topic Re: Web Proxy behind PAN firewall and application recognition in General Topics

Web Proxy behind PAN firewall and application recognition

dustintodd — Fri, 17 Dec 2010 19:57:27 GMT

I know this question has been asked in other posts but I figured I would give it another try. I would like the PAN to sit between my users and my web proxy *and* for the applications to be recognized instead of just reported as proxy traffic. Is there any setting to force the PANOS to do this?

Re: Web Proxy behind PAN firewall and application recognition

skrall — Tue, 21 Dec 2010 05:23:42 GMT

If you are asking about this topology:

[User]------[Proxy]------[Paloalto]-----(internet)

Then all outbound traffic will be detected as the Proxy and the only traffic seen will be HTTP and HTTPS unless a second interface is picking up the other traffic such as FTP, MAIL, etc.

If you are asking about:

[User]-------[PaloAlto]-------[Proxy]------(internet)

Then we will see the actual user and all applications destined for the internet.

Re: Web Proxy behind PAN firewall and application recognition

kccg — Thu, 12 Jul 2012 10:06:38 GMT

if i'm using

[User]------[Proxy]------[Paloalto]-----(internet)

is there a way i can see the user?

Re: Web Proxy behind PAN firewall and application recognition

bryanpascal — Thu, 12 Jul 2012 11:39:05 GMT

Hi ,

Users' traffic should pass through the paloalto first then your proxy!

Re: Web Proxy behind PAN firewall and application recognition

kccg — Thu, 12 Jul 2012 12:53:31 GMT

is there anyway i can see the user behind the proxy?

Re: Web Proxy behind PAN firewall and application recognition

skrall — Thu, 12 Jul 2012 16:14:56 GMT

If you just want to identify users you could set up a TAP port on the Palo Alto using a Mirror Port on a switch to inspect the traffic prior to the proxy. I do not recommend inserting the Palo before and after the proxy because this will cause each packet to be inspected twice. Also, if you have BLOCK or CONTINUE pages on policies you can get some unexpected results.

Steve Krall

Re: Web Proxy behind PAN firewall and application recognition

mikand — Thu, 12 Jul 2012 19:59:45 GMT

Yes if you run a proxy that can act in transparent mode such as the Färist proxyfirewall (www.tutus.se) among others. Meaning that it will keep the srcip unaltered even if the client uses the proxyfirewall as a forward proxy (setup proxysettings in their webbrowser).

This way you can use:

[User]------[Proxy]------[Paloalto]-----(internet)

in two modes:

1) forward-proxy

The user setup the proxysettings in their webbrowser to point to the proxy. The proxy will then do nameresolution and surf on behalf of the user. The srcip hitting paloalto is the actual user srcip. Paloalto will then NAT outbound traffic towards internet so you get:

- User calls 10.0.0.1:3128 for http or 10.0.0.1:3129 for https (ip of proxy - preferly RFC1918 network).

- Proxy will query DNS and then setup a http/https towards the public ip on the Internet.

- Paloalto will NAT the user srcip before traffic leaves on the internet-interface.

2) transparent-proxy

The user will browse on its own straight to the public ip's on the internet and the proxy will be completely transparent for the user (except for errormessages and such).

- User will query DNS and then setup a http/https towards the public ip on the Internet.

- Paloalto will NAT the user srcip before traffic leaves on the internet-interface.

Personally I would prefer the first method because then you can setup triggers in your SIEM so it will scream if packets with public ip's is seen in the core (between User and Proxy) - because this would be a good sign that something is bad with a particular client (like a malware got through).

Also because you have a proxy between the paloalto unit (who sits next to Internet) and your internal network this proxy could also protect inbound connections which the paloalto device does towards the panagent servers in order to find out userid of the srcip's it is seeing.

Re: Web Proxy behind PAN firewall and application recognition

kccg — Sun, 15 Jul 2012 07:14:12 GMT

my configuration is in vwire mode.

when i see from the traffic log, all traffic to the internet is using source ip the proxy server ip.

how to configure, to use user-id in this topology?

i already set the zone to use user-id,

user-id work for internal traffic but not work for traffic to the internet

Re: Web Proxy behind PAN firewall and application recognition

tomimma — Tue, 22 Jan 2013 08:59:10 GMT

Hi skrall,

Just curious about your comment. Hope you don't mind if I ask this...

------------------------------------------------------------

If you are asking about:

[User]-------[PaloAlto]-------[Proxy]------(internet)

Then we will see the actual user and all applications destined for the internet.

---------------------------------------------------------------------------

In the above design, the proxy will be standard forward proxy. (That means it is none-transparent)

In this case, can PA still recognize a client's web access request and shows final destination-ip on internet?

I thought, since user's web request goes through this proxy server, destination-ip will be recognized as ip address of proxy server...

Re: Web Proxy behind PAN firewall and application recognition

skrall — Tue, 22 Jan 2013 20:02:26 GMT

The traffic logs will show the Proxy IP as the destination as you have said. But URL filtering looks at the actual URL requested to make a classification. And with HTTPS traffic, we look at the FQDN in the certificate to make URL classification. The actual application is detected based on signatures that match the Application layer header (HTTP Ver 1.1, etc). So only some of your reports will be negatively effected. I am not aware of this causing any problems in a production environment. If you really need the the destination IP address you could put one interface in TAP mode and watch the traffic on the other side of the Proxy but there is no good way to correlate the inside traffic and the outside traffic. And be careful about deep inspection of packets twice. This could cause performance degradation in a busy network.

