Is there a way to use the hostname for captive portal instead of IP?

Question

Really, the subject says it all... is there a way to configure the HTTPS & HTTP proxies to redirect to a hostname instead of the IP address of the firewall? 
 Reason I ask is I'd really like to keep my certificates consistent. We use an internal PKI, and so I have issued the XG a valid certificate based on our root cert. Yes, I can go back and re-issue it with the IP address, but I would like for it to redirect, if possible, to the internal hostname instead. 
 Similar to overriding the hostname for the external SSL vpn... I want to do it on an internal-facing service. 
 If the answer is currently "not possible" - I would like to suggest this as a feature.

Ronak Sheth · Accepted Answer

Hello Filippo Bastianello 
 Refer the KB article to use FQDN for captive portal. 
 
 https://community.sophos.com/kb/en-us/123035 
 
 Regards, Ronak.

ce_Sophos · Answer

Guys, I found a workaround for this. It's working for me. My box XG450 (SFOS 17.0.5 MR-5) Navigate to Authentication > Services > Web Policy Actions for Unauthenticated Users (Captive Portal) Change "Login prompt method" to "Display a custom message" In the textbox enter below text Click Apply That's it enjoy. Ensure you have a valid HTTPS certificate uploaded to the UTM. Above method is working for me.

Slawski · Answer

You can add IP SAN if you have an internal PKI deployed. Installing custom root authority certificates on user's machines is necessary for HTTPS inspection to work anyway. And this is what I did. Created a simple "scripted" CA using OpenSSL and uploaded its signing certificate to SFOS. I have also issued a certificate for my box with both name and IPS as SANs. Everything works fine (root certificated had to be added to trusted authorities). Even Google Chrome presents green lock when I'm using IP Address.

BTW: Symantec allows IP SANs for Intranet and RapidSSL certificates but not for public certificates.

GaryChancellor · Answer

FYI, in v16, if I navigate to the domain name setting in the LAN DHCP it uses that as the "hostname" of the firewall. For Captive Portal and for Admin access if you have an SSL certificate, then you don't get the warning and the certificate can match the local domain name. 
 
 Regards, 
 Gary

Ben Newall · Answer

Yep, its done. I just used it 5 minutes ago! :)

oussama bekkaye · Answer

Version 17.1 has now been released. Once you have updated to v17.1, you can switch to using the device hostname for the Captive Portal and other end-user interactions as follows: 
 1) Log in to the Firewall console over ssh 2) Select option 4 (Device Console) 3) Enter the following command at the prompt: set http_proxy proxy_url_use_hostname on 4) To confirm that it has set, enter the following command: show http_proxy 5) Type &lsquo;exit&rsquo; to return to the menu and logout.

source : https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/11580213-captive-portal-fqdn-support