topic Re: App portal for mobile devices in General Topics

App portal for mobile devices

janicerne — Wed, 24 Oct 2018 09:13:12 GMT

Hi !

I was wandering if there is a way to set up some sort of webproxy, so the connections to services behind firewall would be secure (https). We have some services that runs via http an would like to publish them to internet but we would like to make it more secure.

One solution would be (if Palo Alto has it) to have a mobile application with a portal (a proxy), where you have some icons of those serivces, let say web services, a webpage for example. When user opens it, the secure connection is established to it.

The problem is that one of the vendors for a web service we have, only allows HTTP connection and discourages the opening it to the internet. Thats why we are looking to still use this web service but make it more secure.

Thank you and best regards,

Jani

Re: App portal for mobile devices

reaper — Wed, 24 Oct 2018 11:44:35 GMT

hi Jani

The PA firewall does not support proxy services, but you can set up GlobalProtect VPN, this allows you to build vpn tunnels into your application servers

Re: App portal for mobile devices

janicerne — Wed, 24 Oct 2018 11:46:57 GMT

Thank you for your response,

is there any way (except for Globa Protect) to secure http connections ?

Best regards,

Jani

Re: App portal for mobile devices

ShaiW — Wed, 24 Oct 2018 11:53:26 GMT

Hi Jani

Sounds to me like Palo Alto's Clientless VPN feature (introduced in PANOS-8.0.4) is what you need:

https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/globalprotect-features/clientless-vpn

There are a few caveats:

1. This is a licensed feature - you need GlobalProtect License for your PAN Firewall. You can request a trial license on the support portal if one was never issued in the past for this Firewall.

2. It's support of web technologies, see this link for what is supported:

https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprotect-clientless-vpn/supported-technologies

The user browses to Global Protect Portal and the links the user sees are behind the GlobalProtect Portal on the firewall so it is secure when leaving your network.

Hope this helps.

Re: App portal for mobile devices

BPry — Wed, 24 Oct 2018 18:39:09 GMT

@ShaiW,

That option works to encrypt traffic to the PA; the actual session to the HTTP service however still isn't going to be encrypted. If you wish to secure HTTP, you'll have to setup the service for HTTPS connections.

Re: App portal for mobile devices

janicerne — Thu, 25 Oct 2018 09:29:30 GMT

@ShaiWClientless VPN seems realy good solution for what i was looking for. Thank you for leting me know about the feature !

@BPryAs i understand wan connection will be encripted, because of the VPN, that is basically what we need. Or am i missing somethig ?

Thank you for your replies

Re: App portal for mobile devices

BPry — Thu, 25 Oct 2018 12:55:03 GMT

So to be clear here, the only connection that is encrypted is going to be from the device to your firewall. The actual connection to the http server is still completely in the clear. If that works in your situation then you have a secure way of providing access back to your environment. Make no mistake though, that site is no more secure then it is currently.

Re: App portal for mobile devices

janicerne — Tue, 06 Nov 2018 11:35:57 GMT

Thanks for help, i set up the portal and looks promising. I set up a zone for clientless traffic which has only few rules to acces servers to specific port.

This should be more secure way to access the servers from outside, but just to the entry point of firewall. Inside traffic is still secure as it was before, not less not more.

Thank you guys !