Transparent Proxy Overview

With transparent proxy, the client browser is not aware of the proxy's existence. Traffic is intercepted and redirected to the proxy based on network configuration (specifically NAT policies on the firewall).

This mode supports inline firewall deployments but does not support WCCP (Web Cache Communication Protocol). Authentication is typically not performed directly by the transparent proxy itself in this mode, as the client isn't configured to interact with it for authentication.

While PAN-OS can achieve transparent interception and inspection, it differs from traditional dedicated transparent proxy appliances. The PAN-OS approach relies on policy-based interception (NAT, Security, Decryption) rather than a specific "proxy mode" setting for traffic flow itself, although specific proxy *features* are enabled under Network > Proxy .

1. License Activation (VM-Series, PA-1400, PA-3400):

   For specific models like VM-Series, PA-1400, and PA-3400, the web proxy feature requires license activation.

   • VM-Series: Log in to the Customer Support Portal (CSP), edit the relevant deployment profile, select Web Proxy (Promotional Offer) or the appropriate license, and click Update Deployment Profile .
   
   • On the firewall, retrieve the license keys from the server ( Device > Licenses > Retrieve license keys from license server ). Restart if retrieval fails initially.
   • PA-1400/PA-3400: Follow standard subscription license activation steps ( Activate Subscription Licenses ).

2. Set Up Interfaces and Zones:

   Configure the necessary interfaces. Best practice is to use Layer 3 interfaces, each in its own zone within the same virtual router.

   • Client Interface: Interface facing the clients whose traffic will be proxied (e.g., ethernet1/1 in zone Trust ).
   • Internet Interface: Interface facing the internet/external network (e.g., ethernet1/2 in zone Untrust ).
   • Proxy Loopback Interface: Configure a dedicated Loopback interface (e.g., loopback.1 ). Assign it an IP address (e.g., 192.168.254.254/32 ) and place it in its own zone (e.g., Proxy-Zone ) within the same virtual router as the client and internet interfaces. This loopback IP is where client traffic will be redirected via NAT. Note down this IP address.

3. Set Up DNS Proxy:

   Configure DNS Proxy to handle DNS requests intercepted by the proxy function.

   • Configure a DNS Proxy Object ( Network > DNS Proxy ). Enable it on the interface facing the clients (e.g., ethernet1/1 ).
   • Configure a DNS Server Profile ( Device > Server Profiles > DNS ) specifying Primary and Secondary DNS servers.
   • (Note: While the text mentions specifying the loopback interface for the proxy connection in DNS setup, typically DNS Proxy is enabled on the client-facing interface, and the firewall uses its standard routing/Service Routes to reach external DNS servers).

   Ensure reliable DNS resolution is available for the firewall.

4. (Optional) Certificate Setup for Decryption:

   If you intend to decrypt HTTPS traffic intercepted by the transparent proxy (which is essential for full visibility), configure SSL Forward Proxy. This involves generating/importing a Forward Trust CA certificate and deploying it to clients. Refer to SSL Forward Proxy documentation for details.

   (See Create a Self-Signed Root CA Certificate or use an Enterprise CA).

5. Enable Transparent Proxy Mode:

   • Navigate to Network > Proxy .
   • Click Edit for Proxy Enablement .
   • Select Transparent Proxy as the Proxy Type .
   • Click OK .
   

   If 'Transparent Proxy' is not an option, verify the license activation (Step 1).

   • Click Edit for Transparent Proxy Configuration .
   
   • Specify the Connect Timeout (seconds the proxy waits for server response, default usually fine).
   • Select the Upstream Interface : Choose the dedicated Loopback interface created in Step 2 (e.g., loopback.1 ).
   • Enter the IP address of the loopback interface as the Proxy IP .
   • Select the DNS Proxy object created in Step 3.
   • Click OK .

6. Configure Destination NAT (DNAT) Policy (CRITICAL):

   This rule redirects the client's original web request (port 80/443) to the proxy loopback interface.

   • Navigate to Policies > NAT and Add a NAT rule.
   • Place this rule before any general outbound Source NAT (SNAT) rules.
   
   • Original Packet Tab:
     • Source Zone: Zone containing clients (e.g., Trust ).
     • Destination Zone: Zone facing the internet (e.g., Untrust ).
     • Destination Interface: Any (or specific external interface).
     • Service: Typically service-http and service-https (or a service group containing TCP/80, TCP/443).
     • Destination Address: Any (or specific external destinations if limiting scope).
   
   • Translated Packet Tab:
     • Source Address Translation: Set Type to None (No SNAT in this rule).
     • Destination Address Translation:
       • Set Translation Type to Dynamic IP (with session distribution) (or Static IP if preferred, DIPP generally suitable here).
       • Set Translated Address to the IP address of the Proxy Loopback interface (e.g., 192.168.254.254 ).
       • Set Translated Port to the port the transparent proxy listener expects (typically 8080 ).
       • Session Distribution: Can usually be left as default (e.g., Round Robin - not strictly applicable here but required field).
   
   • Click OK .

7. Configure Supporting Security Policies:

   Multiple rules are needed to allow the complete flow:

   • Client to Proxy Zone: Allow traffic from the client zone (e.g., `Trust`) to the Proxy Loopback zone (`Proxy-Zone`) for destination port 8080 (or the configured proxy port). Apply relevant Security Profiles here for initial inspection before traffic leaves the firewall.
   • Proxy Zone to Internet: Allow traffic originating from the Proxy Loopback zone (`Proxy-Zone`) to the internet zone (`Untrust`). Apply necessary Security Profiles (URL Filtering, Threat Prevention, etc.) here for outbound inspection.
   • DNS Access: Ensure both clients (via DNS Proxy) and the firewall itself (potentially via the Proxy Loopback interface or another Service Route) can reach necessary DNS servers.

