princes (Staff)
Article Id 337462
Description

This article describes how to secure an interface with captive portal enabled.

By default, if captive portal is enabled with a local portal, the user's browser will be redirected to the FortiGate interface IP and port.

This workaround makes it possible to hide the interface IP address from the browser URL display.

Scope

All supported versions of FortiOS.
Solution

Create a DNS database on the FortiGate. Any FQDN can be used according to individual requirements.

The interface on which the captive portal listens should be configured as a recursive DNS server.

The DNS-related settings must be set up as follows.

Go to Network -> DNS Server and create the following settings:

[Image: Captive_img_4.png]

Now, add a DNS database for the record:

[Image: Captive_img1.png]

Since the DNS server for this entry has been configured in recursive mode on the FortiGate LAN interface (port3), the user's system must be configured to use that FortiGate interface as its DNS server.

If the interface acts as a DHCP server, set the DNS server option in the DHCP scope so that the FortiGate interface IP is pushed to the end machines.

After configuring the DNS server as 10.135.13.43 in the user system, the DNS resolution should work properly:

[Image: Captive_img2.png]

Now set the captive portal address to the FQDN that was configured in the FortiGate DNS database:

config firewall auth-portal

iron-kvm14 (auth-portal) # show full
config firewall auth-portal
    set portal-addr ''
    set portal-addr6 ''
    set identity-based-route ''
    set proxy-auth disable
end

set portal-addr prince.Fg2_auth    <- Without this setting, FortiGate presents the interface IP and port 1000 by default.

end
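The CLI equivalent of the four steps above (recursive DNS on the listening interface, the DNS database record, the DNS server pushed by DHCP, and the portal address), as an added example that is not part of the original article. The zone name Fg2_auth and the DHCP server ID 1 are assumptions derived from the FQDN prince.Fg2_auth used on the page; port3 and 10.135.13.43 are the interface and IP the article names.

```fortios
# Step 1: the captive portal interface answers DNS queries recursively,
# so records in the local DNS database are checked before forwarding.
config system dns-server
    edit "port3"
        set mode recursive
    next
end

# Step 2: local zone (assumed name Fg2_auth) with an A record that maps
# the portal FQDN prince.Fg2_auth to the port3 interface IP.
# "set type primary" is FortiOS 7.0+; earlier releases use "set type master".
config system dns-database
    edit "Fg2_auth"
        set domain "Fg2_auth"
        set type primary
        set authoritative enable
        config dns-entry
            edit 1
                set type A
                set hostname "prince"
                set ip 10.135.13.43
            next
        end
    next
end

# Step 3: the existing DHCP scope on port3 (assumed ID 1) hands out the
# FortiGate interface as the client's DNS server so the FQDN resolves.
config system dhcp server
    edit 1
        set interface "port3"
        set dns-service specify
        set dns-server1 10.135.13.43
    next
end

# Step 4: redirect to the FQDN instead of the default interface IP:1000.
config firewall auth-portal
    set portal-addr "prince.Fg2_auth"
end
```

After applying, confirm from a client that prince.Fg2_auth resolves to 10.135.13.43 (as in the resolution check above) before testing the portal redirect.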


Now, if the user tries to browse anything, the captive portal page will not show an Interface IP address in the URL section:

[Image: Captive_fqdn.png]

Authd debug:


authd_fnbam_locked_out: username=prince, src_addr=10.135.2.31, n_failures=0, record_ttl=-2942155
[_authd_fnbam_auth_user:1371]: called
_authd_fnbam_auth: Start auth
authd_epoll_work: timeout 29800
[authd_http_accept_session:1112]: src 10.135.2.31 flag 00008000
[authd_http_change_state:2822]: src 10.135.2.31 flag 00008000
authd_http: change state from 0 to 1

pid=2012, auth_rsp_data=0x7ffcf6f69020
pid=2012, user=prince
pid=2012, svr=prince, groups_len=0
prince() authentication successful: timeout=300 group_id=( 16777218 )
[authd_http_authentication_done:1590]: src 10.135.2.31 flag 30018800
[authd_http_prepare_http303_redir:3925]: http://www.gstatic.com/generate_204 <- Captive portal redirects the browser back to the originally requested URL.
[authd_http_send:1268]: src 10.135.2.31 flag 30018800
[authd_http_change_state:2822]: src 10.135.2.31 flag 30018800
authd_http: change state from 103 to 5
[authd_http_disconnect:2745]: src 10.135.2.31 flag 30018800
[authd_http_change_state:2822]: src 10.135.2.31 flag 30018800
authd_http: change state from 5 to 6

Note: To achieve this, the user has two options: either map this FQDN to an interface IP on a local DNS server, or use the above method on FortiGate. However, the recommended way is to perform this FQDN mapping on a local DNS server.

Related article for captive portal:

Technical Tip: Captive portal authentication with users as members of multiple groups
