Does anyone know if I can configure a web browser to use the PAN device as the proxy? We used to have an ISA as that proxy but after installing the PAN's (two 500's in HA) the ISA waqs moved to a DMZ and only helps with incoming connections to things like webmail and sharepoint.
If you still need a forward-proxy (can be handy for cases where you dont want to have public ip's flowing around in your core and by that be able to setup IDS to sound an alarm if such packet submerges anyway) you should use a device dedicated for this work.
Examples (depending on your needs, demands (assurance and stuff) and walletsize etc):
Most of the forward-proxies can be setup with keep-source meaning that you can still use user/panagent in your PA device (along with url-categories, av, ssl termination etc) if you setup like:
client <-> forward-proxy <-> PA <-> Internet
Im trying to dig into which setting will provide this in squid (if any).
I know for sure that Farist proxyfw can do this but I dunno about squid.
On the other hand the squid can add X-Forwarded-For header which PA can pickup in its logs. However the userid doesnt seem to be compatible with this according to:
Yes, use external of proxy server with PAN is not a good design (at least user-id not working).
However in this discussion, let focus on another feature - PAN work as proxy server.
Check Point is quite smart to add HTTP/HTTPS proxy into the FW. As the FW can log/control by the Client IP/User and URL itself but not only by the X-Forward-For header provided by external proxy.
Any timeline PAN will add this feature in the future?
I’m seeing this style of network layout all over the show. Customers of course have various reasons for using proxies. LAN PC’s/Laptop’s all talk to a proxy for internet access (in most cases it’s ISA). Most of them don’t need the proxy for caching and can do without the caching benefit. It’s the proxy function they’re after.
This becomes a bit of a mission to implement Palo in these cases. There are interesting workarounds like using X-FORWARD-FOR in the HTTP header. But as far as I can tell it doesn’t work with HTTPS. So this means a lot of the great features of Palo become an issue to get working 100% like User-ID.
I agree with linusso, a very basic proxy function implemented on the Palo’s would instantly solve all the issues in environments where a proxy and firewalling/user-id is needed.
Does anybody know if this is on the cards?
Most of them don’t need the proxy for caching and can do without the caching benefit.
I don't agree. I think the main advantage of a http proxy IS caching. It helps conserve (expensive) bandwidth, makes websites "faster" to users ...
In our highly developed contry in the center of Europe (Belgium) bandwidth is extremely pricey (in comparison to our neighbors). For now it's still doable without caching, but with every new bandwidth consuming web application it gets more difficult (or more expensive or slower, whatever you prefer). Cloud computing is in our situation out of the question, just because the cost of required bandwidth would overshadow.
That said: basic caching in PA would be a plus, but we knew it was missing when we bought it...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!