FortiGate
tino_p
Staff
Article Id 322732
Description This article describes how to bind the captive portal to the loopback interface.
Scope Loopback interface, authentication, FortiGate.
Solution
1. Define the user and the user group (GRP1 in the CLI sample below) that the captive portal will grant access to:

(screenshot: vab_usergrp.png)
2. Define the loopback interface, enable captive portal on it (security mode) and restrict access to the user group from step 1:

(screenshot: vab_lb.png)
3. On the LAN interface, enable captive portal, restrict access to the user group from step 1, and add a security exempt list entry for the loopback interface's IP address, so that the client's connection to the portal itself is not redirected again:

(screenshot: vab_lan.png)
4. Define the firewall policies:
  • One policy from the LAN interface to the loopback interface, with captive portal exempt enabled, so that unauthenticated users can reach the portal.
  • One policy from the LAN interface to the WAN interface (or to any other interface the business requirement calls for), with the user group from step 1 as the source (active authentication) and NAT enabled.

(screenshot: vab_policy.png)
5. As a result, the user must authenticate before reaching resources such as the Internet. To present an FQDN in the portal URL instead of the loopback interface's IP address, a local DNS server must resolve that FQDN to the loopback IP.

(screenshot: vab_authen.png)

(screenshot: vab_user.png)
6. Sample CLI configuration:

config system interface
    edit "Authen_int"     <----- The loopback interface the portal is bound to.
        set vdom "root"
        set ip 192.168.150.1 255.255.255.255
        set allowaccess ping
        set type loopback
        set security-mode captive-portal
        set security-groups "GRP1"
        set role lan
        set snmp-index 15
        set ip-managed-by-fortiipam disable
    next
    edit "port5"     <----- The LAN interface.
        set vdom "root"
        set ip 192.168.85.254 255.255.255.0
        set allowaccess ping https ssh http     <----- http admin access is unencrypted; https alone is the safer choice.
        set type physical
        set security-mode captive-portal
        set security-exempt-list "port5-exempt-list"     <----- The exempt list covering the loopback IP (step 3).
        set security-groups "GRP1"
        set device-identification enable
        set lldp-transmission enable
        set role lan
        set snmp-index 5
    next
end

config firewall policy
    edit 2
        set name "auth"
        set uuid 393c0fbc-2de1-51ef-239a-d711a29c4d91
        set srcintf "port5"
        set dstintf "Authen_int"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"     <----- Broad; only the portal's HTTP/HTTPS ports are actually needed.
        set logtraffic all
        set captive-portal-exempt enable     <----- Unauthenticated users must be able to reach the portal itself.
    next
    edit 1
        set name "www"
        set uuid b9a5a732-2ddf-51ef-56f9-eb5fd6fe2748
        set srcintf "port5"     <----- The LAN interface.
        set dstintf "port1"     <----- The WAN interface to access the Internet.
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat enable
        set groups "GRP1"     <----- Only authenticated members of GRP1 match this policy.
    next
end

config authentication setting
    set update-time 2024-06-18 19:09:42
    set captive-portal "Authen"
end

config firewall auth-portal
    set portal-addr "authen.fqdn.here"     <----- Needs a local DNS record resolving to 192.168.150.1.
end
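The sample above references the user group GRP1 and the exempt list port5-exempt-list without showing how they are built. The following CLI fragment, added here as an illustration and not part of the original article, shows one way to create them for the steps 1 and 3 above. The local user user1, the placeholder password, the address object Authen_int_IP and the choice to match the exemption on the destination address (traffic from any LAN client to the loopback IP) are assumptions, not taken from the article.

```text
config firewall address
    edit "Authen_int_IP"     <----- Assumed name: address object for the loopback IP.
        set subnet 192.168.150.1 255.255.255.255
    next
end

config user local
    edit "user1"     <----- Assumed local user; replace the placeholder password.
        set type password
        set passwd "ChangeMe"
    next
end

config user group
    edit "GRP1"     <----- The group referenced by security-groups and by policy 1.
        set member "user1"
    next
end

config user security-exempt-list
    edit "port5-exempt-list"     <----- Referenced by security-exempt-list on port5.
        config rule
            edit 1
                set srcaddr "all"
                set dstaddr "Authen_int_IP"     <----- Assumed: exempt client traffic to the loopback IP from the redirect.
                set service "ALL"
            next
        end
    next
end
```

To check the result from a LAN host: confirm that authen.fqdn.here resolves to 192.168.150.1, then browse to an external site and verify that the browser is redirected to the portal and, after login, reaches the site. If the browser keeps landing on the portal instead, the exemption from step 3 or the captive-portal-exempt policy from step 4 is the first thing to check.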

 
