04-26-2011 07:22 AM
We use NTLM (CP) to authenticate our users against the PA.
We want any http traffic forwarded to a proxy. The proxy would have http access to the internet through the PA. I was thinking of using a policy based forwarding rule to forward service-http to the proxy. Similar to how e.g. a Cisco router can intercept http traffic and forward it to a proxy using the WCCP protocol (or any other implementation of the same).
This way all authentication and traffic logging stays on the PA, easier to monitor...
But will it work? In which order are rulesets processed? For it to work, it would have to process the CP NTLM authentication rule before the PBF rule. Is that the case? If not, can I set a processing order for rulesets?
05-06-2011 11:14 AM
I am attaching a slide from our documentation literature. If this fails to answer your question you probably need to open a case with Support.
You can use these commands to see which policy is processing traffic.
show session all filter source <ip_addr>
show session id xxxxx
xxxxx = the ID number shown by the first command.
Steve Krall
04-03-2012 04:15 AM
Picking up an old thread... haven't had the chance to try or implement yet.
Seems like your attachment went missing. Can you get it back for me, please?
04-05-2012 11:30 AM
Your CP authentication should take place first.
Policy Based Forwarding takes precedence over whatever is in your routing.
If you'd like to forward all your https/http traffic over to a proxy outside of the PAN FW, then you should be able to enable UserID (via CP) and then route to the Proxy Server via the PBF.
https://live.paloaltonetworks.com/docs/DOC-1628
Hope this helps.
04-05-2012 11:32 PM
Thank you, exactly the answer and document I was looking for.