Prisma Access
Block Settings for Explicit Proxy
Table of Contents
Block Settings for Explicit Proxy
Use Block Settings in the Prisma Access UI.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
To enable this functionality, reach out to
your Palo Alto Networks account representative or partner, who will
contact the Site Reliability Engineering (SRE) team and submit a
request.
When users access an internet destination using
Explicit Proxy, the DNS resolution for the internet destination
is performed by Explicit Proxy. To block access to an internet destination
at the DNS resolution stage, you can use block settings. You can
block based on DNS Security categories, URL Filtering categories
or external dynamic lists (EDLs).
For
domains that you block, Prisma Access blocks the domains and users
receive a block page during the HTTP GET request (for unencrypted websites)
or HTTP Connect request (for encrypted websites), which means that
domains are blocked during the initial connection request. When
you block access to the site, user are shown a block page after
taking them through the authentication flow, and the username is
captured for further forensics and Security Operations Center (SOC)
workflows.
If you’re using Prisma Access (Managed by Strata Cloud Manager), see
step 8 in Set Up Explicit Proxy.
To configure block settings Panorama Manage Prisma Access, complete
the following steps.
- Configure Block Settings to block domains or domain categories.Specify the domains or domain categories for malicious websites, or for any websites that you do not want users to access. Prisma Access prevents users from accessing the URLs and IP addresses you specify in this area when users initiate an HTTP GET (for unencrypted requests) or HTTP CONNECT (for encrypted requests). Users receive a block page when they attempt to access blocked websites.
![]()
- In Blocked Domain Category List, enter the pre-defined categories to block.Custom URL categories are not supported.In EDL Domain, enter domain-based external dynamic lists (EDLs) to block.You can only select EDLs that have an EDL type of Dynamic Domain Lists; dynamic IP lists and dynamic URL lists are not allowed.If you want to exempt any domains that are included in a Blocked Domain Category List, specify them as an Exempted Domain.Any domains that are entered are exempted from being blocked, even if they appear in a domain category that you have blocked.
- You can enter a maximum of 100 domains.
- The maximum domain record length is 256 characters.
Select the IP addresses to block in the Blocked Source Address area.You can Add addresses, address groups, IP address-based EDLs, or region- and country-based IP addresses.Use the following IP address guidelines:- Use EDLs with a Type of IP List or Predefined IP List only.
- Use Address Objects with a type of IP Range or IP Netmask only.
- Address groups with dynamic objects membership are not supported.
- Do not use custom regions in IP address objects; instead, use predefined regions.
Select Log requests to blocked domains to have Prisma Access log blocked domain requests.Since blocked domain logs can generate a lot of traffic from botnets, use caution when you enable logging, or use it only for troubleshooting purposes. If you restrict your proxy usage (for example, if you restrict usage to specific IP addresses), you might be able to enable logging without restriction.
