How to skip CaptivePortal for one device?

L4 Transporter

Hello

As you can see on this forum I have some configurations problems with CP.

In the zone where I have CP enabled I have a Minolta BizHub c220 device (with static IP 192.168.3.251). This device has a scan-to-email feature. After I enabled CP for this zone, of course no email gets to the users.

I checked almost every thread on this forum, but I didn't get solutions.

As I understand, for CP we have three types of policies: security, NAT and captive portal. NAT is simple in this case; security I configured:

[screenshot: 2013-04-10_144107.png]

and Captive Portal policy:

[screenshot: 2013-04-10_144142.png]

in the logs I have this traffic:

[screenshot: 2013-04-10_144401.png]

NTP and DNS traffic is allowed by the Security rule, that's OK.

I added another security policy to allow all traffic from this zone to the untrust zone. That doesn't work for me.

So I tried to go further and added a CP policy that should allow traffic on port 465, but as you can see in the log, this doesn't work either.

How should I configure policies in such a situation?

I believe that it is possible to configure this on the PAN. I didn't find on the BizHub the ability to authenticate on CP/HotSpot.

With regards

Slawek

L5 Sessionator

Re: How to skip CaptivePortal for one device?

Traffic logs show the from-zone as Scholastcy instead of School...?

L4 Transporter

Re: How to skip CaptivePortal for one device?

Yep, it's OK. In the meantime I changed the zone name from Scholastcy to School.

I'm curious why today some of the traffic is allowed when yesterday it was blocked:

[screenshot: 2013-04-11_150317.png]

Is it possible to let 3.251 send not all traffic to port 465 but only SSL (or, even better, Google Mail)?

L4 Transporter

Re: How to skip CaptivePortal for one device?

OK - it's working. But ... I will "sleep better" when I limit the type of application to Google Mail.

I have an idea - in the security rule "Scholastycy - ksero", change the application from any to gmail - in my opinion it should limit this BizHub to connecting only to gmail.

I have a question for you: are my policies set up correctly according to best practices?

L3 Networker

Re: How to skip CaptivePortal for one device?

Changing the application to gmail-base should work, and you can also use a DNS name as the destination in that rule for even more granular control.

To be on the safe side, I would attach more security profiles to the rule "Scholastycy - DNS". But even better would be to delete that rule and set up DNS Proxy on the PAN device to avoid possible DNS tunneling.
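To make the "three rulebases" picture from the thread concrete, here is an added example that is not the thread's configuration and not PAN-OS code: a small Python model of first-match evaluation over a security rulebase and a captive portal rulebase, with the printer exempted by a captive portal rule whose action is named after PAN-OS's `no-captive-portal` action. The rule names "Scholastycy - ksero" and "Scholastycy - DNS", the zones School and untrust and the BizHub address 192.168.3.251 come from the thread; the third security rule, the student address 192.168.3.20, the App-ID names attached to each rule and the two-step evaluation order are assumptions of the model, which deliberately ignores App-ID shifting, the user field and service/port matching.

```python
"""Constructed model of first-match policy evaluation (added example, not PAN-OS code)."""
import ipaddress
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    sources: tuple   # CIDR strings, or (ANY,)
    apps: tuple      # App-ID names, or (ANY,)
    action: str      # security: "allow"/"deny"; captive portal: "web-form"/"no-captive-portal"


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    src_ip: str
    app: str


def _src_matches(sources, ip):
    if sources == (ANY,):
        return True
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(n, strict=False) for n in sources)


def first_match(rules, flow):
    """Top-down, first hit wins: zones, source address and application must all match."""
    for r in rules:
        if r.src_zone not in (ANY, flow.src_zone) or r.dst_zone not in (ANY, flow.dst_zone):
            continue
        if not _src_matches(r.sources, flow.src_ip):
            continue
        if r.apps != (ANY,) and flow.app not in r.apps:
            continue
        return r
    return None


def evaluate(security_rules, cp_rules, flow):
    """Simplified verdict: the security rulebase decides allow/deny; for an allowed
    flow the captive portal rulebase decides whether it is exempted or redirected.
    (Assumed ordering for illustration; not a description of the PAN-OS packet path.)"""
    sec = first_match(security_rules, flow)
    if sec is None or sec.action != "allow":
        return ("deny", sec.name if sec else "interzone-default")
    cp = first_match(cp_rules, flow)
    if cp is None or cp.action == "no-captive-portal":
        return ("allow", sec.name)
    return ("captive-portal", cp.name)


# Constructed rulebases; only the first two rule names and 192.168.3.251 are from the thread.
SECURITY = [
    Rule("Scholastycy - DNS", "School", "untrust", (ANY,), ("dns",), "allow"),
    Rule("Scholastycy - ksero", "School", "untrust", ("192.168.3.251/32",), ("gmail-base",), "allow"),
    Rule("Scholastycy - web", "School", "untrust", (ANY,), ("web-browsing", "ssl"), "allow"),  # assumed
]
CAPTIVE_PORTAL = [
    Rule("BizHub exempt", "School", "untrust", ("192.168.3.251/32",), (ANY,), "no-captive-portal"),
    Rule("Students", "School", "untrust", (ANY,), ("web-browsing",), "web-form"),
]


def bizhub_gmail():
    """The printer sending mail through gmail-base: allowed, no portal."""
    return evaluate(SECURITY, CAPTIVE_PORTAL, Flow("School", "untrust", "192.168.3.251", "gmail-base"))


def bizhub_other_smtp():
    """The printer trying plain smtp to some other relay: no rule matches, denied."""
    return evaluate(SECURITY, CAPTIVE_PORTAL, Flow("School", "untrust", "192.168.3.251", "smtp"))


def student_web():
    """A student PC (constructed address) browsing: allowed, but sent to the portal form."""
    return evaluate(SECURITY, CAPTIVE_PORTAL, Flow("School", "untrust", "192.168.3.20", "web-browsing"))


if __name__ == "__main__":
    for fn in (bizhub_gmail, bizhub_other_smtp, student_web):
        print(f"{fn.__name__:18s} -> {fn()}")
```

The point the model makes is the one the thread arrives at: the exemption lives in the captive portal rulebase (a source-specific rule with `no-captive-portal` placed above the general web-form rule), while the application restriction to gmail-base lives in the security rulebase, so the printer can reach Gmail and nothing else.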

L4 Transporter

Re: How to skip CaptivePortal for one device?

>can also use DNS name as destination

So should I put "gmail.com" there? I have very limited access to this device and I can't test this change...

If the security policy has Application: dns, Service: application-default, with anti-spyware: strict, is it still possible to do DNS tunneling??

So it's time to set up DNS proxy ...

Regards

Slawek

L3 Networker

Re: How to skip CaptivePortal for one device?

You could put there the DNS name of the SMTP server the device is using. What it is, I do not know.

I believe it is, under some circumstances; check: https://live.paloaltonetworks.com/message/28579
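The DNS tunneling concern raised in the last two replies, as an added example that is not from the thread: a small Python detector run over constructed DNS query log lines, scoring each (client, domain) pair on the number of distinct subdomains, the Shannon entropy of the leftmost label and the share of TXT/NULL queries. The log format (timestamp, client IP, query type, query name), the client addresses, the domain tunnel-example.net, and the thresholds are all assumptions; the "registered domain" is approximated by the last two labels, which a production detector would replace with a public-suffix lookup.

```python
"""Constructed DNS tunneling indicator check (added example, not from the thread)."""
import math
import re
from collections import defaultdict

# Constructed sample log. Assumed format: "<timestamp> <client-ip> <qtype> <qname>".
# The 32-character labels are built so that every hex digit appears exactly twice.
SAMPLE_LOG = """\
2013-04-11T15:00:01 192.168.3.20 A www.google.com
2013-04-11T15:00:02 192.168.3.20 A mail.google.com
2013-04-11T15:00:02 192.168.3.20 A 0.pl.pool.ntp.org
2013-04-11T15:00:03 192.168.3.40 TXT 0123456789abcdef0123456789abcdef.t.tunnel-example.net
2013-04-11T15:00:03 192.168.3.40 TXT fedcba9876543210fedcba9876543210.t.tunnel-example.net
2013-04-11T15:00:04 192.168.3.40 TXT 00112233445566778899aabbccddeeff.t.tunnel-example.net
2013-04-11T15:00:04 192.168.3.40 TXT ffeeddccbbaa99887766554433221100.t.tunnel-example.net
2013-04-11T15:00:05 192.168.3.40 TXT 0f1e2d3c4b5a69780f1e2d3c4b5a6978.t.tunnel-example.net
2013-04-11T15:00:05 192.168.3.40 TXT 8796a5b4c3d2e1f08796a5b4c3d2e1f0.t.tunnel-example.net
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumed approximation: the last two labels (no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Return (client, qtype, qname) tuples; lines that do not fit the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, client, qtype, qname = m.groups()
            records.append((client, qtype.upper(), qname.lower()))
    return records


def profile(records):
    """Aggregate per (client, registered domain): distinct subdomains, label entropies, query types."""
    groups = defaultdict(lambda: {"subdomains": set(), "entropies": [], "queries": 0, "txt": 0})
    for client, qtype, qname in records:
        g = groups[(client, registered_domain(qname))]
        g["queries"] += 1
        if qtype in ("TXT", "NULL"):        # record types commonly carrying bulk payloads
            g["txt"] += 1
        labels = qname.split(".")
        if len(labels) > 2:
            g["subdomains"].add(".".join(labels[:-2]))
            g["entropies"].append(shannon_entropy(labels[0]))
    return groups


def suspicious(records, min_unique=5, min_entropy=3.5):
    """Flag (client, domain) pairs with many distinct, high-entropy subdomains or a TXT/NULL-heavy mix.
    Thresholds are assumed starting points, to be tuned against a site's own baseline."""
    flagged = []
    for (client, domain), g in profile(records).items():
        unique = len(g["subdomains"])
        mean_entropy = sum(g["entropies"]) / len(g["entropies"]) if g["entropies"] else 0.0
        txt_share = g["txt"] / g["queries"]
        if unique >= min_unique and (mean_entropy >= min_entropy or txt_share > 0.5):
            flagged.append((client, domain, unique, round(mean_entropy, 2), round(txt_share, 2)))
    return sorted(flagged)


if __name__ == "__main__":
    for hit in suspicious(parse_log(SAMPLE_LOG)):
        print("suspicious:", hit)
```

Run as-is it flags only the constructed 192.168.3.40 / tunnel-example.net pair; the Google and NTP lookups from 192.168.3.20 have too few distinct subdomains and near-zero label entropy. Whether the firewall's DNS proxy or anti-spyware profile sees the queries at all is a separate question; this kind of check is what you run on whatever DNS logs you do have.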
