Onboard Prisma Access Browser on the Strata Cloud Manager

Learn how to onboard Prisma Access Secure Enterprise Browser (Prisma Access Browser) on the Strata Cloud Manager and integrate with Prisma Access.
Where Can I Use This?
What Do I Need?
  • Strata Cloud Manager
  • Prisma Access with Prisma Access Browser bundle license
  • Superuser or Prisma Access Browser role
See the prerequisites before you begin this task.

Complete the Pre-Onboarding Tasks

Before onboarding Prisma Access Browser, you must complete a couple of tasks.
  1. Define the Cloud Identity Engine entities. You configure them in the Cloud Identity Engine that you selected during the activation process.
  2. You need the Authentication profile and the User groups that are part of your onboarding process. These are configured in the Cloud Identity Engine. For more information, refer to the Authentication profile and User groups.
    You can only have one Authentication Profile. If you use more than one Identity Provider (IdP), you can configure multiple IdPs per profile by setting the Authentication Mode to Multiple when you configure the Authentication Profile.

Add IdP Configuration

You can use your current SAML IdP provider to manage a single set of login credentials in your network. The IdP configuration is a component of the Cloud Identity Engine, and you can manage it within that tool.
  1. In the Cloud Identity Engine, select Authentication Type.
  2. Click Add New Authentication Type.
    When you use the IdP provider’s information to populate your user groups, make sure that you enter a valid email address. The UPN isn't sufficient.
  3. In the Set Up Authentication Type, click SAML 2.0 Set Up.
  4. To continue configuring your SAML Authenticator, refer to Configure a SAML 2.0 Authentication Type in the Cloud Identity Engine.
  5. (Optional) Use Google Workspace Integration.

Onboard the Prisma Access Browser

After you complete the pre-onboarding steps, you can onboard the Prisma Access Browser on the Strata Cloud Manager.
You need to activate and configure the Prisma Access Browser in the Strata Cloud Manager before you can add users. In general, you only need to perform this procedure once after Activation; however, you can return to these tasks anytime you need to modify them.
There is a Wizard that you can use for this process, and you can modify the global configuration at any time. The Wizard provides detailed instructions on completing each step of the integration.
The controls that you see depend on your Prisma Access Browser license; not all the Onboarding functionality in the Strata Cloud Manager is available for all licenses.
From the Strata Cloud Manager, select Workflows > Prisma Access Setup > Prisma Access Browser.

Step 1 - Users

Define the user authentication method and onboard User groups.
  1. From the dropdown list, select the CIE profile that will be used for User Authentication.
  2. From the User groups dropdown list, select the User groups that will be able to access Prisma Access Browser.
  3. Next: Prisma Access Integration.

Step 2 - Prisma Access Integration

  1. Enable external connectivity to Prisma Access.
    1. Select Go to Explicit Proxy settings.
    2. This takes you to Workflows > Prisma Access Setup > Explicit Proxy.
    3. Enable the Prisma Access Browser.
    4. Done.
  2. Allow the Prisma Access Browser in the Prisma Access security policy.
    1. Select Manage > Prisma Access > Security Policy.
    2. This takes you to Manage > Prisma Access > Security Policy.
    3. Add a rule that allows web traffic in your security policy.
    4. Push configuration to accept the rule.
    5. Done.
  3. Create a service connection.
    1. Select Create a service connection.
    2. This takes you to Workflows > Prisma Access Setup > Service Connections and Add Service Connection.
    3. Done.
    4. Next: Routing.

Step 3 - Routing

The Routing control allows you to manage the way that the Prisma Access Browser handles network traffic. This feature sets up the default configuration for Prisma Access Browser. If you need to adjust the granularity of the control for a specific Rule, refer to Browser Customization Controls for traffic flows.
  1. Choose one of the following options:
    • Only route private application traffic through Prisma Access.
    • Route all traffic through Prisma Access.
  2. (Optional) Ensure that the Prisma Access Browser traffic flows in an optimal manner when the browser detects it's running within the internal network. This identification is based on establishing a connection with a host that is only available inside the internal network.
    • Enter the FQDN to resolve.
    • Enter the expected IP address.
  3. Next: Enforce SSO applications.
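A pre-check for the FQDN and expected IP address entered in the optional step above, as an added example (not Palo Alto Networks code): the pair is only a reliable internal-network signal if the name resolves to that address inside the network and does not do so from outside. The host name, addresses and the two DNS views are constructed assumptions.

```python
import ipaddress
import socket

# Constructed sample DNS views (assumptions): the probe host is known only to internal DNS.
INTERNAL_VIEW = {"probe.corp.example": {"10.20.0.15"}}
EXTERNAL_VIEW = {}


def view_resolver(view):
    """Build a resolver over a constructed name -> addresses mapping."""
    return lambda fqdn: view.get(fqdn, set())


def system_resolver(fqdn):
    """Resolve with the OS resolver; an unresolvable name yields an empty set."""
    try:
        return {info[4][0] for info in socket.getaddrinfo(fqdn, None)}
    except socket.gaierror:
        return set()


def probe_matches(fqdn, expected_ip, resolver):
    """True when any address returned for fqdn equals expected_ip."""
    expected = ipaddress.ip_address(expected_ip)
    for raw in resolver(fqdn):
        try:
            if ipaddress.ip_address(raw.split("%")[0]) == expected:
                return True
        except ValueError:
            continue  # ignore answers that are not IP literals
    return False


def validate_probe(fqdn, expected_ip, inside, outside):
    """Return the problems with an FQDN / expected-IP pair; empty means usable."""
    problems = []
    if not probe_matches(fqdn, expected_ip, inside):
        problems.append("internal DNS does not return the expected IP")
    if probe_matches(fqdn, expected_ip, outside):
        problems.append("pair also matches outside the network")
    return problems


if __name__ == "__main__":
    inside, outside = view_resolver(INTERNAL_VIEW), view_resolver(EXTERNAL_VIEW)
    print(validate_probe("probe.corp.example", "10.20.0.15", inside, outside))
```

For a live check, pass `system_resolver` as the resolver and run the script once from a machine inside the network and once from one outside it.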

Step 4 - Enforce SSO Applications

It's important that the only way your users can authenticate on SSO-enabled applications is by using the Prisma Access Browser. This ensures that external actors have no access to your enterprise applications. To select your IdP:
  1. In the Choose and configure your identity providers, select the available IdP. The options are:
    • Okta
    • Microsoft Azure Active Directory
    • PingID
    • OneLogin
    • VMware Workspace ONE Access
  2. When you configure your local settings, be sure to take note of the egress IP addresses.
  3. Next: Download and distribute.
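One way to verify the enforcement described above, as an added example (not part of the original page or the product): assuming the IdP is configured to accept sign-ins only from the egress IP addresses noted in step 2, scan exported sign-in events for successful logins from any other source. The event format, field names, addresses and user names are constructed for illustration.

```python
import ipaddress
import json

# Constructed placeholders: replace with the egress IP addresses noted during setup.
EGRESS_NETWORKS = ["198.51.100.0/28", "203.0.113.17/32"]

# Constructed sample of IdP sign-in events (JSON lines); field names are assumptions.
SAMPLE_EVENTS = """\
{"time": "2024-05-01T08:02:11Z", "user": "alice@example.com", "app": "crm", "src_ip": "198.51.100.4", "result": "SUCCESS"}
{"time": "2024-05-01T08:05:40Z", "user": "bob@example.com", "app": "crm", "src_ip": "192.0.2.77", "result": "SUCCESS"}
{"time": "2024-05-01T08:06:02Z", "user": "bob@example.com", "app": "wiki", "src_ip": "192.0.2.77", "result": "FAILURE"}
{"time": "2024-05-01T08:09:13Z", "user": "carol@example.com", "app": "wiki", "src_ip": "203.0.113.17", "result": "SUCCESS"}
{"time": "2024-05-01T08:11:54Z", "user": "dave@example.com", "app": "hr", "src_ip": "not-an-ip", "result": "SUCCESS"}
"""


def find_bypass_signins(lines, egress_networks):
    """Return (line number, user, source, reason) for successful sign-ins not from an egress IP."""
    nets = [ipaddress.ip_network(n) for n in egress_networks]
    findings = []
    for lineno, line in enumerate(lines.splitlines(), 1):
        if not line.strip():
            continue
        event = json.loads(line)
        if event.get("result") != "SUCCESS":
            continue  # a rejected attempt means the restriction held
        try:
            src = ipaddress.ip_address(event.get("src_ip", ""))
        except ValueError:
            # Do not silently trust a success whose origin cannot be checked.
            findings.append((lineno, event.get("user"), event.get("src_ip"), "unparseable source IP"))
            continue
        if not any(src in net for net in nets):
            findings.append((lineno, event.get("user"), str(src), "outside egress ranges"))
    return findings


if __name__ == "__main__":
    for finding in find_bypass_signins(SAMPLE_EVENTS, EGRESS_NETWORKS):
        print(finding)
```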

Step 5 - Download and Distribute

You can download the Prisma Access Browser installation files to test on your own device before sending them out to your users. Once you're satisfied with your tests, you can download the relevant installer to be distributed by your mobile device management (MDM) application.
You can also send your users the download link so that they can download the Prisma Access Browser on their own. This is a single link for macOS and Windows users only.
  1. Select from the available options:
    • Desktop:
      • macOS
      • Windows
    • Mobile:
      • iOS
      • Android
    If you send your users the download link, remind them that they can only log in with the email that is configured in the IdP service.
  2. Next: Browser Policy.

Step 6 - Browser Policy

You can now begin to explore and configure the Prisma Access Browser Policy Engine to create a safe and secure user environment.
  1. Select Browser Policy.
  2. This directs you to Manage > Configuration > Prisma Access Browser > Policy > Rules.
  3. Manage Prisma Access Browser Policy Rules.

Onboard New Users

The Onboarding workflow is a configurable series of windows displayed when a new end user starts using the browser.
Based on the IT needs and requirements, you can select up to eight individual pages that allow the end users to customize the browser with their pictures and bookmarks, and to find out some basic information about the browser – a sort of “Quick-Start” guide.
The Onboarding Wizard customization control configures the Onboarding workflow. You can select which windows will be displayed in your network.
You configure this in Manage > Configuration > Prisma Access Browser > Policy > Profiles when you create or edit a Browser Customization profile and choose Onboarding Wizard. For configuration details, see the Browser Customization Controls for the Onboarding Wizard.
