Strata Cloud Manager


  1. (VM Series only) If you have not already done so, activate the license for web proxy.
    This step is required for the PA-1400, PA-3400, and VM Series. The following steps are for the VM Series; for the PA-1400 and PA-3400, follow the steps to activate subscription licenses.
    1. Log in to the Customer Service Portal (CSP).
    2. Edit the deployment profile.
    3. Select Web Proxy (Promotional Offer).
    4. Click Update Deployment Profile.
    5. On the firewall, retrieve the license keys from the server.
      If the license key retrieval is not successful, restart the firewall and repeat this step before proceeding.
  2. Set up the necessary interfaces and zones.
    Do not edit the proxy zone.
    As a best practice, use Layer 3 (L3) for all interfaces and configure a separate zone for each interface within the same virtual routers and the same virtual systems.
    1. Configure an interface for the client.
    2. Configure an interface for the outgoing traffic to the internet.
  3. Set up the Transparent Proxy.
    1. In Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access > Device Settings > Configuration Scope.
    2. Select the folder, snippet, or device for which you want to configure Transparent Proxy.
    3. Select Device Settings > Proxy > Proxy Settings, then Customize.
    4. Select Transparent Proxy as the Mode.
    5. Specify the Client Facing Interface.
      This is the interface for client traffic that you configured in an earlier step.
    6. Specify an Outbound Zone for outgoing traffic to the internet.
      You can Create New if you don't already have an outbound zone configured.
    7. Specify the IP addresses for the primary and secondary DNS servers that you want to connect to and the interface for the DNS proxy connection.
      After you push your configuration, Strata Cloud Manager will automatically create a DNS Proxy Object with these specifications on your devices. You can view the object on the devices themselves but not in Strata Cloud Manager.
    8. (Optional) Specify the Connect Timeout to define (in seconds) how long the proxy waits for a response from the web server. If there is no response after the specified amount of time has elapsed, the proxy closes the connection. The default is 5 seconds.
    9. (Optional) Specify the Web Traffic Service Port if you'd like web traffic to use special ports. The default ports are 80 and 443.
    10. (Optional) Use the default loopback interface (loopback.999) or enter a different one.
      The loopback interface must follow the format loopback.x, with x being any integer value.
      After you push your configuration, Strata Cloud Manager will automatically create a loopback interface with these specifications on your devices. You can view the interface on the devices themselves but not in Strata Cloud Manager.
    11. (Optional) Choose whether to NAT outbound traffic and enter an Outbound Interface.
      This creates a source NAT rule. Select this if your network cannot directly reach the internet.
    12. Save.
  4. Configure Transparent Proxy Policy Rules.
    These are a set of rules that determine what traffic passes through the proxy. After you push your configuration, these rules create Destination NAT rules on your devices, which apply NAT to the traffic that passes through the loopback interface configured earlier.
    In Strata Cloud Manager, however, Transparent Proxy Policy rules are visible only in web proxy configuration, not under NAT elsewhere in the app.
    1. Select Add Rule.
    2. Name the rule.
    3. (Optional) Add tags to label your rule.
    4. Specify a source address or leave it as Any.
    5. Specify a destination address or leave it as Any.
      (Optional) Specify a destination interface.
    6. (Optional) Select a Service.
    7. Save.
  5. Push your configuration and verify on your firewalls.
    1. To verify, log in to the firewall and select Network > Proxy.
    2. You should see information corresponding to the transparent proxy that you just configured.