09-18-2012 08:54 AM
Hi,
PANOS 4.1.6
Client OS: Windows 7
Client Browser: Google Chrome 21.0.1180.89
I have PAN running with Captive Portal (public certificate with AD auth profile). Everything works fine when I use Firefox, Chrome and IE (in the case of IE except for the small hitch discussed here in this forum when running on Windows 7). I am prompted to authenticate via the web form without any certificate warning etc. However, when I try gmail.com in Chrome (and it only happens in Chrome), it simply takes me through and lets me log in to Gmail and do whatever I want. It's true for certain other Google Apps services (like Chrome Web Store, Google Analytics etc.) too. Captive Portal is running in Redirect mode on the Trust interface (L3).
Any thoughts please?
Cheers.
09-18-2012 10:41 AM
What do your captive portal policy and security policy look like?
09-18-2012 11:36 PM
Hi,
CP Rule is
from Trust VLAN 20 -> to Untrust any any services http/https/ftp captive-portal
from Trust Any -> to Untrust any any services http/https/ftp no-captive-portal
Security Rule is
From Trust Any Any to Untrust Any Any DENY p2p-apps No-Profiles
From Trust Any Any to Untrust Any Any ALLOW Any Profiles
Thanks
09-19-2012 06:47 AM
Did you enable SSL Decryption? If not, when HTTPS is used, Captive Portal will be ignored.
09-19-2012 06:57 AM
Hello umphmharding,
I have done some more tweaking since my earlier post with the CP and security rules you asked for. As an update to that, what I have done is create a top rule blocking ALL applications from Trust to Untrust for 'Unknown' users. This now helps me block all traffic unless properly authenticated with Captive Portal. However, interestingly, if Chrome is now launched and I try accessing Gmail or a similar Google Apps service, the browser simply does NOT take me anywhere, not even to the captive portal. Again, if I access some other site I am prompted with the CP, authenticate myself and everything goes smoothly.
So it looks like it has something to do with the way Chrome initiates its session with Google services???
Thanks
09-19-2012 07:05 AM
Your rule "from Trust VLAN 20 -> to Untrust any any services http/https/ftp captive-portal" will be ignored on SSL (HTTPS) if you don't have SSL Decryption enabled.
09-19-2012 07:07 AM
I did that before. But if I do enable it, then I run into warning page problems as I don't have an internal CA.
But again, if what you said is the case, why are the other browsers (FF and IE) taking me to the CP when I access the same Gmail services?
Thanks
09-19-2012 07:10 AM
The very first connection of your browser is the one that counts: is it possible that you open HTTP instead of HTTPS with Chrome while not with IE and FF?
In my company, Chrome defaults to connecting to Google with HTTPS.
If you take a Wireshark trace (one for each browser) you will see what kind of connection each browser is making.
For SSL Decryption: yes, you get errors if you don't invest a lot of time to set it up properly.
09-19-2012 07:12 AM
OK, I changed the rule "from Trust VLAN 20 -> to Untrust any any services http/https/ftp captive-portal" to a new rule as below:
"from Trust VLAN 20 -> to Untrust any any services ANY captive-portal"
I also enabled SSL Decrypt now, and the situation is that it (Chrome) still does not take me to the CP page; instead it takes me to the certificate warning page, which means my SSL Decrypt rule is in place. But as before, all other browsers get me to the CP.
09-19-2012 07:15 AM
If other browsers aren't complaining about certificates, it means that they aren't being affected by the SSL decryption rule (so they aren't using HTTPS?).
Again, I think that if you want to make sure, you should get one Wireshark network capture for each browser; you will get a quick and 100% sure answer.
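To make the distinction drawn above concrete, here is an added Python illustration (not code from this thread or from Palo Alto Networks): it classifies the first client bytes of a TCP flow as a plaintext HTTP request, whose Host header is visible and whose response the firewall can rewrite into a portal redirect, or as a TLS ClientHello, where at most the SNI name is visible and no redirect can be injected without decryption. The two sample payloads are constructed, standing in for what a per-browser capture would show.

```python
import struct

def parse_http_request(payload):
    """(method, host) if payload is a plaintext HTTP request, else None."""
    lines = payload.partition(b"\r\n\r\n")[0].split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/"):
        return None
    host = next((l.partition(b":")[2].strip().decode("ascii", "replace")
                 for l in lines[1:] if l.partition(b":")[0].strip().lower() == b"host"), None)
    return parts[0].decode("ascii"), host

def parse_tls_sni(payload):
    """SNI host from a TLS ClientHello, else None (no plaintext URL exists here)."""
    if len(payload) < 43 or payload[0] != 0x16 or payload[5] != 0x01:
        return None
    pos = 43                                    # record(5)+hs hdr(4)+version(2)+random(32)
    pos += 1 + payload[pos]                                   # session id
    pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]   # cipher suites
    pos += 1 + payload[pos]                                   # compression methods
    ext_end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", payload[pos:pos + 4])
        pos += 4
        if etype == 0:    # server_name: list len(2), name type(1), name len(2), name
            n = struct.unpack("!H", payload[pos + 3:pos + 5])[0]
            return payload[pos + 5:pos + 5 + n].decode("ascii")
        pos += elen
    return None

def classify_first_request(payload):
    """Say whether a redirect-mode captive portal could act on this first packet."""
    http = parse_http_request(payload)
    if http:
        return "http", http[1], "redirectable: the HTTP response can be rewritten"
    sni = parse_tls_sni(payload)
    if sni:
        return "tls", sni, "not redirectable without SSL decryption"
    return "unknown", None, "not redirectable"

def build_client_hello(sni):
    """Construct a minimal TLS 1.2 ClientHello carrying an SNI extension (sample data)."""
    name = sni.encode()
    sni_ext = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)   # version, random, sid, suites, comp, exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed samples: a browser that opens http://gmail.com first vs one that goes straight to TLS.
FIREFOX_FIRST = b"GET / HTTP/1.1\r\nHost: gmail.com\r\n\r\n"
CHROME_FIRST = build_client_hello("mail.google.com")
```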
09-19-2012 08:00 AM
You are right... So Chrome goes directly to HTTPS, whereas the other browsers do not. I was about to use Wireshark, but then I figured it out from the URL seen on the CP.
So that means if the user tries an HTTPS site the very first time and I don't have SSL Decrypt enabled, CP is of no use? Getting an internal CA won't be easy for now. So isn't there a workaround to serve the purpose without SSL Decrypt, please?
09-19-2012 08:05 AM
Unfortunately no: to be able to send the browser to a portal page, the firewall must rewrite the HTTP answer; it's obviously not possible when the stream is encrypted with SSL, unless you enable SSL Decryption, which allows the PA to see the real clear-text traffic.
Also, SSL Decryption has many drawbacks and problems, so I currently disabled it on Google services because of incompatibilities; but it's achievable with a lot of work.
I suggest you start playing with User Agent (reads Windows logon events on the Domain Controller) or GlobalProtect Portal.
09-19-2012 08:51 AM
Hmm.. I get that now. Thanks.
Could be silly, but I am wondering if I could present the 'unknown' user with a URL Category blocked page (for any site he visits as long as he is unknown). I could at least customize the blocked page to ask them to click on an HTTP link there, where he is then taken to the CP, authenticates, and then things work the way we wanted... I am yet to go through the various rulebase processing flows... But does this make any sense to you?
09-19-2012 08:56 AM
When visiting SSL (HTTPS) sites you can only 'cut' the connection if you don't decrypt it; you cannot provide a nice warning/error message.
If you are using Windows accounts for login and don't have many remote offices, the User Agent is very quick to set up and you can forget CP forever.
09-19-2012 09:17 AM
Yeah, I see that too. I kept a security policy on the top saying ALLOW everything from any to any for the 'unknown' user, but with a URL profile that blocks ALL categories. Now it seems that if I open Chrome and access https://gmail, I can't access it, but nor is there a CP popping up. I was thinking that since the traffic is HTTPS, the captive portal is skipped and hence the URL block might get imposed (even if it's HTTPS, I believe it should still categorise it as the 'Unknown' URL category from the name found on the certificate) with the blocked page notification. However, the session doesn't progress and I don't seem to get a URL Category blocked page either... so..!!!!
I am mostly in a Mac environment and hence the User-ID stuff isn't doing so great for me. Another purpose is to make sure 'bad' external consultants do not misuse wired Ethernet ports too.