Web Proxy behind PAN firewall and application recognition



I know this question has been asked in other posts but I figured I would give it another try. I would like the PAN to sit between my users and my web proxy *and* for the applications to be recognized instead of just reported as proxy traffic. Is there any setting to force the PANOS to do this?

1 ACCEPTED SOLUTION

L4 Transporter

If you are asking about this topology:

[User]------[Proxy]------[Paloalto]-----(internet)

Then all outbound traffic will be detected as the Proxy and the only traffic seen will be HTTP and HTTPS unless a second interface is picking up the other traffic such as FTP, MAIL, etc.

If you are asking about:

[User]-------[PaloAlto]-------[Proxy]------(internet)

Then we will see the actual user and all applications destined for the internet.

16 REPLIES


If I'm using

[User]------[Proxy]------[Paloalto]-----(internet)

is there a way I can see the user?

Hi,

Users' traffic should pass through the Palo Alto first, then your proxy!

Is there any way I can see the user behind the proxy?


If you just want to identify users you could set up a TAP port on the Palo Alto using a mirror port on a switch to inspect the traffic prior to the proxy. I do not recommend inserting the Palo before and after the proxy because this will cause each packet to be inspected twice. Also, if you have BLOCK or CONTINUE pages on policies you can get some unexpected results.

Steve Krall

Yes, if you run a proxy that can act in transparent mode, such as the Färist proxy firewall (www.tutus.se) among others. Meaning that it will keep the src IP unaltered even if the client uses the proxy firewall as a forward proxy (proxy settings set up in their web browser).

This way you can use:

[User]------[Proxy]------[Paloalto]-----(internet)

in two modes:

1) forward-proxy

The user sets up the proxy settings in their web browser to point to the proxy. The proxy will then do name resolution and surf on behalf of the user. The src IP hitting the Palo Alto is the actual user src IP. The Palo Alto will then NAT outbound traffic towards the internet, so you get:

- User calls 10.0.0.1:3128 for HTTP or 10.0.0.1:3129 for HTTPS (IP of proxy, preferably an RFC 1918 network).

- Proxy will query DNS and then set up an HTTP/HTTPS connection towards the public IP on the internet.

- The Palo Alto will NAT the user src IP before traffic leaves on the internet interface.

2) transparent-proxy

The user will browse on their own straight to the public IPs on the internet and the proxy will be completely transparent to the user (except for error messages and such).

- User will query DNS and then set up an HTTP/HTTPS connection towards the public IP on the internet.

- The Palo Alto will NAT the user src IP before traffic leaves on the internet interface.

Personally I would prefer the first method because then you can set up triggers in your SIEM so it will scream if packets with public IPs are seen in the core (between User and Proxy), because this would be a good sign that something is bad with a particular client (like a malware got through).

Also, because you have a proxy between the Palo Alto unit (which sits next to the internet) and your internal network, this proxy could also protect the inbound connections which the Palo Alto device makes towards the PAN agent servers in order to find out the user ID of the src IPs it is seeing.
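The SIEM trigger described in the post above, as an added example (not code from the thread or from any vendor): flow records collected on the core segment between users and the forward proxy are checked against RFC 1918 plus loopback, and any flow whose source or destination is a public address is attributed to the internal host that produced it. The proxy address 10.0.0.1 with ports 3128/3129 follows the post; the flow format (src,dst,dport) and every client and destination address are constructed for the example. In transparent-proxy mode this rule would fire on every browsing flow, which is exactly why the poster prefers forward-proxy mode.

```python
import ipaddress

# Ranges that are legitimate on the user<->proxy segment in forward-proxy mode:
# RFC 1918 plus loopback. Any other address there is the "public IP seen in the
# core" condition the post wants the SIEM to alert on.
ALLOWED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
]

# Constructed sample flow records (src,dst,dport) as a collector on the core
# segment might export them. All hosts and addresses are made up for the example;
# 10.0.0.1:3128/3129 is the proxy from the post.
SAMPLE_FLOWS = [
    "10.1.5.23,10.0.0.1,3128",      # browser -> forward proxy HTTP port, expected
    "10.1.5.23,10.0.0.1,3129",      # browser -> forward proxy HTTPS port, expected
    "10.1.5.23,10.1.2.10,445",      # internal file share, expected
    "10.1.5.40,93.184.216.34,443",  # straight to a public IP: bypassed the proxy
    "10.1.5.40,8.8.8.8,53",         # same host, DNS straight to the internet
    "10.1.5.77,10.0.0.1,3128",      # another clean client
]


def is_internal(ip):
    """True when the address belongs to one of the allowed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def parse_flow(line):
    """Split one 'src,dst,dport' record into (src, dst, dport:int)."""
    src, dst, dport = line.strip().split(",")
    return src, dst, int(dport)


def classify(line):
    """'ok' when both endpoints are internal, 'public_in_core' otherwise."""
    src, dst, _ = parse_flow(line)
    if is_internal(src) and is_internal(dst):
        return "ok"
    return "public_in_core"


def find_bypass(lines):
    """Group offending flows by the internal host involved.

    Returns {host: [(src, dst, dport), ...]}; each key is one alert the SIEM
    rule would raise, the list is the evidence attached to it.
    """
    hits = {}
    for line in lines:
        if classify(line) == "ok":
            continue
        src, dst, dport = parse_flow(line)
        # Attribute the alert to the internal side; a flow with no internal
        # endpoint at all is keyed on its source so it is not silently dropped.
        host = src if is_internal(src) else (dst if is_internal(dst) else src)
        hits.setdefault(host, []).append((src, dst, dport))
    return hits


if __name__ == "__main__":
    for host, flows in find_bypass(SAMPLE_FLOWS).items():
        print(f"ALERT {host}: {len(flows)} flow(s) to/from public addresses")
        for src, dst, dport in flows:
            print(f"    {src} -> {dst}:{dport}")
```

Running the block on the constructed records raises a single alert, for 10.1.5.40, with its two direct-to-internet flows as evidence; the clients that only ever talk to 10.0.0.1 and to internal servers produce nothing.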

My configuration is in vwire mode.

When I look at the traffic log, all traffic to the internet has the proxy server IP as its source IP.

How do I configure User-ID in this topology?

I already set the zone to use User-ID.

User-ID works for internal traffic but does not work for traffic to the internet.

Hi skrall,

Just curious about your comment. Hope you don't mind if I ask this...

------------------------------------------------------------

If you are asking about:

[User]-------[PaloAlto]-------[Proxy]------(internet)

Then we will see the actual user and all applications destined for the internet.

---------------------------------------------------------------------------

In the above design, the proxy will be a standard forward proxy. (That means it is non-transparent.)

In this case, can PA still recognize a client's web access request and show the final destination IP on the internet?

I thought, since the user's web request goes through this proxy server, the destination IP will be recognized as the IP address of the proxy server...

The traffic logs will show the Proxy IP as the destination, as you have said. But URL filtering looks at the actual URL requested to make a classification. And with HTTPS traffic, we look at the FQDN in the certificate to make the URL classification. The actual application is detected based on signatures that match the application layer header (HTTP Ver 1.1, etc.). So only some of your reports will be negatively affected. I am not aware of this causing any problems in a production environment. If you really need the destination IP address you could put one interface in TAP mode and watch the traffic on the other side of the Proxy, but there is no good way to correlate the inside traffic and the outside traffic. And be careful about deep inspection of packets twice. This could cause performance degradation in a busy network.

SK
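Why the answer above still holds even though the L3 destination is the proxy: a request sent to a forward proxy names the real site in its own request line. The parser below is an added example, not PAN-OS code and not the poster's, that extracts that destination from the three request forms a firewall in front of a proxy meets: absolute-form (`GET http://host/path`, what a browser sends a forward proxy), authority-form (`CONNECT host:port`, the HTTPS tunnel setup, where only host and port are visible before TLS starts), and origin-form (`GET /path` plus `Host:`, what a transparent proxy or a direct connection carries). The sample request heads and all hostnames are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed sample request heads (made-up hostnames). The first two are what a
# browser sends to a forward proxy such as 10.0.0.1:3128; the third is the
# origin-form request a client sends straight to a server.
SAMPLE_REQUESTS = [
    b"GET http://www.example.com/news/index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\nUser-Agent: example/1.0\r\n\r\n",
    b"CONNECT mail.example.net:443 HTTP/1.1\r\n"
    b"Host: mail.example.net:443\r\n\r\n",
    b"GET /wiki/Main_Page HTTP/1.1\r\n"
    b"Host: intranet.example.org\r\n\r\n",
]


def parse_request_head(raw):
    """Split a request head into (method, target, version, headers dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def requested_destination(raw):
    """Return what a URL filter could classify from one request:
    {'form', 'host', 'port', 'url'}.

    absolute-form  -> full URL is in the request line
    authority-form -> only host:port; the URL travels inside the TLS tunnel
    origin-form    -> URL reassembled from Host header and path
    """
    method, target, _, headers = parse_request_head(raw)
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return {"form": "authority", "host": host, "port": int(port), "url": None}
    parts = urlsplit(target)
    if parts.scheme and parts.netloc:
        port = parts.port or (443 if parts.scheme == "https" else 80)
        return {"form": "absolute", "host": parts.hostname, "port": port, "url": target}
    host_hdr = headers.get("host", "")
    host, _, port = host_hdr.partition(":")
    return {
        "form": "origin",
        "host": host,
        "port": int(port) if port else 80,
        "url": f"http://{host_hdr}{target}" if host_hdr else None,
    }


def destinations(requests=SAMPLE_REQUESTS):
    """Classify every sample request head."""
    return [requested_destination(r) for r in requests]


if __name__ == "__main__":
    for d in destinations():
        print(f"{d['form']:9} host={d['host']} port={d['port']} url={d['url']}")
```

The authority-form case is the one to keep in mind when reading the reply above: for a CONNECT tunnel the firewall sees the hostname and port in clear text, but the path and query stay inside TLS, which is why the reply falls back to the certificate FQDN for HTTPS classification.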
