File Hash-Based Block for Explicit Proxy

Block files by SHA-256 hash during Explicit Proxy downloads using a customer-managed block list.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
If you'd like to use this feature in your Prisma Access environment, get in touch with your account team to learn more.
What Do I Need?
  • Prisma Access license
  • Mobile user license
  • PAN-OS 12.1.7 version
File hash-based blocking on Explicit Proxy lets you block files as they are downloaded through Explicit Proxy. Prisma® Access Explicit Proxy computes the file's SHA-256 hash and compares it against your uploaded hash list. If the hash matches, the download is blocked immediately, regardless of the WildFire verdict.
This feature helps customers meet compliance requirements when they need to show that they have incorporated feeds from country authorities to block file hashes irrespective of the verdict on those files.
Use Hash Block to enforce blocks for:
  • Hashes flagged by your threat intelligence feeds or security operations team
  • Files identified in internal incident response investigations
This feature requires that the traffic flow is decrypted.
Fail-Closed Behavior
Hash Block supports fail-closed operation to prevent unverified files from reaching user endpoints when the hash check service is unavailable.
Setting: Hash Block — Fail Behavior
  • Fail-Open (Allow): Files pass through when the hash check cannot be completed.
  • Fail-Closed (Block): Files are blocked when the hash check cannot be completed.

File Hash-Based Block for Explicit Proxy (Strata Cloud Manager)

Upload a SHA-256 hash list and enable Hash Block enforcement for Explicit Proxy in Strata Cloud Manager.
  1. Select Configuration > NGFW and Prisma Access, set the Configuration Scope to Explicit Proxy, and select Setup.
  2. On the Setup tab, select Set Up Advanced Security Settings.
  3. In the Advanced Security Settings panel, locate the hash block section.
  4. Select Upload .csv and upload a plain-text file containing one SHA-256 hash per line.
  5. Enable the hash block checkbox to activate enforcement against the uploaded list.
  6. Save and Push Config to apply the configuration changes.

File Hash-Based Block for Explicit Proxy (Panorama)

Upload a SHA-256 hash list and enable Hash Block enforcement for Explicit Proxy in Panorama.
  1. On Panorama, select Cloud Services > Configuration > Mobile Users - Explicit Proxy and then select the settings icon.
  2. Select the Advanced tab and locate the hash block section.
  3. Select Upload CSV and upload a plain-text file containing one SHA-256 hash per line.
  4. Enable the hash block checkbox to activate enforcement against the uploaded list.
  5. For Fail Behavior, choose how files with an unresolvable hash are handled.
    • Allow — permit files that cannot be hash-checked.
    • Block — block files that cannot be hash-checked (fail-closed).
  6. Commit and Push to Explicit_Proxy_Device_Group.
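
Both procedures above upload the same artifact: a plain-text file with one SHA-256 hash per line. The following added example (not Palo Alto Networks code) prepares that file from a threat-intelligence feed export and reports entries that cannot go on the list. The feed layout, the function names, and the choice to lowercase and de-duplicate hashes are assumptions, and the sample data is constructed.

```python
import hashlib
import re
import sys

SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")  # exactly 64 hex characters

def normalize_hash_list(lines):
    """Return (unique lowercase SHA-256 hashes, rejected (line_no, text) pairs)."""
    hashes, seen, rejected = [], set(), []
    for number, raw in enumerate(lines, start=1):
        text = raw.strip()
        if not text or text.startswith("#"):
            continue  # blank lines and feed comments carry no hash
        # Assumed feed layout "hash,description": keep only the first field.
        candidate = text.split(",", 1)[0].strip().strip('"')
        if SHA256_RE.fullmatch(candidate):
            value = candidate.lower()
            if value not in seen:
                seen.add(value)
                hashes.append(value)
        else:
            rejected.append((number, text))  # header rows, MD5, SHA-1, typos
    return hashes, rejected

def render_upload_file(hashes):
    """One SHA-256 hash per line and nothing else, as the upload step asks."""
    return "".join(h + "\n" for h in hashes)

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed sample: a stand-in file and a feed export that references it.
SAMPLE_FILE = b"constructed sample payload\n"
SAMPLE_FEED = [
    "# constructed feed export",
    "sha256,comment",                                   # header row
    sha256_of(SAMPLE_FILE).upper() + ",internal IR case",
    sha256_of(SAMPLE_FILE),                             # duplicate, other case
    "d41d8cd98f00b204e9800998ecf8427e",                 # MD5 of empty input
    "da39a3ee5e6b4b0d3255bfef95601890afd80709",         # SHA-1 of empty input
    "",
]

if __name__ == "__main__":
    hashes, rejected = normalize_hash_list(SAMPLE_FEED)
    sys.stdout.write(render_upload_file(hashes))
    for number, text in rejected:
        print(f"line {number}: not a SHA-256 hash: {text}", file=sys.stderr)
```

Review the rejected lines before uploading: MD5 and SHA-1 indicators cannot be placed on a SHA-256 list and need to be resolved to SHA-256 values at the source.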