Skip to content

FortiGate / FortiWiFi

Compatibility

Social WiFi has been tested and is proven to work on the following configurations:

FortiWiFi – wireless interfaces

  • FortiOS version 5.6.0 and above (tested up to 7.6.3)

FortiGate hardware or virtual machine – wired interfaces

  • recommended: FortiOS version 6.2.4 and above (tested up to 7.6.3)
  • FortiOS version 5.6.0 and above work if the captive portal is enabled on a physical interface, VLAN interfaces are not supported below FortiOS 6.2.4

Access the device’s configuration panel

This guide assumes using the web based UI of the controller, which you can access by entering the IP address of the device in your browser. The screenshots are based on firmware v5.6.2.

Alternatively, if your device is managed from FortiCloud, you can access the management UI from there.

RADIUS configuration

Go to User & Authentication → RADIUS Servers → Create New and use the following settings:

NameSocial WiFi
Authentication MethodSpecify
MethodPAP
NAS IPLeave empty
Include in every user groupUnchecked
Primary Server IP/Name35.205.62.147
Primary Server SecretRadius Secret is available in Access Points tab of the Social WiFi Panel
Secondary Server IP/NameLeave empty
Secondary Server SecretLeave empty

26052025-1514.png

Click OK.

Now you need to change the RADIUS port to 31812. Open the CLI Console (top right corner, between “help” and username).

2025-05-26_15-17.png

You will see the terminal pop up. Please copy (ctrl+C) and paste (ctrl+V) or type in the following commands:

config user radius
edit "Social WiFi"
set radius-port 31812
next
end

Click enter, then copy and paste the below.

config user radius
edit "Social WiFi"
config accounting-server
edit 1
set status enable
set server 35.205.62.147
set secret [*your radius secret from the panel*]
set port 31813
next
end
end

2025-05-26_15-24.png

Then close the CLI console by clicking the “x” button in the top right corner.

Remote Group configuration

Go to User & Authentication → User Groups → Create New

2025-05-26_17-20.png

and use the following settings:

NameSocial WiFi - Guest
TypeFirewall
MembersLeave empty

Under Remote Groups, click +Add.

2025-05-26_15-35.png

Select Social WiFi from the Remote Server dropdown list. Make sure that Grups are set to Any. Click OK to proceed.

2025-05-26_15-32_1.png

2025-05-26_15-36.png

Click OK.

Setting the auth-timeout

Open up the console again and enter the following commands:

config user setting
set auth-timeout-type idle-timeout
end
config user group
edit Social\ WiFi\ -\ Guest
set authtimeout 480
end

Where the “set authtimeout 480” is in minutes and you can adjust the value freely. This will make your users have to relogin after not being active in the network for 8 hours.

2023-04-27_16-50.png

Walled Garden configuration

Now we need to add all the services that will be available without logging in. This list includes Social WiFi login page and third-party social login services (like Facebook).

The following guide assumes firmware version 5.6.2, which doesn’t support domains with wildcard (e.g. “*.facebook.com”). Using wildcards was added in firmware 6.2.2, so if you have that version or higher, you may adjust the following steps accordingly.

The suggested way to add all required entries, is to use the console again to copy (ctrl+C) and paste (ctrl+V) the following scripts.

Part 1:

# Social WiFi main service
config firewall address
edit "Social WiFi - main 1"
set type fqdn
set fqdn "login.socialwifi.com"
next
edit "Social WiFi - main 2"
set type fqdn
set fqdn "sw-login.com"
next
end
config firewall addrgrp
edit "Social WiFI - main"
set member "Social WiFi - main 1" "Social WiFi - main 2"
next
end
# Facebook remarketing pixel
config firewall address
edit "Social WiFi - Facebook pixel 1"
set type fqdn
set fqdn "connect.facebook.net"
next
edit "Social WiFi - Facebook pixel 2"
set type fqdn
set fqdn "www.facebook.com"
next
end
config firewall addrgrp
edit "Social WiFI - Facebook pixel"
set member "Social WiFi - Facebook pixel 1" "Social WiFi - Facebook pixel 2"
next
end
# Google remarketing tag
config firewall address
edit "Social WiFi - Google tag 1"
set type fqdn
set fqdn "www.googletagmanager.com"
next
edit "Social WiFi - Google tag 2"
set type fqdn
set fqdn "www.googleadservices.com"
next
edit "Social WiFi - Google tag 3"
set type fqdn
set fqdn "googleads.g.doubleclick.net"
next
end
config firewall addrgrp
edit "Social WiFI - Google tag"
set member "Social WiFi - Google tag 1" "Social WiFi - Google tag 2" "Social WiFi - Google tag 3"
next
end
# Facebook login
config firewall address
edit "Social WiFi - Facebook 1"
set type fqdn
set fqdn "www.facebook.com"
next
edit "Social WiFi - Facebook 2"
set type fqdn
set fqdn "facebook.com"
next
edit "Social WiFi - Facebook 3"
set type fqdn
set fqdn "static.xx.fbcdn.net"
next
edit "Social WiFi - Facebook 4"
set type fqdn
set fqdn "external-frt3-2.xx.fbcdn.net"
next
end
config firewall addrgrp
edit "Social WiFi - Facebook"
set member "Social WiFi - Facebook 1" "Social WiFi - Facebook 2" "Social WiFi - Facebook 3" "Social WiFi - Facebook 4"
next
end

