Prisma Access
Explicit Proxy Configuration Guidelines
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
5.2 Preferred and Innovation
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
-
- Allocate Licenses for Prisma Access (Managed by Strata Cloud Manager)
- Plan Service Connections for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Add Additional Locations for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Enable Available Add-ons for Prisma Access (Managed by Strata Cloud Manager)
- Enable Dynamic Privilege Access for Prisma Access (Managed by Strata Cloud Manager)
- Search for Subscription Details
- Share a License for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Increase Subscription Allocation Quantity
-
- Activate a License for Prisma Access (Managed by Strata Cloud Manager) and Prisma SD-WAN Bundle
-
- Onboard Prisma Access
-
4.0 & Later
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
- Prisma Access China
-
- Set Up Prisma Access
- Configure the Prisma Access Service Infrastructure
- Remote Networks: IPSec Termination Nodes and Service IP Addresses
- Remote Networks: IP Address Changes Related To Bandwidth Allocation
- Remote Networks: Service IP Address and Egress IP Address Allocation
- API Examples for Retrieving Prisma Access IP Addresses
- Get Notifications When Prisma Access IP Addresses Change
- Prisma Access Zones
- DNS for Prisma Access
- High Availability for Prisma Access
-
- Enable ZTNA Connector
- Delete Connector IP Blocks
- Set Up Auto Discovery of Applications Using Cloud Identity Engine
- Private Application Target Discovery
- Security Policy for Apps Enabled with ZTNA Connector
- Monitor ZTNA Connector
- View ZTNA Connector Logs
- Preserve User-ID Mapping for ZTNA Connector Connections with Source NAT
-
- Enable Dynamic Privilege Access for Prisma Access Through Common Services
- Authorize User Group Mapping in Cloud Identity Engine for Dynamic Privilege Access
- Enable the Access Agent
- Set Up the Agent Infrastructure for Dynamic Privilege Access
- Create a Snippet
- Create a Project
- Traffic Steering for Dynamic Privilege Access
- Push the Prisma Access Agent Configuration
- Download the Dynamic Privilege Access Enabled Prisma Access Agent Package
-
- Install the Prisma Access Agent
- Log in to the Dynamic Privilege Access Enabled Prisma Access Agent
- Change Preferences for the Dynamic Privilege Access Enabled Prisma Access Agent
- Connect the Dynamic Privilege Access Enabled Prisma Access Agent to a Different Location
- Switch to a Different Project
- Connect the Dynamic Privilege Access Enabled Prisma Access Agent to a Different Server
- Disable the Dynamic Privilege Access Enabled Prisma Access Agent
- Switch Between the Prisma Access Agent and GlobalProtect App
- View and Monitor Dynamic Privilege Access Users
- View and Monitor Dynamic Privilege Access Projects
- App Acceleration in Prisma Access
-
-
- Planning Checklist for GlobalProtect on Prisma Access
- Set Up GlobalProtect Mobile Users
- GlobalProtect — Customize Tunnel Settings
- GlobalProtect — Customize App Settings
- Ticket Request to Disable GlobalProtect
- GlobalProtect Pre-Logon
- GlobalProtect — Clientless VPN
- Monitor GlobalProtect Mobile Users
- How the GlobalProtect App Selects Prisma Access Locations for Mobile Users
- Allow Listing GlobalProtect Mobile Users
-
- Explicit Proxy Configuration Guidelines
- GlobalProtect in Proxy Mode
- GlobalProtect in Tunnel and Proxy Mode
- Private IP Address Visibility and Enforcement for Agent Based Proxy Traffic
- SAML Authentication for Explicit Proxy
- Set Up Explicit Proxy
- Cloud Identity Engine Authentication for Explicit Proxy Deployments
- Proxy Mode on Remote Networks
- How Explicit Proxy Identifies Users
- Explicit Proxy Forwarding Profiles
- PAC File Guidelines
- Explicit Proxy Best Practices
- Monitor and Troubleshoot Explicit Proxy
- Block Settings for Explicit Proxy
