This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About tomimma
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About tomimma
07-28-2022
9Posts
0Likes
0Solutions
Jul 28, 2022Last Visited
User
Activity
User
Profile
Latest posts by tomimma
| Subject | Views | Posted |
|---|---|---|
| 1903 | 01-24-2013 06:20 AM | |
| 2494 | 01-23-2013 02:32 AM | |
| 2494 | 01-23-2013 01:21 AM | |
| 2494 | 01-23-2013 12:25 AM | |
| 3044 | 01-22-2013 11:59 PM | |
| 4797 | 01-22-2013 12:59 AM | |
| 3044 | 01-22-2013 12:51 AM | |
| 3285 | 01-21-2013 11:35 AM |
User Badges
Community Statistics
| Member Since | 12-05-2012 02:29 AM |
| Date Last Visited | 07-28-2022 04:52 PM |
| Posts | 9 |
01-24-2013
06:20 AM
Thanks, I am not sure if these solutions are feasible for my real situation though... It looks like it is acting more likely as "transparent", that is all to me.
... View more
01-23-2013
02:32 AM
Hi Mikand, I think I am getting closer to understand your explanation very clearly... but I need to clarify a few things, hope you don't mind. (1) Keepsource=yes Are we talking about "X-Forwarded-For" in HTTP header? or you simply meant a proxy can do keep clients IP as the original souce-ip when it sends packets to internet? The customer's proxy is ISA. But I am testing with Squid. How can I enable it in case of the latter case for ISA and Squid? (2) It can be reachable via management interface. Does this work?
... View more
01-23-2013
01:21 AM
Hi Mikand, and by that configure your proxy to keepsource=yes and also allow PaloAlto to communicate with PAN-agent through your proxy (unless your PAN-agent is reachable over mgmt-interface). In this case the PaloAlto will do the SNAT. ↑ I am not sure exactly what the above means... Are you referring to the specific proxy server model? Also, PAN-OS is 5.x which doesn't use an external PAN-agent. How does it work in that case?
... View more
01-23-2013
12:25 AM
Hi Skrall, Very clear explanation! Thank you. I guess there will be always a obstacle when you deploy a proxy server with PA... Of course, the best solution is not using proxy and let PA handle everything, but many companies request to use a proxy server...
... View more
01-22-2013
11:59 PM
Yes, this proxy is requirement, unfortunately...
... View more
01-22-2013
12:59 AM
Hi skrall, Just curious about your comment. Hope you don't mind if I ask this... ------------------------------------------------------------ If you are asking about: [User]-------[PaloAlto]-------[Proxy]------(internet) Then we will see the actual user and all applications destined for the internet. --------------------------------------------------------------------------- In the above design, the proxy will be standard forward proxy. (That means it is none-transparent) In this case, can PA still recognize a client's web access request and shows final destination-ip on internet? I thought, since user's web request goes through this proxy server, destination-ip will be recognized as ip address of proxy server...
... View more
01-22-2013
12:51 AM
Hi mikand, First of all, thanks for your comment. Actually, in this particular situation in one of my customers, I am looking for the solution with (1). Also, more detailed physical connection is below: [Clients] --- [PAN(vwmode)] --- [Proxy] --- [FW(NonePAN)] --- (Internet) As you can guess, PAN is not placed yet. That is why there is an existing FW (Not PA), and PAN will be placed between clients and the proxy server using virtual-wire mode. In addition, the proxy is none-transparent. The idea is not replacing the existing firewall. Instead placing PAN in the above deisgn and control user web access using user-id and app-id as well as web filtering in PAN. (The proxy is working as just cache server, and web filtering is not enabled on this server.) In this scenario, can PAN recognize destination-ip from a client as (A) the destination server on internet, or just (B) the ip of proxy server? My guess is (B), since web browser of client is explicitly configured the ip address of this proxy server...
... View more
01-21-2013
11:35 AM
Hi All, I think this topic has been discussed in the past, but I want to be clear about this deployment since web proxy server design is still typical in many customer's live network. So please allow me to bring this again. 2 basic deployments are mentioned in the past. These deployments are: (1) Place PAN between users and a proxy server. It would be like, for example: [Clients] -- [PAN] -- [Proxy] -- [Internet] (One of the recommended designs is placing a proxy server in a separate interface of PAN as a typical DMZ design.) But, let's assume the above simple design. PA could be either L3 or vwire mode. (2) Place PAN between a proxy server and internet. It would be like, for example: [Client] -- [Proxy] -- [PAN] -- [Internet] Now, my questions are: << In case of (1) scenario >> With this design, source web traffic comes from actual client and goes through PAN, so PAN can identify source user-id. What about destination IP and app-id? Clients' web browser are actually pointing to the proxy server and the session to an external web server in Internet is initiated from this web proxy server. Does that mean all destination IPs will be the IP address of this proxy server? What about app-id to be identified? Will it be "web-proxy" for all traffic from clients? << In case of (2) scenario >> From the past posts, the nature of this design can cause a problem, because all web access are coming from the web proxy server. That means PAN can't identify original source IP addresses of clients. The solution is enable "X-Forwarded-For" option in both web proxy server and PAN. With "X-Forwarded-For" solution, PAN can identify original source IP address from clients since the original source IP is included in HTTP header. My question is what about user-id? Can PAN map user-id based on this "X-Forwarded-For" feature, so that you can identify both original source IP and user-id? Any comment is appreciated. Thanks in advance, Tomimma
... View more
Labels:
- Labels:
-
App-ID
-
Networking
-
User-ID
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
07-28-2022
04:52 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks