I try to forward my WiFi mobile users http communications to my proxy.
WiFi mobile users and proxy are in two different VLAN plug on Palo Alto (default gateway of mobile users and proxy is Palo Alto Firewall).
Is it possible with Palo Alto?
The problem is that I need to forward all HTTP (80) from mobile users to the proxy on a different port (8080) and you could not define a specific forward port on the next hop on the Policy Based forwarding menu.
I tried with nat but my squid proxy deny the request.
I've made lots of test in lab with the Policy Based Forwarding and NAT features but it's not working.
Can you please help me ?
Why do you want to forward from port 80 to port 8080. With policy based forwarding you can specify the next hop ip address. can you not select the source user ip subnet or WIFI subnet only and foraward it the proxy server's ip address which is basically your next hop ip address. Also make sure to select the http from the services tab so only port 80 traffic gets . Please let me know if that helps.
Hi mbutt and thanks for your quick answer.
That exacly the configuration I made.
I want to forward to the 8080 tcp port because my proxy is listening to the 8080 tcp port and is not working in transparent mode, that why I would like to know if I can forward the http mobile phone connexions to the proxy thanks to Palo Alto Firewall (mobile phones does not have proxy configured and I could not change the configuration).
The goal of this configuration is to apply the company internet policy (proxy filtering settings) to the unmanage mobile phones.
In checkpoint FW, the feature is called http_mapped service.
Thanks again for your help
i just try to configured a simple forwarding policy rule (source IP: wifi_mobile ; dest. service http ; forward to proxy IP) and set the listen port of my proxy to tcp/80 (transparent mode) but this configurtion is not working.
Is there a way to correctly foward http connexion to a web proxy?
sorry again but I find the begining of the solution:
1/ my proxy is listening to the 8080 port in transparent mode
2/ the PA have a forward proxy rule from zone wifi_mobile to http service port => forward to proxy IP
3/ NAT configuration : from zone Wifi_mobile to zone "proxy" ; destination adresse 184.108.40.206 ; service http; nat source "none" ; nat dest. IP: proxy_IP ; nat port dest. 8080
This configuration is working when the mobile phone access to http://220.127.116.11
Hope you see the problem: I could not NAT all internet IP address to my unique proxy IP address.
Thanks again :smileyhappy:
The main difference between a transparent http-proxy and non-transparent http-proxy is how the request which the client sends looks like:
GET /path/file.txt HTTP/1.0
non-transparent (aka forward-proxy):
CONNECT http://www.example.com/path/file.txt HTTP/1.0
Also, when using a transparent proxy it will use the dstport on the inside as dstport on the outside. Which means that if you use a PA to DNAT the traffic from TCP80 into TCP8080 it will arrive to your proxy at TCP8080, the proxy (if runned in transparent mode) will then reuse the values of dstip and dstport on the packet it constructs on its outside before being sent to Internet (or whatever you might have there).
Which gives that if you cannot force your clients to use a proxysetting (so they send CONNECT http://www.example.com/ HTTP/1.0 instead of GET / HTTP/1.0) then you need to change your transparent proxy to act on the port (TCP80 and usually also TCP443) which the client tries to connect to (which the client thinks is the server it will speak to but by routing it will actually speak to the proxy session-wise).
thanks miklond but I don't know how to DNAT my dest port from 80 to 8080 because PA need an IP adresse (orginal dest & translated dest.) and I could not know the dest. IP (internet).
you can look on page 15 on how to configure destination NAT of the following doc.
Please let us know if this helps.
So I suppose your answer mean:"it's not possible because you could not create a port translation if in the orginal packet the destination IP is Internet (any)"
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!