topic Re: Setting up Policy to allow all access to a squid proxy in General Topics

Setting up Policy to allow all access to a squid proxy

Alex_Samad — Mon, 15 May 2017 04:54:40 GMT

Still a beginer with the PA.

I have a universal rule that allows from

any zone

my internal ip address

ip address group that has by proxy addresses in it.

For applicaiton I have

http-proxy - this covers a lot of ports

default urls

from my test box I try

wget -O /dev/null http://www.smh.com.au

this works !!!

wget -O /dev/null http://www.google.com

fails, when i look in the traffic logs I see that the PA have identified that the application is google-base.

so I add in google-basic, infact I include a application filter of general-internet

try that it fails.

I then set service to any not application default and now it works

But doesn't this now mean I can connect to my squid box on any port ????

How am I supposed to configure this ?

Re: Setting up Policy to allow all access to a squid proxy

Alex_Samad — Mon, 15 May 2017 05:17:26 GMT

Actually even worse than this ....

the standard ports of the other applicaitons are allowed to the proxy

so for example msn-file-transfer allows 1025-65535 ... so now all these ports are allowed to the proxy !!!

Re: Setting up Policy to allow all access to a squid proxy

Alex_Samad — Tue, 16 May 2017 06:59:36 GMT

For the record, its just me.

I had to set the service ports as well.

All working well now

Re: Setting up Policy to allow all access to a squid proxy

Raido_Rattameister — Wed, 17 May 2017 03:25:45 GMT

To answer your question "so for example msn-file-transfer allows 1025-65535 ... so now all these ports are allowed to the proxy !!!"

No it is not the case.

Some applications use wide range of ports so SYN/SYN-ACK/ACK must be permitted through. When real communication starts then Palo can identify if it is really msn-file-transfer or not. If not then session is dropped.