Reverse Proxy

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Reverse Proxy

L2 Linker

Can the PaloAlto do reverse proxy like ISA can?

If I have an internal web server hosting multiple sites how do I publish that through the PaloAlto?

7 REPLIES 7

L4 Transporter

As far as I know PAN is not a reverse proxy in terms of a WebApp Firewall. Although it can break up inbound SSL traffic in order to analyze traffic destined for internal webservers.  Roland

L3 Networker

I think you could probably rig it up with URL filters and application policies to achieve the same thing ISA does today. But for a basic web server I can't imagine you would need more than a basic NAT policy terminating on the untrust side and a basic security policy to allow web-browsing / ssl to your web server.

Not applicable

@bwilliams2,

I am wondering the same thing.  If you come across any articles on configurating PA as a reverse proxy please post them to this thread.   I have not seen a config option that would allow inbound URL's to be passed to internal destinations based on the inbound URL request.

i.e.

Internet request to www.website1.com --> Palo Alto --> Web Server 1 - 10.0.0.1

Internet request to www.website2.com --> Palo Alto --> Web Server 2 - 10.0.0.2

Internet request to www.website3.com --> Palo Alto --> Web Server 3 - 10.0.0.3

Thanks,
Jeff

Not applicable

I'm interested in this, as well.  We'll have to keep our Cisco ASA online just for its reverse proxy functionality. (WebVPN)

Hi,

ISA not only does a reverse proxy but much more. The "publishing" concept is more complex than a simple NAT. ISA interacts in authentication process, single sing-on, kerberos delegation, AD integration, publishing certificates, etc.

PAN is a firewall ISA is a firewall + publisher for MS infrasctructure.

Regards

L2 Linker

Per my sales engineer.

" I recall your ISA is doing reverse proxy for one public IP pointing to multiple private IPs.  We do not support this configuration."

So in short answer. No.

Thanks for all the responses.

L0 Member

I'm also interested in finding a similar reverse proxy solution.  I want to have a single external IP translated to multiple internal IPs based upon URL.  Thus I want an external clients to reach my different internal webservers, based by the dns name they are browsing to; with all webservers FQDNs resolving to the same IP address.


r,
Jonathan Runyan

DARPA ACO TA-3 Information System Security Officer (ISSO)
Jonathan.L.Runyan.ctr@us.navy.mil (NIPR)
Jon.Runyan.ctr@spawar.navy.smil.mil (SIPR)
Jrunyan@spawar.navy.ic.gov (JWICS)
Jonathan.L.Runyan@Ausgar.com
858-952-4237 (cell)

619-553-6473 (Lab154C SAPF, Seaside Bldg 600, rm154C)

-------------------------------------------
CISSP | Security+ | ITIL-V3 | CSWF IAT-2
  • 6851 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!