Setting up Policy to allow all access to a squid proxy

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Setting up Policy to allow all access to a squid proxy

L4 Transporter

Hi

 

Still a beginer with the PA.

 

I have a universal rule that allows from 

any zone 

my internal ip address

 

to 

ip address group that has by proxy addresses in it.

 

For applicaiton I have 

http-proxy - this covers a lot of ports

default urls

 

 

from my test  box I try 

wget -O /dev/null http://www.smh.com.au

 

this works !!!

wget -O /dev/null http://www.google.com

 

fails, when i look in the traffic logs I see that the PA have identified that the application is google-base.

 

so I add in google-basic, infact I include a application filter of general-internet

 

try that it fails.

 

I then set service to any not application default and now it works

 

 

But doesn't this now mean I can connect to my squid box on any port ????

 

How am I supposed to configure this ?

 

 

3 REPLIES 3

L4 Transporter

Actually even worse than this ....

 

the standard ports of the other applicaitons are allowed to the proxy

 

so for example msn-file-transfer allows 1025-65535 ... so now all these ports are allowed to the proxy !!!

For the record, its just me.

 

I had to set the service ports as well.

 

All working well now

To answer your question "so for example msn-file-transfer allows 1025-65535 ... so now all these ports are allowed to the proxy !!!"

 

No it is not the case.

Some applications use wide range of ports so SYN/SYN-ACK/ACK must be permitted through. When real communication starts then Palo can identify if it is really msn-file-transfer or not. If not then session is dropped.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
  • 2411 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!