Web Security Gateway and PaloAlto NGFW

L1 Bithead

Hi, if I have a Palo Alto firewall as a core firewall, should I still use a web gateway for internet access? I have all subscriptions.

L4 Transporter
Palo Alto NGFW does:

1. URL Categorization - you can allow and deny categories or specific URLs

2. SSL Decryption, man-in-the-middle, to allow HTTPS traffic decoding which is critical to enable for item #3

3. Scanning Profiles - Antivirus, AntiSpyware, Vulnerability, Wildfire


Palo Alto NGFW does not act as a proxy-cache and does not hide Users behind it and does not do WAF.


If you can live with the above pros and cons - it is up to you what you choose.


Hope this helps,


@ShaiW wrote:

Palo Alto NGFW does not act as a proxy-cache and does not hide Users behind it and does not do WAF.

Hi @ShaiW, I'm interested to learn what you mean by 'does not hide Users'?

Tom Piens

L2 Linker

Understanding where your end-points are located within the organization is also very important. Due to the current situation, where everyone is working from home, there is a constant threat to end-points that are accessing the corporate resources through VPN/remote access/Citrix.


Now, for internet/private access, the users would need to create a VPN to your environment, which is a waste of bandwidth. This is where a web gateway comes into the picture. A web gateway can be a solution for both your on-prem and off-prem end-points.

It provides protection for all your end-points for port 80/443 traffic (URL filtering, AV, anti-spyware, DLP, threat prevention, etc.) in line with your current security posture (on-prem Palo Alto firewall).


I recently did a web gateway implementation (Zscaler) for a big client with 10000 users. They had a Palo Alto firewall on prem. The gateway was only for the roaming clients. The way we had it set up was: on the company LAN, Zscaler would disconnect automatically and 80/443 traffic would go through the Palo Alto firewall. But if a user is remote on an untrusted network, Zscaler will enforce the traffic through the proxy node and apply all the security policies configured, which ensures that users can't go to any unwanted websites through company-provided laptops.


Your choices for a web gateway solution can be Palo Prisma Access, Zscaler, Netskope, Cisco SecureX.


Hope this helps.

Thanks & Regards,
Varun Rao

Hi @reaper 

Depending on the type & implementation of course: I mean that a proxy can hide the source IP of the user. An upstream firewall will see all web traffic originating from the proxy.


I would keep things simple and use the PAN as your proxy for everything. That way you don't have to look at two devices to try and figure out which device caused the traffic to drop.
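The attribution problem described above (the upstream firewall only logs the proxy's address as the source) is exactly the "two devices" correlation work ShaiW warns about. As an added example that is not part of this thread, the Python below joins constructed firewall and proxy log lines on destination IP and timestamp to recover the originating client and user; the proxy address, the two log formats and their field names are assumptions, and the log lines are constructed sample data.

```python
import csv
import io
from datetime import datetime, timedelta

PROXY_IP = "10.0.0.5"  # assumed address of the on-prem web proxy

# Constructed sample logs (not real data).
# Firewall: ts,src,dst,dport,action  -- proxied flows all show src = PROXY_IP
FIREWALL_LOG = """\
2024-03-01T10:00:01,10.0.0.5,203.0.113.10,443,allow
2024-03-01T10:00:03,10.0.0.5,198.51.100.7,443,deny
2024-03-01T10:00:09,10.0.2.44,203.0.113.10,443,allow
"""
# Proxy access log: ts,client,user,dst,url -- the only place the real client is recorded
PROXY_LOG = """\
2024-03-01T10:00:01,10.0.1.21,alice,203.0.113.10,https://example.com/
2024-03-01T10:00:02,10.0.1.33,bob,198.51.100.7,https://bad.example/
"""


def parse(text, fields):
    """Parse a CSV log into dicts, converting the timestamp column to datetime."""
    rows = []
    for row in csv.DictReader(io.StringIO(text), fieldnames=fields):
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def attribute(fw_log, proxy_log, window=timedelta(seconds=2)):
    """Attach the real client/user to each firewall row.

    Rows whose source is the proxy are matched against proxy-log entries with
    the same destination IP and the closest timestamp within `window`.
    Non-proxied flows keep their own source as the client and get user=None.
    """
    fw = parse(fw_log, ["ts", "src", "dst", "dport", "action"])
    px = parse(proxy_log, ["ts", "client", "user", "dst", "url"])
    out = []
    for f in fw:
        if f["src"] != PROXY_IP:
            out.append({**f, "client": f["src"], "user": None})
            continue
        cands = [p for p in px
                 if p["dst"] == f["dst"] and abs(p["ts"] - f["ts"]) <= window]
        best = min(cands, key=lambda p: abs(p["ts"] - f["ts"]), default=None)
        out.append({**f, "client": best["client"] if best else None,
                    "user": best["user"] if best else None})
    return out
```

The second firewall row (a deny) is the one an analyst would care about: without the proxy log it is attributable only to 10.0.0.5, with it the join names bob's workstation.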
