Hi Scott,

You could use a PBF rule for "unknown" users (i.e. an IP not mapped to any user) to the IP where the CP is configured. Then "your captive portal" has to redirect all incoming traffic destined to 80/tcp or 443/tcp to a local address. The CP shall be in a DMZ (traffic to the CP shall pass over the firewall) - only then does PBF work. Also, the CP shall be connected to a different L3 interface than LAN and External, ex. I have:

e1/1 - Internet/External
e1/2 - LAN
e1/3 - CP

PBF has to change the routing for unknown users from the default:
User -> PAN -> Internet
to:
User -> PAN -> Captive Portal

Rule on PAN:

IPtables redirect/DNAT on Linux:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to-destination <IP of Captive Portal>:80
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 443 -j DNAT --to-destination <IP of Captive Portal>:443

Note: HTTPS redirect could generate an SSL warning.

After this you could use the XML-API to add users with a timeout value. There is no idle time as in the generic PAN CP, only a timeout.

Setting the Timeout for User to IP mapping Created Using User-ID XML-API

T.
Hi,

You could parse syslog messages on another device (ex. Linux), and next generate an XML-API update request to User-ID with the chosen timeout value.

Juniper -> (Syslog) -> Linux Server -> (XML-API) -> Palo Device

Setting the Timeout for User to IP mapping Created Using User-ID XML-API

http://www.rsyslog.com/doc/v8-stable/configuration/actions.html?highlight=execute#shell-execute

T.
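The Linux-side step from both replies (syslog in, User-ID XML-API update with a timeout out), as an added example that is not part of either post. The syslog lines and the regex matching them are constructed for illustration and are not a real Juniper log format; the firewall hostname and API key are placeholders, and only the XML-building part is exercised here so it runs offline.

```python
import re
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Hypothetical pattern for the constructed lines below; a real Juniper
# authentication log would need its own regex.
LOGIN_RE = re.compile(r"User '(?P<user>[^']+)' .* from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})")

# Constructed sample syslog lines, not captured from any device.
SAMPLE_LOGS = [
    "<14>Jan 12 10:01:02 srx1 webauth: User 'jdoe' authenticated from 10.10.5.23",
    "<14>Jan 12 10:01:03 srx1 sshd: Connection closed by 10.10.5.99",
]

def parse_login(line):
    """Return (user, ip) for an authentication event, or None for other lines."""
    m = LOGIN_RE.search(line)
    return (m.group("user"), m.group("ip")) if m else None

def mappings_from_logs(lines):
    """Extract every (user, ip) pair from a batch of syslog lines."""
    return [m for m in (parse_login(l) for l in lines) if m]

def build_uid_message(mappings, timeout_min):
    """Build a User-ID XML API 'update' message with a per-entry timeout in minutes.

    The timeout is the only expiry available this way: there is no idle timer,
    so the mapping is removed timeout_min minutes after the last update.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    login = ET.SubElement(ET.SubElement(root, "payload"), "login")
    for user, ip in mappings:
        ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_min))
    return ET.tostring(root, encoding="unicode")

def push_mappings(fw_host, api_key, xml_doc):
    """POST the message to the firewall's User-ID API (type=user-id).
    Not called below so the example stays offline; fw_host/api_key are placeholders."""
    data = urllib.parse.urlencode({"type": "user-id", "key": api_key, "cmd": xml_doc}).encode()
    req = urllib.request.Request(f"https://{fw_host}/api/", data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()

if __name__ == "__main__":
    print(build_uid_message(mappings_from_logs(SAMPLE_LOGS), timeout_min=60))
```

Wired behind rsyslog's shell-execute action (linked above), each matching line becomes one update call, and the firewall ages the mapping out after the timeout regardless of activity.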