Configure session-based Internet access by username and password through a Palo Alto firewall

blog.payperitem.com, April 11, 2025

To configure session-based Internet access by username and password through a Palo Alto firewall, where users must authenticate before they can browse, you combine Captive Portal (renamed Authentication Portal in PAN-OS 10.0; the menu paths below use the older name) with User-ID, an Authentication Policy, and an authentication source such as LDAP, RADIUS, SAML, Kerberos, or the firewall's local user database. The flow is: an unidentified user's first web request matches the Authentication Policy, the firewall redirects the browser to its own portal, the user logs in, the firewall records an IP-to-user mapping for that client, and Security Policy rules written for known users then apply until the mapping times out.

Here’s a high-level step-by-step guide:


✅ 1. Configure Authentication Profile

This defines how users authenticate and which of them are allowed to.

  1. Go to Device > Authentication Profile
  2. Click Add:
    • Name: auth-profile-web
    • Type: Choose LDAP, RADIUS, or Local Database (SAML and Kerberos are also available)
    • Server Profile: Select the server profile for that authentication source (create it first under Device > Server Profiles); for Local Database, add the accounts under Device > Local User Database > Users
    • Allow List: Add "all" or the specific users/groups allowed to log in. The allow list is empty by default and an empty allow list rejects every login, so a portal that reports invalid credentials for a valid account is very often just a missing allow-list entry.
  3. Click OK

✅ 2. Enable User-ID

This lets the firewall associate traffic with usernames. User-ID is enabled per zone, not per interface.

  • Go to Network > Zones, open the zone the users sit in (e.g., trust), and tick Enable User Identification.
  • Without this, the portal login can succeed but the firewall never applies the resulting IP-to-user mapping to traffic from that zone, so Security Policy rules that match on known-user never match.

✅ 3. Configure Captive Portal

This makes the firewall intercept web requests from unidentified users and present a login page.

  1. Go to Device > User Identification > Captive Portal Settings (Authentication Portal Settings in PAN-OS 10.0 and later) and open the settings for editing
  2. Set:
    • Enable Captive Portal
    • Mode: Redirect (recommended) or Transparent. Redirect sends the browser to a hostname on the firewall, which lets you use a proper certificate and session cookies; Transparent impersonates the destination site and produces certificate warnings.
    • Redirect Host: a hostname (e.g., cp.portal.local) or IP address that resolves to a Layer 3 interface on the firewall; a loopback interface is the usual choice
    • Authentication Profile: Select the one created earlier (auth-profile-web)
    • SSL/TLS Service Profile: Create/select one (Device > Certificate Management > SSL/TLS Service Profile) that references the portal certificate; required for Redirect mode
    • Timer and Idle Timer: how long an authenticated mapping lives and how long a user may be idle before being prompted again. These timers are what make the access session-based, so set them deliberately instead of keeping the defaults.
  3. Go to Network > Interfaces > Loopback
    • Add a loopback interface (e.g., loopback.1)
    • Assign it an IP address (e.g., 10.10.10.1/32) and attach it to the virtual router that carries the user traffic
    • Bind it to the users' zone (e.g., trust) so the intrazone default-allow rule covers the redirect. If you put it in a different zone, add a Security Policy rule from trust to that zone for the portal ports (TCP 6080 for HTTP and TCP 6082 for the HTTPS redirect).
    • Attach an Interface Management Profile (Network > Network Profiles > Interface Mgmt) with Response Pages enabled; the firewall will not serve the portal on an interface without it.
  4. Go to Device > Certificate Management > Certificates and import or generate the certificate for the redirect host (e.g., cp.portal.local). Its common name or subject alternative name must match the Redirect Host exactly, and it should be issued by a CA your clients already trust (typically the internal enterprise CA). A self-signed certificate works, but it trains users to click through browser warnings on a page that asks for their domain password.

✅ 4. Create Authentication Policy

This triggers the captive portal for users the firewall cannot yet identify.

  1. Go to Policies > Authentication
  2. Click Add
    • Name: web-access-auth
    • Source Zone: Internal user zone (e.g., trust)
    • Destination Zone: untrust (Internet)
    • Service: service-http and service-https (the defaults)
    • Authentication Enforcement: default-web-form. This predefined object shows the login form and uses the Authentication Profile set in the Captive Portal settings; to use a different profile, or a browser challenge for Kerberos/NTLM single sign-on, create your own object under Objects > Authentication and reference it here.
    • Timeout: how long (in minutes) a successful login satisfies this rule before the user is prompted again

Caveat: the firewall can only inject a redirect into cleartext HTTP. An HTTPS request from an unauthenticated user matches the rule, but without SSL Forward Proxy decryption of that traffic the firewall cannot answer it with a redirect, and the user just sees a failed connection. Either decrypt the web traffic from that zone, or rely on the plain-HTTP probe that most operating systems and browsers send when a network comes up (captive portal detection), which opens the login page from that first HTTP request.

✅ 5. Security Policy for Authenticated Users

Once users are authenticated, allow their traffic:

  1. Go to Policies > Security
  2. Add a rule:
    • Source Zone: trust
    • Source User: known-user
    • Destination Zone: untrust
    • Application: any or limited as needed
    • Action: allow

The firewall has to allow the initial session before it can intercept the HTTP request inside it, and at that moment the source user is still unknown, so a rule restricted to known-user does not match the very first request. Also allow the initial web-browsing and ssl session from the user zone (for example a rule above this one with Source User unknown, Application web-browsing and ssl, Action allow); the Authentication Policy is what gates it. Everything else from unauthenticated users should fall through to the default deny.

✅ 6. DNS and Redirect Configuration

Ensure internal users resolve the redirect host (e.g., cp.portal.local) to the loopback IP:

  • Add an A record mapping cp.portal.local to the loopback IP (e.g., 10.10.10.1) on the internal DNS server (a hosts-file entry is fine for testing only)
  • Confirm from a client that the name resolves to the firewall and that the certificate presented on the portal matches it; a name that resolves to the wrong address or a mismatched certificate is the usual reason the login page never appears
  • If you use an IP address as the Redirect Host instead, no DNS entry is needed, but the certificate then needs that IP address as a subject alternative name

🔒 Optional: Customize Login Page

Go to Device > Response Pages > Captive Portal Comfort Page to customize the login page with branding or instructions. Keep it self-contained: this page receives the user's password, so do not reference scripts, fonts or images hosted outside the firewall.


✅ 7. Commit Configuration

After all configuration is complete, Commit the changes and read the commit result for validation errors before testing.
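Before testing from a client, it is worth checking an exported configuration (Device > Setup > Operations > Export named configuration snapshot) for the pieces in steps 1 to 5 that are easy to miss. The script below is an added example and is not from the original post or from Palo Alto Networks. It reads the XML export with the standard library and reports whether the authentication profile has an allow list, whether the redirect interface has a management profile with response pages, whether a user zone has User-ID enabled, and whether authentication and known-user security rules exist. The element names and the embedded sample configuration are assumptions modelled on the XML that PAN-OS writes (which mirrors its set CLI); verify them against your own export before relying on the result.

```python
"""Audit an exported PAN-OS configuration for the captive-portal prerequisites.

Added example, not from the original post.  Element names are assumptions
modelled on PAN-OS running-config.xml; check them against a real export.
Usage: python check_portal_config.py running-config.xml
(with no argument it audits the constructed SAMPLE_CONFIG below)
"""
import sys
import xml.etree.ElementTree as ET

# Constructed excerpt in the shape of a PAN-OS running config (not a real export).
SAMPLE_CONFIG = """<config>
  <shared><authentication-profile>
    <entry name="auth-profile-web">
      <method><ldap><server-profile>ldap-corp</server-profile></ldap></method>
      <allow-list><member>all</member></allow-list>
    </entry>
  </authentication-profile></shared>
  <devices><entry name="localhost.localdomain">
    <network>
      <interface><loopback><units>
        <entry name="loopback.1">
          <ip><entry name="10.10.10.1/32"/></ip>
          <interface-management-profile>allow-response-pages</interface-management-profile>
        </entry>
      </units></loopback></interface>
      <profiles><interface-management-profile>
        <entry name="allow-response-pages"><response-pages>yes</response-pages></entry>
      </interface-management-profile></profiles>
    </network>
    <vsys><entry name="vsys1">
      <zone><entry name="trust">
        <network><layer3><member>ethernet1/2</member><member>loopback.1</member></layer3></network>
        <enable-user-identification>yes</enable-user-identification>
      </entry></zone>
      <rulebase>
        <authentication><rules><entry name="web-access-auth">
          <from><member>trust</member></from><to><member>untrust</member></to>
          <authentication-enforcement>default-web-form</authentication-enforcement>
        </entry></rules></authentication>
        <security><rules><entry name="allow-authenticated-web">
          <from><member>trust</member></from><to><member>untrust</member></to>
          <source-user><member>known-user</member></source-user>
          <action>allow</action>
        </entry></rules></security>
      </rulebase>
    </entry></vsys>
  </entry></devices>
</config>"""


def audit(root, loopback="loopback.1", profile="auth-profile-web"):
    """Return {check name: (passed, detail)} for the parsed <config> element."""
    r = {}
    # Step 1: an empty allow list rejects every login.
    ap = root.find(f"./shared/authentication-profile/entry[@name='{profile}']")
    members = [m.text for m in ap.findall("./allow-list/member")] if ap is not None else []
    r["auth profile has allow-list"] = (bool(members), f"allow-list={members or 'EMPTY'}")

    # Step 3: the redirect interface needs a mgmt profile with response pages.
    lb = root.find(f".//network/interface/loopback/units/entry[@name='{loopback}']")
    mp_name = lb.findtext("interface-management-profile") if lb is not None else None
    mp = (root.find(f".//network/profiles/interface-management-profile/entry[@name='{mp_name}']")
          if mp_name else None)
    r["redirect interface allows response pages"] = (
        mp is not None and mp.findtext("response-pages") == "yes",
        f"{loopback} mgmt profile={mp_name}")

    # Step 2: at least one zone must have User-ID enabled.
    zones = [z.get("name") for z in root.findall(".//vsys/entry/zone/entry")
             if z.findtext("enable-user-identification") == "yes"]
    r["user zone has User-ID enabled"] = (bool(zones), f"User-ID zones={zones}")

    # Step 4: an authentication rule must exist to trigger the portal.
    auth_rules = [e.get("name") for e in root.findall(".//rulebase/authentication/rules/entry")]
    r["authentication rule present"] = (bool(auth_rules), f"rules={auth_rules}")

    # Step 5: something must allow traffic for known-user after login.
    known = [e.get("name") for e in root.findall(".//rulebase/security/rules/entry")
             if any(m.text == "known-user" for m in e.findall("./source-user/member"))
             and e.findtext("action") == "allow"]
    r["security rule allows known-user"] = (bool(known), f"rules={known}")
    return r


def audit_xml(text, **kw):
    """Convenience wrapper: audit a configuration given as an XML string."""
    return audit(ET.fromstring(text), **kw)


def main(path=None):
    root = ET.parse(path).getroot() if path else ET.fromstring(SAMPLE_CONFIG)
    results = audit(root)
    for name, (ok, detail) in results.items():
        print(f"[{'PASS' if ok else 'FAIL'}] {name}: {detail}")
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    sys.exit(0 if main(sys.argv[1] if len(sys.argv) > 1 else None) else 1)
```

The script deliberately does not check the Captive Portal settings block itself, whose XML location differs between releases; read those from the GUI. Each FAIL line names the step above that needs revisiting.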


🔍 Testing

  1. Connect a client device in the user zone and confirm it resolves cp.portal.local to the loopback IP
  2. Browse to a plain-HTTP site (e.g., http://example.com, not https://) so the firewall can inject the redirect
  3. You should be redirected to the portal on https://cp.portal.local:6082 and see the login page without a certificate warning
  4. Log in; the original page should load, and the login should appear in Monitor > Logs > Authentication and the username in the Source User column of Monitor > Logs > Traffic
  5. On the firewall CLI, show user ip-user-mapping all lists the client IP with the username and the remaining timeout; mappings created by the portal have type CP
  6. Wait past the idle timer (or clear the mapping) and confirm the next HTTP request is redirected again
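The before-and-after checks above can be scripted from the client so the same test is repeatable after every policy change. The following is an added example, not code from the original post or from Palo Alto Networks. It sends one plain-HTTP GET without following redirects, classifies the single response (portal redirect, allowed through, redirected elsewhere, or blocked), and, when it sees the portal, verifies that the portal's TLS certificate chains to a CA the client trusts and carries the redirect host's name. The redirect host cp.portal.local and the probe URL are assumptions to adjust; the port numbers are the firewall's documented captive-portal listeners.

```python
"""Client-side check for a Palo Alto captive/authentication portal.

Added example, not from the original post.  Run it from a client in the user
zone before logging in (expect 'portal-redirect') and again after (expect
'allowed').  REDIRECT_HOST and PROBE_URL are assumptions for this example.
"""
import http.client
import socket
import ssl
import sys
from urllib.parse import urlsplit

REDIRECT_HOST = "cp.portal.local"   # assumed: the Redirect Host from the portal settings
PROBE_URL = "http://example.com/"   # plain HTTP on purpose: no redirect is possible inside TLS without decryption
PORTAL_PORTS = {6080, 6082}         # PAN-OS portal listeners: 6080 (HTTP), 6082 (HTTPS redirect)


def classify(status, location, redirect_host=REDIRECT_HOST):
    """Interpret one non-followed HTTP response.

    'portal-redirect'  3xx whose Location points at the portal host (and a portal port, if any)
    'allowed'          2xx: the request reached the real site, i.e. the user is known
    'other-redirect'   3xx to somewhere else (the site itself redirecting, not the firewall)
    'blocked'          anything else (4xx/5xx, or a 3xx with no Location)
    """
    if 200 <= status < 300:
        return "allowed"
    if 300 <= status < 400 and location:
        parts = urlsplit(location)
        host_ok = (parts.hostname or "") == redirect_host.lower()   # urlsplit lower-cases the host
        port_ok = parts.port is None or parts.port in PORTAL_PORTS
        return "portal-redirect" if host_ok and port_ok else "other-redirect"
    return "blocked"


def probe(url=PROBE_URL, timeout=5):
    """Send one GET without following redirects; return (status, Location header or None)."""
    parts = urlsplit(url)
    conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
    try:
        conn.request("GET", parts.path or "/", headers={"Host": parts.hostname})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def portal_cert_ok(host=REDIRECT_HOST, port=6082, timeout=5):
    """True if the portal's certificate validates against the client's trust store and
    matches the redirect host name; the default SSL context enforces both checks."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    status, location = probe()
    verdict = classify(status, location)
    print(f"GET {PROBE_URL} -> {status} {location or ''} : {verdict}")
    if verdict == "portal-redirect":
        print("portal certificate trusted and name-matched:", portal_cert_ok())
    sys.exit(0 if verdict in ("portal-redirect", "allowed") else 1)
```

A "blocked" or "other-redirect" verdict before login usually means the initial session never reached the portal logic (Security Policy denying the unknown user, or the loopback missing its management profile); a certificate failure after a correct redirect points at step 3's certificate or the DNS entry in step 6.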