Part 2:

# Twitter login
config firewall address
edit "Social WiFi - Twitter 1"
set type fqdn
set fqdn "twitter.com"
next
edit "Social WiFi - Twitter 2"
set type fqdn
set fqdn "api.twitter.com"
next
edit "Social WiFi - Twitter 3"
set type fqdn
set fqdn "x.com"
next
edit "Social WiFi - Twitter 4"
set type fqdn
set fqdn "api.x.com"
next
edit "Social WiFi - Twitter 5"
set type fqdn
set fqdn "pbs.twimg.com"
next
edit "Social WiFi - Twitter 6"
set type fqdn
set fqdn "abs-0.twimg.com"
next
edit "Social WiFi - Twitter 7"
set type fqdn
set fqdn "abs.twimg.com"
next
end
config firewall addrgrp
edit "Social WiFi - Twitter"
set member "Social WiFi - Twitter 1" "Social WiFi - Twitter 2" "Social WiFi - Twitter 3" "Social WiFi - Twitter 4" "Social WiFi - Twitter 5"
next
end
# LinkedIn login
config firewall address
edit "Social WiFi - LinkedIn 1"
set type fqdn
set fqdn "www.linkedin.com"
next
edit "Social WiFi - LinkedIn 2"
set type fqdn
set fqdn "static-exp1.licdn.com"
next
edit "Social WiFi - LinkedIn 3"
set type fqdn
set fqdn "media-exp1.licdn.com"
next
edit "Social WiFi - LinkedIn 4"
set type fqdn
set fqdn "static.licdn.com"
next
end
config firewall addrgrp
edit "Social WiFi - LinkedIn"
set member "Social WiFi - LinkedIn 1" "Social WiFi - LinkedIn 2" "Social WiFi - LinkedIn 3" "Social WiFi - LinkedIn 4"
next
end
# Group everything in one group
config firewall addrgrp
edit "Social WiFi"
set member "Social WiFI - main" "Social WiFI - Facebook pixel" "Social WiFI - Google tag" "Social WiFi - Facebook" "Social WiFi - Twitter" "Social WiFi - LinkedIn"
next
end

Interface or WiFi interface configuration

Go to Network → Interfaces and edit the interface you want Social WiFi to work on. The below example uses a VLAN, but this works on a Physical interface as well.

Configure the “Network” section of the interface as follows:

Security ModeEnabled: Captive Portal
Authentication PortalExternal: http://login.socialwifi.com/
User AccessRestricted to Groups
User GroupsSocial WiFi – Guest
Exempt SourcesLeave empty
Exempt Destinations/ServicesSocial WiFi
Redirect after Captive PortalOriginal Request

2025-05-27_12-37.png

Click OK.

Firewall configuration

You need to allow for traffic from guests using Social WiFi, because the default policy is to deny all traffic.

Go to Policy & Objects → Firewall Policy → +Create New.

Configure as follows:

NameSocial WiFi Allow Guests
Incoming InterfaceThe interface that has Social WiFi configured
Outgoing InterfaceYour WAN interface
Sourceall
User/groupEmpty
Destinationall
ServiceALL
ActionACCEPT

2025-05-27_13-00.png

Click OK.

Add the device to Social WiFi Panel

The setup of FortiGate is now finished. The last step is to add the MAC address(es) to the Social WiFi platform.

If you configured Social WiFi on an interface, you only must add the one interface used.

If you configured Social WiFi on an SSID, you must add all the MAC addresses of the Access Points. Usually the MAC address will be printed on a label on the device itself. It should be visible in the GUI as well on the edit interface screen. If you don’t know the MAC address, please contact Social WiFi Support.

Now, switch to Social WiFi Panel, go to Access Points tab, click the Add button and paste the MAC address(es). Click Create.

Test the solution

Connect with the WiFi network. You should see a login page. Go through the login process and, once finished, you should have internet access. You should see first connections and authorisations in the Social WiFi Panel’s statistics section.

Troubleshooting

If you have any external firewall behind the FortiGate device, please make sure that you enable these ports:

  • TCP/8080 (Captive Portal (http redirection))
  • TCP/8081 (Captive Portal (https redirection)
  • UDP/9177, 337008 (AP Communication (Capture Packets subsystem))