>
    Strata Copilot
    Explicit Proxy Configuration Guidelines
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Mobile Users
    5. Mobile Users: Explicit Proxy
    6. Explicit Proxy Configuration Guidelines
    Download PDF
    Prisma Access

    Explicit Proxy Configuration Guidelines

    Table of Contents

    Explicit Proxy Configuration Guidelines

    Describes the software and network requirements you need to successfully deploy Prisma Access Explicit Proxy.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • Prisma Access license
    System Requirements and Supported Features
    These are the system requirements and supported features for the different connection methods you can use with explicit proxy.
    Agentless SAMLAgentless KerberosProxy Mode on Agent (requires GP 6.2 or later)Proxy Mode on Remote Networks Prisma Browser
    LicenseMobile User Unit per userMobile User Unit per userMobile User Unit per userMobile User unit per user and NET units for bandwidth for remote networks and/or Site-based licensing for headless devicesPrisma Access enterprise license. Prisma Access business premium license or ZTNA license with add-on Prisma Browser license
    Applications and OS Support
    Traffic Type Internet and public SaaS traffic onlyInternet and public SaaS traffic onlyInternet and public SaaS traffic, and private application trafficInternet and public SaaS traffic onlyInternet and public SaaS traffic, and private application traffic
    Protocol SupportsProxy aware HTTP or HTTPSProxy aware HTTP or HTTPSProxy aware HTTP or HTTPS (All TCP traffic with GlobalProtect 6.3.1)Proxy aware HTTP or HTTPSProxy aware HTTP or HTTPS
    Transport Channel to Prisma AccessHTTP ConnectHTTP ConnectHTTP Connect inside TLSHTTP Connect inside IPSec from branch to Prisma AccessHTTP Connect inside TLS
    Environments SupportedWindows, Mac, Linux, ChromeOS, VDI
    Windows, Mac, Linux,
    ChromeOS, VDI
    		Windows and Mac
    All HTTP proxy devices with skip authentication
    		Windows, Mac, Android, iOS
    App SupportProxy aware HTTP(s) appsAny app that honors a PAC file or system proxy setting and supports Kerberos Proxy aware HTTP(s) appsProxy aware HTTP(s) appsProxy aware HTTP(s) apps
    Browser SupportChrome⁂, Edge, Firefox versions 115 or laterChrome⁂, Edge, Firefox versions 115 or laterChrome⁂, Edge, Firefox versions 115 or later*Chrome⁂, Edge, Firefox versions 115 or laterNot Applicable
    O365 Support†Browser and client appsBrowser and client appsBrowser and client appsBrowser and client appsBrowser
    Identity
    User-ID‡ Decrypted and non-HTTP CORS trafficAll Supported TrafficAll Supported TrafficDepending on whether you're using SAML or Kerberos: decrypted/non-CORS X-Authenticated-User trafficAll browser supported traffic based on the users authenticated by the browser.
    Auth SupportedSAML (Any SAML 2.0 IDPs or through CIE)KerberosAll GlobalProtect Supported Auth SAML, Kerberos, X-Authenticated-User-basedPrisma Browser supported authentication
    Skip Auth«By Domain and by Source IPBy Domain and by Source IPBy DomainBy Domain and by Source IPNot Supported
    User Group DirectoryAll CIE-Supported DirectoriesAll CIE-Supported DirectoriesAll CIE-Supported DirectoriesAll CIE-Supported DirectoriesAll CIE-Supported Directories
    Management
    Multitenant Panorama
    Supported on first tenant
    Supported on first tenant
    Supported on first tenant
    Supported on first tenant
    Supported on first tenant
    Multitenant Cloud Management SupportedSupportedSupportedSupportedSupported
    Security Services
    SaaS InlineSupportedSupportedSupportedSupportedSupported
    DLPSupportedSupportedSupportedSupportedSupported
    DNS Security§SupportedSupportedSupportedSupportedSupported
    Advanced URL FilteringSupportedSupportedSupportedSupportedSupported
    Advanced WildFireSupportedSupportedSupportedSupportedSupported
