policy based forwarding to proxy

We use ntlm (CP) to authenticate our users against the PA.

We want any http traffic forwarded to a proxy. The proxy would have http access to the internet through the PA. I was thinking of using a policy based forwarding rule to forward service-http to the proxy. Similar to how e.g. a Cisco router can intercept http traffic and forward it to a proxy using the WCCP protocol (or any other implementation of the same).

This way all authentication and traffic logging stays on the PA, easier to monitor...

But will it work? In which order are rulesets processed? For it to work, it would have to process the CP ntlm authentication rule before the PBF rule. Is that the case? If not, can I set a processing order for rulesets?


Accepted Solutions

Re: policy based forwarding to proxy

Your CP authentication should take place first.

Policy Based forwarding takes precedence over whatever is in your routing.

If you'd like to forward all your https/http traffic over to a proxy outside of the PAN FW, then you should be able to enable UserID (via CP) and then route to the Proxy Server via the PBF.

https://live.paloaltonetworks.com/docs/DOC-1628


Hope this helps.



All Replies

Re: policy based forwarding to proxy

I am attaching a slide from our documentation literature. If this fails to answer your question you probably need to open a case with Support.

You can use these commands to see which policy is processing traffic.

show session all filter source <ip_addr>

show session id xxxxx

xxxxx = the ID number shown by the first command.

Steve Krall


Re: policy based forwarding to proxy

Picking up an old thread... haven't had the chance to try or implement yet.

Seems like your attachment went missing. Can you get it back for me, please?


Re: policy based forwarding to proxy

Thank you, exactly the answer and document I was looking for.
