https://live.paloaltonetworks.com/t5/general-topics/scheduled-captive-portal-and-byod/m-p/43090#M31612 <HTML><HEAD></HEAD><BODY><P>A policy can be scheduled using the option of Schedulers (Object&gt;Schedules) .</P><P>At present, schedules can be only applied to Security policies and not Captive portal policies.</P><P>You may speak to your SE if you would like to request this feature.</P><P></P><P>Closest option for scheduling CP would be to apply schedules to the security rule that allows applications dns and web-browsing for unknown-users, this way CP auth page will not be presented, but this option could be a bit clumsy.</P><P></P><P></P><P></P><P>HTH,</P><P>Ameya </P></BODY></HTML> Mon, 28 Oct 2013 18:45:41 GMT UhMayYeah 2013-10-28T18:45:41Z https://live.paloaltonetworks.com/t5/general-topics/scheduled-captive-portal-and-byod/m-p/43087#M31609 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>We use a PA500 box on 5.0.3 in a boarding school environment.</P><P></P><P>I want CP only to be active during lessons and not in the afternoon / evenings..&nbsp; However I cannot find how to apply a schedule to my CP.&nbsp; How do I do that?</P><P></P><P>Also the students are complaining about having to relogin every time one of their devices are powered up from suspended mode.&nbsp; Which CP settings do change to avoid this?&nbsp; </P><P>Can a CP user use multiple devices simultaneously under the same user account?</P><P></P><P>Thanks a lot for comments on this</P><P></P><P>regards Tor</P></BODY></HTML> Mon, 28 Oct 2013 16:53:46 GMT https://live.paloaltonetworks.com/t5/general-topics/scheduled-captive-portal-and-byod/m-p/43087#M31609 LCMember4427 2013-10-28T16:53:46Z https://live.paloaltonetworks.com/t5/general-topics/scheduled-captive-portal-and-byod/m-p/43088#M31610 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Captiv Portal policies can't be scheduled then they will be prompted everytime.</P><P>Yes, one acccount can be used on many devices.</P><P></P><P>Rgds</P><P></P><P>V.</P></BODY></HTML> Mon, 28 Oct 2013 17:21:09 GMT https://live.paloaltonetworks.com/t5/general-topics/scheduled-captive-portal-and-byod/m-p/43088#M31610 VinceM 2013-10-28T17:21:09Z https://live.paloaltonetworks.com/t5/general-topics/scheduled-captive-portal-and-byod/m-p/43089#M31611 <HTML><HEAD></HEAD><BODY><P>You mean prompted every time the schedule is switched on?</P><P></P><P>I meant to switch on the CP authentication at 7am and switch it off at 4pm.&nbsp; Users should have to log on at the first time they needed internet after 7am and then relogin every 4 hours if the session timeout was set to 4hrs.&nbsp; After 4pm they shouldn't be bugged with CP auth until next morning.</P><P></P><P>Sorry if I misunderstood you, but I tried to elaborate my scenario.</P><P></P><P>regards Tor</P></BODY></HTML> Mon, 28 Oct 2013 17:28:57 GMT https://live.paloaltonetworks.com/t5/general-topics/scheduled-captive-portal-and-byod/m-p/43089#M31611 LCMember4427 2013-10-28T17:28:57Z https://live.paloaltonetworks.com/t5/general-topics/scheduled-captive-portal-and-byod/m-p/43090#M31612 <HTML><HEAD></HEAD><BODY><P>A policy can be scheduled using the option of Schedulers (Object&gt;Schedules) .</P><P>At present, schedules can be only applied to Security policies and not Captive portal policies.</P><P>You may speak to your SE if you would like to request this feature.</P><P></P><P>Closest option for scheduling CP would be to apply schedules to the security rule that allows applications dns and web-browsing for unknown-users, this way CP auth page will not be presented, but this option could be a bit clumsy.</P><P></P><P></P><P></P><P>HTH,</P><P>Ameya </P></BODY></HTML> Mon, 28 Oct 2013 18:45:41 GMT https://live.paloaltonetworks.com/t5/general-topics/scheduled-captive-portal-and-byod/m-p/43090#M31612 UhMayYeah 2013-10-28T18:45:41Z https://live.paloaltonetworks.com/t5/general-topics/scheduled-captive-portal-and-byod/m-p/43091#M31613 <HTML><HEAD></HEAD><BODY><P>Hi</P><P>Just before the 'offending' CP user policies I tried to insert a new security policy for 'any' user scheduled to be active after school hours.&nbsp; I hoped that it would 'catch' everyone in the scheduled timeframe so they never jumped further to the CP policies further down.&nbsp; However they are still prompted for username and password.