CAVEAT: Below I use the phrase "Captive Portal" because that is the function we are using this policy for. In actuality, we are using a URL Filtering policy to match any URL * , *.* , *.*.* , *.*.*.* and loading a Continue and Override Page. We are NOT using Palo Alto's Captive Portal feature.

The before.jpg image shows how the rule was configured when we were seeing broken image links on our custom page. When we looked at the URL for the broken images, we noticed that each image was being filtered through the Guest_Captive_Portal rule instead of the Guest_Captive_Portal_JPEGs rule. So, with our Guest_Captive_Portal_JPEGs rule configured with Source Zone = any and Source Address = Guest WiFi network range, the images weren't loading properly.

The after.jpg image shows how the Guest_Captive_Portal_JPEGs rule is currently configured and working properly. When we set the Source Zone = Guest-Trust and Source Address = any, the images load without issue.

Again, we aren't sure why this change made a difference. If someone can explain to us why that is, we'd greatly appreciate it. Either way, it is working as desired with the changes identified above.