LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What are the components needed to set up a Captive Portal on a Palo Alto firewall, and how do they fit together?

Seven pieces: DNS entry, Cert, SSL/TLS profile, User+Auth profile, Auth enforcement, Auth policy rule, and an interface management profile.

Seven-step captive-portal dependency chain: DNS → Certificate → SSL/TLS Profile → Auth Profile → Auth Enforcement → Auth Policy → Interface Mgmt Profile.

* The Captive Portal config dependency chain. *

Component Role
DNS entry Gives the portal a hostname (captiveportal.mydomain.ch) so the cert CN matches
Certificate Signed by the FW's CA — lets HTTPS work without warnings
SSL/TLS Profile Specifies min TLS version (1.2+) and ties the cert to the portal
Authentication Profile Where to look up users (Local DB, AD, RADIUS)
Authentication Enforcement Glues method (web-form / browser-challenge / certificate) to the profile
Authentication Policy Rule The "who, when, what services" — e.g., inside-zone users on HTTP/HTTPS must hit captive portal
Interface Management Profile Permits Response Pages on the inside interface so the FW can answer redirects

Why so many pieces? Each layer is reusable: one cert for many services, one auth profile for many enforcements, one enforcement for many policies. Decoupled = flexible.

Tip: Mental model: DNS+Cert+TLS = "make it look like a real website." Auth Profile+Enforcement+Policy = "decide who must log in."

Go deeper:

  • doc Captive portal (Wikipedia) — the HTTP-redirect intercept mechanism the components serve, plus OS-probe detection and HTTPS limits.

From Quiz: INTROL / Firewall Advanced Lab (Lab 6) | Updated: Jul 14, 2026