Captive Portal for Compliance Failure
FortiOS 6.2 replaces the endpoint compliance profile with the EMS connector. FortiGate supports a customizable captive portal to direct users to install or enable the required software.
FortiOS supports per-policy custom disclaimers. For example, you may want to configure three firewall policies, each of which matches traffic from endpoints with different FortiClient statuses:
| Endpoint status | FortiOS behavior |
|---|---|
| Endpoint does not have FortiClient installed. | Traffic matches a firewall policy that displays an in-browser warning to install FortiClient from the provided link. |
| Endpoint has FortiClient installed, registered to EMS, and connected to the FortiGate. | Traffic matches a dynamic firewall policy that allows the endpoint to reach its destination via this policy. |
| Endpoint is deregistered from EMS and disconnected from the FortiGate. | Traffic matches another dynamic firewall policy that displays a warning to register FortiClient to EMS. |
To configure this feature in the GUI:
- In the FortiOS CLI, run the following commands to enable per-policy disclaimer messages:
    config user setting
        set auth-cert "Fortinet_Factory"
        set per-policy-disclaimer enable
    end
- Go to Policy & Objects > IPv4 Policy and select the desired policy for when the endpoint does not have FortiClient installed.
- Under Disclaimer Options, enable Display Disclaimer.
- Enable Customize Messages.
- Click Edit Disclaimer Message.
- FortiOS displays the default disclaimer message. Edit the disclaimer to warn users to install FortiClient and provide the FortiClient download link. Click Save.
- Repeat steps 2-6 for each remaining policy, creating a custom disclaimer for each one as needed.
To configure this feature in the CLI:
config user setting
    set auth-cert "Fortinet_Factory"
    set per-policy-disclaimer enable
end
config firewall policy
    edit 1
        set name "111"
        set uuid c3ad8da0-bd7c-51e8-c0da-fe9053bf35ae
        set srcintf "port12"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "pc155_address"
        set action accept
        set schedule "always"
        set service "ALL"
        set wsso disable
        set groups "ems_03_group"
        set disclaimer enable
        set replacemsg-override-group "test"
        set nat enable
    next
    edit 4
        set name "44"
        set uuid 686ea2ca-348d-51e9-9dca-b2b4b4aabbe2
        set srcintf "port12"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "pc5-address"
        set action accept
        set schedule "always"
        set service "ALL"
        set wsso disable
        set groups "ems_03_group"
        set disclaimer enable
        set replacemsg-override-group "test2"
        set nat enable
    next
    edit 6
        set name "66"
        set uuid f1034e52-36d5-51e9-fbae-da21922ccd10
        set srcintf "port12"
        set dstintf "port11"
        set srcaddr "all"
        set dstaddr "all"
        set status disable
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set fsso disable
        set block-notification enable
        set replacemsg-override-group "endpoint-override"
    next
end
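As an added audit check (not part of the FortiOS documentation or any Fortinet tool), the following Python parses the flat config/edit/set/next/end layout shown above and verifies the per-policy disclaimer setup: the global per-policy-disclaimer must be enabled, and a policy that carries a replacemsg-override-group should itself be enabled and have disclaimer or block-notification switched on, otherwise its custom page is never shown. The parser, the audit rules and the trimmed sample config are assumptions constructed for this example.

```python
# Constructed sample, trimmed from the FortiOS CLI on this page (policy 4 omitted).
SAMPLE_CONFIG = """\
config user setting
    set per-policy-disclaimer enable
end
config firewall policy
    edit 1
        set disclaimer enable
        set replacemsg-override-group "test"
    next
    edit 6
        set status disable
        set block-notification enable
        set replacemsg-override-group "endpoint-override"
    next
end
"""

def parse_fortios(text):
    """Parse flat FortiOS config/edit/set/next/end blocks into
    {section: {entry: {key: value}}}; a section without 'edit' entries
    (e.g. 'user setting') keeps its settings under entry ''. No nested config."""
    tree, section, entry = {}, None, ""
    for words in filter(None, (line.split() for line in text.splitlines())):
        cmd, args = words[0], [w.strip('"') for w in words[1:]]
        if cmd == "config":
            section, entry = " ".join(args), ""
            tree.setdefault(section, {})[entry] = {}
        elif cmd == "edit":
            entry = args[0]
            tree[section][entry] = {}
        elif cmd == "set":
            tree[section][entry][args[0]] = " ".join(args[1:])
        elif cmd == "next":
            entry = ""
    return tree

def audit_disclaimers(text):
    """Flag setups where a custom disclaimer/block page would never be shown."""
    cfg, findings = parse_fortios(text), []
    if cfg.get("user setting", {}).get("", {}).get("per-policy-disclaimer") != "enable":
        findings.append("global: per-policy-disclaimer is not enabled")
    for pid, pol in cfg.get("firewall policy", {}).items():
        if pid == "" or "replacemsg-override-group" not in pol:
            continue
        if pol.get("status") == "disable":
            findings.append(f"policy {pid}: disabled, so its override group is never shown")
        if pol.get("disclaimer") != "enable" and pol.get("block-notification") != "enable":
            findings.append(f"policy {pid}: override group set but no disclaimer or block page enabled")
    return findings
```

Running audit_disclaimers(SAMPLE_CONFIG) reports only policy 6, which is disabled in the sample just as it is in the configuration above.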