This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Web Browsing

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Web Browsing

djrodb
L3 Networker

‎03-29-2012 01:27 AM

Hi

We're about to install the web filter licence for the PA. Our current system is a proxy configuraiton via websense. Now that we're going to use the PA for web filtering is the best practise to create a security rule allowing all internal PCs direct access to the Internet using the common web based ports or is there some other way of making the PA the proxy?

Thanks

Rod

0 Likes Likes
2 REPLIES 2

mikand
L6 Presenter

‎03-29-2012 01:50 AM

The PA doesnt do web proxy so it will not understand when a client connects to the ip address of the PA box and sends "CONNECT http://www.example.com/ HTTP/1.0".

If you want to keep the proxy setting in your clients (well browser settings) and in order to avoid having public ip addresses in your internal network you would need to use a dedicated forward proxy for this. A good (and cheap) solution is to use squid. There are also squid appliances if you want to pay some money: http://www.squid-cache.org/Support/products.html

Otherwise you need to disable the proxysetting in your client-browsers and make sure to point defgw towards your PA box (for the client the defgw is most likely already some router, then you need to add a routing entry in this router to point towards PA as defgw).

Edit: A tip when using a forward webproxy inline with a PA is to setup the webproxy to use "keep client ip". Then the PA will get the client ip's (as srcip on the packets forwarded to the PA) and you can use the ACC in the PA device to dig on what each client have done (otherwise the PA would just see the ip of the webproxy).

djrodb
L3 Networker
In response to mikand

‎03-29-2012 06:51 AM

Many thanks for taking the time to respond.

Rod

0 Likes Likes
  • 1889 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks