Palo Alto CaptivePortal Authentication Exclusion

In PaloAlto, consider the case for a certain NW segment and authentication target of CaptivePortal.In its NW segment, "I want the host which has a certain IP address to communicate without sending the credential information," you have there is a need.

In such a case, using the XML-API  leads the only target IP to the state which is always authenticated .

How to use XML-API

Auto cooperation of using only the NW communication is also possible, but it is simple easy-to-understand better of manual registration using the WebUI of PaloAlto.

WebUI for the XML-API is called API Browser, URL is as follows.

https://[FQDN of Palo]/api/

Then you get the following screen.

You need originally the "API-KEY" information in order to use the XML-API, but if you access to the URL in a state authenticated to the normal management Web console, API-KEY is not required.

Certification = Authentication Exclusion

Click on the "User ID" in the API Browser, enter the XML such as the following, and then Submit.


<uid-message>
<version>1.0</version>
<type>update</type>
<payload>
<login>
<entry name="test-user1" ip="192.168.1.1"></entry>
<entry name="test-user2" ip="192.168.1.2"></entry>
</login>
</payload>
</uid-message>

If you want to delete and enter the XML below, and then Submit.


<uid-message>
<version>1.0</version>
<type>update</type>
<payload>
<logout>
<entry name="test-user1" ip="192.168.1.1"></entry>
</logout>
</payload>
</uid-message>

If you put and after the timeout = XX of ip = "~", but it is time-out after the registration after XX seconds, to be taken this, and it continues to be in effect until you delete (logout).

Confirmation can be from the CLI.

# show user ip-user-mapping all | match Never
192.168.1.2vsys1XMLAPItest-user2NeverNever

To share

  • このエントリーをはてなブックマークに追加

To follow