Security Policies Not Applied When Client Uses Web Proxy on Their Browser


L2 Linker
Dear all,

I am currently learning the Palo Alto Firewall using the Palo Alto VM. I've configured some security policies, for example, file blocking that forbids clients from uploading a PDF file (including to those websites which use SSL). All of the policies are working as expected. Then, I tried to set the client web browser to use a web proxy (Squid) located in front of the firewall. The diagram is as follows.

Trusted PC => Firewall => Squid Web Proxy => Modem => Internet

By using the web proxy, the client can simply bypass the security policies. Is there anything I need to set so that the Firewall can inspect the packets sent through the web proxy?

Thank you.

Sincerely,
Bagus Hanindhito

L2 Linker

Hi @hibagus,

Do these rules involve user identification as well, or are they simply based on source and destination IPs?

What is the application being identified in the rules which are working and non-working?

Hi @hpunjabi,

Here is the simplified topology of my network.

(Image: Drawing1.jpg, network topology diagram)

There are two zones, the Untrust Zone and the Trust Zone. I configure all of the security policies with Source=Trust Zone and Destination=Untrust Zone. Here are two of my security rules as an example.

* Users can access Facebook but cannot use chat or comment on or like posts.

* Users cannot upload PDF files.

All of the rules are working perfectly if the User (Trust PC) accesses the web directly. But if I configure the browser in the Trust PC to access the web via the Squid Web Proxy Cache, the security rules seem not to have any effect (i.e. the User can still upload PDF files or use Facebook chat).

Thank you.

OK, so is Squid traffic hitting the same policy as direct traffic?

Also, can you try to configure a policy for the website below and see if it works in both scenarios? If it works, then decryption might be one of the reasons for it not working.

http://www.tinyupload.com/

You are right, I cannot upload a PDF to the non-SSL website, either by connecting directly to the internet or by connecting via the Squid Proxy.

If the site uses SSL and I connect through the Squid Proxy, then the rules are not applied (i.e. I can still upload a PDF file).

I use SSL Forward Proxy in the decryption. Is there anything I need to configure?

Thank you.

For decryption, you might need to look at your decryption policies first: see if the Squid proxy (IP or port) is mentioned in decryption and check whether it is working fine.

One simple way to check if decryption is working or not is to check the certificate in your browser when working through Squid: are you getting the certificate from the firewall or from the server directly?

Also, in the logs, if you open the log details and look in the flags section, check if you are able to see the decrypt flag.

The article below can help you troubleshoot decryption if it is not working:

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Implement-and-Test-SSL-Decryption...

Hi @hpunjabi,

Sorry for the late response.

I have checked that by using SSL Forward Proxy, all of the clients get the certificate from the firewall. I also enabled the SSL decryption opt-out page to make sure whether the SSL decryption works or not. Fortunately, yes, it is working and the opt-out page is displayed on the client browser.

But the policies (e.g. file blocking, application blocking) are still not applied when the users browse through the Squid proxy. If the users browse directly (without the web proxy), the policies are applied. I have no idea why.

Any ideas?

Thank you.

Hi @hibagus,

Can you check which rule it is hitting while you are accessing through the Squid proxy? Is it the same rule created for the Squid proxy or a different one?

If the rule being hit is different, then one thing I can think of now is that you have 'application-default' enabled under the service section in the Squid policy; change that to 'any' and check if it is working after that.

Dear @hpunjabi,

I did what you suggested and it did not work as expected.

I think it looks like there is a difference between the "direct access" request and the "through proxy" request.

I've read the article below:

https://blog.webernetz.net/at-a-glance-http-proxy-packets-vs-normal-http-packets/

I suspect that the application traffic from the proxy does not match the default application signature defined in the Palo Alto Firewall, and thus it lets them through. I think I need to define a new application in the Palo Alto Firewall with a new "proxy" signature to help the Firewall identify it.

Do you know how to copy and modify the applications that are already defined in the Palo Alto Firewall? It seems that I cannot clone one and modify the signature.

Thank you.

Sincerely,

Bagus Hanindhito
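The difference the linked article describes, and that this post suspects is the cause, is visible in the first line of each HTTP request: a browser talking directly to a server sends an origin-form target (`POST /upload`), a browser talking to an explicit proxy sends an absolute-form target (`POST http://host/upload`), and for an HTTPS site it first sends `CONNECT host:443` and then tunnels TLS through the proxy. The following is an added example, not code from the thread or from Palo Alto Networks: a small parser that classifies constructed sample requests by their form, plus a deliberately naive matcher that stands in for a signature written only against direct browser traffic, to show which request shapes such a matcher would fail to recognise. The sample requests, hostnames and the matcher's rule are all constructed for illustration; the matcher is not how PAN-OS App-ID works.

```python
"""Classify HTTP request lines as they appear on the wire and show why a
client configured to use an explicit web proxy produces requests that look
different from direct ones. All sample requests are constructed examples."""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class RequestShape:
    method: str
    form: str                 # "origin", "absolute", "authority" or "unknown"
    host: Optional[str]       # host an inline device could match on, if visible
    path: Optional[str]       # URL path, if visible
    payload_visible: bool     # True if the HTTP body is in clear text on this hop


def _parse_headers(lines):
    headers = {}
    for line in lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def classify_request(raw: bytes) -> RequestShape:
    """Return the request form as defined by the HTTP request-target grammar."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = _parse_headers(lines[1:])

    if method == "CONNECT":
        # authority-form: only host:port is visible; once the tunnel is up the
        # client speaks TLS to the origin server through the proxy
        host = target.rsplit(":", 1)[0]
        return RequestShape(method, "authority", host, None, False)

    if target.startswith("/"):
        # origin-form: what a browser sends when it connects to the server itself
        return RequestShape(method, "origin", headers.get("host"), target, True)

    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        # absolute-form: what a browser sends to an explicit HTTP proxy
        return RequestShape(method, "absolute", parts.hostname, parts.path or "/", True)

    return RequestShape(method, "unknown", None, None, False)


def origin_form_only_matches(raw: bytes) -> bool:
    """Toy matcher (constructed for this example, not PAN-OS App-ID) standing
    in for a rule written against direct browser traffic: it requires an
    origin-form target plus a Host header, so absolute-form and CONNECT
    requests fall through unmatched."""
    shape = classify_request(raw)
    return shape.form == "origin" and shape.host is not None


# Constructed sample requests for one hypothetical PDF upload.
DIRECT = (b"POST /upload HTTP/1.1\r\n"
          b"Host: files.example.com\r\n"
          b"Content-Type: application/pdf\r\n"
          b"Content-Length: 4\r\n\r\n%PDF")

VIA_PROXY = (b"POST http://files.example.com/upload HTTP/1.1\r\n"
             b"Host: files.example.com\r\n"
             b"Proxy-Connection: keep-alive\r\n"
             b"Content-Type: application/pdf\r\n"
             b"Content-Length: 4\r\n\r\n%PDF")

CONNECT_TUNNEL = (b"CONNECT files.example.com:443 HTTP/1.1\r\n"
                  b"Host: files.example.com:443\r\n\r\n")


def summarize(samples=None):
    """Map a label to (form, matched-by-naive-rule) for each sample request."""
    samples = samples or {"direct": DIRECT, "via_proxy": VIA_PROXY,
                          "connect": CONNECT_TUNNEL}
    return {label: (classify_request(raw).form, origin_form_only_matches(raw))
            for label, raw in samples.items()}


if __name__ == "__main__":
    for label, (form, matched) in summarize().items():
        print(f"{label:10s} form={form:10s} naive_rule_matched={matched}")
```

Running the block prints one line per sample: the direct request is origin-form and matches the naive rule, the proxied request is absolute-form and does not, and the CONNECT request is authority-form with no visible payload at all. That last case is why, for an HTTPS site behind an explicit proxy, the firewall has to decrypt the tunnelled TLS session before any file-blocking rule can see the PDF; the first two cases show why a rule keyed to direct-request shape can miss proxied plaintext traffic even without TLS.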

 

Hi Bagus,

You won't be able to clone an http-proxy application; you will have to define a custom application:

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/app-id/use-application-objects-in-po...

I am pretty sure it is something to tweak in your security/decryption policies. Try correlating logs when accessing directly and when going through the Squid proxy, and check if Facebook chat and other applications are getting identified.

If you can paste the decryption policy and security policy for Facebook, then we can take a look.

L1 Bithead

It really is highly unusual to have your proxy outside your firewall. Why isn't your proxy in the Trust zone? If it were inside, the PA would see it as just another client and your policies would work as you expect.

 

Connections via proxies are not quite the same as those that go direct, so I suspect that your firewall is not seeing the traffic as web traffic and is not applying your policies to it.
