Websense, WCCP, ETC.

Not applicable

We have an ASA that has a websense connector that allows us to route websense requests back to the cisco firewall. I would love to replace it with your product. Does the Palo Alto have any functionality like this?

Accepted Solutions
L4 Transporter

No, we don't currently have a way to route web requests from a Palo Alto Networks firewall to a websense device for url categorization. What we can do is offer to replace both the Websense and ASA devices via BrightCloud URL database running on the Palo Alto Networks firewall.

Alfred

L1 Bithead

I have a similar config now using Juniper firewall at branch offices. The branch offices only have 2 to 3 users so it doesn't make sense to deploy URL filtering to each location, however, the websense allows me to point my branch firewall to the central websense server for URL filtering. The request travels across a dedicated t1 only for authorization, after which the remainder of the web session (if allowed) will go out the local cable connection. Does the Palo Alto have a branch location agent that will accomplish this? I would be willing to ditch my websense if I could get this done.

L5 Sessionator

We don't have a branch location agent. The traffic would need to traverse the PAN device in order to use the URL filtering.

L2 Linker

"2-3 users at branch office location" is the perfect use-case for PAN Global Protect.

There are various options for "network security" at remote office location, but a basic business-DSL modem and basic packet filtering firewall would suffice (the price is right). Once in place, use PAN Global Protect on all client machines -- all traffic will be routed through nearest PAN gateway and subject to all user resolution, security policy, threat, URL filtering, etc (with added benefit of client interrogation for "HIP profile" that can be used in security policy -- example: if HIP profile doesn't meet criteria X-Y-Z, you can have policy that would not allow machine to access server-subnet/database/etc).

L1 Bithead

The problem is that all traffic would be routed to the PA. In my situation, I want the policies to apply to traffic that traverses the local internet. So if a user at a branch site goes to a webpage, I would expect the global connect software to reference the Global gateway for policies, and depending on those policies either allow the traffic to flow out the local internet or not. If I have to force all my traffic back to the Palo Alto, why not just tack up a VPN and force all traffic through it?

Not applicable

This can be a choice, VPN without split tunnel. All traffic from the remote office to the central site for inspection and filtering. You save devices/licenses and add the unique apps control but the required bandwidth is double that of the stand-alone case.

This is a test I want to do with ASA 5505 <--> PA-2050 controlling if PAN is capable to do routing & inspection in the same interface (ASA can't do)

Another solution could be Firewall as a Service. Virtual Firewall (PA 2000+ can do that) in central site used as branch office firewall, a crypto (IPSEC) or private connection (MPLS / own fiber) is needed.

L0 Member

@zanobis: what do you really mean when you say "routing and inspection in the same interface"? Every firewall is basically a router and I can't imagine a firewall that can inspect without routing the packets...

Could you show me a link where Cisco says they can't do inspection and routing on the same interface?

Thanks
