Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Cookbook

    6.2.0
    6.2.16
    6.2.15
    6.2.14
    6.2.13
    6.2.12
    6.2.11
    6.2.10
    6.2.9
    6.2.8
    6.2.7
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.0
    6.0.0
    5.6.0
    5.4.0

    Retail environment guest access

    Retail environment guest access

    Businesses such as coffee shops provide free Internet access for customers. In this scenario, you do not need to configure guest management, as customers can access the WiFi access point without logon credentials.

    However, consider that the business wants to contact customers with promotional offers to encourage future patronage. You can configure an email collection portal to collect customer email addresses for this purpose. You can configure a security policy to grant network access only to users who provide a valid email address. The first time a customer’s device attempts WiFi connection, FortiOS requests an email address, which it validates. The customer’s subsequent connections go directly to the Internet without interruption.

    This configuration consists of the following steps:

    1. Create an email collection portal.
    2. Create a security policy.
    3. Check for harvested emails.

    Creating an email collection portal

    The customer’s first contact with your network is a captive portal that presents a webpage requesting an email address. When FortiOS has validated the email address, the customer’s device MAC address is added to the Collected Emails device group.

    To create an email collection portal using the GUI:
    1. Go to WiFi & Switch Controller > SSID and edit the SSID.
    2. From the Security Mode dropdown list, select Captive Portal.
    3. For Portal Type, select Email Collection.
    4. (Optional) In Customize Portal Messages, select Email Collection.
    To create an email collection portal using the CLI:

    This example modifies the freewifi WiFi interface to present an email collection captive portal.

    config wireless-controller vap

    edit freewifi

    set security captive-portal

    set portal-type email-collect

    end

    Creating a security policy

    You must configure a security policy that allows traffic to flow from the WiFi SSID to the Internet interface but only for members of the Collected Emails device group. This policy must be listed first. Unknown devices are not members of the Collected Emails device group, so they do not match the policy.

    To create a security policy using the GUI:
    1. Go to Policy & Objects > IPv4 Policy and select Create New.
    2. Configure the policy as follows:

      Incoming Interface

      freewifi

      Source Address

      all

      Source Device Type

      Collected Emails

      Outgoing Interface

      wan1

      Destination Address

      all

      Schedule

      always

      Service

      ALL

      Action

      ACCEPT

      NAT

      On

    3. Select OK.
    To create a security policy using the CLI:

    config firewall policy

    edit 3

    set srcintf "freewifi"

    set dstintf "wan1"

    set srcaddr "all"

    set action accept

    set devices collected-emails

    set nat enable

    set schedule "always"

    set service "ALL"

    next

    end

    Checking for harvested emails

    To check for harvested emails using the GUI:
    1. Go to User & Device > Device Inventory.
    To check for harvested emails using the CLI:

    FGT-100D # diagnose user device list

    hosts

    vd 0 d8:d1:cb:ab:61:0f gen 35 req 30 redir 1 last 43634s 7-11_2-int

    ip 10.0.2.101 ip6 fe80::dad1:cbff:feab:610f

    type 2 'iPhone' src http c 1 gen 29

    os 'iPhone' version 'iOS 6.0.1' src http id 358 c 1

    email 'yo@yourdomain.com'

    vd 0 74:e1:b6:dd:69:f9 gen 36 req 20 redir 0 last 39369s 7-11_2-int

    ip 10.0.2.100 ip6 fe80::76e1:b6ff:fedd:69f9

    type 1 'iPad' src http c 1 gen 5

    os 'iPad' version 'iOS 6.0' src http id 293 c 1

    host 'Joes’s-iPad' src dhcp

    email 'you@fortinet.com'

    Previous
    Next

    Retail environment guest access

    Retail environment guest access

    Businesses such as coffee shops provide free Internet access for customers. In this scenario, you do not need to configure guest management, as customers can access the WiFi access point without logon credentials.

    However, consider that the business wants to contact customers with promotional offers to encourage future patronage. You can configure an email collection portal to collect customer email addresses for this purpose. You can configure a security policy to grant network access only to users who provide a valid email address. The first time a customer’s device attempts WiFi connection, FortiOS requests an email address, which it validates. The customer’s subsequent connections go directly to the Internet without interruption.

    This configuration consists of the following steps:

    1. Create an email collection portal.
    2. Create a security policy.
    3. Check for harvested emails.

    Creating an email collection portal

    The customer’s first contact with your network is a captive portal that presents a webpage requesting an email address. When FortiOS has validated the email address, the customer’s device MAC address is added to the Collected Emails device group.

    To create an email collection portal using the GUI:
    1. Go to WiFi & Switch Controller > SSID and edit the SSID.
    2. From the Security Mode dropdown list, select Captive Portal.
    3. For Portal Type, select Email Collection.
    4. (Optional) In Customize Portal Messages, select Email Collection.
    To create an email collection portal using the CLI:

    This example modifies the freewifi WiFi interface to present an email collection captive portal.

    config wireless-controller vap

    edit freewifi

    set security captive-portal

    set portal-type email-collect

    end

    Creating a security policy

    You must configure a security policy that allows traffic to flow from the WiFi SSID to the Internet interface but only for members of the Collected Emails device group. This policy must be listed first. Unknown devices are not members of the Collected Emails device group, so they do not match the policy.

    To create a security policy using the GUI:
    1. Go to Policy & Objects > IPv4 Policy and select Create New.
    2. Configure the policy as follows:

      Incoming Interface

      freewifi

      Source Address

      all

      Source Device Type

      Collected Emails

      Outgoing Interface

      wan1

      Destination Address

      all

      Schedule

      always

      Service

      ALL

      Action

      ACCEPT

      NAT

      On

    3. Select OK.
    To create a security policy using the CLI:

    config firewall policy

    edit 3

    set srcintf "freewifi"

    set dstintf "wan1"

    set srcaddr "all"

    set action accept

    set devices collected-emails

    set nat enable

    set schedule "always"

    set service "ALL"

    next

    end

    Checking for harvested emails

    To check for harvested emails using the GUI:
    1. Go to User & Device > Device Inventory.
    To check for harvested emails using the CLI:

    FGT-100D # diagnose user device list

    hosts

    vd 0 d8:d1:cb:ab:61:0f gen 35 req 30 redir 1 last 43634s 7-11_2-int

    ip 10.0.2.101 ip6 fe80::dad1:cbff:feab:610f

    type 2 'iPhone' src http c 1 gen 29

    os 'iPhone' version 'iOS 6.0.1' src http id 358 c 1

    email 'yo@yourdomain.com'

    vd 0 74:e1:b6:dd:69:f9 gen 36 req 20 redir 0 last 39369s 7-11_2-int

    ip 10.0.2.100 ip6 fe80::76e1:b6ff:fedd:69f9

    type 1 'iPad' src http c 1 gen 5

    os 'iPad' version 'iOS 6.0' src http id 293 c 1

    host 'Joes’s-iPad' src dhcp

    email 'you@fortinet.com'

    Previous
    Next