Description
This article explains how to use the secure (HTTPS) authentication page on FortiGate.
Scope
FortiGate.
Solution
When enabling Authentication (and/or Disclaimer) on a Firewall Policy, FortiGate offers the option to redirect an HTTP authentication page to a Secure Channel (HTTPS).
In this scenario, the authentication page is redirected to a new HTTPS port and to the ingress FortiGate IP address.
The process is as follows:
[ USER ] ---- network ----- port1 [ FortiGate ] -- Resources
1 --------> User traffic hits a Firewall Policy with authentication and HTTPS redirect.
2 <------- Redirect with HTTPS port and IP address of port1.
3 --------> Authentication.
4 --------> Access to the initially requested page.
In some instances, the FortiGate may sit behind another router and be reached through a VIP, so it is not directly reachable, or the administrator may want an FQDN to be sent in place of an IP address.
The network could then be as follows:
[ USER DEVICE ] ---- Internet -----[ Router] ---- port1 [ FortiGate ] -- Resources
(private IP)
In this case, the solution is to change the redirection information.
- By giving a DNS entry (that the FortiGate and the user's device must be able to resolve).
config firewall policy
edit <my_policy_ID>
set auth-redirect-addr "my.fortigate.com"
next
end
In this first case, the URL that the user's browser will see is: https://my.fortigate.com:1003/
Note:
The URL, such as the example 'my.fortigate.com', is not an external server, but points back to the FortiGate. This should be configured in the DNS server, or locally.
- By specifying an IP address directly.
config firewall policy
edit <my_policy_ID>
set auth-redirect-addr "the_public_Virtual_IP"
next
end
Reminder:
The HTTPS redirect function and port can be configured from the following CLI commands:
config user setting
set auth-secure-http enable (default = disable)
end
config system global
set auth-https-port 1442 (default = 1003)
end
Redirect HTTP to secure channel (HTTPS) through GUI:
Go to User & Authentication -> Authentication Settings -> Enable 'HTTP redirect' as displayed below.
In the case it is required to configure a different presented certificate, the parameter is:
config user setting
set auth-cert <auth-cert>
set auth-ca-cert <auth-ca-cert>
end
In this case, auth-cert must be signed by auth-ca-cert in order not to trigger the untrusted certificate error, and the auth-ca-cert must be added to the browser.
Also, the CA certificate used in the user setting should be the same used in the ssl-inspection profile.
In case it is required to use the Captive Portal for Guest Users with HTTPS, make sure that a certificate signed by a Public CA is used.
Also make sure that Captive Portal detection on the Client works. Otherwise, the authentication page will come with the auth-ca-cert (which will obviously not be trusted by the client because it’s the private CA).
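The two conditions above (auth-cert signed by auth-ca-cert, and the certificate matching the name in auth-redirect-addr) can be checked with openssl before the certificates are imported. The script below is an added example and not part of this article or of any Fortinet tool; it builds its own throwaway CA and leaf for the hostname "my.fortigate.com" used above, so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the Fortinet article: a pre-import check with plain openssl.
# check_auth_cert LEAF CA HOST prints "ok" when LEAF is signed by CA and its SAN matches
# HOST, which is what the browser checks on landing at https://HOST:1003/ after the
# redirect; anything else prints "FAIL".
check_auth_cert() {
  leaf=$1; ca=$2; host=$3
  # -no-CAfile/-no-CApath: trust only the supplied CA, like a browser that has just
  # imported auth-ca-cert; -verify_hostname compares the SAN with auth-redirect-addr.
  if openssl verify -no-CAfile -no-CApath -CAfile "$ca" \
       -verify_hostname "$host" "$leaf" >/dev/null 2>&1; then
    echo ok
  else
    echo FAIL
  fi
}

# Constructed demo material (not a real deployment): a private CA, a leaf it signs for
# my.fortigate.com (the hostname used in the article), and an unrelated second CA.
# Prints the directory that holds ca.pem, leaf.pem and other.pem.
make_demo_certs() {
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Private CA" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Other Private CA" \
    -keyout "$dir/other.key" -out "$dir/other.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=my.fortigate.com" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" >/dev/null 2>&1
  # Browsers match the redirect hostname against the SAN, not the CN.
  printf 'subjectAltName=DNS:my.fortigate.com\n' > "$dir/leaf.ext"
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 1 -extfile "$dir/leaf.ext" \
    -out "$dir/leaf.pem" >/dev/null 2>&1
  echo "$dir"
}

# Stand-alone run: correct pair, wrong CA, and a name that is not in the SAN.
d=$(make_demo_certs)
echo "chain and SAN ok:    $(check_auth_cert "$d/leaf.pem" "$d/ca.pem" my.fortigate.com)"
echo "wrong auth-ca-cert:  $(check_auth_cert "$d/leaf.pem" "$d/other.pem" my.fortigate.com)"
echo "name not in SAN:     $(check_auth_cert "$d/leaf.pem" "$d/ca.pem" gw.example.net)"
```

Run it against the real auth-cert and auth-ca-cert files with the value of auth-redirect-addr as the third argument; a FAIL on the second or third check is exactly what the user's browser will report as an untrusted or mismatched certificate.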
- Further details about Captive Portal detection can be found on this external page: https://success.tanaza.com/s/article/How-Automatic-Detection-of-Captive-Portal-works
- For further authentication information, please consult the "User Authentication User Guide" and the 'Fortinet CLI guide' which may be found at http://docs.fortinet.com