    Advanced Threat PreventionSupportedSupportedSupportedSupportedSupported
    Remote Browser IsolationфSupportedSupportedSupportedSupportedSupported
    HIP SupportNot SupportedNot SupportedSupported (Tunnel and Proxy mode)Not SupportedNot Supported
    Infrastructure Services
    Private IP Visibility and EnforcementNot SupportedNot SupportedSupported for known sites or branchesSupportedNot Supported
    Egress NATSupportedSupportedSupportedSupportedSupported
    ZTNA ConnectorNot SupportedNot SupportedSupportedNot SupportedSupported
    Colo ConnectNot SupportedNot SupportedSupportedNot SupportedSupported
    Service Connections¤SupportedSupportedSupportedSupportedSupported
    DNS ProxySupportedSupportedSupportedSupportedSupported
    License
    Site-Based LicenseNot SupportedNot SupportedNot SupportedSupportedNot Supported
    ⁂ For the Chrome browser, follow the instructions listed below to disable TLS 1.3 Kyber, if decryption is enabled:
    1. Open the Chrome browser.
    2. Add chrome://flags/#enable-tls13-kyber in the address bar and disable it.
    3. Click Relaunch.
    If you need to disable Kyber in Prisma Browser use the management console.
    * For Proxy Mode on Agent, Firefox requires a manual policy rule pushed through Mobile Device Management that instructs it to honor the system proxy
    Explicit proxy supports only HTTP traffic, not UDP. With SAML, explicit proxy does not provide User-ID for client apps flows. For agent proxy, you need to use a PAC file to send client app authentication flows to the cloud proxy.
    No User-ID is available for auth bypass.
    § You can't apply DNS Security profiles to explicit proxy flows. Block domains instead.
    фExplicit proxy in AWS locations support Remote Browser Isolation from Prisma Access release 6.0 and later.
    ¤Service Connections is supported for DNS Proxy and Proxy Chaining only.
    «Skip auth-bypass for private apps is not supported.
    App Support Considerations
    1. Explicit proxy does not support apps that need IP address affinity. The app must support traffic coming from multiple IP addresses for a given user session.
    2. Explicit proxy downgrades decrypted HTTP/2 Flows to HTTP/1.
    3. Explicit proxy does not fetch on-premises external dynamic lists.
    4. Agentless SAML only:
      1. Configure an SSL decryption policy to allow auth bypass by domain for agentless PAC-based explicit proxy with SAML Auth
        Decryption is required for Prisma Access to read the authentication state cookie set up by Prisma Access on the mobile user's browser. Failing to enforce decryption enables the abuse of explicit proxy as an open proxy that can attackers can use as a forwarding service for denial-of-service attacks.
      2. In traffic logs, explicit proxy will show undecrypted and HTTP-CORS mobile user traffic logs as SWG-authenticated users.
      3. Make a note of the following browser requirements and usage guidelines:
        • If you use explicit proxy, don't disable cookies in your browser; if you do, you can't browse any webpages.
        • If you're using explicit proxy with Microsoft Edge, be sure to set SettingsPrivacy, Search, and ServicesTracking prevention to Basic.
    Connectivity Requirements
    If mobile users are connecting from remote sites or headquarters or data center locations using an explicit proxy, the mobile user endpoint must be able to reach and route to the IdP, ACS FQDN, explicit proxy URL, and URL of the PAC file hosted by Prisma Access.
    PAC File Requirements and Guidelines—Follow the PAC File Guidelines when you set up the PAC file to use with explicit proxy.
    Proxy Chaining Guidelines
    On-Premises Support—Explicit Proxy is a cloud-based proxy solution and not an on-premises product. For an on-premises proxy solution, configure a PAN-OS web proxy.

    © 2026 Palo Alto Networks, Inc. All rights reserved.