&nbsp; Is this because the Captive Portal policy for this subnet is active (and cannot be controlled by a schedule).&nbsp; Please elaborate if I misunderstood how to do this.</P><P></P><P>Also there is abosolutely not way to 'log off' a PanOS <SPAN style="font-size: 10pt; line-height: 1.5em;">captive portal session?&nbsp; Occasionally we make public computers available and it would be nice if the current user was able to log out before letting another user continue browsing the internet. </SPAN></P><P></P><P>regards </P><P></P><P>Tor</P></BODY></HTML> Fri, 08 Nov 2013 13:41:28 GMT https://live.paloaltonetworks.com/t5/general-topics/scheduled-captive-portal-and-byod/m-p/43091#M31613 LCMember4427 2013-11-08T13:41:28Z https://live.paloaltonetworks.com/t5/general-topics/scheduled-captive-portal-and-byod/m-p/43092#M31614 <HTML><HEAD></HEAD><BODY><P><SPAN style="; color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; text-decoration: underline;"><EM><STRONG> Is this because the Captive Portal policy for this subnet is active (and cannot be controlled by a schedule).&nbsp; Please elaborate if I misunderstood how to do this?</STRONG></EM></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">CP page would be prompted as long as the HTTP GET request/HTTPS transaction reaches firewall's CP zone.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;">Applying&nbsp; schedules to the <STRONG>security rule</STRONG> that allows applications <STRONG>dns</STRONG><STRONG> and web-browsing</STRONG> for unknown-users would ensure that DNS resolution and web-traffic only succeeds during the desired schedule, indirectly controlling the prompting of CP auth page.</SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="; color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; text-decoration: underline;"><EM style="color: #3b3b3b; text-decoration: underline; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; text-decoration: underline;"><STRONG>Also there is </STRONG><STRONG>abosolutely not way to 'log off' a PanOS </STRONG></SPAN><SPAN style="font-size: 10pt; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b; text-decoration: underline;"><STRONG>captive portal session?&nbsp; Occasionally we make public computers available and it would be nice if the current user was able to log out before letting another user continue browsing the internet.</STRONG></SPAN></EM></SPAN></P><P></P><P><SPAN style="font-size: 10pt; line-height: 1.5em;">Firewall sets a cookie so that future login requests</SPAN><SPAN style="font-size: 10pt; line-height: 1.5em;"> become transparent to the user using session cookies in redirect mode, if the browser has not been closed,</SPAN></P><P><SPAN style="font-size: 10pt;">Try disabling this option so that a new user has to login when the current user closes the browser window.</SPAN></P><P><SPAN style="font-size: 10pt;">Currently there is no option to log off a CP user.<BR /></SPAN></P><P><SPAN style="font-size: 10pt;"><BR /></SPAN></P><P><SPAN style="font-size: 10pt;">HTH,</SPAN></P><P><SPAN style="font-size: 10pt;">Ameya <BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P><P><SPAN style="color: #3b3b3b; font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif;"><BR /></SPAN></P></BODY></HTML> Fri, 08 Nov 2013 21:16:35 GMT https://live.paloaltonetworks.com/t5/general-topics/scheduled-captive-portal-and-byod/m-p/43092#M31614 UhMayYeah 2013-11-08T21:16:35Z https://live.paloaltonetworks.com/t5/general-topics/scheduled-captive-portal-and-byod/m-p/43093#M31615 <HTML><HEAD></HEAD><BODY><P>a simple ssh-script that automatically logs in and runs the command:</P><P></P><P><SPAN style="text-decoration: underline;">to disable:</SPAN></P><P><EM>configure</EM></P><P><EM>set rulebase captive-portal rules <SPAN style="text-decoration: underline;">CWP</SPAN> action no-captive-portal</EM></P><P><EM>commit</EM></P><P></P><P><SPAN style="text-decoration: underline;"> or to enable:</SPAN></P><P><EM>configure</EM></P><P><EM>set rulebase captive-portal rules <SPAN style="text-decoration: underline;">CWP</SPAN> action web-form</EM></P><P><EM>commit</EM></P><P>'</P><P>Dirty, but running that on a schedule should do the trick.</P></BODY></HTML> Wed, 20 Nov 2013 13:51:27 GMT https://live.paloaltonetworks.com/t5/general-topics/scheduled-captive-portal-and-byod/m-p/43093#M31615 raystr 2013-11-20T13:51:27Z