Quiz Entry - updated: 2026.07.01
What does Captive Portal session timeout mean, and why is the default of 60 minutes a deliberate choice?
After 60 min of inactivity, the user-IP binding expires and the user must re-authenticate.
Why a timeout exists at all:
- IP addresses are reassigned (DHCP lease renewals, device sleep/wake).
- A workstation logs out / changes user — old binding could grant the new user the old user's permissions.
- Stolen / left-unattended sessions auto-close.
Why 60 min is sensible default:
- Long enough that users don't get re-prompted constantly during normal work.
- Short enough that an unattended session can't persist for days.
- Stated explicitly: the Captive Portal authentication timeout is 60 minutes of inactivity.
How to manually reset for testing (Palo Alto CLI):
debug user-id reset captive-portal ip-address 192.168.10.100
The Web GUI doesn't expose this — you SSH to the FW.
Tip: Captive Portal timeout is configurable per zone. Tune higher for office desktops, lower for guest Wi-Fi.