01-17-2014 05:54 AM
I'm just in the process of configuring a PA-500 on PAN OS 5.0.10 at our DR site so that it sits on the internet connection at that office. It currently has three interfaces: outside, inside and DMZ. I've managed to configure things such as NAT so that I can browse the internet from that branch to test internet connectivity and NAT etc. To do this I had to set the DG of a test device to the LAN IP of the PA-500. However, I am struggling to find out how I can get other branches to test this connection because they live on different subnets. I was thinking there might be a way to configure the LAN connection of the firewall to act as a "web-proxy" so that I could configure the IE/browser settings of machines to the IP of the LAN interface? These clients by default have their proxy settings configured to use our Microsoft TMG server at the head office.
Thanks in advance
01-17-2014 07:12 AM
With the way things are configured right now on your branch networks, how do they route traffic to the Microsoft TMG server at the head office? Do they go through VPN tunnels or there's some sort of MPLS/Private circuit that does the routing?
The reason for asking is: even though the current browser settings have the Windows server as the proxy, there's an underlying transport for those browsing sessions to get to the head office.
Would you be able to leverage that router or VPN transport to connect your branches to the PA-500's LAN interface?
I do not know of an explicit configuration to make an interface on the firewall a web-proxy, but we could configure NAT statements to translate tcp/8080, for instance, to tcp/80 on the firewall's interface.
The traffic will still need to be routed to the PAN before the NAT would take any effect, however.
Hope this helps.
01-17-2014 07:21 AM
Thanks for your reply. The other branch offices have their IE proxy settings configured using a WPAD DNS/DHCP setting, so it populates them with the TMG server name. They are all connected to head office via an MPLS "cloud", so when they hit the default gateway (which is the LAN interface of their local router) it knows how to get back to head office because there is a route for it. There should not be an issue with getting the traffic to the PA-500 as there will be routes configured by our WAN provider, and we can configure the proxy settings manually. I will look into your suggestion to configure NAT for tcp/8080 to tcp/80; I am new to Palo Alto so it's a bit of a learning process for me!
01-17-2014 07:41 AM
Let me make a quick clarification. Though the tcp/8080 traffic is NAT'd to tcp/80 on the firewall, it would be considered as traffic destined for the firewall itself, not a proxy-session.
Again, the PAN firewall is not a web proxy, so sending traffic to the firewall to proxy web browsing will just be black-holed. (Sorry I didn't make this clear at first when I talked about NAT).
Since you can route traffic from the branches to the Palo using the MPLS circuit, why don't you just make the PA-500's LAN interface the default gw or next-hop for the branch networks?
You should be able to achieve this with some kind of Policy Based Routing, where the traffic is still destined for your Windows TMG server (for proxy) but it is routed through the PA-500 for filtering or firewalling.
Let me know if this would achieve your purpose.
01-17-2014 08:05 AM
Apologies, I perhaps should have included a bit more detail around our infrastructure. Our head office has a TMG proxy which sits in front of a Cisco ASA. At our DR site we simply have the PA-500 device. All these networks live on different subnets, and connectivity between them is achieved because our WAN provider has configured the routes for them. If I understand you correctly, what we could perhaps do is configure a default route on the WAN provider's routers whereby, under normal circumstances, traffic not destined to any of the known subnets of our internal network is sent to head office and on to the internet link, and then a secondary route which would send it to the LAN interface of the PA-500, which would only be used in the event of an outage of the primary link?
01-17-2014 05:03 PM
Thanks for providing clarity of your purpose, and yes, what you've described sounds like it would be a good deployment.
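The failover design agreed on in this thread (primary default route to head office, secondary default route to the PA-500's LAN interface, plus the firewall-side pieces the branches need), written out as an added configuration example. This is not from the original thread, from the WAN provider, or from Palo Alto Networks documentation, and everything in it is an assumption made for illustration: the branch CE router is taken to speak Cisco IOS (the thread never names the provider's router platform), the head-office next hop is 10.1.0.1, the PA-500's inside interface is ethernet1/2 at 10.2.0.1 on the DR LAN with the DR-site WAN router at 10.2.0.2, its outside interface is ethernet1/1, the branch subnets are summarised as 10.20.0.0/16, the zones are named inside/outside, and 192.0.2.1 stands in for a reliable public address to probe.

```text
! ===== Branch CE router (Cisco IOS syntax assumed) =====
! Probe a public host through the head-office path only. The /32 host
! route pins the probe to the primary next hop, so once the default
! route fails over the probe keeps failing until head office really
! recovers, instead of succeeding via the DR path and flapping back.
ip sla 10
 icmp-echo 192.0.2.1
 frequency 10
ip sla schedule 10 life forever start-time now
track 10 ip sla 10 reachability
ip route 192.0.2.1 255.255.255.255 10.1.0.1

! Primary default route: head office (TMG + ASA). Removed from the
! routing table while track 10 reports down.
ip route 0.0.0.0 0.0.0.0 10.1.0.1 track 10

! Floating static: same prefix, administrative distance 250, so it is
! only installed when the primary is withdrawn. Next hop is the PA-500
! inside interface reached across the MPLS cloud.
ip route 0.0.0.0 0.0.0.0 10.2.0.1 250

# ===== PA-500 (PAN-OS 5.0 configure-mode set commands, names assumed) =====
# Return route for the branch summary via the DR-site WAN router, so
# replies to branch clients go back out the inside interface instead of
# following the firewall's own default route to the internet.
set network virtual-router default routing-table ip static-route branch-nets destination 10.20.0.0/16 nexthop ip-address 10.2.0.2 interface ethernet1/2

# Source NAT: hide the branch subnets behind the outside interface address.
set rulebase nat rules branch-outbound from inside to outside source 10.20.0.0/16 destination any service any source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# Security policy: branches may browse (web-browsing/ssl on their default
# ports) and nothing else; the implicit interzone deny covers the rest.
set rulebase security rules branch-web from inside to outside source 10.20.0.0/16 destination any application [ web-browsing ssl ] service application-default action allow log-end yes

commit
```

Two things to check after applying something like this. On the router, `show ip route 0.0.0.0` should show the 10.1.0.1 path normally and the 10.2.0.1 path only while the track is down. On the firewall, a branch test client's sessions should appear with the branch source address on the inside zone and the outside interface address after NAT. Note also that this only carries traffic for clients that are sending it to their default gateway: as the thread says, the branch browsers are pointed at the head-office TMG by WPAD, so during a head-office outage they will keep trying to reach the proxy unless their proxy setting is changed manually (or set to direct), which is the manual step the original poster already mentioned.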