topic Re: PAN-OS 11.0 Explicit proxy with no authentication in General Topics

PAN-OS 11.0 Explicit proxy with no authentication

itsnoc — Wed, 12 Jul 2023 13:17:22 GMT

Hello,

may it be possible to use explicit proxy feature in PAN-OS 11.0 with no authentication and allow access for all users?

The documentation is very limited in this area and describes SAML or Kerberos authentication only.

Thanks

Lumir

Re: PAN-OS 11.0 Explicit proxy with no authentication

OtakarKlier — Wed, 12 Jul 2023 21:30:21 GMT

Hello,

Here are a few articles that may help out.

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/dns/configure-a-web-proxy/configure-explicit-proxy

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/dns/configure-a-web-proxy/configure-authentication-for-explicit-web-proxy

Regards,

Re: PAN-OS 11.0 Explicit proxy with no authentication

BPry — Thu, 13 Jul 2023 13:34:17 GMT

@itsnoc,

You need to specify an authentication service type and have an assigned authentication profile to have a valid configuration. If you don't want to set that up you'd have to utilize a transparent proxy instead of an explicit proxy.

Re: PAN-OS 11.0 Explicit proxy with no authentication

nikoolayy1 — Fri, 21 Jul 2023 07:18:43 GMT

Better question is why you want explicit/transperant proxy at all @itsnoc ? Even before 11.0 Palo Alto can be an SSL forward proxy as mentioned in https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-concepts/ssl-forward-proxy and if you do not configure authentication policy and portal redirection, it will decrypt the traffic and inspect it without authentication. You can use Policy based routing (PBR) routing from a router and switch to send the web traffic to the Firewall if it is not in path of the traffic as usually this is why explicit proxy is configured when it is not between the users and Internet. Palo Alto also has DNS Proxy mode if you want it to be your DNS point for the users https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFcCAK

Outside of that the Kerberos authentication for users that are in the AD is seamless without affecting the users so it is another option https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/dns/configure-a-web-proxy/configure-authentication-for-explicit-web-proxy

Also SAML maybe to Azure AD can utilize SSL Client cert and this will again make the authentication expiriance seemless:

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-authentication

Also if you have proxy before the Palo Alto that authenticates the users then the Explicit proxy can use the XAU header to auto authenticate.

Re: PAN-OS 11.0 Explicit proxy with no authentication

itsnoc — Mon, 24 Jul 2023 13:28:21 GMT

@OtakarKlier , @BPry

thanks for your comments, the documentation is very limited, same as the proxy functionality. Also it does not functional without issues - ssl handshake is sometime broken and clients have to reload web page in their browsers.

Thanks

Lumir

Re: PAN-OS 11.0 Explicit proxy with no authentication

itsnoc — Mon, 24 Jul 2023 15:04:21 GMT

Hi @nikoolayy1

thanks for your summary, the main goal of using explicit proxy is to avoid default route and other hacks in the network. I built solution using the Fortigate explicit proxy which can keep original source IP, route traffic over the PA box which then recognize source user based on User-ID mapping.

Kerberos authentication works fine for desktop OS (Win, MAC) but does not work for Apple IOS devices - even with the Apple extension delivered by MDM.

Best regards

Lumir

Re: PAN-OS 11.0 Explicit proxy with no authentication

nikoolayy1 — Mon, 08 Jan 2024 22:42:34 GMT

Now there seems to be bypass support in 11.1 @itsnoc https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-networking-admin/dns/configure-a-web-proxy/configure-exemptions-for-explicit-proxy-authentication

Re: PAN-OS 11.0 Explicit proxy with no authentication

lumirs — Wed, 10 Jan 2024 05:49:23 GMT

Good point @nikoolayy1 - works as expected. Thanks for you comment

Lumir