Web Security Gateway and PaloAlto NGFW

L1 Bithead


Hi, if I have a Palo Alto firewall as a core firewall, should I still use a web gateway for internet access? I have all subscriptions.

 

Thanks

 

L3 Networker

Hi

 

Palo Alto NGFW does:

1. URL Categorization - you can allow and deny categories or specific URLs

2. SSL Decryption (man-in-the-middle) to allow HTTPS traffic decoding, which is critical to enable for item #3

3. Scanning Profiles - Antivirus, AntiSpyware, Vulnerability, Wildfire

 

Palo Alto NGFW does not act as a proxy-cache and does not hide Users behind it and does not do WAF.

 

If you can live with the above pros and cons - it is up to you what you choose.

 

Hope this helps,

Shai

L7 Applicator


@ShaiW wrote:

Palo Alto NGFW does not act as a proxy-cache and does not hide Users behind it and does not do WAF.


Hi @ShaiW, I'm interested to learn what you mean by 'does not hide Users'?

Tom Piens - PANgurus.com
New to PAN-OS or getting ready to take the PCNSE? check out amazon.com/dp/1789956374
L2 Linker

Hi,

 

Understanding where your endpoints are located within the organization is also very important. Due to the current situation, where everyone is working from home, there is a constant threat to endpoints that are accessing the corporate resources through VPN/remote access/Citrix.

 

Now, for internet/private access, the users would need to create a VPN to your environment, which is a waste of bandwidth. This is where a web gateway comes into the picture. A web gateway can be a solution for both your on-prem and off-prem endpoints.

It provides protection for all your endpoints for port 80/443 traffic (URL filtering, AV, anti-spyware, DLP, threat prevention, etc.) in line with your current security posture (on-prem Palo Alto firewall).

 

I recently did a web gateway implementation (Zscaler) for a big client with 10000 users. They had a Palo Alto firewall on prem. The gateway was only for the roaming clients. The way we had it set up was: on the company LAN, Zscaler would disconnect automatically and 80/443 traffic would go through the Palo Alto firewall. But if a user is remote on an untrusted network, Zscaler will enforce the traffic through the proxy node and apply all the security policies configured, which ensures that users can't go to any unwanted websites through company-provided laptops.

 

Your choices for a web-gateway solution can be Palo Alto Prisma Access, Zscaler, Netskope, Cisco SecureX.

 

Hope this helps.



Thanks & Regards,
Varun Rao
Senior Security Engineer, Victoria | Australia | NTT
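The on-LAN/off-LAN switch described in the post above (direct to the on-prem firewall when on the company network, forced through the cloud proxy when roaming) comes down to a trusted-network test on the client. The block below is an added illustration of that decision, not Zscaler's, Palo Alto's or any product's code; the corporate ranges, resolver addresses, search domain and probe hostname are hypothetical, and the three sets of observations are constructed. The security point it carries is that any single signal (a DNS answer, a search domain handed out by DHCP) can be forged by whoever runs a hostile network, so the client should require several independent signals to agree and otherwise fail closed to the proxy.

```python
"""Trusted-network detection for a roaming web-gateway client.

Constructed example, not Zscaler's, Palo Alto's or any product's code.
It implements the decision described in the post: on the corporate LAN
send web traffic direct (the on-prem NGFW inspects it); anywhere else
force it through the cloud proxy. All hostnames, addresses and the
threshold are hypothetical values an administrator would push to clients.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical corporate values.
CORP_RANGES = [ip_network("10.0.0.0/8")]
TRUSTED_DNS = {ip_address("10.0.0.53"), ip_address("10.0.1.53")}
TRUSTED_SEARCH_DOMAIN = "corp.example.com"
# An internal-only name that must resolve to one specific internal address.
PROBE_HOST = "trust-probe.corp.example.com"
PROBE_EXPECTED = ip_address("10.20.0.5")


@dataclass
class NetworkSignals:
    """What the client can observe about the network it is sitting on."""
    local_ip: str
    dns_servers: list
    search_domain: str
    probe_answer: Optional[str]  # answer for PROBE_HOST, None if it did not resolve


def _safe_ip(value):
    """Parse an address, returning None instead of raising on garbage."""
    try:
        return ip_address(value)
    except ValueError:
        return None


def trust_signals(sig: NetworkSignals) -> dict:
    """Evaluate each independent signal on its own.

    Any one of these can be faked by whoever runs the network (rogue DHCP,
    rogue DNS), which is why the decision below requires several at once.
    """
    local = _safe_ip(sig.local_ip)
    dns = {_safe_ip(d) for d in sig.dns_servers} - {None}
    probe = _safe_ip(sig.probe_answer) if sig.probe_answer else None
    return {
        "corp_address": local is not None and any(local in n for n in CORP_RANGES),
        "trusted_dns": bool(dns) and dns <= TRUSTED_DNS,
        "search_domain": sig.search_domain.lower() == TRUSTED_SEARCH_DOMAIN,
        "probe_resolves": probe == PROBE_EXPECTED,
    }


def is_trusted_network(sig: NetworkSignals, required: int = 3) -> bool:
    """True only when at least `required` independent signals agree."""
    return sum(trust_signals(sig).values()) >= required


def route_for(sig: NetworkSignals) -> str:
    """'direct' on the corporate LAN, otherwise 'proxy' (fail closed)."""
    return "direct" if is_trusted_network(sig) else "proxy"


# Constructed observations for three situations.
OFFICE = NetworkSignals("10.20.33.41", ["10.0.0.53"], "corp.example.com", "10.20.0.5")
COFFEE_SHOP = NetworkSignals("192.168.1.57", ["192.168.1.1"], "lan", None)
# A hostile network that spoofs the DNS probe and the search domain but
# cannot hand out a corporate address or pose as the corporate resolvers.
SPOOFED = NetworkSignals("192.168.1.57", ["192.168.1.1"], "corp.example.com", "10.20.0.5")

if __name__ == "__main__":
    for name, sig in [("office", OFFICE), ("coffee shop", COFFEE_SHOP), ("spoofed", SPOOFED)]:
        print(f"{name:12s} {trust_signals(sig)} -> {route_for(sig)}")
```

With the threshold at three signals the spoofed network scores two and is still routed through the proxy; lowering the threshold to two would let a rogue DHCP/DNS server on a hotel Wi-Fi switch the client to "direct" and bypass the gateway entirely, which is the failure mode to design against.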





L3 Networker

Hi @reaper 

Depending on the type & implementation of course: I mean that a proxy can hide the source IP of the user. An upstream firewall will see all web traffic originating from the proxy.
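To make the "firewall sees the proxy, not the user" point concrete, here is an added example (not from the original post, and not PAN-OS code or log format) that attributes constructed session records to clients in two deployments: clients reaching the firewall directly, and the same clients behind an explicit proxy. The proxy address and client addresses are hypothetical. Once the proxy is in the path, every session arrives from the proxy's address, and per-user attribution on the upstream firewall survives only if the proxy inserts an X-Forwarded-For header and the firewall can read it (cleartext traffic, or HTTPS it has decrypted). The check a practitioner wants is also shown: believe X-Forwarded-For only when the packet really came from a proxy you control, and only its right-most entry, since a client can put anything it likes in the header before the proxy appends to it.

```python
"""Source-IP attribution with and without an explicit web proxy in the path.

Constructed example; not PAN-OS log format and not any vendor's code.
Addresses are hypothetical.
"""
from collections import Counter
from ipaddress import ip_address
from typing import Optional

PROXY_IP = "10.50.0.10"  # hypothetical address of the explicit web proxy

# Constructed session records as an upstream firewall might see them
# after decryption: (source_ip, destination, X-Forwarded-For header or None).
DIRECT_SESSIONS = [
    ("10.1.1.21", "news.example", None),
    ("10.1.1.22", "news.example", None),
    ("10.1.1.22", "cdn.example", None),
    # A client talking to the firewall directly but forging an XFF header.
    ("10.1.1.99", "news.example", "10.1.1.21"),
]
PROXIED_SESSIONS = [
    ("10.50.0.10", "news.example", "10.1.1.21"),
    ("10.50.0.10", "news.example", "10.1.1.22"),
    ("10.50.0.10", "cdn.example", "10.1.1.22"),
    # The forging client again: the proxy appended the real address after the fake one.
    ("10.50.0.10", "news.example", "10.1.1.21, 10.1.1.99"),
]


def _valid_ip(value: str) -> bool:
    """True if `value` parses as an IPv4/IPv6 address."""
    try:
        ip_address(value.strip())
        return True
    except ValueError:
        return False


def client_of(src_ip: str, xff: Optional[str], trusted_proxies: set) -> str:
    """Return the address the session should be attributed to.

    X-Forwarded-For is believed only when the packet came from a proxy we
    control, and only its right-most entry: that is the one our proxy
    appended, whereas everything to the left of it was supplied by the client.
    """
    if src_ip not in trusted_proxies or not xff:
        return src_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    if not hops or not _valid_ip(hops[-1]):
        return src_ip  # malformed header: fall back to the proxy's address
    return hops[-1]


def attribute(sessions, trusted_proxies: set) -> Counter:
    """Sessions per client, as the firewall would attribute them."""
    return Counter(client_of(src, xff, trusted_proxies) for src, _dst, xff in sessions)


if __name__ == "__main__":
    print("direct:                 ", dict(attribute(DIRECT_SESSIONS, {PROXY_IP})))
    print("proxied, XFF ignored:   ", dict(attribute(PROXIED_SESSIONS, set())))
    print("proxied, XFF from proxy:", dict(attribute(PROXIED_SESSIONS, {PROXY_IP})))
```

The second line of output is what an upstream firewall shows with no X-Forwarded-For handling: one busy source, the proxy, and no way to tell users apart in its logs or apply per-user policy. The third line recovers the same per-client picture as the direct deployment, but only because the header is trusted solely from the proxy's own address.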

Cyber Elite

Hello,

I would keep things simple and use the PAN as your proxy for everything. That way you don't have to look at two devices to try and figure out which device caused the traffic to drop.

 

Regards,
