Web Proxy behind PAN firewall and application recognition


I know this question has been asked in other posts but I figured I would give it another try. I would like the PAN to sit between my users and my web proxy *and* for the applications to be recognized instead of just reported as proxy traffic. Is there any setting to force the PANOS to do this?


Hi Skrall,

Very clear explanation! Thank you.

I guess there will always be an obstacle when you deploy a proxy server with PA...

Of course, the best solution is not using proxy and let PA handle everything, but many companies request to use a proxy server...

The best solution is obviously to rearrange the flow in your case so it becomes:


and by that configure your proxy to keepsource=yes and also allow PaloAlto to communicate with PAN-agent through your proxy (unless your PAN-agent is reachable over mgmt-interface). In this case the PaloAlto will do the SNAT.

This way it doesn't matter if your proxy is a forward-proxy (preferred because you will then have only internal IPs between User and Proxy) or transparent (the difference is that with forward-proxy the clients use CONNECT with dstip as the Proxy ip while in transparent the clients use HEAD/GET/POST with dstip as the real server on internet).

Another possibility, if you only have one set of PaloAltos, is to use VSYS (unless you have some policy which won't let you physically mix external and internal resources in the same hardware - meaning with VSYS you can let VSYS1 be the above internet firewall and VSYS2 will be some internal server firewall).
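The request-line difference described in the post above (clients of a forward proxy address the proxy, clients behind a transparent proxy address the real server), as an added example that is not part of the original thread. It goes beyond the post by also covering the absolute-form target that a client sends to a forward proxy for plain HTTP; the function names and sample request lines are constructed for illustration.

```python
# Added illustration: classify HTTP/1.x request lines by request-target form
# (RFC 9112, section 3.2). Function names and sample lines are constructed.
from urllib.parse import urlsplit

def classify_request_line(line: str) -> str:
    """Return the request-target form seen in one HTTP/1.x request line."""
    parts = line.strip().split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return "invalid"
    method, target, _version = parts
    if method == "CONNECT":
        # authority-form (host:port): the client is asking a proxy for a tunnel
        host, sep, port = target.rpartition(":")
        ok = bool(sep and host and port.isdigit())
        return "explicit-proxy-connect" if ok else "invalid"
    if target == "*":
        return "asterisk-form"
    if target.startswith("/"):
        # origin-form: what an origin server or a transparent proxy receives
        return "origin-form"
    try:
        url = urlsplit(target)
    except ValueError:
        return "invalid"
    if url.scheme in ("http", "https") and url.netloc:
        # absolute-form: plain HTTP sent to an explicitly configured proxy
        return "explicit-proxy-absolute"
    return "invalid"

def deployment_hint(lines) -> str:
    """Summarise which proxy mode a set of captured request lines suggests."""
    kinds = {classify_request_line(l) for l in lines}
    explicit = bool(kinds & {"explicit-proxy-connect", "explicit-proxy-absolute"})
    origin = "origin-form" in kinds
    if explicit and origin:
        return "mixed"
    if explicit:
        return "forward-proxy"
    return "transparent-or-direct" if origin else "unknown"

# Constructed sample request lines (not taken from any capture).
FORWARD = ["CONNECT www.example.com:443 HTTP/1.1",
           "GET http://www.example.com/index.html HTTP/1.1"]
TRANSPARENT = ["GET /index.html HTTP/1.1", "POST /login HTTP/1.1"]

if __name__ == "__main__":
    print(deployment_hint(FORWARD), deployment_hint(TRANSPARENT))
```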

Hi Mikand,

and by that configure your proxy to keepsource=yes and also allow PaloAlto to communicate with PAN-agent through your proxy (unless your PAN-agent is reachable over mgmt-interface). In this case the PaloAlto will do the SNAT.

↑ I am not sure exactly what the above means...  Are you referring to the specific proxy server model? Also, PAN-OS is 5.x which doesn't use an external PAN-agent.

How does it work in that case?

1) Keepsource=yes meaning that the proxy on its "internet" interface should use the client-ip as srcip instead of its own. How you do this depends on which proxy you are using. Which vendor and model (and if possible software version) is it in your case?

2) In order for the PA box to know the users (unless you want to use captive portal which I imagine you want to avoid) the PA must be allowed to speak to the PAN-agent server(s) on your inside network. This means that, apart from the rules client (inside) -> internet (outside) in the proxy, you must have a rule which will allow pa (outside) -> pan-agent (inside).

The PANOS 5.x can use dedicated PAN-agent server(s) as previously. What's new in PANOS 5.x is that it itself contains a limited PAN-agent server (run in the mgmt-plane) so there is no need for dedicated server(s) in smaller networks. I don't remember the recommendation for using the internal PAN-agent server in the PA box but it was something like less than 100 users or such. If your network has several hundred or thousands of users the recommendation is to use dedicated PAN-agent servers (or install the PAN-agent service on each DC-server). You can of course still use dedicated PAN-agent server(s) even in small networks (just put that in your VMware cluster or such if you can't spare it dedicated hardware, or install it directly on the DC-servers).

3) The PaloAlto will do the SNAT, meaning that since the PA will see the client IPs (which I assume are RFC1918 like 10.x.x.x or 192.168.x.x or such) the PA will do the NAT, so this traffic on the interface facing internet will have its srcip replaced with the ip which the PA uses on this internet interface (or, if you wish, replaced with some other ip or range of ips which is routed towards the PA by your internet router).

Hi Mikand,

I think I am getting closer to understanding your explanation very clearly... but I need to clarify a few things, hope you don't mind.

(1) Keepsource=yes

Are we talking about "X-Forwarded-For" in the HTTP header? Or did you simply mean that a proxy can keep the client's IP as the original source-ip when it sends packets to the internet? The customer's proxy is ISA, but I am testing with Squid. In the latter case, how can I enable it for ISA and Squid?

(2) It can be reachable via management interface. Does this work?

1) I was talking about that when the packet leaves your Proxy (towards internet) the srcip will be the clientip (instead of the ip of the physical interface).

Like so, before proxy:

srcip: <clientip>

dstip: <proxyip_insideinterface>

after proxy:

srcip: <clientip>

dstip: <webserverip>

I will check if squid can do the "keepsource=yes" feature and get back, otherwise there are other proxies which can do this.

2) Yes, you can specify which interface to use in Device -> Setup -> Services and then Service route configuration to define which mgmt-services should use the mgmt-interface and which should use one of the dataplane-interfaces.


I found some info on how to do this with squid:






Some newer info regarding Squid3:



The device where I first saw this keepsource=yes feature was in the Farist Firewall http://www.tutus.se/products/farist-firewall.html

Thanks, I am not sure if these solutions are feasible for my real situation though...

It looks like it is acting more likely as "transparent", that is all to me.
