PAN-OS: Configure a Web Proxy

Web Proxy Overview

PAN-OS firewalls include functionality to act as a web proxy , allowing you to leverage proxy capabilities within a unified interface for managing network security. This centralizes control and visibility for web traffic.

There are two main types of web proxy configurations available:

• Explicit Proxy: Clients (e.g., browsers) are explicitly configured to point to the firewall's proxy service IP address and port. The client is aware it is using a proxy. This method can sometimes simplify troubleshooting because the client's awareness aids diagnostics.
• Transparent Proxy: Clients are unaware of the proxy. The firewall intercepts web traffic destined for the internet and redirects it internally to the proxy service using network policies (typically NAT). This requires no client-side configuration changes.

Prerequisites and Initial Setup

1. License Activation (Specific Models):

   The web proxy feature requires license activation on PA-1400 Series , PA-3400 Series , and VM-Series firewalls.

   • VM-Series Example: Log in to the Customer Support Portal (CSP), edit the relevant deployment profile, select Web Proxy (Promotional Offer) or the appropriate license, and update.
   • On the firewall, retrieve license keys ( Device > Licenses > Retrieve license keys from license server ). Restart the firewall if retrieval fails initially before proceeding.
   • PA-1400/PA-3400: Follow standard subscription license activation steps .

2. Interfaces and Zones Setup:

   Configure the necessary network interfaces. Using Layer 3 interfaces, each in its own dedicated Security Zone within the same Virtual Router, is recommended.

   • Client Interface: The interface receiving traffic from clients (e.g., ethernet1/1 in zone Trust ). Note its IP address for Explicit Proxy configuration.
   • Internet Interface: The interface facing the external network (e.g., ethernet1/2 in zone Untrust ).
   • Proxy Loopback Interface: A dedicated Loopback interface (e.g., loopback.1 ) with an IP address (e.g., 192.168.254.254/32 ) in its own zone (e.g., Proxy-Zone ). This is crucial for Transparent Proxy redirection and often used as the Upstream Interface in Explicit Proxy.

3. DNS Proxy Setup:

   Ensure reliable DNS resolution for the proxy.

   • Configure a DNS Proxy Object ( Network > DNS Proxy ). Enable it on appropriate interfaces (client-facing or loopback).
   • Configure a DNS Server Profile ( Device > Server Profiles > DNS ) specifying both Primary and Secondary DNS servers .

4. Certificate Setup (for Decryption / MITM):

   If decrypting HTTPS traffic (required for full inspection and often for specific proxy features), configure SSL Forward Proxy. This involves setting up a Forward Trust CA certificate and deploying its public key to clients. For Transparent Proxy MITM detection features, a self-signed or enterprise CA certificate is also needed.

   (See Create a Self-Signed Root CA Certificate or refer to administrative access best practices and enterprise CA integration guides).

5. Authentication Prerequisites (Explicit Proxy Only):

   Complete the specific setup for your chosen authentication method (Kerberos, SAML, CIE) before enabling it in the Explicit Proxy settings.

1. Enable Proxy Type

1. Navigate to Network > Proxy .
2. Click Edit for Proxy Enablement .
3. Select the desired Proxy Type : Explicit Proxy or Transparent Proxy .

Verify the Web Proxy license is active if options are limited.

4. Click OK .

2. Configure Mode-Specific Settings

Based on the type selected above, configure the details:

• For Explicit Proxy:
  • Click Edit for Explicit Proxy Configuration .
  • Set Connect Timeout.
  • Select Listening Interface (client-facing).
  • Select Upstream Interface (often loopback).
  • Enter Proxy IP (Listening Interface IP).
  • Select DNS Proxy object.
  • (Optional) Check SNI/CONNECT domain match.
  • Select Authentication service type (Kerberos or SAML/CAS) and corresponding Authentication Profile.
  • (Optional) Select Strip ALPN if decrypting HTTPS.
  • Click OK.
• For Transparent Proxy:
  • Click Edit for Transparent Proxy Configuration .
  • Set Connect Timeout.
  • Select Upstream Interface ( Must be the dedicated Loopback interface ).
  • Enter Proxy IP (Loopback Interface IP).
  • Select DNS Proxy object.
  • Click OK.

Configure Policies:

• Authentication Policy (Explicit Proxy): Define rules to enforce Kerberos/SAML/CIE authentication or configure bypass rules for specific traffic (see Configure Authentication and Exemptions ).
• NAT Policy:
  • For Transparent Proxy: A Destination NAT (DNAT) rule is required to redirect client port 80/443 traffic to the Proxy Loopback IP and Port (e.g., 8080). Place this *before* SNAT.
  • Source NAT (SNAT) is typically needed for traffic leaving the proxy interface/zone towards the internet. Place *after* DNAT.
• Security Policy: Rules are needed to allow traffic between relevant zones (Client Zone <-> Proxy Zone/Interface, Proxy Zone/Interface <-> Internet Zone). Apply Security Profiles (URL Filtering, Threat Prevention, File Blocking, WildFire Analysis) to the rule allowing traffic from the proxy service to the internet for inspection.
• Decryption Policy (Optional): If inspecting HTTPS, configure SSL Forward Proxy rules targeting the proxied traffic.

Commit and Verify:

• Commit all changes.
• Client Configuration (Explicit Proxy Only): Configure clients to use the Proxy IP and port.
• Test client connectivity through the proxy and verify inspection in firewall logs (Traffic, URL, Threat, Decryption).

(For initial Transparent Proxy setup, the documentation sometimes suggests making a minor change in DNS Proxy/Interface config and recommitting to ensure settings populate fully).

References

• PAN-OS Networking Admin Guide: Configure a Web Proxy (Main Source)
• Configure Explicit Proxy
• Configure Transparent Proxy
• Configure Authentication for Explicit Web Proxy
• NAT Configuration
• Decryption Configuration
• Authentication Policy