The availability of proxy configuration options is based
on the proxy type. You must first configure a DNS proxy object to
configure a proxy.
Proxy Fields
Description
Proxy Enablement
Proxy Type
Select the type of proxy you want to use.
None—The proxy is deactivated.
Explicit—Configure the proxy so that
the request contains the destination IP address of the configured
proxy and the client browser sends requests to the proxy directly.
Transparent—Configure the proxy so that
the request contains the destination IP address of the web server
and the client browser is redirected to the proxy.
Transparent Proxy requires a specific Destination NAT (DNAT) policy rule to successfully
configure the web proxy. Refer to the PAN-OS Networking Administrator’s
Guide documentation for the complete procedure.
Palo Alto Networks Service Proxy—Configure the proxy to forward
communications from firewalls in the downstream network to
destinations in the upstream network. The firewall can act
as a single proxy or as one in a series of proxies.
This proxy mode is supported on
PA-1400, PA-3400, VM-300, VM-500, and VM-700 firewalls
running PAN-OS 11.0.1-h2 or later. To enable a firewall to
support this proxy type and display it as an option here,
enter the following CLI command and then reboot your firewall:
    set system setting paloalto-networks-service-proxy on
Proxy Configuration
Connect Timeout
Specify (in seconds) how long the proxy
waits for a response from the web server. The range is 1–60 seconds
and the default is 5 seconds. If there is no response after the
specified amount of time has elapsed, the proxy closes the connection.
Listening Interface (Explicit Proxy only)
Specify the Layer 3 (L3) interface where
the firewall checks for traffic to reroute to the proxy.
Upstream Interface
Select the upstream interface.
If you are using a loopback interface, specify that interface as the Upstream Interface.
Proxy IP
Specify the IP address of the interface
where the firewall should check for traffic to reroute to the proxy (listening
interface).
DNS Proxy
Select the DNS proxy object you want
to use for the proxy connection.
Check domain in CONNECT & SNI are the same (Explicit Proxy only)
Enable this option to prevent domain fronting attacks
caused by specifying different domains between the CONNECT request
and the Server Name Indication (SNI) field in the HTTP header.
Authentication service type (Explicit Proxy only)
Select the type of service you want to use
to authenticate users.
SAML/CAS—Use a SAML 2.0 based authentication service
or the authentication service available in the Cloud Identity Engine.
This option requires Prisma Access, the Cloud Services 3.2.1 plugin,
and the add-on web proxy license.