FortiGate
Markus_M
Staff & Editor
Article Id 197111

Description

 

This article explains the different ways in which one can add exemptions to the FortiGate captive portal so that users can access services before authenticating. These source/destination exemptions are frequently required so that users can do things like query DNS servers and reach externally-hosted captive portals for further authentication.

Scope

 

FortiGate, Captive Portal.


Solution

 

There are two options for specifying exemptions on the FortiGate. Administrators may use either option on its own or both at once, depending on requirements. The two do not have to overlap: each method may carry a different set of exemptions, and together they form the cumulative list of exemptions for the captive portal, so there is no need to copy an exemption into both methods:

 

Option 1: security-exempt-list (configured on a per-interface basis).

  • In the CLI, a list is configured first under config user security-exempt-list and then applied on a per-interface basis.
  • In the GUI, this configuration can be done within the Network -> Interfaces section, as well as the WiFi & Switch Controller -> SSIDs section (for wireless networks). More specifically, the setting maps to the Exempt sources and Exempt destinations/services sections.
  • This setting allows admins to configure exemptions for Source Addresses, Destination Addresses, and Destination Services, and they apply to all traffic that hits the captive portal-enabled interface. This is useful for broad exemptions, such as for DNS traffic in general.
  • Note: even with these exemptions, a Firewall Policy must still exist that allows the desired traffic to flow (i.e., the exemption applies solely to the captive portal and does not bypass standard Firewall Policy assessment, route lookups, etc.).

 

Option 2: captive-portal-exempt (configured on a per-Firewall Policy basis).

  • In the CLI, this setting may be configured on a per-Firewall Policy basis. By default, the setting is disabled.
  • In the GUI, this configuration may be toggled on/off using the Exempt from captive portal toggle in the Advanced section at the bottom of the Firewall Policy configuration (Policy & Objects -> Firewall Policy).
  • This setting allows admins to specify Firewall Policies that are exempt from captive portal authentication (i.e., users may use these policies before authenticating/accepting the portal). This option can be useful for allowing more-specific combinations of exemptions compared to the interface-wide security-exempt-list setting (for example, users belonging to the x.x.x.x subnet may access certain destinations/services without the captive portal, whereas users in the y.y.y.y subnet may not).
  • Note: This setting is only available when the Firewall Policy does not have Users/Groups applied to it. If Users/Groups are applied to the Firewall Policy, then this setting is disabled and hidden in the CLI for that policy.

 

Configuring security-exempt-list - GUI Method.

To configure the security-exempt-list via the GUI, navigate to either Network -> Interfaces (all interfaces) or WiFi & Switch Controller -> SSIDs (wireless SSIDs only) and modify the following sections:

  • Exempt sources - exempts all traffic whose Source Address is included in this list (for example, to allow through a device that cannot support captive portal authentication, such as a network printer).
  • Exempt destinations/services - exempts traffic whose Destination Address or Destination Service is included in this list (for example, allowing access to external captive portal servers, or allowing services like DNS and ICMP Ping without needing authentication).

 

security-exempt-list_GUI.png

 

In the above example, all traffic sourced from 192.168.160.2 would be allowed through the captive portal without needing to authenticate. Additionally, any traffic destined for IP addresses matching the fortinet.com FQDN Address object would be allowed through, as would traffic that matches the predefined DNS service object (TCP and UDP port 53). However, as noted earlier, a Firewall Policy must still exist to allow this traffic to flow in general.

 

Configuring security-exempt-list - CLI Method.

To configure the security-exempt-list via the CLI, use the CLI commands described in the following links:

For demonstration purposes, the following configuration is the CLI equivalent to the above GUI screenshot:

 

Configure the security-exempt-list entry:

 

config user security-exempt-list
    edit 'VLAN160-exempt-list'
        config rule
            edit 1
                set srcaddr 'test_192.168.160.2'
            next
            edit 2
                set dstaddr 'fortinet.com'
            next
            edit 3
                set service 'DNS'
            next
        end
    next
end

 

Assign the security-exempt-list to the network interface:

 

config system interface
    edit 'VLAN160'
        set security-exempt-list 'VLAN160-exempt-list'
    next
end

 

Configuring captive-portal-exempt - GUI Method.

To enable this setting via the GUI, admins must first navigate to System -> Feature Visibility and enable the Policy Advanced Options toggle. This allows the toggle to appear in the GUI:

 

policy_advanced_options.png

 

Next, navigate to Policy & Objects -> Firewall Policy, edit the policy, then enable the Exempt from captive portal toggle at the bottom of the page under the Advanced section:

 

captive-portal-exempt_GUI.png

 

With this setting enabled, any traffic that matches this Firewall Policy will be allowed to pass without requiring captive portal authentication. However, keep the following important notes in mind when using per-Firewall Policy captive portal exemptions:

  • Firewall Policy order matters here. If a broad captive portal policy with no exemption (such as a general Internet access policy) sits above a narrower exemption policy (such as one allowing access to a specific website), then the broader policy matches first and the traffic will not be exempted.
  • If a User/Group is applied to the Firewall Policy (such as in the Source section) then Exempt from captive portal will be automatically toggled-off upon saving the configuration. This is expected behavior.

 

Configuring captive-portal-exempt - CLI Method.

To enable this setting in the CLI, navigate to the Firewall Policy that will be used to exempt traffic from captive portal authentication and enable captive-portal-exempt:

 

config firewall policy
    edit <id>
        set captive-portal-exempt enable
    next
end

 

To check the state of this setting for existing Firewall Policies, run the following command, which prints each policy entry that contains the string (only entries with the setting enabled will appear, because the disabled default is not written to the configuration):

 

show firewall policy | grep -f 'captive-portal-exempt'

 

Important Reminder:

Remember that the per-Firewall Policy exemptions created with captive-portal-exempt are separate-from and in-addition to the exemptions defined on the FortiGate's network interface using security-exempt-list. There is no requirement to configure the same exemption in both places, though it will not cause problems to do so.
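The following Python script is an added example and is not part of this article or Fortinet's own tooling. It reads a FortiOS configuration dump (the output of show, or a backup file) in the config/edit/set/next/end format and reports both exemption mechanisms side by side: it resolves the per-interface security-exempt-list rules from the CLI example above (Option 1), lists the Firewall Policies with captive-portal-exempt enabled (Option 2), and flags an exempt policy that an enabled, broader, non-exempt policy placed above it would match first, which is the ordering caveat noted for the per-policy method. The configuration embedded in the script is constructed: the exempt list and its interface assignment are the ones shown above, while the policy IDs, the VLAN160-subnet and support.example.com address objects and the wan1 interface are assumptions for illustration. The ordering check compares object names only and does not resolve address objects to prefixes, so it can miss a shadowing policy that uses a differently named containing subnet, but it will not report a false one.

```python
import shlex

# Constructed sample in FortiOS CLI syntax: the article's exempt list and interface
# assignment plus two assumed policies (IDs, VLAN160-subnet, support.example.com, wan1).
SAMPLE_CONFIG = """config user security-exempt-list
    edit "VLAN160-exempt-list"
        config rule
            edit 1
                set srcaddr "test_192.168.160.2"
            next
            edit 2
                set dstaddr "fortinet.com"
            next
            edit 3
                set service "DNS"
            next
        end
    next
end
config system interface
    edit "VLAN160"
        set security-exempt-list "VLAN160-exempt-list"
    next
end
config firewall policy
    edit 1
        set srcintf "VLAN160"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
    next
    edit 2
        set srcintf "VLAN160"
        set dstintf "wan1"
        set srcaddr "VLAN160-subnet"
        set dstaddr "support.example.com"
        set service "HTTPS"
        set captive-portal-exempt enable
    next
end"""

def parse_fortios(text):
    """FortiOS config/edit/set/next/end text -> {table: {key: node}}; a node is
    {"set": {option: [values]}, "config": {subtable: {key: node}}}."""
    root = {"set": {}, "config": {}}
    stack = [("node", root)]
    for t in filter(None, map(shlex.split, text.splitlines())):
        kind, cur = stack[-1]
        if kind == "table" and t[0] in ("config", "set"):  # settings-only block
            cur = cur.setdefault("", {"set": {}, "config": {}})
        if t[0] == "config":
            stack.append(("table", cur["config"].setdefault(" ".join(t[1:]), {})))
        elif t[0] == "edit":
            stack.append(("node", cur.setdefault(t[1], {"set": {}, "config": {}})))
        elif t[0] == "set":
            cur["set"][t[1]] = t[2:]
        elif t[0] in ("next", "end"):
            stack.pop()
    return root["config"]

# Values that make a policy field match anything; address objects are not resolved.
WILDCARD = {"srcintf": "any", "dstintf": "any", "srcaddr": "all", "dstaddr": "all", "service": "ALL"}

def covers(broad, narrow):
    """True when `broad` matches every packet `narrow` matches, judged by object names only."""
    for field, wild in WILDCARD.items():
        b, n = set(broad["set"].get(field, [])), set(narrow["set"].get(field, []))
        if wild not in b and not (n and n <= b):
            return False
    return True

def interface_exemptions(cfg):
    """Option 1: {interface: [rule settings]} resolved through its security-exempt-list."""
    lists = cfg.get("user security-exempt-list", {})
    return {name: [r["set"] for r in lists[ref[0]]["config"].get("rule", {}).values()]
            for name, iface in cfg.get("system interface", {}).items()
            if (ref := iface["set"].get("security-exempt-list"))}

def exempt_policies(cfg):
    """Option 2: IDs with captive-portal-exempt enabled, in table (= evaluation) order."""
    return [pid for pid, p in cfg.get("firewall policy", {}).items()
            if p["set"].get("captive-portal-exempt") == ["enable"]]

def shadowed_exempt_policies(cfg):
    """Ordering caveat: an enabled non-exempt policy above an exempt policy it covers
    matches first, so the portal still fires.  Returns {exempt_id: [ids above it]}."""
    pols = list(cfg.get("firewall policy", {}).items())
    exempt = set(exempt_policies(cfg))
    out = {}
    for i, (pid, p) in enumerate(pols):
        if pid in exempt:
            above = [bid for bid, b in pols[:i] if bid not in exempt
                     and b["set"].get("status", ["enable"]) == ["enable"] and covers(b, p)]
            if above:
                out[pid] = above
    return out

if __name__ == "__main__":
    cfg = parse_fortios(SAMPLE_CONFIG)
    print(interface_exemptions(cfg), exempt_policies(cfg), shadowed_exempt_policies(cfg), sep="\n")
```

To audit a real device, replace SAMPLE_CONFIG with the contents of a backup file or the output of show; the parser expects the standard one-statement-per-line form and ignores unset and comment lines. Policy IDs come back as the strings in the dump, in the order the policy table lists them, which is the order in which the FortiGate evaluates them, so an entry in the shadowed result means the exempt policy must be moved above the listed policies (or those policies narrowed) before the exemption has any effect.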

 

Related document:
Captive Portals