Palo Alto Firewall

Configuration Steps

1. Identify GPT Enterprise Traffic

First, create an application filter or custom application to identify OpenAI/GPT Enterprise traffic:

  • GPT Enterprise typically uses *.openai.com and *.azure.com (for Azure OpenAI)

  • You may need to create a custom App-ID or use URL filtering categories

2. Configure ICAP Server Profile

In your Palo Alto firewall:

  • Navigate to Objects > Security Profiles > ICAP Server

  • Create a new ICAP server profile pointing to your Docker container's IP and port (typically port 1344)

  • Configure the ICAP URI path (e.g., /request and /response)

3. Create a Data Filtering Profile

  • Go to Objects > Security Profiles > Data Filtering

  • Create a profile that uses your ICAP server for inspection

  • Configure it to inspect both request and response traffic

4. Apply to Security Policy

Create or modify a security policy rule:

  • Source: Your internal zones/users

  • Destination: External zone

  • Application: OpenAI/GPT Enterprise (custom app or URL category)

  • Action: Allow

  • Profile Settings: Attach your Data Filtering profile with ICAP

5. SSL Decryption (Critical)

Since GPT Enterprise uses HTTPS, you'll need SSL decryption:

  • Create an SSL decryption policy to decrypt traffic to *.openai.com

  • Use forward proxy with appropriate certificates

  • This is essential for ICAP to inspect the actual payloads

Key Considerations

  • Performance: ICAP inspection adds latency - ensure your Docker container has adequate resources

  • Certificate Trust: Deploy your SSL decryption certificate to client machines

  • Bypass Rules: Consider bypass rules for non-sensitive traffic to reduce load

  • High Availability: Consider running multiple ICAP server instances
