This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Has anyone configured and tested the new functionality within Pan OS 11.0 Web Proxy in Transparent mode?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Has anyone configured and tested the new functionality within Pan OS 11.0 Web Proxy in Transparent mode?

Go to solution
AkashThangavel
L3 Networker

‎05-13-2024 02:06 AM

Hi team,

I've set up the Web proxy in transparent mode, but I'm unsure of its functioning. Our Palo Alto device doesn't support WCCP and only allows Inline mode deployment. With only the admin guide available for reference and study, I may be the sole individual who has done this. Particularly, I'm uncertain about the D-NAT aspect of transparent proxy mode, as the DNS-Proxy isn't functioning. If anyone has experience with this configuration, I'd greatly appreciate assistance on how to test it effectively.

 

I will share few logs and DNAT policy for reference

AkashThangavel_0-1715591008571.png

D-NAT for Proxy deployment
-------------------------------------------------------------------------------
AkashThangavel_1-1715591098465.png
NAT Applied, DNS port 53 changed to 8080 and the traffic started DROP in the firewall itself.

Furthermore, the actual traffic is being directly routed from the LAN to the WAN, bypassing the proxy entirely. What steps can be taken to ensure that traffic is routed from the LAN to the proxy and then onward to the WAN?

 

regards,

Akash Thangavel

Network Security Engineer



Akash Thangavel, Network Security Engineer
0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
AkashThangavel
L3 Networker

‎05-22-2024 11:29 AM

TAC provided me the solution,

 

This is for the future reference, if anyone encounter issues, when trying the web proxy in transparent mode as per the incorrect instructions in the admin guide, refer to this information.

AkashThangavel_0-1716401854625.png

But the actually D-NAT should be like,

AkashThangavel_2-1716401993359.png

Traffic coming from client and going to Internet/web-server, needs to be send to Transparent proxy hence source zone would be client zone and dest zone would be Internet/web zone, not a PROXY zone. Also, For LAN to WAN, SSL traffic is routed to the PROXY zone using D-NAT, and then from PROXY to WAN, it is routed to the internet. In this process, the source and destination IPs remain the same in the traffic.

 

regards,

Akash Thangavel

Akash Thangavel, Network Security Engineer

View solution in original post

3 REPLIES 3

Go to solution
AkashThangavel
L3 Networker

‎05-22-2024 11:29 AM

TAC provided me the solution,

 

This is for the future reference, if anyone encounter issues, when trying the web proxy in transparent mode as per the incorrect instructions in the admin guide, refer to this information.

AkashThangavel_0-1716401854625.png

But the actually D-NAT should be like,

AkashThangavel_2-1716401993359.png

Traffic coming from client and going to Internet/web-server, needs to be send to Transparent proxy hence source zone would be client zone and dest zone would be Internet/web zone, not a PROXY zone. Also, For LAN to WAN, SSL traffic is routed to the PROXY zone using D-NAT, and then from PROXY to WAN, it is routed to the internet. In this process, the source and destination IPs remain the same in the traffic.

 

regards,

Akash Thangavel

Akash Thangavel, Network Security Engineer

Go to solution
Yoekleng.Kuy
L0 Member

‎11-23-2024 09:16 PM

I have test too but follow your NAT reference, it does not, can you share me the security policy and decryptions policy too?

 

0 Likes Likes

Go to solution
AkashThangavel
L3 Networker
In response to Yoekleng.Kuy

‎11-25-2024 10:09 PM

Please check this following reference,

 

Security Policy,

AkashThangavel_0-1732601142067.png

Decryption policy I don't have screenshot.

 

LOGS

AkashThangavel_1-1732601368093.png

 

 

 

Akash Thangavel, Network Security Engineer
(1)
  • 1 accepted solution
  • 1526 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks