Prisma explicit proxy for on-premises servers?


L2 Linker

Hi Palo experts!

Do you know if Prisma explicit proxy can be used for on-prem servers' internet access?

I have a few small sites with two segments: remote networks (for users) and a server subnet (which is reachable via service connection from Prisma MU).

I do not have an interconnect license, nor an on-prem proxy to be used.

Do you think it's possible to use explicit proxy in this case to let servers access the internet with Prisma Access policies?

 

Kind Regards,

Kasper

4 REPLIES

L6 Presenter

You can, but you will need to use Kerberos for your servers (Kerberos Authentication for Explicit Proxy Deployments), as it is what Palo Alto recommends for authenticating your servers to the Prisma Access explicit proxy. The supported authentication is the issue with Prisma Access for non-web-browser users.

Still, if that is not an option, then you may need to deploy a Palo Alto firewall in one location and maybe steer the outbound server Internet traffic to that location with VPN tunnels to the firewall (2 FWs in HA active/standby), so that it exits from the firewall after being checked. This way you will not need to deploy firewalls in all locations, and as in most cases only software and app updates on the servers will generate internet traffic, it shouldn't be that much.

L6 Presenter

Also, I forgot to mention: if you don't want authentication but just want to trust and decrypt the server traffic based on IP addresses, then see the options below, but if possible source the server traffic from a specific dedicated public IP address:

How Explicit Proxy Identifies Users

Set Up Explicit Proxy

Thank you Nikoolayy1,

 

I have a PAN220 at every site, which is not a problem, but I have no security licenses there.

Thus I do not want to open all traffic from the servers to the internet, but to use Prisma instead.

Servers will be in the "SC" network, not "RN".

I saw in Palo documents that the connection from the LAN to the explicit proxy should use the RN tunnel.

I'm afraid of the Kerberos authentication issues - I have no idea what apps will be used on the servers.

At the moment, the only solution I can imagine is a web proxy (squid?) in a "Prisma RN enabled LAN", configured on the servers (for apps that support a proxy), and static internet access policies for the ones that do not support it (I would need to know the destination).

 

Kind Regards,

Kacper

 

L6 Presenter

Sorry, but I think you need to dig deeper and test things. I also shared in my second post that you can use trusted source IP addresses, which does not need Kerberos; also, an SPN connection can host servers as well, as mentioned in Can the internal DNS server be behind SPN not a CAN?
