Document:PAN-OS® Networking Administrator’s Guide

Configure Explicit Proxy

Filter

Networking
- Networking Introduction
Configure Interfaces
- Tap Interfaces
- Virtual Wire Interfaces
- Layer 2 Interfaces
- Layer 3 Interfaces
  - Configure Layer 3 Interfaces
  - Manage IPv6 Hosts Using NDP
- Configure a PPPoE Client on a Subinterface
- Configure an Aggregate Interface Group
- Configure Bonjour Reflector for Network Segmentation
- Use Interface Management Profiles to Restrict Access
Virtual Routers
- Virtual Router Overview
- Configure Virtual Routers
Service Routes
- Service Routes Overview
- Configure Service Routes
Static Routes
- Static Route Overview
- Static Route Removal Based on Path Monitoring
- Configure a Static Route
- Configure Path Monitoring for a Static Route
RIP
- RIP Overview
- Configure RIP
OSPF
- OSPF Concepts
- Configure OSPF
- Configure OSPFv3
- Configure OSPF Graceful Restart
- Confirm OSPF Operation
BGP
- BGP Overview
- MP-BGP
- Configure BGP
- Configure a BGP Peer with MP-BGP for IPv4 or IPv6 Unicast
- Configure a BGP Peer with MP-BGP for IPv4 Multicast
- BGP Confederations
IP Multicast
- IGMP
- PIM
- Configure IP Multicast
- View IP Multicast Information
Route Redistribution
- Route Redistribution Overview
- Configure Route Redistribution
GRE Tunnels
- GRE Tunnel Overview
- Create a GRE Tunnel
DHCP
- DHCP Overview
- Firewall as a DHCP Server and Client
- Firewall as a DHCPv6 Client
- DHCP Messages
- DHCP Addressing
  - DHCP Address Allocation Methods
  - DHCP Leases
- DHCP Options
- Configure an Interface as a DHCP Server
- Configure an Interface as a DHCPv4 Client
- Configure an Interface as a DHCPv6 Client with Prefix Delegation
- Configure the Management Interface as a DHCP Client
- Configure an Interface as a DHCP Relay Agent
- Monitor and Troubleshoot DHCP
DNS
- DNS Overview
- DNS Proxy Object
- DNS Server Profile
- Multi-Tenant DNS Deployments
- Configure a DNS Proxy Object
- Configure a DNS Server Profile
- Configure a Web Proxy
- Use Case 1: Firewall Requires DNS Resolution
- Use Case 2: ISP Tenant Uses DNS Proxy to Handle DNS Resolution for Security Policies, Reporting, and Services within its Virtual System
- Use Case 3: Firewall Acts as DNS Proxy Between Client and Server
- DNS Proxy Rule and FQDN Matching
DDNS
- Dynamic DNS Overview
- Configure Dynamic DNS for Firewall Interfaces
NAT
- NAT Policy Rules
- Source NAT and Destination NAT
- NAT Rule Capacities
- Dynamic IP and Port NAT Oversubscription
- Dataplane NAT Memory Statistics
- Configure NAT
- NAT Configuration Examples
NPTv6
- NPTv6 Overview
  - Unique Local Addresses
  - Reasons to Use NPTv6
- How NPTv6 Works
- NDP Proxy
- NPTv6 and NDP Proxy Example
- Create an NPTv6 Policy
NAT64
- NAT64 Overview
- IPv4-Embedded IPv6 Address
- DNS64 Server
- Path MTU Discovery
- IPv6-Initiated Communication
- Configure NAT64 for IPv6-Initiated Communication
- Configure NAT64 for IPv4-Initiated Communication
- Configure NAT64 for IPv4-Initiated Communication with Port Translation
ECMP
- ECMP Load-Balancing Algorithms
- Configure ECMP on a Virtual Router
- Enable ECMP for Multiple BGP Autonomous Systems
- Verify ECMP
LLDP
- LLDP Overview
- Supported TLVs in LLDP
- LLDP Syslog Messages and SNMP Traps
- Configure LLDP
- View LLDP Settings and Status
- Clear LLDP Statistics
BFD
- BFD Overview
- Configure BFD
- Reference: BFD Details
Session Settings and Timeouts
- Transport Layer Sessions
- TCP
- UDP
- ICMP
  - Security Policy Rules Based on ICMP and ICMPv6 Packets
  - ICMPv6 Rate Limiting
- Control Specific ICMP or ICMPv6 Types and Codes
- Configure Session Timeouts
- Configure Session Settings
- Session Distribution Policies
  - Session Distribution Policy Descriptions
  - Change the Session Distribution Policy and View Statistics
- Prevent TCP Split Handshake Session Establishment
Tunnel Content Inspection
- Tunnel Content Inspection Overview
- Configure Tunnel Content Inspection
- View Inspected Tunnel Activity
- View Tunnel Information in Logs
- Create a Custom Report Based on Tagged Tunnel Traffic
- Tunnel Acceleration Behavior
- Disable Tunnel Acceleration
Network Packet Broker
- Network Packet Broker Overview
- How Network Packet Broker Works
- Prepare to Deploy Network Packet Broker
- Configure Transparent Bridge Security Chains
- Configure Routed Layer 3 Security Chains
- Network Packet Broker HA Support
- User Interface Changes for Network Packet Broker
- Limitations of Network Packet Broker
- Troubleshoot Network Packet Broker
Advanced Routing
- Enable Advanced Routing
- Logical Router Overview
- Configure a Logical Router
- Create a Static Route
- Configure BGP on an Advanced Routing Engine
- Create BGP Routing Profiles
- Create Filters for the Advanced Routing Engine
- Configure OSPFv2 on an Advanced Routing Engine
- Create OSPF Routing Profiles
- Configure OSPFv3 on an Advanced Routing Engine
- Create OSPFv3 Routing Profiles
- Configure RIPv2 on an Advanced Routing Engine
- Create RIPv2 Routing Profiles
- Create BFD Profiles
- Configure IPv4 Multicast
- Configure MSDP
- Create Multicast Routing Profiles
- Create an IPv4 MRoute
PoE
- PoE Overview
- Configure PoE

Configure Explicit Proxy

The explicit proxy method allows you to troubleshoot issues more easily, since the client browser is aware of the existence of the proxy.

