PAN-OS K-12 Chromebooks PAC Proxy Google Admin

Maintaining Web Filtering on Take-Home Chromebooks (At Scale)

A field pattern: use PAC + pass-through proxies so off-campus traffic still traverses your Palo Alto policy stack — without turning your proxy layer into a filtering platform.

The design

Key point: Squid is just a transport hop to force traffic back through the firewall. Filtering stays on PAN-OS.

PAC behavior

The PAC file sends selected domains DIRECT and proxies everything else to Squid on :8080. (Sanitize your real domain list before publishing.)

function FindProxyForURL(url, host)
{
  // Example: force specific domains through proxy
  if (shExpMatch(host, "sites.google.com"))
    return "PROXY proxy.example.org:8080";

  // Example: direct-list (sanitized)
  else if (
    shExpMatch(host, "*.example.org") ||
    shExpMatch(host, "*.google.com") ||
    shExpMatch(host, "*.gstatic.com") ||
    shExpMatch(host, "*.googleapis.com") ||
    shExpMatch(host, "*.googleusercontent.com")
  )
    return "DIRECT";

  // Default: proxy everything else
  return "PROXY proxy.example.org:8080";
}

Authentication enforcement

Next follow-ups: (1) the Chrome extension workflow, (2) the re-auth website workflow.