Configure Transparent Proxy

With transparent proxy, the client browser is not aware of the proxy. Transparent proxy supports inline mode deployment and does not support web cache communication protocol (WCCP). Transparent proxy is transparent to the user without requiring additional authentication.
  1. (
    VM Series only
    ) If you have not already done so, activate the license for web proxy.
    This step is required for the PA-1400, PA-3400, and VM Series. The following steps are for the VM series; for the PA-1400 and PA-3400, follow the steps to activate subscription licenses.
    1. Log in to the Customer Service Portal (CSP).
    2. Select
      Web Proxy (Promotional Offer)
    3. Click
      Update Deployment Profile
    4. On the firewall, retrieve the license keys from the server.
      If the license key retrieval is not successful, restart the firewall and repeat this step before proceeding.
  2. Set up zones and interfaces.
    As a best practice, use Layer 3 (L3) for all interfaces and configure a separate zone for each interface within the same virtual routers and the same virtual systems.
    1. Configure an interface for the client.
    2. Configure an interface for the outgoing traffic to the internet.
    3. Configure a loopback interface for the proxy.
      All incoming traffic is routed through this interface to the proxy. Be sure to carefully copy the IP address for this interface and save it in a secure location because you must enter it as the
      Proxy IP
      address when you configure the web proxy.
  3. Set up the DNS proxy for Transparent Proxy.
    1. Configure a DNS proxy object for the proxy connection.
    2. Configure a DNS Server profile with both primary and secondary DNS servers.
      You must configure both a primary and a secondary DNS server for web proxy.
    3. Specify the loopback interface for the proxy connection.
  4. To enable decryption for MITM detection, create a self-signed root CA certificate or import a certificate signed by your enterprise certificate authority (CA). For more information, refer to the best practices for administrative access.
  5. Set up the Transparent Proxy.
    1. On the firewall, select
      Proxy Enablement
    2. Select
      Transparent Proxy
      as the
      Proxy Type
      then click
      to confirm the changes.
      If the only available option is None, verify that you have an active license for the web proxy feature.
    3. Edit
      Transparent Proxy Configuration
    4. Specify the
      Connect Timeout
      to define (in seconds) how long the proxy waits for a TCP response from the web server. If there is no response after the specified amount of time has elapsed, the proxy closes the connection.
    5. Select the
      Upstream Interface
      The upstream interface must be a loopback interface that is not associated with any other subnets.
    6. Specify the IP address of the loopback interface as the
      Proxy IP
      Enter the IP address of the interface you configured in Step 2.c.
    7. Specify the
      DNS Proxy
      object you created in Step 3.a.
      Specify the loopback interface as the
      Upstream Interface
    8. Click
      to confirm the changes.
  6. Configure the destination network address translation (DNAT) policy.
    You must configure the DNAT policy rule exactly as described in the following steps for the firewall to successfully use the web proxy to route traffic. Be sure to configure the DNAT policy rule so that it precedes the source network address translation (SNAT) policy rule.
    1. Select
      a NAT policy rule.
    2. Enter a unique
      and verify that
      Group Rules by Tag
      then select the
      NAT Type
    3. Select
      Original Packet
      a trusted zone as the
      Source Zone
      and the
      Destination Zone
      as the interface that contains the web proxy.
    4. Select
      Translated Packet
      and verify that
      Translation Type
      Source Address Translation
    5. Select
      Dynamic IP (with session distribution)
      as the
      Translation Type
      for the
      Destination Address Translation
    6. Enter the IP address of the web proxy as the
      Translated Address
      Enter the same IP address as the Proxy IP address specified in Step 2.c.
    7. Enter
      as the
      Translated Port
    8. Select a
      Session Distribution Method
      (for example,
      Round Robin
      The session distribution method is not applicable for web proxy.
    9. Click
      the changes.
  7. Configure a security policy to allow and route the proxy traffic.
    1. Configure a source network address translation (SNAT) policy rule after the DNAT rule.
    2. Configure a decryption policy to decrypt traffic.
      Select the zone that contains the proxy interface as the source zone.
    3. (Optional but recommended) Select
      Decryption Profile
      and select
      Block sessions on SNI mismatch with Server Certificate (SAN/CN)
      to automatically deny any sessions where the Server Name Indication (SNI) does not match the server certificate.
    4. Configure policy rules to allow access to the DNS proxy servers for both the client and the proxy.
    5. Configure a policy rule to allow traffic from the client to the proxy.
    6. Configure a policy rule to allow traffic from the proxy to the internet.

Recommended For You