1. Solution Overview

Solution tested

Prisma Access Plugin v 1.8

Captive Portal FQDN resolves Prisma Captive Portal Redirect IP Address.

This DNS record is created by Cloudi-Fi.

Note: All the configuration should be done in the correct template.

Template mapping is configured in :

Panorama > Cloud Services > Configuration > Remote Networks

2. Configure SAML Identity Provider (IdP)

SAML Identity Provider

Go to Device > Server Profiles > SAML Identity Provider

Note: If multiples physical sites are routed behind the Palo Alto, create an IdP profile for each physical location.

You just have to modify the Identity Provider SSO URL for each IdP profile with the Cloudi-Fi location URL.

Configure SAML Authentication Profile

Go to Device > Authentication Profile

  • Type: SAML

  • IdP Server Profile: Select the Cloudi-Fi IdP profile created at step 1

  • Certificate profile: Create a new profile and import the Cloudi-Fi_IdP_cert (see screenshot below)

  • SAML Attributes / Username Attribute: token

  • SAML Attributes / User Group Attribute: profile

Certificate profile:

Create Web-forms

Create a specific web-form which will be used in the Authentication policy:

If you have multiple location behind one Palo Alto equipment, create one web-form per location.

Go to Objects > Authentication > Add

3. Configure Captive portal settings

Go to Device > User-Identification > Captive portal Settings > Edit

FQDN : customer.cloudi-fi.net

This FQDN resolves the IP Address of the Prisma Access Captive Portal IP.

Each Prisma Access Customer has a unique Captive Portal Redirect IP. This IP should be provided to Cloudi-Fi in order to create the dedicated DNS record.

Idle timer and timer should be equal and match with the session lifetime configured in the Cloudi-Fi captive portal

This FQDN will be use also used during the SAML authentication as Service Provider EntityID and have to be declared in the Cloudi-Fi administration interface.

Cloudi-Fi admin > settings > Advanced settings > PaloAlto Networks:

4. Captive Portal

Prisma Access provide a dedicated IP Address where is enabled the Captive Portal Service.

Go to Panorama > Cloud Services > Status > Network Details > Service Infrastructure.

5. Configure Policy

Create custom URL Category

We will create custom URL categories and will use them to create the Walled Garden (URL accessible by the user before being authenticated)

Go to Objects > Custom Objects > URL Category > Add

- Profile Name: Cloudi-Fi_portal

- Type: URL List

- Sites:


Note: If you have social medias in your captive portal, create another custom URL category.

Domains will be provided by Cloudi-Fi team.

Creates security rules

Go to Policies > Security Rules

We shall create 4 security rules:

1/ Guest DNS Proxy rule: to allow the Guest Layer3 IP to reach the DNS server

o Source: Guest gateway IP address (Zone Guest)

o Destination: DNS server(s) configured in the DNS-Proxy

o Application: DNS

o Action Allow

2/ Whitelist rule: to allow unauthenticated user to access the captive portal

o Source: Guest network (Zone Guest)

o User: Unknown

o Destination: Any (Zone External)

o Application: Any (you can restrict as you wish. At least web-browsing and SSL)

o URL Filtering: Cloudi-Fi custom categories

o Action: Allow

3/ Guest-Allowed: Allow authenticated user to access to Internet

o Source: Guest network (Zone Guest)

o User: Know-User

o Destination: Any (Zone External)

o Application: Any (you can restrict as you wish. At least web-browsing and SSL)

o Action: Allow

o Profile Settings: URL Filtering enabled

4/ Guest-DenyAll : Explicit deny to prevent Guest network to access other internal resources (optional with default PAN policy behavior but recommended)

o Source: Guest network (Zone Guest)

o Destination: Any (All zones)

o Application / Services: Any

o Action: Deny

Authentication rule

This rule will redirect unauthenticated user to the Cloudi-Fi captive portal

Go to Policies > Authentication > Add

- Source: Guest Network (Guest zone)

- User: Unknown

- Destination: Any (External Zone)

- Service: HTTP

- Action: Authentication enforcement: Cloudi-Fi web-form created at step 1

Note that if multiple physical sites are located behind the PAN, you have to create 1 authentication rule per physical location with the appropriate web-form.


Did this answer your question?