Fortinet black logo

Cookbook

Home FortiGate / FortiOS 5.6.0 Cookbook

Configuring Captive Portal and security policies

5.6.0
6.2.16
6.2.15
6.2.14
6.2.13
6.2.12
6.2.11
6.2.10
6.2.9
6.2.8
6.2.7
6.2.6
6.2.5
6.2.4
6.2.3
6.2.2
6.2.0
6.0.0
5.6.0
5.4.0
Copy Link
Copy Doc ID 4d801240-7ccc-11e9-81a4-00505692583a:452213
Download PDF

Configuring Captive Portal and security policies

  1. On the FortiGate, go to Network > Interfaces and edit the internal interface.

    Under Admission Control, set Security Mode to Captive Portal.

    Set Authentication Portal to External, and enter the SAML authentication portal URL.

    Set User Access to Restricted to Groups, and set User Groups to any local group. As the FSSO group is not available, you cannot use this local group for access.

  2. Go to Policy & Objects > Addresses and add the FortiAuthenticator as an address object.

  3. Create the following FQDN objects:
    • www.googleapis.com
    • accounts.google.com
    • ssl-gstatic.com
    • fonts.gstatic.com
    • www.gstatic.com
  4. Add the following Google subnets:
    • 172.217.9.0/24
    • 216.58.192.0/19
  5. Create an address group, adding all created objects as members (in this example, g.suite-bypass).
  6. Go to Policy & Objects > IPv4 Policy and create the policies in these examples:
    • A policy for DNS.
    • A policy for access from FortiAuthenticator.
    • A policy for G Suite bypass.
    • A policy for FSSO, including the SAML user group.

  7. When finished, right-click each policy except the FSSO policy, select Edit in CLI, and enter the following commands for each policy except the FSSO policy:

    set captive-portal-exempt enable

    next

    end

    This command exempts users of these policies from the captive portal interface.

Previous
Next

Configuring Captive Portal and security policies

  1. On the FortiGate, go to Network > Interfaces and edit the internal interface.

    Under Admission Control, set Security Mode to Captive Portal.

    Set Authentication Portal to External, and enter the SAML authentication portal URL.

    Set User Access to Restricted to Groups, and set User Groups to any local group. As the FSSO group is not available, you cannot use this local group for access.

  2. Go to Policy & Objects > Addresses and add the FortiAuthenticator as an address object.

  3. Create the following FQDN objects:
    • www.googleapis.com
    • accounts.google.com
    • ssl-gstatic.com
    • fonts.gstatic.com
    • www.gstatic.com
  4. Add the following Google subnets:
    • 172.217.9.0/24
    • 216.58.192.0/19
  5. Create an address group, adding all created objects as members (in this example, g.suite-bypass).
  6. Go to Policy & Objects > IPv4 Policy and create the policies in these examples:
    • A policy for DNS.
    • A policy for access from FortiAuthenticator.
    • A policy for G Suite bypass.
    • A policy for FSSO, including the SAML user group.

  7. When finished, right-click each policy except the FSSO policy, select Edit in CLI, and enter the following commands for each policy except the FSSO policy:

    set captive-portal-exempt enable

    next

    end

    This command exempts users of these policies from the captive portal interface.

Previous
Next