How to skip CaptivePortal for one device?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

How to skip CaptivePortal for one device?

L4 Transporter

Hello

As you can see on this forum I have some configurations problems with CP.

In the zone where I have CP enabled I have Minolta BizHub c220 device (with static IP 192.168.3.251). This device has scan to email features. After I enabled CP for this zone of course noone email go to user.

I checked almost every thread on this forum, but I didn't get solutions.

As I understand for CP we have three types of polices: security, NAT and captive portal. NAT is simple in this case, security I configured:

2013-04-10_144107.png

and Captive Portal policy:

2013-04-10_144142.png

in logs I have traffic:

2013-04-10_144401.png

NTP and DNS traffic is allowed by Security rule, thats OK

I add another security policy to allow all traffic from this zone to untrust zone. Thats doesnt working for me.

So I tryed to go further and I add CP policy that should allowed traffic on port 465, but as you can see in log - this doesn't working too

How I should configure polices in such situation?

I believe that it is possible to configure on PAN. I didint find on BizHub ability to authenticate on CP/HotSpot.

With regards

Slawek

6 REPLIES 6

L5 Sessionator

Traffic logs show from zone as

Scholastcy instead of School.....?

yep. Its's OK. In the meantime I changed zone name from Scholastcy to School.

I'm curious why today some of traffic are allowed when yestarday was blocked

2013-04-11_150317.png

Is it possible to let 3.251 not all traffic to port 465 but only ssl (or even better google mail)?

OK - it's working. but ... I will "sleep better" when I limit type of application to google mail.

I have idea - in security rule "Scholastycy - ksero" change application from any to gmail - in my opinion it should limited ability to connect this BizHub to gmail.

I have questions for you: are my polices  set up correctly according to best practices?

Changing application to gmail-base should work and you can also use DNS name as destination in that rule for even more granular control.

To be on the safe side - I would attach more security profiles to rule "Scholastycy - DNS". But even better would be to delete that rule and set up DNS Proxy on PAN device to avoid, possible, DNS Tunneling.

>can also use DNS name as destination

so should I put there "gmail.com" ? I have very limited access to this device and I can't test this change...

If in security policy is Aplication:dns Service:aplication-defaul with anty-spyware:strict - is it still possible to make a DNS Tunneling??

so it's a time to setup DNS proxy ...

Regards

Slawek

You could put there DNS name of SMTP server the device is using. What it is - I do not know.

I believe it is, under some circumstances, check: https://live.paloaltonetworks.com/message/28579

  • 2868 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!