https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-to-proxy/m-p/32564#M23853 <HTML><HEAD></HEAD><BODY><P>I am attaching a slide from our documentation literature. If this fails to answer your question you probably need to open a case with Support. </P><P></P><P>You can use these commands to see which policy is processing traffic.</P><P></P><P>show session all filter source &lt;ip_addr&gt;</P><P>show session id xxxxx</P><P></P><P>xxxxx = the ID number shown by the first command.</P><P></P><P>Steve Krall</P></BODY></HTML> Fri, 06 May 2011 18:14:54 GMT skrall 2011-05-06T18:14:54Z https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-to-proxy/m-p/32563#M23852 <HTML><HEAD></HEAD><BODY><P>We use ntlm (CP) to authenticate our users against the PA.</P><P>We want any http traffic forwarded to a proxy. The proxy would have http access to the internet through the PA. I was thinking of using a policy based forwarding rule to forward service-http to the proxy. Similar to how e.g. a Cisco router can intercept http traffic and forward it to a proxy using the <A href="http://en.wikipedia.org/wiki/Web_Cache_Communication_Protocol">WCCP </A>protocol (or any other implementation of the same).</P><P></P><P>This way all authentication and traffic logging stays on the PA, easier to monitor...</P><P></P><P>But will it work ? In which order are rulesets processed ? For it to work, it would have to process the CP ntlm authentication rule before the PBF rule. Is that the case ? If not, can I set a processing order for rulesets ?</P></BODY></HTML> Tue, 26 Apr 2011 14:22:14 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-to-proxy/m-p/32563#M23852 dieter_b 2011-04-26T14:22:14Z https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-to-proxy/m-p/32564#M23853 <HTML><HEAD></HEAD><BODY><P>I am attaching a slide from our documentation literature. If this fails to answer your question you probably need to open a case with Support. </P><P></P><P>You can use these commands to see which policy is processing traffic.</P><P></P><P>show session all filter source &lt;ip_addr&gt;</P><P>show session id xxxxx</P><P></P><P>xxxxx = the ID number shown by the first command.</P><P></P><P>Steve Krall</P></BODY></HTML> Fri, 06 May 2011 18:14:54 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-to-proxy/m-p/32564#M23853 skrall 2011-05-06T18:14:54Z https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-to-proxy/m-p/32565#M23854 <HTML><HEAD></HEAD><BODY><P>Picking up an old thread... have'nt had the chance to try or implement yet.</P><P></P><P>Seems like your attachment went missing. Can you get it back for me, please ?</P></BODY></HTML> Tue, 03 Apr 2012 11:15:37 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-to-proxy/m-p/32565#M23854 dieter_b 2012-04-03T11:15:37Z https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-to-proxy/m-p/32566#M23855 <HTML><HEAD></HEAD><BODY><P>Your CP authentication should take place first </P><P>Policy Based forwarding takes precedence over whatever is in your routing </P><P></P><P>If you'd like to foward all your https/ http traffic over to a proxy outside of the PAN FW, then you should be able to enable UserID (via CP) and then route to the Proxy Server via the PBF</P><P></P><P><A href="https://live.paloaltonetworks.com/docs/DOC-1628">https://live.paloaltonetworks.com/docs/DOC-1628</A><SPAN> </SPAN></P><P><SPAN><BR /></SPAN></P><P>Hope this helps.</P></BODY></HTML> Thu, 05 Apr 2012 18:30:21 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-to-proxy/m-p/32566#M23855 sjamaluddin 2012-04-05T18:30:21Z https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-to-proxy/m-p/32567#M23856 <HTML><HEAD></HEAD><BODY><P>Thank you, exactly the answer and document I was looking for.</P></BODY></HTML> Fri, 06 Apr 2012 06:32:07 GMT https://live.paloaltonetworks.com/t5/general-topics/policy-based-forwarding-to-proxy/m-p/32567#M23856 dieter_b 2012-04-06T06:32:07Z