Description
This article describes the process of enforcing different web filter profiles on different user groups using captive portal and group-based firewall policies.
Scope
FortiGate.
Solution
The biggest advantage of configuring captive portal for user authentication, instead of simply setting a group override or setting certain categories to the 'Authenticate' action (ref: FortiGuard filter | Authenticating a web category) in the Web Filter profile, is that SAML authentication is supported for captive portal. Hence, SAML SSO can be used for user authentication, and the appropriate web filter profile is applied afterwards. Refer to this article on setting up captive portal with SAML: Outbound firewall authentication with Microsoft Entra ID as a SAML IdP | FortiGate / FortiOS 7.6.0 |....
In this demonstration, local firewall users 'testuser' in 'TESTGROUP1' and 'testuser2' in 'TESTGROUP2' will be utilized for user authentication with captive portal and Web Filter enforcement once the user is authenticated. 'TESTGROUP2' has a more restrictive web filter where social media sites like Facebook, X (formerly known as Twitter) and YouTube will be blocked.
Configure Captive Portal under the LAN interfaces that the traffic is coming from and restrict access to only the 2 configured user groups:
Multiple sources, destinations and services can be configured to be exempted from the captive portal. If this does not work as expected, refer to the troubleshooting method toward the end of this article, where a firewall policy with the captive-portal-exempt setting enabled is configured to handle the captive portal not popping up.
Create 2 web filter profiles, one for each user group; refer to: Web filter | FortiGate / FortiOS 7.6.0 | Fortinet Document Library. In this demonstration, 'TESTGROUP1' will have the default 'monitor-all' web filter profile:
Users in the 'TESTGROUP2' will be enforced with the custom web filter 'Restrict Social Media + YouTube':
Apply each Web Filter profile to the appropriate user-based firewall policy for the Web Filter to take effect:
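The CLI equivalent of the three GUI steps above (users and groups, captive portal on the LAN interface, one web filter profile and one group-based policy per group), as an added example that is not part of the original article. It also includes the DNS policy with captive-portal-exempt enabled that the troubleshooting section refers to. The interface names ('port2' as LAN, 'port1' as WAN), the policy IDs, the URL-filter table ID, the wildcard entries used to build the restrictive profile and the password placeholders are assumptions; the 'monitor-all' profile and the two group names come from the article.

```text
# Added example (not from the original article). Assumed: port2 = LAN,
# port1 = WAN, policy IDs 1-3, URL-filter table 1, placeholder passwords.

# Step 1: local users and the two groups the captive portal will allow
config user local
    edit "testuser"
        set type password
        set passwd "<PASSWORD-PLACEHOLDER>"
    next
    edit "testuser2"
        set type password
        set passwd "<PASSWORD-PLACEHOLDER>"
    next
end
config user group
    edit "TESTGROUP1"
        set member "testuser"
    next
    edit "TESTGROUP2"
        set member "testuser2"
    next
end

# Step 2: captive portal on the LAN interface, restricted to the two groups
config system interface
    edit "port2"
        set security-mode captive-portal
        set security-groups "TESTGROUP1" "TESTGROUP2"
    next
end

# Step 3a: restrictive profile for TESTGROUP2 built from a static URL filter
# (assumed approach; wildcard entries cover www./m. hosts, the simple entry
# covers the bare x.com host). TESTGROUP1 keeps the built-in "monitor-all".
config webfilter urlfilter
    edit 1
        set name "Restrict Social Media + YouTube"
        config entries
            edit 1
                set url "*.facebook.com"
                set type wildcard
                set action block
            next
            edit 2
                set url "*.youtube.com"
                set type wildcard
                set action block
            next
            edit 3
                set url "*.twitter.com"
                set type wildcard
                set action block
            next
            edit 4
                set url "x.com"
                set type simple
                set action block
            next
        end
    next
end
config webfilter profile
    edit "Restrict Social Media + YouTube"
        config web
            set urlfilter-table 1
        end
    next
end

# Step 3b: policies. The DNS exemption sits first so name resolution works
# before the user has authenticated; the two group-based policies follow.
config firewall policy
    edit 1
        set name "DNS-captive-portal-exempt"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "DNS"
        set captive-portal-exempt enable
        set nat enable
    next
    edit 2
        set name "TESTGROUP1-web"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "TESTGROUP1"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "monitor-all"
        set nat enable
    next
    edit 3
        set name "TESTGROUP2-web"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set groups "TESTGROUP2"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set webfilter-profile "Restrict Social Media + YouTube"
        set nat enable
    next
end
```

After a user has authenticated through the portal, 'diagnose firewall auth list' shows the authenticated source IP, the username and the group it was matched to, which is the quickest way to confirm that a session landed on the intended group-based policy (and therefore the intended web filter profile) before looking at the web filter logs.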
To test the configuration, try to open a web browser and access 'facebook.com' and 'youtube.com'. The login page for the captive portal will be opened like below:
Type the 'testuser' credentials as follows and select 'Continue':
The YouTube main page will show up since the Web Filter 'monitor-all' will be used for any users in the 'TESTGROUP1' user group:
Once logged in, the user is not prompted again when going to another website, because by default FortiGate only enforces user re-authentication after the user has been idle for too long (refer to this documentation for more information and how to change the behavior: Authentication settings | FortiGate / FortiOS 7.6.0 | Fortinet Document Library). See the following main pages of Facebook and X respectively for the purposes of demonstration:
When trying to access those pages as 'testuser2', after typing the correct username and password in the captive portal like below:
FortiGate shows the replacement message informing that YouTube has been blocked:
Same goes for Facebook or X:
In the scenario where the captive portal is not opening when browsing the Internet, refer to Troubleshooting Tip: How to troubleshoot if captiv... - Fortinet Community to exempt DNS traffic from the captive portal and to make sure that the firewall will always prompt for user authentication:
If the replacement messages or the captive portal page are not opened and the browser shows the following error:
Be sure to load the CA certificate used by the SSL/SSH inspection profile of the policy into the browser's trust store and try again (refer to: Replacement Message not visible for all w... - Fortinet Community).
Copyright 2025 Fortinet, Inc. All Rights Reserved.