INTRODUCTION

A captive portal automatically redirects users to a designated page whenever they attempt to access blocked, restricted, or potentially malicious websites. Instead of silently dropping traffic, it serves as both a security checkpoint and a policy enforcement tool, guiding users toward safer browsing practices. In this guide, you’ll learn how to configure a captive portal within a SASE environment and see practical scenarios of how redirection mechanisms are applied.

 

  1. Prerequisites and Initial Setup: Before enabling the captive portal, a minimum configuration must be in place.

Note: This configuration serves as the initial step in successfully registering and establishing connectivity with the SASE Gateway. Ensure that these settings remain intact and unaltered for proper operation.

 

Step 1: Enable Service Endpoint from Director under Parent Organization

  • From Director, navigate to: Parent Organization → Select SASE GW → Configuration Tab → Services → Captive Portal → click the Edit button.

Step 2: Configure Gateway Settings

  • Click on Transport-VR and ensure the following entries exist.
    • HTTP Port = 80 and HTTPS Port = 443
    • Server URL = <Enterprise Chosen Domain> 
    • Certificate = <Server Certificate on SASE Gateway>
    • IP Address = <WAN Interface IP>

  2. Captive Portal Configuration (Child Tenant)
  • From Concerto, go to: Child Tenant → Configure → Settings → Captive Portal.

  • Configure default portal pages:
    • Ask Page: Select Use Default Ask Page → Click Save Ask Changes

    • Block Page: Select Use Default Block Page → Click Save Block Changes

    • Justify Page: Select Use Default Justify Page → Click Save Justify Changes

    • Cancel Page: Select Use Default Cancel Page → Click Save Cancel Changes

  • Publish the Captive Portal configuration to the SASE Gateway.

  3. URL Filtering and Policy Enforcement

Scenario 1: Allow only Enterprise domains, block the rest. 

  1. Upload a CSV file with allowed domains:
    • Child-Tenant → Configure → User-Defined Objects → URL Categories.

    • Click Add URL Categories → URL Files → Add New File → Browse → Upload CSV

  2. Configure URL-Filtering Profile
    • Configure → Real-Time Protection → Profiles → Filtering Profiles → URL Filtering → click Add

    • Set Action = Block for all denied URLs, then click Next.

    • Select Category List → Action = Allow and URL Category = Allow-URL-Patterns (uploaded under URL-Categories). Then click Next.

    • Set Default Action = Block for unmatched traffic. Enable “Cloud-Lookup State”. Then click Next.

    • Name the profile and click Save.

  3. Configure an Internet Protection Rule.
    1. Configure → Real-Time Protection → click the Add icon.
    2. Go to the Enforcement tab → select URL Filtering. Select the Block-Websites URL filtering profile.

    3. Name the Internet Protection Rule and click Save.

  4. Publish the configuration to the SASE Gateway.

Verification:

  1. Connect to the SASE Gateway.
  2. Test browsing:
    • Enterprise domains should open normally.
    • Blocked domains (e.g. Facebook) should redirect to the Captive Portal Block Page.

Scenario 2: Block Gaming, Social Media, and Gambling; Justify Finance Sites.

  1. Create a new URL Filtering Profile.
    • Gaming, Social Media, Gambling → Block and Finance_service → Justify

    • Other traffic → Allow and Enable “Cloud Lookup State”.

    • Name the profile and click Save.

  2. Update the Internet Protection Rule.
    • Real-Time Protection → Internet Protection → click Allowed-Domains → Enforcement tab. Replace the old profile with the newly created one.

  3. Save and publish the new configuration.

 

Verification:

  1. Open a browser and visit a financial_Services site. The user is routed to the Justify page before access is granted.
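
The verification steps of both scenarios can be scripted. The following is an added example, not part of the original guide or the vendor's tooling: it requests each test URL without following redirects and reports every URL whose outcome differs from what the policy should produce. It assumes the gateway answers an intercepted request with an HTTP 3xx whose Location host is the configured Server URL; `portal.example.com` and the test URLs are placeholders, and the responses in `SAMPLE` are constructed.

```python
import urllib.error
import urllib.request
from urllib.parse import urlsplit
PORTAL_HOST = "portal.example.com"  # placeholder for the configured Server URL host

class NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow: the 3xx itself is the evidence we want

def probe(url, timeout=10):
    """Fetch url without following redirects; return (status, Location header)."""
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:      # unfollowed 3xx, 4xx and 5xx land here
        return err.code, err.headers.get("Location")
    except (urllib.error.URLError, OSError):   # DNS failure, reset, timeout
        return 0, None

def classify(status, location, portal_host=PORTAL_HOST):
    """'portal' = sent to the captive portal, 'open' = reached the site, else 'error'."""
    if 300 <= status < 400 and location:
        host = (urlsplit(location).hostname or "").lower()
        return "portal" if host == portal_host.lower() else "open"
    return "open" if 200 <= status < 300 else "error"

def audit(expectations, fetch=probe, portal_host=PORTAL_HOST):
    """Return (url, expected, observed, status) for every URL that misbehaved."""
    failures = []
    for url, expected in expectations.items():
        status, location = fetch(url)
        observed = classify(status, location, portal_host)
        if observed != expected:
            failures.append((url, expected, observed, status))
    return failures

# Constructed data: url -> (expected outcome, (status, Location)); not captured traffic.
SAMPLE = {
    "http://intranet.example.com/": ("open", (200, None)),
    "http://social.example.net/": ("portal", (302, "https://portal.example.com/")),
    "http://bank.example.org/": ("portal", (200, None)),  # Justify rule not applied
}

def demo():
    return audit({u: e for u, (e, _) in SAMPLE.items()}, fetch=lambda u: SAMPLE[u][1])

if __name__ == "__main__":
    print(demo())
```

Against a live gateway, call `audit(expected)` with the default `probe`. The check only separates portal from non-portal outcomes, because the guide does not give the URLs of the individual Block and Justify pages.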
