12-17-2010 11:57 AM
I know this question has been asked in other posts but I figured I would give it another try. I would like the PAN to sit between my users and my web proxy *and* for the applications to be recognized instead of just reported as proxy traffic. Is there any setting to force the PANOS to do this?
12-20-2010 09:23 PM
If you are asking about this topology:
[User]------[Proxy]------[Paloalto]-----(internet)
Then all outbound traffic will be detected as the Proxy and the only traffic seen will be HTTP and HTTPS unless a second interface is picking up the other traffic such as FTP, MAIL, etc.
If you are asking about:
[User]-------[PaloAlto]-------[Proxy]------(internet)
Then we will see the actual user and all applications destined for the internet.
07-12-2012 03:06 AM
If I'm using
[User]------[Proxy]------[Paloalto]-----(internet)
is there a way I can see the user?
07-12-2012 04:39 AM
Hi,
Users' traffic should pass through the PaloAlto first, then your proxy!
07-12-2012 05:53 AM
Is there any way I can see the user behind the proxy?
07-12-2012 09:14 AM
If you just want to identify users you could set up a TAP port on the Palo Alto using a Mirror Port on a switch to inspect the traffic prior to the proxy. I do not recommend inserting the Palo before and after the proxy because this will cause each packet to be inspected twice. Also, if you have BLOCK or CONTINUE pages on policies you can get some unexpected results.
Steve Krall
07-12-2012 12:59 PM
Yes, if you run a proxy that can act in transparent mode, such as the Färist proxyfirewall (www.tutus.se) among others. Meaning that it will keep the srcip unaltered even if the client uses the proxyfirewall as a forward proxy (proxy settings set up in their web browser).
This way you can use:
[User]------[Proxy]------[Paloalto]-----(internet)
in two modes:
1) forward-proxy
The user sets up the proxy settings in their web browser to point to the proxy. The proxy will then do name resolution and surf on behalf of the user. The srcip hitting PaloAlto is the actual user srcip. PaloAlto will then NAT outbound traffic towards the internet so you get:
- User calls 10.0.0.1:3128 for http or 10.0.0.1:3129 for https (ip of proxy - preferably an RFC1918 network).
- Proxy will query DNS and then set up http/https towards the public ip on the Internet.
- PaloAlto will NAT the user srcip before traffic leaves on the internet interface.
2) transparent-proxy
The user will browse on its own straight to the public IPs on the internet and the proxy will be completely transparent to the user (except for error messages and such).
- User will query DNS and then set up http/https towards the public ip on the Internet.
- PaloAlto will NAT the user srcip before traffic leaves on the internet interface.
Personally I would prefer the first method, because then you can set up triggers in your SIEM so it will scream if packets with public IPs are seen in the core (between User and Proxy) - because this would be a good sign that something is bad with a particular client (like malware got through).
Also, because you have a proxy between the PaloAlto unit (which sits next to the Internet) and your internal network, this proxy could also protect the inbound connections which the PaloAlto device makes towards the PAN-agent servers in order to find out the userid of the srcips it is seeing.
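The SIEM trigger described in the post above, written out as an added example (not code from the thread, from Palo Alto Networks or from any proxy vendor): on the segment between User and Proxy, a forward-proxy design should show only RFC1918 addresses, so any flow record there with a public source or destination points at a client that is bypassing the proxy. The flow-record format and the sample records are constructed for this example; 10.0.0.1 is assumed to be the proxy from the post's own addressing.

```python
"""Added example: detect public IPs on the User-Proxy ("core") segment.

In the forward-proxy design from the post, clients talk only to the proxy on
RFC1918 addresses, so a public address in either direction on this segment is
the anomaly the SIEM should alert on.
"""
import ipaddress
import re

# RFC1918 ranges, as named in the post. Other private-use ranges are deliberately
# left out so the check matches the design assumption exactly.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical flow-record format, constructed for this example.
FLOW_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)"
)

# Constructed sample records from the User-Proxy segment (10.0.0.1 is the proxy).
SAMPLE_FLOWS = [
    "src=10.0.0.25 dst=10.0.0.1 dport=3128 proto=tcp",      # http via proxy, fine
    "src=10.0.0.25 dst=10.0.0.1 dport=3129 proto=tcp",      # https via proxy, fine
    "src=10.0.0.26 dst=10.0.0.53 dport=53 proto=udp",       # internal resolver, fine
    "src=10.0.0.77 dst=203.0.113.10 dport=443 proto=tcp",   # straight to the internet
    "src=192.168.5.9 dst=198.51.100.4 dport=80 proto=tcp",  # straight to the internet
    "src=10.0.0.25 dst=172.20.1.3 dport=445 proto=tcp",     # internal file server, fine
    "this line is not a flow record",                       # must be skipped, not crash
]


def is_rfc1918(addr: str) -> bool:
    """True if addr falls inside one of the three RFC1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def parse_flow(line: str):
    """Return the flow fields as a dict, or None for lines that do not match."""
    m = FLOW_RE.search(line)
    if m is None:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def core_segment_alerts(lines):
    """Flag every flow on the core segment that carries a public address.

    Each alert names the client (the flow's src), so the SIEM can point at
    'a particular client' as the post puts it.
    """
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        public = [flow[k] for k in ("src", "dst") if not is_rfc1918(flow[k])]
        if public:
            alerts.append({"client": flow["src"], "public_addrs": public,
                           "dport": flow["dport"], "proto": flow["proto"]})
    return alerts


if __name__ == "__main__":
    for a in core_segment_alerts(SAMPLE_FLOWS):
        print(f"ALERT client={a['client']} public={a['public_addrs']} "
              f"{a['proto']}/{a['dport']}")
```

Run against the constructed records, only the two hosts that went straight to 203.0.113.10 and 198.51.100.4 are reported; proxy, DNS and file-server flows stay quiet because both ends are RFC1918. In a real deployment the same check would run on flow or span-port records from the core switches, not on the firewall's own logs, since the firewall sits on the other side of the proxy in this design.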
07-15-2012 12:14 AM
My configuration is in vwire mode.
When I look at the traffic log, all traffic to the internet is using the proxy server IP as the source IP.
How do I configure user-ID for this topology?
I already set the zone to use user-ID;
user-ID works for internal traffic but not for traffic to the internet.
01-22-2013 12:59 AM
Hi skrall,
Just curious about your comment. Hope you don't mind if I ask this...
------------------------------------------------------------
If you are asking about:
[User]-------[PaloAlto]-------[Proxy]------(internet)
Then we will see the actual user and all applications destined for the internet.
---------------------------------------------------------------------------
In the above design, the proxy will be a standard forward proxy. (That means it is non-transparent.)
In this case, can PA still recognize a client's web access request and show the final destination IP on the internet?
I thought, since the user's web request goes through this proxy server, the destination IP will be recognized as the IP address of the proxy server...
01-22-2013 12:02 PM
The traffic logs will show the Proxy IP as the destination, as you have said. But URL filtering looks at the actual URL requested to make a classification. And with HTTPS traffic, we look at the FQDN in the certificate to make the URL classification. The actual application is detected based on signatures that match the Application layer header (HTTP Ver 1.1, etc). So only some of your reports will be negatively affected. I am not aware of this causing any problems in a production environment. If you really need the destination IP address you could put one interface in TAP mode and watch the traffic on the other side of the Proxy, but there is no good way to correlate the inside traffic and the outside traffic. And be careful about deep inspection of packets twice. This could cause performance degradation in a busy network.
SK
01-23-2013 12:25 AM
Hi Skrall,
Very clear explanation! Thank you.
I guess there will always be an obstacle when you deploy a proxy server with PA...
Of course, the best solution is not using a proxy and letting PA handle everything, but many companies request to use a proxy server...
01-23-2013 12:52 AM
The best solution is obviously to rearrange the flow in your case so it becomes:
[User]-------[Proxy]-------[PaloAlto]------(internet)
and by that configure your proxy to keepsource=yes and also allow PaloAlto to communicate with the PAN-agent through your proxy (unless your PAN-agent is reachable over the mgmt interface). In this case the PaloAlto will do the SNAT.
This way it doesn't matter if your proxy is a forward proxy (preferred, because you will then have only internal IPs between User and Proxy) or transparent (the difference is that with a forward proxy the clients use CONNECT with dstip as the proxy IP, while in transparent mode the clients use HEAD/GET/POST with dstip as the real server on the internet).
Another possibility, if you only have one set of PaloAltos, is to use VSYS (unless you have some policy which won't let you physically mix external and internal resources in the same hardware - meaning with VSYS you can let VSYS1 be the above internet firewall and VSYS2 be some internal server firewall).
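Two points from the thread can be seen side by side in captured HTTP request heads: skrall's explanation that the requested URL (or the server name) still identifies the destination even when the IP-layer dstip is the proxy, and Mikand's distinction that a forward-proxy client sends CONNECT or an absolute URI with dstip = proxy, while a transparent-mode client sends an ordinary GET/POST with dstip = the real server. The following is an added example, not code from the thread or from any vendor; the request samples are constructed, and the `userid_key` helper is a hypothetical illustration of what an IP-layer User-ID lookup can key on (the flow source, which is the real client only with keepsource=yes as defined later in the thread) versus what only lives in a header such as X-Forwarded-For.

```python
"""Added example: classify captured HTTP request heads as forward-proxy or
transparent-style, recover the real destination host from either form, and
separate what an IP-layer device sees from what is only in HTTP headers."""
import re
from urllib.parse import urlsplit

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/(?P<ver>\d\.\d)$")

# Constructed samples (CRLF-terminated request heads, body omitted).
FORWARD_CONNECT = "CONNECT example.com:443 HTTP/1.1\r\nHost: example.com:443\r\n\r\n"
FORWARD_GET = "GET http://example.com/index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
TRANSPARENT_GET = "GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"
# What a non-keepsource proxy might emit on its internet side: origin-form
# request, real server in Host, original client only in X-Forwarded-For.
PROXIED_GET_WITH_XFF = (
    "GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
    "X-Forwarded-For: 10.0.0.25\r\n\r\n"
)


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.x request head into request-line fields and headers."""
    lines = raw.split("\r\n")
    m = REQUEST_LINE.match(lines[0])
    if m is None:
        raise ValueError(f"not an HTTP request line: {lines[0]!r}")
    headers = {}
    for h in lines[1:]:
        if not h:          # blank line ends the head
            break
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {**m.groupdict(), "headers": headers}


def classify(req: dict) -> tuple:
    """Return (mode, destination_host) for a client-side request.

    forward-proxy : CONNECT host:port, or GET http://host/path (absolute form)
    transparent   : GET /path with the real server in the Host header
    The destination host is what URL filtering can classify on even when the
    IP-layer destination is the proxy.
    """
    method, target = req["method"], req["target"]
    if method == "CONNECT":
        return ("forward-proxy", target.rsplit(":", 1)[0])
    if target.startswith(("http://", "https://")):
        return ("forward-proxy", urlsplit(target).hostname)
    if target.startswith("/"):
        return ("transparent", req["headers"].get("host", "").split(":")[0])
    raise ValueError(f"unrecognised request target: {target!r}")


def userid_key(flow_src_ip: str, req: dict) -> dict:
    """Hypothetical helper: the IP-layer source is what a per-IP user mapping
    keys on; X-Forwarded-For is readable only by something that parses HTTP.
    With keepsource=yes the IP-layer source is the real client; without it,
    it is the proxy, whatever the header says."""
    xff = req["headers"].get("x-forwarded-for")
    return {
        "ip_layer_source": flow_src_ip,
        "x_forwarded_for": xff.split(",")[0].strip() if xff else None,
    }


if __name__ == "__main__":
    for name, raw in [("CONNECT", FORWARD_CONNECT), ("absolute GET", FORWARD_GET),
                      ("origin GET", TRANSPARENT_GET)]:
        print(name, "->", classify(parse_request(raw)))
    # Seen at the firewall behind a proxy at 10.0.0.1 that does not keep source.
    print(userid_key("10.0.0.1", parse_request(PROXIED_GET_WITH_XFF)))
```

All three client forms yield `example.com` as the destination host, which is why URL classification survives a forward proxy even though the traffic log shows the proxy as dstip. The last line shows the other half of the thread's argument: with the proxy at 10.0.0.1 not keeping the source address, the only client identity the firewall's IP-based mapping can use is 10.0.0.1, and the 10.0.0.25 in X-Forwarded-For is invisible to it.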
01-23-2013 01:21 AM
Hi Mikand,
and by that configure your proxy to keepsource=yes and also allow PaloAlto to communicate with PAN-agent through your proxy (unless your PAN-agent is reachable over mgmt-interface). In this case the PaloAlto will do the SNAT.
↑ I am not sure exactly what the above means... Are you referring to a specific proxy server model? Also, PAN-OS is 5.x, which doesn't use an external PAN-agent.
How does it work in that case?
01-23-2013 01:45 AM
1) Keepsource=yes means that the proxy on its "internet" interface should use the client IP as srcip instead of its own. How you do this depends on which proxy you are using. Which vendor and model (and if possible software version) is it in your case?
2) In order for the PA box to know the users (unless you want to use captive portal, which I imagine you want to avoid), the PA must be allowed to speak to the PAN-agent server(s) on your inside network. This means that besides the rules client (inside) -> internet (outside) in the proxy, you must have a rule which will allow pa (outside) -> pan-agent (inside).
PANOS 5.x can use dedicated PAN-agent server(s) as previously. What's new in PANOS 5.x is that it itself contains a limited PAN-agent server (run in the mgmt plane), so there is no need for dedicated server(s) in smaller networks. I don't remember the recommendation for using the internal PAN-agent server in the PA box, but it was something like less than 100 users or such. If your network has several hundred or thousands of users, the recommendation is to use dedicated PAN-agent servers (or install the PAN-agent service on each DC server). You can of course still use dedicated PAN-agent server(s) even in small networks (just put that in your VMware cluster or such if you can't spare it dedicated hardware, or install it directly on the DC servers).
3) The PaloAlto will do the SNAT, meaning that since the PA will see the client IPs (which I assume are RFC1918 like 10.x.x.x or 192.168.x.x or such), the PA will do the NAT so this traffic on the interface facing the internet will have its srcip replaced with the IP which the PA uses on this internet interface (or, if you wish, with some other IP or range of IPs which is routed towards the PA by your internet router).
01-23-2013 02:32 AM
Hi Mikand,
I think I am getting closer to understanding your explanation very clearly... but I need to clarify a few things, hope you don't mind.
(1) Keepsource=yes
Are we talking about "X-Forwarded-For" in the HTTP header? Or did you simply mean a proxy can keep the client's IP as the original source IP when it sends packets to the internet? The customer's proxy is ISA. But I am testing with Squid. How can I enable it in the latter case for ISA and Squid?
(2) It can be reachable via the management interface. Does this work?