GlobalProtect supports sending internet traffic to an external proxy or sending internet
and private application traffic through tunnels terminating in mobile users, or a
combination of both. To support this capability, GlobalProtect runs in the following
modes:
Proxy-only—When in proxy-only mode, GlobalProtect directs traffic exclusively to the
Agent-Based Proxy without establishing a tunnel for mobile user access. Traffic for
the Agent-Based Proxy follows the rules specified in the proxy auto-configuration (PAC) file.
Tunnel-only—In tunnel-only mode, GlobalProtect operates in the same manner as
previously, without redirecting traffic to the Agent-Based Proxy. It establishes a
tunnel for mobile users through which all traffic is routed. All current split
tunnel rules remain applicable and are supported.
Tunnel-only Prisma Access—Tunnel-only Prisma Access mode closely resembles
tunnel-only, with the exception being that in an internal network, GlobalProtect
only establishes a tunnel to an external gateway. This differs from tunnel-only
mode, where GlobalProtect either does not create a tunnel in an internal network or
creates a tunnel to an internal gateway.
Hybrid—In hybrid mode, GlobalProtect directs traffic to the Agent-Based Proxy
according to the rules in the PAC file. Additionally, it establishes a tunnel and
routes private app traffic to mobile users. All current split tunnel rules remain
applicable and supported.
Customers who choose to use Agent-Based Proxy access in Prisma Access require visibility
into application access through Agent-Based Proxy as well as the performance of
Agent-Based Proxy as an element of Prisma Access' service. With ADEM, Agent-Based Proxy
forwards all internet traffic to Prisma Access and allows for customized forwarding
beyond the scope of PAC based on:
Destination, user or user group, operating system, or location (static branch
egress IPs).
From Strata Cloud Manager, select ManageConfigurationNGFW and Prisma Access.
For Configuration Scope, select
Explicit Proxy, and under Security
Services, select
Decryption.
Create a new decryption profile. Under Decryption
Profiles, select Add Profile, and
complete the required information. Ensure that the Block
sessions with untrusted issuer option under
No Decryption is not checked.
Create an Address Group with required ADEM URLs. Navigate
to Objects, and select AddressAddress Groups. Click Add Address Group.
Add the following ADEM URLs to the address group.
agents.dem.prismaaccess.com
agents.jp1.ap-northeast-1.dem.prismaaccess.com
agents.sg1.ap-southeast-1.dem.prismaaccess.com
agents.au1.ap-southeast-2.dem.prismaaccess.com
agents.ca1.ca-central-1.dem.prismaaccess.com
agents.eu1.eu-central-1.dem.prismaaccess.com
agents.uk1.eu-west-2.dem.prismaaccess.com
agents.us1.us-east-2.dem.prismaaccess.com
updates.dem.prismaaccess.com
agents.in1.ap-south-1.dem.prismaaccess.com
Create a Security policy rule and add the newly created address group object
to it.
To do so, click the + icon under DestinationAddresses and add the address group you created, as shown in the
following image.
Create a new decryption policy. Navigate back to Security ServicesDecryption, and in Decryption Policies , click
Add Rule.
Name the decryption policy; for example,
No-Decrypt-ADEM.
Under Destination, select Address
Groups, and add the Address Group
you created in step 2.
Under Action and Advanced Inspection:
Under Action, select Do Not
Decrypt.
Under Decryption Profile, select the
Decryption Profile you created in
step 1.
Under Decryption Policies, move the new
No-Decrypt-ADEM policy above the default
Decrypt All policy so the newly created policy is
preferred for ADEM destinations. For non-ADEM destinations, the
Decrypt All policy is present, so moving the new
policy does not alter any existing security posture.