Authentication Portal Exclusion for Predefined Domains
10.0 (EoL)
Configure an Authentication Portal Exclude List to exempt
domains for application background traffic from authentication.
You can now quickly exclude domains that applications use for background traffic (for example, to update the application) from requiring authentication by including an Authentication Portal Exclude List in your authentication policy. This external dynamic list (EDL) ensures frictionless application upkeep by allowing the firewall to exclude the domains in the list from Authentication Portal authentication so that users don’t need to log in with their credentials to update approved applications. After you configure the Authentication Portal Exclude List, you can use it to enforce an authentication policy that excludes these trusted domains from requiring authentication.

Palo Alto Networks maintains and adds new domains to this EDL through content updates so that you don’t need to manually discover these domains and add them to your allow list. To require authentication for application background traffic, you can customize the entries in the Authentication Portal Exclude List.
- Add the Authentication Portal Exclude List.
  - Select Objects > External Dynamic Lists.
  - Add a new external dynamic list.
  - Enter a Name for the list.
  - Select Predefined URL List as the Type.
  - (Optional) Enter a Description for the list.
  - Select panw-auth-portal-exclude-list as the Source.
- (Optional) Customize the list by configuring which domains require authentication. When you remove one of the List Entries or Add new Manual Exceptions, the firewall requires authentication to access that domain.
  - Select List Entries and Exceptions.
  - Review the List Entries. To filter the entries, enter text in the filter and select Apply Filter.
  - To remove an entry from the default list and require Authentication Portal authentication before the firewall allows traffic to that domain, select the entry then click the Move button to move it to the Manual Exceptions list.
  - To include an entry in the Manual Exceptions that is not in the default list, Add the domain.
  - To delete an entry from the Manual Exceptions list, select it and Delete it.
- Click OK to confirm the configuration and Commit your changes.
- Create or edit an authentication policy rule to exempt the domains in the Authentication Portal Exclude List from authentication.
  - Select Policies > Authentication.
  - On the Service/URL Category tab, select the list you created in Step 1 as the URL Category.
  - On the Actions tab, select default-no-captive-portal as the Authentication Enforcement.
  - Click OK.
  - Move the rule to the top so that it is the first rule in the policy.
  - Commit your changes.
- Verify that the Authentication Portal Exclude List successfully exempts the specified domains from Authentication policy.
  - Go to a domain that is included in the list and confirm that the firewall does not require authentication before it allows access.
  - Use the following CLI command to view the number of entries in the list: request system external-list show type predefined-url name <list-name> (where <list-name> is the name of the Authentication Portal Exclude List).
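
The procedure above depends on two things: manual exceptions are subtracted from the exempt set, and the exclusion rule must sit above any rule that enforces the portal. The following is an added example, not Palo Alto Networks code, that models both as a pre-commit review check. It assumes a simplified rule representation with hypothetical field names, first-match rule evaluation, exact domain matching, and constructed sample domains and rule names.

```python
# Simplified model of the procedure above; field names are hypothetical,
# not the PAN-OS configuration schema. Domains and rule names are constructed.
NO_AUTH = "default-no-captive-portal"
EDL_SOURCE = "panw-auth-portal-exclude-list"

def effective_exempt(edl):
    """List entries minus manual exceptions: exceptions require authentication."""
    return set(edl["entries"]) - set(edl["manual_exceptions"])

def enforcement_for(domain, rules, edls):
    """First matching rule wins; a rule with no url_category matches any domain."""
    for rule in rules:
        cat = rule.get("url_category")
        if cat is None or domain in effective_exempt(edls[cat]):
            return rule["enforcement"]
    return None  # no Authentication rule matched

def audit(rules, edls):
    """Return findings for the settings the procedure asks for."""
    findings = []
    idx = [i for i, r in enumerate(rules)
           if edls.get(r.get("url_category"), {}).get("source") == EDL_SOURCE]
    if not idx:
        return ["no rule uses an EDL sourced from " + EDL_SOURCE]
    rule = rules[idx[0]]
    if idx[0] != 0:
        findings.append(f"rule '{rule['name']}' is not first in the policy")
    if rule["enforcement"] != NO_AUTH:
        findings.append(f"rule '{rule['name']}' does not use {NO_AUTH}")
    if edls[rule["url_category"]]["type"] != "Predefined URL List":
        findings.append("EDL type is not Predefined URL List")
    return findings

EDLS = {"auth-exclude": {"type": "Predefined URL List", "source": EDL_SOURCE,
                         "entries": ["updates.example.com", "cdn.example.net"],
                         "manual_exceptions": ["cdn.example.net"]}}
EXCLUDE = {"name": "skip-auth-bg", "url_category": "auth-exclude", "enforcement": NO_AUTH}
PORTAL = {"name": "portal-all", "url_category": None, "enforcement": "default-web-form"}

if __name__ == "__main__":
    # Compare the correct order with the misordered one.
    for order in ([EXCLUDE, PORTAL], [PORTAL, EXCLUDE]):
        print([r["name"] for r in order], audit(order, EDLS),
              enforcement_for("updates.example.com", order, EDLS))
```

With the rules misordered, the catch-all portal rule matches first and the listed domain is sent to the portal, which is the failure the "move the rule to the top" step prevents.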