This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Web Proxy behind PAN firewall and application recognition

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Web Proxy behind PAN firewall and application recognition

Go to solution
dustintodd
Not applicable

‎12-17-2010 11:57 AM

I know this question has been asked in other posts but I figured I would give it another try. I would like the PAN to sit between my users and my web proxy *and* for the applications to be recognized instead of just reported as proxy traffic. Is there any setting to force the PANOS to do this?

0 Likes Likes
16 REPLIES 16

Go to solution
mikand
L6 Presenter
In response to tomimma

‎01-23-2013 02:41 AM

1) I was talking about that when the packet leaves your Proxy (towards internet) the srcip will be the clientip (instead of the ip of the physical interface).

Like so, before proxy:

srcip: <clientip>

dstip: <proxyip_insideinterface>

after proxy:

srcip: <clientip>

dstip: <webserverip>

I will check if squid can do the "keepsource=yes" feature and get back, otherwise there are other proxies which can do this.

2) Yes, you can specify which interface to use in Device -> Setup -> Services and then Service route configuration to define which mgmt-services should use the mgmt-interface and which should use one of the dataplane-interfaces.

Edit:

I found some info on how to do this with squid:

http://wiki.squid-cache.org/Features/Tproxy4

http://wiki.squid-cache.org/ConfigExamples/Intercept/CentOsTproxy4

http://wiki.squid-cache.org/ConfigExamples/FullyTransparentWithTPROXY

http://www.squid-cache.org/mail-archive/squid-users/200705/0443.html

http://www.squid-cache.org/mail-archive/squid-users/200705/0447.html

Some newer info regarding Squid3:

http://www.deckle.co.uk/squid-users-guide/transparent-caching-proxy.html

http://www.lesismore.co.za/squid3.html

The device where I first saw this keepsource=yes feature was in the Farist Firewall http://www.tutus.se/products/farist-firewall.html

0 Likes Likes

Go to solution
tomimma
L1 Bithead
In response to mikand

‎01-24-2013 06:20 AM

Thanks, I am not sure if these solutions are feasible for my real situation though...

It looks like it is acting more likely as "transparent", that is all to me.

0 Likes Likes
  • 10120 Views
  • 16 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks