Palo-Alto 500 replace bluecoat proxy server

Not applicable

Hi guys!

LAN -> Bluecoat | Palo-Alto -> Internet

Does anyone have experience with replacing a Bluecoat proxy server with Palo Alto?

Can Palo Alto be a proxy server for the network?

Please share your experience.

Thanks in advance.

4 REPLIES

L6 Presenter

Palo Alto does not have a proxy feature at this time.

L4 Transporter

Also the PA can't do WCCP... If that's a requirement for you in any way the PA isn't going to work.

That being said, the URL filtering capabilities are "pretty good" on PA, but you can't get as granular as you can with BlueCoat. In BlueCoat you can do some pretty neat tricks, like transparently turning links on a site from http to HTTPS. If you don't need the rich amount of logic the BlueCoat provides the PA might be "good enough." Take full advantage of the PA's DNS proxy feature (so you can do some DNS rewrite if needed), User ID agent and of course App-IDs and you might have enough features that you wouldn't need BlueCoat.

Also I'd probably go with 'PAN-DB' in lieu of BrightCloud for URL filtering... PAN-DB seems to me to be the way forward for PA (I don't work there though so don't take my word as the gospel truth)

L5 Sessionator

Hi,

No worries for you in doing that:

- PAN URL filtering is quite good

- Easy to support: nothing to specify in the user's browser (no questions like "Internet doesn't work!!!!" - answer: "please configure your proxy")

- If you just need logs and authentication... it's perfect

Only thing: you can't use advanced features like caching (doesn't matter, no need with more than 60% of all traffic in SSL), no referer...

But at the end, you will be happy.

Hope it helps

v.

Here are my experiences from replacing Bluecoat with PaloAlto (techwise):

- PaloAlto is not a proxy - with that being said, you can still apply URL filtering (you can use PA's own DB now, which is more granular than the Brightcloud-based one), SSL termination, antivirus, file type policies (like white/blacklisting), IPS, UserID, botnet reporting and URL logging (and probably something I forgot).

The above means that you need to change the browser settings in your clients to not use any http/https proxy to reach the Internet, along with putting a default route towards your PAs in your core routers. That is if you were using the Bluecoat in non-transparent mode (client points to the Bluecoat IP and the query looks like "CONNECT http(s)://www.example.com/" instead of "GET / HTTP/1.0\nHost: www.example.com", which is regular transparent mode (and how it must look when you switch to PA)). A workaround could be to put a Squid proxy (or similar) in front of the PA (that is client - Squid - PA - Internet) and configure it to be non-transparent towards clients (the clients will use the proxy setting in their browser) and transparent towards the PA (that is "keep srcip" - this way UserID can still be applied in the PA and you won't need to correlate logs between the devices).

- If you use UserID for logging (and security policies) you need to replace the BCAAA (like if you are using a Citrix environment or such) with the TS-client from PA.

- If you are sensitive about information disclosure (such as user-agent) then make sure that the clients have a manually set user-agent string (this can be done through GPO or similar depending on your environment). That is, (currently) the PA gear isn't too happy to alter data - it's more into detecting (and if you like, blocking). There are currently some bug reports (according to other threads in here) that PA can, for X-Forwarded-For (as an example), only replace the value with whitespace but not completely remove the header when the traffic is passing through.

- Watch out for the SSL capabilities of the chosen hardware (PA). More and more sites are using https these days, which adds to the demand on SSL termination capabilities (if you want to protect the clients by using the AV and IPS capabilities, incl. logging, of your PA).

The above means that depending on the number of concurrent users a PA500 might be too "small": the SSL capability of a PA500 is, according to datasheets, 1000 concurrent SSL sessions. Compare that to a PA3050, which can do 15360 concurrent SSL sessions (or 7936 for the PA3020). Now with tabbed browsing and all that, a single client can easily chew up 10 or more concurrent SSL sessions.

Somewhat techwise: Note that Bluecoats own numbers of "number of concurrent users" is based on that out of these "concurrent users" only about 40% will actually be using the Internet (that is through the Bluecoat device). That gives that PA was not only cheaper than Bluecoat in our case but could also take a way higher load (and by that happier clients).

Managementwise: If you are stuck with the PA500 there is a RAM memory upgrade available from PA which would lower the commit times (when you use the mgmt GUI) by up to 50% - I don't know if this will affect SSL capabilities as well (I think for the PA2000 platform the management plane is involved when creating the "fake" certs that are signed by your termination CA cert before being sent to the client).
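The reply above hinges on the difference between explicit-proxy requests (CONNECT or absolute-URI GET) and the transparent origin-form requests a PA in the path will see. As an added example, not code from the thread or from Palo Alto, here is a small classifier over constructed request captures that flags clients still sending proxy-form requests after the Bluecoat is removed; it follows the request forms defined in RFC 7230 section 5.3.

```python
# Added example (not from the thread): classify captured HTTP request lines
# as explicit-proxy style or transparent/origin style, to find clients that
# still point at a proxy after the Bluecoat is removed. Request forms follow
# RFC 7230 section 5.3 (origin-form, absolute-form, authority-form).
from urllib.parse import urlsplit

def classify_request(raw: str) -> dict:
    """Return {'method', 'form', 'needs_proxy', 'host'} for one raw request."""
    lines = raw.replace("\r\n", "\n").split("\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    if method == "CONNECT":
        # authority-form: only ever sent to an explicit (non-transparent) proxy
        return {"method": method, "form": "authority", "needs_proxy": True,
                "host": target.rsplit(":", 1)[0]}
    if target.startswith(("http://", "https://")):
        # absolute-form: the browser is configured with an HTTP proxy
        return {"method": method, "form": "absolute", "needs_proxy": True,
                "host": urlsplit(target).hostname}
    # origin-form: what a transparent path (client -> PA -> Internet) sees
    return {"method": method, "form": "origin", "needs_proxy": False,
            "host": headers.get("host")}

# Constructed sample requests, as they might be captured on the LAN side.
SAMPLES = [
    "CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    "GET http://www.example.com/ HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "GET / HTTP/1.0\r\nHost: www.example.com\r\n\r\n",
]

def clients_still_using_proxy(requests) -> list:
    """Hosts requested in a proxy-only form; these clients still need migration."""
    return [r["host"] for r in map(classify_request, requests) if r["needs_proxy"]]

if __name__ == "__main__":
    for raw in SAMPLES:
        print(classify_request(raw))
    print("still proxy-form:", clients_still_using_proxy(SAMPLES))
```

Run it over request lines captured on the LAN side (for instance from a packet capture during the cut-over) to spot workstations whose browser proxy setting was not changed.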
