How to skip CaptivePortal for one device?


L4 Transporter

Hello

As you can see on this forum, I have some configuration problems with CP.

In the zone where I have CP enabled I have a Minolta BizHub c220 device (with static IP 192.168.3.251). This device has a scan-to-email feature. After I enabled CP for this zone, of course, no email reaches the users any more.

I checked almost every thread on this forum, but I didn't find a solution.

As I understand it, for CP we have three types of policies: security, NAT and captive portal. NAT is simple in this case; the security policy I configured like this:

[attachment: 2013-04-10_144107.png]

and Captive Portal policy:

[attachment: 2013-04-10_144142.png]

In the logs I have this traffic:

[attachment: 2013-04-10_144401.png]

NTP and DNS traffic is allowed by the security rule, that's OK.

I added another security policy to allow all traffic from this zone to the untrust zone. That doesn't work for me.

So I tried to go further and added a CP policy that should allow traffic on port 465, but as you can see in the log, this doesn't work either.

How should I configure the policies in such a situation?

I believe it is possible to configure this on the PAN. I didn't find on the BizHub any ability to authenticate on a CP/HotSpot.

With regards

Slawek

6 REPLIES

L5 Sessionator

Traffic logs show the from-zone as Scholastcy instead of School...?

Yep. It's OK. In the meantime I changed the zone name from Scholastcy to School.

I'm curious why today some of the traffic is allowed when yesterday it was blocked:

[attachment: 2013-04-11_150317.png]

Is it possible to allow 3.251 not all traffic to port 465 but only SSL (or, even better, Google Mail)?

OK, it's working. But... I will "sleep better" when I limit the type of application to Google Mail.

I have an idea: in the security rule "Scholastycy - ksero" change the application from any to gmail. In my opinion it should limit this BizHub to connecting to gmail only.

I have a question for you: are my policies set up correctly according to best practices?

Changing the application to gmail-base should work, and you can also use a DNS name as the destination in that rule for even more granular control.

To be on the safe side, I would attach more security profiles to the rule "Scholastycy - DNS". But even better would be to delete that rule and set up DNS Proxy on the PAN device to avoid possible DNS tunneling.

>can also use DNS name as destination

So should I put "gmail.com" there? I have very limited access to this device and I can't test this change...

If the security policy has Application: dns, Service: application-default with Anti-Spyware: strict, is it still possible to do DNS tunneling??

So it's time to set up DNS Proxy...

Regards

Slawek

You could put there the DNS name of the SMTP server the device is using. What it is, I do not know.

I believe it is, under some circumstances; check: https://live.paloaltonetworks.com/message/28579
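As an added illustration of the advice in the replies above (not configuration posted by anyone in this thread), here is what the two rules would look like as PAN-OS configure-mode `set` commands: a security rule that restricts the printer to gmail-base towards its SMTP server with the built-in "strict" anti-spyware profile attached, and a Captive Portal rule that exempts only that one source. The printer IP 192.168.3.251 and the rule name "Scholastycy - ksero" are from the thread; the address-object names, the rule name "ksero-no-cp" and the zone name `untrust` are assumptions, and `<smtp-server-fqdn>` is a placeholder for whatever SMTP host the BizHub is configured to use. The command syntax is written from memory of the PAN-OS CLI of that era and should be checked against the version actually deployed.

```text
configure

# Address objects (names are assumptions; the printer IP is from the post,
# the SMTP server FQDN is a placeholder the admin has to fill in)
set address bizhub-printer ip-netmask 192.168.3.251/32
set address bizhub-smtp-server fqdn <smtp-server-fqdn>

# Security rule: the printer may only talk gmail-base to its SMTP server,
# on the application's default ports, with the "strict" anti-spyware profile
set rulebase security rules "Scholastycy - ksero" from School to untrust source bizhub-printer destination bizhub-smtp-server application gmail-base service application-default action allow
set rulebase security rules "Scholastycy - ksero" profile-setting profiles spyware strict

# Captive Portal rule: exempt only this source, so its sessions are never
# redirected to the portal; every other host in the zone still hits the
# existing web-form rule
set rulebase captive-portal rules "ksero-no-cp" from School to untrust source bizhub-printer destination any service any action no-captive-portal

# Captive Portal rules are evaluated top-down, so the exemption must sit
# above the general web-form rule
move rulebase captive-portal rules "ksero-no-cp" top

commit
```

Two caveats a practitioner would check before relying on this: if the BizHub is hard-wired to port 465 and that port is not among gmail-base's default ports on the installed content version, `service application-default` will not match and a dedicated tcp/465 service object is needed instead; and on PAN-OS 8.0 and later the Captive Portal rulebase was replaced by Authentication Policy, so the `rulebase captive-portal` lines above apply only to older releases such as the one in this 2013 thread.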
