https://live.paloaltonetworks.com/t5/general-topics/web-browsing/m-p/36450#M26796 <HTML><HEAD></HEAD><BODY><P><SPAN>The PA doesnt do web proxy so it will not understand when a client connects to the ip address of the PA box and sends "CONNECT </SPAN><A class="jive-link-external-small" href="http://www.example.com/">http://www.example.com/</A><SPAN> HTTP/1.0".</SPAN></P><P></P><P><SPAN>If you want to keep the proxy setting in your clients (well browser settings) and in order to avoid having public ip addresses in your internal network you would need to use a dedicated forward proxy for this. A good (and cheap) solution is to use squid. There are also squid appliances if you want to pay some money: </SPAN><A class="jive-link-external-small" href="http://www.squid-cache.org/Support/products.html">http://www.squid-cache.org/Support/products.html</A></P><P></P><P>Otherwise you need to disable the proxysetting in your client-browsers and make sure to point defgw towards your PA box (for the client the defgw is most likely already some router, then you need to add a routing entry in this router to point towards PA as defgw).</P><P></P><P>Edit: A tip when using a forward webproxy inline with a PA is to setup the webproxy to use "keep client ip". Then the PA will get the client ip's (as srcip on the packets forwarded to the PA) and you can use the ACC in the PA device to dig on what each client have done (otherwise the PA would just see the ip of the webproxy).</P></BODY></HTML> Thu, 29 Mar 2012 08:50:42 GMT mikand 2012-03-29T08:50:42Z https://live.paloaltonetworks.com/t5/general-topics/web-browsing/m-p/36449#M26795 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>We're about to install the web filter licence for the PA. Our current system is a proxy configuraiton via websense. Now that we're going to use the PA for web filtering is the best practise to create a security rule allowing all internal PCs direct access to the Internet using the common web based ports or is there some other way of making the PA the proxy?</P><P></P><P>Thanks</P><P></P><P>Rod</P></BODY></HTML> Thu, 29 Mar 2012 08:27:15 GMT https://live.paloaltonetworks.com/t5/general-topics/web-browsing/m-p/36449#M26795 djrodb 2012-03-29T08:27:15Z https://live.paloaltonetworks.com/t5/general-topics/web-browsing/m-p/36450#M26796 <HTML><HEAD></HEAD><BODY><P><SPAN>The PA doesnt do web proxy so it will not understand when a client connects to the ip address of the PA box and sends "CONNECT </SPAN><A class="jive-link-external-small" href="http://www.example.com/">http://www.example.com/</A><SPAN> HTTP/1.0".</SPAN></P><P></P><P><SPAN>If you want to keep the proxy setting in your clients (well browser settings) and in order to avoid having public ip addresses in your internal network you would need to use a dedicated forward proxy for this. A good (and cheap) solution is to use squid. There are also squid appliances if you want to pay some money: </SPAN><A class="jive-link-external-small" href="http://www.squid-cache.org/Support/products.html">http://www.squid-cache.org/Support/products.html</A></P><P></P><P>Otherwise you need to disable the proxysetting in your client-browsers and make sure to point defgw towards your PA box (for the client the defgw is most likely already some router, then you need to add a routing entry in this router to point towards PA as defgw).</P><P></P><P>Edit: A tip when using a forward webproxy inline with a PA is to setup the webproxy to use "keep client ip". Then the PA will get the client ip's (as srcip on the packets forwarded to the PA) and you can use the ACC in the PA device to dig on what each client have done (otherwise the PA would just see the ip of the webproxy).</P></BODY></HTML> Thu, 29 Mar 2012 08:50:42 GMT https://live.paloaltonetworks.com/t5/general-topics/web-browsing/m-p/36450#M26796 mikand 2012-03-29T08:50:42Z https://live.paloaltonetworks.com/t5/general-topics/web-browsing/m-p/36451#M26797 <HTML><HEAD></HEAD><BODY><P>Many thanks for taking the time to respond.</P><P></P><P>Rod</P></BODY></HTML> Thu, 29 Mar 2012 13:51:31 GMT https://live.paloaltonetworks.com/t5/general-topics/web-browsing/m-p/36451#M26797 djrodb 2012-03-29T13:51:31Z