URL and Threat filter before reach squid caching

Dear All,

We have an existing Squid proxy which is going to be used as a caching proxy, and we want to use PAN to perform URL and threat filtering between the users and the Squid proxy.

The end-user browsers have been configured to point their proxy settings at this Squid proxy.

What would be your advice to achieve such requirements? In terms of deployment mode, which mode would it be, and how would the physical connections look between the users, the proxy and the internet?

Thanks.

Regards,

Eugene


Hi,

One possible solution would be to configure a new port with a new zone on the firewall for the proxy, point browsers to the new IP address of the proxy, and then apply a content filtering policy when your LAN accesses the zone in which the proxy is. That way your firewall's URL filtering policy will be applied before requests reach the proxy.

Hi npare,

When you said "point browsers to the new IP address of the proxy", are you referring to configuring PAN as a proxy and having PAN point to Squid as its parent proxy for caching?

Is there such a setting?

Please correct me if I'm wrong.

Thanks.

Eugene

I was referring to pointing the browsers to the new IP address that the Squid box will have.

Here is an example: if your LAN is 192.168.1.0/24 and the Squid proxy is at 192.168.1.10, you could configure a new interface set to 192.168.2.1/24, include that new interface in your virtual router, change the IP of your Squid box to 192.168.2.10 and its gateway to 192.168.2.1, and then set up the necessary rules (allow port 8080 from LAN to Proxy via port 8080 if that's what you configured, then allow DNS, web browsing, SSL etc. from the Squid server out to the internet).

I would also recommend a rule to prevent NAT from the LAN to the proxy so that the proxy sees the real source IP address of the connection.

Edit: I do believe you can configure a policy based forwarding rule to redirect port 80 traffic to your Squid proxy, but that's not something I have configured myself yet. I'll give that a try with my proxy and let you know either later today or tomorrow.

Hi Eugene,

I think I managed to get a good solution working for you. I have a proxy on my LAN at I set up policy based forwarding to redirect web traffic over to the proxy automatically. My workstation is configured to go directly to the internet, but I am still going through the proxy thanks to the policy based forwarding rule.

Here is what I did:

Policy based forwarding rule set as follows:

Source

- Zone : LAN

- Source : NOT the Proxy's IP address

- Destination : NOT the Proxy's IP address (to make sure traffic going to the proxy doesn't get redirected to the proxy)

- Service : service-http and service-https

Action : Forward

Forwarding

- Egress I/F : ethernet1/2 (my LAN interface)

- Next hop : IP address of proxy

NAT Rule placed at the top:

Source Zone : LAN

Destination Zone : Internet

Destination address : Proxy

Translated packet : None/None (to keep the original source IP).

Without the NAT rule, the firewall would forward to the proxy but would NAT with its public IP address first, which would cause issues.

Of course you might need to adapt those rules to your network but hopefully that is a good solution for your environment.
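To make the interaction between the two rules in the reply above easier to reason about, here is an added, self-contained Python model of them; it is not Palo Alto code and not the poster's configuration. It evaluates the PBF rule (LAN zone, source and destination both NOT the proxy, service http/https, next hop = proxy) and then walks a two-entry NAT table top to bottom, with the "translated packet: none" exemption placed first. The topology (192.168.1.0/24 LAN, proxy at 192.168.1.10, constructed public IP 203.0.113.1) is constructed, and the assumption that the exemption's "Destination address: Proxy" is matched against the address the packet is actually handed to after PBF is the model's own simplification.

```python
"""Toy first-match evaluator for the PBF + NAT rules described in the reply.
Constructed example for illustration; not PAN-OS code. Assumptions are marked inline."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional, Tuple

# Constructed topology (assumption): LAN zone behind ethernet1/2, proxy on the LAN subnet,
# everything outside LAN_NET is reached through the Internet zone.
LAN_NET = ip_network("192.168.1.0/24")
PROXY_IP = ip_address("192.168.1.10")
LAN_IF = "ethernet1/2"
PUBLIC_IP = ip_address("203.0.113.1")   # constructed, documentation range
WEB_PORTS = {80, 443}                   # service-http and service-https


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def zone_of(ip: IPv4Address) -> str:
    """Zone lookup by route: LAN subnet -> LAN, anything else -> Internet."""
    return "LAN" if ip_address(str(ip)) in LAN_NET else "Internet"


def pbf_next_hop(pkt: Packet) -> Optional[Tuple[str, str]]:
    """PBF rule from the reply: source zone LAN, source NOT proxy, destination NOT proxy,
    service http/https -> forward out ethernet1/2 with the proxy as next hop."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if zone_of(src) != "LAN":
        return None
    if src == PROXY_IP:          # the proxy's own outbound requests must go direct
        return None
    if dst == PROXY_IP:          # explicit-proxy clients: never redirect proxy-bound traffic again
        return None
    if pkt.dport not in WEB_PORTS:
        return None
    return (LAN_IF, str(PROXY_IP))


# NAT table, evaluated top to bottom: (src_zone, dst_zone, dst_address_match, translated_src).
# Assumption: the "Destination address: Proxy" field is compared with the address the packet
# is handed to (the PBF next hop when PBF matched), which is what lets the exemption fire.
NAT_RULES = [
    ("LAN", "Internet", PROXY_IP, None),      # exemption at the top: keep original source IP
    ("LAN", "Internet", None, PUBLIC_IP),     # generic outbound source NAT
]


def translated_source(pkt: Packet) -> str:
    """Source IP the next hop will see after PBF and first-match NAT evaluation."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    hop = pbf_next_hop(pkt)
    handed_to = ip_address(hop[1]) if hop else dst
    src_zone, dst_zone = zone_of(src), zone_of(dst)   # zones from the original destination route
    for rule_src, rule_dst, rule_dst_addr, xlate in NAT_RULES:
        if (rule_src, rule_dst) != (src_zone, dst_zone):
            continue
        if rule_dst_addr is not None and rule_dst_addr != handed_to:
            continue
        return str(xlate) if xlate is not None else str(src)
    return str(src)   # no NAT rule matched (e.g. LAN-to-LAN): untouched


if __name__ == "__main__":
    client_web = Packet("192.168.1.50", "198.51.100.7", 80)   # client configured to go direct
    print(pbf_next_hop(client_web), translated_source(client_web))
```

Running the module prints the next hop for a client HTTP request and the source address the proxy sees, which stays the client's real IP thanks to the exemption; remove the first NAT_RULES entry and the proxy would see 203.0.113.1 instead, which is the problem the reply describes.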

Hi npare,

Thank you for your reply and the detailed explanation of the setup, which I really appreciate.

One thing I need to confirm: does the setup you explained only require one configured port in PAN to make all this work, meaning only the LAN port configured?

On the other hand, I was actually thinking that there might be an easier way other than changing the browsers' proxy IP address, as there are quite a lot of client machines, probably around 800.

Do you have any other options other than this?

Will it be possible to configure PAN to be inline between the users and the Squid traffic without having to change anything on the user browser side? If yes, how can we configure it to achieve such requirements?

Thanks.

Regards,

Eugene

Hi,

Your firewall needs to be operational first. It will need a port configured towards the internet, without which the proxy will not be able to reach out to websites.

The method I last described (policy based forwarding) does not require the browsers to be configured to use a proxy, they should be configured to go direct, the firewall will redirect the traffic to the proxy.

Can the firewall be placed inline? Maybe with two firewall ports configured as a virtual router but that uses 2 valuable ports on the firewall so personally, that's not an option I would consider.

If I were to implement this, I would :

1. Put the proxy in its own subnet on a layer-3 port on the firewall

2. Use Windows Domain GPOs to push the proxy's new IP into the browsers' configuration

3. Apply the web filtering policy when the local LAN accesses the zone where the proxy is.

That way, the proxy is isolated and already in a "DMZ" if reverse proxy ever becomes a necessity.

I think Client <-> Squid <-> PAN <-> Internet would be a better option than Client <-> PAN <-> Squid <-> Internet because this way the PAN can also act on dstip and stuff (and so not all appid becomes "http-proxy" :P).

Also putting the Squid inline with your PAN (instead of a DMZ) will also optimize performance.

"Flows" inline:

Client -> Squid
Squid -> PAN
PAN -> Internet
Internet -> PAN
PAN -> Squid
Squid -> Client

which means that with 1 Gbit/s links (as an example) you won't have any "collisions" (where the same data flows over the same cable multiple times). A request is sent out on TX and the response is received on RX, and that's it.

"Flows" DMZ (example with ICAP):

Client -> PAN
PAN -> Squid
Squid -> PAN
PAN -> Internet
Internet -> PAN
PAN -> Squid
Squid -> ICAP
ICAP -> Squid
Squid -> PAN
PAN -> Client

which (if you are unlucky) gives you a performance of 1 Gbit/s / 3 = 333 Mbit/s in throughput (yeah, I know that ICAP traffic isn't symmetric (you copy the stuff to the ICAP server and get an ACK/NACK in response), but still).

A workaround for this would be if you use two interfaces on your PAN for the DMZ like inside/outside or such but I would still prefer the inline method (Client <-> Squid <-> PAN <-> Internet).

Having the squid box first would also have the advantage that it will cache the deny messages, meaning people going to websites that eventually would be blocked would only reach the proxy, not all the way to the firewall.

Provided Squid caches deny messages, that is; I mostly have experience with Blue Coat proxies.

I forgot to add something to the performance example and that is number of sessions.

If you place your Squid on a DMZ both incoming and outgoing sessions (from that Squid) will occupy resources in your PAN.

If you place the Squid inline with the PAN, roughly half of the sessions will be needed in the PAN (not that PAN has any issues with the number of sessions, but it can be a thing to think of, especially when it comes to the smaller PAN models).
