PAN-OS 11.0 Explicit proxy with no authentication

L1 Bithead

 

Hello,

Is it possible to use the explicit proxy feature in PAN-OS 11.0 with no authentication and allow access for all users?

The documentation is very limited in this area and describes SAML or Kerberos authentication only.

 

Thanks

Lumir

7 REPLIES

Cyber Elite

@itsnoc,

You need to specify an authentication service type and have an assigned authentication profile to have a valid configuration. If you don't want to set that up you'd have to utilize a transparent proxy instead of an explicit proxy. 

L6 Presenter

A better question is why you want an explicit/transparent proxy at all, @itsnoc. Even before 11.0, Palo Alto can act as an SSL forward proxy, as mentioned in https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-concepts/ssl-forwar... and if you do not configure an authentication policy and portal redirection, it will decrypt and inspect the traffic without authentication. You can use policy-based routing (PBR) from a router or switch to send the web traffic to the firewall if it is not in the path of the traffic, as this is usually why an explicit proxy is configured when the firewall is not between the users and the Internet. Palo Alto also has a DNS proxy mode if you want it to be the DNS point for the users: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFcCAK

Outside of that, Kerberos authentication for users that are in AD is seamless and does not affect the users, so it is another option: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/dns/configure-a-web-proxy/conf...

Also, SAML, for example to Azure AD, can utilize SSL client certificates, which again makes the authentication experience seamless:

https://learn.microsoft.com/en-us/azure/active-directory/authentication/concept-certificate-based-au...

Also, if you have a proxy in front of the Palo Alto that authenticates the users, then the explicit proxy can use the XAU header to authenticate automatically.
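As an added example that is not part of this thread and not Palo Alto Networks code, the probe below sends one plain GET through an explicit proxy and reports whether the proxy answers with 407 Proxy Authentication Required and which schemes it advertises in Proxy-Authenticate (Kerberos via SPNEGO shows up as "Negotiate"). It can also add an X-Authenticated-User header, which this example assumes is what the reply above calls the "XAU" header, the way an upstream proxy that has already authenticated the user would. The proxy host and port, the target URL and the two sample replies are constructed placeholders, not captured PAN-OS output.

```python
# Added example (not from the thread or from Palo Alto Networks): probe an
# explicit web proxy to learn whether it demands authentication and which
# scheme it advertises, optionally sending an X-Authenticated-User header
# (assumed here to be the "XAU" header) as an upstream proxy would.
import socket
from typing import Optional
from urllib.parse import urlsplit


def build_proxy_request(url: str, xau_user: Optional[str] = None) -> bytes:
    """Build an absolute-URI GET as a client sends it to an explicit proxy."""
    host = urlsplit(url).netloc
    lines = [
        f"GET {url} HTTP/1.1",
        f"Host: {host}",
        "User-Agent: proxy-probe/0.1",
        "Connection: close",
    ]
    if xau_user is not None:
        # Hypothetical header the proxy only honours from a trusted upstream proxy.
        lines.append(f"X-Authenticated-User: {xau_user}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_proxy_response(raw: bytes) -> dict:
    """Parse the status line and Proxy-Authenticate headers of a proxy reply."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    status = int(parts[1])
    headers: dict = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    # Each Proxy-Authenticate value begins with the scheme name (RFC 9110).
    schemes = [v.split(" ", 1)[0] for v in headers.get("proxy-authenticate", [])]
    return {"status": status, "auth_required": status == 407, "schemes": schemes}


def probe_proxy(proxy_host: str, proxy_port: int, url: str = "http://example.com/",
                xau_user: Optional[str] = None, timeout: float = 5.0) -> dict:
    """Send one request through the proxy and classify the first reply."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_proxy_request(url, xau_user))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return parse_proxy_response(buf)


# Constructed sample replies (not captured from a real PAN-OS proxy).
SAMPLE_407 = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: Negotiate\r\n"
    b"Proxy-Authenticate: Basic realm=\"proxy\"\r\n"
    b"Content-Length: 0\r\n\r\n"
)
SAMPLE_200 = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_407, SAMPLE_200):
        print(parse_proxy_response(sample))
    # Live use (placeholder address): probe_proxy("proxy.example.internal", 8080, xau_user="lumir")
```

A 407 carrying "Negotiate" means the proxy expects Kerberos (or NTLM) before it forwards anything; a 200 on the first request means the proxy forwarded it with no authentication at all, which is the behaviour the original question asks for. If the firewall is configured to accept X-Authenticated-User from an upstream proxy, run the probe from a host other than that proxy as well: the header should be ignored or rejected there, otherwise any client can pick its own identity.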

 

L1 Bithead

@OtakarKlier, @BPry

thanks for your comments. The documentation is very limited, same as the proxy functionality. Also, it does not function without issues: the SSL handshake is sometimes broken and clients have to reload the web page in their browsers.

 

Thanks

Lumir

Hi @nikoolayy1

thanks for your summary. The main goal of using an explicit proxy is to avoid a default route and other hacks in the network. I built a solution using the FortiGate explicit proxy, which can keep the original source IP and route traffic over the PA box, which then recognizes the source user based on User-ID mapping.

Kerberos authentication works fine for desktop OSes (Windows, macOS) but does not work for Apple iOS devices, even with the Apple extension delivered by MDM.

Best regards

Lumir

Good point @nikoolayy1, works as expected. Thanks for your comment.

Lumir
