07-12-2023 06:17 AM
Hello,
may it be possible to use explicit proxy feature in PAN-OS 11.0 with no authentication and allow access for all users?
The documentation is very limited in this area and describes SAML or Kerberos authentication only.
Thanks
Lumir
07-12-2023 02:30 PM
Hello,
Here are a few articles that may help out.
Regards,
07-13-2023 06:34 AM
You need to specify an authentication service type and have an assigned authentication profile to have a valid configuration. If you don't want to set that up you'd have to utilize a transparent proxy instead of an explicit proxy.
07-21-2023 12:11 AM - edited 07-21-2023 12:18 AM
Better question is why you want explicit/transparent proxy at all @itsnoc ? Even before 11.0 Palo Alto can be an SSL forward proxy as mentioned in https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/decryption/decryption-concepts/ssl-forwar... and if you do not configure authentication policy and portal redirection, it will decrypt the traffic and inspect it without authentication. You can use Policy Based Routing (PBR) from a router and switch to send the web traffic to the Firewall if it is not in the path of the traffic, as usually this is why explicit proxy is configured when it is not between the users and Internet. Palo Alto also has DNS Proxy mode if you want it to be your DNS point for the users https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFcCAK
Outside of that the Kerberos authentication for users that are in the AD is seamless without affecting the users so it is another option https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/dns/configure-a-web-proxy/conf...
Also SAML, maybe to Azure AD, can utilize SSL Client cert and this will again make the authentication experience seamless:
Also if you have proxy before the Palo Alto that authenticates the users then the Explicit proxy can use the XAU header to auto authenticate.
07-24-2023 06:28 AM
thanks for your comments, the documentation is very limited, same as the proxy functionality. Also it does not function without issues - SSL handshake is sometimes broken and clients have to reload the web page in their browsers.
Thanks
Lumir
07-24-2023 08:04 AM
Hi @nikoolayy1
thanks for your summary, the main goal of using explicit proxy is to avoid default route and other hacks in the network. I built a solution using the Fortigate explicit proxy which can keep the original source IP, route traffic over the PA box which then recognizes the source user based on User-ID mapping.
Kerberos authentication works fine for desktop OS (Win, Mac) but does not work for Apple iOS devices - even with the Apple extension delivered by MDM.
Best regards
Lumir
01-08-2024 02:42 PM
Now there seems to be bypass support in 11.1 @itsnoc https://docs.paloaltonetworks.com/pan-os/11-1/pan-os-networking-admin/dns/configure-a-web-proxy/conf...
01-09-2024 09:49 PM
Good point @nikoolayy1 - works as expected. Thanks for your comment
Lumir