Note: Your Cloudi-Fi Guest SSID should already be configured before you apply the following procedure.

If you have not configured your Cloudi-Fi Guest SSID yet, please follow this article: Fortigate integration

1) Enable HTTPS Redirection

Connect to the Fortigate GUI.

Open the CLI console and run the following commands:

config user setting
set auth-secure-http enable
end

2) Configure a FQDN for your Fortigate

You will now configure a FQDN for your Fortigate.

As a result, the guest user will be redirected to this FQDN instead of being redirected to the Fortigate IP address.

This also means that you must provide or purchase a public certificate for this FQDN in order to avoid a certificate warning on the guest's device.

Finally, the Cloudi-Fi Support team can provide you with a Cloudi-Fi certificate to make this easier for you.

This certificate should be renewed every year, after certificate expiration.

Still in the CLI console, run the following commands:

config firewall auth-portal
set portal-addr "guest.3wi.fi"
end

Note that guest.3wi.fi is a domain name owned by Cloudi-Fi. You can use this FQDN if you decide to use the Cloudi-Fi public certificate.

If you prefer to use your own domain and certificate, replace guest.3wi.fi with your domain.

3) Install the public certificate

Go to User & Devices > Authentication Settings > Certificate > Create:

  • Add the certificate file

  • Add the private key file

  • Provide a password to protect your certificate

  • Provide a name for this object

Then select this certificate and click Apply.

4) Configure a DNS Rewrite rule

The domain you configured above is a public domain with a public certificate, but it must direct the guest locally to your Fortigate interface IP address, and this IP address can differ from one SSID or Fortigate to another.

Because of this, you have to create a DNS rewrite rule that replaces the IP address publicly resolved for your FQDN with a local address of the Fortigate.

Go to Security Profiles > DNS Filter > Enable DNS Translation and create a DNS Translation rule.

Example:

  • FQDN: guest.3wi.fi

  • Original IP Address (resolved by public DNS): 188.165.61.82

  • Translated IP Address (local IP Address of Fortigate interface): 10.0.0.1

  • Netmask: 255.255.255.255

5) Enable the DNS Filter in the Security Policy

To activate the DNS translation created above, go to your security policy.

Edit the rule that allows DNS traffic from your Guest network to the DNS server.

Enable the DNS Filter security feature.
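
A check you can run from a client on the guest network once the five steps are done, as an added example (not Cloudi-Fi or Fortinet code): it confirms that the FQDN resolves to the Fortigate's local address and that the certificate covers the FQDN and is not close to expiry. The function names and the 30-day warning threshold are assumptions, the sample certificate is constructed from the article's example values, and the portal port is supplied by the caller because the article does not state it.

```python
import socket
import ssl
import time

RENEW_WARN_DAYS = 30  # assumed warning threshold, not from the article

# Constructed sample in the format returned by SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subjectAltName": (("DNS", "guest.3wi.fi"),),
    "notAfter": "Jun  1 12:00:00 2030 GMT",
}

def name_matches(fqdn, pattern):
    """Exact match, or a wildcard covering exactly one left-most label."""
    fqdn, pattern = fqdn.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in fqdn and fqdn.split(".", 1)[1] == pattern[2:]
    return fqdn == pattern

def check_portal(fqdn, local_ip, resolved_ips, cert, now=None):
    """Return a list of problems; an empty list means no guest-side warning."""
    now = time.time() if now is None else now
    problems = []
    # Step 4/5: guests must receive the translated (local) address only.
    if set(resolved_ips) != {local_ip}:
        problems.append(f"DNS translation not applied: {fqdn} -> {sorted(resolved_ips)}")
    # Step 2/3: the installed certificate must cover the portal FQDN.
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(name_matches(fqdn, s) for s in sans):
        problems.append(f"certificate does not cover {fqdn}: {sans}")
    days_left = (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400
    if days_left < 0:
        problems.append("certificate expired")
    elif days_left < RENEW_WARN_DAYS:
        problems.append(f"certificate expires in {int(days_left)} days")
    return problems

def probe(fqdn, port):
    """Live lookup from a guest client: resolved IPv4 addresses and peer cert.
    The handshake itself raises ssl.SSLCertVerificationError if the chain,
    name or validity dates are already invalid."""
    ips = {ai[4][0] for ai in socket.getaddrinfo(fqdn, port, socket.AF_INET, socket.SOCK_STREAM)}
    ctx = ssl.create_default_context()
    with socket.create_connection((fqdn, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            return ips, tls.getpeercert()
```

On a guest client, pass the result of `probe(fqdn, port)` together with the Fortigate interface address to `check_portal`; a non-empty list names the step to revisit.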
