Configure Agent-Based Proxy for ADEM
Learn how to configure Agent-Based Proxy support for Autonomous DEM (ADEM).
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license
  • ADEM or Strata Cloud Manager Pro license
GlobalProtect supports sending internet traffic to an external proxy, sending internet and private application traffic through tunnels established for mobile users, or a combination of both. To support this capability, GlobalProtect runs in one of the following modes:
  • Proxy-only—When in proxy-only mode, GlobalProtect directs traffic exclusively to the Agent-Based Proxy without establishing a tunnel for mobile user access. Traffic for the Agent-Based Proxy follows the rules specified in the proxy auto-configuration (PAC) file.
  • Tunnel-only—In tunnel-only mode, GlobalProtect operates as it did before Agent-Based Proxy support, without redirecting any traffic to the Agent-Based Proxy. It establishes a tunnel for mobile users through which all traffic is routed. All existing split tunnel rules remain applicable and supported.
  • Tunnel-only Prisma Access—Tunnel-only Prisma Access mode closely resembles tunnel-only, with the exception being that in an internal network, GlobalProtect only establishes a tunnel to an external gateway. This differs from tunnel-only mode, where GlobalProtect either does not create a tunnel in an internal network or creates a tunnel to an internal gateway.
  • Hybrid—In hybrid mode, GlobalProtect directs traffic to the Agent-Based Proxy according to the rules in the PAC file. Additionally, it establishes a tunnel and routes private app traffic to mobile users. All current split tunnel rules remain applicable and supported.
Customers who choose to use Agent-Based Proxy access in Prisma Access require visibility into application access through Agent-Based Proxy as well as the performance of Agent-Based Proxy as an element of Prisma Access' service. With ADEM, Agent-Based Proxy forwards all internet traffic to Prisma Access and allows for customized forwarding beyond the scope of PAC based on:
  • Destination, user or user group, operating system, or location (static branch egress IPs).
  • Branches with dynamic egress IP addresses.
  • Geographic locations within the country.

Connect Agent-Based Proxy in ADEM

After you enable ADEM for Mobile Users, connect Agent-Based Proxy for ADEM.
  1. Create a new decryption profile.
    1. From Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access.
    2. For Configuration Scope, select Explicit Proxy, and under Security Services, select Decryption.
    3. Under Decryption Profiles, select Add Profile and complete the required information. Make sure that the Block sessions with untrusted issuer option under No Decryption is not checked.
  2. Create an Address Group with the required ADEM URLs. Navigate to Objects, select Address > Address Groups, and click Add Address Group.
  3. Add the following ADEM URLs to the address group.
    • agents.dem.prismaaccess.com
    • agents.jp1.ap-northeast-1.dem.prismaaccess.com
    • agents.sg1.ap-southeast-1.dem.prismaaccess.com
    • agents.au1.ap-southeast-2.dem.prismaaccess.com
    • agents.ca1.ca-central-1.dem.prismaaccess.com
    • agents.eu1.eu-central-1.dem.prismaaccess.com
    • agents.uk1.eu-west-2.dem.prismaaccess.com
    • agents.us1.us-east-2.dem.prismaaccess.com
    • updates.dem.prismaaccess.com
    • agents.in1.ap-south-1.dem.prismaaccess.com
  4. Create a Security policy rule and add the newly created address group object to it.
    To do so, click the + icon under Destination > Addresses and add the address group you created, as shown in the following image.
  5. Create a new decryption policy. Navigate back to Security Services > Decryption, and under Decryption Policies, click Add Rule.
    1. Name the decryption policy; for example, No-Decrypt-ADEM.
    2. Under Destination, select Address Groups, and add the Address Group you created in step 2.
    3. Under Action and Advanced Inspection:
      1. Under Action, select Do Not Decrypt.
      2. Under Decryption Profile, select the Decryption Profile you created in step 1.
  6. Under Decryption Policies, move the new No-Decrypt-ADEM policy above the default Decrypt All policy so the newly created policy is preferred for ADEM destinations. For non-ADEM destinations, the Decrypt All policy is present, so moving the new policy does not alter any existing security posture.
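To see why the rule order in step 6 matters, here is an added example (not code from the Palo Alto Networks documentation) that simulates top-down, first-match evaluation of the two decryption rules over the ADEM FQDNs from step 3. The rule model and the hostname-based matching are constructed simplifications; the proxy itself matches on resolved FQDN address objects.

```python
"""Offline first-match check of the Explicit Proxy decryption rule order.

Added example, not Palo Alto Networks code. Models the No-Decrypt-ADEM and
Decrypt All rules from the procedure above; matching on bare hostnames is a
simplification (the proxy matches resolved FQDN address objects)."""
from dataclasses import dataclass

# ADEM endpoints from step 3, i.e. the members of the address group.
ADEM_ADDRESS_GROUP = frozenset({
    "agents.dem.prismaaccess.com",
    "agents.jp1.ap-northeast-1.dem.prismaaccess.com",
    "agents.sg1.ap-southeast-1.dem.prismaaccess.com",
    "agents.au1.ap-southeast-2.dem.prismaaccess.com",
    "agents.ca1.ca-central-1.dem.prismaaccess.com",
    "agents.eu1.eu-central-1.dem.prismaaccess.com",
    "agents.uk1.eu-west-2.dem.prismaaccess.com",
    "agents.us1.us-east-2.dem.prismaaccess.com",
    "updates.dem.prismaaccess.com",
    "agents.in1.ap-south-1.dem.prismaaccess.com",
})

@dataclass(frozen=True)
class DecryptionRule:
    name: str
    action: str                                 # "decrypt" or "no-decrypt"
    destinations: "frozenset | None" = None     # None means any destination

    def matches(self, fqdn: str) -> bool:
        host = fqdn.strip().lower().rstrip(".")  # normalise case and trailing dot
        return self.destinations is None or host in self.destinations

def first_match(rules, fqdn):
    """Rules are evaluated top-down; the first match decides the action."""
    for rule in rules:
        if rule.matches(fqdn):
            return rule
    raise LookupError(f"no decryption rule matches {fqdn}")

def adem_hosts_that_would_be_decrypted(rules):
    """ADEM endpoints the rulebase would decrypt; an empty list means the order is right."""
    return sorted(h for h in ADEM_ADDRESS_GROUP if first_match(rules, h).action == "decrypt")

NO_DECRYPT_ADEM = DecryptionRule("No-Decrypt-ADEM", "no-decrypt", ADEM_ADDRESS_GROUP)
DECRYPT_ALL = DecryptionRule("Decrypt All", "decrypt")
BEFORE_STEP_6 = (DECRYPT_ALL, NO_DECRYPT_ADEM)  # new rule still appended below the default
AFTER_STEP_6 = (NO_DECRYPT_ADEM, DECRYPT_ALL)   # after moving it above Decrypt All

if __name__ == "__main__":
    print("misordered:", adem_hosts_that_would_be_decrypted(BEFORE_STEP_6))
    print("corrected:", adem_hosts_that_would_be_decrypted(AFTER_STEP_6))
```

With the misordered rulebase all ten ADEM FQDNs land on Decrypt All; with the corrected order none do, while any other destination still hits Decrypt All.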