Quiz Entry - updated: 2026.07.14
What are the components needed to set up a Captive Portal on a Palo Alto firewall, and how do they fit together?
Seven pieces: DNS entry, Cert, SSL/TLS profile, User+Auth profile, Auth enforcement, Auth policy rule, and an interface management profile.
* The Captive Portal config dependency chain. *
| Component | Role |
|---|---|
| DNS entry | Gives the portal a hostname (captiveportal.mydomain.ch) so the cert CN matches |
| Certificate | Signed by the FW's CA — lets HTTPS work without warnings |
| SSL/TLS Profile | Specifies min TLS version (1.2+) and ties the cert to the portal |
| Authentication Profile | Where to look up users (Local DB, AD, RADIUS) |
| Authentication Enforcement | Glues method (web-form / browser-challenge / certificate) to the profile |
| Authentication Policy Rule | The "who, when, what services" — e.g., inside-zone users on HTTP/HTTPS must hit captive portal |
| Interface Management Profile | Permits Response Pages on the inside interface so the FW can answer redirects |
Why so many pieces? Each layer is reusable: one cert for many services, one auth profile for many enforcements, one enforcement for many policies. Decoupled = flexible.
Tip: Mental model: DNS+Cert+TLS = "make it look like a real website." Auth Profile+Enforcement+Policy = "decide who must log in."
Go deeper:
Captive portal (Wikipedia) — the HTTP-redirect intercept mechanism the components serve, plus OS-probe detection and HTTPS limits.