04-16-2014 11:19 AM
I want to use my PA as a proxy for the internet and want to remove my current ISA 2006 proxy server. I was curious what methods others are using and if you have any detailed step by step instruction how to configure this.
08-26-2014 12:30 PM
Greeng,
Our ISA is only used to publish about 10 sites so the migration will not be so bad for us. We are only using it as an inbound proxy to Sharepoint.
Phil
09-09-2014 11:19 AM
HITSSEC
Unfortunately for us, we have 30+.
A bit frustrating that no PA people have chimed in here.
09-09-2014 11:23 AM
greeng, maybe they don't have experience in ISA 2006. I am about to try to start migrating in the next two weeks and it might be a bit difficult.
09-09-2014 02:30 PM
Hi Infosec,
May be you could/should ask an integrator/partner/PAN Pro Services to help you with your migration. Given the question you posted during the past few months I fear you will need a lot of trials and energy to do this alone. Experience makes a big difference for smooth migrations.
09-10-2014 07:49 AM
Yes, I have been working with a PA engineer on the migration, but ISA 2006 is older and not a lot of people have in-depth knowledge of it.
09-10-2014 08:11 AM
I am PANW Professional Services and used to admin ISA 2000 to 2006 and Forefront TMG as well.
Even without that, as long as the customer starts 'explaining' what the intent of his legacy product filtering rules is, I can usually make the PAN device work the same way. It's also true with our partners.
I would like to help you avoid the pitfalls of migration by having someone experienced on PANW at your side. Up to you.
09-10-2014 09:34 AM
Thanks, I would like to avoid the pitfalls of the migration myself; that is why I work with a PA engineer and also like to get different viewpoints on the community boards. I began learning PA last December when we implemented our first and then configured our second, along with managing all other areas of the network.
The intent of my migration from an ISA 2006 firewall is to move off of old technology to better improve overall security. Currently different users are given access or blocked from access to certain web sites via the proxy server based on GPO. The first step we took was to create security policies based on the level of access allowed to a certain type of user. Next step is to enable those policies on the PA and slowly remove those blocked sites from the ISA and assure that the PA is doing all the filtering.
Next will be to change the rules and the GPOs so that the users, at all facilities, no longer go through the ISA but directly to the PA.
09-16-2014 08:32 AM
Currently I have a PA 3020 at my central facility and the ISA 2006 server. At the remote sites I have ASA 5505s, and the users are being sent back to the central facility via an Active Directory GPO and their internet filtered by the ISA server. Is there any way to send them back to the PA instead of the ISA for their filtered internet?
09-17-2014 03:02 AM
The PA is not a proxy, so for it to filter the users you have to have it cross the PA for the internet access.
I assume your ASA connects via a vpn site-to-site tunnel. If this is true you can setup the remote site as a non-split tunnel and send all traffic to the core site with the Palo Alto and they get their internet access from here.
To do this you create a separate routing domain on the ASA with your local LAN users and connect this to the vpn. The default route for this domain is the vpn tunnel. So all traffic from the users comes to the core.
The main routing domain has the vpn gateway interface and connects the actual tunnel endpoints only.
On Cisco routers these are called VRF, but I'm pretty sure they have a different name on the ASA.
09-17-2014 05:52 AM
I know it's not a proxy in the truest of senses, but it can be used to block web sites that are not appropriate or are harmful. We are currently routing traffic from our branches across a VPN tunnel for our service; I would expect we could do the same with bringing them back for the filtered internet.
09-17-2014 06:58 AM
Also, when I was looking at these, the PA engineer told me it was not a proxy but could replace my ISA server.
09-18-2014 04:19 AM
The PA can definitely replace the filtering functions on the ISA.
Your configuration issue is just with the routing domain. From your description, right now you have local internet routing at the ASA site but via the proxy server web browser settings the actual internet path is the ISA server at your PA location. This method is not applicable to the PA web filtering.
You need to change the routing setup on the ASA so that the default route for internet traffic on the user subnet takes the vpn tunnel.
09-24-2014 01:56 PM
I have further checked into the method used to bring our remote sites back to the main site for internet access and web site filtering. The users are being directed back to the proxy server through a GPO that sets Internet Options\Connections\LAN settings\Proxy server to the proxy server. There are no settings on the Cisco firewall; it's only using a GPO. Can this be updated to point to the PA through the GPO instead, by setting the IE Internet Options\Connections\LAN settings\Proxy server to the PA instead of the proxy server?
09-24-2014 02:19 PM
Unfortunately, you cannot use browser proxy settings to direct internet traffic to the PA as you do with the ISA proxy server. I'm sorry my previous attempts to explain the difference are unclear.
The PA web filtering relies on traffic routing to deliver the web browsing traffic to the PA firewall and then from the firewall on to the internet. The inspection takes place by rules applied then to this traffic.
With a remote site that has its own internet access, you need to configure a separate routing domain for the user traffic that has a default route into the VPN tunnel up to your PA site. This is the only way the internet traffic can then come through the PA before browsing.
You will need to change the routing architecture of the remote site to get the traffic up to the Palo Alto for web browsing.
Naturally, you could replace the ASA with a PA200 instead and do the inspection locally.
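As an added illustration (not code from the thread, nor from Palo Alto or Cisco): a small Python model of the two routing domains the answer above describes, using longest-prefix match to show that user traffic takes the tunnel to the PA while only the tunnel endpoints use the local ISP. All addresses, prefixes and interface names are constructed.

```python
import ipaddress

# Constructed model of the remote-site ASA described in the thread.
# The "main" domain carries only the tunnel endpoints and uses the local ISP;
# the "users" domain sends everything into the tunnel, so web traffic reaches
# the PA site and is inspected there before going on to the internet.

def lookup(table, dst):
    """Longest-prefix match: return the next hop for dst, or None."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, nexthop in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nexthop)
    return best[1] if best else None

MAIN_DOMAIN = [
    ("0.0.0.0/0", "local-isp"),     # default route for the tunnel endpoints only
    ("192.0.2.0/24", "outside"),    # constructed ISP link subnet
]

USERS_DOMAIN = [
    ("0.0.0.0/0", "vpn-to-pa"),     # default route into the site-to-site tunnel
    ("10.20.0.0/24", "inside"),     # constructed remote-site user LAN
]

# The design the thread starts from: the user LAN shares the main domain,
# so it reaches the internet locally and the PA never sees the traffic.
FLAT_DOMAIN = MAIN_DOMAIN + [("10.20.0.0/24", "inside")]

def trace(domain, dst, tunnel_peer="203.0.113.1"):
    """Hops a user packet takes toward dst. If the user domain sends it into
    the tunnel, the encapsulated packet is then routed in the main domain
    toward the (constructed) tunnel peer at the PA site."""
    hop = lookup(domain, dst)
    if hop == "vpn-to-pa":
        return [hop, lookup(MAIN_DOMAIN, tunnel_peer)]
    return [hop]

def inspected_by_pa(domain, dst="198.51.100.10"):
    """True only when the user-domain default route leads into the tunnel."""
    return trace(domain, dst)[0] == "vpn-to-pa"

if __name__ == "__main__":
    print("users domain:", trace(USERS_DOMAIN, "198.51.100.10"))
    print("flat domain: ", trace(FLAT_DOMAIN, "198.51.100.10"))
```

The check mirrors the answer's point: a browser proxy setting changes nothing here, only the routing of the user subnet decides whether the PA sees the traffic.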