Focus

Configure Exemptions for Explicit Proxy Authentication

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0 (EoL)
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

Configure Authentication for Explicit Web Proxy

Exclude All Explicit Proxy Traffic From Authentication

Configure Exemptions for Explicit Proxy Authentication

Learn how you can exempt proxy traffic from authentication using a source, destination, or both.

Using a web proxy allows you to use the information from the proxy devices in your network through a unified interface. However, resources such as printers or other IoT devices can't respond to authentication requests from the proxy or support a certificate or PAC file.

You can exempt these devices from the authentication request from the proxy using an address object for the source, a custom URL category exception list as the destination, or both. Configuring an authentication exemption for the explicit proxy ensures that traffic from these key resources isn't interrupted and allows traffic from these trusted devices to pass through the proxy in compliance with your network architecture.

You can create up to 20 web proxy exemptions in your authentication policy.

If you do not need to authenticate your explicit proxy traffic, you can Exclude All Explicit Proxy Traffic From Authentication.

If you have not already done so, Configure Explicit Proxy then define the type of proxy traffic that you want to exempt from authentication requests.
You can exempt traffic based on the source, the destination domain, or both.
- Configure an address object (ObjectsAddresses) that contains the source IP addresses of your trusted devices. The source IP can be an address or address group.
- Configure a custom URL category exception list ( ObjectsCustom ObjectsURL Category) that contains the destination URL domain or domains of the web services you want to allow.
Enable the Authentication Portal if you have not already done so.
This step is required to enforce the policy rule.
Edit or create your authentication policy rule (PoliciesAuthentication) and select Bypass Web Proxy Authentication.

When you enable the Bypass Web Proxy Authentication option, the Authentication Enforcement option on the Action tab is set to None; you cannot change this setting while the Bypass Web Proxy Authentication option is enabled.
Define the type of proxy traffic that you want to exempt from authentication in your authentication policy rule and Commit your changes.
You can exempt a source, a destination, or both.
- Select the Source tab then select the address object you configured in the first step as the Source Address and click OK.
- Select the Destination tab then select the URL category you configured in the first step
  
  You must create the custom URL category exception list before you can select it as a destination. You can't create a new custom URL category exception list as a destination during this step.
Commit your changes and verify your configuration.
1. View your policy rules (Policies Authentication) and confirm that a checkmark displays in the Bypass Web Proxy Authentication column for the rules where you enabled the exemption.
2. Depending on your authentication method, use the CLI commands to view the exemptions for proxy traffic.
  If you're using the SAML authentication method, you can use the show counter global name ctd_eproxy_skip_auth_url_match command to verify the configuration. This command displays the number of SAML authentication exemptions for proxy traffic.
  If you're using the Kerberos authentication service type, you can use the show counter global name flow_swg_ep_kerberos_skip_auth command to verify the configuration. This command displays the number of Kerberos authentication exemptions for proxy traffic.