I read this clear and useful article from @arsimon: Non-Authenticated Captive Portal Session Will Not be Logged by the Palo Alto Networks Device
These non-authenticated captive portal sessions can represent quite a lot of data. For example (after some testing), Firefox Linux v56 sends one captive portal probe every 3 seconds, and the Palo Alto captive portal responds to those probes with the captive portal web form. This produces ~15KB every 3 seconds (~430MB/day), which is a large amount of data that we would like to monitor for our satellite environment use case.
All this traffic (the initial WGET TCP sessions initiated by the client + the authentication web form sent by the Palo in another TCP session) cannot be seen in the traffic logs, which is expected according to @arsimon's article. Here is another article that mentions that the session details are only temporarily available in the GUI in the session browser: FORW Type Session with Destination Zone "captive-portal"
So 2 questions in order to be able to account for this traffic:
Note that the above tests were done using Palo Alto 8.0.5 (VM100).