Access Your Data Center Using Explicit Proxy

This is how you use Explicit Proxy to access resources in your data center.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • (For ZTNA Connector and Colo-Connect) Prisma Access 5.2.1 version
  • (For service connections) Prisma Access 5.0 version
  • (For private and partner app access) GlobalProtect app version 6.2 for Windows or macOS
You can use service connections, ZTNA Connector, or Colo-Connect to access resources in your data center, such as external dynamic lists or private and partner apps, while still benefiting from an Explicit Proxy connection.
The following RFC 6598 IP addresses aren't supported for private application access through Explicit Proxy via service connections, Colo-Connect, or ZTNA Connector:
  • 100.64.0.0/15
  • 100.88.0.0/15
  • 100.72.0.0/15
Existing ZTNA Connectors that use these IP addresses in ZTNA Connector Application IP blocks or Connector IP blocks are disabled from using Prisma Access Browser or GlobalProtect Agent in Proxy Mode through Explicit Proxy. You must reach out to your Palo Alto Networks representative to migrate your IP addresses to a different block.

Access Your Data Center Using Explicit Proxy (Strata Cloud Manager)

This is how you access your data center using Prisma Access Explicit Proxy in Strata Cloud Manager.
  1. Configure a service connection, Colo-Connect or ZTNA Connector in Prisma Access based on your requirement.
  2. Ensure that Zones under DESTINATION is set to untrust instead of any in rules for internet-bound traffic.
    Failure to perform this step could result in unintended access to your data center.
    1. Go to Manage > Configuration > NGFW and Prisma Access, set the Configuration Scope to Prisma Access > Mobile Users Container > Explicit Proxy, then select Security Policy > Security Services.
    2. Open a rule for internet-bound traffic.
    3. Ensure Zones under DESTINATION is set to untrust.
    4. Repeat for all of your internet-bound traffic rules.
  3. Enable private application access.
    • Enable private application access using Prisma Access Browser.
      1. Select Workflows > Prisma Access Setup > Explicit Proxy Infrastructure Settings and Enable Prisma Access Browser. Under Proxy URL Settings, select Enable Private App Access for Explicit Proxy.
    • Enable private application access using a regular browser.
      1. Select Workflows > Prisma Access Setup > Explicit Proxy Infrastructure Settings > Enable Agent Proxy > Enable Private App Access for Explicit Proxy.
  4. Create security policy rules for the data center resources you want to access.
    1. Go to Manage > Configuration > NGFW and Prisma Access, set the Configuration Scope to Prisma Access > Mobile Users Container > Explicit Proxy, then select Security Policy > Security Services.
    In rules for data center access, ensure Zones under DESTINATION is set to trust.
  5. If you enable Private Application Access under Explicit Proxy, Push Config to save your configuration changes after onboarding the ZTNA Connector.

Access Your Data Center Using Explicit Proxy (Panorama)

Access resources hosted in your data center using Prisma Access Explicit Proxy.
  1. Configure a service connection, Colo-Connect or ZTNA Connector in Prisma Access based on your requirement.
  2. Configure zone mappings.
    1. Select Panorama > Cloud Services > Configuration > Mobile Users - Explicit Proxy > Zone Mapping.
    2. Add the zones that you will use to access your data center resources to Trusted Zones.
  3. Ensure that the Destination ZONE in policy rules for internet-bound traffic is set to an untrust zone instead of any.
    Failure to perform this step could result in unintended access to your data center.
    1. Select Policies.
    2. Set the Device Group to Explicit_Proxy_Device_Group.
    3. Change the Destination ZONE from any to one of the untrust zones you configured in an earlier step.
  4. Enable private application access.
    • Enable private application access using Prisma Access Browser.
      1. Go to Panorama > Cloud Services > Configuration > Mobile Users - Explicit Proxy > Settings > Advanced > Enable Prisma Access Browser > Enable Private Application Access.
    • Enable private application access using a regular browser.
      1. Go to Panorama > Cloud Services > Configuration > Mobile Users - Explicit Proxy > Settings > Advanced > Use GlobalProtect Agent to Authenticate > Enable Private Application Access.
  5. Create security policy rules for the data center resources you want to access.
    1. Select Policies.
    2. Set the Device Group to Explicit_Proxy_Device_Group.
    3. Create security policy rules.
      In rules for data center access, ensure that you use the Trusted zones you configured in an earlier step.
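
One way to check the destination-zone requirements of the Panorama procedure offline, as an added example that is not Palo Alto Networks code. It assumes the Explicit_Proxy_Device_Group security rules have been exported in PAN-OS XML configuration form, with destination zones under `<to><member>`; the sample rules, rule names and zone names are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample in PAN-OS XML rule form; rule and zone names are hypothetical.
SAMPLE_RULES = """
<rules>
  <entry name="allow-web">
    <to><member>any</member></to>
    <action>allow</action>
  </entry>
  <entry name="allow-saas">
    <to><member>untrust</member></to>
    <action>allow</action>
  </entry>
  <entry name="allow-dc-wiki">
    <to><member>trust</member></to>
    <action>allow</action>
  </entry>
  <entry name="old-any-rule">
    <to><member>any</member></to>
    <action>allow</action>
    <disabled>yes</disabled>
  </entry>
  <entry name="deny-rest">
    <to><member>any</member></to>
    <action>deny</action>
  </entry>
</rules>
"""

def audit_rules(xml_text, trusted_zones):
    """Sort active allow rules by whether their destination zones can reach the data center."""
    report = {"any_destination": [], "reaches_trusted": []}
    for entry in ET.fromstring(xml_text).findall("entry"):
        if entry.findtext("action", "").strip() != "allow":
            continue  # only allow rules grant access
        if entry.findtext("disabled", "no").strip() == "yes":
            continue  # disabled rules are not evaluated
        zones = {m.text.strip() for m in entry.findall("to/member") if m.text}
        if "any" in zones:
            report["any_destination"].append(entry.get("name"))  # change to an untrust zone
        elif zones & set(trusted_zones):
            report["reaches_trusted"].append(entry.get("name"))  # confirm this is intended
    return report

if __name__ == "__main__":
    for category, names in audit_rules(SAMPLE_RULES, {"trust"}).items():
        print(f"{category}: {', '.join(names) or 'none'}")
```

Pass the zones you added to Trusted Zones as `trusted_zones`; every rule listed under `any_destination` still matches those zones and needs its Destination ZONE changed.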