10-24-2018 02:13 AM
Hi!
I was wondering if there is a way to set up some sort of web proxy, so the connections to services behind the firewall would be secure (https). We have some services that run via http and would like to publish them to the internet, but we would like to make it more secure.
One solution would be (if Palo Alto has it) to have a mobile application with a portal (a proxy), where you have some icons of those services, let's say web services, a webpage for example. When the user opens it, the secure connection is established to it.
The problem is that one of the vendors for a web service we have only allows HTTP connections and discourages opening it to the internet. That's why we are looking to still use this web service but make it more secure.
Thank you and best regards,
Jani
10-24-2018 04:44 AM
Hi Jani
The PA firewall does not support proxy services, but you can set up GlobalProtect VPN; this allows you to build VPN tunnels into your application servers.
10-24-2018 04:46 AM
Thank you for your response,
Is there any way (except for Global Protect) to secure http connections?
Best regards,
Jani
10-24-2018 04:53 AM
Hi Jani
Sounds to me like Palo Alto's Clientless VPN feature (introduced in PANOS-8.0.4) is what you need:
There are a few caveats:
1. This is a licensed feature - you need GlobalProtect License for your PAN Firewall. You can request a trial license on the support portal if one was never issued in the past for this Firewall.
2. Its support of web technologies, see this link for what is supported:
The user browses to Global Protect Portal and the links the user sees are behind the GlobalProtect Portal on the firewall so it is secure when leaving your network.
Hope this helps.
10-24-2018 11:39 AM
That option works to encrypt traffic to the PA; the actual session to the HTTP service, however, still isn't going to be encrypted. If you wish to secure HTTP, you'll have to set up the service for HTTPS connections.
10-25-2018 05:55 AM
11-06-2018 03:35 AM
Thanks for the help, I set up the portal and it looks promising. I set up a zone for clientless traffic which has only a few rules to access servers to a specific port.
This should be a more secure way to access the servers from outside, but just to the entry point of the firewall. Inside traffic is still as secure as it was before, not less, not more.
Thank you guys!