Has anyone configured and tested the new functionality within Pan OS 11.0 Web Proxy in Transparent mode?


L3 Networker

Hi team,

I've set up the Web proxy in transparent mode, but I'm unsure of its functioning. Our Palo Alto device doesn't support WCCP and only allows Inline mode deployment. With only the admin guide available for reference and study, I may be the sole individual who has done this. Particularly, I'm uncertain about the D-NAT aspect of transparent proxy mode, as the DNS-Proxy isn't functioning. If anyone has experience with this configuration, I'd greatly appreciate assistance on how to test it effectively.

I will share a few logs and the DNAT policy for reference.

AkashThangavel_0-1715591008571.png

D-NAT for Proxy deployment
-------------------------------------------------------------------------------
AkashThangavel_1-1715591098465.png
NAT applied; DNS port 53 was changed to 8080 and the traffic started to DROP in the firewall itself.

Furthermore, the actual traffic is being directly routed from the LAN to the WAN, bypassing the proxy entirely. What steps can be taken to ensure that traffic is routed from the LAN to the proxy and then onward to the WAN?
regards,

Akash Thangavel

Network Security Engineer



Akash Thangavel, Network Security Engineer
3 Replies

L3 Networker

TAC provided me with the solution.

This is for future reference: if anyone encounters issues when trying the web proxy in transparent mode as per the incorrect instructions in the admin guide, refer to this information.

AkashThangavel_0-1716401854625.png

But the actual D-NAT should be like this:

AkashThangavel_2-1716401993359.png

Traffic coming from the client and going to the Internet/web server needs to be sent to the transparent proxy, hence the source zone would be the client zone and the destination zone would be the Internet/web zone, not the PROXY zone. Also, for LAN to WAN, SSL traffic is routed to the PROXY zone using D-NAT, and then from PROXY to WAN it is routed to the internet. In this process, the source and destination IPs remain the same in the traffic.

 

regards,

Akash Thangavel

Akash Thangavel, Network Security Engineer
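An added illustration, not from this thread and not Palo Alto code: a toy Python model of how a zone-based firewall matches a destination NAT rule on pre-NAT zones (the destination zone comes from a route lookup on the original destination IP, and only the security policy sees the post-NAT zone). Zone names, prefixes, the proxy address and the packets are constructed; it shows why a rule written to the PROXY zone never matches client-to-internet traffic, which then bypasses the proxy as described above.

```python
# Added example (not from the thread or from Palo Alto): a toy model of how a
# zone-based firewall evaluates a destination NAT rule. NAT rules match on the
# PRE-NAT zones: the destination zone is found by a route lookup on the packet's
# ORIGINAL destination IP, so a client-to-internet flow always arrives as
# LAN -> WAN, never LAN -> PROXY. All zones, prefixes and addresses are constructed.
import ipaddress

# Constructed routing table: prefix -> egress zone. Longest prefix wins.
ROUTES = {
    "192.168.10.0/24": "LAN",
    "10.99.0.0/24": "PROXY",   # where the transparent proxy listens
    "0.0.0.0/0": "WAN",
}
PROXY_IP = "10.99.0.10"  # constructed address of the proxy interface

def zone_for(ip):
    """Longest-prefix route lookup: returns the zone an IP is routed towards."""
    addr = ipaddress.ip_address(ip)
    best = max((ipaddress.ip_network(p) for p in ROUTES if addr in ipaddress.ip_network(p)),
               key=lambda n: n.prefixlen)
    return ROUTES[str(best)]

def apply_dnat(rule, pkt):
    """Match a DNAT rule against the packet's pre-NAT zones and destination port.
    Returns the (possibly translated) packet and whether the rule matched."""
    src_zone = zone_for(pkt["src"])
    dst_zone = zone_for(pkt["dst"])          # pre-NAT: original destination IP
    if (src_zone, dst_zone) != (rule["from"], rule["to"]) or pkt["dport"] not in rule["ports"]:
        return pkt, False
    translated = dict(pkt, dst=rule["dnat_to"])  # source IP is left untouched
    return translated, True

# Wrong variant (destination zone PROXY) vs. the corrected one (destination zone WAN).
RULE_WRONG = {"from": "LAN", "to": "PROXY", "ports": {80, 443}, "dnat_to": PROXY_IP}
RULE_TAC   = {"from": "LAN", "to": "WAN",   "ports": {80, 443}, "dnat_to": PROXY_IP}

def path(rule, pkt):
    """Return (matched, post-NAT destination zone) for a packet under a rule."""
    out, matched = apply_dnat(rule, pkt)
    return matched, zone_for(out["dst"])

CLIENT_HTTPS = {"src": "192.168.10.25", "dst": "203.0.113.7", "dport": 443}  # constructed
CLIENT_DNS   = {"src": "192.168.10.25", "dst": "203.0.113.53", "dport": 53}   # constructed

if __name__ == "__main__":
    print("wrong rule:", path(RULE_WRONG, CLIENT_HTTPS))  # (False, 'WAN'): bypasses proxy
    print("TAC rule:  ", path(RULE_TAC, CLIENT_HTTPS))    # (True, 'PROXY')
    print("DNS:       ", path(RULE_TAC, CLIENT_DNS))      # (False, 'WAN'): DNS not redirected
```

Restricting the rule to TCP 80/443 is the model's assumption; it keeps DNS out of the redirect, which is the symptom the original post hit when port 53 was translated to 8080.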

L0 Member

I have tested it too, following your NAT reference, but it does not work. Can you share with me the security policy and the decryption policy too?

Please check the following reference:

Security Policy:

AkashThangavel_0-1732601142067.png

Decryption policy: I don't have a screenshot.


LOGS

AkashThangavel_1-1732601368093.png

Akash Thangavel, Network Security Engineer
  • 1 accepted solution
  • 1703 Views
  • 3 replies
  • 0 Likes