Article Id 266583



This article describes how to stop the captive portal from being triggered in a separate browser tab and how to prevent the authentication page from being shown as insecure.




FortiOS v7.0 and above.





DNS traffic should be exempted on the interface on which the captive portal is configured, and an IPv4 policy should be set up to allow this traffic (the policy can be further restricted with a DNS filter) if a public or external DNS server is used.







PC -> [port2] FortiGate [port1] -> Internet.


In the lab setup used to test the process in this article, port2 ( is enabled with security-mode set to captive-portal.


  1. Once the user opens the browser (such as Chrome) and tries to access (or any site), the firewall inbound interface (port2) on which captive-portal is enabled will trigger an auth redirection portal for user identification on port 1003.
  2. However, this auth page will also be triggered in another tab instead of the actual tab in which the user tries to access



  • This was observed because the Chrome browser sends connectivity-check traffic to '' before handling the user's request towards ''.
  • Even if the user authentication is completed on the second tab, the error 'ERR_EMPTY_RESPONSE' occurs.




  • The expectation here is to redirect the user to itself post authentication.
  • This can be achieved by exempting certain traffic like '', '', '', '' under the captive portal settings as mentioned below.



Note: The FortiGate DNS server IP and user PC DNS server IP are expected to be the same to match the destination address to be exempted.


  1. By default, FortiGate redirects to the HTTPS auth portal. The certificate used is "Fortinet_Factory", whose CN contains the serial number, which is why the browser shows a 'not secure' error.

    The article 'Technical Tip: How to generate a self-signed certificate from FortiGate' was followed to set up the CN/SAN name 'lab.fortigate.local'; this certificate was signed by the CA 'Fortinet_CA_SSL'. It is also viable to create a CSR and have it signed by a public certificate authority.


  • The configuration in the FortiGate CLI defined the re-direction URL to match the CN defined. 'User & Authentication -> Authentication Settings' mapped the certificate created.
  • Install the CA certificate (Fortinet_CA_SSL) on the local PC under 'trusted root certificate'.


config firewall auth-portal
    set portal-addr "lab.fortigate.local"
end

config user setting
    set auth-cert "Captive-portal"
    set auth-ca-cert "Fortinet_CA_SSL"
    set auth-secure-http enable
end



  1. Now, if another attempt is made to access, the auth portal will be re-directed on the same tab to lab.fortigate.local:1003.




Note: Ensure the auth-portal redirection url is being resolved to the IP assigned on the inbound interface. In this case, it is port2 (
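The conditions this article relies on (the redirect name matches the certificate CN/SAN, the factory certificate is replaced, the HTTPS redirect is enabled, and the portal name resolves to the inbound interface) can be checked together. The following Python is an added example, not Fortinet code or part of the original article; the function names and the way certificate names and IP addresses are passed in are assumptions, and the parser handles only flat 'config ... end' blocks.

```python
SAMPLE_CONFIG = """\
config firewall auth-portal
    set portal-addr "lab.fortigate.local"
end
config user setting
    set auth-cert "Captive-portal"
    set auth-ca-cert "Fortinet_CA_SSL"
    set auth-secure-http enable
end
"""  # constructed from the CLI shown in this article

def parse_blocks(text):
    """Return {block name: {setting: value}} for top-level config blocks."""
    blocks, current = {}, None
    for raw in text.splitlines():
        parts = raw.split(None, 2) or [""]
        if parts[0] == "config" and current is None:
            current = blocks.setdefault(" ".join(raw.split()[1:]), {})
        elif parts[0] == "end":
            current = None
        elif parts[0] == "set" and len(parts) == 3 and current is not None:
            current[parts[1]] = parts[2].strip().strip('"')
    return blocks

def san_matches(host, san):
    """Exact match, or a wildcard covering exactly the left-most label."""
    host, san = host.lower(), san.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san

def check_portal(config_text, cert_sans, resolved_ip, interface_ip):
    """Return findings; an empty list means the settings are consistent."""
    blocks = parse_blocks(config_text)
    portal = blocks.get("firewall auth-portal", {}).get("portal-addr", "")
    user = blocks.get("user setting", {})
    findings = []
    if not portal:
        findings.append("portal-addr is not set")
    elif not any(san_matches(portal, s) for s in cert_sans):
        findings.append(f"portal-addr {portal} is not in the certificate names {cert_sans}")
    # Per this article, the default auth certificate is Fortinet_Factory.
    if user.get("auth-cert", "Fortinet_Factory") == "Fortinet_Factory":
        findings.append("auth-cert is the factory certificate (CN is the serial number)")
    if user.get("auth-secure-http") != "enable":
        findings.append("auth-secure-http is not enabled")
    if portal and resolved_ip != interface_ip:
        findings.append(f"{portal} resolves to {resolved_ip}, not the portal interface {interface_ip}")
    return findings
```

Pass the CN/SAN names read from the installed certificate as cert_sans, the address the client's DNS returns for the portal name as resolved_ip, and the port2 address as interface_ip.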

