Created on 09-27-2019 01:09 AM Edited on 12-30-2021 01:19 PM By Anonymous
Description
This article explains how to enable captive portal exempt for a specific destination address.
A common use case is an environment where users must authenticate, but certain resources have to be reachable before authentication completes. Another is that the portal itself is not hosted on the FortiGate but on another device, such as a FortiAuthenticator. In both cases the client generates traffic that must pass through the interface before the client has authenticated.
Solution
When captive portal authentication is enabled on an interface, the CLI setting "captive-portal-exempt" in a firewall policy exempts the traffic matching that policy (for example, traffic to specific destination addresses) from captive portal authentication.
Configuration on the CLI is as follows:
#config firewall policy
edit <id>
set captive-portal-exempt enable
next
end
Example:
The following configuration example shows how to exempt clients from captive portal authentication for traffic to the FortiAuthenticator.
This device is hosted internally behind the interface "dmz" with the FQDN fortiauthenticator.forti.lab and serves wireless users connected to the Wi-Fi SSID 'Guests'.
The SSID interface is configured as follows:
#config system interface
edit "Guests"
set vdom "root"
set ip 10.0.0.1 255.255.0.0
set type physical
set security-mode captive-portal
set security-external-web "https://fortiauthenticator.forti.lab/guests"
set role lan
set security-groups "Guest_users"
set snmp-index 2
next
end
Step 1: Create an address object for the FortiAuthenticator
#config firewall address
edit "fortiauthenticator.forti.lab"
set type fqdn
set fqdn "fortiauthenticator.forti.lab"
next
end
Step 2: Create a firewall policy from the interface 'Guests' to the DMZ with the destination set to the FortiAuthenticator address object and enable captive portal exempt. The source address object "10.0.0.0/16" for the guest subnet is assumed to exist already; it is not created in Step 1.
#config firewall policy
edit 3
set srcintf "Guests"
set dstintf "dmz"
set srcaddr "10.0.0.0/16"
set dstaddr "fortiauthenticator.forti.lab"
set action accept
set schedule "always"
set service "HTTPS"
set captive-portal-exempt enable
next
end
This policy now allows traffic from a client on the captive portal interface to the DMZ without authentication or disclaimer (from the address object "10.0.0.0/16" to https://fortiauthenticator.forti.lab:443). Because the exemption applies only to traffic matching this policy, keep its destination and service as narrow as the pre-authentication use case requires.
If traffic that should reach a resource before authentication is being denied by policy, check the matching firewall policy for this setting first. The captive-portal-exempt setting is never enabled automatically and must be set explicitly in the CLI, so it is most likely simply missing from the policy.
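The check above can be scripted against a configuration backup. The following is an added example, not code from the original article or from Fortinet: it parses the text form of a FortiOS configuration, finds the interfaces running in captive-portal mode, and reports which policies from those interfaces toward a given set of pre-authentication destinations carry `captive-portal-exempt enable` and which do not. The sample configuration, the address object `dns-server.forti.lab`, policy IDs 4 and 5 and the interface `dmz` address are constructed for the example and do not come from the article.

```python
"""Audit a FortiOS configuration dump for policies on captive-portal
interfaces that are missing 'set captive-portal-exempt enable'."""

import shlex

# Constructed sample configuration (not taken from a real device). Policy 3
# mirrors the article's example; policy 4 is a second pre-auth policy (DNS)
# on which the exemption was forgotten; policy 5 is unrelated to the portal.
SAMPLE_CONFIG = """\
config system interface
    edit "Guests"
        set vdom "root"
        set ip 10.0.0.1 255.255.0.0
        set security-mode captive-portal
        set security-external-web "https://fortiauthenticator.forti.lab/guests"
        set security-groups "Guest_users"
    next
    edit "dmz"
        set vdom "root"
        set ip 192.168.50.1 255.255.255.0
    next
end
config firewall policy
    edit 3
        set srcintf "Guests"
        set dstintf "dmz"
        set srcaddr "10.0.0.0/16"
        set dstaddr "fortiauthenticator.forti.lab"
        set action accept
        set schedule "always"
        set service "HTTPS"
        set captive-portal-exempt enable
    next
    edit 4
        set srcintf "Guests"
        set dstintf "dmz"
        set srcaddr "10.0.0.0/16"
        set dstaddr "dns-server.forti.lab"
        set action accept
        set schedule "always"
        set service "DNS"
    next
    edit 5
        set srcintf "dmz"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
"""


def parse_fortios_config(text):
    """Return {table: {entry_id: {key: [values]}}} for top-level config tables.

    Only 'set' lines directly inside a top-level 'edit' are recorded; nested
    'config ... end' blocks inside an entry are tracked for depth and skipped.
    """
    tables = {}
    stack = []        # names of currently open 'config' tables
    current = None    # (table, entry_id) while inside a top-level 'edit'
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("config "):
            stack.append(line[len("config "):])
            if len(stack) == 1:
                tables.setdefault(stack[0], {})
        elif line.startswith("edit ") and len(stack) == 1:
            entry_id = line[len("edit "):].strip().strip('"')
            current = (stack[0], entry_id)
            tables[stack[0]][entry_id] = {}
        elif line.startswith("set ") and current and len(stack) == 1:
            key, _, value = line[len("set "):].partition(" ")
            # shlex handles quoted values and multi-value settings alike
            tables[current[0]][current[1]][key] = shlex.split(value)
        elif line == "next" and len(stack) == 1:
            current = None
        elif line == "end" and stack:
            stack.pop()
    return tables


def captive_portal_interfaces(tables):
    """Names of interfaces whose security-mode is captive-portal."""
    return {name for name, attrs in tables.get("system interface", {}).items()
            if attrs.get("security-mode") == ["captive-portal"]}


def audit_preauth_policies(text, preauth_addrs):
    """Split policies that leave a captive-portal interface toward a
    pre-authentication destination into (exempt_ok, exempt_missing) lists
    of policy IDs. Policies with other destinations are ignored, since
    authenticated-user traffic legitimately has no exemption."""
    tables = parse_fortios_config(text)
    cp_ifaces = captive_portal_interfaces(tables)
    exempt_ok, exempt_missing = [], []
    for pid, attrs in tables.get("firewall policy", {}).items():
        if not set(attrs.get("srcintf", [])) & cp_ifaces:
            continue
        if not set(attrs.get("dstaddr", [])) & set(preauth_addrs):
            continue
        if attrs.get("captive-portal-exempt") == ["enable"]:
            exempt_ok.append(pid)
        else:
            exempt_missing.append(pid)
    return exempt_ok, exempt_missing


if __name__ == "__main__":
    preauth = {"fortiauthenticator.forti.lab", "dns-server.forti.lab"}
    ok, missing = audit_preauth_policies(SAMPLE_CONFIG, preauth)
    print("exempt set on policies:", ok)
    print("exempt MISSING on policies:", missing)
```

Feed the script the output of a configuration backup (or `show firewall policy` plus `show system interface`) and the list of address objects that must be reachable before login; any policy it lists as missing the exemption is the one to inspect first. The parser deliberately ignores nested `config` blocks inside an entry, which is sufficient for the two tables involved here.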
A related article explains how to narrow the exemption further to specific address groups and services with security-exempt-list.
Keep in mind that security-exempt-list is used in addition to captive-portal-exempt: it does not replace it, but acts as a filter on top of it.
Copyright 2025 Fortinet, Inc. All Rights Reserved.