- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
11-04-2015 08:03 AM
Hello All, Was just wondering if anyone may be able to help with this our question.
Please see the attached High Level Diagram. Both Firewalls are PA 3020's with the full licence set enabled. We need to replace the ISA server which is not providing any other functions than forwarding the traffic down one of the 3 paths in the diagram, unfortunately we need to maintain this capability owing to some historic complexities with certain applications in our infrastructure not working through our proxy or via the cloud proxy or vice versa.
I know the PA can do Policy based forwarding which would suffice for the passage of traffic either via the Local Proxy or directly out via the ISP router. Everything I have read would suggest that the PBF is more of a routing level thing which requires an interface in the same subnet within the PA.
Obviously this is not possible for the cloud hosted proxy, if we were to set the egress interface and just put the next hop address as the cloud proxy would that function. My inclination is that the next hop needs to be exactly that but just looking for confirmation before I buy another solution. Thanks in Advance
11-04-2015 04:07 PM
So the PAN interface doesnt need to be on the same vlan segment, it should just need to have the traffic routed to it. The PBF then should be setup by source and then flow out a destination interface on the PAN. The interface shouldnt need to be on the same segment as long as the way the packets flow out they get sent towards their intended destination.
I dont think I did a good job explaining this. Here is the link to a PBF doc that does a good job explaing it.
https://live.paloaltonetworks.com/t5/Documentation-Articles/Policy-Based-Forwarding/ta-p/54408
11-04-2015 11:41 PM
Hi Otakar,
Thanks for the reply, i think i may not have explained this fully, we are trying to replace the ISA server whihc at the moment based on policy directs the traffic to the cloud proxy by ammending the packet header and its this function i am wondering whether the PA can reproduce to allow us to remove the ISA.
11-05-2015 10:33 AM
Hello,
I think the answer here is it depends on what the ISA server is currently doing to detect/authorize traffic. The PAN can do somethings but not everything. It would be helpful if you could explain, without give us the keys to the kingdom, what actions/inspections the ISA server is currently performing. I think based on that we could determine if the PAN can replace the ISA.
Regards,
11-10-2015 12:57 PM - edited 11-10-2015 12:58 PM
Hi WesNeary...Are your users explicitly proxied (browser set to use proxy server) to the ISA server, and the ISA server is using proxy chaining to connect the cloud service? In other words, the ISA server is configured to use an upstream proxy server = cloud service.
11-12-2015 01:58 AM
Hi Rmonvon
You are correct clients have the ISA set as there browser proxy this then based on its rulesets forwards the traffic to either our onsite proxy, the upstream proxy or directly to the internet.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!