Implementing email harvesting
The customer’s first contact with your network will be with a captive portal which presents a web page requesting an email address. When FortiOS has validated the email address, the customer’s device MAC address is added to the Collected Emails device group.
You need to configure a device policy that allows traffic to flow from the WiFi SSID to the Internet interface. Within that policy, you need an authentication rule to allow members of the Collected Emails device group to access the Internet. This rule must be listed first. Unknown devices are not members of the Collected Emails device group, so they don’t match the rule.
You also need to select Prompt E-mail Collection Portal for all devices.
To create the device policy
1. Go to Policy > Policy > Policy and select Create New.
2. Enter the following information:
Policy Type | Firewall |
Policy Subtype | Device Identity |
Incoming Interface | wifi |
Source Address | all |
Outgoing Interface | wan1 |
Enable NAT | Enable |
You are now ready to create the authentication rule.
To create the authentication rule - web-based manager
1. In Configure Authentication Rules, select Create New and enter:
Destination Address | all |
Device | Collected Emails |
Compliant with Endpoint Profile | not selected |
Schedule | always |
Service | ALL |
Action | ACCEPT |
2. Select OK.
3. If asked, confirm that you accept that FortiOS will enable device identification on the source interface.
4. In Device Policy Options, select Prompt E-mail Collection Portal for all devices.
5. Optionally, customize authentication messages.
6. Select OK to complete configuration of the security policy.
To create the authentication rule - CLI
config firewall policy
    edit 3
        set srcintf "wifi"
        set dstintf "wan1"
        set srcaddr "all"
        set action accept
        set email-collection-portal enable
        set identity-based enable
        set identity-from device
        set nat enable
        config identity-based-policy
            edit 1
                set schedule "always"
                set dstaddr "all"
                set service "ALL"
                set devices "collected-emails"
            end
    end
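The following Python check is an added example, not part of the original FortiOS documentation. It parses a policy in the CLI form shown above and reports when the email collection portal is disabled, identity is not taken from the device, or the first authentication rule does not match the collected-emails group. The function names and the trimmed SAMPLE text are constructed for illustration.

```python
import shlex

# Constructed sample: a trimmed copy of this page's policy in CLI form.
SAMPLE = """
config firewall policy
    edit 3
        set srcintf "wifi"
        set dstintf "wan1"
        set email-collection-portal enable
        set identity-based enable
        set identity-from device
        config identity-based-policy
            edit 1
                set devices "collected-emails"
            end
    end
"""

def parse(text):
    """Parse config/edit/set/next/end lines into nested dicts."""
    root = {}
    stack = [("root", root)]
    for line in text.splitlines():
        tok = shlex.split(line)
        if not tok:
            continue
        if tok[0] in ("config", "edit"):
            node = {}
            stack[-1][1][" ".join(tok[1:])] = node
            stack.append((tok[0], node))
        elif tok[0] == "set":
            stack[-1][1][tok[1]] = tok[2:]
        elif tok[0] == "next":
            stack.pop()
        elif tok[0] == "end":
            if stack[-1][0] == "edit":  # "end" inside an entry also closes it
                stack.pop()
            stack.pop()
    return root

def audit(policy):
    """Return findings for one parsed firewall policy entry."""
    findings = []
    if policy.get("email-collection-portal") != ["enable"]:
        findings.append("email-collection-portal not enabled")
    if policy.get("identity-from") != ["device"]:
        findings.append("identity-from is not device")
    rules = list(policy.get("identity-based-policy", {}).values())
    if not rules or rules[0].get("devices") != ["collected-emails"]:
        findings.append("first rule does not match collected-emails")
    return findings

def audit_text(text):
    """Audit every entry under 'config firewall policy', keyed by policy ID."""
    return {pid: audit(p) for pid, p in parse(text)["firewall policy"].items()}
```

An empty findings list for a policy ID means the three settings this page depends on are present and the Collected Emails rule is listed first.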