Configure a Web Proxy

If your network uses a proxy device, learn how to configure a web proxy as either an explicit proxy or a transparent proxy to route authentication traffic.
Where Can I Use This?
  • NGFW (Cloud Managed)
  • NGFW (PAN-OS or Panorama Managed)
What Do I Need?
  • Web proxy license
  • (For cloud-managed NGFW) AIOps for NGFW Premium license.
If your network uses a proxy device for security, you can now leverage the same level of protection using the on-premises web proxy capability with PAN-OS 11.0. The web proxy feature enables additional options for migrating from an existing web proxy architecture to a simple unified management console. The web proxy feature is a complementary solution to Prisma Access and an additional mode of deployment with Prisma Access Explicit Proxy via SAML authentication. Web proxy helps during the transition from on-premises to the cloud with no loss of security or efficiency.
The web proxy supports two methods for routing traffic:
  • For the explicit proxy method, the request contains the destination IP address of the configured proxy and the client browser sends requests to the proxy directly. You can use one of the following methods to authenticate users with the explicit proxy:
    • Kerberos, which requires a web proxy license.
    • SAML 2.0, which requires Panorama, a Prisma Access license, the Cloud Services 3.2.1 plugin (and later versions), and the add-on web proxy license.
    • Cloud Identity Engine, which requires Panorama, a Prisma Access license, the Cloud Services 3.2.1 plugin (and later versions), and the add-on web proxy license.
  • For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support Web Cache Communications Protocol (WCCP) or X-Authenticated Users (XAU).
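The two routing methods also differ in the HTTP request the client sends: a browser configured for an explicit proxy uses an absolute-form request target (or CONNECT for HTTPS), while a client behind a transparent proxy sends an ordinary origin-form request, which looks the same as a request sent with no proxy at all. The following Python sketch is an added example, not Palo Alto Networks code; the function name, mode labels, and sample requests are constructed for illustration.

```python
# Added example (not vendor code): infer how a client addressed the proxy
# from the HTTP/1.1 request-target form (RFC 9112, section 3.2).
from urllib.parse import urlsplit

# Constructed sample requests; hostnames are reserved example names.
EXPLICIT_HTTP = b"GET http://www.example.com/index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
EXPLICIT_TLS = b"CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n"
ORIGIN_FORM = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"


def classify_request(raw: bytes) -> dict:
    """Return the routing method the request implies and its intended destination."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, _version = parts
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()

    if method.upper() == "CONNECT":
        # authority-form: the client asks a proxy it knows about for a tunnel.
        host, sep, port = target.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError("CONNECT target must be host:port")
        return {"mode": "explicit", "host": host, "port": int(port)}
    if target.lower().startswith(("http://", "https://")):
        # absolute-form: the full URL is sent because the peer is a proxy.
        url = urlsplit(target)
        default = 443 if url.scheme == "https" else 80
        return {"mode": "explicit", "host": url.hostname, "port": url.port or default}
    if target.startswith("/"):
        # origin-form: the client believes it is talking to the web server,
        # so an intercepting proxy sees the site name only in the Host header.
        host = headers.get("host")
        if not host:
            raise ValueError("origin-form request without a Host header")
        name, sep, port = host.rpartition(":")
        if sep and port.isdigit():
            return {"mode": "transparent", "host": name, "port": int(port)}
        return {"mode": "transparent", "host": host, "port": 80}  # assumes cleartext HTTP
    raise ValueError("unsupported request-target form")
```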
You can also use advanced routing with web proxy.
The following products support web proxy:
  • PA-1400 Series Firewalls
  • PA-3400 Series Firewalls
  • PA-5400F Series Firewalls
    The PA-5450F series firewall is supported starting with PAN-OS 12.1. It does not support the web proxy feature on PAN-OS versions prior to 12.1.
  • VM-Series Firewalls (with a minimum of four vCPUs)
  • Panorama management systems running PAN-OS 11.1
To configure explicit proxy using SAML authentication, web proxy requires the Cloud Services plugin 3.2.1 or a later version.
Web proxy supports IPv4.
To learn how to configure a web proxy, select the type of proxy or proxy capability that you want to configure: