This article describes how to install a custom SSL certificate on your FortiGate firewall to avoid HTTPS warnings on the guest captive portal.
Prerequisites
Before starting, ensure that you have the following prerequisites:
- Your Cloudi-FI Guest SSID/Subnet should already be configured before you apply the following procedure. If you haven't configured your Cloudi-FI Guest SSID yet, please follow this article: FortiGate integration.
- A dedicated SSL certificate has to be issued
1. Install the public certificate
Go to System > Certificate > Create/Import > Certificate > Import Certificate > Certificate, then:
- Add the certificate file
- Add the private key file
- Provide a password to protect your certificate (for instance: cloudifi)
- Provide a Name for this object
Then select this certificate and click Apply.
Sometimes you will also have to import the intermediate certificate(s): go to System > Certificate > Create/Import > CA Certificate, add the certificate file and click OK.
2. Enable HTTPS Redirection
Connect to the FortiGate GUI, open the CLI console and run the following commands:
config user setting
set auth-secure-http enable
set auth-cert "your_certificate_name"
end
3. Configure an FQDN for your FortiGate
Connect to the FortiGate GUI, go to Policy & Objects > Addresses > Create New Address and fill in:
- Name
- Interface: any
- Type: FQDN
- FQDN (for instance guest.poc.cloudi-fi.net)
This will result in the guest user being redirected to this FQDN instead of the Fortigate IP Address.
This also implies that you must provide/purchase a public certificate for this FQDN to avoid a certificate warning on the guest’s device.
Then, connect to the FortiGate GUI, open the CLI console and run the following commands:
config firewall auth-portal
set portal-addr "your_fqdn"
end
Then go to User & Authentication > Authentication Settings and set:
- Captive portal type: FQDN
- Captive portal (Enabled): select your FQDN
- Authenticated timeout: 5 minutes
- Protocol support: HTTP, HTTPS
- HTTP redirect: Enabled
- Certificate: select the certificate imported in Step 1 (Install the public certificate)
Note that guest.poc.cloudi-fi.net is a domain name owned by Cloudi-Fi. You can use this FQDN if you use the Cloudi-Fi public certificate. If you prefer to use your own domain and certificate, replace them with yours.
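Before importing the certificate in Step 1, it is worth checking that the key matches it, that it covers the portal FQDN from Step 3 and that it chains to the intermediates you will import as CA certificates. The script below is an added example using openssl, not part of the original article or of Cloudi-Fi's tooling; the file names, the unencrypted key and the 30-day expiry margin are assumptions.

```shell
#!/bin/sh
# check_portal_cert CERT.pem KEY.pem CHAIN.pem FQDN
#   CERT.pem  leaf certificate to import (Step 1)
#   KEY.pem   its private key (unencrypted here; add -passin for an encrypted key)
#   CHAIN.pem intermediate/CA certificate(s) to import as CA Certificate
#   FQDN      captive portal FQDN configured in Step 3, e.g. guest.poc.cloudi-fi.net
check_portal_cert() {
  cert=$1
  key=$2
  chain=$3
  fqdn=$4
  rc=0

  # 1. The private key must belong to this certificate: compare the public keys.
  cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
  key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
  if [ "$cert_pub" != "$key_pub" ]; then
    echo "FAIL: private key does not match certificate"
    rc=1
  fi

  # 2. The certificate must be valid for the portal FQDN (SAN, or CN if no SAN),
  #    otherwise guests still get a warning after the HTTPS redirect.
  if ! openssl x509 -in "$cert" -noout -checkhost "$fqdn" | grep -q " does match"; then
    echo "FAIL: certificate is not valid for $fqdn"
    rc=1
  fi

  # 3. It must not expire within the next 30 days (2592000 seconds).
  if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null; then
    echo "FAIL: certificate expires within 30 days"
    rc=1
  fi

  # 4. The leaf must validate against the chain you import as CA certificate(s).
  if ! openssl verify -CAfile "$chain" "$cert" >/dev/null 2>&1; then
    echo "FAIL: certificate does not validate against the supplied chain"
    rc=1
  fi

  if [ "$rc" -eq 0 ]; then
    echo "OK: $cert is ready to import for $fqdn"
  fi
  return "$rc"
}
```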
4. Local DNS Record
Go to Network > DNS Servers to configure the DNS database server with static DNS entries.
You may need to activate the feature in:
System > Feature Visibility > Additional Features > DNS Database.
First, create a DNS Service on Interface:
- Interface: interface where the guest users will be connecting
- Mode: Recursive
Then, create a DNS Database:
DNS Zone
- DNS Zone: name your Zone
- Domain name: same as the FQDN configured in Step 3 (Configure an FQDN for your FortiGate)
- Hostname of Primary DNS: dns
Within this DNS database, create the DNS static entry as shown below:
- Type: Address (A)
- Hostname: for instance guest
- IP Address: IP of internal interface where the guest users will be connecting
Save the DNS settings.
The next step is to edit the DHCP configuration on the Guest interface. For the DNS server handed out to clients, you can choose between the IP address of your interface or a public IP address.
The users behind this Guest SSID will get an IP from this DHCP range and will be able to resolve the static DNS entry in the DNS database, for instance:
nslookup guest.poc.cloudi-fi.net
Server: Unknown
Address: 192.168.28.1
What's next?
You can visit our Fortinet partner page here for more information about our solutions
More details about Cloudi-Fi Captive portal solutions
More details about Cloud-Fi SD Wan Solutions