(VM Series only) If you have not already done so, activate the license for web proxy.

You must activate the web proxy license for the PA-1400 Series, PA-3400 Series, and VM-Series. Learn how to activate your subscription licenses for the PA-1400 Series and PA-3400 Series or activate the web proxy license for the VM-Series in the following step.

Edit

the deployment profile.

Select

Web Proxy (Promotional Offer)

Click

Update Deployment Profile

On the firewall, retrieve the license keys from the server.

If the license key retrieval is not successful, restart the firewall and repeat this step before proceeding.

Set up the necessary interfaces and zones.

As a best practice, use Layer 3 (L3) for the three interfaces the web proxy uses and configure a separate zone for each interface within the same virtual routers and the same virtual systems.

Configure an interface for the client traffic.

Be sure to carefully copy the IP address for this interface and save it in a secure location because you must enter it as the

Proxy IP

address when you configure the web proxy.

Configure an interface for the outgoing traffic to the internet.

Configure a loopback interface for the proxy.

All incoming traffic is routed through this interface to the proxy.

Set up the DNS proxy for Explicit Proxy.

Configure a DNS proxy object for the proxy connection.

Configure a DNS Server profile with both primary and secondary DNS servers.

You must configure both a primary and a secondary DNS server for web proxy.

Specify the interface for the proxy connection.

Specify either the traffic ingress interface or a loopback interface.

To enable decryption for MITM detection, create a self-signed root CA certificate or import a certificate signed by your enterprise certificate authority (CA). For more information, refer to the best practices for administrative access.

Ensure you have completed the pre-deployment steps for the authentication method you want to configure.

Configure Kerberos Authentication

Configure SAML Authentication

Configure Cloud Identity Engine Authentication

If you have a DNS security subscription, integrate the web proxy firewall with Explicit Proxy to sinkhole any requests that match the DNS security categories that you specify.

Select

Panorama

Cloud Services

Configuration

On-Prem Proxy

Edit

the settings then select the

Device Group

you want the web proxy firewall to use or

Add

a new device group.

To integrate the web proxy firewall with Prisma Access, you must configure the web proxy firewall in a separate device group that contains no other firewalls or virtual systems. If the firewall is already a member of a device group, create a child device group as a sub-group and move the firewall to the child device group.

(Optional) Select

Block Settings

Add

Blocked Domain

or any domains that are

Exempted Domains

because they are sinkholed due to matching one or more of the DNS Security categories.

(Optional) Select whether you want to

Log any requests made to blocked domains

Click

Set up the Explicit Proxy.

On the firewall, select

Network

Proxy

then

Edit

the

Proxy Enablement

settings.

Select

Explicit Proxy

as the

Proxy Type

then click

to confirm the changes.

If the only available option is None, verify that you have an active license for the web proxy feature.

Edit

the

Explicit Proxy Configuration

Specify the

Connect Timeout

to define (in seconds) how long the proxy waits for a response from the web server. If there is no response after the specified amount of time has elapsed, the proxy closes the connection.

Select the

Listening Interface

that contains the firewall where you want to enable the web proxy.

Specify the ingress interface for the client traffic.

Select the

Upstream Interface

that contains the interface with the web proxy that reroutes the traffic to the server.

If you are using a loopback interface, specify that interface as the

Upstream Interface

Specify the IP address of the listening interface as the

Proxy IP

Enter the IP address of the interface you created in Step 2.a

Specify the

DNS Proxy

object you created in Step 3.a.

Select

Check domain in CONNECT & SNI are the same

to prevent domain fronting attacks by specifying different domains between the CONNECT request and the Server Name Indication (SNI) field in the HTTP header.

Select the

Authentication service type

you want to use (either

SAML/CAS

Kerberos Single Sign On

Be sure to complete all necessary pre-deployment and configuration steps for the authentication method you select. Select only one of the following authentication methods:

Configure Kerberos Authentication

Configure SAML Authentication

Configure Cloud Identity Engine Authentication

Click

to confirm the changes.

Configure the necessary security policy rules to decrypt traffic and reroute applicable traffic to the proxy.

You will need to create the following types of rules:

Source NAT (if applicable)

Decryption

Security

Configure a decryption policy to decrypt the traffic so it can be rerouted if necessary.

To avoid decrypting traffic twice, select the zone that contains the upstream interface as the source zone for the decryption policy.

(Optional but recommended) Select

Objects

Decryption Profile

and select

Block sessions on SNI mismatch with Server Certificate (SAN/CN)

to automatically deny any sessions where the Server Name Indication (SNI) does not match the server certificate.

Configure the necessary security policy rules.

Create a security policy rule to allow traffic from the client to the interface you selected as the listening interface.

Configure a security policy rule to allow traffic from the zone that contains the upstream interface to the internet.

Configure a security policy rule to allow traffic from the DNS proxy zone to the internet.

Configure a security policy rule using the authentication profile you configured in Step 5 to route traffic to the proxy as appropriate.

Document:PAN-OS® Networking Administrator’s Guide

Configure Explicit Proxy

Table of Contents

Configure Explicit Proxy

Most Popular

Recommended For You