Traffic log of non-authenticated captive portal sessions


Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

L1 Bithead

Traffic log of non-authenticated captive portal sessions

I read this clear and useful article from @arsimon : Non-Authenticated Captive Portal Session Will Not be Logged by the Palo Alto Networks Device



These non-authenticated captive portal sessions can represent quite a lot of data. For example (after some testing), Firefox Linux v56 sends one captive portal probe every 3 seconds, and Palo Alto captive portal responds to those probes with the captive portal web form. This produces ~ 15KB every 3 seconds (~430MB/day) , which is a large amount of data that we would like to monitor for our satellite environment use case.


All this traffic (the initial WGET TCP sessions initiated by client + the authentication web form sent by the Palo in another TCP session) cannot be seen in the traffic logs, which is expected according to @arsimon's article. Here is another article that mentions that the sessions details are only temporary available in the GUI in the session browser: FORW Type Session with Destination Zone "captive-portal"



So 2 questions in order to be able to account for this traffic:

  1. Is there any way to produce traffic logs for those non-authenticated sessions? (I tried creating a security rule matching captive portal traffic, without success)
  2. Is there a log somewhere that would say something like "TIMESTAMP - captive portal sent login page to IP XXXX" . From this, we could approximately recontruct the amount of data used (~ * 15KB) 


 Note that above tests were done using Palo Alto 8.0.5 (VM100)

Tags (2)
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!