LOGBOOK

HELP

Quiz Entry - updated: 2026.07.01

What does Captive Portal session timeout mean, and why is the default of 60 minutes a deliberate choice?

After 60 min of inactivity, the user-IP binding expires and the user must re-authenticate.

Why a timeout exists at all:

  • IP addresses are reassigned (DHCP lease renewals, device sleep/wake).
  • A workstation logs out / changes user — old binding could grant the new user the old user's permissions.
  • Stolen / left-unattended sessions auto-close.

Why 60 min is sensible default:

  • Long enough that users don't get re-prompted constantly during normal work.
  • Short enough that an unattended session can't persist for days.
  • Stated explicitly: the Captive Portal authentication timeout is 60 minutes of inactivity.

How to manually reset for testing (Palo Alto CLI):

debug user-id reset captive-portal ip-address 192.168.10.100

The Web GUI doesn't expose this — you SSH to the FW.

Tip: Captive Portal timeout is configurable per zone. Tune higher for office desktops, lower for guest Wi-Fi.

From Quiz: INTROL / Firewall Advanced Lab (Lab 6) | Updated: Jul 01, 2026