Hello,
I followed this KB: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Local-user-authentication/ta-p/190084
My goal was to authenticate "website-admin" users for our backend webservers so that they can do more than a normal guest visitor could do. The difference I wanted was 2 firewall policies, one for guests and one for authenticated users, where, for example, IPS+WAF rules were more strict for guests than for authenticated users.
My problem is that when enabling Captive Portal I could authenticate with my backend user and traffic hit the right policy, but guests who MUST NOT authenticate also had to authenticate, which is not possible for them because they should not have any credentials.
How can I hide the auth page and only auth users who want to be authenticated? All others should be able to access all the webservers regularly.
Hello @luky ,
Thank you for contacting the Fortinet Forum portal.
You can create a rule below the suggested user group in the article and, in the destination, give the web server address to which you want to allow access.
Additionally, in Step 2 there is the option to choose "Restricted to groups" and choose the group of users whom you want to access.
Best regards,
Manasa.
If you feel the above steps helped resolve the issue, mark the reply as solved so that other customers can get it easily while searching for similar scenarios.
Created on 08-03-2024 06:29 AM Edited on 08-03-2024 06:45 AM
Okay, but under Network -> Interfaces on the WAN interface I cannot choose Captive Portal because the "Security Mode" option is missing, but it somehow works in the CLI. Could it be that if the interface is on DHCP, Captive Portal is invisible?
Also, the problem is that guests should be able to go to my websites without authenticating on the FortiGate. How to accomplish this? Is there a solution without this "Captive Portal" method? I just want the FortiGate to recognize admins vs. visitors by logging in to the FortiGate so that traffic goes the other direction; otherwise, if not logged in, the user shouldn't notice that such a mechanism is there at all. There should be no prompt for visitors.
Hello @luky ,
You can't see the security mode option for interface roles "wan" and "dmz". The security mode option is only available in the GUI for LAN and undefined interface roles.
Best Regards,
salmas