PAN-OS: Configure a Web Proxy

Introduction to Web Proxy on PAN-OS

PAN-OS firewalls provide built-in web proxy capabilities, allowing you to leverage proxy functionalities within the Next-Generation Firewall platform. This offers a unified interface for managing both security policy and web proxy features.

There are two main types of web proxy configurations:

• Explicit Proxy: Clients (e.g., browsers) are explicitly configured to send web traffic to the firewall's proxy IP address and port. The client is aware of the proxy.
• Transparent Proxy: Clients are unaware of the proxy. The firewall intercepts web traffic destined for external servers (typically using NAT) and redirects it internally to its proxy service for inspection.

This guide covers the configuration steps for setting up these proxy modes.

Prerequisites and Initial Setup

1. License Activation (Specific Models):

   Web proxy functionality requires license activation on PA-1400 Series, PA-3400 Series, and VM-Series firewalls.

   • VM-Series Example: Log in to CSP, edit the deployment profile, select Web Proxy (Promotional Offer) or the appropriate license, and update.

   [Image Placeholder: Screenshot of CSP Deployment Profile showing Web Proxy option. Original src: An%20explicit%20proxy%20is%20one%20of%20the%20types%20of_files/image001.png]

   • On the firewall, retrieve license keys ( Device > Licenses > Retrieve license keys from license server ). Restart if needed.
   • PA-1400/PA-3400: Follow standard subscription license activation steps .

2. Interfaces and Zones Setup:

   Configure necessary interfaces (Layer 3 recommended) and assign them to distinct zones within the same virtual router.

   • Client Interface: Interface facing clients (e.g., ethernet1/1 in zone Trust ).
   • Internet Interface: Interface facing the internet (e.g., ethernet1/2 in zone Untrust ).
   • Loopback Interface (Highly Recommended for Proxy Service): Configure a dedicated Loopback interface (e.g., loopback.1 ). Assign it an IP address (e.g., 192.168.254.254/32 ) and place it in its own zone (e.g., Proxy-Zone or similar) within the same virtual router. This loopback IP is often used as the target for NAT redirection (Transparent) or as a stable upstream interface (Explicit). Note its IP address.

3. DNS Proxy Setup:

   The web proxy needs reliable DNS resolution.

   • Configure a DNS Proxy Object ( Network > DNS Proxy ) and enable it on the appropriate interface(s) (often client-facing).
   • Configure a DNS Server Profile ( Device > Server Profiles > DNS ) with reliable Primary and Secondary DNS servers.

   Ensure both Primary and Secondary DNS servers are configured for the profile used by the proxy.

4. Certificate Setup (for Decryption):

   If decrypting HTTPS traffic (recommended for visibility and required for many features), configure SSL Forward Proxy. This requires a Forward Trust CA certificate setup and client deployment.

   (See Create a Self-Signed Root CA Certificate or relevant Enterprise CA documentation).

5. Authentication Prerequisites (Explicit Proxy):

   If using authentication with Explicit Proxy, complete the setup for your chosen method (Kerberos SPN/Keytab, SAML IdP, CIE) before configuring the proxy.

1. Navigate to Network > Proxy .
2. Click Edit for Proxy Enablement .
3. Select the desired Proxy Type :
   • Explicit Proxy
   • Transparent Proxy

[Image Placeholder: Screenshot of Proxy Enablement settings showing Proxy Type dropdown. Original src: An%20explicit%20proxy%20is%20one%20of%20the%20types%20of_files/image004.png / configuring%20transparent%20proxy_files/image002.png]

If the only option is `None`, verify license activation on applicable platforms.