- Use Special Objects to Restrict Explicit Proxy Internet Traffic to Specific IP Addresses
- Access Your Data Center Using Explicit Proxy
- App-Based Office 365 Integration with Explicit Proxy
- Configure Proxy Chaining with Blue Coat Proxy
- IP Address Optimization for Explicit Proxy Users- Proxy Deployments
- DNS Resolution for Mobile Users—Explicit Proxy Deployments
- View User to IP Address or User Groups Mappings
- Report Mobile User Site Access Issues
- Enable Mobile Users to Access Corporate Resources
-
-
- Planning Checklist for Remote Networks
- Allocate Remote Network Bandwidth
- Onboard a Remote Network
- Connect a Remote Network Site to Prisma Access
- Enable Routing for Your Remote Network
- Onboard Multiple Remote Networks
- Configure Remote Network and Service Connection Connected with a WAN Link
- Remote Networks—High Performance
- Integrate a Shared Desktop VDI with Prisma Access Using Terminal Server
-
- Multitenancy Configuration Overview
- Plan Your Multitenant Deployment
- Create an All-New Multitenant Deployment
- Enable Multitenancy and Migrate the First Tenant
- Add Tenants to Prisma Access
- Delete a Tenant
- Create a Tenant-Level Administrative User
- Sort Logs by Device Group ID in a Multitenant Deployment
-
- Add a New Compute Location for a Deployed Prisma Access Location
- How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote Network Connections
- Proxy Support for Prisma Access and Strata Logging Service
- Block Incoming Connections from Specific Countries
- Prisma Access for No Default Route Networks
-
-
- Default Routes With Prisma Access Traffic Steering
- Traffic Steering in Prisma Access
- Traffic Steering Requirements
- Default Routes with Traffic Steering Example
- Default Routes with Traffic Steering Direct to Internet Example
- Default Routes with Traffic Steering and Dedicated Service Connection Example
- Prisma Access Traffic Steering Rule Guidelines
- Configure Zone Mapping and Security Policies for Traffic Steering Dedicated Connections
- Configure Traffic Steering in Prisma Access
- Preserve User-ID and Device-ID Mapping for Service Connections with Source NAT
-
- Prisma Access Internal Gateway
-
- Configure Privileged Remote Access Settings
- Set Up the Privileged Remote Access Portal
- Configure Applications for Privileged Remote Access
- Set Up Privileged Remote Access Profiles
- Define Permissions for Accessing Privileged Remote Access Apps
- Configure Split Tunneling for Privileged Remote Access Traffic
- Manage Privileged Remote Access Connections
- Use Privileged Remote Access
-
- Integrate Prisma Access With Other Palo Alto Networks Apps
- Integrate Third-Party Enterprise Browser with Explicit Proxy
-
-
- Connect your Mobile Users in Mainland China to Prisma Access Overview
- Configure Prisma Access for Mobile Users in China
- Configure Real-Name Registration and Create the VPCs in Alibaba Cloud
- Attach the CEN and Specify the Bandwidth
- Create Linux Instances in the Alibaba Cloud VPCs
- Configure the Router Instances
- Onboard the GlobalProtect Gateway and Configure the Prisma Access Portal
-
-
-
- INC_CIE_AGENT_DISCONNECT
- INC_CIE_DIRECTORY_DISCONNECT
- INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_GLOBALPROTECT_PORTAL_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_GLOBALPROTECT_PORTAL_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_PORTAL_CLIENTLESS_VPN_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_PORTAL_CLIENTLESS_VPN_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_MU_AUTH_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_MU_AUTH_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_MU_DNS_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_MU_DNS_SERVER_UNREACHABLE_ PER_PA_LOCATION
- INC_RN_AUTH_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_RN_AUTH_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_RN_DNS_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_RN_DNS_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_RN_ECMP_TUNNEL_RTT_EXCEEDED_ BASELINE