Re: Web Proxy behind PAN firewall and application recognition

tomimma — Wed, 23 Jan 2013 08:25:35 GMT

Hi Skrall,

Very clear explanation! Thank you.

I guess there will be always a obstacle when you deploy a proxy server with PA...

Of course, the best solution is not using proxy and let PA handle everything, but many companies request to use a proxy server...

Re: Web Proxy behind PAN firewall and application recognition

mikand — Wed, 23 Jan 2013 08:52:04 GMT

The best solution is obviously to rearrange the flow in your case so it becomes:

[User]-------[Proxy]-------[PaloAlto]------(internet)

and by that configure your proxy to keepsource=yes and also allow PaloAlto to communicate with PAN-agent through your proxy (unless your PAN-agent is reachable over mgmt-interface). In this case the PaloAlto will do the SNAT.

This way it doesnt matter if your proxy is a forward-proxy (preferred because you will then have only internal ip's between User and Proxy) or transparent (the difference is that with forward-proxy the clients use CONNECT with dstip as the Proxy ip while in transparent the clients use HEAD/GET/POST with dstip as the real server on internet).

Another possibility, if you only have one set of PaloAltos, is to use VSYS (unless you have some policy which wont let you physically mix external and internal resources in the same hardware - meaning with VSYS you can let VSYS1 be the above internet firewall and VSYS2 will be some internal server firewall).

Re: Web Proxy behind PAN firewall and application recognition

tomimma — Wed, 23 Jan 2013 09:21:00 GMT

Hi Mikand,

↑ I am not sure exactly what the above means... Are you referring to the specific proxy server model? Also, PAN-OS is 5.x which doesn't use an external PAN-agent.

How does it work in that case?

Re: Web Proxy behind PAN firewall and application recognition

mikand — Wed, 23 Jan 2013 09:45:22 GMT

1) Keepsource=yes meaning that the proxy on its "internet" interface should use the client-ip as srcip instead of its own. How you do this depends on which proxy you are using. Which vendor and model (and if possible software version) is it in your case?

2) In order for the PA box to know the users (unless you want to use captive portal which I imagine you want to avoid) the PA must be allowed to speak to the PAN-agent server(s) on your inside network. This means except for rules client (inside) -> internet (outsice) in the proxy you must have a rule which will allow pa (outside) -> pan-agent (inside).

The PANOS 5.x can use dedicated PAN-agent server(s) as previously. Whats new in PANOS 5.x is that itself contains a limited PAN-agent server (runned in the mgmt-plane) so there is no need for a dedicated server(s) in smaller networks. I dont remember the recommendation for using the internal PAN-agent server in the PA box but it was something like less than 100 users or such. If you network have several hundred or thousands of users the recommendation is to use dedicated PAN-agent servers (or install the PAN-agent service on each DC-server). You can of course still use dedicated PAN-agent server(s) even in small networks (just put that in your VMware cluster or such if you cant spare it a dedicated hardware or install it directly on the DC-servers).

3) The PaloAlto will do the SNAT meaning since the PA will see the clientips (which I assume is RFC1918 like 10.x.x.x or 192.168.x.x or such) the PA will do the NAT so this traffic on the interface facing internet will have its srcip replaced into the ip which the PA uses on this internet interface (or if you wish to replace it into some other ip or range of ips which is routed towards the PA by your internetrouter).

Re: Web Proxy behind PAN firewall and application recognition

tomimma — Wed, 23 Jan 2013 10:32:35 GMT

Hi Mikand,

I think I am getting closer to understand your explanation very clearly... but I need to clarify a few things, hope you don't mind.

(1) Keepsource=yes

Are we talking about "X-Forwarded-For" in HTTP header? or you simply meant a proxy can do keep clients IP as the original souce-ip when it sends packets to internet? The customer's proxy is ISA. But I am testing with Squid. How can I enable it in case of the latter case for ISA and Squid?

(2) It can be reachable via management interface. Does this work?

Re: Web Proxy behind PAN firewall and application recognition

mikand — Wed, 23 Jan 2013 10:41:45 GMT

1) I was talking about that when the packet leaves your Proxy (towards internet) the srcip will be the clientip (instead of the ip of the physical interface).

Like so, before proxy:

srcip: <clientip>

dstip: <proxyip_insideinterface>

after proxy:

srcip: <clientip>

dstip: <webserverip>

I will check if squid can do the "keepsource=yes" feature and get back, otherwise there are other proxies which can do this.

2) Yes, you can specify which interface to use in Device -> Setup -> Services and then Service route configuration to define which mgmt-services should use the mgmt-interface and which should use one of the dataplane-interfaces.

Edit:

I found some info on how to do this with squid:

http://wiki.squid-cache.org/Features/Tproxy4

http://wiki.squid-cache.org/ConfigExamples/Intercept/CentOsTproxy4

http://wiki.squid-cache.org/ConfigExamples/FullyTransparentWithTPROXY

http://www.squid-cache.org/mail-archive/squid-users/200705/0443.html

http://www.squid-cache.org/mail-archive/squid-users/200705/0447.html

Some newer info regarding Squid3:

http://www.deckle.co.uk/squid-users-guide/transparent-caching-proxy.html

http://www.lesismore.co.za/squid3.html

The device where I first saw this keepsource=yes feature was in the Farist Firewall http://www.tutus.se/products/farist-firewall.html

Re: Web Proxy behind PAN firewall and application recognition

tomimma — Thu, 24 Jan 2013 14:20:16 GMT

Thanks, I am not sure if these solutions are feasible for my real situation though...

It looks like it is acting more likely as "transparent", that is all to me.