Captive Portal for Compliance Failure

FortiOS 6.2 replaces the endpoint compliance profile with the EMS connector. FortiGate supports a customizable captive portal to direct users to install or enable the required software.

FortiOS supports per-policy custom disclaimers. For example, you may want to configure three firewall policies, each of which matches traffic from endpoints with a different FortiClient status:

Endpoint status: Endpoint does not have FortiClient installed.
FortiOS behavior: Traffic matches a firewall policy that displays an in-browser warning to install FortiClient from the provided link.

Endpoint status: Endpoint has FortiClient installed, registered to EMS, and connected to the FortiGate.
FortiOS behavior: Traffic matches a dynamic firewall policy that allows the endpoint to reach its destination.

Endpoint status: Endpoint is deregistered from EMS and disconnected from the FortiGate.
FortiOS behavior: Traffic matches another dynamic firewall policy that displays a warning to register FortiClient to EMS.

To configure this feature in the GUI:
  1. In the FortiOS CLI, run the following commands to enable per-policy disclaimer messages:

    config user setting
        set auth-cert "Fortinet_Factory"
        set per-policy-disclaimer enable
    end

    auth-cert selects the certificate the captive portal presents when the disclaimer page is served over HTTPS. Fortinet_Factory is the built-in factory certificate, which browsers do not trust, so users will see a certificate warning before the disclaimer; in production, select a certificate issued by a CA that your endpoints already trust.

  2. Go to Policy & Objects > IPv4 Policy and select the policy that should match endpoints that do not have FortiClient installed.
  3. Under Disclaimer Options, enable Display Disclaimer.
  4. Enable Customize Messages.
  5. Click Edit Disclaimer Message.
  6. FortiOS displays the default disclaimer message. Edit the disclaimer to warn users to install FortiClient and provide the FortiClient download link. Click Save.
  7. Repeat steps 2-6 for each remaining policy, creating a custom disclaimer for each one as desired.
To configure this feature in the CLI:

config user setting
    set auth-cert "Fortinet_Factory"
    set per-policy-disclaimer enable
end

config firewall policy
    edit 1
        set name "111"
        set uuid c3ad8da0-bd7c-51e8-c0da-fe9053bf35ae
        set srcintf "port12"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "pc155_address"
        set action accept
        set schedule "always"
        set service "ALL"
        set wsso disable
        set groups "ems_03_group"
        set disclaimer enable
        set replacemsg-override-group "test"
        set nat enable
    next
    edit 4
        set name "44"
        set uuid 686ea2ca-348d-51e9-9dca-b2b4b4aabbe2
        set srcintf "port12"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "pc5-address"
        set action accept
        set schedule "always"
        set service "ALL"
        set wsso disable
        set groups "ems_03_group"
        set disclaimer enable
        set replacemsg-override-group "test2"
        set nat enable
    next
    edit 6
        set name "66"
        set uuid f1034e52-36d5-51e9-fbae-da21922ccd10
        set srcintf "port12"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "all"
        set status disable
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
        set block-notification enable
        set replacemsg-override-group "endpoint-override"
    next
end

In this example, policies 1 and 4 are accept policies that display a disclaimer, each with its own replacement message group (test and test2), so each can carry a different message. Policy 6 has no action set and therefore defaults to deny; with block-notification enabled it shows the block page from the endpoint-override replacement message group instead of silently dropping traffic. Note that policy 6 is shown with status disable, so as written it never matches traffic; enable it once the replacement message group contains the message you want users to see.
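The three policies above are easy to misconfigure: per-policy disclaimers only take effect when the global setting is enabled, a disclaimer policy without a replacement message group falls back to the default text, and a disabled policy matches nothing. The following script is an added example, not Fortinet code or part of this page: it parses a FortiOS CLI configuration in the flat config/edit/set/next/end layout shown above and reports those conditions. The configuration it audits is constructed from the CLI block on this page (the uuid lines are omitted); the finding texts and the check names are this example's own.

```python
"""Audit a FortiOS CLI configuration for captive-portal disclaimer settings.

Added example; the parser handles the flat table/entry layout shown on the page
(nested sub-tables inside an edit block are not supported).
"""
import shlex

# Sample configuration, constructed for this example from the page's CLI block.
SAMPLE_CONFIG = """\
config user setting
    set auth-cert "Fortinet_Factory"
    set per-policy-disclaimer enable
end
config firewall policy
    edit 1
        set name "111"
        set srcintf "port12"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "pc155_address"
        set action accept
        set groups "ems_03_group"
        set disclaimer enable
        set replacemsg-override-group "test"
        set nat enable
    next
    edit 4
        set name "44"
        set srcintf "port12"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "pc5-address"
        set action accept
        set groups "ems_03_group"
        set disclaimer enable
        set replacemsg-override-group "test2"
        set nat enable
    next
    edit 6
        set name "66"
        set srcintf "port12"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "all"
        set status disable
        set logtraffic all
        set block-notification enable
        set replacemsg-override-group "endpoint-override"
    next
end
"""


def parse_fortios_config(text):
    """Return {table_name: {entry_id: {attribute: value}}}.

    Attributes set directly under 'config' (tables without 'edit', such as
    'user setting') are stored under the entry id ''. A 'set' with several
    values (e.g. several addresses) is stored as a list, otherwise a string.
    """
    tables = {}
    table = None   # name of the table currently open with 'config'
    entry = None   # attribute dict of the entry currently being filled
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tok = shlex.split(line)        # strips the double quotes around values
        kw = tok[0]
        if kw == "config":
            table = " ".join(tok[1:])
            entry = tables.setdefault(table, {}).setdefault("", {})
        elif kw == "edit":
            entry = tables[table].setdefault(tok[1], {})
        elif kw == "set":
            entry[tok[1]] = tok[2] if len(tok) == 3 else tok[2:]
        elif kw == "unset":
            entry.pop(tok[1], None)
        elif kw == "next":
            entry = tables[table][""]
        elif kw == "end":
            table = entry = None
    return tables


def audit_captive_portal(tables):
    """Return a list of human-readable findings about the disclaimer setup."""
    findings = []
    user = tables.get("user setting", {}).get("", {})
    if user.get("per-policy-disclaimer") != "enable":
        findings.append("user setting: per-policy-disclaimer is not enabled, "
                        "so firewall policies cannot carry their own disclaimer")
    if user.get("auth-cert") == "Fortinet_Factory":
        findings.append("user setting: auth-cert is the factory certificate; "
                        "browsers will warn before showing the portal over HTTPS")
    for pid, pol in tables.get("firewall policy", {}).items():
        if pid == "":
            continue
        if pol.get("status") == "disable":
            findings.append(f"policy {pid}: status disable, it never matches traffic")
        if pol.get("disclaimer") == "enable" and "replacemsg-override-group" not in pol:
            findings.append(f"policy {pid}: disclaimer enabled without a "
                            "replacemsg-override-group, the default message is shown")
    return findings


if __name__ == "__main__":
    for finding in audit_captive_portal(parse_fortios_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the page's configuration the script reports two findings: the factory certificate in user setting and the disabled policy 6. Feed it the output of `show user setting` and `show firewall policy` from a real FortiGate to check a deployment before relying on the portal.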
