PAN as proxy destination?

L0 Member


Does anyone know if I can configure a web browser to use the PAN device as the proxy? We used to have an ISA as that proxy, but after installing the PANs (two 500s in HA) the ISA was moved to a DMZ and only helps with incoming connections to things like webmail and SharePoint.

L0 Member

PAN devices ARE NOT web proxies and can't be used for that (it belongs to the list of "What a PAN firewall is NOT": it is not a proxy, it is not a WAF, it is not a UTM) :-)

Regards

L1 Bithead

Any roadmap to add this feature? It is a good selling point if end users want to replace their proxy server originally used as a URL filtering device.

Check Point FW can act as a web proxy server in R75.40. (Attachment: check_point_web_proxy.png)

L3 Networker

Hi, using proxies with PAN only masquerades information flows passing through the PAN. We've replaced our Websense system (proxy) and are routing directly to the internet through the PAN. This allows us to see and, more importantly, control all data flows.

Rod

L6 Presenter

I agree...

If you still need a forward proxy (can be handy for cases where you don't want to have public IPs flowing around in your core, and by that be able to set up an IDS to sound an alarm if such a packet shows up anyway) you should use a device dedicated to this work.

Examples (depending on your needs, demands (assurance and stuff) and wallet size etc.):

http://www.squid-cache.org/Support/products.html

http://www.bluecoat.com/

http://www.tutus.se/products/farist-firewall.html

Most forward proxies can be set up with keep-source, meaning that you can still use User-ID/PAN agent on your PA device (along with URL categories, AV, SSL termination etc.) if you set it up like this:

client <-> forward-proxy <-> PA <-> Internet

L4 Transporter

Any hint on how keep-source would have to be implemented in Squid?

Other possibilities:

  • client -- PA -- proxy -- internet
    But that would require tight security on the proxy...
  • PBF to redirect HTTP to the proxy (still have to try that sometime)

L6 Presenter

I'm trying to dig into which setting will provide this in Squid (if any).

I know for sure that the Farist proxy FW can do this, but I dunno about Squid.

On the other hand, Squid can add an X-Forwarded-For header which the PA can pick up in its logs. However, User-ID doesn't seem to be compatible with this according to:

https://live.paloaltonetworks.com/message/1723#1723

https://live.paloaltonetworks.com/docs/DOC-1128

L1 Bithead

Yes, using an external proxy server with PAN is not a good design (at least User-ID is not working).

However, in this discussion let's focus on another feature: PAN working as a proxy server.

Check Point is quite smart to add an HTTP/HTTPS proxy into the FW, as the FW can then log/control by the client IP/user and URL itself, and not only by the X-Forwarded-For header provided by an external proxy.

Any timeline PAN will add this feature in the future?

L3 Networker

I’m seeing this style of network layout all over the show. Customers of course have various reasons for using proxies. LAN PCs/laptops all talk to a proxy for internet access (in most cases it’s ISA). Most of them don’t need the proxy for caching and can do without the caching benefit. It’s the proxy function they’re after.

This becomes a bit of a mission to implement Palo in these cases. There are interesting workarounds like using X-Forwarded-For in the HTTP header, but as far as I can tell it doesn’t work with HTTPS. So this means a lot of the great features of Palo, like User-ID, become an issue to get working 100%.

I agree with linusso, a very basic proxy function implemented on the Palo’s would instantly solve all the issues in environments where a proxy and firewalling/user-id is needed.

Does anybody know if this is on the cards?
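To make the two points above concrete, the topology "client <-> forward-proxy <-> PA <-> Internet" and the X-Forwarded-For workaround with its HTTPS limitation, here is an added example that is not from this thread or from Palo Alto Networks. It models what a firewall (or a log pipeline) sees on the proxy-to-Internet leg: every TCP flow has the proxy as its source, so the only way to attribute it to a user is the X-Forwarded-For header, which exists only in plaintext HTTP requests and must only be trusted when the TCP source is the known proxy. The proxy address, the sample requests and the TLS fragment are all constructed for this example.

```python
import ipaddress
from typing import Optional

# Constructed: the forward proxy sitting between the clients and the firewall.
# X-Forwarded-For is honoured only when the TCP source is this host, because a
# client on the inside could just as well send the header itself.
TRUSTED_PROXIES = {ipaddress.ip_address("10.0.0.5")}


def parse_http_headers(payload: bytes) -> Optional[tuple[str, dict[str, str]]]:
    """Return (request_line, headers) for a plaintext HTTP request, else None."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[2] not in ("HTTP/1.0", "HTTP/1.1"):
        return None
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def original_client(tcp_src: str, payload: bytes) -> dict:
    """
    Decide which address a log entry for this flow should be attributed to.
    Returns {"client": <ip string or None>, "reason": <text>}.
    """
    if ipaddress.ip_address(tcp_src) not in TRUSTED_PROXIES:
        # Direct flow (or a client forging X-Forwarded-For): the TCP source
        # is the client, and any header it sent is ignored.
        return {"client": tcp_src, "reason": "direct flow, TCP source is the client"}

    # A TLS handshake record (content type 0x16, version 0x03xx): the proxy is
    # only relaying encrypted bytes, so there is no HTTP header to read. This is
    # the HTTPS case where the X-Forwarded-For workaround cannot help.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03:
        return {"client": None, "reason": "TLS tunnel via proxy, no X-Forwarded-For visible"}

    parsed = parse_http_headers(payload)
    if parsed is None:
        return {"client": None, "reason": "proxy flow, not a parseable HTTP request"}
    _, headers = parsed

    # Leftmost entry is the originating client; later hops are appended after it.
    first = headers.get("x-forwarded-for", "").split(",")[0].strip()
    try:
        client = str(ipaddress.ip_address(first))
    except ValueError:
        # Missing header, or a placeholder such as "unknown".
        return {"client": None, "reason": "proxy flow without a usable X-Forwarded-For"}
    return {"client": client, "reason": "X-Forwarded-For from trusted proxy"}


# Constructed samples of flows on the proxy -> Internet leg (and one direct flow).
SAMPLES = [
    ("10.0.0.5", b"GET / HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: 192.168.1.23\r\n\r\n"),
    ("10.0.0.5", b"GET / HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: 192.168.1.23, 10.0.0.9\r\n\r\n"),
    ("10.0.0.5", b"\x16\x03\x01\x00\x05\x01\x00\x00\x01\x00"),  # start of a TLS ClientHello
    ("10.0.0.5", b"GET / HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: unknown\r\n\r\n"),
    ("192.168.1.77", b"GET / HTTP/1.1\r\nHost: example.com\r\nX-Forwarded-For: 8.8.8.8\r\n\r\n"),
]

if __name__ == "__main__":
    for src, payload in SAMPLES:
        print(src, "->", original_client(src, payload))
```

The third sample is the case the thread keeps running into: once the proxy tunnels TLS, the firewall has nothing but the proxy's address to log against, so User-ID attribution is lost for HTTPS unless the proxy preserves the client source address on the wire (the "keep-source" setup) or the firewall is placed in front of the proxy instead.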

L4 Transporter

“Most of them don’t need the proxy for caching and can do without the caching benefit.”

I don't agree. I think the main advantage of an HTTP proxy IS caching. It helps conserve (expensive) bandwidth and makes websites "faster" for users...

In our highly developed country in the center of Europe (Belgium) bandwidth is extremely pricey (in comparison to our neighbors). For now it's still doable without caching, but with every new bandwidth-consuming web application it gets more difficult (or more expensive or slower, whatever you prefer). Cloud computing is in our situation out of the question, just because the cost of the required bandwidth would overshadow it.

That said: basic caching in PA would be a plus, but we knew it was missing when we bought it...
