change block page

Hi, 

 

In XG v15, the block page was set to http://172.16.16.16:8090/httpclient.html (network authentication), but in version v16 it was changed to a block page (with link to network authentication).

 

Is there a way to use http://172.16.16.16:8090/httpclient.html again as the block page, and use it as a captive portal? Currently using v16.

 

TIA

 

Leo, 



  • Leo,

    You can change this behavior under Authentication > services and look at the last part "captive portal" and change from block page to redirect.

    Thanks

  • Hi, 

     

    These are all the options under captive portal; there is no option for me to change the block page to the network authentication.

     

    It doesn't make sense, it says captive portal but it's not. 

  • hi Leo

    Please see the release notes for XG v16 here. XG Release 16.01.1.zip

    In the PDF, Page 17 you can find this under known behaviour. 

    Hope this helps. 

    EDIT: Sorry that is page 18. 

  • Leo,

    Thanks for the screenshot.

    As you can see, the first option allows you to decide if unauthenticated users will receive a captive portal (yes) or receive the block page (no). In order to get this working you have to create a policy rule where the option known users is enabled.

  • What Varun wrote is correct about the change they made on v16 when show captive portal is ticked inside the firewall rule.

    I would advise you to remove the captive portal inside the rule and configure option (YES) inside the captive portal as I wrote on the previous thread.

    They changed this behaviour on single firewall because you can enforce captive portal on some Firewall Rule and have the blocked message configured globally, so in this way if a blocked page is hit by the user but the matched firewall rule has show captive portal enabled, users are able to log in using the URL and bypass the block (if they are allowed to visit that page).

     

     

  • hi Luk

    AFAIK when you enable match known users on a rule, the network rule would change to user based rule.

    I tested this in my lab, it still shows me the block page with a link to login to captive portal. 

    Here's the advantage of enabling "Show captive portal to unknown users" on the firewall rule.

    1. You do not need to create a separate drop rule to show captive portal

    2. You have selectively enabled captive portal. For example, if I create a firewall rule from LAN (particular subnet) to WAN with match known users and show captive portal enabled, only those users of the particular subnet would get the captive portal.

    Hope that helps.

  • Varun,

    I am missing something. If the default behaviour is to receive blocked message, by default if the URL is blocked by web filtering, the user should receive the blocked website.

    If the user is not yet authenticated, the user should receive the captive portal and then proceed to the URL if it is allowed, and not a blocked page with a link to the Captive Portal.

    If the user gets the blocked page but he has rights to navigate on that URL, with this behaviour, we need to instruct users to click on "link to authenticate" (if they are not using STAS, client agent, NTLM, etc.).

    This aspect should be changed in some way...


  • You got it correctly. 

    Upon the first time, a block page will be shown with link to captive portal. 

    From there onwards, the block page will be without a link to captive portal. That is the reason I insisted on behaviour change in XGv16 :) 

    You could post this in a separate thread as a feature request, for now, this is what we have.

    Regards,

  • Thanks Varun.

    I will open a feature request on a new thread and on ideas.sophos.com
