Thonno
New Contributor III

FortiNAC Registration Portal Bypassed When Using FortiGate Explicit Proxy

Hello everyone, I'm back with another issue related to FortiNAC...

 

In the client's network infrastructure where FortiNAC is deployed, there is an Explicit Proxy configured on the FortiGate.

If I disable the proxy on the test machine, the FortiNAC Captive Portal appears as expected. However, when the proxy is enabled, the traffic bypasses FortiNAC entirely, and I can browse the internet without being redirected to the Captive Portal.

 

I've tried creating Proxy Policies to deny traffic from the isolation VLAN subnet, but this still bypasses the FortiNAC registration portal, and I receive an error indicating that internet access is blocked.

 

Is it possible to forward traffic from the FortiGate proxy to FortiNAC? I couldn't find any reference to "proxy" in the allowaccess settings for FortiNAC's port2 interface.

Thank you very much for your help!

1 Solution
ebilcari
Staff

A quick way I can think of is to put the FNAC isolation domain as an exception in the proxy client configuration (if centrally managed) and block internet access via the proxy when the hosts are in the isolation VLAN.

There is no built-in mechanism in FNAC to accept user proxied traffic. This may cause issues, since FNAC will extract some of the host's information when it accesses the portal; even NAT is not recommended.

- Emirjon
If you have found a solution, please like and accept it to make it easily accessible for others.
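
One form the proxy client exception suggested above can take when clients receive a centrally managed PAC file, written as an added example (not part of the reply above and not Fortinet code). The isolation domain `isolation.example.com` and the proxy address `192.0.2.10:8080` are placeholders and the helper names are hypothetical; the deny policy for the isolation VLAN still has to be configured on the FortiGate.

```javascript
// PAC file: send FortiNAC isolation-portal traffic DIRECT, everything else
// to the explicit proxy. Written in ES3 style because some PAC engines are old.
// ASSUMPTIONS (not from the thread): both values below are placeholders.
var ISOLATION_DOMAIN = "isolation.example.com"; // placeholder FortiNAC isolation domain
var EXPLICIT_PROXY = "PROXY 192.0.2.10:8080";   // placeholder FortiGate explicit proxy

// Lowercase the host, drop a single ":port" and any trailing dots, so that
// "Portal.Isolation.Example.Com." compares equal to the configured name.
function normalizeHost(host) {
  var h = String(host || "").toLowerCase();
  var colon = h.indexOf(":");
  if (colon !== -1 && colon === h.lastIndexOf(":")) { // one colon only: not IPv6
    h = h.substring(0, colon);
  }
  while (h.length > 0 && h.charAt(h.length - 1) === ".") {
    h = h.substring(0, h.length - 1);
  }
  return h;
}

// True only for the domain itself or a real subdomain of it. Matching on the
// label boundary keeps look-alike names such as "evil-isolation.example.com"
// or "isolation.example.com.example.net" out of the exception.
function inDomain(host, domain) {
  if (host === domain) { return true; }
  var suffix = "." + domain;
  var start = host.length - suffix.length;
  return start > 0 && host.indexOf(suffix, start) === start;
}

function FindProxyForURL(url, host) {
  if (inDomain(normalizeHost(host), ISOLATION_DOMAIN)) {
    return "DIRECT"; // portal traffic reaches FortiNAC unproxied and un-NATed
  }
  // Everything else still goes to the explicit proxy, where the deny policy
  // for the isolation VLAN subnet applies.
  return EXPLICIT_PROXY;
}
```
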

3 REPLIES
AEH
New Contributor

Hello,

Can you please show us the proxy and the forwarding server configuration?

BR.

AEH.
Thonno
New Contributor III

Hi, the pre-existing proxy policies (configured by other providers in all → all) have no forwarding server and are configured with the WAN interface as the destination interface.
