Alternative to captive webportal Palo Alto

The idiotic way to implement user identification when everything else fails.

You need:

A GPO that pushes a PowerShell script to the clients and runs it automatically

A webserver, for example Apache

A syslog forwarder, for example rsyslog

And the Palo Alto firewall set up as a User-ID agent with a syslog listener.

Plain and simple. Absolutely not secure, but until I bother with integrating user certificates as authentication for the requests, this will do.

The PowerShell script, which runs every hour or every minute on the clients:

The web server: a simple Apache server hosted on an Ubuntu box, without any content.

Install rsyslog if it is not already installed.

Put the following in /etc/rsyslog.d/02-apache2.conf:

Validate the config:

systemctl restart rsyslogd

On the Palo Alto, enable User-ID syslog on the interface and lock the permitted address down to the web server that sends the syslog messages.

Add the User-ID profile to the interface:

Add the following syslog parser:

Set up the server monitor:

and the syslog parser profile.

And you're good to go. Not secure, but it works as a simple solution.
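To make the mapping step concrete, here is an added Python example (not code from the post) that does offline what the firewall's syslog parser profile does with the forwarded Apache lines: pull the client IP and username out of each access-log line and fold them into an IP-to-user table. The request-path convention /uid/DOMAIN%5Cusername and the sample log lines are constructed assumptions, since the post does not show the PowerShell script or the parser regexes.

```python
import re
from urllib.parse import unquote
from typing import Dict, Optional, Tuple

# Constructed Apache "combined" access-log lines, in the shape rsyslog would
# forward to the firewall's User-ID syslog listener. The path convention
# /uid/DOMAIN%5Cusername (requested by the client-side PowerShell job) is an
# assumption for this example. The last line is a plain curl request, not the
# PowerShell job, to show the weakness the post itself points out.
SAMPLE_LOG = """\
10.1.20.15 - - [06/Jul/2021:08:00:01 +0200] "GET /uid/CORP%5Cjdoe HTTP/1.1" 200 0 "-" "PowerShell-UID"
10.1.20.16 - - [06/Jul/2021:08:00:02 +0200] "GET /uid/CORP%5Casmith HTTP/1.1" 200 0 "-" "PowerShell-UID"
10.1.20.17 - - [06/Jul/2021:08:00:03 +0200] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
10.1.20.16 - - [06/Jul/2021:09:00:02 +0200] "GET /uid/CORP%5Cbwong HTTP/1.1" 200 0 "-" "curl/7.68.0"
"""

# One regex standing in for the parser profile's event, username and address
# patterns: a successful GET of /uid/<user>, keyed on the source IP.
UID_EVENT = re.compile(
    r'^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ \[[^\]]+\] '
    r'"GET /uid/(?P<user>[^ "]+) HTTP/[\d.]+" 200 '
)


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Return (client_ip, username) for a User-ID event line, else None."""
    m = UID_EVENT.match(line)
    if not m:
        return None  # not a User-ID event (e.g. favicon, 404s, other paths)
    return m.group("ip"), unquote(m.group("user"))  # %5C -> backslash


def build_mapping(log_text: str) -> Dict[str, str]:
    """Fold a stream of lines into an IP -> user table; the latest event wins."""
    mapping: Dict[str, str] = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, user = parsed
            mapping[ip] = user
    return mapping


if __name__ == "__main__":
    # 10.1.20.16 ends up mapped to CORP\bwong: any unauthenticated request can
    # rewrite a mapping, which is why the post calls for client certificates.
    for ip, user in sorted(build_mapping(SAMPLE_LOG).items()):
        print(f"{ip} -> {user}")
```

The overwritten entry for 10.1.20.16 is the point of the sample: without authenticating the request, the mapping is only as trustworthy as whoever can reach the web server.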

Trip to Bølgekraftverket

Took a spontaneous trip to Bølgekraftverket, located in Toft, Rong.

Took a few photos. Fun to take photos again.

GlobalProtect + Client Certificate

Set up the client certificate deployment by following this guide:

Start off by exporting the CA certificate:

Install the certificate on your Palo Alto firewall:

The certificate should look something like this:

Create a Certificate profile:

Add this profile to your Authentication settings on the GlobalProtect gateway:

Now you can access your GlobalProtect VPN with the required client certificate.

If you get disconnected right away, check the debug logs under Troubleshooting and look for this message:

It indicates that the client certificate is incorrect or missing.