Palo Alto NGFW does:
1. URL Categorization - you can allow and deny categories or specific URLs
2. SSL Decryption, man-in-the-middle, to allow HTTPS traffic decoding which is critical to enable for item #3
3. Scanning Profiles - Antivirus, AntiSpyware, Vulnerability, Wildfire
Palo Alto NGFW does not act as a proxy-cache and does not hide Users behind it and does not do WAF.
If you can live with the above pros and cons - it is up to you what you choose.
Hope this helps,
Understanding the where your end-points are located within the organization is also very important. Due to the current situation, where everyone is working from home, there is a constant threat to end-points that are accessing the corporate resources through VPN/remote access/Citrix.
Now, for internet/private access, the users would need to create a VPN to your environment which is a waste of bandwidth. This where a web gateway comes into picture. A web gateway can be a solution for both your on-prem or off-prem end-points.
It provides protection for all your end-points for port 80/443 traffic (URL-filtering, AV, Anti-spyware, DLP, threat prevention etc.) inline with your current security posture (on-prem Palo alto firewall)
I recently did a web gateway implementation (Zscaler) for a big client with 10000 users. They had Palo alto firewall on prem. The gateway was only for the roaming clients. The way we had it setup was, on the company LAN, Zscaler would disconnect automatically and 80/443 traffic would go through the palo-alto firewall. But if a user is remote on untrusted network Zscaler will enforce the traffic through the proxy node and apply all the security policies configured, which ensures that users can't go to any unwanted websites through company provided laptops.
Your choices for web-gateway solution can be Palo Prisma access, Zscaler, Netskope, Cisco secureX
Hope this helps.
Depending on the type & implementation of course: I mean that a proxy can hide the source IP of the user. An upstream firewall will see all web traffic originating from the proxy.
I would keep things simple and use the PAN as your proxy for everything. That way you dont have to look at two devices to try and figure out which device caused the traffic to drop.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!