07-25-2013 03:05 AM
Hi all,
I have a simple question: is it possible to make my PA-3020 work like an explicit proxy?
I configured URL Filtering and I would like to address web requests to the PA-3020 just as if it were a real explicit proxy...
Many thanks in advance.
Rudy
07-25-2013 03:32 AM
PA firewall cannot act as a web proxy. So, just like an explicit proxy the Palo Alto will not be able to cache web pages.
But just like an explicit proxy the PA can act as a DNS proxy.
To be straight, the Palo Alto will not be able to do all that an explicit proxy does.
07-25-2013 04:40 AM
Hi Chatri,
Thank you for this quick answer!
So it means I cannot configure my browser to address web requests to the PA and apply URL filtering on it, right?
BR,
Rudy
07-25-2013 08:17 AM
You need to distinguish carefully between what the PAN will do and what other "Web Proxies" do.
Normally a Web Proxy would also cache pages from the Internet to save on Internet bandwidth. This is not a feature of the PANs.
Reading your question carefully, you should be able to configure the browser to use the PAN as an explicit proxy AND be able to do URL filtering on the PAN. This will permit Internet access and filter by URL, it will NOT cache pages that it receives. Therefore future requests for valid pages will result in those pages being retrieved again from the Internet.
07-25-2013 09:42 AM
Wait a second here... I'm not aware of the ability for the PAs to act as an explicit proxy. What you're saying is that I can take Internet Explorer, go into connection settings and point the browser's proxy settings at my PA device IP with some proxy port (8080 let's just say).
I'm not aware of that being the case... PA can do VWire and be an inline web filtering appliance, and PA can route as a firewall and do web filtering, but I'm not aware of a case where you can explicitly define the PA as a proxy server.
07-26-2013 01:53 AM
Hi agardner,
I'm interested in configuring my browser to use the PAN as an explicit proxy AND be able to do URL filtering on the PAN, but I really don't know how and can't find any documentation about it... (maybe I did not search in the right place...)
Anyway, if it is possible and somebody can give any advice on how to do it I'll try this out and give you a feedback.
Many thanks,
Rudy.
07-26-2013 03:52 AM
Hmm.
On re-investigating it looks like there are configuration elements missing that would let you use the PAN as an explicit proxy. One of the installs I've put in was effectively a transparent proxy in a network with an explicit proxy (different manufacturer) and from the high degree of similarities I assumed it would be possible to swap out an explicit proxy for a PAN. Seems I was wrong :smileyblush:
The PAN certainly understands all of the explicit proxy interactions because it is decoding them fine. PAN is capable of doing DNS lookups, user authentication, NAT and PAT, URL filtering etc., all of the functions of a proxy apart from content caching. There isn't, however, an obvious way to configure it as an explicit proxy, so even if you could bodge it by stringing together some VSYSs, VRs and NAT'ing or similar it probably would be a nightmare to support.
I have the nagging feeling it should be possible, I guess the question to ask would be how would you displace an explicit proxy (e.g. BlueCoat) using a PAN? The options and the logic all seem to be there you just can't quite tie them together.
07-26-2013 07:22 AM
Well in essence the answer for right now is that you cannot replace something like a BlueCoat explicit proxy with a PAN device. You can replace an implicit, inline proxy with PAN using Vwire or having the firewall be a hop on the way to the Internet, but I am not aware of a way to make a PA device accept explicit proxy requests.
I get where you're coming from... PA does act as a DNS server ("DNS proxy" is really "DNS server" honestly... it's not transparent at all, the client has to explicitly be configured with the PA as its DNS proxy for DNS to work), and PA can act as a DHCP server too. I'm just not aware of any explicit proxy functionality, caching or not.
07-26-2013 08:53 AM
In order to replace a Bluecoat with a PA, except for the configuration etc. the steps needed are:
1) Change web browser settings so the web browser won't use a proxy for the traffic.
2) Make sure the clients have a default route so any Internet IP addresses will be routed through your PA device.
3) Install PAN-agent or TS-agent (the latter if a Citrix farm is being used for the browsing) to have logs of which user did what on the Internet.
However if you still wish to use an explicit proxy I would set this up so the flow would become:
Client <-> Proxy <-> PA <-> Internet
and make sure that the Proxy will be able to be transparent towards the PA device. That is, the traffic leaving the proxy will have the clientip as srcip.
Squid, among other proxy solutions, can do this.
07-26-2013 09:48 AM
Another possible solution along with mikand's could be to have the proxy add "X-Forwarded-For" HTTP headers that the PA can interpret, so the PA can do user identification using the client IP. You'd have to get User-ID set up for that to work, either on the PA itself or via the User-ID agent. I believe adding this header is a common feature with web proxies.
I've never done the X-Forwarded-For HTTP header parsing with PA, but it looks neat. These two forum thread links look promising:
I think the PA can even strip out the X-Forwarded-For header as the traffic leaves out to the Internet, so your internal IP space doesn't "leak out" in the HTTP headers.
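An added sketch (not from the thread, and not how PAN-OS implements it) of the two X-Forwarded-For steps discussed in the post above: reading the client IP that the trusted proxy appended, for user mapping, and dropping the header before the request leaves for the Internet. The internal ranges, the sample request and the function names are assumptions constructed for this example.

```python
import ipaddress

# Assumed internal client ranges (constructed for this example).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

def split_request(raw: bytes):
    """Split a raw HTTP/1.x request into request line, header lines, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    return lines[0], lines[1:], body

def is_xff(line: bytes) -> bool:
    return line.partition(b":")[0].strip().lower() == b"x-forwarded-for"

def client_ip_from_xff(header_lines):
    """Return the right-most XFF entry if it is a valid internal address.

    Entries to the left can be supplied by the client itself; only the
    value appended by the single trusted proxy in front of the firewall
    is usable for mapping an IP to a user.
    """
    values = []
    for line in header_lines:
        if is_xff(line):
            value = line.partition(b":")[2].decode("latin-1")
            values.extend(v.strip() for v in value.split(","))
    if not values:
        return None
    try:
        ip = ipaddress.ip_address(values[-1])
    except ValueError:
        return None  # malformed entry: do not map it to any user
    return str(ip) if any(ip in net for net in INTERNAL_NETS) else None

def strip_xff(raw: bytes) -> bytes:
    """Rebuild the request without any X-Forwarded-For header for egress."""
    request_line, headers, body = split_request(raw)
    kept = [h for h in headers if not is_xff(h)]
    return b"\r\n".join([request_line] + kept) + b"\r\n\r\n" + body

# Constructed sample: the first entry stands for a client-supplied value,
# the second is what the trusted proxy appended.
SAMPLE = (b"GET / HTTP/1.1\r\n"
          b"Host: example.com\r\n"
          b"X-Forwarded-For: 203.0.113.9, 10.1.2.34\r\n"
          b"User-Agent: test\r\n\r\n")
```

Removing the header entirely, rather than rewriting its value, leaves nothing malformed for a downstream WAF or IDS to flag.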
07-29-2013 05:53 AM
Well... bogus? It strips the IP off. Considering that I don't think there's even an RFC defined for X-Forwarded-For it's tempting to say that it's not exactly "bogus." Also IDSs are made to be tuned... tuning that one rule out from firing off wouldn't be that big of a deal (here, where I work it wouldn't be a big deal, can't speak for others).
07-30-2013 02:05 PM
Ah! I see. I didn't realize the way that the X-Forwarded-For header was being "mangled" actually broke websites that presumably use a WAF or IDS/IPS and interpret the mangled XFF header as bad traffic.
In that case I completely agree that XFF might not be the best answer. Maybe replacing the XFF inside IP with some bogus IP (or an outside IP address assigned to the PA?) would be a better solution. Hmph.