I am trying to understand what references mean when mentioning Palo Alto firewall as a web proxy or any reference to it that way.
I mean, from what I gather, the PA does not cache web requests like a web proxy product would, or rewrite URLs, or have other traditional web proxy type features. Unless I am wrong?
Could it be that the term Web Proxy is often misused in certain descriptions or reference when discussing PA devices?
I was looking at this comparison paper, but seems to highlight what Web Proxies don't do in regards to App-ID, which I understand.
Solved! Go to Solution.
What specific features are you looking for? PAN is a "transparent" web proxy. There is no need to point to a proxy in your environment. Personally, I prefer this method as it is much easier to implement without a bunch of special use case exceptions where a traditional proxy doesn't work/isn't supported/causes problems/etc.
Thank you for responding!
I am not really looking for anything in particular, just trying to understand when I read and see reference to using PA device as a web proxy. When I think of a web proxy device, I think of web caching or web proxy device capturing the request and resending on user's behalf, and or other features that are specific to web proxy.
In other words, I've believed there is a clear separate distiction between these two types of products.
When you say the PA is a transparent proxy, that is just meant to say that web traffic flows through it as an intermediatary device (as a firewall for app-id scanning, etc, using NAT)? Therefore, when web proxy is used to in reference to PA device, I should understand within that context only (specifically)? Am I correct in this thinking?
Just trying to confirm as I get these kinds of questions when evaluating what are necessary in environments...
I guess that's kind of hard to answer because I don't know what features you are looking for. I couldn't tell you on the top of my head whether or not PA caches requests (I would assume so). Is there a specific feature or use case you are looking for. Perhaps I am just misunderstanding your question. Whether you explicitly forward traffic to a proxy on a predefined port or if it just runs transparently inline shouldn't make that big of a difference. I guess this boils down to your derfinition of "on your behalf".
Most of the documents compare pan to a proxy, yes it does proxy, ssl forward etc but it does not cache or rewrite like a proxy.
so PAN is a next gen firewall, a proxy is a proxy.
for me the proxy has been replace by the PAN for outgoing traffic for the reasons mentioned by @jeremy.larsen .
Not as much requiremenr for cache as mega gig pipes now replace our old isdn etc...
you cannot check your bus timetabel these days without https and this cannot be cached in proxy world,
plus the additional complication and demands of todays content seems to be ever forcing us closer to a proxy rule of......
if url=*.* then go direct (vial PAN)
having said that, our incoming web requests do not touch the PAN, it traverses a non NGFW and is then reverse proxied to our internal web servers. we are in control of code and content and with ssl terminated on the proxy we can cache to reduce overheads on our web servers.
so.... if you need to proxy, dont use a PAN, it is not a proxy.
Ah! Incoming connections is your use case (I was only describing a client internet bound use case). Yes, in that case, PAN might be inline but then you should be using comething like F5/Netscaler/etc for reverse proxy traffic flow and load balancing. I don't usually refer to those services as a "web proxy".
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!