PAN as proxy destination?




Does anyone know if I can configure a web browser to use the PAN device as the proxy? We used to have an ISA as that proxy, but after installing the PANs (two 500's in HA) the ISA was moved to a DMZ and only helps with incoming connections to things like webmail and SharePoint.


It really depends on the deployments in my opinion. Caching isn't always the main reason. For example if you want to push web traffic to a different "gateway" for breakout than the computer's actual default route.

Don't confuse a webcache with a webproxy 😉

I'm not that sure that PA can act too much as a proxy due to how the hardware is laid out.

I'm guessing that it's possible, but it would involve the mgmtplane and that would be bad for other reasons (especially it would bring a performance impact).

The reason why Checkpoint can do this is that Checkpoint is a software solution and the performance goes downhill for every feature you enable (that's why Checkpoint's datasheets show performance figures with EVERYTHING DISABLED, compared to PA, who have everything enabled).

To get an idea of what a simple HTTP proxy must be able to handle, here is an example of how to do this with iRules (TCL) on an F5 loadbalancer:

http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/52/aft/85518/showtab/groupforums/D...

# web proxy example
#
# This is a simple, incomplete example web proxy iRule.
# It only supports limited proxy functionality of converting the requested host
#    (from an absolute URI or the Host header) to an IP address and sending the request on.
# It doesn't support CONNECT/HTTPS or most other RFC2616 requirements for a web proxy.
#
when HTTP_REQUEST {

    log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP [HTTP::method] request to [HTTP::host], [HTTP::uri]"

    # Check if the URI is absolute and http://
    if {[string tolower [HTTP::uri]] starts_with "http://"}{

       # Parse the host value from the absolute URI (proxy-style request)
       set host [URI::host [HTTP::uri]]
       log local0. "[IP::client_addr]:[TCP::client_port]: Parsed $host from URI [HTTP::uri]"

    } else {
       # Origin-style request: fall back to the Host header
       set host [HTTP::host]
    }

    # Check if the host value has a port
    if {$host contains ":"}{

       # Scan the host value to split it into host and port
       if {[scan $host {%[^:]:%s} host port] == 2}{

          log local0. "[IP::client_addr]:[TCP::client_port]: Parsed \$host:\$port: $host:$port"

       } else {
          # Host value was "host:" without a port. Use the requested port.
          set port [TCP::local_port]
       }
    } else {

       # Host value didn't have a port. Use the requested port.
       set port [TCP::local_port]
    }
    # Check if the host value isn't an IP address (ie, it contains an alpha character)
    if {[string match {*[a-zA-Z]*} $host]}{

       log local0. "[IP::client_addr]:[TCP::client_port]: Host value not an IP: $host"

       # Perform a DNS lookup of the hostname
       NAME::lookup $host

       # Hold the request until name resolution completes (see NAME_RESOLVED below)
       HTTP::collect

    } elseif {[catch {IP::addr $host mask 255.255.255.255}]==0}{

       log local0. "[IP::client_addr]:[TCP::client_port]: Host is an IP: [HTTP::host]"

       # Request was to a valid IP address, so use that as the destination
       node $host $port

    } else {

       # Couldn't parse host value.  Could use the destination IP address as the destination?
       HTTP::respond 400 content "Invalid Host header"
       log local0. "[IP::client_addr]:[TCP::client_port]: Invalid host header: [HTTP::host]"
    }
}
when NAME_RESOLVED {

    set response [NAME::response]

    log local0. "[IP::client_addr]:[TCP::client_port]: Resolution response: $response (elements: [llength $response])"

    # Check if there is a resolution answer and it's an IP address
    switch [llength $response] {

       0 {
          # No response, or response wasn't an IP address
          log local0. "[IP::client_addr]:[TCP::client_port]: Non-existent/invalid response: $response"
          HTTP::respond 500 content "Couldn't process request"
       }
       default {

          # Response was one or more list entries.  Use the first list element.  Check if it's an IP address.
          if {[catch "IP::addr [lindex $response 0] mask 255.255.255.255"]==0}{

             # Request was to a valid IP address, so use that as the destination
             if {$port != "" and [string is integer $port]}{
                log local0. "[IP::client_addr]:[TCP::client_port]: Using destination with parsed port [lindex $response 0]:$port"
                node [lindex $response 0] $port
             } else {
                # No usable parsed port: fall back to the port the client connected to
                log local0. "[IP::client_addr]:[TCP::client_port]: Using destination with default port [lindex $response 0]:[TCP::local_port]"
                node [lindex $response 0] [TCP::local_port]
             }
          } else {
             # Response wasn't an IP address
             log local0. "[IP::client_addr]:[TCP::client_port]: Non-existent/invalid response: $response"
             HTTP::respond 500 content "Couldn't process request"
          }
       }
    }
    # Release the held request now that a destination has been chosen
    HTTP::release
}

It has been 5 years since this discussion and I was wondering if there had been any changes that may affect what was available then, i.e. can the Palo Alto be a proxy target now?

To prevent the flood of responses telling me that I need a proxy that caches, let me paint the picture. I would like to use the Palo Alto as a backup Internet Access point for the WAN. I do not want to reconfigure all the routers on the WAN to point to the Palo Alto if the primary Internet Access point goes down, but I could easily change a proxy.pac script to point them to an alternate access point, being the firewall. I would rather not use a caching proxy server (e.g. Squid) as it seems to interfere with SSL decrypt and I still want this protection (unless someone can tell me how to overcome the Squid proxy preventing SSL decrypt on the Palo Alto).
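The proxy.pac approach the last poster describes, as an added example that is not part of the thread: browsers evaluate FindProxyForURL and try each entry in the returned list in order, so an ordered list gives automatic failover to the alternate egress without touching any router. The proxy hostnames, the internal domain, and the minimal stand-ins for the PAC helper functions (which a browser supplies itself) are assumptions made here so the script can be exercised outside a browser.

```javascript
// Constructed placeholders: replace with the real primary and alternate egress.
var PRIMARY   = "PROXY proxy-primary.corp.example:8080";
var ALTERNATE = "PROXY proxy-alternate.corp.example:8080";

// Stand-ins for the PAC helpers a browser normally provides, so this file
// can be evaluated under Node for testing. isInNet() here only handles
// literal dotted-quad hosts (a browser would also resolve hostnames).
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function isInNet(host, pattern, mask) {
  var quad = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;
  var h = quad.exec(host);
  if (!h) return false;
  var p = pattern.split(".").map(Number), m = mask.split(".").map(Number);
  for (var i = 0; i < 4; i++) {
    if (Number(h[i + 1]) > 255) return false;
    if ((Number(h[i + 1]) & m[i]) !== (p[i] & m[i])) return false;
  }
  return true;
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Internal names and RFC 1918 space never go through a proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".corp.example") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Ordered failover: the browser moves to the next entry only when the
  // current proxy is unreachable. Appending "; DIRECT" would let traffic
  // leave via the default route when both proxies are down; leave it off
  // if egress must always pass through a proxy.
  return PRIMARY + "; " + ALTERNATE;
}
```

Browsers remember a failed proxy as bad for a while before retrying it, so clients do not fail back to the primary the instant it returns; a PAC change is still needed to force that.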