- INC_RN_PRIMARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_RN_SECONDARY_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_RN_SITE_CAPACITY_PREDICTION
- INC_SC_PRIMARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_SC_SECONDARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_SC_SITE_CAPACITY_PREDICTION
-
- INC_CERTIFICATE_EXPIRY
- INC_GP_CLIENT_VERSION_UNSUPPORTED
- INC_MU_IP_POOL_BLOCK_UTILIZATION_ EXCEEDED_CAPACITY
- INC_MU_IP_POOL_BLOCK_UTILIZATION_ EXCEEDED_THRESHOLD
- INC_PA_INFRA_DEGRADATION
- INC_PA_SERVICE_DEGRADATION_PA_LOCATION
- INC_PA_SERVICE_DEGRADATION_RN_ SITE_CONNECTIVITY
- INC_PA_SERVICE_DEGRADATION_SC_ CONNECTIVITY
- INC_RN_ECMP_BGP_DOWN
- INC_RN_ECMP_BGP_FLAP
- INC_RN_ECMP_PROXY_TUNNEL_DOWN
- INC_RN_ECMP_PROXY_TUNNEL_FLAP
- INC_RN_ECMP_TUNNEL_DOWN
- INC_RN_ECMP_TUNNEL_FLAP
- INC_RN_PRIMARY_WAN_BGP_FLAP
- INC_RN_PRIMARY_WAN_PROXY_TUNNEL_DOWN
- INC_RN_PRIMARY_WAN_PROXY_TUNNEL_FLAP
- INC_RN_PRIMARY_WAN_TUNNEL_DOWN
- INC_RN_PRIMARY_WAN_TUNNEL_FLAP
- INC_RN_SECONDARY_WAN_BGP_DOWN
- INC_RN_SECONDARY_WAN_BGP_FLAP
- INC_RN_SECONDARY_WAN_PROXY_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_PROXY_TUNNEL_FLAP
- INC_RN_SECONDARY_WAN_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_TUNNEL_FLAP
- INC_RN_SITE_DOWN
- INC_RN_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- INC_RN_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_RN_SPN_LONG_DURATION_CAPACITY_EXCEEDED _THRESHOLD
- INC_RN_SPN_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_SC_PRIMARY_WAN_BGP_DOWN
- INC_SC_PRIMARY_WAN_BGP_FLAP
- INC_SC_PRIMARY_WAN_PROXY_TUNNEL_DOWN
- INC_SC_PRIMARY_WAN_PROXY_TUNNEL_FLAP
- INC_SC_PRIMARY_WAN_TUNNEL_DOWN
- INC_SC_PRIMARY_WAN_TUNNEL_FLAP
- INC_SC_SECONDARY_WAN_BGP_DOWN
- INC_SC_SECONDARY_WAN_BGP_FLAP
- INC_SC_SECONDARY_WAN_PROXY_TUNNEL_DOWN
- INC_SC_SECONDARY_WAN_PROXY_TUNNEL_FLAP
- INC_SC_SECONDARY_WAN_TUNNEL_DOWN
- INC_SC_SECONDARY_WAN_TUNNEL_FLAP
- INC_SC_SITE_DOWN
- INC_SC_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- INC_SC_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_ZTNA_CONNECTOR_APP_STATUS_DOWN
- INC_ZTNA_CONNECTOR_APP_STATUS_DOWN_PARTIAL
- INC_ZTNA_CONNECTOR_CPU_HIGH
- INC_ZTNA_CONNECTOR_MEMORY_HIGH
- INC_ZTNA_CONNECTOR_TUNNEL_DOWN
-
- AL_CIE_AGENT_DISCONNECT
- AL_CIE_DIRECTORY_DISCONNECT
- AL_MU_IP_POOL_CAPACITY
- AL_MU_IP_POOL_USAGE
- AL_RN_ECMP_BGP_DOWN
- AL_RN_ECMP_BGP_FLAP
- AL_RN_PRIMARY_WAN_BGP_DOWN
- AL_RN_PRIMARY_WAN_BGP_FLAP
- AL_RN_PRIMARY_WAN_TUNNEL_DOWN
- AL_RN_PRIMARY_WAN_TUNNEL_FLAP
- AL_RN_SECONDARY_WAN_BGP_DOWN
- AL_RN_SECONDARY_WAN_BGP_FLAP
- AL_RN_SECONDARY_WAN_TUNNEL_DOWN
- AL_RN_SECONDARY_WAN_TUNNEL_FLAP
- AL_RN_SITE_DOWN
- AL_RN_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_RN_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- AL_RN_SPN_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_SC_PRIMARY_WAN_BGP_DOWN
- AL_SC_PRIMARY_WAN_BGP_FLAP
- AL_SC_PRIMARY_WAN_TUNNEL_DOWN
- AL_SC_PRIMARY_WAN_TUNNEL_FLAP
- AL_SC_SECONDARY_WAN_BGP_DOWN
- AL_SC_SECONDARY_WAN_BGP_FLAP
- AL_SC_SECONDARY_WAN_TUNNEL_DOWN
- AL_SC_SECONDARY_WAN_TUNNEL_FLAP
- AL_SC_SITE_DOWN
- AL_SC_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_SC_SITE_LONG_DURATION_EXCEEDED_CAPACITY
- AL_ZTNA_CONNECTOR_APP_STATUS_DOWN
- AL_ZTNA_CONNECTOR_APP_STATUS_DOWN_PARTIAL
- AL_ZTNA_CONNECTOR_CPU_HIGH
- AL_ZTNA_CONNECTOR_MEMORY_HIGH
- AL_ZTNA_CONNECTOR_TUNNEL_DOWN
- New Features in Incidents and Alerts
- Known Issues
Explicit Proxy Configuration Guidelines
Describes the software and network requirements you need to successfully deploy
Prisma Access Explicit Proxy.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
System Requirements and Supported Features
These are the system requirements and supported features for the different connection
methods you can use with Explicit Proxy.
