1. Solution overview

Solution tested

VM Series with PAN-Os 9.0.3

VM Series with PAN-Os 9.1.3

2. Configure SAML Identity Provider (IdP)

SAML Identity Provider

Go to Devices > Server Profiles > SAML Identity Provider


Currently, the URL format provided in the Cloudi-Fi admin interface is not the same that should be configured in the PAN-OS. You have to rewrite it to match the format described.

An update of the Cloudi-Fi admin interface will be performed soon.

Note: If multiples physical sites are routed behind the Palo Alto, create an IdP profile for each physical location.

You just have to modify the Identity Provider SSO URL for each IdP profile with the Cloudi-Fi location URL.

Configure SAML Authentication Profile

Go to Device > Authentication Profile

  • Type: SAML

  • IdP Server Profile: Select the Cloudi-Fi IdP profile created at step 1

  • Certificate profile: Create a new profile and import the Cloudi-Fi_IdP_cert (see screenshot below)

  • SAML Attributes / Username Attribute: token

  • SAML Attributes / User Group Attribute: profile

Certificate profile

Create Web-forms

Create a specific web-form which will be used in the Authentication policy:

If you have multiple location behind one Palo Alto equipment, create one web-form per location.

Go to Object > Authentication > Add

3. Configure Captive portal settings

Go to Device > User-Identification > Captive portal Settings > Edit

Note: During the redirection to the Cloudi-Fi captive portal, the user will be redirected to a Layer3 interface of the Palo Alto equipment.

The field “Redirect Host” shall specify the intranet hostname that resolves the IP address of the Layer 3 interface to which the firewall redirects web requests.


As the redirection is performed in HTTPS, you will experience a Certificate warning in the Guest web-browser. The installation of a public certificate is therefore necessary.

Idle timer and timer should be equal and match with the session lifetime configured in the Cloudi-Fi captive portal

This FQDN will be use also used during the SAML authentication as Service Provider EntityID and have to be declared in the Cloudi-Fi administration interface.

Cloudi-Fi admin > settings > Advanced settings > PaloAlto Networks:

4. Layer 3 Interface configuration

Interface Management Profile

Create a new Interface Management profile

Go to Network > Network Profiles > Interface Management > Add


- Ping (optional)

- Response Pages

- User-ID


Go to Network > Zone > add

Create a dedicated zone for the Guest and enable User Identification

Layer 3 interface

Create the Guest interface or sub-interface and assign the Interface Management profile and the zone created in the previous steps.

DHCP Server

Create a DHCP server for the Guest network

Go to Network > DHCP > DHCP Server > Add

- Select the Guest interface

- Define an IP Pool and DHCP Options

Note that the Layer3 interface dedicated for the Guest is configured as DNS server for the Guest

DNS Proxy

We will use the DNS Proxy feature to add a DNS static entry to resolve the FQDN configured in the captive portal settings and redirect the user to the Layer3 interface or sub-interface

Go to Network > DNS Proxy > Add

- Select the Guest interface or sub-interface

- Fill a valid DNS server reachable by the PAN as Primary server


Go to static entry and add the FQDN and IP Address

5. Configure Policy

Create custom URL Category

We will create custom URL categories and will use them to create the Walled Garden (URL accessible by the user before being authenticated)

Go to Object > Custom Objects > URL Category > Add

- Profile Name: Cloudi-Fi_portal

- Type: URL List

- Sites:

o *.cloudi-fi.net

o *.cloudi-fi.com

If you have social medias in your captive portal, create another custom URL category.

Domains will be provided by Cloudi-Fi team.

Creates security rules

We shall create 4 security rules:

1/ Guest DNS Proxy rule: to allow the Guest Layer3 IP to reach the DNS server

o Source: Guest gateway IP address (Zone Guest)

o Destination: DNS server(s) configured in the DNS-Proxy

o Application: DNS

o Action Allow

2/ Walled Garden rule: to allow unauthenticated user to access the captive portal

o Source: Guest network (Zone Guest)

o User: Unknown

o Destination: Any (Zone External)

o Application: Any (you can restrict as you wish. At least web-browsing and SSL)

o URL Filtering: Cloudi-Fi custom categories

o Action: Allow

3/ Guest-Allowed: Allow authenticated user to access to Internet

o Source: Guest network (Zone Guest)

o User: Know-User

o Destination: Any (Zone External)

o Application: Any (you can restrict as you wish. At least web-browsing and SSL)

o Action: Allow

o Profile Settings: URL Filtering enabled

4/ Guest-DenyAll : Explicit deny to prevent Guest network to access other internal resources (optional with default PAN policy behavior but recommended)

o Source: Guest network (Zone Guest)

o Destination: Any (All zones)

o Application / Services: Any

o Action: Deny

NAT rule

You have to create a NAT rule to translate Guest private IP addresses in a public address

- Original packet

o Source zone: Guest

o Destination zone: External

o Source address: Guest network

- Translated packet, Source address translation:

o Translation type: Dynamic IP and Port

o Address type: Interface address

o Interface: ethernet1/1 in our case

o Destination address translation: None

Authentication rule

This rule will redirect unauthenticated user to the Cloudi-Fi captive portal

Go to Policy > Authentication > Add

- Source: Guest Network (Guest zone)

- User: Unknown

- Destination: Any (External Zone)

- Service: HTTP/HTTPS

- Action: Authentication enforcement: Cloudi-Fi web-form created at step 1

Note that if multiple physical sites are located behind the PAN, you have to create 1 authentication rule per physical location with the appropriate web-form.

Did this answer your question?