Explicit Proxy Best Practices

General Explicit Proxy Deployment Best Practices
:
Deploy Explicit Proxy in at least two regions for redundancy.
If all your users are behind a NAT device, and if Explicit Proxy sees the IP address of the NAT device as the source IP address, you should allocate one NAT IP address per 500 mobile users.
PAC File Best Practices
—When setting up the PAC file, bypass all SAML, CIE, and Authentication Cache Service (ACS) URLs.
SAML Authentication Best Practices
:
Set the SAML Authentication
Cookie Lifetime
to 24 hours to have the best user experience without authentication interruptions.
If you have configured GlobalProtect in Proxy Mode or GlobalProtect in Tunnel and Proxy Mode, set the
Cookie Lifetime
on the GlobalProtect portal to 12 hours.
Kerberos Authentication Best Practices
—The keytab file should be less than 60 KB in size.
Security Policy Rule Best Practices
—Use security policy rule best practices by setting the
Action
in policies to
Deny
instead of
Drop
or
Reset
. This actions helps in releasing the resources quickly inside the Explicit Proxy Security Processing Node (EP-SPN) for optimal performance.
Decryption Best Practices
—Configure at least one decryption policy and one decryption certificate.
IP Source Address Best Practices
—To restrict access to Explicit Proxy to specific source IP addresses, use special objects, which include Address Objects, Address Groups, and External Dynamic Lists (EDLs).