FortiGate
hazim
Staff
Article Id 225870
Description This article describes how to create a captive portal in FortiGate to authenticate users accessing the network.
Scope FortiGate versions 6.4, 7.0, and 7.2 and above.
Solution

Go to Policy & Objects -> Firewall Policy and select 'Create new/Edit'.

 

Enable the following features:

 

1) Assign the user/group and an address object in the source section. Use the 'all' address object if there is no need to specify any IP addresses.

 

# config firewall policy
    edit 1
        set name "example-policy"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set users "ami" <--- Name of user/group
        set disclaimer enable
        set auth-cert "Fortinet_CA_SSL"
        set nat enable
        set redirect-url "www.fortinet.com"
    next
end

 


 

2) (Optional) Enable the disclaimer in the policy using the CLI:

 

# config firewall policy
    edit <x>
        set disclaimer enable
    next
end

 


 

3) Redirect to a specific website after user authentication.


Note that this option is available only if the disclaimer option in item (2) is turned on.

 

# config firewall policy
    edit <x>
        set disclaimer enable
        set redirect-url "www.fortinet.com"
    next
end

 

 


 

After authentication, the page will redirect to www.fortinet.com as per the configuration in the CLI.
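To verify steps (1) to (3) across many policies, the following added example (not part of the original article and not Fortinet code) parses a `config firewall policy` block and reports policies that have no user/group in the source, or that set `redirect-url` without the disclaimer it depends on. The function names `parse_policies` and `audit` are hypothetical, the sample configuration is constructed, and the input is assumed to use the same layout as the CLI blocks above.

```python
import re

# Constructed sample in the same layout as the CLI blocks in this article.
SAMPLE = '''config firewall policy
    edit 1
        set users "ami"
        set disclaimer enable
        set redirect-url "www.fortinet.com"
    next
    edit 2
        set users "ami"
        set redirect-url "www.fortinet.com"
    next
    edit 3
        set disclaimer enable
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {setting: value}} from a 'config firewall policy' block."""
    policies, current, inside = {}, None, False
    for raw in text.splitlines():
        line = raw.strip().removeprefix("#").strip()  # tolerate the '# ' prompt
        if line == "config firewall policy":
            inside = True
        elif inside and line == "end" and current is None:
            inside = False
        elif inside and (m := re.fullmatch(r"edit (\d+)", line)):
            current = policies.setdefault(int(m.group(1)), {})
        elif inside and line == "next":
            current = None
        elif current is not None and (m := re.match(r"set (\S+) (.+)", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return policies

def audit(policies):
    """Return (policy_id, finding) pairs for the checks in steps (1) and (3)."""
    findings = []
    for pid, cfg in sorted(policies.items()):
        if "users" not in cfg and "groups" not in cfg:
            findings.append((pid, "no user/group in source"))
        if "redirect-url" in cfg and cfg.get("disclaimer") != "enable":
            findings.append((pid, "redirect-url set without disclaimer"))
    return findings

if __name__ == "__main__":
    for pid, finding in audit(parse_policies(SAMPLE)):
        print(f"policy {pid}: {finding}")
```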