PAN as proxy destination?

cancel
Showing results for 
Search instead for 
Did you mean: 

PAN as proxy destination?

L0 Member

Does anyone know if I can configure a web browser to use the PAN device as the proxy?  We used to have an ISA as that proxy but after installing the PAN's (two 500's in HA) the ISA waqs moved to a DMZ and only helps with incoming connections to things like webmail and sharepoint.

12 REPLIES 12

It really depends on the deployments in my opinion. Caching isn't always the main reason. For example if you want to push web traffic to a different "gateway" for breakout than the computer's actual default route.

Dont confuse a webcache with a webproxy 😉

Im not that sure that PA can act too much of a proxy due to how the hardware is layouted.

Im guessing that its possible but it would involve mgmtplane and that would be bad for other reasons (specially would bring a performance impact).

The reason for why Checkpoint can do this is because Checkpoint is a software solution and the performance goes downhill for every feature you enable (thats why Checkpoints datasheets shows performance figures with EVERYTHING DISABLED - compared to PA who have everything enabled).

To get an idea of what a simple HTTP proxy must be able to handle here is an example on how to do this with iRules (TCL) on a F5 loadbalancer:

http://devcentral.f5.com/Community/GroupDetails/tabid/1082223/asg/52/aft/85518/showtab/groupforums/D...

# web proxy example
#
# This is a simple, incomplete example web proxy iRule.
# It only supports limited proxy functionality of converting the requested host 
#    (from an absolute URI or the Host header) to an IP address and sending the request on.  
# It doesn't support CONNECT/HTTPS or most other RFC2616 requirements for a web proxy.
#
when HTTP_REQUEST {
 
    log local0. "[IP::client_addr]:[TCP::client_port]: New HTTP [HTTP::method] request to [HTTP::host], [HTTP::uri]"
 
    # Check if the URI is absolute and http://
    if {[string tolower [HTTP::uri]] starts_with "http://"}{
 
       # Parse the host value from the URI
       set host [URI::host [HTTP::uri]]
       log local0. "[IP::client_addr]:[TCP::client_port]: Parsed $host from URI [HTTP::uri]"
 
    } else {
       set host [HTTP::host]
    }
 
    # Check if host header has a port
    if {$host contains ":"}{
 
       # Scan the host header to parse the host and port
       if {[scan $host {%[^:]:%s} host port] == 2}{
 
          log local0. "[IP::client_addr]:[TCP::client_port]: Parsed \$host:\$port: $host:$port"
 
       } else {
          # Host value was host: without a port. Use the requested port.
          set port [TCP::local_port]
       }
    } else {
 
       # Host header didn't have a port. Use the requested port.
       set port [TCP::local_port]
    }
    # Check if the host header isn't an IP address (ie, it contains an alpha character)
    if {[string match {*[a-zA-Z]*} $host]}{
 
       log local0. "[IP::client_addr]:[TCP::client_port]: Host value not an IP: $host"
 
       # Perform a DNS lookup of the hostname
       NAME::lookup $host
 
       # Hold the request until name resolution completes
       HTTP::collect
 
    } elseif {[catch {IP::addr $host mask 255.255.255.255}]==0}{
 
       log local0. "[IP::client_addr]:[TCP::client_port]: Host is an IP: [HTTP::host]"
 
       # Request was to a valid IP address, so use that as the destination
       node $host $port
 
    } else {
 
       # Couldn't parse host header.  Could use the destination IP address as the destination?
       HTTP::respond 400 content "Invalid Host header"
       log local0. "[IP::client_addr]:[TCP::client_port]: Invalid host header: [HTTP::host]"
    }
}
when NAME_RESOLVED {
 
    set response [NAME::response]
 
    log local0. "[IP::client_addr]:[TCP::client_port]: Resolution response: $response (elements: [llength $response])"
 
    # Check if there is a resolution answer and it's an IP address
    switch [llength $response] {
 
       0 {
          # No response, or response wasn't an IP address
          log local0. "[IP::client_addr]:[TCP::client_port]: Non-existent/invalid response: $response"
      HTTP::respond 500 content "Couldn't process request"
       }
       default {
 
          # Response was one or more list entries.  Use the first list element.  Check if it's an IP address.
          if {[catch "IP::addr [lindex $response 0] mask 255.255.255.255"]==0}{
 
             # Request was to a valid IP address, so use that as the destination
             if {$port != "" and [string is integer $port]}{
                log local0. "[IP::client_addr]:[TCP::client_port]: Using destination with parsed port [lindex $response 0]:$port"
                node [lindex $response 0] $port
             } else {
                log local0. "[IP::client_addr]:[TCP::client_port]: Using destination with default port $response:[TCP::local_port]"
                node [lindex $response 0] $::default_port
             }
          } else {
             # No response, or response wasn't an IP address
             log local0. "[IP::client_addr]:[TCP::client_port]: Non-existent/invalid response: $response"
         HTTP::respond 500 content "Couldn't process request"
          }
       }
    }
    # Release the request
    HTTP::release
}

It has been 5 years since this discussion and I was wondering if there had been any changes that may effect what was available then: i.e. can the Palo Alto be a proxy target now.  

To prevent the flood of responses telling me that I need a proxy that caches let me paint the picture. I would like to use the Palo Alto as a backup Internet Access point for the WAN. I do not want  to reconfigure all the routers on the WAN to point o the Palo Alto if the primary Internet Access point goes down but I could easily change a proxy.pac script to point them to an alternate access point being the firewall. I would rather not use a cacheing proxy server (eg Squid) as it seems to interfere with SSL decrypt and I still want this protection. (unless someone can tell me how to overcome the squid proxy preventing SSL decrypt on the Palo Alto).

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!