https://live.paloaltonetworks.com/t5/general-topics/external-web-proxy/m-p/1227665#M124141 <P>i am forwarding (BPF) to SkyHigh Web Gateway (on-prem),</P> <P>SkyHigh Web Gateway has a wonderful solution for identifying (and block) dozens of file-mimes (unlike the short list of Palo Alto file types).</P> <P><A href="https://success.skyhighsecurity.com/Skyhigh_Secure_Web_Gateway_(On-Prem)/Secure_Web_Gateway_Product_Guide/Media_Type_Filtering/Supported_Media_Types/Secure_Web_Gateway_(SWG)_Supported_MIME_Types" target="_blank">https://success.skyhighsecurity.com/Skyhigh_Secure_Web_Gateway_(On-Prem)/Secure_Web_Gateway_Product_Guide/Media_Type_Filtering/Supported_Media_Types/Secure_Web_Gateway_(SWG)_Supported_MIME_Types</A></P> <P>&nbsp;</P> <P>My plan is to to use Palo Alto (as default gateway) content inspection (TP and WF and all the protection modules), and then forward to SkyHigh (2nd hop)</P> <P>SkyHigh Proxy is listening on port 9090, and gets the traffic.</P> <P>Both PA and SkyHigh (and clients) using same SSL certificate.</P> <P>The issue is that the SkyHigh doesn't like the new SSL re-encryption from Palo Alto (1st hop).</P> <P>Seems like the SSL content inspection doesn't work when traffic comes not directly from clients (SSL is being handled by Palo Alto as MITM)</P> <P>&nbsp;</P> <P>Ideas?</P> <P>&nbsp;</P> Tue, 29 Apr 2025 13:42:26 GMT chens 2025-04-29T13:42:26Z https://live.paloaltonetworks.com/t5/general-topics/external-web-proxy/m-p/1227517#M124127 <P>Hi.</P> <P>Have someone working with next hop fwd proxy ?&nbsp;</P> <P>I need post firewall solution for additional files types blocks (like Trellix)</P> <P>&nbsp;</P> Mon, 28 Apr 2025 06:49:19 GMT https://live.paloaltonetworks.com/t5/general-topics/external-web-proxy/m-p/1227517#M124127 chens 2025-04-28T06:49:19Z https://live.paloaltonetworks.com/t5/general-topics/external-web-proxy/m-p/1227573#M124133 <P>Hello,</P> <P>Would you mind elaborating on your question?</P> <P>Regards,</P> Mon, 28 Apr 2025 16:58:44 GMT https://live.paloaltonetworks.com/t5/general-topics/external-web-proxy/m-p/1227573#M124133 OtakarKlier 2025-04-28T16:58:44Z https://live.paloaltonetworks.com/t5/general-topics/external-web-proxy/m-p/1227665#M124141 <P>i am forwarding (BPF) to SkyHigh Web Gateway (on-prem),</P> <P>SkyHigh Web Gateway has a wonderful solution for identifying (and block) dozens of file-mimes (unlike the short list of Palo Alto file types).</P> <P><A href="https://success.skyhighsecurity.com/Skyhigh_Secure_Web_Gateway_(On-Prem)/Secure_Web_Gateway_Product_Guide/Media_Type_Filtering/Supported_Media_Types/Secure_Web_Gateway_(SWG)_Supported_MIME_Types" target="_blank">https://success.skyhighsecurity.com/Skyhigh_Secure_Web_Gateway_(On-Prem)/Secure_Web_Gateway_Product_Guide/Media_Type_Filtering/Supported_Media_Types/Secure_Web_Gateway_(SWG)_Supported_MIME_Types</A></P> <P>&nbsp;</P> <P>My plan is to to use Palo Alto (as default gateway) content inspection (TP and WF and all the protection modules), and then forward to SkyHigh (2nd hop)</P> <P>SkyHigh Proxy is listening on port 9090, and gets the traffic.</P> <P>Both PA and SkyHigh (and clients) using same SSL certificate.</P> <P>The issue is that the SkyHigh doesn't like the new SSL re-encryption from Palo Alto (1st hop).</P> <P>Seems like the SSL content inspection doesn't work when traffic comes not directly from clients (SSL is being handled by Palo Alto as MITM)</P> <P>&nbsp;</P> <P>Ideas?</P> <P>&nbsp;</P> Tue, 29 Apr 2025 13:42:26 GMT https://live.paloaltonetworks.com/t5/general-topics/external-web-proxy/m-p/1227665#M124141 chens 2025-04-29T13:42:26Z