Configuring Palo Alto Updates Through The Proxy Server

Created On 09/25/18 17:19 PM - Last Modified 08/01/23 02:43 AM


Objective


  • Certain environments require all internet-bound traffic to be sent through a proxy server.
  • This traffic can also include Palo Alto Networks update traffic.
  • This article describes the basic points that need to be addressed to allow Palo Alto Networks updates through the proxy server.


Environment


  • Palo Alto Firewall or Panorama
  • Supported PAN-OS
  • Update Server
  • Proxy Server

 



Procedure


The configuration is explained using the following topology:
Palo Alto Networks (management port) --- Proxy server ---- (Trust port) PA (Untrust Port) ---- Internet

Configuration


 

 

  1. Proxy server configuration is done under Device > Setup > Services.
  2. The proxy server port is the port on which the proxy server is configured to listen for HTTP requests.
  3. The username and password are the credentials that the proxy server is configured to use for authentication.
  4. The Palo Alto Networks firewall sends an HTTP CONNECT request to the proxy server on the configured proxy port to make connections to the update server on port 443.

  5. The Palo Alto Networks firewall will use the Basic Proxy Authentication method where it sends the credentials in the Proxy-Authorization header.
  6. The proxy server should be configured to accept the Basic Proxy Authentication method and should not prompt for a username and password to be entered.
  7. If the proxy server connects to the internet through the Palo Alto Networks firewall trust interface (as in this topology), the security policy should be configured to allow the application "paloalto-updates".

  8. Once the proxy server is able to connect to the Palo Alto Networks update server, it sends a Connection Established message to the firewall management interface. The SSL handshake and further communication to fetch updates then proceed through the proxy.

    Note: The source IP in the snippet is another NIC on the proxy server, used for internet connectivity through the Palo Alto Networks firewall.

Screen Shot 2016-09-25 at 3.46.34 PM.png
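
The exchange in steps 4 to 8, as an added example (not code from Palo Alto Networks): it builds the CONNECT request with a Basic Proxy-Authorization header, reads the credentials back out of it, and classifies the proxy's reply so a proxy that prompts (407) or does not offer Basic is easy to spot. The host updates.example.com, the account name and the password are constructed placeholders, and the function names are hypothetical.

```python
import base64

def build_connect_request(host, port, user, password):
    """CONNECT request with Basic Proxy-Authorization (steps 4 and 5)."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return (f"CONNECT {host}:{port} HTTP/1.1\r\n"
            f"Host: {host}:{port}\r\n"
            f"Proxy-Authorization: Basic {token}\r\n\r\n").encode("ascii")

def recover_credentials(request):
    """Basic is an encoding, not encryption: read the credentials back."""
    for line in request.decode("ascii").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        scheme, _, token = value.strip().partition(" ")
        if name.lower() == "proxy-authorization" and scheme.lower() == "basic":
            user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
            return user, password
    return None

def classify_proxy_reply(reply):
    """Interpret the proxy's answer to CONNECT (steps 6 and 8)."""
    lines = reply.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return "malformed reply"
    status = int(parts[1])
    if 200 <= status < 300:
        return "tunnel established"      # TLS handshake to port 443 follows
    if status == 407:                    # proxy is prompting for credentials
        offered = [l.partition(":")[2].split()[0].lower() for l in lines[1:]
                   if l.lower().startswith("proxy-authenticate:")
                   and l.partition(":")[2].split()]
        if "basic" in offered:
            return "credentials rejected"
        return "basic not offered: " + ", ".join(offered)
    return f"refused ({status})"

if __name__ == "__main__":
    # Constructed sample values; updates.example.com stands in for the update server.
    req = build_connect_request("updates.example.com", 443, "fw-updates", "s3cret")
    print(req.decode("ascii"))
    print(recover_credentials(req))
    for reply in (b"HTTP/1.1 200 Connection established\r\n\r\n",
                  b"HTTP/1.1 407 Proxy Authentication Required\r\n"
                  b"Proxy-Authenticate: Negotiate\r\nProxy-Authenticate: NTLM\r\n\r\n"):
        print(classify_proxy_reply(reply))
```

Because the header is only Base64-encoded, a dedicated proxy account used for nothing else limits what a capture of the management-to-proxy leg exposes.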

 



Additional Information


Here are the CLI commands for proxy server configuration, if needed:
FW> config 
FW# set deviceconfig system secure-proxy-server <x.y.z.q>
FW# set deviceconfig system secure-proxy-port <value>
FW# set deviceconfig system secure-proxy-user <username>
FW# set deviceconfig system secure-proxy-password <value>
FW# commit
FW# exit

 

