Hi Steve,

The SSL request made to the firewall is via a 302 injected into the session by the FW. If I decrypt the traffic I see the 302, which has a header Location value of http://my_captive_portal_addr:6080. Palo Alto documentation suggests that 6080 should only be used for NTLM auth (Ports Used for Management Functions (paloaltonetworks.com)); however, we are successfully auth'ing using Kerberos.

If I manually browse to https://my_captive_portal_addr:6082 I get a valid TLS connection, albeit with a 403, so the firewall is obviously capable of setting up a TLS-encrypted session to the captive portal address. The interface management profile I'm using doesn't have HTTP or HTTPS selected, only Response Pages and User-ID, which I believe is suggested by the Palo Alto documentation.

I'm having a bit of trouble getting logs for the traffic in question. Although I can see it in the FW session browser, I'm not sure it's using the security rule I'm expecting, so I need to narrow that down first.

I was hoping there might be a way to tell the captive portal configuration to only use port 6082, but my googling has returned nothing so far. I can't see that configuring a security rule allowing only SSL on app-default will make any difference, given the header Location specifies HTTP traffic over port 6080.

Thanks,
George