Configure Captive Portal Detection in Proxy and Hybrid Modes
Configure captive portal login page
Where Can I Use This?
- Prisma Access (managed by Panorama or Strata Cloud Manager)
- Windows and macOS endpoints

What Do I Need?
- GlobalProtect Gateway license or Prisma Access license with the
  Mobile User subscription
- GlobalProtect app 6.3.3-h2 (6.3.3-c679) and later

A captive portal is a network security implementation where users connecting to a network
(typically Wi-Fi) are first redirected to a web page for authentication before being
allowed to establish a GlobalProtect secure connection to access corporate resources.
This approach provides an additional layer of security by ensuring users authenticate
through the local network's portal before the GlobalProtect client can establish a
secure tunnel to the organization's network infrastructure. For information on enabling
and configuring captive portal for end users, refer to
Customize the GlobalProtect App.

When users are in proxy mode or in tunnel and proxy (hybrid) mode, the captive portal login
page may not load upon Wi-Fi connection because the proxy intercepts and blocks packets from
reaching the captive portal. To ensure captive portal connectivity in these modes, the
recommended setting for Captive Portal Exception Timeout (sec) is 600 seconds. In addition,
you must allow direct internet access (bypassing any proxy or filtering) for the
connectivity check endpoint URLs:
- On Panorama, add these URLs to your Proxy Auto-Configuration (PAC)
  file:

      if (shExpMatch(host, "captive.apple.com") ||
          shExpMatch(host, "edge-http.microsoft.com") ||
          shExpMatch(host, "detectportal.firefox.com")) {
        return "DIRECT";
      }

- On Strata Cloud Manager, either add these URLs to your PAC file or to a
  forwarding profile:
  - captive.apple.com
  - clients3.google.com
  - msftconnecttest.com