SSLVPN disclaimers

darrencarr · ‎04-06-2010

Hi all, Does anyone know of a method to display a disclaimer for users once they have successfully authenticated using the SSL VPN. We have contractors with very limited access and I need to present something to them after they have authenticated which they then need to accept before continuing. I can' t see anything obvious in the configuration options? Cheers

Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B v4.0,build0130 (MR1 Patch 3)

abelio · ‎04-07-2010

Hi, as you' re running 4.1, one approach could be use CLI to edit auth firewall policy with something like:

 config firewall policy
    edit <id_auth_policy>
       set disclaimer enable
     next
 end

In some models you could display auth disclaimer page, customizable with replacement messages. Mobile user must accept your disclaimer to connect. Another related setting if disclaimer is available could be define an external page with your conditions and use " set redirect-url <url_name>" in the same policy. I' ve not access right now to an 1K unit to verify availabilty of this setting; please confirm it for us when you can. regards,

regards

/ Abel

darrencarr · ‎04-07-2010

Hi Abel Thanks for getting back to me. I tried to edit the policy in question but I do not have this as an option? I have attached what my options are. The action defined for this policy is ' SSLVPN' I also checked other policies that did not have any authentication defined and they too had no option for a disclaimer.

Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B v4.0,build0130 (MR1 Patch 3)

darrencarr · ‎04-07-2010

Hi Abel... Looking through the Forti OS 4 MR1 Admin Guide it would appear you can only use a disclaimer on a policy when the action is set to ACCEPT Page 326 User Authentication Disclaimer Available only on some models and only if Action is set to ACCEPT. Select this option to display the Authentication Disclaimer page (a replacement message) to the user. The user must accept the disclaimer to connect to the destination. You can use the disclaimer together with authentication or a protection profile. Redirect URL Available only on some models and only if Action is set to ACCEPT. If you enter a URL, the user is redirected to the URL after authenticating and/or accepting the user authentication disclaimer. Any other ideas? I can' t see anything in the CLI?

Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B v4.0,build0130 (MR1 Patch 3)

darrencarr · ‎04-07-2010

Ok...I can do a URL redirect but that doesn' t really achieve what I am trying to do... I would therefore like to modify the SSL-VPN login page. I have been into the replacement messages and have adjusted the title. I would like to add a statement beneath the box with a warning...my HTML skillls are none existent though... can anyone advise on how you would adjust the replacement message to include the warning so it appeared above the login box? Thanks guys

Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B v4.0,build0130 (MR1 Patch 3)

Troy_Sorzano · ‎04-07-2010

For below: Put a row TR and cell TD after the %%SSL_LOGIN%% token. It should look like this. %%SSL_LOGIN%%<tr><td>Your message here!</tr></td> For top: Put a row TR and cell TD before the %%SSL_LOGIN%% token. It should look like this. <tr><td>Your message here!</tr></td>%%SSL_LOGIN%% Troy

rwpatterson · ‎04-07-2010

Try this: <tr><td>%%SSL_LOGIN%%</td></tr><tr><td>Your message here!</td></tr> Put the " %%SSL_LOGIN%%" inside of the <TR><TD> elements. Also in the original post, the closing tags are reversed. Should be </td></tr>.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

darrencarr · ‎04-07-2010

Hi Troy Thanks for the tip. When I put it in before the %%SSL_LOGIN%% token it appears inside of the Login Box. If I wanted it to appear outside of the login box how would I do that? Thanks for the help

Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B v4.0,build0130 (MR1 Patch 3)

darrencarr · ‎04-07-2010

Thanks for the input Bob to confirm <html><head><title>*******</title><meta http-equiv=" Pragma" content=" no-cache" ><meta http-equiv=" cache-control" content=" no-cache" ><meta http-equiv=" cache-control" content=" must-revalidate" ><link href=" /sslvpn/css/login.css" rel=" stylesheet" type=" text/css" ><script language=" JavaScript" ></script></head><body class=" main" ><center><table width=" 100%" height=" 100%" align=" center" class=" container" valign=" middle" cellpadding=" 0" cellspacing=" 0" ><tr valign=middle><td><form action=" %%SSL_ACT%%" method=" %%SSL_METHOD%%" name=" f" ><table class=" list" cellpadding=10 cellspacing=0 align=center width=400 height=180>%%SSL_LOGIN%%</table>%%SSL_HIDDEN%%</td></tr></table></form></center></body><script>document.forms[0].username.focus();</script></html> <html><head><title>******</title><meta http-equiv=" Pragma" content=" no-cache" ><meta http-equiv=" cache-control" content=" no-cache" ><meta http-equiv=" cache-control" content=" must-revalidate" ><link href=" /sslvpn/css/login.css" rel=" stylesheet" type=" text/css" ><script language=" JavaScript" ></script></head><body class=" main" ><center><table width=" 100%" height=" 100%" align=" center" class=" container" valign=" middle" cellpadding=" 0" cellspacing=" 0" ><tr valign=middle><td><form action=" %%SSL_ACT%%" method=" %%SSL_METHOD%%" name=" f" ><table class=" list" cellpadding=10 cellspacing=0 align=center width=400 height=180><tr><td>%%SSL_LOGIN%%</td></tr><tr><td>Your message here!</td></tr></table>%%SSL_HIDDEN%%</td></tr></table></form></center></body><script>document.forms[0].username.focus();</script></html>

Fortigate 1000A v4.0,build194,100121 (MR1 Patch 4) Fortianalyzer 800B v4.0,build0130 (MR1 Patch 3)

rwpatterson · ‎04-08-2010

Looks solid! Give that a go.

Bob - self proclaimed posting junkie!
See my Fortigate related scripts at: http://fortigate.camerabob.com

SSLVPN disclaimers

Nominate a Forum Post for Knowledge Article Creation