About keklund

keklund · ‎03-28-2012

No - you've got it pretty clearly - thanks! Now I just need to work out which is the lesser of all those evils. I may split the difference - PBF for students/unknown users through a transparent proxy (all traffic), while staff/teachers have normal access. There are some testing/assessment sites that I wouldn't want to go through the proxy, but I have those as actual IP addresses so making that exception would be easy. Ideally PA would just get URL-rewrite in the PanOS, and that would solve this for me. The word I have through my vendor is they are hoping to add forced safesearch to a release late this year. Hopefully that opens up more generic rewrite capability.

keklund · ‎03-28-2012

Thanks for the info. We are looking into generating a user-id event against AD as workaround for this. This is for iPads primarily we are thinking a custom app that generates an LDAP login - "logout" would be changing the user-id to a user with no rights.

keklund · ‎03-27-2012

Yeah - I was afraid the FQDN was not going to resolve on the fly. I thought they had a refresh mechanism for this now, but it may not have been actual address objects I was thinking of. I could require all clients to setup a forward proxy, but I'm trying to make this transparent to the end users (not all of the clients are under AD control). Plus I'd have to deal with all the traffic going to the proxy, which I don't want, just youtube. I'm liking the idea of a dns-resolver pointing to the proxy. Why would there be a caveat of worrying about setting YouTube IPs in the proxy? Only traffic looking for *.youtube.com would hit the proxy, and the proxy should be able to handle the lookups normally to provide the content. Or am I not understanding it correctly? Would I be able to accomplish this on the PA itself, or just through setting my internal DNS servers to resolve the youtube.com domain? Thanks!

keklund · ‎03-27-2012

Working on an idea to allow a manner of login/logout for users coming through captive portal auth. On a system that may or may not be identified on the back-end, I can load the captive portal page URL manually and set/change the user-id. When I try to load the page again, I only get a blank page - is there a URL I can load to generate a 'logout' or ID clear event, or at least some way to force the captive portal to load again so users can enter a dummy 'logout' user?

keklund · ‎03-27-2012

Since URL-Rewrite is still not an option in PanOS (I think only recently they announced that it may be on the roadmap), I've been investigating ways to redirect YouTube traffic to an external proxy server that supports rewrite. I need to do this to implement the new Youtube for Schools service. Wondering if this is a workable scenario: - Setup an address object group using FQDNs of youtube servers (IPs would be hopeless) - Setup PBF to redirect traffic to this address group out an interface (or just next-hop externally) that passes traffic through an inline proxy that does the required URL rewrite Worth the trouble to set it up?

Member Since	‎08-04-2009 08:43 PM
Date Last Visited	‎02-09-2021 10:39 AM
Posts	13
Total Likes Received	1

Online Status	Offline
Date Last Visited	‎02-09-2021 10:39 AM

About keklund

Are used PA 'for-sale' posts permitted

Re: Need help with Enterasys NAC/NMS and PaloAlto UserID

Need help with Enterasys NAC/NMS and PaloAlto UserID

Need help with Enterasys NAC/NMS and PaloAlto UserID

Re: Youtube Edu

URL Rewrite - any update in new PanOS 4.1?

Re: PBF for YouTube Redirect to external proxy?

Re: Captive Portal page to load when user-id is known?

Re: PBF for YouTube Redirect to external proxy?

Captive Portal page to load when user-id is known?

PBF for YouTube Redirect to external proxy?