01-24-2019 03:58 AM
I am looking for PA with proxy scenario deployment as best practice and use caching of proxy with PA features.
03-12-2019 01:14 PM
Hello,
Could you provide a little bit more context around what you are trying to accomplish?
Are you interested in caching responses to HTTP requests from internal users? Or are you looking to deploy a caching solution in front of a web server sitting behind a Palo Alto firewall?
Thank you,
-JeffH
Jeff Hochberg | Sr. Systems Engineer - Technical Business Development
Palo Alto Networks | Atlanta, GA | USA
Mobile: 404.432.1112 | www.paloaltonetworks.com
The content of this message is the proprietary and confidential property of Palo Alto Networks and should be treated as such. If you are not the intended recipient and have received this message in error, please delete this message from your computer system and notify me immediately by reply e-mail. Any unauthorized use or distribution of the content of this message is prohibited.
03-12-2019 02:33 PM
Hi,
I am looking for two scenarios:
1- Proxy located in LAN (inside network) for caching and URL filtering and integrated with an Active Directory, then PA for remaining security.
2- Proxy located behind the PA FW.
03-12-2019 04:20 PM
Ayman,
Thank you for the additional context.
Candidly, it's difficult to recommend any "best practices" here because of what's lost by deploying a proxy between the users and the firewall.
Out of curiosity, why would you not leverage the URL-Filtering and User-ID capabilities present in the firewall? In doing so, you are able to leverage Active Directory authentication and authorization for per-rule enforcement.
You would greatly simplify your environment and have a lot more visibility from one location if you collapsed these functions into the firewall.
Not to mention, if you're looking to take advantage of the inspection capabilities within PAN-OS, by deploying a proxy behind the firewall, you lose the ability to leverage SSL-Decryption. Given the vast majority of HTTP traffic is SSL encrypted, all of that traffic would pass through the firewall and not be inspected.
And, unless the proxy supports WCCP (or similar), the firewall logs would show all outbound access coming from the egress IP address on the proxy server.
The only advantage I see in deploying a proxy is in taking advantage of caching for increased performance - I don't know that the performance gain is worth the sacrifices made to the overall security posture.
Jeff Hochberg | Sr. Systems Engineer - Technical Business Development
Palo Alto Networks | Atlanta, GA | USA