Ctrlk
Contact SupportSubmit a Ticket
For the complete documentation index, see llms.txt. This page is also available as Markdown.

Palo Alto Firewall

Configuration Steps

1. Identify GPT Enterprise Traffic

First, create an application filter or custom application to identify OpenAI/GPT Enterprise traffic:

  • GPT Enterprise typically uses *.openai.com and *.azure.com (for Azure OpenAI)

  • You may need to create a custom App-ID or use URL filtering categories

2. Configure ICAP Server Profile

In your Palo Alto firewall:

  • Navigate to Objects > Security Profiles > ICAP Server

  • Create a new ICAP server profile pointing to your Docker container's IP and port (typically port 1344)

  • Configure the ICAP URI path (e.g., /request and /response)

3. Create a Data Filtering Profile

  • Go to Objects > Security Profiles > Data Filtering

  • Create a profile that uses your ICAP server for inspection

  • Configure it to inspect both request and response traffic

4. Apply to Security Policy

Create or modify a security policy rule:

  • Source: Your internal zones/users

  • Destination: External zone

  • Application: OpenAI/GPT Enterprise (custom app or URL category)

  • Action: Allow

  • Profile Settings: Attach your Data Filtering profile with ICAP

5. SSL Decryption (Critical)

Since GPT Enterprise uses HTTPS, you'll need SSL decryption:

  • Create an SSL decryption policy to decrypt traffic to *.openai.com

  • Use forward proxy with appropriate certificates

  • This is essential for ICAP to inspect the actual payloads

Key Considerations

  • Performance: ICAP inspection adds latency - ensure your Docker container has adequate resources

  • Certificate Trust: Deploy your SSL decryption certificate to client machines

  • Bypass Rules: Consider bypass rules for non-sensitive traffic to reduce load

  • High Availability: Consider running multiple ICAP server instances

PreviousProduction Configuration GuidesNextSupported Network Appliances

Last updated