Captive Portal HTTPS SSL decrypt


L4 Transporter

Captive Portal HTTPS decrypt

 

Dear all:

 

Very good afternoon, I have the following doubts and concerns:

- Is it mandatory to configure SSL Decrypt? (I understand that it is, please confirm; it is so that when they enter an HTTPS site, it displays the captive portal in HTTPS.)

 

To avoid having to manually pass around and distribute the certificate, as it is impractical, e.g. for external devices, smartphones, etc., to have to install the self-signed certificate from Palo Alto, is it possible to generate a CSR and use a public certificate, externally signed, e.g. by GlobalSign, etc., to be used for the SSL decrypt and the captive portal?

 

In this case the certificate would be externally validated, thinking of the computers, laptops, cell phones and external devices, but this certificate on the Palo Alto would only be tied / linked to the LAN interface of the Palo Alto, with a local DNS A record, for example: My portal.mydomain.com, a local domain, but not external, there would be no problems with validation if the FQDN or CN hostname of the certificate resolves to a local IP (the LAN IP of the Palo Alto).

 

Please I remain attentive to all your comments, I appreciate the support, the clarification that you can give me.

 

Thank you,

 

I remain attentive, best regards.

 

High Sticker
2 REPLIES

Cyber Elite

@Metgatz,

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClevCAC

If you are looking to intercept the HTTPS traffic, you need to enable decryption to actually send the 302. Depending on a number of factors, including your non-managed devices and the equipment you're using, there are ways to serve a splash page that prompts connecting users to download and install your certificates.

@BPry 

 

Good afternoon, thank you very much for the answer, it is clearer for me.

 

And regarding the certificates, I can use the same example, public certificate for the SSL Decrypt and also be used by the Captive Portal in the SSL/TLS profile.

 

I remain attentive, best regards, thank you.

High Sticker