Yup - that's my understanding of how it works.
So - my question once again: is there any way to see what is causing the captive portal connections? The logs only show successful flow of traffic, not attempts to port 80 that are stopped or presented an auth page by CP.
See if there is a captive-portal log & view it via the CLI. You may need to contact Support if the log file is not generated.
admin@pa2050> tail follow yes mp-log captive_portal.log
Or issue a packet capture from the PA device. Set the filters for dest ports: 6080 and 6082
6080 Captive Portal captive portal redirect
6082 Captive portal and captive portal redirect with certificate
Just an update on this:
Finally received a response regarding this: It's not possible to see what destination IP (or URL) is causing captive portal to intercept. Neither the GUI logs nor any CLI log files include this information. The captive portal log no longer exists in PAN 4.x.x, and the logs containing CP info do not contain the dest IP.
The only way we've been able to do it is to turn off captive portal and let all unidentified traffic pass from the CP rules to the security rules where they are blocked (unknown URL traffic is blocked in our environment). At that point we can check the logs. Unfortunately, this process affects the production environment, so disabling CP for 5 to 10 minutes is the only viable option.