Agentless SAML | Agentless Kerberos | Proxy Mode on Agent (requires GP 6.2 or later) | Proxy Mode on Remote Networks | Prisma Access Browser | |
Applications and OS Support | |||||
Traffic Type | Internet and public SaaS traffic only | Internet and public SaaS traffic only | Internet and public SaaS traffic only | Internet and public SaaS traffic only | Internet and public SaaS traffic only |
Protocol Supports | Proxy aware HTTP or HTTPS | Proxy aware HTTP or HTTPS | Proxy aware HTTP or HTTPS | Proxy aware HTTP or HTTPS | Proxy aware HTTP or HTTPS |
Transport Channel to Prisma Access | HTTP Connect | HTTP Connect | HTTP Connect inside TLS | HTTP Connect inside IPSec from branch to remote network security processing node (SPN) | HTTP Connect inside TLS |
Environments Supported | Windows, Mac, Linux, ChromeOS, VDI |
Windows, Mac, Linux,
ChromeOS, VDI
| Windows and Mac |
Windows, Mac, Linux,
ChromeOS, VDI
| Windows, Mac, Android, iOS |
App Support | Proxy aware HTTP(s) apps | Any app that honors a PAC file or system proxy setting and supports Kerberos | Proxy aware HTTP(s) apps | Proxy aware HTTP(s) apps | Proxy aware HTTP(s) apps |
Browser Support | Chrome⁂, Edge, Firefox versions 115 or later | Chrome⁂, Edge, Firefox versions 115 or later | Chrome⁂, Edge, Firefox versions 115 or later* | Chrome⁂, Edge, Firefox versions 115 or later | Not Applicable |
O365 Support† | Browser and client apps | Browser and client apps | Browser and client apps | Browser and client apps | Browser |
Identity | |||||
User-ID‡ | Decrypted and non-HTTP CORS traffic | All Supported Traffic | All Supported Traffic | Depending on whether you're using SAML or Kerberos: decrypted/non-CORS X-Authenticated-User traffic | |
Auth Supported | SAML (Any SAML 2.0 IDPs or through CIE) | Kerberos | All GlobalProtect Supported Auth | SAML, Kerberos, X-Authenticated-User-based | SAML, OIDC, Kerberos, X-Authenticated-User-based |
Skip Auth | By Domain and by Source IP | By Domain and by Source IP | By Domain | By Domain and by Source IP | Not Supported |
User Group Directory | All CIE-Supported Directories | All CIE-Supported Directories | All CIE-Supported Directories | All CIE-Supported Directories | All CIE-Supported Directories |
License | Mobile User Unit per user | Mobile User Unit per user | Mobile User Unit per user | Mobile User unit per user or headless device and NET units for bandwidth for remote networks | Prisma Access Browser license |
Management | |||||
Multitenant Panorama | |||||
Multitenant Cloud Management | Supported | Supported | Supported | Supported | Supported |
Security Services | |||||
SaaS Inline | Supported | Supported | Supported | Supported | Supported |
DLP | Supported | Supported | Supported | Supported | Supported |
DNS Security§ | Supported | Supported | Supported | Supported | Supported |
Advanced URL Filtering | Supported | Supported | Supported | Supported | Supported |
Advanced WildFire | Supported | Supported | Supported | Supported | Supported |
Advanced Threat Prevention | Supported | Supported | Supported | Supported | Supported |
Remote Browser Isolation | Supported | Supported | Supported | Supported | Not Supported |
Private IP Visibility and Enforcement | Not Supported | Not Supported | Supported for known sites or branches | Supported | Not Supported |
Egress NAT | Supported | Supported | Supported | Supported | Not Supported |
Private App Access | Not Supported | Not Supported | Supported via Service Connections | Not Supported | Supported |