4. Click OK .

If you selected Explicit Proxy in the previous step:

1. Click Edit for Explicit Proxy Configuration .

[Image Placeholder: Screenshot of Explicit Proxy Configuration dialog. Original src: An%20explicit%20proxy%20is%20one%20of%20the%20types%20of_files/image005.png]

2. Specify the Connect Timeout (seconds).
3. Select the Listening Interface (interface clients connect to, e.g., client-facing L3 interface).
4. Select the Upstream Interface (interface proxy uses to send traffic onward, often the configured Loopback interface).
5. Enter the IP address of the Listening Interface as the Proxy IP .
6. Select the DNS Proxy object.
7. (Optional) Check Check domain in CONNECT & SNI are the same .
8. Select the Authentication service type ( Kerberos Single Sign On or SAML/CAS ) and configure the corresponding Authentication Profile . Refer to specific authentication method documentation for details.
9. (Optional) Check Strip ALPN if using HTTPS decryption.
10. Click OK .

Remember to configure Authentication Policy rules to enforce the chosen authentication method.

If you selected Transparent Proxy in the Proxy Enablement step:

1. Click Edit for Transparent Proxy Configuration .

[Image Placeholder: Screenshot of Transparent Proxy Configuration dialog. Original src: configuring%20transparent%20proxy_files/image003.png]

2. Specify the Connect Timeout (seconds).
3. Select the Upstream Interface : This must be the dedicated Loopback interface configured earlier.
4. Enter the IP address of the Loopback interface as the Proxy IP .
5. Select the DNS Proxy object created earlier.
6. Click OK .

Transparent Proxy relies critically on NAT and Security policies (configured separately) to redirect traffic to this proxy service running on the loopback interface.

Required for Both Modes:

• Security Policy: Rules allowing traffic:
  • From client zone to proxy service (Proxy Zone if using Loopback, or egress zone).
  • From proxy service (Proxy Zone or egress zone) to the internet (Untrust).
  • Apply appropriate Security Profiles (URL Filtering, Threat Prevention, etc.) to the outbound rule for inspection.
• Source NAT (SNAT): Typically required for traffic leaving the proxy zone (or egress interface) towards the internet, translating the source to an external IP. Place *after* any DNAT rules.
• Decryption Policy (Highly Recommended): Configure SSL Forward Proxy rules to decrypt HTTPS traffic intercepted by the proxy for full visibility and inspection.

Required Specifically for Transparent Proxy:

• Destination NAT (DNAT): A rule placed *before* SNAT rules that intercepts client web traffic (TCP/80, TCP/443) destined for the internet (`Untrust` zone) and translates the destination IP to the Proxy Loopback IP and destination port to the proxy listener port (typically TCP/8080 ).

If you have a DNS Security subscription, you can integrate Explicit Proxy (via Panorama Cloud Services configuration) to apply DNS Security policy actions (like sinkholing) to requests handled by the proxy.

• Configure under Panorama > Cloud Services > Configuration > On-Prem Proxy .
• Associate the proxy firewall's Device Group.
• Optionally configure Block/Exempt domain lists specific to the proxy context.

[Image Placeholder: Screenshot of Panorama On-Prem Proxy settings for DNS Security. Original src: An%20explicit%20proxy%20is%20one%20of%20the%20types%20of_files/image002.png]

[Image Placeholder: Screenshot of Block/Exempt settings within On-Prem Proxy config. Original src: An%20explicit%20proxy%20is%20one%20of%20the%20types%20of_files/image003.png]

• Commit Changes: Commit the configuration to the firewall (and push from Panorama if applicable).
• Client Configuration (Explicit Proxy Only): Configure client browsers or operating systems to use the firewall's listening interface IP and configured port (default 8080, unless changed) as their proxy server. This can often be done via PAC files or Group Policy.
• Verify: Test connectivity through the proxy from client machines. Check firewall logs (Traffic, URL, Threat, Decryption, Authentication) to confirm traffic is being proxied, inspected, and authenticated (if applicable) correctly.

References

• PAN-OS Networking Admin Guide: Configure a Web Proxy (Main Overview)
• Configure Explicit Proxy
• Configure Transparent Proxy
• Configure Authentication for Explicit Web Proxy
• NAT Configuration
• Decryption Configuration