Authentication Portal Exclusion for Predefined Domains
End-of-Life (EoL)


Configure an Authentication Portal Exclude List to exempt domains for application background traffic from authentication.
You can now quickly exclude domains that applications use for background traffic (for example, to update the application) from requiring authentication by including an Authentication Portal Exclude List in your authentication policy. This external dynamic list (EDL) ensures frictionless application upkeep by allowing the firewall to exclude the domains in the list from Authentication Portal authentication so that users don’t need to log in with their credentials to update approved applications. After you configure the Authentication Portal Exclude List, you can use it to enforce an authentication policy that excludes these trusted domains from requiring authentication.
Palo Alto Networks maintains this EDL and adds new domains to it through content updates, so you don’t need to manually discover these domains and add them to your allow list. To require authentication for application background traffic, you can customize the entries in the Authentication Portal Exclude List.
  1. Add the Authentication Portal Exclude List.
    1. Select Objects > External Dynamic Lists.
    2. Add a new external dynamic list.
    3. Enter a Name for the list.
    4. Select Predefined URL List as the Type.
    5. (Optional) Enter a Description for the list.
    6. Select panw-auth-portal-exclude-list as the Source.
  2. (Optional) Customize the list by configuring which domains require authentication.
    When you remove one of the List Entries or Add new Manual Exceptions, the firewall requires authentication to access that domain.
    1. Select List Entries and Exceptions.
    2. Review the List Entries.
      To filter the entries, enter text in the filter and select Apply Filter.
    3. To remove an entry from the default list and require Authentication Portal authentication before the firewall allows traffic to that domain, select the entry then click the Move button to move it to the Manual Exceptions list.
    4. To include an entry in the Manual Exceptions that is not in the default list, Add the domain.
    5. To delete an entry from the Manual Exceptions list, select it and Delete it.
  3. Click OK to confirm the configuration and Commit your changes.
  4. Create or edit an authentication policy rule to exempt the domains in the Authentication Portal Exclude List from authentication.
    1. Select Policies > Authentication.
    2. On the Service/URL Category tab, select the list you created in Step 1 as the URL Category.
    3. On the Actions tab, select default-no-captive-portal as the Authentication Enforcement.
    4. Click OK.
    5. Move the rule to the top so that it is the first rule in the policy.
    6. Commit your changes.
  5. Verify that the Authentication Portal Exclude List successfully exempts the specified domains from Authentication policy.
    1. Go to a domain that is included in the list and confirm that the firewall does not require authentication before it allows access.
    2. Use the following CLI command to view the number of entries in the list: request system external-list show type predefined-url name list-name (where list-name is the name of the Authentication Portal Exclude List).
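
Why Step 2 (Manual Exceptions) and Step 4 (moving the rule to the top) change which domains skip authentication, as an added illustration that is not Palo Alto Networks code. It is a simplified Python model of top-down, first-match rule evaluation; the exact-hostname matching, the rule names and the sample domains are assumptions constructed for the example, and default-web-form stands in for a rule that requires authentication.

```python
from dataclasses import dataclass
from typing import Optional

NO_AUTH = "default-no-captive-portal"  # enforcement selected in Step 4

@dataclass(frozen=True)
class Rule:
    name: str                      # hypothetical rule name
    domains: Optional[frozenset]   # None = matches any destination
    enforcement: str

def effective_exclusions(list_entries, manual_exceptions):
    """List Entries minus Manual Exceptions: only these bypass authentication."""
    return frozenset(d.lower() for d in list_entries) - {d.lower() for d in manual_exceptions}

def first_match(rules, host):
    """Top-down evaluation: the first rule that covers the host wins."""
    for rule in rules:
        if rule.domains is None or host.lower() in rule.domains:
            return rule
    return None

def requires_auth(rules, host):
    rule = first_match(rules, host)
    return rule is not None and rule.enforcement != NO_AUTH

def shadowed_exclusions(rules):
    """Excluded domains that an earlier rule matches first (exclusion never applies)."""
    return {host for rule in rules
            if rule.enforcement == NO_AUTH and rule.domains
            for host in rule.domains
            if first_match(rules, host) is not rule}

# Constructed sample data, not real list contents.
LIST_ENTRIES = ["updates.example.com", "cdn.example.net", "telemetry.example.org"]
MANUAL_EXCEPTIONS = ["telemetry.example.org"]  # moved out in Step 2: auth required again

EXCLUDE = Rule("auth-portal-exclude", effective_exclusions(LIST_ENTRIES, MANUAL_EXCEPTIONS), NO_AUTH)
CATCH_ALL = Rule("auth-all-web", None, "default-web-form")
CORRECT, MISORDERED = [EXCLUDE, CATCH_ALL], [CATCH_ALL, EXCLUDE]

if __name__ == "__main__":
    for label, rules in (("exclude rule first", CORRECT), ("exclude rule second", MISORDERED)):
        print(label, "-> shadowed:", sorted(shadowed_exclusions(rules)))
        for host in LIST_ENTRIES:
            print("  ", host, "auth required:", requires_auth(rules, host))
```

A non-empty result from shadowed_exclusions means a broader rule sits above the exclusion rule, so background traffic to those domains is still prompted for credentials.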