PAN-OS: Configuring Authentication for Explicit Web Proxy

Introduction

When you configure an explicit web proxy on a PAN-OS firewall, you need to decide how users connecting through the proxy will be authenticated for User-ID mapping and policy enforcement. PAN-OS supports several methods for explicit proxy authentication.

This guide covers the configuration details for:

  • Kerberos Single Sign-On
  • SAML
  • Cloud Identity Engine (CIE)

If you need to exempt specific traffic (like printers or IoT devices) from authentication, refer to Configure Exemptions for Explicit Proxy Authentication. If no authentication is required at all, see Exclude All Explicit Proxy Traffic From Authentication.

Panorama Management Best Practice

If using Panorama to manage the firewall acting as the web proxy:

Configure Kerberos Authentication

Overview

Kerberos Single Sign-On (SSO) allows domain-joined clients, whose users are logged into the domain, to authenticate transparently to the explicit proxy without needing to re-enter credentials.

Prerequisites:

  1. Create a dedicated service account in Active Directory for the proxy service.
  2. Enable support for AES128 and AES256 encryption in the service account's properties within AD.
  3. Register a Service Principal Name (SPN) for the proxy's Fully Qualified Domain Name (FQDN) associated with the service account (e.g., `HTTP/proxy.example.com@EXAMPLE.COM`).
  4. Generate a Kerberos keytab file for this SPN using the service account's credentials. The principal name in the keytab must match the hostname clients use to resolve the proxy interface IP address.
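As an added example (not part of the Palo Alto Networks documentation), the following Python script parses an MIT-format keytab and checks it against the prerequisites above: there must be an entry whose principal is `HTTP/<proxy FQDN>@REALM`, and that entry's encryption type must be AES128 or AES256. It assumes version 0x0502 keytabs (what ktpass and ktutil write) and uses a sample keytab constructed in the script by `build_keytab`, a helper written for this demo.

```python
import struct

AES_ENCTYPES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96"}  # RFC 3961 numbers

def _pack_str(s):        # keytab counted octet string: uint16 length + bytes
    return struct.pack(">H", len(s)) + s
def _read_str(b, off):   # inverse of _pack_str; returns (bytes, new_offset)
    (n,) = struct.unpack_from(">H", b, off)
    return b[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(data):  # MIT keytab, version 0x0502 -> list of entry dicts
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)
        if size <= 0:                          # negative size = deleted slot
            raise ValueError("deleted keytab slots are not supported here")
        end = off + 4 + size
        (ncomp,) = struct.unpack_from(">H", data, off + 4)
        realm, off = _read_str(data, off + 6)
        comps = []
        for _ in range(ncomp):                 # in v0x0502 the realm is not counted
            c, off = _read_str(data, off)
            comps.append(c.decode())
        _name_type, _timestamp, kvno, enctype = struct.unpack_from(">IIBH", data, off)
        key, off = _read_str(data, off + 11)
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(),
                        "enctype": enctype, "kvno": kvno, "keylen": len(key)})
        off = end                              # skips the optional 32-bit kvno field
    return entries

def check_proxy_keytab(data, proxy_fqdn, realm):
    """Findings against the page's prerequisites; an empty list means the keytab passes."""
    expected = "HTTP/%s@%s" % (proxy_fqdn, realm.upper())
    matching = [e for e in parse_keytab(data) if e["principal"] == expected]
    findings = [] if matching else ["no entry for %s (must match the hostname clients resolve)" % expected]
    findings += ["%s uses non-AES enctype %d" % (e["principal"], e["enctype"])
                 for e in matching if e["enctype"] not in AES_ENCTYPES]
    return findings

def build_keytab(entries):   # constructed writer (demo only): (principal, enctype, key) tuples
    out = b"\x05\x02"
    for principal, enctype, key in entries:
        name, realm = principal.rsplit("@", 1)
        body = struct.pack(">H", name.count("/") + 1) + _pack_str(realm.encode())
        body += b"".join(_pack_str(c.encode()) for c in name.split("/"))
        body += struct.pack(">IIBH", 1, 0, 2, enctype) + _pack_str(key)   # kvno 2
        out += struct.pack(">i", len(body)) + body
    return out

SAMPLE = build_keytab([("HTTP/proxy.example.com@EXAMPLE.COM", 18, b"\x11" * 32),     # AES256, correct
                       ("HTTP/oldproxy.example.com@EXAMPLE.COM", 23, b"\x22" * 16)])  # RC4, stale SPN
```

Run `check_proxy_keytab(open("proxy.keytab", "rb").read(), "proxy.example.com", "EXAMPLE.COM")` against the keytab you are about to import; a non-empty result points at the SPN or enctype mismatch before it shows up as a failed browser challenge.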

Firewall Configuration Steps:

  1. Create a Kerberos Server Profile (Device > Server Profiles > Kerberos) pointing to your Key Distribution Center (KDC), usually your Domain Controllers.
  2. Configure an Authentication Profile (Device > Authentication Profile):
    • Set Type to Kerberos.
    • Select the Kerberos Server Profile created above.
    • Import the keytab file generated in the prerequisites.
  3. (Optional but Recommended) Configure a Log Forwarding Profile (Objects > Log Forwarding) to send Authentication logs to Panorama or Strata Logging Service for easier troubleshooting. Apply this profile later in the Authentication Policy.
  4. Navigate to the Explicit Proxy configuration (Network > Proxy > Explicit Proxy).
  5. Select Kerberos Single Sign On as the Authentication service type.
  6. (Optional) If using SSL Decryption for proxy traffic, check Strip ALPN to remove Application-Layer Protocol Negotiation values. (Requires HTTPS proxying to be enabled.)
  7. Select the Authentication Profile (using Kerberos) created in Step 2.
  8. Complete the remaining Explicit Proxy configuration steps (interfaces, ports, etc.).
  9. Configure an Authentication Policy rule (Policies > Authentication) matching the proxy traffic and setting the Authentication Enforcement to use the Kerberos Authentication Profile. Apply the Log Forwarding profile here if configured.
  10. Commit the changes.

If users experience issues with browser challenges, particularly with Chrome, testing an alternate browser may be helpful during troubleshooting.

Auto-Generated Rules (SAML / CIE)

When configuring SAML or Cloud Identity Engine authentication for explicit proxy, the firewall or Panorama automatically generates several supporting policy rules and objects to allow the necessary communication flows. You generally do not need to manually create these specific rules. If using Panorama, you must select an individual managed firewall to view these auto-generated rules.

Auto-Generated Security Rules:

List of auto-generated SWG security rules

Auto-Generated Objects:

Configure SAML Authentication

Overview

SAML allows leveraging an external Identity Provider (IdP) like Okta, Azure AD, Ping Identity, etc., for user authentication, often enabling Single Sign-On (SSO) and Multi-Factor Authentication (MFA).

SAML authentication for explicit web proxy requires Panorama and the Cloud Services plugin (version 3.2.1 or later).

Prerequisites:

  1. Configure Explicit Proxy for mobile users via Prisma Access/Panorama (the Prisma Access framework may still be used even if you do not use Prisma Access for tunnels). Commit and push the changes.
  2. Configure a SAML Identity Provider Server Profile (Device > Server Profiles > SAML Identity Provider) and an Authentication Profile (Device > Authentication Profile) using Type `SAML` and referencing the IdP profile.

Firewall Configuration Steps:

  1. (Optional; required for XAU) If receiving authentication information from a downstream proxy via the X-Authenticated-User header, configure the downstream proxy's IP as a Trusted Source Address:
    • Select Device > User Identification > User Identification > Settings (cog icon) > Trusted Authentication Gateways (the path may vary slightly by version).
    • Enable the feature and Add the IP address object(s) of the downstream proxy server(s).
  2. Navigate to the Explicit Proxy configuration (Network > Proxy > Explicit Proxy).
  3. Select SAML/CAS as the Authentication service type.
  4. (Optional but recommended) If using SSL Decryption, check Strip ALPN.
  5. Select the Authentication Profile (using SAML) created previously.
  6. Complete the remaining Explicit Proxy configuration steps.
  7. Configure an Authentication Policy rule (Policies > Authentication) matching the proxy traffic and setting the Authentication Enforcement to use the SAML Authentication Profile. Apply Log Forwarding if desired.
  8. Commit the changes.

Configure Cloud Identity Engine Authentication

Overview

The Cloud Identity Engine (CIE) provides a cloud-based service to centralize identity information from various sources (like Azure AD, Okta, GCP) and simplifies authentication and group mapping configuration on the firewall.

Prerequisites:

  1. Configure Explicit Proxy for mobile users via Prisma Access/Panorama. Commit and push the changes.
  2. Set up the Cloud Identity Engine and configure a Cloud Identity Engine Authentication Profile (Device > Authentication Profile) using Type `Cloud Identity Engine`.

Firewall Configuration Steps:

  1. (Optional; required for XAU) Configure Trusted Source Addresses as described in the SAML section if needed.
  2. Navigate to the Explicit Proxy configuration (Network > Proxy > Explicit Proxy).
  3. Select SAML/CAS as the Authentication service type (CIE authentication leverages SAML flows).
  4. (Optional but recommended) Check Strip ALPN if using SSL Decryption.
  5. Select the Authentication Profile (using Cloud Identity Engine) created previously.
  6. Complete the remaining Explicit Proxy configuration steps.
  7. Configure an Authentication Policy rule (Policies > Authentication) matching the proxy traffic and setting the Authentication Enforcement to use the CIE Authentication Profile. Apply Log Forwarding if desired.
  8. Commit the changes.
