Creating an exempt policy to allow users to access the captive portal

If the FortiAuthenticator is not in the local user’s network, you need to create an exempt policy allowing users to access the FortiAuthenticator and reach the captive portal.

To create an exempt policy:
  1. Go to Policy & Objects > Firewall Policy and select Create New.
  2. Enter a policy name.
  3. In Incoming Interface, select the interface created to use an external captive portal.
  4. In Outgoing Interface, select the interface for DMZ.
  5. In Source:
    1. Select + to open the Select Entries window.
    2. In Address, search for and select all.
    3. Select Close.
  6. In Destination:
    1. Select + to open the Select Entries window.
    2. In Address, select Create > Address, and in the New Address window, enter details related to the FortiAuthenticator SP. Click OK.
    3. Select Close.
  7. In Service:
    1. Select + to open the Select Entries window.
    2. Search for and select HTTPS.
    3. Select Close.
  8. In the Firewall/Network Options pane, disable NAT.
  9. In the Advanced pane, enable Exempt Captive Portal to exempt this policy from the captive portal.

    To make the Advanced pane visible:

    • Go to System > Feature Visibility.

    • Enable Policy Advanced Options.

    • Click Apply.

  10. Click OK.
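
Because an exempt policy bypasses the captive portal, it is worth confirming after the change that every exempt policy stays as narrow as the steps above: a specific FortiAuthenticator destination, HTTPS only, and NAT disabled. The following is an added example, not Fortinet's own code. It audits a policy export for exempt policies that are wider than that. The sample configuration is constructed, and the policy names and the `FAC-SP` address object are hypothetical.

```python
import shlex

# Constructed sample of a FortiOS firewall policy export (not from the page).
# Policy 10 follows the steps above; policy 11 is an over-broad exemption.
SAMPLE_CONFIG = '''
config firewall policy
    edit 10
        set name "exempt-to-fac"
        set srcaddr "all"
        set dstaddr "FAC-SP"
        set service "HTTPS"
        set captive-portal-exempt enable
    next
    edit 11
        set name "exempt-any"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set nat enable
        set captive-portal-exempt enable
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {option: [values]}} from one 'config firewall policy' block."""
    policies, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line)
        if tokens[:1] == ["edit"]:
            current = policies.setdefault(tokens[1], {})
        elif tokens[:1] == ["set"] and current is not None:
            current[tokens[1]] = tokens[2:]
    return policies

def audit_exempt_policies(text):
    """Flag captive-portal-exempt policies that are wider than the steps above."""
    findings = []
    for pid, opts in parse_policies(text).items():
        if opts.get("captive-portal-exempt") != ["enable"]:
            continue
        if "all" in opts.get("dstaddr", []):
            findings.append((pid, "destination is all"))
        if opts.get("service") != ["HTTPS"]:
            findings.append((pid, "service is not HTTPS only"))
        if opts.get("nat") == ["enable"]:
            findings.append((pid, "NAT enabled"))
    return findings
```

Run `audit_exempt_policies()` over the text of a saved policy export; an empty list means every exempt policy matches the scope configured in this procedure.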