PAN-OS K-12 Chromebooks PAC Proxy Google Admin

Maintaining Web Filtering on Take-Home Chromebooks (At Scale)

A field pattern: use PAC + pass-through proxies so off-campus traffic still traverses your Palo Alto policy stack — without turning your proxy layer into a filtering platform.

The design

Ubuntu instances running Apache (hosting the PAC file) and Squid (pass-through only; not filtering).
Proxy settings pushed to Chromebooks via Google Admin (and iPads via MDM).
Internal DNS intentionally does not resolve the proxy name → on-network traffic goes direct and is filtered normally.
External DNS resolves the proxy name to a pool of proxies → off-network traffic lands on a proxy and still gets filtered.
Palo Alto enforces user authentication for proxy use — if you’re not authenticated, nothing works.

Key point: Squid is just a transport hop to force traffic back through the firewall. Filtering stays on PAN-OS.

PAC behavior

The PAC file sends selected domains DIRECT and proxies everything else to Squid on :8080. (Sanitize your real domain list before publishing.)

function FindProxyForURL(url, host)
{
  // Example: force specific domains through proxy
  if (shExpMatch(host, "sites.google.com"))
    return "PROXY proxy.example.org:8080";

  // Example: direct-list (sanitized)
  else if (
    shExpMatch(host, "*.example.org") ||
    shExpMatch(host, "*.google.com") ||
    shExpMatch(host, "*.gstatic.com") ||
    shExpMatch(host, "*.googleapis.com") ||
    shExpMatch(host, "*.googleusercontent.com")
  )
    return "DIRECT";

  // Default: proxy everything else
  return "PROXY proxy.example.org:8080";
}

Authentication enforcement

A Chrome extension authenticates users to the firewall using their external IP context.
A separate re-auth method exists via a website tied to AD + PAN-OS API (best as its own dedicated post).

Next follow-ups: (1) the Chrome extension workflow, (2) the re-auth website workflow.