8. Configure Source NAT (SNAT) Policy:

   • Create a standard outbound SNAT rule (placed *after* the DNAT rule) to translate traffic originating from the Proxy Loopback zone going to the internet (`Untrust` zone) to use an appropriate external IP address (e.g., the firewall's external interface IP).

9. (Optional) Configure Decryption Policy:

   • If inspecting HTTPS, create Decryption Policy rules (as described in SSL Forward Proxy documentation) matching traffic from the client zone (`Trust`) to the internet zone (`Untrust`) for Service `service-https`.
   • (Optional but recommended) In the Decryption Profile ( Objects > Decryption Profile > SSL Decryption > SSL Forward Proxy ), check Block sessions on SNI mismatch with Server Certificate (SAN/CN) for added security.
   

10. Commit Changes:

    Commit the configuration. The documentation suggests making a minor change in DNS Proxy and Interface settings and committing again if this is the initial setup to ensure all settings populate correctly (this might be less necessary in modern versions but worth noting).

Why is destination NAT needed

A Destination NAT (DNAT) rule is absolutely essential for a Palo Alto Networks firewall to function as a transparent proxy because of how client traffic is initially addressed and how the proxy service needs to intercept it.

Here's why:

1. Client Unawareness: In a transparent proxy setup, the client's web browser is not configured to use a proxy. It believes it's sending web requests (e.g., to www.example.com on port 80 or 443) directly to the internet. The client has no knowledge of the firewall's internal proxy service or its dedicated IP address and port (e.g., the loopback IP 192.168.254.254 on port 8080, as per the example).
2. Need for Interception: For the firewall's proxy engine to inspect and apply policies to this web traffic, the traffic must be forcibly redirected to it. Without intervention, the client's web request would simply be routed through the firewall (if allowed by Security policies) straight to the internet, completely bypassing the proxy features.
3. DNAT as the Redirector: The DNAT rule is the mechanism that performs this necessary redirection.
   • It matches specific traffic: The DNAT rule is configured to identify web traffic (typically TCP ports 80 and 443) originating from the client zone (e.g., Trust) and destined for the internet zone (e.g., Untrust).
   • It changes the destination: When a packet matches these criteria, the DNAT rule rewrites the destination IP address of the packet from the original internet server's IP to the firewall's proxy loopback IP. It also rewrites the destination port from the original web port (80/443) to the port the proxy service is listening on (e.g., 8080).
4. Enabling Proxy Processing: Once the DNAT rule has altered the packet's destination, the firewall's internal routing directs this modified packet to its own proxy service (listening on the loopback interface and specified port). The proxy engine can then process the request, apply URL filtering, threat prevention, decryption (if configured), and other security policies.

In summary, the DNAT rule is the critical component that makes the "transparent" interception possible. It hijacks the client's original web-bound connection and steers it towards the firewall's internal proxy service without the client needing to be aware or reconfigured. Without DNAT, the proxy service would never receive the traffic it's supposed to inspect.

In laymen term

Layman's Explanation: Why DNAT is Needed for Transparent Proxy

Imagine you want to send a letter (your internet request) to a friend in another city (a website).

• Normally: You put your friend's address (the website's address) on the envelope, and the post office (your internet router/firewall) just sends it along.
• With a "Transparent Proxy": The firewall wants to secretly act like a security checkpoint. It wants to open your letter, check if it's safe and appropriate (like checking for viruses or if you're allowed to visit that website), and then send it on to your friend.
  • The Problem: You've addressed the letter directly to your friend. Your letter will just bypass this new security checkpoint because it's not addressed to the checkpoint.
  • The Solution (DNAT): DNAT is like a super-smart mail sorter inside the post office (firewall). When this sorter sees a letter (web request) going to any friend (any website), it quickly and secretly erases your friend's address and writes down the address of the "Internal Security Checkpoint" (the proxy service inside the firewall).
  • What Happens Next: Your letter now goes to this internal checkpoint. The checkpoint opens it, inspects it, and if everything is okay, it puts it in a new envelope, addresses it to your actual friend, and sends it out.

Why "Transparent"? Because you (your computer) never knew the address was changed. You still think you sent the letter directly to your friend. The DNAT and the proxy did their work invisibly in the background.

So, DNAT is needed to trick the internet traffic into going to the firewall's internal inspection engine (the proxy) instead of directly out to the internet, all without you having to change any settings on your computer.

For the PCNSE exam, understand:

• The concept of Transparent Proxy (client unawareness).
• How PAN-OS achieves this via policy interception (DNAT redirecting to proxy service).
• The key configuration components: Enabling Transparent Proxy mode, specifying the Loopback interface/IP and DNS Proxy object in the Transparent Proxy Configuration.
• The critical role of the DNAT policy rule to redirect traffic (port 80/443) to the proxy loopback IP and port (e.g., 8080).
• The need for supporting Security Policy rules allowing client-to-proxy-zone traffic and proxy-zone-to-internet traffic.
• The need for a corresponding SNAT rule for traffic leaving the proxy zone to the internet.
• That inspection relies on Security Profiles attached to the Security rules, and HTTPS inspection requires SSL Forward Proxy Decryption.
• The requirement for the Web Proxy license on specific platforms (VM, PA-1400, PA-3400).

Take the Quiz

take the quiz click here