Configure Proxy Chaining on Prisma Access Explicit Proxy (Panorama)

Here's how you configure downstream proxy chaining with Prisma Access explicit proxy on Panorama.
  1. Go to Panorama > Cloud Services > Configuration > Explicit Proxy > Upstream Proxy Configuration.
  2. Create a Profile.
    1. Under Profiles, Add to create a proxy profile.
    2. Add a Name, Description, a Primary Proxy, and optionally a Secondary Proxy. The port defaults to 8080; change it if your upstream proxy listens on a different port.
      If you specify an FQDN, it must resolve to an IPv4 address. If you specify an IP address, it must be IPv4 and reachable.
    3. (Optional) Select the XFF or XAU headers and select the layer, HTTP or Connect, on which to send this information to an upstream proxy.
      If you add XFF and XAU headers and select the Connect layer, we recommend enabling Connect Upstream Proxy over SSL Channel to securely connect Prisma Access explicit proxy to another proxy.
      If you select HTTP and add XAU or XFF headers, we recommend having decryption on PAN-OS.
    4. Select OK to save the configuration changes.
  3. Configure proxy policy rules. You must Enable the rules for the configuration to be saved.
    1. Go to Rules and Add a proxy rule. Build your rule by configuring the following rule components. Components marked with an asterisk (*) are mandatory.
      | Section | Element | Details |
      |---|---|---|
      | General | *Name | Give your rule a unique name that tells the other administrators what it does. Optionally provide a detailed description of the rule's intent and Enable the rule. |
      | Match Criteria | Source | Define the matching criteria for the source fields for the traffic. Specify the source IP *Addresses, add Address Groups, or leave the value set to Any. Specify source *Users or leave the value set to Any; you can select Users to enforce the policy for individual users or a group of users. |
      | Match Criteria | Destination | Define the destination address for the traffic. Select URL Category to use a URL category as match criteria in the proxy chaining rule, or leave the value set to Any. |
      | Action | *Upstream Proxy | Define what Action you want to take for the traffic that matches the rule. Select an upstream proxy or select Direct. When you select Direct, the traffic egresses using Prisma Access explicit proxy to an upstream web or application server. |
      | Action | Fallback Action | Specifies a Failclose or Failopen action to apply when the selected upstream proxy isn't reachable. Failclose: Either resets the connection or silently drops packets. Failopen: Allows the traffic based on your matching criteria using Prisma Access explicit proxy. |
    2. Select OK to save the security rule, and Commit and push configurations to the Explicit_Proxy_Device_Group.
  4. In Prisma Access, security rules are evaluated from top to bottom. Traffic is handled by the first rule whose conditions it matches, and evaluation stops there. For this reason, consider placing the most specific rules at the top of the list.
    You can delete, enable, disable, move up, move down, or clone an upstream proxy rule. To perform any of these actions, select the rule and then select the action.
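
The first-match ordering in step 4, combined with the Fallback Action from step 3, means a broad rule placed above a specific one silently replaces the specific rule's upstream proxy and fail-close behavior. The following Python is an added example, not Palo Alto Networks code or a Prisma Access API: the `Rule` model, the function names, and the rule names, proxy names, addresses and URL category are constructed for illustration, and it models only the match fields listed in the table above.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "Any"

@dataclass(frozen=True)
class Rule:                          # hypothetical model of one proxy chaining rule
    name: str
    source: str = ANY                # IPv4 CIDR, or Any
    users: frozenset = frozenset()   # empty set means Any
    url_category: str = ANY
    upstream: str = "Direct"         # proxy profile name, or Direct
    fallback: str = "Failclose"      # Failclose or Failopen
    enabled: bool = True

def matches(rule, src_ip, user, category):
    src_ok = rule.source == ANY or ip_address(src_ip) in ip_network(rule.source)
    usr_ok = not rule.users or user in rule.users
    return rule.enabled and src_ok and usr_ok and rule.url_category in (ANY, category)

def evaluate(rules, src_ip, user, category, reachable):
    """Top-to-bottom, first match wins; returns (rule name, outcome)."""
    for rule in rules:
        if matches(rule, src_ip, user, category):
            if rule.upstream == "Direct" or rule.upstream in reachable:
                return rule.name, rule.upstream
            # Selected upstream proxy is unreachable: apply the fallback action.
            return rule.name, "blocked" if rule.fallback == "Failclose" else "failopen"
    return None, "no-match"          # the page does not describe this case

def covers(a, b):
    """True if every flow that matches b also matches the enabled rule a."""
    src = a.source == ANY or (b.source != ANY and
          ip_network(b.source).subnet_of(ip_network(a.source)))
    usr = not a.users or (bool(b.users) and b.users <= a.users)
    return a.enabled and src and usr and a.url_category in (ANY, b.url_category)

def shadowed(rules):
    """(shadowed rule, earlier rule that hides it) pairs, in list order."""
    return [(b.name, a.name) for j, b in enumerate(rules)
            for a in rules[:j] if b.enabled and covers(a, b)]

# Constructed sample rule base: the broad rule sits above the specific one.
RULES = [
    Rule("default-chain", upstream="proxy-a", fallback="Failopen"),
    Rule("finance-strict", source="10.1.0.0/16",
         url_category="financial-services", upstream="proxy-b"),
]
```

Running `shadowed(RULES)` before a commit flags `finance-strict` as unreachable; reversing the list puts the specific rule first and restores its Failclose behavior when `proxy-b` is down.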