FortiGate
Markus_M (Staff)
Article Id 197111

Description
This article explains how to add a captive portal security exempt list in addition to the captive-portal-exempt setting on a firewall policy.

A common use case is an environment where only specific address groups or services should pass through an interface that otherwise requires the client to authenticate to the firewall.

Related KB:
Technical Note: How to enable Captive Portal Exemption on interfaces

Documentation:
Captive portals on the help page


Solution
This feature requires the CLI-only setting "captive-portal-exempt" to be enabled on the specific firewall policy.

Verify this first, because the setting is not enabled automatically:

#show firewall policy <id of the policy>

The output should look like this, for example:

fortigate.forti.lab # show firewall policy 3

config firewall policy
    edit 3
        set srcintf "Guests"
        set dstintf "dmz"
        set srcaddr "10.0.0.0/16"
        set dstaddr "fortiauthenticator.forti.lab"
        set action accept
        set schedule "always"
        set service "HTTPS" "ALL_ICMP"
        set captive-portal-exempt enable
    next
end
This example allows traffic from a client on the captive portal interface to the DMZ without authentication (from the address object "10.0.0.0/16" to https://fortiauthenticator.forti.lab:443).

It is now possible to add an exemption list of services and addresses that can reach resources without the portal disclaimer or authentication. The exemption list acts as a filter on the traffic the policy already exempts.
This setting is available in the Web UI and the CLI once the interface's Security Mode has been set to 'Captive Portal'.

On the CLI, the security exempt list is best shown with an example:
#config user security-exempt-list
    edit "Guests-exempt-list"
        config rule
            edit 1
                set dstaddr "DMZ_servers"
            next
            edit 2
                set service "ALL_ICMP"
            next
            edit 3
                set service "HTTPS"
            next
        end
    next
end
The security-exempt-list then needs to be referenced in the interface settings, so that the interface looks as follows:
#config system interface
    edit "Guests"
        set vdom "root"
        set ip 10.0.0.1 255.255.0.0
        set type physical
        set security-mode captive-portal
        set security-external-web "https://fortiauthenticator/forti.lab/guests"
        set role lan
        set security-exempt-list "Guests-exempt-list"
        set security-groups "Guest_users"
        set snmp-index 2
    next
end
On the Web UI it looks this way (screenshot of the interface settings not reproduced here).
Keep in mind that this exemption list is additional to captive-portal-exempt on the firewall policy. It does not replace it, but acts as a filter on that exemption: it narrows which of the policy's traffic bypasses authentication, and without a policy that has captive-portal-exempt enabled the list has nothing to filter.
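Because the list only filters an exemption that the policy has to grant first, a misconfiguration is easy to miss when reviewing a config backup: a list referenced by name that does not exist, a list attached to an interface whose policies never set captive-portal-exempt, or captive-portal-exempt set on a policy whose source interface is not in captive-portal mode. The following Python script is an added example, not Fortinet code or an official tool. It contains a minimal parser for the config/edit/set/next/end structure shown in this article and runs those three checks over a constructed sample configuration (the article's policy 3, interface "Guests" and "Guests-exempt-list", plus a policy 4 and an interface "Guests2" that are deliberately mis-wired). The finding texts and the "Typo-list" and "lan" names are assumptions made for the demo.

```python
# Added example, not Fortinet code: a minimal parser for the FortiOS CLI
# structure shown in this article plus an audit of how captive-portal-exempt
# and security-exempt-list interlock. Only config/edit/set/next/end are parsed.
import shlex

# Constructed sample: the article's policy 3, interface "Guests" and exempt list,
# plus two deliberately mis-wired objects (policy 4 and interface "Guests2").
SAMPLE_CONFIG = """
config firewall policy
    edit 3
        set srcintf "Guests"
        set dstintf "dmz"
        set service "HTTPS" "ALL_ICMP"
        set captive-portal-exempt enable
    next
    edit 4
        set srcintf "lan"
        set captive-portal-exempt enable
    next
end
config user security-exempt-list
    edit "Guests-exempt-list"
        config rule
            edit 1
                set dstaddr "DMZ_servers"
            next
            edit 2
                set service "ALL_ICMP"
            next
        end
    next
end
config system interface
    edit "Guests"
        set security-mode captive-portal
        set security-exempt-list "Guests-exempt-list"
    next
    edit "Guests2"
        set security-mode captive-portal
        set security-exempt-list "Typo-list"
    next
end
"""


def parse_fortios(text):
    # Returns nested dicts, e.g. {"firewall policy": {"3": {"srcintf": ["Guests"]}}}.
    # A 'config' block inside an 'edit' becomes a sub-table under its own name.
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):  # CLI prompt ('#config ...') or a real comment
            body = line[1:].lstrip()
            if body.split(" ", 1)[0] not in ("config", "edit", "set"):
                continue
            line = body
        if not line:
            continue
        cmd, *args = shlex.split(line)
        if cmd == "config":
            stack.append(stack[-1].setdefault(" ".join(args), {}))
        elif cmd == "edit":
            stack.append(stack[-1].setdefault(args[0], {}))
        elif cmd == "set":
            stack[-1][args[0]] = args[1:]
        elif cmd in ("next", "end"):
            stack.pop()
    return root


def audit_captive_portal(cfg):
    # Findings about the three ways the exemption wiring can be inconsistent.
    findings = []
    ifaces = cfg.get("system interface", {})
    policies = cfg.get("firewall policy", {})
    lists = cfg.get("user security-exempt-list", {})
    cp_ifaces = {n for n, i in ifaces.items()
                 if i.get("security-mode") == ["captive-portal"]}
    for name in sorted(cp_ifaces):
        lst = ifaces[name].get("security-exempt-list", [""])[0]
        exempt_pols = [pid for pid, p in policies.items()
                       if name in p.get("srcintf", [])
                       and p.get("captive-portal-exempt") == ["enable"]]
        if not lst:
            findings.append(f"interface {name}: no security-exempt-list, exempt policies pass unfiltered")
        elif lst not in lists:
            findings.append(f"interface {name}: security-exempt-list '{lst}' is not defined")
        if lst and not exempt_pols:
            findings.append(f"interface {name}: list '{lst}' has nothing to filter, no policy sets captive-portal-exempt")
    for pid, p in policies.items():
        if p.get("captive-portal-exempt") == ["enable"]:
            other = [s for s in p.get("srcintf", []) if s not in cp_ifaces]
            if other:
                findings.append(f"policy {pid}: captive-portal-exempt set but srcintf {other} is not in captive-portal mode")
    return findings


if __name__ == "__main__":
    for finding in audit_captive_portal(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a `show full-configuration` export (or the three `show` outputs above) pasted into a file instead of `SAMPLE_CONFIG`; the lines for "Guests" and policy 3 produce no findings, while "Guests2" and policy 4 each trigger one of the checks.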
To learn more about Captive Portals, please check the related articles.