Websense, WCCP, ETC.


Not applicable

We have an ASA that has a Websense connector that allows us to route Websense requests back to the Cisco firewall. I would love to replace it with your product. Does the Palo Alto have any functionality like this?

1 accepted solution

Accepted Solutions

L4 Transporter

No, we don't currently have a way to route web requests from a Palo Alto Networks firewall to a Websense device for URL categorization. What we can do is offer to replace both the Websense and ASA devices via BrightCloud URL database running on the Palo Alto Networks firewall.

Alfred


I have a similar config now using Juniper firewalls at branch offices. The branch offices only have 2 to 3 users so it doesn't make sense to deploy URL filtering to each location; however, Websense allows me to point my branch firewall to the central Websense server for URL filtering. The request travels across a dedicated T1 only for authorization, after which the remainder of the web session (if allowed) will go out the local cable connection. Does the Palo Alto have a branch location agent that will accomplish this? I would be willing to ditch my Websense if I could get this done.

We don't have a branch location agent. The traffic would need to traverse the PAN device in order to use the URL filtering.

"2-3 users at branch office location" is the perfect use-case for PAN Global Protect.

There are various options for "network security" at a remote office location, but a basic business-DSL modem and basic packet filtering firewall would suffice (the price is right). Once in place, use PAN Global Protect on all client machines -- all traffic will be routed through the nearest PAN gateway and subject to all user resolution, security policy, threat, URL filtering, etc. (with the added benefit of client interrogation for "HIP profile" that can be used in security policy -- example: if the HIP profile doesn't meet criteria X-Y-Z, you can have a policy that would not allow the machine to access server-subnet/database/etc.).

The problem is that all traffic would be routed to the PA. In my situation, I want the policies to apply to traffic that traverses the local Internet. So if a user at a branch site goes to a webpage, I would expect the global connect software to reference the Global gateway for policies, and depending on those policies either allow the traffic to flow out the local Internet or not. If I have to force all my traffic back to the Palo Alto, why not just tack up a VPN and force all traffic through it?

This can be a choice: VPN without split tunnel. All traffic goes from the remote office to the central site for inspection and filtering. You save devices/licenses and add the unique apps control, but the required bandwidth is double that of the stand-alone case.

This is a test I want to do with ASA 5505 <--> PA-2050, checking whether PAN is capable of doing routing & inspection on the same interface (ASA can't do)

Another solution could be Firewall as a Service. A virtual firewall (PA 2000+ can do that) in the central site is used as the branch office firewall; a crypto (IPsec) or private connection (MPLS / own fiber) is needed.

@zanobis: what do you really mean when you say "routing and inspection in the same interface"? Every firewall is basically a router and I can't imagine a firewall that can inspect without routing the packets...

Could you show me a link where Cisco says they can't do inspection and routing on the same interface?

Thanks
