Focus

Configure a Web Proxy

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Configure a DNS Server Profile

Configure Explicit Proxy

Configure a Web Proxy

If your network uses a proxy device, learn how to configure a web proxy as either an explicit proxy or a transparent proxy to route authentication traffic.

Where Can I Use This?	What Do I Need?
NGFW (Cloud Managed) NGFW (PAN-OS or Panorama Managed)	Web proxy license (For cloud-managed NGFW) AIOps for NGFW Premium license.

If your network uses a proxy device for security, you can now leverage the same level of protection using the on-premises web proxy capability with PAN-OS 11.0. The web proxy features enables additional options for migrating from an existing web proxy architecture to a simple unified management console. Using the web proxy feature with Prisma Access provides a seamless method for migrating, deploying, and maintaining secure web gateway (SWG) configurations from an easy to use and simplified interface. Web proxy helps during the transition from on-premises to the cloud with no loss to security or efficiency.

The web proxy supports two methods for routing traffic:

For the explicit proxy method, the request contains the destination IP address of the configured proxy and the client browser sends requests to the proxy directly. You can use one of following methods to authenticate users with the explicit proxy:
- Kerberos, which requires a web proxy license.
- SAML 2.0, which requires Panorama, a Prisma Access license, the Cloud Services 3.2.1 plugin (and later versions), and the add-on web proxy license.
- Cloud Identity Engine, which requires Panorama, a Prisma Access license, the Cloud Services 3.2.1 plugin (and later versions), and the add-on web proxy license.
For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP).

You can also use advanced routing with web proxy.

The following products support web proxy:

PA-1400 Series Firewalls
PA-3400 Series Firewalls
PA-5400 Series Firewalls

From PAN-OS 12.1 version and later versions, PA-5450 series firewall is supported. However, for PAN-OS versions earlier than 12.1, PA-5450 series firewall is not supported for web proxy.
VM-Series Firewalls (with a minimum of four vCPUs)
Panorama management systems running PAN-OS 11.1

To configure explicit proxy using SAML authentication, web proxy requires the Cloud Services plugin 3.2.1 or a later version.

Web proxy supports IPv4.

To learn how to configure a web proxy, select the type of proxy or proxy capability that you want to configure:

Configure a DNS Server Profile

Configure Explicit Proxy

Next-Generation Firewall Docs

Configure a Web Proxy

Next-Generation Firewall Docs

Configure a Web Proxy

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner