Configuring Palo Alto Updates Through The Proxy Server
92464
Created On 09/25/18 17:19 PM - Last Modified 08/01/23 02:43 AM
Objective
- There are certain environments that require all internet bound traffic to be sent through the proxy server.
- This traffic can also include Palo Alto Networks update traffic.
- This article describes the basic points that need to be addressed to allow Palo Alto Networks updates through the proxy server.
Environment
- Palo Alto Firewall or Panorama
- Supported PAN-OS
- Update Server
- Proxy Server
Procedure
The configuration is explained using the following topology.
Palo Alto Networks (management port) --- Proxy server ---- (Trust port) PA (Untrust Port) ---- Internet
Configuration
- Proxy server configuration is done under Device > Setup > Services.
- Proxy server port is the port on which the proxy server is configured to listen for HTTP requests.
- Username and password are the credentials the proxy server is configured to authenticate against.
- The Palo Alto Networks firewall sends an HTTP CONNECT request on the configured proxy port to the proxy server to make connections to the update server on port 443.
- The Palo Alto Networks firewall uses the Basic Proxy Authentication method, sending the credentials in the Proxy-Authorization header.
- The proxy server should be configured to accept the Basic Proxy Authentication method and should not prompt for the username and password to be entered.
- If the proxy server connects to the internet through the Palo Alto Networks firewall's trust interface (as in this topology), the security policy should be configured to allow the application "paloalto-updates".
- Once the proxy server is able to connect to the Palo Alto Networks update server, it sends a Connection Established message to the firewall management interface; the SSL handshake and further communication then proceed to fetch updates through the proxy.
Note: The source IP in the snippet is another NIC on the proxy server used for internet connectivity through the Palo Alto Networks firewall.
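The exchange described above, as an added example in Python that is not part of the article or of any Palo Alto Networks tool: it builds the CONNECT request the firewall's management interface sends with Basic proxy credentials, and classifies the proxy's reply so that a 200 Connection Established (tunnel up, SSL handshake follows) can be told apart from a 407 challenge, which is the "should not prompt" misconfiguration. The update-server name, the sample replies and the check_proxy helper are assumptions constructed for the example.

```python
import base64
import socket

# Constructed placeholder; the article only says "update server on port 443".
UPDATE_SERVER = "updates.example.invalid"

# Constructed sample replies, as a proxy might answer the CONNECT.
SAMPLE_OK = b"HTTP/1.1 200 Connection Established\r\nProxy-Agent: sample\r\n\r\n"
SAMPLE_407 = (b"HTTP/1.1 407 Proxy Authentication Required\r\n"
              b'Proxy-Authenticate: Basic realm="proxy"\r\n\r\n')


def build_connect_request(host, port, user, password):
    """The CONNECT the firewall management interface sends to the proxy. Basic auth
    only base64-encodes user:password, it does not encrypt it, so the hop from the
    management port to the proxy should be a trusted network segment."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    request = (f"CONNECT {host}:{port} HTTP/1.1\r\n"
               f"Host: {host}:{port}\r\n"
               f"Proxy-Authorization: Basic {token}\r\n\r\n")
    return request.encode()


def parse_proxy_response(raw):
    """Classify the proxy's reply: 'tunnel' (2xx, the SSL handshake can start),
    'auth-prompt' (407: the proxy is challenging instead of accepting Basic,
    i.e. it prompts for credentials), or 'refused' (anything else)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    status = int(parts[1])
    headers = {k.strip().lower(): v.strip()
               for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
    verdict = "tunnel" if 200 <= status < 300 else "auth-prompt" if status == 407 else "refused"
    return {"status": status, "reason": parts[2] if len(parts) == 3 else "",
            "verdict": verdict, "challenge": headers.get("proxy-authenticate")}


def check_proxy(proxy_host, proxy_port, user, password, timeout=5):
    """Live check (hypothetical helper): send one CONNECT for the update server."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as s:
        s.sendall(build_connect_request(UPDATE_SERVER, 443, user, password))
        raw = b""
        while b"\r\n\r\n" not in raw:
            chunk = s.recv(4096)
            if not chunk:
                break
            raw += chunk
    return parse_proxy_response(raw)
```

A verdict of "auth-prompt" from check_proxy means the proxy is prompting rather than accepting the Basic header, which matches the failure case the bullets above warn about.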
Additional Information
Here are the CLI commands for the proxy server configuration, if needed.
FW> config
FW# set deviceconfig system secure-proxy-server <x.y.z.q>
FW# set deviceconfig system secure-proxy-port <value>
FW# set deviceconfig system secure-proxy-user <username>
FW# set deviceconfig system secure-proxy-password <value>
FW# commit
FW# exit