Note: Your Cloudi-FI Guest SSID should already be configured before you apply the following procedure.
If you have not configured your Cloudi-FI Guest SSID yet, please follow this article first: Fortigate integration
1) Enable HTTPS Redirection
Connect to the Fortigate GUI.
Open the CLI console and run the following commands:
config user setting
set auth-secure-http enable
end
2) Configure a FQDN for your Fortigate
You will now configure a FQDN for your Fortigate.
As a result, the guest user will be redirected to this FQDN instead of being redirected to the Fortigate IP address.
This also implies that you must provide/purchase a public certificate for this FQDN in order to avoid a certificate warning on the guest's device.
Alternatively, the Cloudi-Fi Support team can provide you with a Cloudi-Fi certificate to make this easier for you.
This certificate must be renewed every year, when the certificate expires.
Still from the CLI console, run the following commands:
config firewall auth-portal
set portal-addr "guest.3wi.fi"
end
Note that guest.3wi.fi is a domain name owned by Cloudi-Fi. You could use this FQDN if you decide to use the Cloudi-Fi public certificate.
If you prefer to use your own domain and certificate, replace guest.3wi.fi with your domain.
3) Install the public certificate
Go to User & Devices > Authentication Settings > Certificate > Create:
Add the certificate file
Add the private key file
Provide a password to protect your certificate
Provide a name for this object
Then select this certificate and click Apply.
4) Configure a DNS Rewrite rule
The domain you configured above is a public domain with a public certificate, but it must redirect the guest locally to your Fortigate interface IP address, and this IP address can differ depending on your SSIDs/Fortigates.
Because of this, we have to create a DNS Rewrite rule in order to replace the IP address resolved for your FQDN with a local address of the Fortigate.
Go to Security Profiles > DNS Filter > Enable DNS Translation,
and create a DNS Translation rule:
Original IP Address (resolved by public DNS): 220.127.116.11
Translated IP Address (local IP address of the Fortigate interface): 10.0.0.1
5) Enable the DNS Filter in the Security Policy
In order to activate the DNS translation created above, go to your security policy.
Edit the rule allowing DNS traffic from your Guest network to the DNS server.
Enable the DNS Filter security feature.
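The following script is an added verification aid, not part of this article or of Cloudi-Fi's or Fortinet's tooling. Run from a device on the Guest SSID, it confirms that the DNS Translation rule rewrites guest.3wi.fi to the local interface IP (10.0.0.1 in the example above) and that the certificate served on that address names the FQDN and is not expired or about to expire (it must be renewed yearly). PORTAL_PORT = 443 and the 30-day renewal warning are assumptions; adjust them to your deployment.

```python
import datetime as dt
import socket
import ssl

# Values taken from the procedure above; replace with your own FQDN / interface IP.
PORTAL_FQDN = "guest.3wi.fi"
LOCAL_PORTAL_IP = "10.0.0.1"   # "Translated IP Address" of the DNS Translation rule
PORTAL_PORT = 443              # assumption: use the port your portal redirect actually targets
RENEWAL_WARNING_DAYS = 30      # assumption: the certificate is renewed yearly, warn ahead of expiry


def check_dns_translation(resolved_ip, expected_local_ip=LOCAL_PORTAL_IP):
    """True when the Guest-side resolver returns the local interface IP, i.e. the rewrite works."""
    return resolved_ip == expected_local_ip


def parse_x509_time(text):
    """Parse a 'notAfter' string as ssl.getpeercert() returns it, e.g. 'Mar  1 12:00:00 2025 GMT'."""
    return dt.datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=dt.timezone.utc)


def cert_problems(cert, fqdn=PORTAL_FQDN, now=None, warn_days=RENEWAL_WARNING_DAYS):
    """Check a certificate dict (shape of ssl.SSLSocket.getpeercert()) for the captive portal.
    Returns a list of problems; empty means it names the FQDN, is valid and not close to expiry."""
    now = now or dt.datetime.now(dt.timezone.utc)
    problems = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if fqdn not in sans:
        problems.append(f"certificate does not name {fqdn} (SAN: {sans}); guests will see a warning")
    not_after = parse_x509_time(cert["notAfter"])
    if not_after < now:
        problems.append(f"certificate expired on {not_after:%Y-%m-%d}; renew it")
    elif (not_after - now).days < warn_days:
        problems.append(f"certificate expires on {not_after:%Y-%m-%d}; renew it soon")
    return problems


def live_check(fqdn=PORTAL_FQDN, expected_ip=LOCAL_PORTAL_IP, port=PORTAL_PORT):
    """Run from a device on the Guest SSID: verify the DNS rewrite, then inspect the served certificate."""
    resolved = socket.gethostbyname(fqdn)
    state = "applied" if check_dns_translation(resolved, expected_ip) else "NOT applied"
    print(f"{fqdn} resolves to {resolved}: DNS translation {state}")
    ctx = ssl.create_default_context()  # also validates the chain against the device trust store
    with socket.create_connection((resolved, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=fqdn) as tls:
            return cert_problems(tls.getpeercert(), fqdn)


if __name__ == "__main__":
    for line in live_check() or ["certificate OK"]:
        print(line)
```

If the chain does not validate, wrap_socket raises an SSLError, which is exactly the warning a guest's browser would show.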