1 --------> User traffic hits a Firewall Policy with authentication and HTTPS redirect.
2 <-------- Redirect with HTTPS port and IP address of port1.
3 --------> Authentication.
4 --------> Access to the initially requested page.
In some instances, the FortiGate could be behind another router using a VIP, and hence not reachable directly, or the administrator could want an FQDN to be sent in place of an IP address.
The network could then be the following:
[ USER DEVICE ] ---- Internet -----[ Router] ---- port1 [ FortiGate ] -- Resources (private IP)
In this case, the solution is to change the redirection information.
a) By giving a DNS name (which the FortiGate AND the user's device must both be able to resolve).
config firewall policy
    edit <my_policy_ID>
        set auth-redirect-addr "my.fortigate.com"
    next
end
In this first case, the URL that the user's browser will see is: https://my.fortigate.com:1003/ Note that a name such as "my.fortigate.com" in the example does not refer to an external server but points back to the FortiGate itself. It must therefore be configured on the DNS server, or locally on the devices.
b) By specifying an IP address directly.
config firewall policy
    edit <my_policy_ID>
        set auth-redirect-addr "the_public_Virtual_IP"
    next
end
Reminder: the HTTPS redirect function and its port can be configured with the following CLI commands:
config user setting
    set auth-secure-http enable    (default = disable)
end
config system global
    set auth-https-port 1442    (default = 1003)
end
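The settings above can be checked end to end from the client side: the redirect URL the browser receives must use https, carry the configured auth-https-port, and name a host that resolves to the FortiGate (port1 or the VIP). The following script is an added example, not part of the Fortinet article; the host name, the address 203.0.113.10, the sample DNS table and the 'resolver' hook are constructed for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def check_auth_redirect(location, redirect_addr, https_port=1003,
                        expected_ip=None, resolver=socket.gethostbyname):
    """Compare the redirect URL the client received with the configured values.

    redirect_addr: 'set auth-redirect-addr' (FQDN or IP); https_port:
    'set auth-https-port' (default 1003); expected_ip: the port1 IP or VIP
    the name must resolve to; resolver: name -> IP, swappable for offline use.
    Returns a list of findings; empty means the redirect is consistent.
    """
    findings = []
    url = urlsplit(location)
    if url.scheme != "https":
        findings.append(f"scheme {url.scheme!r}: auth-secure-http enable gives https")
    host = (url.hostname or "").lower()
    if host != redirect_addr.lower():
        findings.append(f"host {host!r} != auth-redirect-addr {redirect_addr!r}")
    port = url.port or 443
    if port != https_port:
        findings.append(f"port {port} != auth-https-port {https_port}")
    if expected_ip is not None and host:
        # Both the FortiGate and the user device must resolve the name to the
        # FortiGate (or its VIP); a name pointing elsewhere breaks the portal.
        try:
            ipaddress.ip_address(host)          # IP literal: nothing to resolve
            resolved = host
        except ValueError:
            try:
                resolved = resolver(host)
            except OSError as exc:
                findings.append(f"{host!r} does not resolve: {exc}")
                return findings
        if resolved != expected_ip:
            findings.append(f"{host!r} -> {resolved}, expected {expected_ip}")
    return findings


# Constructed sample DNS table used instead of live lookups (assumption).
SAMPLE_DNS = {"my.fortigate.com": "203.0.113.10"}


def sample_resolver(name):
    if name not in SAMPLE_DNS:
        raise socket.gaierror(f"no record for {name}")
    return SAMPLE_DNS[name]
```

With the default resolver the same function performs a real lookup from the machine it runs on, which is a quick way to confirm that the user side can resolve the redirect name.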
To present a different certificate, the parameters are:
config user setting
    set auth-cert <auth-cert>
    set auth-ca-cert <auth-ca-cert>
end
In this case, auth-cert must be signed by auth-ca-cert so that the browser does not raise an untrusted certificate error, and auth-ca-cert must be installed in the browser as a trusted CA. The CA certificate used in the user setting should also be the same one used in the ssl-inspection profile.
For further information about authentication, please consult the "User Authentication User Guide" and the "Fortinet CLI guide" which may be found at http://docs.fortinet.com.
HTTP and HTTPS authentication.
Last Modified Date: 09-01-2015 Document ID: FD30760