Authentication Portal Exclusion for Predefined Domains

Configure an Authentication Portal Exclude List to exempt domains for application background traffic from authentication.
You can now quickly exclude domains that applications use for background traffic (for example, to update the application) from requiring authentication by including an Authentication Portal Exclude List in your authentication policy. This external dynamic list (EDL) ensures frictionless application upkeep by allowing the firewall to exclude the domains in the list from Authentication Portal authentication so that users don’t need to log in with their credentials to update approved applications. After you configure the Authentication Portal Exclude List, you can use it to enforce an authentication policy that excludes these trusted domains from requiring authentication.
Palo Alto Networks maintains and adds new domains to this EDL through content updates so that you don’t need to manually discover these domains and add them to your allow list. To require authentication for application background traffic, you can customize the entries in the Authentication Portal Exclude List.
  1. Add the Authentication Portal Exclude List.
    1. Select Objects > External Dynamic Lists.
    2. Add a new external dynamic list.
    3. Enter a Name for the list.
    4. Select Predefined URL List as the Type.
    5. (Optional) Enter a Description for the list.
    6. Select panw-auth-portal-exclude-list as the Source.
  2. (Optional) Customize the list by configuring which domains require authentication.
    When you remove one of the List Entries or Add new Manual Exceptions, the firewall requires authentication to access that domain.
    1. Select List Entries and Exceptions.
    2. Review the List Entries.
      To filter the entries, enter text in the filter and select Apply Filter.
    3. To remove an entry from the default list and require Authentication Portal authentication before the firewall allows traffic to that domain, select the entry, then click the Move button to move it to the Manual Exceptions list.
    4. To include an entry in the Manual Exceptions that is not in the default list, Add the domain.
    5. To delete an entry from the Manual Exceptions list, select it and Delete it.
  3. Click OK to confirm the configuration and Commit your changes.
  4. Create or edit an authentication policy rule to exempt the domains in the Authentication Portal Exclude List from authentication.
    1. Select Policies > Authentication.
    2. On the Service/URL Category tab, select the list you created in Step 1 as the URL Category.
    3. On the Actions tab, select default-no-captive-portal as the Authentication Enforcement.
    4. Click OK.
    5. Move the rule to the top so that it is the first rule in the policy.
    6. Commit your changes.
  5. Verify that the Authentication Portal Exclude List successfully exempts the specified domains from Authentication policy.
    1. Go to a domain that is included in the list and confirm that the firewall does not require authentication before it allows access.
    2. Use the following CLI command to view the number of entries in the list:
      request system external-list show type predefined-url name list-name
      (where list-name is the name of the Authentication Portal Exclude List).
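
The interaction between Manual Exceptions (Step 2) and rule order (Step 4) can be checked on paper with a small first-match model. This is an added Python example, not Palo Alto Networks code or PAN-OS configuration. The domains, the rule names, the list name auth-portal-exclude, the example-auth-enforcement object and the exact-hostname matching are constructed assumptions.

```python
from dataclasses import dataclass

NO_PORTAL = "default-no-captive-portal"    # enforcement named on this page
REQUIRE_AUTH = "example-auth-enforcement"  # hypothetical placeholder object

# Constructed sample data; the real list contents arrive through content updates.
LIST_ENTRIES = {"updates.example.com", "cdn.example.net", "telemetry.example.org"}
MANUAL_EXCEPTIONS = {"telemetry.example.org"}  # moved out of the list in Step 2


@dataclass
class Rule:
    name: str
    url_category: str  # name of an external dynamic list, or "any"
    enforcement: str


def effective_exclusions(entries, exceptions):
    """Domains the list still exempts after Manual Exceptions are applied."""
    return {d.lower() for d in entries} - {d.lower() for d in exceptions}


def evaluate(rules, host, edls):
    """Return (rule name, enforcement) of the first rule that matches host."""
    host = host.lower().rstrip(".")
    for rule in rules:  # top-down, first match wins
        if rule.url_category == "any" or host in edls.get(rule.url_category, set()):
            return rule.name, rule.enforcement
    return None, None  # no Authentication rule matched


def audit(rules, edl_name, edls):
    """List exempted domains that would still be sent to the portal."""
    return sorted(h for h in edls[edl_name]
                  if evaluate(rules, h, edls)[1] != NO_PORTAL)


EDLS = {"auth-portal-exclude": effective_exclusions(LIST_ENTRIES, MANUAL_EXCEPTIONS)}
EXEMPT = Rule("exempt-background", "auth-portal-exclude", NO_PORTAL)
CATCH_ALL = Rule("auth-everyone", "any", REQUIRE_AUTH)

if __name__ == "__main__":
    print("exempt rule first:", audit([EXEMPT, CATCH_ALL], "auth-portal-exclude", EDLS))
    print("exempt rule last: ", audit([CATCH_ALL, EXEMPT], "auth-portal-exclude", EDLS))
```

An empty audit result means every domain still on the list bypasses the portal. A non-empty result names the domains that a rule placed above the exemption rule captures first.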
