Palo Alto is not a proxy. To use us as a replacement for a proxy, you would create rules that allow "application = web-browsing" and "application = ssl" and apply a URL filtering profile and an antivirus profile. You can enable SSL Decryption to act as a "man in the middle" and inspect encrypted files to protect against malware.
Our company was also using TMG/ISA. We replaced them with the PA. To replace the proxy with PA you have to do the following:
1) Route internet traffic to the PA (ip route static 0.0.0.0 0.0.0.0 "PA-GATEWAY-INTERFACE-IP")
2) Remove from your Web-Browser ANY proxy settings (IE: internet options -> Connections -> LAN Settings). This can be done easily with GPO.
You only need your proxy if you want to use it as a reverse proxy. Or you can use an IIS as an ARR (Application Request Routing : The Official Microsoft IIS Site).
We created some AD Groups and added them in the firewall policy (domain/Group-Name).
You need to configure the User-ID Agent (install the agent on any server or use the agentless User-ID on your PA). Also you have to add your AD Groups in the "Group Mapping Settings". You will find some documentation here in the forum...
It's quite difficult to explain, but read the admin guide: https://live.paloaltonetworks.com/docs/DOC-6603
And I also don't know what you want to restrict. There are so many ways to restrict and allow internet traffic. With URL Filtering, allow application, data filtering and so on...
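As an added example (not from any of the posts above), one way to check an exported rulebase against the advice in this thread: every allow rule carrying web-browsing or ssl should have URL filtering and antivirus profiles attached and be tied to a User-ID group. It assumes the rules are in the PAN-OS XML config layout; the sample rules, the "default" profile names and the group name are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PAN-OS XML security rulebase
# (rule names, profile names and the group are made up for illustration).
SAMPLE = r"""<rules>
 <entry name="web-staff"><action>allow</action>
  <source-user><member>domain\Group-Name</member></source-user>
  <application><member>web-browsing</member><member>ssl</member></application>
  <profile-setting><profiles><url-filtering><member>default</member></url-filtering>
   <virus><member>default</member></virus></profiles></profile-setting></entry>
 <entry name="web-guests"><action>allow</action>
  <source-user><member>any</member></source-user>
  <application><member>web-browsing</member><member>ssl</member></application>
  <profile-setting><profiles><url-filtering><member>default</member></url-filtering>
  </profiles></profile-setting></entry>
 <entry name="dns-out"><action>allow</action>
  <application><member>dns</member></application></entry>
</rules>"""

WEB_APPS = {"web-browsing", "ssl"}
REQUIRED = ("url-filtering", "virus")  # the two profiles named in the thread


def members(entry, path):
    """Collect the <member> values under a rule element."""
    return {m.text for m in entry.findall(f"{path}/member")}


def audit_web_rules(xml_text):
    """Return {rule name: [problems]} for allow rules that carry web traffic."""
    findings = {}
    for entry in ET.fromstring(xml_text).findall("entry"):
        apps = members(entry, "application")
        if entry.findtext("action") != "allow" or not (apps & WEB_APPS or "any" in apps):
            continue
        problems = []
        # A profile group can supply the profiles instead of individual entries.
        if not members(entry, "profile-setting/group"):
            problems += [f"no {p} profile" for p in REQUIRED
                         if not members(entry, f"profile-setting/profiles/{p}")]
        # A missing or "any" source-user means the rule is not bound to an AD group.
        if members(entry, "source-user") <= {"any"}:
            problems.append("not restricted to a User-ID group")
        if problems:
            findings[entry.get("name")] = problems
    return findings
```

Rules that reference a profile group are accepted without looking inside the group, so the group's contents still need a manual check.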