Prisma Access Browser
Manage Prisma Access Browser Requests
Table of Contents
Manage Prisma Access Browser Requests to Bypass Policy Rules
Prisma Access Browser
Requests to Bypass Policy RulesLearn how to manage end user requests to bypass
Prisma Access Browser
rules for access
to otherwise blocked sites and apps.Where Can I Use This? | What Do I Need? |
|---|---|
|
|
In some cases, end users may find that the
Prisma Access Browser
rules are too strict to
allow users to access the resources they need. For example, in a user might need to
download a file that is restricted based on a browser rule, or may need access to a
website that is normally off limits.To address this issue,
Prisma Access Browser
allows you allow users to temporarily
bypass rules. This allows users to examine the bypass requests from users and decide
whether or not to grant the bypass. This also allows you to see which rules might be
too restrictive so that you can go back and tune them.
You define the
bypass conditions within the policy rules. Then, when users attempt to
perform and action or visit a site blocked by the corresponding rule, they can
submit a bypass request. Bypass requests are an extension of
Prompt
actions where Prisma Access Browser
prompts the user
with a message indicating that the action or site is blocked and allowing them to
continue anyway. To set bypass conditions, you configure the prompt action to enable
permission requests. With bypass conditions you must review and approve the request
before Prisma Access Browser
allows the user to perform the blocked action or access
the blocked site.Configure the Bypass Conditions
Configure the conditions for bypass rules when you create or edit an Access and Data
Control rule. The way you configure the conditions depends on the
type of user activity for which you want to allow bypass.
- Set bypass conditions for Web access rules.
![]()
- In the page, selectPrompt.
- Define the bypass conditions for the web access rule by selecting one of the following options:
- Warn and allow to proceed anyway—notifies users that the web application they are trying to access is restricted, but allow them to proceed anyway.
- Warn and allow the user to proceed anyway with a reason—notifies users that the web application they are trying to access is restricted, but allow them to proceed after supplying a reason they need access.
- Permission request—notify users that the web application they are trying to access is restricted, and prompt them to submit a request for access. In this case, you must review and approve the request before the user can access the app.
- Set the duration for theBypass timeframe.The range is 10 minutes to 90 days; the default is 9 hours.
- Set the number of access attempts toApprove request for.Be aware that theOncesetting works differently on different websites. On sites where the page is refreshed every time a new page is selected,Oncerefers to a single access for a single article, and a new request must be generated for each page. For example, allowingOnceon https://editions.cnn.com will grant the user one article only (since moving to the next page requires the page to be refreshed). On sites that are not regularly refreshed, such as https://chat.openai.com,Onceallows a user to keep working until the page is refreshed.
- Set bypass conditions for login restriction rules.The Login restriction section in Access & Data Control rules enables you to restrict login to specific email domains.
![]()
- In the page, selectPrompt.
- Define the bypass conditions for the login restriction rule by selecting one of the following options:
- Allow—allows all domains.
- Block—restricts all domains.
- Allow specific email domains—allows access only to the domains you specify.
- Block specific email domains—blocks access only to the domains you specify.
- Specify the email domains this rule governs access to.
- SelectPrompt when login blocked.With this setting enabled, when users attempt to login using a restricted email,Prisma Access Browsernotifies them. You can set the following bypass conditions:
- Warn and allow to proceed anyway—notifies users that the email they are trying to use for login is restricted, but allow them to proceed anyway.
- Warn and allow the user to proceed anyway with a reason—notifies users that the email they are trying to use for login is restricted, but allow them to proceed after supplying a reason.
- Permission request—notify users that the email they are trying to use for login is restricted, and prompt them to submit a request for access. In this case, you must review and approve the request before the user can proceed.
- Set theApprove request for.The time range is 10 minutes to 90 days.
- Set bypass conditions for file download.The File Download profile in Access & Data Control rules allows you restrict file downloads. This option is available from either the Profiles or from the Data controls, but we recommend using the Data controls to manage policies.
![]()
- In the page, selectFile Download.
- Select eitherAlloworAllow (Protected).
- ClickPrompt Before downloadand selectBefore download.
- SelectPopup notificationand define the bypass conditions for file downloads by selecting one of the following options:
- Warn and allow to proceed anyway—notifies users that file download is restricted, but allow them to proceed anyway.
- Warn and allow the user to proceed anyway with a reason—notifies users that file download is restricted, but allow them to proceed after supplying a reason.
- Permission request—notify users that file download is restricted, and prompt them to submit a request for access. In this case, you must review and approve the request before the user can proceed.
- Set the duration for theBypass timeframe.The range is 10 minutes to 90 days.
- Set the number of access attempts toApprove request for.SelectOnceto allow a single download.
- Set bypass conditions for file upload.The File Upload profile in Access & Data Control rules allows you restrict file uploads. This option is available from either the Profiles or from the Data controls, but we recommend using the Data controls to manage policies.
![]()
- In the page, selectFile Upload.
- Select eitherAllow.
- ClickPrompt Before Uploadand selectBefore upload.
- SelectPopup notificationand define the bypass conditions for file uploads by selecting one of the following options:
- Warn and allow to proceed anyway—notifies users that file upload is restricted, but allow them to proceed anyway.
- Warn and allow the user to proceed anyway with a reason—notifies users that file upload is restricted, but allow them to proceed after supplying a reason.
- Permission request—notify users that file upload is restricted, and prompt them to submit a request for access. In this case, you must review and approve the request before the user can proceed.
- Set the duration for theBypass timeframe.The range is 10 minutes to 90 days.
- Set the number of access attempts toApprove request for.SelectOnceto allow a single download.
Manage Permission Requests
After you set bypass request conditions on policy rules, you must review incoming
requests and decide whether or not to allow the requests.
- FromStrata Cloud Manager, select .
- Select the request you want to review and clickReply.
![]()
- Review the request and then select one of the following responses:
- Approve—Grants approval for the request for the pre-configured duration, or select a different duration.
- Decline—Rejects the request.Prisma Access Browsercontinues to block the requested action or site access.
![]()
- (Optional) Add a comment for the user.
- Submityour response.
Investigate Bypass Requests
If you have configured bypass conditions on your policy rules and
you find that you are approving similar requests, this might indicate that
you need to tune your policy rules. You can investigate current and past bypass
rules to assess whether you need to make some adjustments to your policy on the page.
- Searchfor specific bypass requests by URL.
- Filterrequests based on the following parameters:
- Request type—Filter on the type of bypass: Web access, File upload, File download, or App login.
- Status—Filter on requests that arePending,Approved, orDeclined.
- Created at—Filter on requests made during a specific time frame.
- User—Filter on specific users making requests.
- Policy rule—Filter on the rule that trigged the bypass requests.
- URL—Filter based on the URL of the web application that generated the request.