Random Captive Portal Popup

I would expect the authentication log to mention something about this, but look at the unified to be sure. Since an auth action is triggered, there must be a log

Unknown member

Jan 29, 2021

Replying to

@Reaper There is no record of the users name.

I think I know what the issue is, I just don't know why or if there is a way for any palo log to help me figure it out.

Random people are banging on a non-existent IP across firewalls. Let's say in order to cross from firewall "corp" to firewall "hardwork" you first get redirected to a captive portal.

The people in "corp" are getting the auth pop up because something is reaching out to an IP (say 10.1.1.12) within "hardwork".

What I can't figure out is what exactly is reaching out and why.

Unknown member

Jan 29, 2021

Not that I can tell.

On a side note, I was on a free Global Knowledge PCNSE test prep call yesterday with like 100 people and dropped your site as a good source of info. :)

Reaper

Jan 29, 2021

Replying to

Very much appreciated :) should I set up a PCNSE discussion area?

Unknown member

Jan 29, 2021

If I have a portal with multiple agent configs, is there a way to tell which config a user is getting?

Reaper

Jan 29, 2021

Replying to

Isn't it showing up in one of the related logs (auth or GP)? Try unified logs

Reaper

Jan 28, 2021

What does your 'authentication' policy look like? It may be too wide or an exception may be required If it is set to "known users" you may need to figure out if your GP users are losing their mapping for some reason (probing?)

Forum: Forum