topic Re: How to skip CaptivePortal for one device? in General Topics

How to skip CaptivePortal for one device?

_slv_ — Thu, 11 Apr 2013 08:03:56 GMT

Hello

As you can see on this forum I have some configurations problems with CP.

In the zone where I have CP enabled I have Minolta BizHub c220 device (with static IP 192.168.3.251). This device has scan to email features. After I enabled CP for this zone of course noone email go to user.

I checked almost every thread on this forum, but I didn't get solutions.

As I understand for CP we have three types of polices: security, NAT and captive portal. NAT is simple in this case, security I configured:

and Captive Portal policy:

in logs I have traffic:

NTP and DNS traffic is allowed by Security rule, thats OK

I add another security policy to allow all traffic from this zone to untrust zone. Thats doesnt working for me.

So I tryed to go further and I add CP policy that should allowed traffic on port 465, but as you can see in log - this doesn't working too

How I should configure polices in such situation?

I believe that it is possible to configure on PAN. I didint find on BizHub ability to authenticate on CP/HotSpot.

With regards

Slawek

Re: How to skip CaptivePortal for one device?

UhMayYeah — Thu, 11 Apr 2013 11:32:37 GMT

Traffic logs show from zone as

Scholastcy instead of School.....?

Re: How to skip CaptivePortal for one device?

_slv_ — Thu, 11 Apr 2013 13:05:12 GMT

yep. Its's OK. In the meantime I changed zone name from Scholastcy to School.

I'm curious why today some of traffic are allowed when yestarday was blocked

Is it possible to let 3.251 not all traffic to port 465 but only ssl (or even better google mail)?

Re: How to skip CaptivePortal for one device?

_slv_ — Fri, 12 Apr 2013 12:44:09 GMT

OK - it's working. but ... I will "sleep better" when I limit type of application to google mail.

I have idea - in security rule "Scholastycy - ksero" change application from any to gmail - in my opinion it should limited ability to connect this BizHub to gmail.

I have questions for you: are my polices set up correctly according to best practices?

Re: How to skip CaptivePortal for one device?

Retired Member — Mon, 22 Jul 2013 16:15:12 GMT

Changing application to gmail-base should work and you can also use DNS name as destination in that rule for even more granular control.

To be on the safe side - I would attach more security profiles to rule "Scholastycy - DNS". But even better would be to delete that rule and set up DNS Proxy on PAN device to avoid, possible, DNS Tunneling.

Re: How to skip CaptivePortal for one device?

_slv_ — Tue, 23 Jul 2013 08:34:34 GMT

>can also use DNS name as destination

so should I put there "gmail.com" ? I have very limited access to this device and I can't test this change...

If in security policy is Aplication:dns Service:aplication-defaul with anty-spyware:strict - is it still possible to make a DNS Tunneling??

so it's a time to setup DNS proxy ...

Regards

Slawek

Re: How to skip CaptivePortal for one device?

Retired Member — Tue, 23 Jul 2013 08:44:17 GMT

You could put there DNS name of SMTP server the device is using. What it is - I do not know.

I believe it is, under some circumstances, check: https://live.paloaltonetworks.com/message/28579