
    Brief Analogy

    You know. There was a time when every function had its own box, a firewall here, an email gateway there, and a separate proxy too.

    But now? We’re in an era of orchestration, where one intelligent system replaces three or four traditional systems. It’s not just about consolidation. It’s about doing more with less. And doing it smarter. That’s what Palo Alto Networks is doing.


    What’s Palo Alto Web Proxy

    It is a feature that allows the firewall to act as a central point for controlling and inspecting web (HTTP/HTTPS) traffic without needing to re-route all traffic through the firewall. Put it this way, you do not need another appliance to route traffic independently.

    This feature was introduced in PAN-OS 10.0 in July 2020. Full support, Transparent mode, and new authentication options were added in PAN-OS 11.0 (2023). To activate this feature, you will need to purchase a subscription.

    When is a Palo Alto Web Proxy necessary, or more specifically, when does it become essential?

    The answer is simple. If you want to dispose of old appliances and consolidate everything into a single platform using Palo Alto Firewalls, you will need this feature.

    Here are some reasons.

    • You got branch offices or guest networks, don’t wanna backhaul traffic? Perfect.
    • BYOD or unmanaged devices? Lock ’em down without installing anything.
    • Replacing old proxies like Blue Coat? Palo Alto’s built-in and smarter.
    • Need logs for compliance? It’s got your back.
    • Just wanna control what users do on the web without touching your routing? Done.

    How does it work?

    This configuration is an Explicit Proxy.

    The Web Proxy feature comes with two modes: Explicit and Transparent.


    Explicit Proxy

    As the word explicit implies, users and devices are explicitly configured to direct their HTTP/HTTPS traffic to the firewall’s proxy IP and port (usually via a PAC file or browser settings).

    Pros

    • Granular user-level control (policies based on identity)
    • Deep visibility into web activity
    • Better SSL decryption handling (can prompt users for certs)
    • Easier to troubleshoot (since traffic is intentionally directed)
    • Supports advanced web filtering and authentication
    • Great for branch offices, guest networks, and BYOD environments

    Cons

    • Requires configuration on user devices (PAC file, browser settings)
    • Devices without proxy settings bypass it unless forced
    • Users may tamper with settings or use VPNs to evade it
    • Doesn’t handle non-web traffic (only HTTP/HTTPS)
    • More management overhead in large, dynamic environments

    The best way to think of it is as a classic proxy setup. Users know exactly where to send web traffic.
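
An added example, not from the original article: a minimal PAC file for the explicit mode described above, sending external web traffic to the firewall's proxy and keeping internal hosts direct. The proxy address 192.0.2.10:8080 and the suffix corp.example are placeholders, not values from the article; external sites get no DIRECT fallback, so a client that cannot reach the proxy fails closed instead of bypassing it.

```javascript
// Added example PAC file (not from the article). Placeholder assumptions:
//   192.0.2.10:8080 = the firewall's proxy IP and port
//   .corp.example   = the internal DNS suffix
// Written in ES5 without PAC helper functions so it also runs under Node.
var PROXY = "PROXY 192.0.2.10:8080";
var INTERNAL_SUFFIX = ".corp.example";

// True when host is an IPv4 literal in RFC 1918 or loopback space.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.\d{1,3}\.\d{1,3}$/.exec(host);
  if (!m) return false;
  var a = parseInt(m[1], 10), b = parseInt(m[2], 10);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// Suffix match without String.prototype.endsWith (absent in old PAC engines).
function hasSuffix(host, suffix) {
  var i = host.length - suffix.length;
  return i >= 0 && host.indexOf(suffix, i) === i;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (host.charAt(host.length - 1) === ".") {
    host = host.substring(0, host.length - 1); // drop trailing root dot
  }
  var plainName = host.indexOf(".") === -1 && host.indexOf(":") === -1;
  if (plainName || hasSuffix(host, INTERNAL_SUFFIX) || isPrivateIPv4(host)) {
    return "DIRECT"; // internal destinations skip the proxy
  }
  // No "; DIRECT" fallback: if the proxy is unreachable the request fails
  // instead of silently leaving the network uninspected.
  return PROXY;
}

// Audit helper: does a PAC result allow the client to go around the proxy?
function allowsDirect(result) {
  var parts = result.split(";");
  for (var i = 0; i < parts.length; i++) {
    if (parts[i].replace(/^\s+|\s+$/g, "").toUpperCase() === "DIRECT") return true;
  }
  return false;
}
```

Running `allowsDirect` over the strings an existing PAC file returns is a quick way to spot a `PROXY ...; DIRECT` fallback that lets browsers go around the proxy when it is down.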


    Transparent Proxy

    A transparent proxy intercepts web traffic without requiring any configuration on the user’s device. Users are unaware that they’re being proxied. Traffic is silently redirected for filtering, inspection, or logging.

    Pros

    • Users don’t know they’re being proxied. No configuration is needed on endpoints.
    • Useful when you can’t modify user/browser settings (e.g., unmanaged devices or IoT).
    • Commonly implemented using Policy-Based Forwarding (PBF) or NAT tricks to redirect web traffic to the proxy transparently.

    Cons

    • Harder to troubleshoot (users don’t know it’s there)
    • May break SSL/TLS connections without proper certificate handling
    • Limited user-based policy enforcement (unless integrated with identity tools)
    • More complex to set up with NAT/PBF
    • Some apps/protocols may not work well with interception

    The best way to think of it is like a silent gatekeeper. Users have no idea it’s there, but it’s watching every web request and filtering it behind the scenes. No setup is required on the device. It simply intercepts the traffic mid-flight.


    What is needed to deploy this?

    • PAN‑OS 11.0 or newer
    • Web Proxy license activated
    • 4+ vCPUs, 8+ GB RAM (If you are using a VM)
    • DNS Proxy configured
    • Loopback interface
    • NAT Policies
    • Security and Decryption Policies

    How to set it up?

    I’ll talk about that in a future chapter at a later date.

    Cheers,

