Configure Prisma Access Browser Browser Security Controls
Configure browser security controls for Prisma Access Secure Enterprise Browser (Prisma Access Browser).
You can configure the controls in the following ways:
- When you're creating a new browser security rule, you can set the controls in the Browser Security controls page.
- You can edit an existing rule.
- You can create a policy profile and attach it to a rule.
- You can select it from Strata Cloud Manager: Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
The following topics show only one of these ways.
Browser Security – Browser Session
Browser Lock
Mobile browser support - Partial support
The Prisma Access Browser includes a lock screen feature enabling
you to apply an extra layer of security to your browser. If the Browser Lock
is enabled, users will need to enter a PIN code or a Passkey to unlock the
browser upon first use, or after a configurable idle time has elapsed. This
feature is especially useful for Unmanaged devices. For Unmanaged devices,
you are not able to configure a device lock. This feature allows you to
protect the enterprise data by configuring a lock on the browser.
This PIN code is browser-dependent and is not related to the SSO password.
The Authentication method is configured in Browser Security ->
Authentication Factor.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Browser Lock.
- Select one of the following options:
  - Enable - enable the Browser Lock.
    - Select the Idle time - 1 minute to 12 hours (or never). This is the time that must elapse before the Browser Lock screen appears.
  - Disable - the Prisma Access Browser will disable malicious file protection.
- Set.
Flush Browser Data
Partial Mobile support
This policy creates temporary browser sessions. This means that browser data
will be cleared upon close, or after a configured time period.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Flush Browser Data.
- Select one of the following options:
  - Enable - the Prisma Access Browser flushes the browser data.
    - Select the attributes to clear:
      - Browsing history
      - Download history
      - Cookies and other site data
      - Cached images and files
      - Passwords and Passkeys
      - Autofill
      - Site settings
      - Host app data
    - Select the trigger for the browser flush action:
      - Browser close - the data will be flushed when the browser is closed.
      - Time period - the data will be flushed after the configured time has elapsed. If this option is selected, you can set the flush time from 1-24 hours.
  - Disable – disable the Browser flush feature.
- Set.
Browser Security – Browser Hardening
Cast
No Mobile support
This feature controls the ability to screencast a tab or the desktop via the
Prisma Access Browser.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Cast.
- Select Allow to permit casting or Block to deny casting.
- Set.
- Restart the browser to apply this feature.
Developer Tools
No Mobile support
This feature actively controls users' ability to open Developer
Tools or manually load browser extensions in "Developer Mode" via "load
unpack". It can also assist with preventing users from running unauthorized
JavaScript code in the Developer Tools console.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Developer Tools.
- Select Allow to permit the Developer options, or Block to deny their use.
- Set.
- Restart the browser to apply this feature.
Password Saving
Mobile support - Full support
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Password Saving.
- Select one of the following options:
  - Allow - Users will be able to save passwords in the browser.
  - Block - Users will be restricted from saving passwords in the browser.
- Set.
Autofill of Forms
No Mobile support
This feature determines whether or not the browser will store
information to autofill forms.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Autofill of Forms.
- Select one of the following options:
  - Allow – The browser will save information to autofill forms in the future.
  - Block – The browser will not save form information to be filled automatically in the future.
- Set.
Autofill of Credit Cards
No Mobile support
This feature determines whether or not the browser will allow users to store
credit card information.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Autofill of Credit Cards.
- Select one of the following options:
  - Allow – Prisma Access Browser will be able to save credit card details.
  - Block – Prisma Access Browser will be restricted from saving credit card details for future use.
- Set.
Native Messaging Hosts
No Mobile support
Native Messaging Hosts allows the software installed on the device to
communicate with Prisma Access Browser and its installed extensions, and
vice versa. Enterprise software that interacts with the browser typically
requires you to select "Allow only hosts installed with admin
permissions."
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Native Messaging Hosts.
- Select one of the following options:
  - Allow – the browser will be able to communicate with Native Messaging Hosts.
  - Allow only hosts installed with admin permissions
  - Block – the browser’s use of Native Messaging Hosts will be restricted.
- Set.
JavaScript Running from Omnibox
No Mobile support
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select JavaScript Running from Omnibox.
- Select one of the following options:
  - Allow – the Prisma Access Browser will allow JavaScript to run from omnibox.
  - Block – the Prisma Access Browser will restrict JavaScript from running from omnibox.
- Set.
Keylogging Protection
No Mobile support
This policy allows you to determine if keylogging protection will be enabled.
Keylogging tools can monitor and report a user's actions as they interact
with the computer. As the name suggests, a keylogger records what the user
types, and reports the information back to whoever installed the logger.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Keylogging Protection.
- Select one of the following options:
  - Allow – Keyloggers will be prevented from listening to keystrokes typed on Prisma Access Browsers.
  - Block – Keylogging protection is turned off.
- Set.
Popups
No Mobile support
With this feature, you can control the display of popups in the
browser.
The popups can be allowed, allowed with exceptions, blocked, or
blocked with exceptions.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Popups.
- Select one of the following options:
  - Allow – Popups will be permitted in the browser. You can specifically exclude domains from being allowed. This will block popups from those domains only.
  - Block – Popups will be blocked. You can specifically exclude domains from being blocked. This will allow popups from those domains only.
- Set.
Notifications
No Mobile support
You can use this feature to control notifications being displayed within the
browser. The notifications can be allowed, allowed with exceptions, blocked,
or blocked with exceptions.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Notifications.
- Select one of the following options:
  - Allow - Notifications will be permitted in the browser. You can specifically exclude specific domains. This will block notifications from these domains.
  - Block - Notifications will be blocked. You can specifically exclude specific domains from the rule. This will allow popups from those domains only.
- Set.
Authentication Factor
No Mobile support
You can use this feature to configure the settings for the authentication
methods. When you need to enable the Browser Lock or step-up MFA across the
different data controls, this control is needed to select the options for
the lock.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Authentication Factor.
- Select one of the following options:
  - PIN Code – configure the size of the code (between 4-6 digits) and the number of attempts that can be made before the account will be locked out.
  - Passkey – select whether the passkey will be an Internal or External authenticator.
- Set.
Browser Security – Network Protection
Pages with SSL Errors
No Mobile support
This feature manages how the Prisma Access Browser will react when
it encounters a page with an SSL error. In general, most browsers ask for
permission to "Proceed to [FQDN] (unsafe)".
Since SSL errors can occur during an SSL MitM attack, you can use
this control to block the "Proceed..." functionality.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Pages with SSL Errors.
- Select one of the following options:
  - Allow - Allow users to bypass the blocking page when an SSL issue is identified.
  - Block – the Prisma Access Browser will block the "Proceed..." option when an SSL issue is identified.
- Set.
DNS-Over-HTTPS
No Mobile support
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select DNS-Over-HTTPS.
- Select one of the following options:
  - Enable - Enter the following information:
    - Upon DNS over HTTPS resolve failure:
      - Fail-open: Resolve using plain DNS.
      - Fail-close: Do not resolve.
    - Enter the DNS-over-HTTPS resolver's URL.
  - Disable – Prisma Access Browser will not enable DNS over HTTPS resolution.
- Set.
Trusted Certificate Authorities
No Mobile support
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Trusted Certificate Authorities.
- Select the certificate authorities that are to be trusted by the Prisma Access Browser (this limits the trust to certificates that are already trusted):
  - Device trust store - Trust the certificate authorities installed in the device's certificate store.
  - Prisma Access Browser trust store - Trust only certificate authorities that are trusted by Palo Alto Networks, and ignore certificates installed in the Device trust store.
  - None - Do not trust certificates in any trust store.
- Additional trusted certificate authorities - Add customer-provided certificates not already trusted by the Prisma Access Browser.
  - Enter a name for the certificate.
  - Drag or Browse a certificate in .pem, .der, .crt, or .cer formats.
- Set.
Basic Authentication over HTTP
No Mobile support
This feature controls whether the Prisma Access Browser can use
Basic Authentication over HTTP websites.
Since Basic Authentication sends authentication tokens in clear
text, tokens sent over HTTP can be visible to attackers as part of a MitM
attack.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Basic Authentication over HTTP.
- Select one of the following options:
  - Allow - allow Prisma Access Browser to use Basic Authentication over HTTP websites.
  - Block – block Prisma Access Browser from using Basic Authentication over HTTP websites.
- Set.
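To see which internal sites would be affected before selecting Block, the following added example (not Palo Alto Networks code) scans request records for Basic credentials sent over plain HTTP. The record layout, host names and credentials are constructed sample data, and the function names are hypothetical.

```python
import base64
import binascii
from urllib.parse import urlsplit


def basic_header(user_pass):
    """Build an Authorization header value the way a browser does (RFC 7617)."""
    return "Basic " + base64.b64encode(user_pass.encode("utf-8")).decode("ascii")


# Constructed sample records, e.g. exported from a proxy log (assumed layout).
SAMPLE_REQUESTS = [
    {"url": "http://intranet.example.com/reports", "authorization": basic_header("alice:S3cret!")},
    {"url": "https://portal.example.com/api", "authorization": basic_header("bob:hunter2")},
    {"url": "http://legacy.example.com/status", "authorization": "Bearer constructed-token"},
    {"url": "http://printer.example.com/admin", "authorization": "Basic not*base64"},
]


def decode_basic(header_value):
    """Return (user, password) for a well-formed Basic header, else None.

    Base64 is an encoding, not encryption: anyone who can read the
    request can recover the credentials exactly as this function does.
    """
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None  # malformed token or non-UTF-8 payload
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def find_cleartext_basic(requests):
    """List requests that carried Basic credentials over unencrypted HTTP."""
    findings = []
    for record in requests:
        parts = urlsplit(record["url"])
        if parts.scheme.lower() != "http":
            continue  # HTTPS protects the header in transit
        creds = decode_basic(record.get("authorization", ""))
        if creds is None:
            continue
        user, password = creds
        # Report the password length only, so the report itself leaks nothing.
        findings.append({"host": parts.hostname, "user": user,
                         "password_length": len(password)})
    return findings


if __name__ == "__main__":
    for finding in find_cleartext_basic(SAMPLE_REQUESTS):
        print(finding)
```

Hosts that appear in the output are the ones that will stop accepting logins from the browser once Block is set, so they are the candidates for migration to HTTPS first.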
Pages with Insecure Content
No Mobile support
This feature controls whether users can load insecure content (data
located on HTTP servers) to secure websites (located on HTTPS servers).
You can choose to exclude specific domains from this feature when
there are specific applications that need an exception to the rule.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Pages with Insecure Content.
- Select one of the following options:
  - Allow - Prisma Access Browser will allow insecure content.
    - Exclude specific domains - list domains that will receive an exception to the rule.
  - Block – Prisma Access Browser will not allow insecure content.
    - Exclude specific domains - list domains that will receive an exception to the rule.
- Set.
Force HTTPS
No Mobile support
You can force the use of the HTTPS protocol, minimizing the
risk of MitM attacks.
You will be able to force HTTPS for all domains, force HTTPS but
exclude certain domains, or disable forced HTTPS and work without any
restrictions.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Force HTTPS.
- Select one of the following options:
  - Enable - Prisma Access Browser will require use of the HTTPS protocol. You can select specific domains that will be excluded, meaning that these domains will not require the HTTPS protocol.
  - Disable – Prisma Access Browser will not require use of the HTTPS protocol.
- Set.
Browser Security – Extensions
Allowed or Blocked Extensions
No Mobile support
Allowed or Blocked Extensions give you control over which extensions are
permitted in the Prisma Access Browser.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Allowed or Blocked Extensions.
- Select one of the following options:
  - Allow all - allow all extensions.
  - Block specific extensions - you can select specific extensions to block. The extension must be identified by its ID.
  - Allow only specific extensions - you can select specific extensions to permit. The extension must be identified by its ID.
  - Block all - block all extensions.
- Set.
Block Extensions by Permission
No Mobile support
This control allows you to block extensions based on their required
permissions.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Block Extensions by Permission.
- Select one of the following options:
  - Grant all permissions - permit running extensions without regard to their required permissions.
  - Block extensions that use specific permissions - block extensions that require specific permissions. Permissions that were not selected will be permitted. You can select as many permissions as required.
- Set.
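Before choosing which permissions to block, it helps to know which installed extensions would be caught. The following added example (not part of the product or its documentation) is an offline pre-check that reads Chromium-style `manifest.json` files keyed by extension ID, as used by the two extension controls above. The blocked set, the extension IDs and the manifests are constructed sample data, and counting optional permissions as requested is an assumption of this sketch.

```python
import json
import re

# Chromium extension IDs are 32 characters drawn from the letters a-p.
EXTENSION_ID_RE = re.compile(r"^[a-p]{32}$")

# Manifest keys that can carry permissions or host match patterns
# (Manifest V2 puts host patterns in "permissions"; V3 splits them out).
PERMISSION_KEYS = ("permissions", "optional_permissions",
                   "host_permissions", "optional_host_permissions")

# Constructed policy: the permissions an administrator selected to block.
BLOCKED_PERMISSIONS = {"nativeMessaging", "debugger", "clipboardRead", "<all_urls>"}

# Constructed inventory: extension ID -> manifest.json text.
SAMPLE_MANIFESTS = {
    "abcdefghijklmnopabcdefghijklmnop": json.dumps({
        "manifest_version": 3, "name": "Sample Notes", "version": "1.0",
        "permissions": ["storage", "clipboardRead"],
        "host_permissions": ["https://notes.example.com/*"],
    }),
    "ponmlkjihgfedcbaponmlkjihgfedcba": json.dumps({
        "manifest_version": 3, "name": "Sample Theme Switcher", "version": "2.3",
        "permissions": ["storage"],
        "optional_permissions": ["tabs"],
    }),
    "aaaabbbbccccddddeeeeffffgggghhhh": json.dumps({
        "manifest_version": 2, "name": "Sample Legacy Helper", "version": "0.9",
        "permissions": ["tabs", "<all_urls>", "nativeMessaging"],
    }),
}


def requested_permissions(manifest_text):
    """Collect every permission string a manifest declares, required or optional."""
    manifest = json.loads(manifest_text)
    if not isinstance(manifest, dict):
        raise ValueError("manifest root must be a JSON object")
    requested = set()
    for key in PERMISSION_KEYS:
        for entry in manifest.get(key, []):
            if isinstance(entry, str):  # skip non-string (object) entries
                requested.add(entry)
    return requested


def audit(manifests, blocked):
    """Return {extension_id: {"verdict": ..., "matched": [...]}} for each entry.

    An extension is blocked when it declares at least one blocked
    permission; permissions outside the blocked set are permitted.
    """
    report = {}
    for ext_id, text in manifests.items():
        if not EXTENSION_ID_RE.match(ext_id):
            report[ext_id] = {"verdict": "invalid-id", "matched": []}
            continue
        try:
            matched = sorted(requested_permissions(text) & blocked)
        except ValueError:  # includes json.JSONDecodeError
            report[ext_id] = {"verdict": "unreadable", "matched": []}
            continue
        report[ext_id] = {"verdict": "block" if matched else "permit",
                          "matched": matched}
    return report


if __name__ == "__main__":
    for ext_id, result in audit(SAMPLE_MANIFESTS, BLOCKED_PERMISSIONS).items():
        print(ext_id, result)
```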
Hide Sensitive Data from Extensions
No Mobile support
This control allows you to hide sensitive data - any data that can compromise
user information and be used for illicit logins - from extensions.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Hide Sensitive Data from Extensions.
- Select one of the following options:
  - Enable - enable hiding sensitive data from extensions.
  - Disable - do not hide sensitive data from extensions.
- Set.
Restrict Extension Host Permissions
No Mobile support
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Restrict Extension Host Permissions.
- Select one of the following options:
  - Enable - prevent extensions from running scripts and accessing content.
  - Enable for specific domains - prevent extensions from running scripts and accessing content from specific domains. Click here to see information regarding domain syntax.
  - Disable - do not prevent extensions from running scripts and accessing content.
- Set.
Browser Security – Internet Explorer Compatibility Mode
Internet Explorer Compatibility Mode
Microsoft has announced end-of-support dates for different versions
of IE. For more information, refer to Microsoft's Lifecycle FAQ.
Organizations may require compatibility with Internet Explorer, as
they are running internal legacy websites.
You can select these particular sites and allow users to access
them in the Prisma Access Browser using Internet Explorer Compatibility
Mode. This will render the application or site as if it were being accessed
via Internet Explorer.
Click here for more information
regarding entering URLs.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Internet Explorer Compatibility Mode.
- Select one of the following options:
  - Enable compatibility mode - You need to add the target URLs that need Internet Explorer Compatibility.
  - No compatibility mode support - Users will not be able to use sites that require IE Compatibility.
- Set.
Browser Security – Printers
Allowed Printers
No Mobile support
The Prisma Access Browser allows you to configure particular
printers for users who need to print from the browser. This provides an
additional level of security, where end-users will only be able to print to
permitted devices, such as printers in the office.
This feature does not preclude users from printing from other
devices when using applications not managed through the Prisma Access
Browser.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Allowed Printers.
- Select one of the following options:
  - No printers – end-users cannot print from the browser.
  - Set printers - Click Add Printer to enter the network location of each printer that end users will be able to select when printing is required.
- Set.
Browser Security – Privacy
Third-party Cookies
No Mobile support
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Third-party Cookies.
- Select one of the following options:
  - Allow - Third-party elements can set cookies.
  - Block - Third-party elements cannot set cookies.
- Set.
Browser History
No Mobile support
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Browser History.
- Select one of the following options:
  - Enable - browser history is saved.
  - Disable - browser history is not saved, and tab syncing is disabled. This setting cannot be changed by users.
  - Block Deletion - browser history and download history cannot be deleted.
- Set.
Cookies
No Mobile support
This policy controls the ability to store cookies on the browser. It allows
companies to keep the data only for the session to avoid theft of the
credentials.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Cookies.
- Select one of the following options:
  - Allow - default cookies behavior, as controlled by the end-user. After choosing this option, you can select specific domains to exclude. This means that the selected domains will not be able to set cookies.
  - Block - do not allow any websites to set the local data. After choosing this option, you can select specific domains to include. This means that the selected domains will be able to set cookies.
  - Session only - keep cookies for the duration of the session. After choosing this option, you can select the URLs that will keep cookies for the duration of the session.
- Set.
Browser Security – Anti-exploitation (Attack surface reduction)
Anti-Exploitation controls enable you to reduce the potential attack
surface of the browser. These controls effectively limit usage of browser
components that are complex and are occasionally found to contain
vulnerabilities. While the latest version of the browser would never include
known vulnerabilities, disabling unnecessary components limits the potential
exposure between when a vulnerability is found and the time it is fixed.
You should be aware that by disabling these components, you may impact
some web page functionality. To minimize the impact on end-users, a
non-intrusive dialog will be displayed if a capability is canceled. You need to
be aware of these dialogs and the corresponding events in case users report
issues with web pages. For example, disabling WebGL may impact functionality of
an online maps website. When the users complain, you can identify the issue by
looking for corresponding events and dialogs when users browse to these sites.
When a web page is affected by a disabled component, an abbreviated
message is shown. Users can click on the message to display a more informative
one. The message will pop up once per viewed website. A Log event will also be
generated.
JavaScript v8 JIT
No Mobile support
Just-in-time (JIT) helps improve the performance of JavaScript code
by compiling bytecode into native machine code at run time.
This anti-exploitation policy controls the use of the JavaScript v8
JIT mechanism, which can be potentially exploited.
In addition, disabling JIT activates multiple vulnerability
mitigation techniques, including Control Flow Guard (CFG), Control-flow
Enforcement Technology (CET), and Arbitrary Code Guard (ACG).
Note: Disabling JavaScript v8 JIT may impact browser performance.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select JavaScript v8 JIT.
- Select one of the following options:
  - Allow - allow the use of JavaScript v8 JIT.
  - Block - block the use of JavaScript v8 JIT.
    - To exclude specific applications, enter their domains into the exclusion list. Click here for more information regarding entering URLs.
- Set.
WebRTC
No Mobile support
Web Real-Time Communication (WebRTC) is an open-source project that
enables real-time voice, text, and video communication capabilities between
web browsers and devices.
This anti-exploitation policy controls the use of the WebRTC
protocol, which can be potentially exploited.
Note: Disabling WebRTC will prevent some video conferencing
tools, including Microsoft Teams and Google Meet from working. To overcome
this issue, add their domains to the exclusion list as described below.
When a user attempts to access a domain that is blocked, they will
receive an on-screen notification, and a Log event will be created.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select WebRTC.
- Select one of the following options:
  - Allow - Allow the use of WebRTC.
  - Block - Block the use of WebRTC.
    - To exclude specific applications, enter their domains into the exclusion list. Click here for more information regarding entering URLs.
- Set.
PDFium
No Mobile support
The PDFium library is used to render PDF files in Chromium
browsers.
This anti-exploitation policy controls the use of the PDFium
library, which can be potentially exploited.
When PDFium is disabled, the Prisma Access Browser will not be able
to open regular or protected PDF files.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select PDFium.
- Select one of the following options:
  - Allow - Permit use of the PDFium library to render PDF files.
  - Block - Block use of the PDFium library to render PDF files.
- Set.
WebGL API
No Mobile support
WebGL is a JavaScript-based API that is used for rendering
high-performance interactive 2D and 3D graphics using hardware graphics
acceleration features provided in the user's device.
This anti-exploitation policy controls the use of the WebGL API,
which can be potentially exploited.
Note: Disabling WebGL API may impact different websites
using it in a legitimate way.
When a user attempts to access a domain that is blocked, they will
receive an on-screen notification, and a Log event will be created.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select WebGL API.
- Select one of the following options:
  - Allow - Permit use of the WebGL API.
  - Block - Block use of the WebGL API.
- Set.
File System API
No Mobile support
The File System Access API (formerly known as the Native File
System API and Writable Files API) enables developers to build powerful web
apps that interact with files on the user's local device, such as IDEs,
photos, video editors, text editors, and more. After a user grants a web app
access, this API allows them to read or save changes directly to files and
folders on the user's device. Beyond reading and writing files, the File
System Access API allows opening a directory and enumerating its
contents.
This anti-exploitation policy controls the use of the File System
API, which can be potentially exploited.
Note: Disabling File System API may impact different
websites using it in a legitimate way.
When a user attempts to access a domain that is blocked, they will
receive an on-screen notification, and a Log event will be created.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select File System API.
- Select one of the following options:
  - Allow - Permit use of the File System API.
  - Block - Block use of the File System API.
- Set.
Sensors API
No Mobile support
The Sensors API controls access to several different low-level and
high-level device sensor types.
This anti-exploitation policy controls the use of the Sensors API,
which can be potentially exploited.
Note: Disabling Sensors API may impact different websites
using it in a legitimate way.
When a user attempts to access a domain that is blocked, they will
receive an on-screen notification, and a Log event will be created.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Sensors API.
- Select one of the following options:
  - Allow - Permit use of the Sensors API.
  - Block - Block use of the Sensors API.
- Set.
WebSerial API
No Mobile support
The WebSerial API provides a method for websites to read from and
write to serial devices. The devices can be connected via serial port, or by
USB or Bluetooth devices that emulate a serial port.
This anti-exploitation policy controls the use of the WebSerial
API, which can be potentially exploited.
Note: Disabling WebSerial API may impact different websites
using it in a legitimate way.
When a user attempts to access a domain that is blocked, they will
receive an on-screen notification, and a Log event will be created.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select WebSerial API.
- Select one of the following options:
  - Allow - Permit use of the WebSerial API.
  - Block - Block use of the WebSerial API.
- Set.
WebBluetooth API
No Mobile support
The WebBluetooth API provides a way for websites to communicate
over GATT (Generic ATTribute Profile) with nearby user-selected Bluetooth
devices in a secure and privacy-preserving way.
This anti-exploitation policy controls the use of the WebBluetooth
API, which can be potentially exploited.
Note: Disabling WebBluetooth API may impact different
websites using it in a legitimate way.
When a user attempts to access a domain that is blocked, they will
receive an on-screen notification, and a Log event will be created.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select WebBluetooth API.
- Select one of the following options:
  - Allow - Permit use of the WebBluetooth API.
  - Block - Block use of the WebBluetooth API.
- Set.
WebUSB API
No Mobile support
The WebUSB API is a JavaScript specification for providing secure
access from web pages to USB devices.
This anti-exploitation policy controls the use of the WebUSB API,
which can be potentially exploited.
Note: Disabling WebUSB API may impact different websites
using it in a legitimate way.
When a user attempts to access a domain that is blocked, they will
receive an on-screen notification, and a Log event will be created.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select WebUSB API.
- Select one of the following options:
  - Allow - Permit use of the WebUSB API.
  - Block - Block use of the WebUSB API.
- Set.
WebHID API
No Mobile support
The WebHID API is used for providing access for Human Interface
Devices. This feature permits access to alternative auxiliary devices, such
as secondary keyboards and mouse-pointing devices.
This anti-exploitation policy controls the use of the WebHID API,
which can be potentially exploited.
Note: Disabling WebHID API may impact different websites
using it in a legitimate way.
When a user attempts to access a domain that is blocked, they will
receive an on-screen notification, and a Log event will be created.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select WebHID API.
- Select one of the following options:
  - Allow - Permit use of the WebHID API.
  - Block - Block use of the WebHID API.
- Set.
Print Preview
No Mobile support
Print Preview displays the print preview in a new tab, a DOM UI
page. The print preview page consists of a left pane that allows for printer
selection and printer options and a right pane for displaying the preview
and page thumbnails.
This anti-exploitation policy controls the use of the print
preview, which can be potentially exploited.
If this is disabled, users will not see a preview of the page or
file.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Print Preview.
- Select one of the following options:
  - Allow - Permit use of the Print Preview.
  - Block - Block use of the Preview.
- Set.
Google Cloud Print
No Mobile support
Google Cloud Print is a discontinued Google service that allows
users to print from any Cloud Print-aware application (web, desktop, mobile)
on any device in the network cloud to any printer with native support for
connecting to Cloud Print services.
This anti-exploitation policy controls the use of the Google Cloud
Print API, which can be potentially exploited.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Google Cloud Print.
- Select one of the following options:
  - Allow - Permit use of Google Cloud Print.
  - Block - Block use of Google Cloud Print.
- Set.
QUIC Protocol
No Mobile support
QUIC (Quick UDP Internet Connections) is a new internet transport
protocol developed by Google. QUIC solves several application-layer issues
experienced by modern web applications while requiring little or no change
from application writers. QUIC is very similar to TCP+TLS+HTTP2 but
implemented on top of UDP.
This anti-exploitation policy controls the use of the QUIC
protocol, which can be potentially exploited.
Note: Disabling QUIC protocol may impact different websites using it
in a legitimate way.
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select QUIC Protocol.
- Select one of the following options:
  - Allow - Permit use of the QUIC Protocol.
  - Block - Block use of the QUIC Protocol.
- Set.
Web Clipboard API
No Mobile support
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Web Clipboard API.
- Select one of the following options:
  - Allow - Permit the Web Clipboard API to access the clipboard.
  - Block - Block the Web Clipboard API from accessing the clipboard.
- Set.
Local Fonts
No Mobile support
- From Strata Cloud Manager, select Manage -> Configuration -> Prisma Access Browser Policy -> Profiles -> Browser Security.
- Select Local Fonts.
- Select one of the following options:
  - Allow - Permit the Prisma Access Browser to access local fonts installed on the device.
  - Block - Block the Prisma Access Browser from accessing local fonts installed on the device.
- Set.