Authentication Portal Exclusion for Predefined Domains
10.0 (EoL)
Configure an Authentication Portal Exclude List to exempt domains for application background traffic from authentication.

You can now quickly exclude domains that applications use for background traffic (for example, to update the application) from requiring authentication by including an Authentication Portal Exclude List in your authentication policy. This external dynamic list (EDL) ensures frictionless application upkeep by allowing the firewall to exclude the domains in the list from Authentication Portal authentication so that users don't need to log in with their credentials to update approved applications. After you configure the Authentication Portal Exclude List, you can use it to enforce an authentication policy that excludes these trusted domains from requiring authentication.

Palo Alto Networks maintains and adds new domains to this EDL through content updates so that you don't need to manually discover these domains and add them to your allow list. To require authentication for application background traffic, you can customize the entries in the Authentication Portal Exclude List.
1. Add the Authentication Portal Exclude List.
   - Select Objects > External Dynamic Lists.
   - Add a new external dynamic list.
   - Enter a Name for the list.
   - Select Predefined URL List as the Type.
   - (Optional) Enter a Description for the list.
   - Select panw-auth-portal-exclude-list as the Source.
2. (Optional) Customize the list by configuring which domains require authentication. When you remove one of the List Entries or Add new Manual Exceptions, the firewall requires authentication to access that domain.
   - Select List Entries and Exceptions.
   - Review the List Entries. To filter the entries, enter text in the filter and select Apply Filter.
   - To remove an entry from the default list and require Authentication Portal authentication before the firewall allows traffic to that domain, select the entry, then click the Move button to move it to the Manual Exceptions list.
   - To include an entry in the Manual Exceptions that is not in the default list, Add the domain.
   - To delete an entry from the Manual Exceptions list, select it and Delete it.
   - Click OK to confirm the configuration and Commit your changes.
3. Create or edit an authentication policy rule to exempt the domains in the Authentication Portal Exclude List from authentication.
   - Select Policies > Authentication.
   - On the Service/URL Category tab, select the list you created in Step 1 as the URL Category.
   - On the Actions tab, select default-no-captive-portal as the Authentication Enforcement.
   - Click OK.
   - Move the rule to the top so that it is the first rule in the policy.
   - Commit your changes.
4. Verify that the Authentication Portal Exclude List successfully exempts the specified domains from Authentication policy.
   - Go to a domain that is included in the list and confirm that the firewall does not require authentication before it allows access.
   - Use the following CLI command to view the number of entries in the list: request system external-list show type predefined-url name list-name (where list-name is the name of the Authentication Portal Exclude List).
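The procedure above depends on three settings lining up: the list's Source, the rule's Authentication Enforcement, and the rule being first in the policy. The following audit is an added example, not Palo Alto Networks code; it checks those three points against a constructed XML snippet whose element names, rule names, and domain are assumptions and do not reproduce the firewall's export format.

```python
import xml.etree.ElementTree as ET

SOURCE = "panw-auth-portal-exclude-list"  # predefined source named on the page
EXEMPT = "default-no-captive-portal"      # enforcement value named on the page

# Constructed sample. Element and rule names are an assumed, simplified layout,
# not a verbatim firewall export; the exempting rule is deliberately second.
SAMPLE = """<config>
 <external-list><entry name="auth-portal-exclude"><type><predefined-url>
   <url>panw-auth-portal-exclude-list</url>
   <exception-list><member>updates.example.com</member></exception-list>
 </predefined-url></type></entry></external-list>
 <authentication-rules>
  <entry name="require-login"><category><member>any</member></category>
   <authentication-enforcement>example-web-form</authentication-enforcement></entry>
  <entry name="skip-portal"><category><member>auth-portal-exclude</member></category>
   <authentication-enforcement>default-no-captive-portal</authentication-enforcement></entry>
 </authentication-rules>
</config>"""


def audit(xml_text):
    """Return misconfigurations plus domains moved to Manual Exceptions."""
    root = ET.fromstring(xml_text)
    lists = {}  # EDL name -> manual exceptions (domains that still authenticate)
    for edl in root.findall("./external-list/entry"):
        if edl.findtext("./type/predefined-url/url", "").strip() == SOURCE:
            lists[edl.get("name")] = [m.text for m in edl.iter("member")]
    result = {"findings": [], "still_authenticated": sorted(sum(lists.values(), []))}
    if not lists:
        result["findings"].append(f"no external dynamic list uses {SOURCE}")
        return result
    rules = root.findall("./authentication-rules/entry")
    hits = [(pos, rule) for pos, rule in enumerate(rules, start=1)
            if any(m.text in lists for m in rule.findall("./category/member"))]
    if not hits:
        result["findings"].append("no authentication rule uses the exclude list")
    for pos, rule in hits:
        name = rule.get("name")
        if rule.findtext("authentication-enforcement", "").strip() != EXEMPT:
            result["findings"].append(f"rule {name}: enforcement is not {EXEMPT}")
        if pos != 1:
            result["findings"].append(f"rule {name}: position {pos}, expected first")
    return result


if __name__ == "__main__":
    print(audit(SAMPLE))
```

On the sample, the audit reports that the exempting rule sits in position 2, and it lists updates.example.com as a Manual Exception that still requires authentication.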