Configure session-based Internet access by username and password through a Palo Alto firewall

blog.payperitem.com, April 11, 2025

To configure session-based Internet access by username and password through a Palo Alto firewall, where users must authenticate before they can reach websites, you typically combine Captive Portal with User-ID, an Authentication Policy, and an authentication source (LDAP, RADIUS, or the firewall's local user database).

Here’s a high-level step-by-step guide:


✅ 1. Configure Authentication Profile

This defines how users authenticate.

  1. Go to Device > Authentication Profile
  2. Click Add:
    • Name: auth-profile-web
    • Type: Choose LDAP, RADIUS, or Local Database
    • Server Profile: Select your authentication source
    • Allow List: Optionally select specific user groups allowed to authenticate
  3. Click OK

✅ 2. Enable User-ID

This allows the firewall to associate traffic with usernames.

  • Go to Device > User Identification > User-ID and ensure User-ID is enabled on the interfaces where user traffic originates (typically internal zones).

✅ 3. Configure Captive Portal

This prompts users with a web login page when they first try to access the Internet.

  1. Go to Device > User Identification > Captive Portal
  2. Set:
    • Enable Captive Portal
    • Mode: Redirect (recommended) or Transparent
    • Redirect Host: A hostname (e.g., cp.portal.local) that resolves to a loopback interface on the firewall
    • Authentication Profile: Select the one created earlier (auth-profile-web)
    • SSL/TLS Service Profile: Create/select one for HTTPS if using Redirect
  3. Go to Network > Interfaces > Loopback
    • Add a loopback interface (e.g., Loopback.1)
    • Assign it an IP address (e.g., 10.10.10.1/32)
    • Zone: the trusted/internal zone
  4. Go to Device > Certificate Management > Certificates and import/create a certificate for the redirect host (e.g., cp.portal.local)

✅ 4. Create Authentication Policy

This rule triggers the captive portal for users who are not yet authenticated.

  1. Go to Policies > Authentication
  2. Click Add
    • Name: web-access-auth
    • Source Zone: Internal user zone (e.g., trust)
    • Destination Zone: untrust (Internet)
    • Service: web-browsing, ssl, etc.
    • Action: default-web-form
    • Authentication Profile: auth-profile-web

✅ 5. Security Policy for Authenticated Users

Once users are authenticated, allow their traffic:

  1. Go to Policies > Security
  2. Add a rule:
    • Source Zone: trust
    • Source User: known-user
    • Destination Zone: untrust
    • Application: any or limited as needed
    • Action: allow

✅ 6. DNS and Redirect Configuration

Ensure internal users resolve the redirect host (e.g., cp.portal.local) correctly:

  • Add a DNS entry mapping cp.portal.local to the loopback IP (e.g., 10.10.10.1)
  • Use the internal DNS server or a static hosts-file entry on the clients

🔒 Optional: Customize Login Page

Go to Device > Response Pages > Captive Portal to customize the login page with branding or instructions.


✅ 7. Commit Configuration

After all configuration is complete, commit the changes.


🔍 Testing

  1. Connect a client device
  2. Try accessing a website (e.g., http://example.com)
  3. You should be redirected to the captive portal login page
  4. After a successful login, the session should be allowed through to the Internet
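As an added check that is not part of the original post: the steps above only work when the pieces reference each other correctly (the captive portal and the authentication policy must use the same profile, the redirect host must resolve to the loopback address and have a matching certificate, the security rule must match known-user). The script below models those settings as plain Python dicts, a constructed layout rather than a PAN-OS API or export format, and reports the cross-reference mistakes that most often leave users stuck at the redirect.

```python
import copy

# Constructed sample mirroring the values used in the steps above; not a PAN-OS export.
SAMPLE_CONFIG = {
    "authentication_profiles": {"auth-profile-web": {"type": "LDAP"}},
    "captive_portal": {"mode": "redirect", "redirect_host": "cp.portal.local",
                       "authentication_profile": "auth-profile-web",
                       "ssl_tls_service_profile": "cp-tls"},
    "loopback": {"name": "Loopback.1", "ip": "10.10.10.1", "zone": "trust"},
    "certificates": {"cp.portal.local"},       # subject names of installed certs
    "dns": {"cp.portal.local": "10.10.10.1"},  # internal DNS records
    "authentication_policy": {"source_zone": "trust", "destination_zone": "untrust",
                              "action": "default-web-form",
                              "authentication_profile": "auth-profile-web"},
    "security_rule": {"source_zone": "trust", "source_user": "known-user",
                      "destination_zone": "untrust", "action": "allow"},
}

def check_captive_portal_config(cfg):
    """Return a list of findings; an empty list means the steps fit together."""
    findings = []
    cp, lo = cfg["captive_portal"], cfg["loopback"]
    pol, sec = cfg["authentication_policy"], cfg["security_rule"]
    if cp["authentication_profile"] not in cfg["authentication_profiles"]:
        findings.append("captive portal references an unknown authentication profile")
    if cp["mode"] == "redirect":
        # Redirect mode serves the login page over HTTPS from the loopback address.
        if not cp.get("ssl_tls_service_profile"):
            findings.append("redirect mode needs an SSL/TLS service profile")
        if cp["redirect_host"] not in cfg["certificates"]:
            findings.append("no certificate for redirect host %s" % cp["redirect_host"])
        if cfg["dns"].get(cp["redirect_host"]) != lo["ip"]:
            findings.append("redirect host %s does not resolve to loopback %s"
                            % (cp["redirect_host"], lo["ip"]))
        if lo["zone"] != pol["source_zone"]:
            findings.append("loopback is in zone %s, not the user zone %s"
                            % (lo["zone"], pol["source_zone"]))
    if pol["action"] != "default-web-form":
        findings.append("authentication policy action is %s" % pol["action"])
    if pol["authentication_profile"] != cp["authentication_profile"]:
        findings.append("authentication policy and captive portal use different profiles")
    if sec["source_user"] != "known-user":
        findings.append("security rule source user is %s, not known-user" % sec["source_user"])
    return findings

def broken_config(section, key, value):
    """Copy of SAMPLE_CONFIG with one field changed, for trying out the checks."""
    cfg = copy.deepcopy(SAMPLE_CONFIG)
    cfg[section][key] = value
    return cfg
```

Run the checks against your own values before committing; a finding about the DNS record or certificate usually explains a browser that never reaches the login page.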
