FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.

This article describes how to configure captive portal in bridge mode when 2nd FortiGate is acting as a portal server.




SSIDs of a FortiAP is configured as local-bridge and captive-portal. 


After a wireless client connects to the SSID on the FortiAP, the first HTTP(s) web request from client to internet will be redirected to portal server by the FortiAP, in this case, the portal server is a 2nd FortiGate.


The flows and steps:

1) The client sends the first web request, trying to internet.

2) FortiAP will not pass the request to Internet but reply with a HTTP(s) redirect response, to make client browser redirect to the portal server (2nd FortiGate).

3) The client connects to the portal-server.

4) The portal-server will push an authentication and login page to the client.

5) The client will input credentials and send to the portal-server.

6) The portal-server validates the credentials and redirect the client to FortiAP authentication URL.

7) The client connects to FortiAP authentication URL.

8) FortiAP sends query the portal-server's authentication result by using client's MAC & IP as keyword.

9) The portal-server reply the authentication result to FortiAP.

10) FortiAP accepts the client, and redirect client the original-url or configured start-url.




Sample Configuration.


# config wireless-controller vap
    edit "portal"
        set vdom "root"
        set ssid "portal"
        set security captive-portal
        set security-redirect-url ""
        set intra-vap-privacy enable
        set schedule "always"
        set local-bridging enable
        set external-web ""

# config system interface <----For Fortigate which is used as portal server.
    edit "wan1"
        set vdom "root"
        set ip
        set allowaccess ping https ssh http telnet capwap
        set vlanforward enable
        set type physical
        set security-mode captive-portal
        set security-groups "test"
        set role wan
        set snmp-index 2


Trouble-shooting commands.


debug log on FAP:


FAP # cw_debug app fapportal 8

FAP# fapportal_diag -d sta



If there is an NAT between client and Portal server (2nd FortiGate in this case), it will not work. 


The reason behind this is that FortiGate only support IP based session lookup when it is used as portal server.