FortiGate
rmetzger, Staff
Article Id 198703

Description


This article describes how to configure a disclaimer page at the firewall policy level.
The disclaimer is shown the first time a user connects, and the user has to accept it to get internet access.

 

Scope

 

FortiGate.

Solution


The goal is to present a disclaimer page for users connected behind port2 (Guest Network) whenever these users want to access the internet (routed via port1).

A default disclaimer page already exists on the FortiGate and can be edited as needed.


This can be done via the GUI:
Go to System -> Replacement Messages -> Extended View -> Authentication -> Disclaimer Page

 

The second step is to enable the disclaimer at the policy level.
Either create a new policy or find the ID of the existing policy that allows traffic from the Guest Network to the internet.
In this example, a simple policy with NAT allows traffic from port2 (Guest) to port1 (Internet):

 

If the ID column is not displayed in the policy table, it can be enabled from the table's column settings.

 
 
 

 
Once the policy ID is known (ID 2 in this example), enable the disclaimer on it via the CLI:

config firewall policy
    edit 2
        set disclaimer enable
    next
end
 
Once this is done, users behind port2 will have to accept the disclaimer in order to get further internet access.
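For reference, here is the complete policy of this example written out in the CLI. This is an added example, not configuration taken from the article: the policy name "Guest-to-Internet", the use of "all" for source and destination addresses and "ALL" for the service, and the policy ID 2 are assumptions and should be replaced with the values of the policy that actually carries the guest traffic. On firmware where `set disclaimer` offers additional values, `set disclaimer ?` in the policy context lists them.

```fortios
config firewall policy
    edit 2
        set name "Guest-to-Internet"
        set srcintf "port2"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set disclaimer enable
    next
end
```

Only the last line differs from an ordinary NAT policy; the rest is shown so that the policy can be recreated from scratch if no matching policy exists yet.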

Running a debug flow shows what happens in the background (the filter on the client address and on port 443 limits the trace to the HTTPS attempt):

diagnose debug enable
diagnose debug flow filter addr 192.168.3.2
diagnose debug flow filter port 443
diagnose debug flow trace start 20
id=20085 trace_id=81 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 192.168.3.2:51467->34.211.15.72:443) from port2. flag [S], seq 3361246429, ack 0, win 64240"
id=20085 trace_id=81 func=init_ip_session_common line=5654 msg="allocate a new session-000089a5"
id=20085 trace_id=81 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-192.168.174.254 via port1"
id=20085 trace_id=81 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=82 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 34.211.15.72:443->192.168.3.2:51467) from local. flag [S.], seq 3893514304, ack 3361246430, win 42340"


The keyword "from local" on the SYN-ACK shows that this reply was generated by the FortiGate itself, not received from the web server: the FortiGate impersonates the server so that it can answer the client's request with the disclaimer page instead. Because the intercepted connection is HTTPS (port 443), the client only sees the disclaimer without a certificate warning if it trusts the certificate the FortiGate presents for the portal.
After the user has accepted the disclaimer, they can browse the internet, and their IP address is listed under Monitor -> Firewall User Monitor.
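To make the "from local" check repeatable on longer traces, the following Python script parses debug flow output of the form shown above and reports, per client connection, whether the SYN-ACK came "from local" (answered by the FortiGate for the disclaimer) or from an egress interface such as port1 (forwarded from the real server). This is an added example and not part of the article: the trace_id 81/82 lines are the article's own, while the trace_id 91/92 lines are constructed for this example to show the non-intercepted case.

```python
import re

# Sample debug flow output. The trace_id 81/82 lines are quoted from the article;
# the trace_id 91/92 lines are constructed for this example and show a SYN-ACK
# that arrives from port1 (the real server) instead of "from local".
SAMPLE_TRACE = """\
id=20085 trace_id=81 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 192.168.3.2:51467->34.211.15.72:443) from port2. flag [S], seq 3361246429, ack 0, win 64240"
id=20085 trace_id=81 func=init_ip_session_common line=5654 msg="allocate a new session-000089a5"
id=20085 trace_id=81 func=vf_ip_route_input_common line=2591 msg="find a route: flag=04000000 gw-192.168.174.254 via port1"
id=20085 trace_id=81 func=av_receive line=301 msg="send to application layer"
id=20085 trace_id=82 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 34.211.15.72:443->192.168.3.2:51467) from local. flag [S.], seq 3893514304, ack 3361246430, win 42340"
id=20085 trace_id=91 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 192.168.3.2:51500->34.211.15.72:443) from port2. flag [S], seq 1000, ack 0, win 64240"
id=20085 trace_id=91 func=init_ip_session_common line=5654 msg="allocate a new session-000089b0"
id=20085 trace_id=92 func=print_pkt_detail line=5494 msg="vd-root:0 received a packet(proto=6, 34.211.15.72:443->192.168.3.2:51500) from port1. flag [S.], seq 2000, ack 1001, win 42340"
"""

# Matches the packet summary printed by print_pkt_detail: protocol, 4-tuple,
# ingress interface ("port2", "port1" or "local") and TCP flags ("S" = SYN, "S." = SYN-ACK).
PKT_RE = re.compile(
    r"received a packet\(proto=(?P<proto>\d+), "
    r"(?P<src>[\d.]+):(?P<sport>\d+)->(?P<dst>[\d.]+):(?P<dport>\d+)\) "
    r"from (?P<iface>\S+)\. flag \[(?P<flags>[^\]]*)\]"
)


def parse_packets(trace_text):
    """Return one dict per print_pkt_detail line; other debug flow lines are skipped."""
    packets = []
    for line in trace_text.splitlines():
        m = PKT_RE.search(line)
        if m:
            packets.append(m.groupdict())
    return packets


def synack_sources(packets):
    """Map each client flow (src, sport, dst, dport) to the interface its SYN-ACK came from.

    A SYN (flag "S") registers the flow; a SYN-ACK (flag "S.") is keyed by the
    reversed 4-tuple so it can be matched back to the client's SYN. Flows that
    never got a SYN-ACK in the trace map to None.
    """
    sources = {}
    for pkt in packets:
        if pkt["proto"] != "6":
            continue  # only TCP handshakes are of interest here
        if pkt["flags"] == "S":
            sources.setdefault((pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]), None)
        elif pkt["flags"] == "S.":
            key = (pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
            if key in sources:
                sources[key] = pkt["iface"]
    return sources


def intercepted_flows(trace_text):
    """Client flows whose SYN-ACK was generated "from local", i.e. answered by the
    FortiGate itself (disclaimer / captive portal interception) rather than forwarded
    from the real server via an egress interface such as port1."""
    return {flow for flow, iface in synack_sources(parse_packets(trace_text)).items()
            if iface == "local"}


if __name__ == "__main__":
    for flow, iface in synack_sources(parse_packets(SAMPLE_TRACE)).items():
        if iface is None:
            verdict = "no SYN-ACK seen in trace"
        elif iface == "local":
            verdict = "intercepted by FortiGate (disclaimer)"
        else:
            verdict = f"answered by server via {iface}"
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}: {verdict}")
```

Run it against a saved trace by replacing SAMPLE_TRACE with the file contents; a flow reported as intercepted after the disclaimer has been disabled points at an interface-level captive portal still being active rather than at the policy setting.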

 

To disable the disclaimer page, first disable it on the policy:

config firewall policy
    edit 2
        set disclaimer disable
    next
end

If users still get the disclaimer page, check the source interface:
 

Go to Network -> Interfaces -> port2 and disable "Security mode" (set it to none). An interface-level captive portal intercepts traffic entering the interface independently of the policy setting, which is why the page keeps appearing after the policy change.

 

Note: when Security mode is enabled on an interface, it allows configuring the authentication portal, user and group access, custom portal messages, exempt sources and destinations/services, and a redirect after the captive portal. If none of these are in use, the option can be disabled.
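The same check from the CLI, as an added example that is not part of the article: `show system interface port2` prints the interface configuration, and a line `set security-mode captive-portal` in that output means the interface-level captive portal is active. If none of the portal options listed above are in use, the second command clears it (the interface name port2 is the one used throughout this example).

```fortios
show system interface port2

config system interface
    edit "port2"
        set security-mode none
    next
end
```

After this change, a new debug flow for the client should show the SYN-ACK arriving from port1 instead of "from local".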

 

 
 
 
