Technical Tip: Using secure authentication (HTTPS) on a FortiGate and redirecting the authentication page
Products
FortiGate v4.0
FortiGate v5.0
FortiGate v5.2
Description
When enabling Authentication (and/or Disclaimer) on a Firewall Policy, the FortiGate offers the option to redirect an HTTP authentication page to a Secure Channel (HTTPS).

In this scenario, the authentication page is redirected to a new HTTPS port and to the ingress FortiGate IP address.

The process will be the following:

[ USER ]  ---- network ----- port1 [ FortiGate ] -- Resources

1 --------> User traffic hits a Firewall Policy with authentication and HTTPS redirect.
2 <-------  Redirect with HTTPS port and IP address of port1.
3 --------> Authentication.
4 --------> Access to initial page requested .


In some instances, the FortiGate could be behind another router using a VIP, hence not reachable directly, or the administrator could want an FQDN name to be sent in place of an IP address

The network could now be the following :

[ USER DEVICE ]  ---- Internet -----[ Router] ---- port1 [ FortiGate ] -- Resources
                                                                             (private IP)

In this case, the solution is to change the redirection information.

a) By giving a DNS entry (that the FortiGate AND the user's device must be able to resolve).

config firewall policy
    edit <my_policy_ID>
        set auth-redirect-addr "my.fortigate.com"
    next
end
In this first  case, the URL that the user's browser will see is :  https://my.fortigate.com:1003/
Note that
the URL, such as the example "my.fortigate.com", is not an external server, but points back to the Fortigate.
This should be configured in the DNS server, or locally.

b) By specifying an IP address directly.


config firewall policy
    edit <my_policy_ID>
        set auth-redirect-addr "the_public_Virtual_IP"
    next
end
Reminder : The HTTPS redirect function and port can be configured from the following CLI commands:

config user setting
    set auth-secure-http enable  (default = disable)
end

config system global
    set auth-https-port 1442 (default = 1003)
end
In the case where you want to configure a different presented certificate, the parameter is :

config user setting
set auth-cert <auth-cert>
set auth-ca-cert <auth-ca-cert>

In this case, auth-cert must be signed by auth-ca-cert in order to not trigger the untrusted certificate error, and the auth-ca-cert must be added to the browser.
Also, the CA certificate used in the user setting should be the same used in the ssl-inspection profile.

For further information about authentication, please consult the "User Authentication User Guide" and the "Fortinet CLI guide" which may be found at http://docs.fortinet.com.
Scope
HTTP and HTTPS authentication.
Last Modified Date: 09-01-2015 Document ID: FD30760