PAN-OS Web Proxy Quiz (Explicit & Transparent)

Web Proxy Knowledge Check (PCNSE Focus)

1. What is the primary difference between an Explicit Proxy and a Transparent Proxy configuration on PAN-OS?

The defining characteristic is client awareness. Explicit proxy requires clients to be configured to send traffic *to* the proxy IP/port. Transparent proxy intercepts traffic destined elsewhere without client configuration.

2. Where is the primary setting to enable either Explicit or Transparent Proxy mode globally on the firewall?

The global switch between Explicit, Transparent, or None is configured under Network > Proxy by editing the Proxy Enablement settings.

3. For Transparent Proxy to function, what critical policy type is required to redirect client web traffic (port 80/443) to the proxy service?

Transparent Proxy relies on a DNAT rule to intercept traffic originally destined for external web servers and translate its destination to the firewall's internal proxy service IP (usually a loopback) and port (usually 8080).

4. In an Explicit Proxy configuration, what information must be configured on the client devices?

Clients using an explicit proxy need to be explicitly told where to send their web traffic: this involves configuring the proxy server's IP address (the firewall's listening interface IP) and the proxy port (default 8080, unless changed) in the browser or OS settings.

5. Which authentication methods can be configured directly within the Explicit Proxy Configuration settings? (Select TWO)

The Explicit Proxy configuration window specifically offers options for enabling 'Kerberos Single Sign On' or 'SAML/CAS' as the authentication service type, requiring corresponding Authentication Profiles. RADIUS/TACACS+ are configured via Authentication Policy rules, not directly in the proxy settings.

6. In a Transparent Proxy configuration, what is the recommended type of interface for the 'Upstream Interface' setting?

For Transparent Proxy, the DNAT rule redirects traffic to the internal proxy service. This service is typically bound to a dedicated Loopback interface, which is then selected as the 'Upstream Interface' in the Transparent Proxy configuration.

7. Which PAN-OS feature is essential for inspecting HTTPS traffic passing through either Explicit or Transparent proxy?

Without SSL Forward Proxy decryption configured via Decryption Policy, the firewall cannot see inside HTTPS tunnels and therefore cannot apply URL Filtering (beyond SNI), Threat Prevention, File Blocking, or accurate App-ID to the encrypted content.

8. An administrator wants to allow printers (which cannot authenticate) to access an update server via the Explicit Proxy. What should they configure?

Authentication exemptions for Explicit Proxy are configured using Authentication Policy rules. A rule matching the source IPs (printers) and potentially destination URL category/address, with the 'Bypass Web Proxy Authentication' option enabled, allows the traffic through without an authentication challenge.

9. In a Transparent Proxy setup, where are Security Profiles like URL Filtering and Threat Prevention applied to inspect the proxied web traffic?

Inspection happens via Security Profiles attached to Security Policy rules. For transparent proxy, the critical inspection point is the rule allowing the traffic *after* it has been redirected to the proxy service and is heading *out* towards the internet.

10. What is the purpose of the 'Strip ALPN' option in the Explicit Proxy configuration?

The ALPN extension allows clients and servers to negotiate protocols like HTTP/2 during the TLS handshake. In some decryption scenarios, removing this extension can improve compatibility or force fallback to HTTP/1.1 if needed.

11. Which component handles DNS resolution for requests made through the web proxy service?

Both Explicit and Transparent Proxy configurations require selecting a configured DNS Proxy object. The proxy service uses this object (and the DNS servers defined within its associated DNS Server Profile) to resolve hostnames requested by clients.

12. True or False: Transparent Proxy mode requires installing a PAC file on client browsers.

False. Transparent Proxy is designed to be invisible to the client; no client-side configuration (like PAC files or manual settings) is needed. Explicit Proxy typically uses these methods.

13. In a Transparent Proxy DNAT rule, what is typically configured as the 'Translated Port'?

The DNAT rule intercepts traffic going to the standard web ports (80/443) and redirects it to the internal proxy service listener port, which defaults to 8080 but can be changed in the proxy configuration.

14. Can User-ID information be leveraged in Security policies that inspect traffic passing through an Explicit Proxy?

Yes. Explicit Proxy supports authentication methods (Kerberos, SAML, CIE) that integrate with User-ID. Successful authentication creates an IP-to-User mapping, allowing subsequent Security policies to use Source User criteria.

15. What feature allows the Explicit Proxy to handle Kerberos authentication without requiring the user to re-enter credentials?

When configured correctly with a keytab file and SPN, Kerberos SSO allows the browser on a domain-joined machine to automatically negotiate authentication with the proxy using the user's existing domain logon ticket.

16. Which proxy type generally offers easier troubleshooting from the client perspective because the client is aware of the proxy?

Since the client is explicitly configured to use the proxy in Explicit mode, troubleshooting often starts by verifying those client settings and connectivity *to* the proxy server, which can be more direct than diagnosing transparent interception issues.

17. Does PAN-OS Web Proxy provide web content caching functionality?

No. Palo Alto Networks firewalls function as security devices, not content caching servers. The web proxy features are for visibility, control, and security inspection, not for storing and serving web objects locally.

18. What must be configured for the firewall's transparent proxy service (listening on a loopback) to send traffic out to the internet?

Traffic redirected to the proxy loopback needs a Security Policy rule to allow it to egress towards the internet zone. Because it originates from an internal IP (the loopback), it also typically needs a Source NAT (SNAT) rule to translate its source IP to a public address.

19. Which specific firewall models require a Web Proxy license to enable Explicit or Transparent Proxy functionality?

As per the documentation, the Web Proxy feature requires explicit licensing on the VM-Series, PA-1400 Series, and PA-3400 Series platforms.

20. True or False: Authentication exemptions for Explicit Proxy are configured within the main Explicit Proxy Configuration window.

False. Authentication exemptions for Explicit Proxy are configured within Authentication Policy rules (Policies > Authentication) using the 'Bypass Web Proxy Authentication' checkbox, not within the Network > Proxy settings window itself.