Retail environment guest access
Businesses such as coffee shops provide free Internet access for customers. In this scenario, you do not need to configure guest management, as customers can access the WiFi access point without logon credentials.
However, consider that the business wants to contact customers with promotional offers to encourage future patronage. You can configure an email collection portal to collect customer email addresses for this purpose. You can configure a firewall policy to grant network access only to users who provide a valid email address. The first time a customer’s device attempts to connect to the WiFi network, FortiOS requests an email address, which it validates. The customer's subsequent connections go directly to the Internet without interruption.
This configuration consists of the following steps:
Creating an email collection portal
The customer’s first contact with your network is a captive portal that presents a webpage requesting an email address. When FortiOS has validated the email address, the customer’s device MAC address is added to the collected emails device group.
This example modifies the freewifi WiFi interface to present an email collection captive portal.
To configure the freewifi SSID to use an email collection portal in the GUI:
- Enable email collection:
  - Go to System > Feature Visibility.
  - In the Additional Features section, enable Email Collection.
  - Click Apply.
- Edit the freewifi SSID:
  - Go to WiFi & Switch Controller > SSIDs and edit the freewifi SSID.
  - In the Security Mode Settings section, set the Security mode to Captive Portal.
  - Set the Portal type to Email Collection.
  - Click OK.
To configure the freewifi SSID to use an email collection portal in the CLI:
    config wireless-controller vap
        edit freewifi
            set security captive-portal
            set portal-type email-collect
        next
    end
Creating a firewall policy
You must configure a firewall policy that allows traffic to flow from the WiFi SSID to the internet interface only for members of the collected emails device group. This policy must be listed first. Unknown devices are not members of the collected emails device group, so they do not match the policy.
To create a firewall policy:
    config firewall policy
        edit 3
            set srcintf "freewifi"
            set dstintf "wan1"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set nat enable
            set email-collect enable
        next
    end
Checking for collected emails
When a WiFi user connects to the freewifi SSID, they are presented with a captive portal to enter their email address.
Once the user enters their email and clicks Continue, they will have access to the Internet. The collected emails can be verified in FortiOS.
To check for collected emails in the GUI:
- Go to Dashboard > Users & Devices and click Add Widget.
- In the User & Authentication section, select Collected Email and click Add Widget.
- Click Close.
- Click the Collected Email widget to expand it to full view. The list of emails is displayed.
- Optionally, click Export to export the data as a CSV or JSON file.
To check for collected emails in the CLI:
    # diagnose firewall auth mac list
    72:4d:e1:**:**:**, admin@fortinet.com
        type: email, id: 0, duration: 937, idled: 19
        expire: 863980, allow-idle: 864000
        flag(1000): src_idle
        packets: in 4753 out 4592, bytes: in 2662403 out 2458644

    ----- 1 listed, 0 filtered ------
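To audit or export the MAC-to-email mapping from a saved CLI capture, the output can be parsed into records. The following Python parser is an added example, not Fortinet code: the function names and the second sample entry are constructed, and it assumes each entry starts on its own line with one group of fields per line, as in the output above.

```python
import re

# Constructed sample in the layout shown above; the second entry is invented.
SAMPLE = """\
72:4d:e1:**:**:**, admin@fortinet.com
    type: email, id: 0, duration: 937, idled: 19
    expire: 863980, allow-idle: 864000
    flag(1000): src_idle
    packets: in 4753 out 4592, bytes: in 2662403 out 2458644
02:00:00:aa:bb:cc, guest@example.com
    type: email, id: 0, duration: 120, idled: 5
    expire: 863995, allow-idle: 864000
    flag(1000): src_idle
    packets: in 10 out 12, bytes: in 900 out 1100

----- 2 listed, 0 filtered ------
"""

# '*' is accepted in the MAC so masked addresses like the one above still parse.
HEAD = re.compile(r"^([0-9a-fA-F*]{2}(?::[0-9a-fA-F*]{2}){5}),\s*(\S+)\s*$")
FIELD = re.compile(r"([a-z-]+):\s*(\w+)")  # key: value pairs; the flag(...) line is skipped
TRAFFIC = re.compile(r"packets: in (\d+) out (\d+), bytes: in (\d+) out (\d+)")
FOOTER = re.compile(r"^-+\s*(\d+) listed, (\d+) filtered")

def parse_mac_auth_list(text):
    """Return (entries, listed_count) parsed from the diagnose output."""
    entries, listed = [], None
    for line in text.splitlines():
        head, foot = HEAD.match(line), FOOTER.match(line.strip())
        if head:
            entries.append({"mac": head.group(1).lower(), "email": head.group(2)})
        elif foot:
            listed = int(foot.group(1))
        elif entries and (t := TRAFFIC.search(line)):
            keys = ("pkts_in", "pkts_out", "bytes_in", "bytes_out")
            entries[-1].update(zip(keys, map(int, t.groups())))
        elif entries:
            for key, val in FIELD.findall(line):
                entries[-1][key] = int(val) if val.isdigit() else val
    return entries, listed

def rank_by_bytes(text):
    """Parse, verify the footer count, and sort entries by total bytes."""
    entries, listed = parse_mac_auth_list(text)
    if listed is not None and listed != len(entries):
        raise ValueError(f"footer reports {listed} entries, parsed {len(entries)}")
    return sorted(entries, key=lambda e: e.get("bytes_in", 0) + e.get("bytes_out", 0), reverse=True)
```

The footer check catches a truncated or partially pasted capture before the records are used for reporting.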