topic Inspection of 'http-proxy' traffic in General Topics

Inspection of 'http-proxy' traffic

loki — Wed, 11 Mar 2015 11:20:21 GMT

My instinct when I read my own title is to tell me to block the app-id type http-proxy as I can't see inside it and it shouldn't be on my network.

However, I have a requirement, mostly due to legacy infrastructure, where all the traffic passing through my PA firewall will effectively terminate on a proxy server (probably bluecoat) further down the line.

Is it possible in anyway on the PA to inspect further into the http-proxy app to see what is really going on? from a reporting perspective my visibility into the traffic is about the same as it was prior to installing the box (nil)

keen for someone to surprise me on this one

Re: Inspection of 'http-proxy' traffic

Dz3015 — Wed, 11 Mar 2015 14:15:59 GMT

What type of proxying are you doing? You should still have visibility into the traffic. The only time you wouldn't is if you are encrypting the traffic and the PA is not doing decryption.

Re: Inspection of 'http-proxy' traffic

PauliLaine — Thu, 12 Mar 2015 05:55:22 GMT

Try Object - Security Profile and select Url Filtering Profile you are using for www-traffic. Then select under desired profile: Settings - and enable: User-Agent, Referer and X-Forwarded for. You'll need to have PAN-OS version 6.x. This will enable more log entries in the log file, just like Blue Coat logging does (and makes proxy logging irrelevant, since now the same information is shown in the PA ;).

I hope I understood your question right.

Regards,

Pauli

Re: Inspection of 'http-proxy' traffic

Dz3015 — Thu, 12 Mar 2015 14:59:27 GMT

I think you are spot on! loki, adding those entries will enable your PA to look past the proxy app to give you what you are looking for.

Re: Inspection of 'http-proxy' traffic

loki — Thu, 12 Mar 2015 22:27:04 GMT

Yep, understood, this is the path all the reading about proxy logging has taken me down, good to see there is a way to see that info.

I'll let you know how it goes.