Configure session-based Internet access by username and password through a Palo Alto firewall

To configure session-based Internet access by username and password through a Palo Alto firewall, where users authenticate before accessing websites, you’ll typically use Captive Portal along with User-ID, Authentication Policies, and possibly an external authentication service (like LDAP, RADIUS, or local database).

Here’s a high-level step-by-step guide:

---

✅ 1. Configure Authentication Profile

This defines how users authenticate.

1. Go to Device > Authentication Profile
2. Click Add:
   • Name: auth-profile-web
   • Type: Choose LDAP, RADIUS, or Local Database
   • Server Profile: Select your authentication source
   • Allow List: Optionally select specific user groups allowed to authenticate
3. Click OK

---

✅ 2. Enable User-ID

This allows the firewall to associate traffic with usernames.

• Go to Device > User Identification > User-ID and ensure User-ID is enabled on the interfaces where user traffic originates (typically internal zones).

---

✅ 3. Configure Captive Portal

To prompt users for authentication via web when accessing the Internet.

1. Go to Device > User Identification > Captive Portal
2. Set:
   • Enable Captive Portal
   • Mode: Redirect (recommended) or Transparent
   • Redirect Host: Usually a loopback interface (e.g., cp.portal.local)
   • Authentication Profile: Select the one created earlier (auth-profile-web)
   • SSL/TLS Service Profile: Create/select one for HTTPS if using Redirect
3. Go to Network > Interfaces > Loopback
   • Add a loopback interface (e.g., Loopback.1)
   • Assign it an IP address (e.g., 10.10.10.1/32)
   • Bind to zone = trusted/internal
4. Go to Device > Certificate Management > Certificates and import/create a certificate for the redirect host (e.g., cp.portal.local)

---

✅ 4. Create Authentication Policy

To trigger the captive portal for unauthenticated users.

1. Go to Policies > Authentication
2. Click Add
   • Name: web-access-auth
   • Source Zone: Internal user zone (e.g., trust)
   • Destination Zone: untrust (Internet)
   • Service: web-browsing, ssl, etc.
   • Action: default-web-form
   • Authentication Profile: auth-profile-web

---

✅ 5. Security Policy for Authenticated Users

Once users are authenticated, allow their traffic:

1. Go to Policies > Security
2. Add a rule:
   • Source Zone: trust
   • Source User: known-user
   • Destination Zone: untrust
   • Application: any or limited as needed
   • Action: allow

---

✅ 6. DNS and Redirect Configuration

Ensure internal users resolve the redirect host (e.g., cp.portal.local) correctly:

• Add a DNS entry mapping cp.portal.local to the loopback IP (e.g., 10.10.10.1)
• Use internal DNS server or static host file

---

🔒 Optional: Customize Login Page (Optional)

Go to Device > Response Pages > Captive Portal to customize the login page with branding or instructions.

---

✅ 7. Commit Configuration

After all configuration is complete, Commit the changes.

---

🔍 Testing

1. Connect a client device
2. Try accessing a website (e.g., http://example.com)
3. You should be redirected to a login portal
4. After login, the session should be allowed