FortiGate
npaiva
Staff & Editor
Article Id 343759
Description

 

This article describes how to publish an internal web server through a VIP so that it is reachable only after user authentication, without certificate errors on the captive portal.

 

Scope

 

FortiOS.

 

Solution

 

It is assumed that the certificate for the protected server is already present on the FortiGate, either imported or obtained through Let's Encrypt.

The first step is to create an SSL/SSH inspection profile to protect the server and select the appropriate certificate. In this case a certificate for the FQDN fortigate.paiva.pt was imported beforehand:

 

ssl-profile.png

 

The next step is to create the VIP object that forwards traffic from the FortiGate public (external) IP to the internal web server:

 

vip.png

 

Configure the firewall policy to allow the traffic for authenticated users only; a user group may be used instead of a single user. In production, restricting service to HTTPS instead of ALL limits what the VIP exposes on the internal server:

 

config firewall policy
    edit 73
        set name "fortigate.paiva"
        set uuid fbb58736-7971-51ef-8963-1e452bdb3f8e
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "fortigate.paiva"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set inspection-mode proxy
        set ssl-ssh-profile "fortigate.paiva"
        set ips-sensor "default"
        set logtraffic all
        set nat enable
        set users "paiva"
    next
end

 

Because the policy carries a user (or user group), the first request to this service triggers the FortiGate captive portal for authentication. With the default settings, however, the captive portal produces a certificate error in the user's browser:

 

captive portal error.png

 

The screenshot also shows that the user was redirected to 10.191.20.119 (the external IP of the FortiGate) for authentication; this redirect is how the captive portal works.

Two changes are needed to remove the certificate error from the captive portal.

First, change the certificate used by the captive portal. By default it uses Fortinet's built-in certificate, which browsers do not trust.

In the CLI, select the imported certificate and keep the portal on HTTPS:

 

config user setting
    set auth-cert "fortigate.paiva.san"
    set auth-secure-http enable
end

 

After this change the portal presents the correct certificate, but the browser still reports a certificate error:

 

cert-changed.png

 

The remaining error is caused by the redirect itself. By default the FortiGate redirects the browser to the IP address of the interface on which the request arrived, and the certificate is issued for the FQDN, not for that IP address, so the name does not match.

The second change is to make the FortiGate redirect to a FQDN instead, using the CLI:

 

config firewall auth-portal
    set portal-addr "fortigate.paiva.pt"  <<< FQDN
end

 

After this change the browser is redirected to the FQDN named on the certificate and authentication proceeds without certificate errors. The FQDN must resolve to the FortiGate's external IP from the client's network, and the certificate selected in auth-cert must list that FQDN in its Subject Alternative Name:

 

no-errors.png
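The three settings above (a policy with users, `auth-cert` with `auth-secure-http`, and a FQDN `portal-addr` covered by that certificate) are easy to verify by reading the configuration back. The script below is an added example, not Fortinet code: it parses FortiOS CLI output with a small config/edit/set/next/end walker and flags each of the pitfalls the article walks through. The policy text, the "before" and "after" portal settings and the CERT_SANS table (which names each imported certificate carries in its SAN) are constructed to mirror the article; on a real unit, paste the output of `show` and fill the table from System > Certificates.

```python
"""Audit FortiOS CLI text for the captive-portal certificate pitfalls above.
Added example, not Fortinet code; the configs and SAN table are constructed."""
import ipaddress
import shlex

# Constructed: DNS names in the SAN of each imported local certificate.
CERT_SANS = {"fortigate.paiva.san": {"fortigate.paiva.pt"}}

# Policy with a user set, which is what triggers the captive portal.
POLICY = """\
config firewall policy
    edit 73
        set name "fortigate.paiva"
        set srcintf "port1"
        set dstintf "port2"
        set action accept
        set srcaddr "all"
        set dstaddr "fortigate.paiva"
        set service "ALL"
        set ssl-ssh-profile "fortigate.paiva"
        set nat enable
        set users "paiva"
    next
end
"""
# Before the fix: no auth-cert and no portal-addr, so the portal uses the
# built-in certificate and the redirect goes to the interface IP address.
BEFORE = POLICY + """\
config user setting
    set auth-secure-http enable
end
config firewall auth-portal
end
"""
# After the two changes from the article.
AFTER = POLICY + """\
config user setting
    set auth-cert "fortigate.paiva.san"
    set auth-secure-http enable
end
config firewall auth-portal
    set portal-addr "fortigate.paiva.pt"
end
"""

def parse_fortios(text):
    """Flatten FortiOS CLI into {"table[/entry]": {key: [values]}}:
    'config X' and 'edit N' push a level, 'next' and 'end' pop one."""
    tree, stack = {}, []
    for raw in text.splitlines():
        tok = shlex.split(raw, comments=True)
        if not tok:
            continue
        if tok[0] == "config":
            stack.append(" ".join(tok[1:]))
        elif tok[0] == "edit":
            stack.append(tok[1])
        elif tok[0] in ("next", "end"):
            stack.pop()
        elif tok[0] == "set" and len(tok) >= 2:
            tree.setdefault("/".join(stack), {})[tok[1]] = tok[2:]
    return tree

def is_ip_literal(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def audit(config_text, cert_sans=CERT_SANS):
    """Return findings; an empty list means portal name and certificate agree."""
    cfg = parse_fortios(config_text)
    # Nothing to check unless an accept policy carries users or groups.
    if not any(p.startswith("firewall policy/") and kv.get("action") == ["accept"]
               and ("users" in kv or "groups" in kv) for p, kv in cfg.items()):
        return []
    user = cfg.get("user setting", {})
    portal = cfg.get("firewall auth-portal", {})
    findings = []
    if user.get("auth-secure-http") != ["enable"]:
        findings.append("user setting: auth-secure-http not enabled, portal would use plain HTTP")
    cert = user.get("auth-cert", [None])[0]
    if cert is None:
        findings.append("user setting: auth-cert unset, portal uses the built-in Fortinet certificate")
    elif cert not in cert_sans:
        findings.append(f"user setting: auth-cert {cert!r} is not an imported certificate")
    addr = portal.get("portal-addr", [None])[0]
    if addr is None:
        findings.append("firewall auth-portal: portal-addr unset, redirect goes to the interface IP")
    elif is_ip_literal(addr):
        findings.append(f"firewall auth-portal: portal-addr {addr} is an IP literal, not the certificate FQDN")
    elif cert in cert_sans and addr not in cert_sans[cert]:
        findings.append(f"firewall auth-portal: portal-addr {addr} is not in the SAN of {cert}")
    return findings

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text) or "no findings")
```

Running the script reports two findings for the "before" configuration (built-in certificate, redirect to the interface IP) and none for the "after" configuration. Setting `portal-addr` to the external IP 10.191.20.119 instead of the FQDN, or to a name the certificate does not carry, is reported as a name mismatch, which is exactly the error the browser would show.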