
PCNSE Exam - Question 502


A consultant deploys a PAN-OS 11.0 VM-Series firewall with the Web Proxy feature in Transparent Proxy mode.

Which three elements must be in place before a transparent web proxy can function? (Choose three.)

Correct Answer: A,B,C,D

For a transparent web proxy to function, the following elements must be in place: First, User-ID for the proxy zone is essential because it ensures that user identities are associated with their web traffic, allowing for user-based policy enforcement. Second, a DNS Security license is necessary to inspect and control DNS traffic, which is a critical component in managing web traffic securely through the proxy. Finally, while it might seem counterintuitive due to the name, a Prisma Access explicit proxy license is still required as the license covers both explicit and transparent proxy functionalities under the Prisma Access suite. Therefore, the correct choices are User-ID for the proxy zone, DNS Security license, and Prisma Access explicit proxy license.

Discussion

17 comments
dgonz Option: A
Sep 18, 2023

answers should be:
- loopback interface,
- User-ID configuration in the proxy zone (A)
- specific Destination NAT (DNAT) rules

Frightened_Acrobat Options: ABC
Apr 12, 2023

A. User-ID for the proxy zone >> is correct for Transparent
B. DNS Security license >> DNS proxy
C. Prisma Access explicit proxy license >> same license for explicit and transparent
Doesn't seem like a great question but D and E are definitely not correct. Transparent mode does not need additional authentication and CDL has nothing to do with web proxy.

Pacheco
Feb 14, 2024

Web Proxy comes from Prisma Access, which uses CDL for logging specifically.

ConfuzedOne Option: A
Jun 2, 2023

@lgkhan - are you sure the Q is written / documented correctly? The link: https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy Shows answers C and D for Explicit Proxy, not Transparent Proxy. The only actual documented requirement for TRANSPARENT Proxy from that link, among the answers provided here, is A.

electro165 Options: ABE
Sep 3, 2023

A. User-ID for the proxy zone: User-ID is essential to associate user identities with their web traffic. This helps in enforcing user-based policies and allows the firewall to track user activities for web proxy functions.
B. DNS Security license: A DNS Security license is required to inspect and enforce policies related to DNS traffic. This is an important component of transparent web proxy functionality as it allows the firewall to filter and control DNS requests made by users.
E. Authentication Policy Rule set to default-web-form: An Authentication Policy Rule set to the "default-web-form" allows the firewall to handle authentication for users accessing the internet through the transparent web proxy. It is essential for user identification and tracking.

tamaster22
Jan 9, 2024

C is for Prisma Access, not PAN-OS Proxy

VenomX51
Apr 14, 2024

E is not needed for Transparent proxy: "Transparent proxy is transparent to the user without requiring additional authentication"

Shastings1 Options: ACE
May 19, 2024

The problem comes in Palo's own documentation. See the 11.0 What's new below. When you get to the transparent how to, you see "if you have not done so already, you have to download the free web proxy license on the Customer Support Portal." I think this is where answer "c" comes from. Cheers

BryanSalazar Options: ABC
Mar 24, 2023

The correct answers are ABC

duckduckgooo Options: ABE
Mar 25, 2023

I don't know.... For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP).

jhoncena Options: ABC
Apr 10, 2023

A. User-ID for the proxy zone >> is correct for Transparent
B. DNS Security license >> can't see why !!
C. Prisma Access explicit proxy license >> for Explicit not transparent
D. Cortex Data Lake license >> not related
E. Authentication Policy Rule set to default-web-form >> not related
no idea !!

Knowledge33 Options: ABC
May 14, 2023

ABC is the correct answer.

kinho1985 Options: ABE
Jun 24, 2023

the correct choices are A. User-ID for the proxy zone, B. DNS Security license, and E. Authentication Policy Rule set to default-web-form.

[Removed]
Jun 26, 2023

link to how you came about that? Why E and no C?

dgonz Options: ABC
Jul 24, 2023

should be ABC

Betty2022 Options: ABC
Aug 6, 2023

https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy#id3d1ea0dd-360f-44ee-8c48-30678c80d509_id2b5c6385-2ec6-4ba8-b1f1-2bea8b5139f5
> (answer C) Configure Explicit Proxy or Configure Transparent Proxy If you have not already done so, activate the license for web proxy.
> (answer A) For the transparent proxy method: User-ID configuration in the proxy zone
> (answer B) Set up the DNS proxy for Transparent Proxy.
X (not D) With transparent proxy, the client browser is not aware of the proxy. Transparent proxy supports inline mode deployment and does not support web cache communication protocol (WCCP). Transparent proxy is transparent to the user without requiring additional authentication.
My own understanding: The real exam question could list answers: loopback interface, Destination NAT (DNAT), so keep a lookout for these as well. We know we need license, and user id in proxy zone as per A and C

Pacheco Options: ACD
Feb 14, 2024

ACD. I think some people are confusing Web Proxy with DNS proxy
A. Required as stated here in the summary at the top > https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-new-features/networking-features/web-proxy
B. Why not B? DNS sec is used for DNS sinkhole in threat prevention. It can be used in conjunction with other stuff like web proxy, but is not required for the latter to work >> https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/threat-prevention/dns-security/about-dns-security
C. The web proxy feature is part of the Prisma Access product suite, and although I can't find extensive references to a transp proxy license, it's the first config step on this doc to activate it > https://docs.paloaltonetworks.com/pan-os/11-0/pan-os-networking-admin/dns/configure-a-web-proxy/configure-transparent-proxy
D. Prisma Access logging relies on CDL, so you need that license too, but I guess it's only required if you want logging.
E. Not related

hcir
Mar 18, 2024

the question does not make sense, there must be a mistake. user-id is not necessary, it is optional. DNS security license is optional too. Prisma Access Explicit Proxy, well, it is for explicit proxy. CDL? loool And there is no authentication for Transparent Proxy.

8f3e6ca Options: ABC
Jun 27, 2024

This is a messed up question. By process of elimination
A - User-ID is required
B - I couldn't find anything on dns sec license but dns proxy is required
C - This makes no sense as it states explicit proxy license and the question stated transparent proxy
D - CDL is required for Prisma
E - Transparent proxy is transparent to the user without requiring additional authentication. That should eliminate "E".
This looks like a "pick the least wrong answer", so I'm guessing A definitely. Even though it shouldn't be right because the question specifies transparent eliminating E and CDL is only required for Prisma logging. I have to go with B and C.

ATRRHMN Options: ABC
Jul 14, 2024

D and E don't make sense at all; A is correct, and BC are the least inaccurate compared with DE

apiloran Options: ABD
Jul 16, 2024

A - User-ID is required
B. DNS Security License
D. CDL
transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP). There is a web-proxy license and there is no license called Prisma Access explicit proxy.