>
    Explicit Proxy Forwarding Profiles
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Mobile Users
    5. Mobile Users: Explicit Proxy
    6. Explicit Proxy Forwarding Profiles
    Download PDF
    Prisma Access

    Explicit Proxy Forwarding Profiles

    Table of Contents

    Explicit Proxy Forwarding Profiles

    Use Explicit Proxy Forwarding Profiles to create easy-to-use forwarding rules to define the direction of web traffic or deploy multiple PAC files at once.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access Mobile Users license
    Explicit Proxy Forwarding Profiles enable you to employ multiple PAC files to define which traffic to forward to Prisma Access. Forwarding Profiles also give you the option to create easy-to-use forwarding rules instead of dealing with the complexity of authoring and maintaining a PAC file.

    Use Forwarding Profiles to Define Multiple PAC Files

    Forwarding Profiles enable you to use multiple PAC files in your deployment simultaneously so that you can define which traffic to forward to Prisma Access.
    1. Create a Forwarding Profile.
      1. From Strata Cloud Manager, select WorkflowsPrisma Access SetupMobile UsersForwarding Profiles Setup
        .
      2. Add Forwarding Profile.
    2. Select PAC File.
      PAC File is for Prisma Access Explicit Proxy. GlobalProtect Proxy is for using GlobalProtect in Proxy Mode.
    3. Upload a PAC file.
      1. Select Upload PAC File to upload an existing PAC file or create a PAC file using the PAC file guidelines.
      2. Browse file to browse your file system for the PAC file.
      3. Save the profile.
    4. Repeat the two previous steps to create another Forwarding Profile with a different PAC file.
      Both PAC files are now operating in your deployment simultaneously.
    5. Retrieve the PAC file URL.
      1. Return to the profile to which you uploaded the PAC file.
        You should see the URL where the PAC file is hosted.
    6. (Optional) Edit the PAC file.
      To quickly make changes to the PAC file, You can edit it directly within the web interface
      1. From within the Forwarding Profile, Edit PAC File.
      2. Make changes and Save.

    Define Which Traffic to Forward to Explicit Proxy with Forwarding Rules

    Instead of authoring your own PAC file from scratch, you can create simple forwarding rules to generate a PAC file.
    1. Create a Forwarding Profile.
      1. From Strata Cloud Manager, select WorkflowsPrisma Access SetupMobile UsersForwarding Profiles Setup
        .
      2. Add Forwarding Profile.
    2. Select PAC File.
      PAC File is for Prisma Access Explicit Proxy. GlobalProtect Proxy is for using GlobalProtect in Proxy Mode.
    3. Add a forwarding rule.
      1. Select Add.
      2. Complete the required fields:
        Name Name of the profile.
        User LocationsLocation of the users for which you're creating the forwarding rule. You can create custom locations from WorkflowsPrisma Access SetupMobile UsersForwarding Profiles Setup
        User Locations        .
        You can't use wildcard characters when configuring custom user locations based on IP address.
        DestinationsDestination of the web traffic. You can select from predefined destinations, or you can create custom destinations from WorkflowsPrisma Access SetupMobile UsersForwarding Profiles Setup
        Destinations        .
        Connectivity
        Direct causes the traffic to bypass the proxy.
        Global Proxy causes the traffic to pass through the proxy.
      3. Select Add when done.
      4. Enable Traffic Enforcement if you want to block all outbound traffic (such as UDP) that does not match the forwarding rules. This option requires GlobalProtect agent version 6.3.1 and is disabled by default. If you have applications that need you to allow UDP connections, you can add these exceptions using User location or Destination objects.
        You can customize your block actions as follows:
        • Block all UDP outbound connections from the endpoints.
        • Allow TCP from specific locations. For example, you can allow all TCP traffic from your office.
        • Allow UDP from specific locations. For example, you can allow all TCP traffic from your office.
        • If certain applications need UDP connections, you can allow outbound UDP connections to specific destinations.
      5. Save the profile with the forwarding rule you created.
        The profile appears in your list of Forwarding Profiles. When you open it, you will see a URL to the PAC file generated from the rule. View PAC file to see its contents.

    Attach Forwarding Profiles to GlobalProtect App Configuration

    You can use Forwarding Profiles to simplify configuration of your GlobalProtect App proxy.
    1. Create a Forwarding Profile.
      1. From Strata Cloud Manager, select WorkflowsPrisma Access SetupMobile UsersForwarding Profiles Setup
        .
      2. Add Forwarding Profile.
    2. Select GlobalProtect Proxy.
    3. Configure the Forwarding Profile by uploading a PAC file or creating forwarding rules.
    4. Add the Forwarding Profile to your GlobalProtect app proxy configuration.
      1. Select WorkflowsPrisma Access SetupGlobalProtectGlobalProtect App.
      2. Select a configuration file.
      3. Under App Configuration, Show Advanced Options.
      4. Expand Proxy settings.
      5. Select either Proxy or Tunnel and Proxy depending on your GlobalProtect Agent mode
        You can not add a Forwarding Profile if you select Tunnel mode.
      6. Select Forwarding Profiles and choose the Forwarding Profile you wish to use.
      7. Save your changes.
      8. Select Push ConfigPush.

    © 2025 Palo Alto Networks, Inc. All rights reserved.