Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

PAN as an explicit proxy?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PAN as an explicit proxy?

L2 Linker

Hi all,

I have a simple question, is it possible to make my PA-3020 work like an explicit proxy ?

I configured URL Filtering and I would like to adress web requests to the PA-3020 just like if it was a real explicit proxy...

Many thanks in advance.

Rudy

1 accepted solution

Accepted Solutions

Hmm.

On re-investigating it looks like there are configuration elements missing that would let you use the PAN as an explicit proxy.  One of the installs I've put in was effectively a transparent proxy in a network with an explicit proxy (different manufacturer) and from the high degree of similarities I assumed it would be possible to swap out an explicit proxy for a PAN.  Seems I was wrong :smileyblush:

The PAN certainly understands all of the explicit proxy interactions because it is decoding them fine.  Pan is capable of doing DNS lookups, user authentication, NAT and PAT, URL filtering etc., all of the functions of a proxy apart from content caching.  Ther isn't however an obvious way to configure it as an explicit proxy so even if you could bodge it by stringing together some VSYSs, VRs and NAT'ing or similar it probably would be a nightmare to support.

I have the nagging feeling it should be possible, I guess the question to ask would be how would you displace an explicit proxy (e.g. BlueCoat) using a PAN?  The options and the logic all seem to be there you just can't quite tie them together.

View solution in original post

13 REPLIES 13

L3 Networker

PA firewall cannot act as a web proxy. So, like just like an explicit proxy the Palo Alto will not be able to cache web pages.

But just like an explicit proxy the PA can act as a dns proxy.

To be straight, the Palo Alto will not not be able to do all that an explicit Proxy does.

Hi Chatri,

Thank you for this quick answer!

So it means i cannot configure my browser to adress web requests to the PA and apply URL filtering on it, right?

BR,

Rudy

You need to distinguish carefully between what the PAN will do and what other "Web Proxies" do.

Normally a Web Proxy would also cache pages from the Internet to save on Internet bandwidth.  This is not a feature of the PANs.

Reading your question carefully, you should be able to configure the browser to use the PAN as an explicit proxy AND be able to do URL filtering on the PAN.  This will permit Internet access and filter by URL, it will NOT cache pages that it receives.  Therefore future requests for valid pages will result in those pages being retrieved again from the Internet.

Wait a second here... I'm not aware of the ability for the PAs to act as an explicit proxy. What you're saying is that I can take Internet Explorer, go into connection settings and point the browser's proxy settings at my PA device IP with some proxy port (8080 let's just say).

I'm not aware of that being the case... PA can do VWire and be an inline web filtering appliances, and PA can route as a firewall and do web filtering, but I'm not aware of a case where you can explicitly define the PA as a proxy server.

Hi agardner,

I'm interesting on configuring my browser to use the PAN as an explicit proxy AND be able to do URL filtering on the PAN, but I really don't know how and can't find any documentation about it... (maybe I did not search into the right place...)

Anyway, if it is possible and somebody can give any advice on how to do it I'll try this out and give you a feedback.

Many thanks,

Rudy.

Hmm.

On re-investigating it looks like there are configuration elements missing that would let you use the PAN as an explicit proxy.  One of the installs I've put in was effectively a transparent proxy in a network with an explicit proxy (different manufacturer) and from the high degree of similarities I assumed it would be possible to swap out an explicit proxy for a PAN.  Seems I was wrong :smileyblush:

The PAN certainly understands all of the explicit proxy interactions because it is decoding them fine.  Pan is capable of doing DNS lookups, user authentication, NAT and PAT, URL filtering etc., all of the functions of a proxy apart from content caching.  Ther isn't however an obvious way to configure it as an explicit proxy so even if you could bodge it by stringing together some VSYSs, VRs and NAT'ing or similar it probably would be a nightmare to support.

I have the nagging feeling it should be possible, I guess the question to ask would be how would you displace an explicit proxy (e.g. BlueCoat) using a PAN?  The options and the logic all seem to be there you just can't quite tie them together.

Well in essence the answer for right now is that you cannot replace something like a BlueCoat explicit proxy with a PAN device. You can replace an implicit, inline proxy with PAN using Vwire or having the firewall be a hop on the way to the Internet, but I am not aware of a way to make a PA device accept explicit proxy requests.

I get where you're coming from... PA does act as a DNS server ("DNS proxy" is really "DNS server" honestly... it's not transparent at all, the client has to explicitly be configured with the PA as its DNS proxy for DNS to work), and PA can act as a DHCP server too. I'm just not aware of any explicit proxy functionality, caching or not.

In order to replace a Bluecoat with a PA, except for the configuration etc the steps needed are:

1) Change webbrowser settings so the webbrowser wont use a proxy for the traffic.

2) Make sure the clients has default route so any internet ip-addresses will be routed through your PA device.

3) Install PAN-agent or TS-agent (the later if a citrix farm is being used for the browsing) to have logs of which user did what on the Internet.

However if you still wish to use an explicit proxy I would set this up so the flow would become:

Client <-> Proxy <-> PA <-> Internet

and make sure that the Proxy will be able to be transparent towards the PA device. That is the traffic leaving the proxy will have the clientip as srcip.

Squid among other proxysolutions can do this.

Edit: Look at for some more information.

Another possible solution along with mikand's could be to have the proxy add "X-Forwarded-For" HTTP headers that the PA can interpret, so the PA can do user identification using the client IP. You'd have to get User-ID set up for that to work, either on t he PA itself or via the User-ID agent. I believe adding this header is this is a common feature with web proxies.

I've never done the X-Forwarded-For HTTP header parsing with PA, but it looks neat. These two forum thread links look promising:

I think the PA can even strip out the X-Forwarded-For header as the traffic leaves out to the Internet, so your internal IP space doesn't "leak out" in the HTTP headers.

Stripping the x-forwarded-for header seems bogus currently, also not stripping it will lead to informationd disclosure:

Well... bogus? It strips the IP off. Considering that I don't think there's even an RFC defined for X-Forwarded-For it's tempting to say that it's not exactly "bogus." Also IDSs are made to be tuned... tuning that one rule out from firing off wouldn't be that big of a deal (here, where I work it wouldn't be a big deal, can't speak for others).

I was thinking of this

A correct behaviour from PA would be to completely remove that line (including any \r\n) and not as not just "null" the value.

Ah! I see. I didn't realize the way that the X-Forwarded-For header was being "mangled" actually broke websites that presumably use a WAF or IDS/IPS and interpret the mangled XFF header as bad traffic.

In that case I completely agree that XFF might not be the best answer. Maybe replacing the XFF inside IP with some bogus IP (or an outside IP address assigned to the PA?) would be a better solution. Hmph.

  • 1 accepted solution
  • 21717 Views
  • 13 replies
  • 1 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!