclaimer text, go to System -> Replacement Messages -> Extended View -> Authentication -> Disclaimer Page.

 
To enable policy disclaimer in CLI:
 
config system settings
    set gui-advanced-policy enable
end
 
The second step is to enable the disclaimer at the policy level.
Either create a new policy or find the ID of the existing policy that allows traffic from the Guest Network to the internet.
In this example, a simple policy with NAT allows traffic from port2 (Guest) to port1 (Internet):
 

 

If the ID column is not shown, it can be enabled as shown in the screenshot below:

 

Once the policy is shown, enable the disclaimer via the CLI:
 
config firewall policy
    edit 2
        set disclaimer enable
end
 
To enable the disclaimer via the GUI: 
 
[Screenshot: Disclaimer option in the firewall policy settings]

 

Once this is done, users behind port2 will have to accept the disclaimer to get further internet access.

 
 
Running a debug flow shows what is happening in the background:
 
diagnose debug en
diagnose debug flow filter addr 192.168.3.2
diagnose debug flow filter port 443
diagnose debug flow trace start 20
id=20085 trace_id=81 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 192.168.3.2:51467->34.211.15.72:443) from port2. flag [S], seq 3361246429, ack 0, win 64240"
id=20085 trace_id=81 func=init_ip_session_common line=5654 msg="allocate a new session-000089a5"
id=20085 trace_id=81 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-192.168.174.254 via port1"
id=20085 trace_id=81 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=82 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 34.211.15.72:443->192.168.3.2:51467) from local. flag [S.], seq 3893514304, ack 3361246430, win 42340"


The keyword 'from local' shows that the FortiGate is impersonating the web server and responding with a SYN-ACK to the client that requested the website.
After the user has accepted the disclaimer, the user can start browsing the internet, and the user's IP address is shown in the GUI under Monitor -> Firewall User Monitor.
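The following is an added Python example, not part of the article or of any Fortinet tool, that parses debug flow trace lines like the ones above and pairs each client SYN with a SYN-ACK sourced 'from local', which is the signature of the FortiGate answering in place of the real server while the disclaimer is pending. The sample trace is constructed from the lines shown above.

```python
import re
from typing import Dict, List

# Constructed sample input: the five trace lines shown in the article.
SAMPLE_TRACE = """\
id=20085 trace_id=81 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 192.168.3.2:51467->34.211.15.72:443) from port2. flag [S], seq 3361246429, ack 0, win 64240"
id=20085 trace_id=81 func=init_ip_session_common line=5654 msg="allocate a new session-000089a5"
id=20085 trace_id=81 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-192.168.174.254 via port1"
id=20085 trace_id=81 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=82 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 34.211.15.72:443->192.168.3.2:51467) from local. flag [S.], seq 3893514304, ack 3361246430, win 42340"
"""

# Matches the packet summary emitted by print_pkt_detail lines.
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) "
    r"from (?P<iface>\w+)\. flag \[(?P<flags>[^\]]*)\]"
)


def parse_packets(trace: str) -> List[Dict[str, str]]:
    """Return one dict per 'received a packet' line; other trace lines are skipped."""
    packets = []
    for line in trace.splitlines():
        match = PKT_RE.search(line)
        if match:
            packets.append(match.groupdict())
    return packets


def find_intercepted_flows(trace: str) -> List[Dict[str, str]]:
    """Pair client SYNs with SYN-ACKs whose source interface is 'local'.

    A SYN-ACK the FortiGate emits itself for a flow addressed to an external
    server means the unit is answering in place of that server, which is what
    happens while the policy disclaimer has not yet been accepted.
    """
    syns = {}
    for pkt in parse_packets(trace):
        if pkt["flags"] == "S" and pkt["iface"] != "local":
            syns[(pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])] = pkt
    intercepted = []
    for pkt in parse_packets(trace):
        if pkt["iface"] == "local" and pkt["flags"] == "S.":
            reverse = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if reverse in syns:
                intercepted.append({"client": pkt["dst"], "client_iface": syns[reverse]["iface"],
                                    "server": pkt["src"], "server_port": pkt["sport"]})
    return intercepted
```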

 

Once the user accepts the disclaimer, the user's IP address appears in the output of the command below.

Based on the following output, as long as the client IP 192.168.3.2 remains in the authentication list, the disclaimer page will not appear again when accessing the server.

 

diagnose firewall auth list

192.168.3.2
type: disclaimer, id: 2, duration: 20, idled: 15
expire: 44, allow-idle: 60
flag(1000): src_idle

----- 1 listed, 0 filtered ------

 

Conversely, after the client IP is cleared from the authentication list, the disclaimer page appears again on the next attempt.
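As an added example (not from the article or from Fortinet), the Python below parses the output of 'diagnose firewall auth list' and reports whether a given client will be served the disclaimer on its next connection through a given policy. It assumes, which the article does not state, that an entry stops counting once its expire counter reaches 0 or its idle time reaches allow-idle; the sample output is constructed from the listing above.

```python
import re
from typing import Dict

# Constructed sample input: the auth list output shown in the article.
SAMPLE_AUTH_LIST = """\
192.168.3.2
type: disclaimer, id: 2, duration: 20, idled: 15
expire: 44, allow-idle: 60
flag(1000): src_idle

----- 1 listed, 0 filtered ------
"""

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
KV_RE = re.compile(r"([\w-]+):\s*([\w-]+)")


def parse_auth_list(text: str) -> Dict[str, Dict[str, str]]:
    """Map each listed IP to its key/value fields; the flag line is kept as 'flags'."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if IP_RE.match(line):
            current = line
            entries[current] = {}
        elif current and line.startswith("flag"):
            entries[current]["flags"] = line.split(":", 1)[1].strip()
        elif current and line and not line.startswith("-----"):
            entries[current].update(KV_RE.findall(line))
    return entries


def disclaimer_expected(entries: Dict[str, Dict[str, str]], client_ip: str, policy_id: int) -> bool:
    """True if the next connection from client_ip through policy_id gets the
    disclaimer page, i.e. there is no live disclaimer entry for that IP and policy."""
    entry = entries.get(client_ip)
    if entry is None or entry.get("type") != "disclaimer" or entry.get("id") != str(policy_id):
        return True
    # Assumption (not stated in the article): the entry is dropped once the
    # expire counter reaches 0 or the idle time reaches allow-idle.
    if int(entry.get("expire", "0")) <= 0:
        return True
    return int(entry.get("idled", "0")) >= int(entry.get("allow-idle", "0"))
```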

 

Additionally, to display the disclaimer page using the FQDN rather than the FortiGate IP, configure the FQDN under auth-portal.

 

config firewall auth-portal
    set portal-addr <FQDN>
end

 

To disable the disclaimer page on the policy:

 
config firewall policy
    edit 2
        set disclaimer disable
end
 
The disclaimer setting can also be disabled from the GUI under the policy settings:
 
[Screenshot: Disclaimer option disabled in the firewall policy settings]

 

If the disclaimer page still appears, check whether a captive portal is enabled at the interface level. Open the source interface (for example, port2) and disable 'Security mode' (Network -> Interface -> edit port2 -> disable Security mode).

 

Note:

When enabled, this option configures the authentication portal, user and group access, custom portal messages, exempt sources, destinations and services, and the redirect after the captive portal. If none of these is being used or specified, it can be disabled.

 
 

[Screenshot: Security mode setting on the interface]

 

Note:

For Android and Mac devices to prompt the disclaimer automatically, make sure that no policy higher in the order allows Google services (Android) or Apple services (Mac).

 

If the firewall policy is defined with specific services, ensure HTTPS is allowed.

 

Related article:

Technical Tip: How to create FortiGate captive portal using policy