https://live.paloaltonetworks.com/t5/general-topics/captive-portal-https-ssl-decrypt/m-p/429884#M94957 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>&nbsp;</P><P>Good afternoon, thank you very much for the answer, it is clearer for me.</P><P>&nbsp;</P><P>And regarding the certificates, I can use the same example, public certificate for the SSL Decrypt and also be used by the Captive Portal in the SSL/TLS profile.</P><P>&nbsp;</P><P>I remain attentive, best regards, thank you.</P> Sat, 28 Aug 2021 04:47:29 GMT Metgatz 2021-08-28T04:47:29Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-https-ssl-decrypt/m-p/429831#M94948 <P>Captive Portal HTTPS decrypt</P><P>&nbsp;</P><P>Dear all:</P><P>&nbsp;</P><P>Very good afternoon, I have the following doubts and concerns:</P><P>-Is it mandatory to configure SSL Decrypt ( I understand that yes, please confirm, it is for the point that when they enter a HTTPS site, it displays the captive portal in HTTPS ).</P><P>&nbsp;</P><P>Thinking to avoid having to manually pass and distribute the certificate, as it is impractical, e.g. for external devices, smart phones, etc. to have to install the self signed certificate from Palo Alto, is it possible to generate a CSR and use the Public certificate, externally signed, e.g. Global sing, etc, to be used for the SSL decrypt and the captive portal ?</P><P>&nbsp;</P><P>In this case the certificate would be externally validated, thinking in the computers, laptops, cell phones and external devices, but this certificate in the Palo Alto, would be only tied / linked to the LAN interface of Palo Alto, with a local DNS A record of example: My portal.mydomain.com, a local domain, but not external, there would be no problems with validation if the FQDN or CN Hostname of the certificate, resolves to a local IP (The LAN IP of Palo Alto).</P><P>&nbsp;</P><P>Please I remain attentive to all your comments, I appreciate the support, the clarification that you can give me.</P><P>&nbsp;</P><P>Thank you,</P><P>&nbsp;</P><P>I remain attentive, best regards.</P><P>&nbsp;</P> Fri, 27 Aug 2021 23:39:07 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-https-ssl-decrypt/m-p/429831#M94948 Metgatz 2021-08-27T23:39:07Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-https-ssl-decrypt/m-p/429854#M94949 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/179185">@Metgatz</a>,</P><P><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClevCAC" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClevCAC</A></P><P>It you are looking to intercept the HTTPS traffic you need to enable decryption to actually send the 302. Depending on a number of factors on how your non-managed devices and equipment your using there's ways to serve a splash page that prompts users connecting to download and internal your certificates.&nbsp;</P> Sat, 28 Aug 2021 02:51:38 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-https-ssl-decrypt/m-p/429854#M94949 BPry 2021-08-28T02:51:38Z https://live.paloaltonetworks.com/t5/general-topics/captive-portal-https-ssl-decrypt/m-p/429884#M94957 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp;</P><P>&nbsp;</P><P>Good afternoon, thank you very much for the answer, it is clearer for me.</P><P>&nbsp;</P><P>And regarding the certificates, I can use the same example, public certificate for the SSL Decrypt and also be used by the Captive Portal in the SSL/TLS profile.</P><P>&nbsp;</P><P>I remain attentive, best regards, thank you.</P> Sat, 28 Aug 2021 04:47:29 GMT https://live.paloaltonetworks.com/t5/general-topics/captive-portal-https-ssl-decrypt/m-p/429884#M94957 Metgatz 2021-08-28T04:47:29Z