All TCP Traffic | Not Supported | Not Supported | Supported (with GlobalProtect version 6.3.1) | Not Supported | Not Supported |
ZTNA Connector | Not Supported | Not Supported | Supported | Not Supported | Supported |
Colo Connect | Not Supported | Not Supported | Supported | Not Supported | Supported |
Service Connections | Supported | Supported | Supported | Supported | Supported |
HIP Support (Tunnel and Proxy mode) | Not Supported | Not Supported | Supported | Not Supported | Not Supported |
DNS Proxy | Supported | Supported | Supported | Supported | Supported |
Traffic Steering | Not Supported | Not Supported | Not Supported | Not Supported | Not Supported |
Accept Default Route | Not Supported | Not Supported | Not Supported | Not Supported | Not Supported |
⁂ For the Chrome browser, follow the instructions listed below to disable TLS 1.3 Kyber,
if decryption is enabled:
- Open the Chrome browser.
- Add chrome://flags/#enable-tls13-kyber in the address bar and disable it.
- Click Relaunch.
* For Proxy Mode on Agent, Firefox requires a manual policy rule pushed through Mobile Device Management that instructs it to
honor the system proxy
† Explicit Proxy supports only HTTP traffic, not UDP. With SAML, Explicit Proxy
does not provide User-ID for client apps flows. For Agent proxy, you need to use a PAC
file to send client app authentication flows to the cloud proxy.
‡ No User-ID is available for auth bypass.
§ You can't apply DNS Security profiles to Explicit Proxy flows. Block domains instead.
App Support Considerations
- Explicit Proxy does not support apps that need IP affinity. The app must support traffic coming from multiple IPs for a given user session.
- Explicit Proxy downgrades decrypted HTTP/2 Flows to HTTP/1.
- Explicit Proxy does not fetch on-premises external dynamic lists.
- Agentless SAML only:
- Configure an SSL decryption policy to allow auth bypass by domain for
agentless PAC-based Explicit Proxy with SAML AuthDecryption is required for Prisma Access to read the authentication state cookie set up by Prisma Access on the mobile user's browser. Failing to enforce decryption enables the abuse of Explicit Proxy as an open proxy that can attackers can use as a forwarding service for denial-of-service attacks.
- In traffic logs, Explicit Proxy will show undecrypted and HTTP-CORS mobile user traffic logs as SWG-authenticated users.
- Make a note of the following browser requirements and usage guidelines:
- If you use Explicit Proxy, don't disable cookies in your browser; if you do, you can't browse any webpages.
- If you're using Explicit Proxy with Microsoft Edge, be sure to set SettingsPrivacy, Search, and ServicesTracking prevention to Basic.
- Configure an SSL decryption policy to allow auth bypass by domain for
agentless PAC-based Explicit Proxy with SAML Auth
Connectivity Requirements
If mobile users are connecting from remote sites or headquarters or data center locations
using an Explicit Proxy, the mobile user endpoint must be able to reach and route to the
IdP, ACS FQDN, Explicit Proxy URL, and URL of the PAC file hosted by Prisma Access.
PAC File Requirements and Guidelines—Follow the PAC File Guidelines when you set up the PAC file to use with Explicit
Proxy.
Proxy Chaining Guidelines—If you use proxy chaining from a third-party proxy to
Explicit Proxy, specify the Explicit Proxy URL in the third-party
proxy to forward traffic to Explicit Proxy
On-Premises Support—Explicit Proxy is a cloud-based proxy solution and not an
on-premises product. For an on-premises proxy solution, configure a PAN-OS web proxy.