Palo Alto Captive Portal – Detailed Behavior and Design Guide –

Captive Portal on Palo Alto

On a Palo Alto firewall, users can be authenticated from their web browser.

Although Captive Portal is not a standard, it has become the common name for so-called "web authentication": network authentication in which the user enters an ID and password in a browser before ordinary network communication is permitted.

The behavior of Captive Portal on Palo Alto is as follows.

[Behavior of Captive Portal]

  1. The PC attempts to access some http site.
  2. The Palo Alto checks that traffic against the Captive Portal policy (rules). If it matches a rule with Action = web-form, the firewall hijacks the http session and returns HTTP status code 302 (Moved) to the PC, redirecting it to the Captive Portal authentication page, whose IP address is the firewall's own.
  3. The PC fetches the authentication page with an HTTP GET.

This is a common limitation of web authentication: an https session cannot be hijacked, because the firewall cannot inject a response into the encrypted TLS connection. The first site the user accesses must therefore be a plain http site; be aware that an https request cannot be redirected.

If you want to authenticate only a particular segment (Seg.A), the following implementation is one option.

[Captive Portal Policy]

  1. Src = Seg.A, Dst = any, Service = http, URL category = computer-and-internet-security, Action = no-captive-portal
  2. Src = Seg.A, Dst = any, Service = http, Action = web-form
  3. Src = any, Dst = any, Service = any, Action = no-captive-portal

The first rule lets pattern (signature) updates, such as Trend Micro's, pass without authentication. Note, as a caveat, that a Captive Portal rule cannot match on application (App-ID), which is why the exclusion is expressed as a URL category.

Further, if there are near-simultaneous tcp port 80 communications from the same source IP, only the first one is redirected; the following ones are blocked with a TCP Reset for 1 second and are not redirected. So it is a good idea to exclude http applications that run in the background, such as virus pattern updates, from the web-form rule.

In addition, the Captive Portal policy is evaluated before the security policy. Once authentication has succeeded, rules with Action = web-form are no longer applied to that user's traffic, and the traffic is controlled by the security policy alone.

As a security policy to combine with the Captive Portal policy above:

Src = Seg.A, User = unknown, Dst = any, Service = any, Action = Deny

If this rule is placed at the top, a PC in Seg.A cannot communicate at all (not only over http) until it has authenticated successfully. Two caveats follow from this. The rule also denies the pattern-update traffic that the first Captive Portal rule excluded from authentication, so if those updates must work before login, an allow rule for that traffic (User = unknown) has to sit above this deny. Likewise, if name resolution passes through the firewall, DNS must be allowed for unknown users; otherwise the browser never resolves the site name, never sends the http request, and the redirect is never triggered.
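The following Python script is an added example, not code from this page or from Palo Alto Networks. It models, as an offline simulation, the behavior listed above and the rulebase in the policy section: the Captive Portal policy is evaluated first with first-match semantics; Action = web-form answers the first unauthenticated tcp/80 flow with a 302 and resets further flows from the same source within one second; https flows fall through to the security policy because they cannot be redirected; and after login the web-form rule is skipped so the security policy decides. The addresses of Seg.A and the firewall, the portal URL, the URL-category table, the hypothetical allow rule for pattern updates, and the assumed permissive rule at the bottom of the security policy are all assumptions, not part of the original configuration.

```python
"""Offline model of the Palo Alto Captive Portal behavior described above.

Added example, not PAN-OS code. Rule fields, actions and evaluation order
follow the article; the addresses, portal URL, URL-category table, the
extra allow rule for pattern updates and the bottom allow rule are assumptions.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, Optional

SEG_A = ip_network("10.1.1.0/24")                     # assumed address range of Seg.A
FIREWALL_IP = "10.1.1.1"                              # assumed firewall address serving the portal
PORTAL_URL = f"http://{FIREWALL_IP}/captive-portal"   # assumed portal location
RESET_WINDOW = 1.0   # seconds: later tcp/80 flows from the same source get a TCP RST

# Assumed URL-category lookup standing in for the firewall's URL database.
URL_CATEGORY = {
    "iau.trendmicro.com": "computer-and-internet-security",  # pattern updates
    "www.example.com": "search-engines",
}


@dataclass
class Flow:
    src: str        # client IP address
    host: str       # destination host name
    service: str    # "http" (tcp/80) or "https" (tcp/443)
    t: float = 0.0  # arrival time in seconds


@dataclass
class CpRule:
    """One Captive Portal rule; a field set to None means 'any'."""
    src: Optional[IPv4Network]
    service: Optional[str]
    category: Optional[str]
    action: str     # "web-form" or "no-captive-portal"

    def matches(self, f: Flow) -> bool:
        return ((self.src is None or ip_address(f.src) in self.src)
                and (self.service is None or self.service == f.service)
                and (self.category is None or self.category == URL_CATEGORY.get(f.host)))


@dataclass
class SecRule:
    """One security rule; user is "unknown", "known" or None for any."""
    src: Optional[IPv4Network]
    user: Optional[str]
    category: Optional[str]
    action: str     # "allow" or "deny"

    def matches(self, f: Flow, user: str) -> bool:
        return ((self.src is None or ip_address(f.src) in self.src)
                and (self.user is None or self.user == user)
                and (self.category is None or self.category == URL_CATEGORY.get(f.host)))


# The three Captive Portal rules from the article, in evaluation order.
CAPTIVE_PORTAL_POLICY = [
    CpRule(SEG_A, "http", "computer-and-internet-security", "no-captive-portal"),
    CpRule(SEG_A, "http", None, "web-form"),
    CpRule(None, None, None, "no-captive-portal"),
]

SECURITY_POLICY = [
    # Hypothetical allow rule so pattern updates work before login.
    SecRule(SEG_A, "unknown", "computer-and-internet-security", "allow"),
    # The article's rule: nothing else from Seg.A until the user is known.
    SecRule(SEG_A, "unknown", None, "deny"),
    # Assumed permissive rule for everything below the deny.
    SecRule(None, None, None, "allow"),
]


class Firewall:
    def __init__(self) -> None:
        self.user_by_ip: Dict[str, str] = {}       # IP-to-user table filled by logins
        self.last_redirect: Dict[str, float] = {}  # time of the last 302 per source IP

    def login(self, ip: str, user: str) -> None:
        """Record a successful Captive Portal login for this IP."""
        self.user_by_ip[ip] = user

    def handle(self, f: Flow) -> str:
        """Return the firewall's verdict: a 302 redirect, TCP-RST, allow or deny."""
        # Step 1: Captive Portal policy runs before the security policy, first match wins.
        cp_action = next(r.action for r in CAPTIVE_PORTAL_POLICY if r.matches(f))
        if cp_action == "web-form" and f.src not in self.user_by_ip:
            # Only the first tcp/80 session in the window is hijacked and redirected;
            # further sessions from the same source are reset instead.
            last = self.last_redirect.get(f.src)
            if last is not None and f.t - last < RESET_WINDOW:
                return "TCP-RST"
            self.last_redirect[f.src] = f.t
            return f"302 Location: {PORTAL_URL}"
        # Step 2: web-form is skipped once the user is known (or never matched),
        # so the security policy decides based on the user mapped to the source IP.
        user = "known" if f.src in self.user_by_ip else "unknown"
        return next(r.action for r in SECURITY_POLICY if r.matches(f, user))


if __name__ == "__main__":
    fw = Firewall()
    pc = "10.1.1.50"   # an unauthenticated PC in Seg.A
    for flow in (Flow(pc, "www.example.com", "http", 0.0),
                 Flow(pc, "www.example.com", "http", 0.3),
                 Flow(pc, "www.example.com", "https", 0.5),
                 Flow(pc, "iau.trendmicro.com", "http", 0.6)):
        print(f"{flow.service:5} {flow.host:20} -> {fw.handle(flow)}")
    fw.login(pc, "alice")
    print("after login        -> " + fw.handle(Flow(pc, "www.example.com", "http", 5.0)))
```

Running the script prints the verdict for each sample flow. The hypothetical allow rule above the deny is what lets the Trend Micro flow through before login; remove it and the same flow is denied by the User = unknown rule, even though the Captive Portal policy excluded it from redirection.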

