topic Re: Has anyone configured and tested the new functionality within Pan OS 11.0 Web Proxy in Transparent mode? in Next-Generation Firewall Discussions

Has anyone configured and tested the new functionality within Pan OS 11.0 Web Proxy in Transparent mode?

AkashThangavel — Mon, 13 May 2024 09:06:46 GMT

Hi team,

I've set up the Web proxy in transparent mode, but I'm unsure of its functioning. Our Palo Alto device doesn't support WCCP and only allows Inline mode deployment. With only the admin guide available for reference and study, I may be the sole individual who has done this. Particularly, I'm uncertain about the D-NAT aspect of transparent proxy mode, as the DNS-Proxy isn't functioning. If anyone has experience with this configuration, I'd greatly appreciate assistance on how to test it effectively.

I will share few logs and DNAT policy for reference

D-NAT for Proxy deployment

-------------------------------------------------------------------------------

NAT Applied, DNS port 53 changed to 8080 and the traffic started DROP in the firewall itself.

Furthermore, the actual traffic is being directly routed from the LAN to the WAN, bypassing the proxy entirely. What steps can be taken to ensure that traffic is routed from the LAN to the proxy and then onward to the WAN?

regards,

Akash Thangavel

Network Security Engineer

Re: Has anyone configured and tested the new functionality within Pan OS 11.0 Web Proxy in Transparent mode?

AkashThangavel — Wed, 22 May 2024 18:29:25 GMT

TAC provided me the solution,

This is for the future reference, if anyone encounter issues, when trying the web proxy in transparent mode as per the incorrect instructions in the admin guide, refer to this information.

But the actually D-NAT should be like,

Traffic coming from client and going to Internet/web-server, needs to be send to Transparent proxy hence source zone would be client zone and dest zone would be Internet/web zone, not a PROXY zone. Also, For LAN to WAN, SSL traffic is routed to the PROXY zone using D-NAT, and then from PROXY to WAN, it is routed to the internet. In this process, the source and destination IPs remain the same in the traffic.

regards,

Akash Thangavel

Re: Has anyone configured and tested the new functionality within Pan OS 11.0 Web Proxy in Transparent mode?

Yoekleng.Kuy — Sun, 24 Nov 2024 05:16:47 GMT

I have test too but follow your NAT reference, it does not, can you share me the security policy and decryptions policy too?

Re: Has anyone configured and tested the new functionality within Pan OS 11.0 Web Proxy in Transparent mode?

AkashThangavel — Tue, 26 Nov 2024 06:09:42 GMT

Please check this following reference,

Security Policy,

Decryption policy I don't have screenshot.

LOGS