PA with third party proxy scenario

L1 Bithead

PA with third party proxy scenario

I am looking for a PA with proxy scenario deployment as best practice, and to use caching of the proxy with PA features.

L2 Linker

Re: PA with third party proxy scenario

Hello,

Could you provide a little bit more context around what you are trying to accomplish?

Are you interested in caching responses to HTTP requests from internal users? Or are you looking to deploy a caching solution in front of a web server sitting behind a Palo Alto firewall?

Thank you,

-JeffH

Jeff Hochberg | Sr. Systems Engineer - Technical Business Development

Palo Alto Networks | Atlanta, GA | USA

Mobile: 404.432.1112 | www.paloaltonetworks.com

The content of this message is the proprietary and confidential property of Palo Alto Networks and should be treated as such. If you are not the intended recipient and have received this message in error, please delete this message from your computer system and notify me immediately by reply e-mail. Any unauthorized use or distribution of the content of this message is prohibited.

L1 Bithead

Re: PA with third party proxy scenario

Hi,

I am looking for two scenarios:

1- Proxy located in the LAN (inside network) for caching and URL filtering and integrated with an Active Directory, then PA for remaining security.

2- Proxy located behind the PA FW.

L2 Linker

Re: PA with third party proxy scenario

Ayman,

Thank you for the additional context.

Candidly, it's difficult to recommend any "best practices" here because of what's lost by deploying a proxy between the users and the firewall.

Out of curiosity, why would you not leverage the URL-Filtering and User-ID capabilities present in the firewall? In doing so, you are able to leverage Active Directory authentication and authorization for per-rule enforcement.

You would greatly simplify your environment and have a lot more visibility from one location if you collapsed these functions into the firewall.

Not to mention, if you're looking to take advantage of the inspection capabilities within PAN-OS, by deploying a proxy behind the firewall, you lose the ability to leverage SSL-Decryption. Given the vast majority of HTTP traffic is SSL encrypted, all of that traffic would pass through the firewall and not be inspected.

And, unless the proxy supports WCCP (or similar), the firewall logs would show all outbound access coming from the egress IP address on the proxy server.

The only advantage I see in deploying a proxy is in taking advantage of caching for increased performance - I don't know that the performance gain is worth the sacrifices made to the overall security posture.

Jeff Hochberg | Sr. Systems Engineer - Technical Business Development

Palo Alto Networks | Atlanta, GA | USA