Palo Alto Networks Knowledgebase: Non-Authenticated Captive Portal Session Will Not be Logged by the Palo Alto Networks Device
Created On 02/07/19 23:38 PM - Last Updated 02/07/19 23:38 PM
Captive Portal is a component of User-ID and provides a means to authenticate users in order to map a username to an IP address. Users without user-IP mappings who try to access the internet while Captive Portal is enabled on the Palo Alto Networks device are prompted to authenticate through Captive Portal in order to access the internet site. If the user does not authenticate when prompted by Captive Portal, no HTTP data is sent to the client trying to access the site, and therefore the attempt to access the site is not logged in the Palo Alto Networks logs.
Because no data is transferred after the TCP handshake completes, an attempt to access the site by a user who does not authenticate is not logged on the Palo Alto Networks device. When a non-authenticated user tries to reach a web server, a SYN packet is passed from the client to the server through the firewall.
The web server's response, a SYN+ACK, is passed to the client through the firewall. The client then responds with an ACK to complete the handshake with the server. Once the TCP handshake is complete, the client sends an HTTP data packet containing a GET request. The firewall takes the GET request and does not forward it to the server; instead, the firewall sends a response packet to the client asking it to authenticate through Captive Portal.
The Palo Alto Networks device does not forward any data packets to the server. Captive Portal requires the TCP handshake to complete. Because no data traffic was allowed to flow from the unauthenticated client to the web server, the session is not logged in the Palo Alto Networks logs, which is the expected behavior.
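The packet flow described above, replayed through a simplified model to show what the web server, the client and the traffic log each end up with. This is an added example, not Palo Alto Networks code; the IP addresses, the username and the rule that a session is logged only once data has been forwarded are assumptions of the model.

```python
# Simplified model of the flow described above (added example, not PAN-OS code).
from dataclasses import dataclass, field

@dataclass
class Firewall:
    user_ip_map: dict                                 # IP -> username (User-ID mappings)
    to_server: list = field(default_factory=list)     # packets the web server sees
    to_client: list = field(default_factory=list)     # packets the client sees
    data_forwarded: set = field(default_factory=set)  # sessions with forwarded data

    def from_client(self, src, dst, kind):
        """Handle one client packet; kind is 'SYN', 'ACK' or 'GET'."""
        if kind in ("SYN", "ACK"):
            # Handshake packets pass through: Captive Portal needs the TCP
            # handshake to complete before it can answer the client.
            self.to_server.append((src, dst, kind))
            if kind == "SYN":
                # The server's SYN+ACK, passed back through the firewall.
                self.to_client.append((dst, src, "SYN+ACK"))
        elif src in self.user_ip_map:
            # Mapped user: the GET is forwarded, so data has flowed.
            self.to_server.append((src, dst, kind))
            self.data_forwarded.add((src, dst))
        else:
            # Unmapped user: the GET is not forwarded; the firewall answers.
            self.to_client.append((dst, src, "CAPTIVE-PORTAL-PROMPT"))

    def traffic_log(self):
        # Assumption of this model: only sessions with forwarded data are logged.
        return [{"src": s, "dst": d, "user": self.user_ip_map[s]}
                for s, d in sorted(self.data_forwarded)]

def replay(trace, user_ip_map):
    """Feed a list of (src, dst, kind) client packets through the model."""
    fw = Firewall(dict(user_ip_map))
    for src, dst, kind in trace:
        fw.from_client(src, dst, kind)
    return fw

# Constructed trace: 10.0.0.5 has a user-IP mapping, 10.0.0.9 does not.
TRACE = [(ip, "203.0.113.10", kind) for ip in ("10.0.0.5", "10.0.0.9")
         for kind in ("SYN", "ACK", "GET")]
FW = replay(TRACE, {"10.0.0.5": "alice"})

if __name__ == "__main__":
    print("traffic log:", FW.traffic_log())
    print("server saw from 10.0.0.9:",
          [k for s, _, k in FW.to_server if s == "10.0.0.9"])
```

In this model the web server sees a completed handshake from the unmapped client but never its GET request, and the traffic log holds only the mapped user's session.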