Configure Proxy Chaining on Prisma Access Explicit Proxy (Strata Cloud Manager)

Here's how you can configure downstream proxy chaining with Prisma Access explicit proxy on Strata Cloud Manager.
  1. Go to Manage > Configuration > NGFW and Prisma Access > Network Policies > Upstream Proxy Policy. Set the Configuration Scope to Explicit Proxy.
  2. Create an Upstream Proxy Profile.
    1. Under Upstream Proxy Policy, select Profiles and Add Profile.
    2. Add a Name, a Description, a Primary Proxy, and optionally a Secondary Proxy. By default, the port is set to 8080. You can change the port to suit your requirements.
      The FQDN should resolve to an IPv4 address, or the IP address should be IPv4 and reachable.
    3. (Optional) Select the XFF or XAU headers, and select HTTP or Connect as the layer, to send information to an upstream proxy.
      If you add XFF and XAU headers and select the Connect layer, we recommend enabling Connect Upstream Proxy over SSL Channel to securely connect Prisma Access explicit proxy to another proxy.
      If you select HTTP and add XAU or XFF headers, we recommend having decryption on PAN-OS.
    4. Save your changes.
  3. Configure proxy policy rules. Rules must be Enabled for the configuration to be saved.
    1. Go to Rules, select Add Upstream Proxy Policy Rules, and build your rule by configuring the following rule components. Components marked with an asterisk (*) are mandatory.

      | Section | Element | Details |
      | --- | --- | --- |
      | General | *Name | Give your rule a unique name that tells other administrators what it does. Optionally provide a detailed description of the rule's intent. |
      | Match Criteria | Source | Define the matching criteria for the source fields for the traffic. Specify the source IP *Addresses, add Address Groups, or leave the value set to Any. Specify source *Users or leave the value set to Any. You can select Users to enforce the policy for individual users or a group of users. |
      | Match Criteria | Destination | Define the destination address for the traffic. Select URL Category to specify a URL category as match criteria in the proxy chaining rule, or leave the value set to Any. |
      | Action | *Upstream Proxy | Define what Action you want to take for the traffic that matches the rule. Select an upstream proxy or select Direct. When you select Direct, the traffic egresses using Prisma Access explicit proxy to an upstream web or application server. |
      | Action | Fallback Action | Specifies a Failclose or Failopen action to apply when the selected upstream proxy isn't reachable. Failclose: Either resets the connection or silently drops packets. Failopen: Allows the traffic based on your matching criteria using Prisma Access explicit proxy. |

    2. Save your proxy rule and Push Config.
  4. In Prisma Access, security rules are evaluated from top to bottom. When traffic matches the conditions of a rule, that rule is applied and the evaluation process stops there. Therefore, consider placing the most specific rules at the top of the list.
    You can delete, enable, disable, move, or clone an upstream proxy rule. To perform any of these actions, select the rule and then select the action.
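
The following is an added example, not Palo Alto Networks code or the Strata Cloud Manager schema: a small Python model of the first-match evaluation and fallback actions described above, which also reports rules that can never match because a broader rule sits above them. The `Rule` fields, the rule and profile names, and the `no-match` result are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"

@dataclass(frozen=True)
class Rule:                      # hypothetical model, not the Strata Cloud Manager schema
    name: str
    source: str = ANY            # IPv4 CIDR or ANY
    user: str = ANY              # user or group name, or ANY
    url_category: str = ANY
    action: str = "Direct"       # upstream proxy profile name, or "Direct"
    fallback: str = "failclose"  # or "failopen"

def _covers(broad, narrow, cidr=False):
    """True if field value `broad` matches everything `narrow` matches."""
    if broad == ANY or broad == narrow:
        return True
    if narrow == ANY or not cidr:
        return False
    return ip_network(narrow).subnet_of(ip_network(broad))

def shadowed(rules):
    """(later, earlier) name pairs where `earlier` matches all traffic `later` would."""
    return [(r.name, e.name) for i, r in enumerate(rules) for e in rules[:i]
            if _covers(e.source, r.source, cidr=True) and _covers(e.user, r.user)
            and _covers(e.url_category, r.url_category)]

def evaluate(rules, src_ip, user, category, reachable):
    """First match wins; `reachable` is the set of upstream profiles that are up."""
    for r in rules:
        if r.source != ANY and ip_address(src_ip) not in ip_network(r.source):
            continue
        if r.user not in (ANY, user) or r.url_category not in (ANY, category):
            continue
        if r.action == "Direct" or r.action in reachable:
            return r.name, r.action
        # Upstream proxy unreachable: the rule's fallback action decides.
        return r.name, r.fallback
    return None, "no-match"      # no-match behaviour is not described on the page

# Constructed sample policy: the broad rule sits above the specific one.
RULES = [
    Rule("all-web", action="corp-proxy", fallback="failopen"),
    Rule("finance", source="10.20.0.0/16", url_category="financial-services",
         action="dlp-proxy", fallback="failclose"),
]
```

With the sample order, `shadowed(RULES)` reports that `finance` never matches, so its Failclose setting is never applied and an upstream outage falls back to Failopen instead; reversing the list restores the intended behaviour.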