App portal for mobile devices

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

App portal for mobile devices

L1 Bithead

Hi !

 

I was wandering if there is a way to set up some sort of webproxy, so the connections to services behind firewall would be secure (https). We have some services that runs via http an would like to publish them to internet but we would like to make it more secure.

 

One solution would be (if Palo Alto has it) to have a mobile application with a portal (a proxy), where you have some icons of those serivces, let say web services, a webpage for example. When user opens it, the secure connection is established to it.

 

The problem is that one of the vendors for a web service we have, only allows HTTP connection and discourages the opening it to the internet. Thats why we are looking to still use this web service but make it more secure.

 

Thank you and best regards,

Jani

1 accepted solution

Accepted Solutions

L4 Transporter

Hi Jani

 

Sounds to me like Palo Alto's Clientless VPN feature (introduced in PANOS-8.0.4) is what you need:

 

https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/globalprotect-features/cli...

 

There are a few caveats:

1. This is a licensed feature - you need GlobalProtect License for your PAN Firewall. You can request a trial license on the support portal if one was never issued in the past for this Firewall.

2. It's support of web technologies, see this link for what is supported:

https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprot...

 

The user browses to Global Protect Portal and the links the user sees are behind the GlobalProtect Portal on the firewall so it is secure when leaving your network.

 

Hope this helps.

View solution in original post

7 REPLIES 7

Cyber Elite
Cyber Elite

hi Jani

 

The PA firewall does not support proxy services, but you can set up GlobalProtect VPN, this allows you to build vpn tunnels into your application servers

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thank you for your response,

 

is there any way (except for Globa Protect) to secure http connections ?

 

Best regards,

Jani

L4 Transporter

Hi Jani

 

Sounds to me like Palo Alto's Clientless VPN feature (introduced in PANOS-8.0.4) is what you need:

 

https://www.paloaltonetworks.com/documentation/80/pan-os/newfeaturesguide/globalprotect-features/cli...

 

There are a few caveats:

1. This is a licensed feature - you need GlobalProtect License for your PAN Firewall. You can request a trial license on the support portal if one was never issued in the past for this Firewall.

2. It's support of web technologies, see this link for what is supported:

https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprot...

 

The user browses to Global Protect Portal and the links the user sees are behind the GlobalProtect Portal on the firewall so it is secure when leaving your network.

 

Hope this helps.

@ShaiW,

That option works to encrypt traffic to the PA; the actual session to the HTTP service however still isn't going to be encrypted. If you wish to secure HTTP, you'll have to setup the service for HTTPS connections. 

@ShaiWClientless VPN seems realy good solution for what i was looking for. Thank you for leting me know about the feature !

 

@BPryAs i understand wan connection will be encripted, because of the VPN, that is basically what we need. Or am i missing somethig ?

 

Thank you for your replies

So to be clear here, the only connection that is encrypted is going to be from the device to your firewall. The actual connection to the http server is still completely in the clear. If that works in your situation then you have a secure way of providing access back to your environment. Make no mistake though, that site is no more secure then it is currently.

Thanks for help, i set up the portal and looks promising. I set up a zone for clientless traffic which has only few rules to acces servers to specific port.

 

This should be more secure way to access the servers from outside, but just to the entry point of firewall. Inside traffic is still secure as it was before, not less not more.

 

Thank you guys !

  • 1 accepted solution
  • 3258 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!