Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

policy based forwarding to proxy

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

policy based forwarding to proxy

L4 Transporter

We use ntlm (CP) to authenticate our users against the PA.

We want any http traffic forwarded to a proxy. The proxy would have http access to the internet through the PA. I was thinking of using a policy based forwarding rule to forward service-http to the proxy. Similar to how e.g. a Cisco router can intercept http traffic and forward it to a proxy using the WCCP protocol (or any other implementation of the same).

This way all authentication and traffic logging stays on the PA, easier to monitor...

But will it work ? In which order are rulesets processed ? For it to work, it would have to process the CP ntlm authentication rule before the PBF rule. Is that the case ? If not, can I set a processing order for rulesets ?

1 accepted solution

Accepted Solutions

Your CP authentication should take place first

Policy Based forwarding takes precedence over whatever is in your routing

If you'd like to foward all your https/ http traffic over to a proxy outside of the PAN FW, then you should be able to enable UserID (via CP) and then route to the Proxy Server via the PBF

https://live.paloaltonetworks.com/docs/DOC-1628


Hope this helps.

View solution in original post

4 REPLIES 4

L4 Transporter

I am attaching a slide from our documentation literature. If this fails to answer your question you probably need to open a case with Support.

You can use these commands to see which policy is processing traffic.

show session all filter source <ip_addr>

show session id xxxxx

xxxxx = the ID number shown by the first command.

Steve Krall

Picking up an old thread... have'nt had the chance to try or implement yet.

Seems like your attachment went missing. Can you get it back for me, please ?

Your CP authentication should take place first

Policy Based forwarding takes precedence over whatever is in your routing

If you'd like to foward all your https/ http traffic over to a proxy outside of the PAN FW, then you should be able to enable UserID (via CP) and then route to the Proxy Server via the PBF

https://live.paloaltonetworks.com/docs/DOC-1628


Hope this helps.

Thank you, exactly the answer and document I was looking for.

  • 1 accepted solution
  • 6182 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!