Captive portal in Transparent mode on Palo Alto Networks firewall

Captive portal is a feature on PAN firewall which can be usde for user identification. We can have user to IP mapping for the machines which are not part of a domain for example mobile phone, personal laptop, Guest user machine.

When a user will try to access http, https sites he will get prompt for captive portal authentication page. Once user will give username and password he will be allowed to access internet and firewall can enforce security policy based on username, Traffic log will have username mentioned.

Note: Captive portal will be prompted for the users whose user-to-ip mapping is not there on the firewall if user to ip mapping is already present firewall will not prompt for captive portal.

Use following command to check if user to ip mapping is there or not:

 show user ip-user-mapping all

Configuration is as follows:

1>Authentication profile:
Create a authentication profile. This authentication profile will be used to authenticate the users against either to a local database, LDAP,RADIUS, TACACS+, Kerberos. In this example I am using local database and allowing all user who are in local database to authenticate.

Go to Device> Authentication profile


Local database:local-user-database

2> Configure captive portal settings:

Go to Device>User Identification> Captive Portal

Select the configured authentication profile. Make sure the captive portal is enabled.


3> Enable user-identification on Source Zone: Find out the zone on which user is sitting and enable user identification on zone.


4> Captive portal policy: Configure captive portal policy to specify which traffic needs captive portal. For example any traffic coming from trust zone/ particular subnet prompt for captive portal.


Test if captive portal works:

Open a browser in test system. Try to open a website which falls under the category specified in captive portal rule. In above example We have to open a website which falls under shopping category.

To check to which category a website belongs to use following CLI command:

test url

When you will hit in web browser the URL will get changed to and you will get certificate warning after clicking advance you will get captive portal authentication page.  To avoid certificate warning you should use captive portal in Redirect mode.


This entry was posted in PaloAlto networks firewall and tagged , , , , . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s