topic PA with third party proxy scenario in Integration Discussions

PA with third party proxy scenario

AymanShimy — Thu, 24 Jan 2019 11:58:27 GMT

i am looking for PA with proxy scenario deplyment as best practice and use caching of proxy with PA features.

Re: PA with third party proxy scenario

jhochberg — Tue, 12 Mar 2019 20:14:00 GMT

Hello,

Could you provide a little bit more context around what you are trying to accomplish?

Are you interested in caching responses to HTTP requests from internal users? Or are you looking to deploy a caching solution in front of a web server sitting behind a Palo Alto firewall?

Thank you,

-JeffH

Jeff Hochberg | Sr. Systems Engineer - Technical Business Development

Palo Alto Networks | Atlanta, GA | USA

Mobile: 404.432.1112 | www.paloaltonetworks.com

The content of this message is the proprietary and confidential property of Palo Alto Networks and should be treated as such. If you are not the intended recipient and have received this message in error, please delete this message from your computer system and notify me immediately by reply e-mail. Any unauthorized use or distribution of the content of this message is prohibited.

Re: PA with third party proxy scenario

AymanShimy — Tue, 12 Mar 2019 21:33:36 GMT

Hi,

i am looking for two scenarios

1- proxy located in LAN (inside network) for caching and url filtering and integarted with an active directory then PA for remaining security.

2- Proxy located behind the PA FW.

Re: PA with third party proxy scenario

jhochberg — Tue, 12 Mar 2019 23:20:26 GMT

Ayman,

Thank you for the additional context.

Candidly, it's difficult to recommend any "best practices" here because of what's lost by deploying a proxy between the users and the firewall.

Out of curiosity, why would you not leverage the URL-Filtering and User-ID capabilities present in the firewall? In doing so, you are able to leverage Active Directory authentication and authorization for per-rule enforcement.

You would greatly simplify your environment and have a lot more visibility from one location if you collapsed these functions into the firewall.

Not to mention, if you're looking to take advantage of the inspection capabilities within PAN-OS, by deploying a proxy behind the firewall, you lose the ability to leverage SSL-Decryption. Given the vast majority of HTTP traffic is SSL encrypted, all of that traffic would pass through the firewall and not be inspected.

And, unless the proxy supports WCCP (or similar), the firewall logs would show all outbound access coming from the egress IP address on the proxy server.

The only advantage I see in deploying a proxy is in taking advantage of caching for increased performance - I don' t know that the performance gain is worth the sacrifices made to the overall security posture.

Jeff Hochberg | Sr. Systems Engineer - Technical Business Development

Palo Alto Networks | Atlanta, GA | USA