Web Proxy

If your network uses a proxy device, learn how to configure a web proxy as either an explicit proxy or a transparent proxy to route authentication traffic.
If your network uses a proxy device for security, you can now get the same level of protection using the on-premises web proxy capability in PAN-OS 11.0. The web proxy feature adds options for migrating from an existing web proxy architecture to a single, unified management console. Using the web proxy feature with Prisma Access provides a seamless method for migrating, deploying, and maintaining secure web gateway (SWG) configurations from an easy-to-use, simplified interface. Web proxy helps during the transition from on-premises to the cloud with no loss of security or efficiency.
Web proxy requires both a valid DNS Security license and the Prisma Access explicit proxy license.
The web proxy supports two methods for routing traffic:
  • For the explicit proxy method, the request contains the destination IP address of the configured proxy and the client browser sends requests to the proxy directly.
  • For the transparent proxy method, the request contains the destination IP address of the web server and the client browser is redirected to the proxy. There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support XAU.
The following platforms support web proxy:
  • PA-1400
  • PA-3400
  • VM Series (with vCPUs)
  • Panorama using PAN-OS 11.0
Web proxy supports IPv4.

Configure Explicit Proxy

The explicit proxy method allows you to troubleshoot issues more easily, since the client browser is aware of the existence of the proxy.
  1. Set up the necessary interfaces and zones.
    As a best practice, use Layer 3 (L3) for the three interfaces the web proxy uses and configure a separate zone for each interface within the same virtual routers and the same virtual systems.
    1. Configure an interface for the client traffic.
      Be sure to carefully copy the IP address for this interface and save it in a secure location, because you must enter it as the Proxy IP address when you configure the web proxy.
    2. Configure an interface for the outgoing traffic to the internet.
    3. Configure a loopback interface for the proxy.
      All incoming traffic is routed through this interface to the proxy.
  2. Set up the DNS proxy for Explicit Proxy.
    1. Configure a DNS proxy object for the proxy connection.
    2. Configure a DNS Server profile with both primary and secondary DNS servers.
      You must configure both a primary and a secondary DNS server for web proxy.
    3. Specify the interface for the proxy connection.
      Specify either the traffic ingress interface or a loopback interface.
  3. Set up the Kerberos authentication method for your users.
    The SAML/CAS method will be supported in a future release.
    1. Create a service account for the directory (if it is not already configured) and enable support for AES128 and AES256 encryption in the service account properties.
    2. Register the service principal name (SPN) for the proxy FQDN and create a keytab file for the Kerberos single sign-on (SSO).
      The Kerberos keytab principal name must match the hostname that resolves to the proxy interface IP address.
    3. On the firewall, create a server profile for the Kerberos server.
    4. Configure an authentication profile to use Kerberos and import the keytab to the authentication profile.
    5. (Optional but recommended) If you use Panorama to manage your firewalls, configure a log forwarding profile to forward logs to Cortex Data Lake (CDL), Panorama, or both.
      By default, the firewall does not forward logs to CDL or Panorama. Forwarding the logs ensures that the complete authentication log information is available to assist in troubleshooting any potential authentication issues.
      As a best practice, if you are using Panorama to manage the web proxy firewall, configure any objects the proxy uses in a shared Panorama location and configure the web proxy firewall in a separate device group that contains no other firewalls or virtual systems. If the firewall is already a member of a device group, create a child device group as a sub-group and move the firewall to the child device group.
      If you experience issues with the browser challenge when using the Chrome browser, we recommend using an alternate browser.
  4. Set up the Explicit Proxy.
    1. On the firewall, select Network > Proxy, then Edit the Proxy Enablement settings.
    2. Select Explicit Proxy as the Proxy Type, then click OK to confirm the changes.
      If the only available option is None, verify that you have an active license for the web proxy feature.
    3. Edit the Explicit Proxy Configuration.
    4. Specify the Connect Timeout to define (in seconds) how long the proxy waits for a response from the web server. If there is no response after the specified amount of time has elapsed, the proxy closes the connection.
    5. Select the Listening Interface on the firewall where you want to enable the web proxy.
      Specify the ingress interface for the client traffic.
    6. Select the Upstream Interface, the interface through which the web proxy reroutes traffic to the server.
      If you are using a loopback interface, specify that interface as the Upstream Interface.
    7. Specify the IP address of the listening interface as the Proxy IP.
      Enter the IP address of the interface you created in Step 1.1.
    8. Specify the DNS Proxy object you created in Step 2.
    9. Select Check domain in CONNECT & SNI are the same to prevent domain fronting attacks, in which the domain in the CONNECT request differs from the domain in the Server Name Indication (SNI) field.
    10. Select the Authentication service type you want to use (either SAML/CAS or Kerberos Single Sign On).
    11. Select the Authentication Profile you created in Step 3.
    12. Click OK to confirm the changes.
  5. Configure the necessary security policy rules to decrypt traffic and reroute applicable traffic to the proxy.
    You will need to create the following types of rules:
    • Source NAT (if applicable)
    • Decryption
    • Security
    1. Configure a decryption policy to decrypt the traffic so it can be rerouted if necessary.
      To avoid decrypting traffic twice, select the proxy zone as the source zone for the decryption policy.
    2. Configure a security policy rule to allow traffic from the client to the interface you selected as the listening interface.
    3. Configure a security policy rule to allow traffic from the zone that contains the upstream interface to the internet.
    4. Configure a security policy rule to allow traffic from the DNS proxy zone to the internet.
    5. Configure a security policy rule using the authentication profile you configured in Step 3 to route traffic to the proxy as appropriate.
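The "Check domain in CONNECT & SNI are the same" setting in Step 4.9 compares two values the proxy sees on every HTTPS connection: the host in the client's CONNECT request line and the server_name in the TLS ClientHello that follows. The script below is an added example, not code from this page or from Palo Alto Networks, that models that comparison so you can see exactly what the setting enforces. It parses a CONNECT line, extracts the SNI from a single unfragmented ClientHello record, and reports whether they agree; the sample request and the ClientHello builder are constructed test inputs, and the simplified parser is an assumption of this example rather than the proxy's implementation.

```python
"""Added example: model of the CONNECT-host vs TLS SNI consistency check.
Not Palo Alto Networks code; the ClientHello parser is deliberately minimal."""
import struct
from typing import Optional


def connect_host(request: bytes) -> str:
    """Return the host from a 'CONNECT host:port HTTP/1.1' request line."""
    line = request.split(b"\r\n", 1)[0].decode("ascii")
    parts = line.split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT":
        raise ValueError("not a CONNECT request line")
    host = parts[1].rsplit(":", 1)[0]          # drop the port if present
    return host.lower().rstrip(".")            # DNS names are case-insensitive


def client_hello_sni(record: bytes) -> Optional[str]:
    """Extract the host_name entry of the server_name extension, or None if absent."""
    # Record header: type(1) version(2) length(2); handshake header: type(1) length(3)
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    pos = 9 + 2 + 32                                        # skip client_version, random
    pos += 1 + record[pos]                                  # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]     # cipher_suites
    pos += 1 + record[pos]                                  # compression_methods
    if pos >= len(record):
        return None                                         # no extensions at all
    ext_total = struct.unpack_from("!H", record, pos)[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0x0000:                              # server_name (RFC 6066)
            list_len = struct.unpack_from("!H", record, pos)[0]
            p = pos + 2
            while p + 3 <= pos + 2 + list_len:
                name_type = record[p]
                name_len = struct.unpack_from("!H", record, p + 1)[0]
                name = record[p + 3:p + 3 + name_len]
                if name_type == 0:                          # host_name
                    return name.decode("ascii").lower().rstrip(".")
                p += 3 + name_len
        pos += ext_len
    return None


def connect_and_sni_match(request: bytes, client_hello: bytes) -> bool:
    """True only when the ClientHello carries an SNI equal to the CONNECT host."""
    sni = client_hello_sni(client_hello)
    return sni is not None and sni == connect_host(request)


def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal ClientHello (one cipher suite, only a server_name extension)."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32) + b"\x00"              # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"           # cipher_suites: TLS_AES_128_GCM_SHA256
            + b"\x01\x00"                                  # compression_methods: null
            + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    # Constructed sample: the proxy sees this CONNECT line and then this ClientHello.
    req = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
    print("consistent:", connect_and_sni_match(req, build_client_hello("www.example.com")))
    print("consistent:", connect_and_sni_match(req, build_client_hello("cdn.example.net")))
```

When the two names differ the proxy, with the setting enabled, refuses to forward the tunnel; a decryption policy on the proxy zone (Step 5) lets the firewall apply the same host-based checks to the decrypted request as well.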

Configure Transparent Proxy

With transparent proxy, the client browser is not aware of the proxy. Transparent proxy supports inline mode deployment and does not require a web cache communication protocol (WCCP). Transparent proxy also supports non-standard HTTP(S) ports and is transparent to the user without requiring additional authentication.
  1. Set up zones and interfaces.
    As a best practice, use Layer 3 (L3) for all interfaces and configure a separate zone for each interface within the same virtual routers and the same virtual systems.
    1. Configure an interface for the client.
    2. Configure an interface for the outgoing traffic to the internet.
    3. Configure a loopback interface for the proxy.
      All incoming traffic is routed through this interface to the proxy. Be sure to carefully copy the IP address for this interface and save it in a secure location, because you must enter it as the Proxy IP address when you configure the web proxy.
  2. Set up the DNS proxy for Transparent Proxy.
    1. Configure a DNS proxy object for the proxy connection.
    2. Configure a DNS Server profile with both primary and secondary DNS servers.
      You must configure both a primary and a secondary DNS server for web proxy.
    3. Specify the loopback interface for the proxy connection.
  3. Set up the Transparent Proxy.
    1. On the firewall, select Network > Proxy, then Edit the Proxy Enablement settings.
    2. Select Transparent Proxy as the Proxy Type, then click OK to confirm the changes.
      If the only available option is None, verify that you have an active license for the web proxy feature.
    3. Edit the Transparent Proxy Configuration.
    4. Specify the Connect Timeout to define (in seconds) how long the proxy waits for a TCP response from the web server. If there is no response after the specified amount of time has elapsed, the proxy closes the connection.
    5. Select the Upstream Interface.
      The upstream interface must be a loopback interface that is not associated with any other subnets.
    6. Specify the IP address of the loopback interface as the Proxy IP.
      Enter the IP address of the interface you configured in Step 1.3.
    7. Specify the DNS Proxy object you created in Step 2.
      Specify the loopback interface as the Upstream Interface.
    8. Click OK to confirm the changes.
  4. Configure the destination network address translation (DNAT) policy.
    You must configure the DNAT policy rule exactly as described in the following steps for the firewall to successfully use the web proxy to route traffic. Be sure to configure the DNAT policy rule so that it precedes the source network address translation (SNAT) policy rule.
    1. Select Policies > NAT and Add a NAT policy rule.
    2. Enter a unique Name, verify that Group Rules by Tag is None, then select the NAT Type.
    3. Select Original Packet, Add a trusted zone as the Source Zone, and select the zone that contains the web proxy interface as the Destination Zone.
    4. Select Translated Packet and verify that the Translation Type for Source Address Translation is None.
      To allow traffic for specific permitted cloud applications, like Office365 or Zoom, use negation of DNAT to send traffic through the proxy.
    5. Select Dynamic IP (with session distribution) as the Translation Type for the Destination Address Translation.
    6. Enter the IP address of the web proxy as the Translated Address.
      Enter the same IP address as the Proxy IP address specified in Step 1.3 and Step 3.6.
    7. Enter 8080 as the Translated Port.
    8. Select a Session Distribution Method (for example, Round Robin).
      The session distribution method is not applicable for web proxy.
    9. Click OK and Commit the changes.
  5. Configure a security policy to allow and route the proxy traffic.
    1. Configure a source network address translation (SNAT) policy rule after the DNAT rule.
    2. Configure a decryption policy to decrypt traffic.
      Select the zone that contains the proxy interface as the source zone.
    3. Configure policy rules to allow access to the DNS proxy servers for both the client and the proxy.
    4. Configure a policy rule to allow traffic from the client to the proxy.
    5. Configure a policy rule to allow traffic from the proxy to the internet.
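Because Step 4 says the DNAT rule must be built exactly as described and must sit above the SNAT rule, it is worth checking an exported NAT rulebase rather than trusting the order by eye. The script below is an added example, not code from this page or from Palo Alto Networks: it lints a NAT rulebase against the requirements stated above (destination translation to the Proxy IP on port 8080, no source translation on that rule, the proxy zone as its destination, and the DNAT rule ordered before any SNAT rule). The XML element names follow the general shape of a PAN-OS rulebase export but are an assumption of this example, and the sample rulebase, Proxy IP and zone names are constructed.

```python
"""Added example: lint a NAT rulebase export for the transparent-proxy DNAT requirements.
Not Palo Alto Networks code; element names and sample values are assumptions."""
import xml.etree.ElementTree as ET
from typing import List

PROXY_IP = "10.0.99.1"      # assumed loopback address used as the Proxy IP (Step 1.3)
PROXY_PORT = "8080"         # Translated Port required by Step 4.7
PROXY_ZONE = "proxy"        # assumed name of the zone holding the proxy loopback

# Constructed rulebase: a correctly ordered proxy DNAT rule followed by the outbound SNAT rule.
SAMPLE_RULEBASE = """<rulebase><nat><rules>
  <entry name="to-web-proxy">
    <from><member>trust</member></from>
    <to><member>proxy</member></to>
    <dynamic-destination-translation>
      <translated-address>10.0.99.1</translated-address>
      <translated-port>8080</translated-port>
      <distribution>round-robin</distribution>
    </dynamic-destination-translation>
  </entry>
  <entry name="outbound-snat">
    <from><member>proxy</member></from>
    <to><member>untrust</member></to>
    <source-translation><dynamic-ip-and-port>
      <interface-address><interface>ethernet1/2</interface></interface-address>
    </dynamic-ip-and-port></source-translation>
  </entry>
</rules></nat></rulebase>"""


def lint_nat_rules(xml_text: str, proxy_ip: str = PROXY_IP,
                   proxy_port: str = PROXY_PORT, proxy_zone: str = PROXY_ZONE) -> List[str]:
    """Return findings; an empty list means the rulebase meets the stated requirements."""
    rules = ET.fromstring(xml_text).findall("./nat/rules/entry")
    findings: List[str] = []
    dnat_index = snat_index = None
    for i, rule in enumerate(rules):
        name = rule.get("name", f"#{i}")
        dnat = rule.find("dynamic-destination-translation")
        has_snat = rule.find("source-translation") is not None
        if dnat is not None and (dnat.findtext("translated-port") or "") == proxy_port:
            if dnat_index is None:
                dnat_index = i                      # first proxy DNAT rule in evaluation order
            if dnat.findtext("translated-address") != proxy_ip:
                findings.append(f"{name}: translated address must be the Proxy IP {proxy_ip}")
            if has_snat:
                findings.append(f"{name}: source address translation must be None on the proxy DNAT rule")
            if proxy_zone not in [m.text for m in rule.findall("to/member")]:
                findings.append(f"{name}: destination zone must be the proxy zone '{proxy_zone}'")
        elif has_snat and snat_index is None:
            snat_index = i                          # first SNAT rule in evaluation order
    if dnat_index is None:
        findings.append(f"no DNAT rule translating to port {proxy_port} found")
    elif snat_index is not None and snat_index < dnat_index:
        findings.append(f"SNAT rule '{rules[snat_index].get('name')}' precedes the proxy DNAT rule")
    return findings


if __name__ == "__main__":
    for finding in lint_nat_rules(SAMPLE_RULEBASE) or ["rulebase OK"]:
        print(finding)
```

Run it against the `<nat>` section of a configuration export (for Panorama-managed firewalls, the device group's pre-rulebase), and treat any finding as a reason the proxy may silently not receive client traffic.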
