Hi Steve, The SSL request made to the firewall is via a 302 injected into the session by the FW. If I decrypt the traffic I see the 302 which has a header location value of http://my_captive_portal_addr:6080. Palo alto documentation suggests that 6080 should only be used for NTLM auth (Ports Used for Management Functions (paloaltonetworks.com)) however we are successfully auth'ing using kerberos. If I manually browse to https://my_captive_portal_addr:6082 I get a valid TLS connection albeit with a 403, so the firewall is obviously capable of setting up a TLS encrypted session to the captive portal address. The interface management profile I'm using doesn't have HTTP or HTTPS selected. Only Response Pages and User-ID, which I believe is suggested by the palo alto documentation. I'm having a bit of trouble getting logs for the traffic in question, although I can see it in the fw session browser, I'm not sure it's using the security rule I'm expecting, so I need to narrow that down first. I was hoping there might be a way to tell the captive portal configuration to only use port 6082 but my googling has returned nothing so far. I can't see that configuring a security rule allowing only SSL on app default will make any difference given the header location specifies http traffic over port 6080. Thanks, George
... View more
Hi, I've enabled captive portal on our systems, following the PA docs (Configure Authentication Portal (paloaltonetworks.com)). I have an SSL/TLS profile created with a valid, trusted certificate signed by our own internal CA. When our machines try to authenticate to the captive portal, they do so over HTTP not HTTPS. Is there some way to force captive portal auth over HTTPS? Thanks!
... View more