How to Troubleshoot Captive Portal

How to Troubleshoot Captive Portal

Created On 09/25/18 20:39 PM - Last Modified 06/16/23 17:38 PM


This document describes checks and commands to troubleshoot Captive Portal on a Palo Alto Networks firewall.



  • Make sure that captive portal is enabled.
  • Make sure user identification is enabled on the ingress zone.
  • Make sure there is a captive portal policy.
  • Keep in mind that a security policy needs to be matched first before the session is redirected to captive portal, thus if a deny policy is matched the packets will be dropped and the session will not be redirected to the captive portal.

Note: In order for captive portal to work, the following is needed in the security policy:

  • Web-browsing and DNS must be allowed for the captive portal page is brought up on http port 80
  • DNS query is needed for URL look up. This action spawns the captive portal redirect.
  • Captive portal uses SSL to connection on ports 6080,6081,6082 not 443.

Use the following command to reset any captive portal session (the client will have to authenticate again).
The IP address in the following commands is the IP address of the client:

> debug user-id reset captive-portal ip-address


Use the following commands to check the captive portal log:

> less mp-log appweb3-l3svc.log


For more details, enable l3svc debug level:

debug l3svc on debug


Captive portal session counter can be viewed through global counter:

> show counter global | match session_svc


The following is a capture of a captive portal session. Captive portal redirects the session to an internal/local captive portal port (6080) and captive portal zone (N/A):

1435247/1[1078]/l2-lan-trust/6[80]/l2-lan-untrust web-browsing    DISCARD FLOW   
1449020/1[1103]/l2-lan-trust/6[6080]/N/A          ssl            ACTIVE  FLOW  ND
1449021/1[1102]/l2-lan-trust/6[80]/N/A            web-browsing    ACTIVE  FLOW  ND
1432627/1[1060]/l2-lan-trust/6[21]/l2-lan-untrust ftp            DISCARD FLOW   
1436228/1[1081]/l2-lan-trust/6[80]/l2-lan-untrus web-browsing    DISCARD FLOW


For more information about the session via the CLI, type:


> show session id 1449020
session 1449020

c2s flow:

sport: 1103 dport: 6080
proto: 6 dir: c2s
state: ACTIVE type: FLOW
ipver: 4
src-user: 0
dst-user: 0


s2c flow:

sport: 443 dport: 1103
proto: 6 dir: s2c
state: ACTIVE type: FLOW
ipver: 4
src-user: 0
dst-user: 0

start time : Thu Jul 24 17:10:04 2008
timeout : 1800 sec
time to live : 1749 sec
total byte count : 3872
layer7 packet count : 12
vsys : vsys1
application : ssl
rule : captive-portal
session to be logged at end : no
session in session ager : yes
session sync'ed from HA peer : no
address/port translation : destination
layer7 processing : enabled
URL filtering enabled : no
session terminated on host : yes
captive portal session : yes


See also:


Configuring Captive Portal in 9.1
Configuring Captive Portal in 10.1 
Configuring Captive Portal in 10.2
Configuring Captive Portal in 11.0


owner: jnguyen

  • Print
  • Copy Link

Choose Language