Monitor and Troubleshoot Explicit Proxy
Focus
Focus
Prisma Access

Monitor and Troubleshoot Explicit Proxy

Table of Contents

Monitor and Troubleshoot Explicit Proxy

Monitor and troubleshoot your Prisma Access Explicit Proxy deployment.
Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • Prisma Access license
Learn how to monitor and troubleshoot your Prisma Access Explicit Proxy deployment.

Monitor and Troubleshoot Explicit Proxy (Strata Cloud Manager)

Monitor and troubleshoot your Prisma Access Explicit Proxy deployment.
Monitor Prisma Access Explicit Proxy deployment details to help you troubleshoot any issue.
  • Click MonitorUsers and select Explicit Proxy connected method.
  • Select MonitorUsers and select the connection method as Explicit Proxy to view Mobile Users that connect to Prisma Access security services through Explicit Proxy on a web browser on their devices.
  • Select Monitor > Prisma Access Locations > Explicit Proxy Mobile Users to see an overview of the health of all your Prisma Access locations for mobile users.
  • Check the traffic logs (Incidents & Alerts > Log Viewer and select the log type Traffic) and authentication logs (Incidents & Alerts > Log Viewer and select the log type Authentication) to troubleshoot authentication-related issues.

Monitor and Troubleshoot Explicit Proxy (Panorama)

Monitor and troubleshoot your Prisma Access Explicit Proxy deployment.
After you have configured Explicit Proxy for mobile users, monitor the status and troubleshoot any issues by checking the status of your Prisma Access Explicit Proxy deployment.
  • Select PanoramaCloud ServicesStatusStatus to see Explicit Proxy status.
    The mobile users Status and Config Status fields indicate whether the connection between Prisma Access and your mobile users is OK, unable to fetch the status on the tunnel (Warning), or that the mobile users cannot connect to Explicit Proxy (Error).
    Click the hyperlink next to Current Users and Users (Last 90 days) to get more information about mobile users.
    • Current Users—The current number of authenticated users who have browsed traffic in the last five minutes.
    • Users (Last 90 days)—The number of unique authenticated Explicit Proxy users for the last 90 days.
  • Select PanoramaCloud ServicesStatusMonitorMobile Users—Explicit Proxy to display a map showing the deployed Explicit Proxy locations.
  • Select PanoramaCloud ServicesStatusNetwork DetailsMobile Users—Explicit Proxy to view the following details:
    • Explicit Proxy URL—The URL used for Explicit Proxy.
    • ACS FQDN—The FQDN of the ACS.
    • SAML Meta Data—The authentication profile metadata used by SAML. You can Export SAML Metadata to save the metadata file.
  • To troubleshoot authentication-related issues, check the traffic logs (MonitorLogsTraffic) and authentication logs (MonitorLogsAuthentication). Explicit Proxy displays the following IP addresses and locations in the logs:
    • IP Addresses—If mobile users bypass the ACS FQDN in the PAC file, the IP address displayed in the Source column in the Traffic logs and the Traffic logs and the IP Address column in the Authentication logs, when viewed under the Explicit_Proxy_Device_Group, will be same as the mobile user’s IP address. If users do not bypass the ACS FQDN in the PAC file, the source IP address is the public IP address of the Explicit Proxy cloud firewall where redirects are going to ACS.
    • Locations—If mobile users bypass the ACS FQDN in the PAC file, the Region Name displayed in the Region Column in Authentication Logs, Current Users, and Users (Last 90 days) is one of the five 5 regions (us-west-2, us-east-1, eu-west-2, eu-west-3, ap-south-1) where the ACS is deployed, and shows the region where Explicit Proxy is performing the redirects from the client’s browser. If users do not bypass the ACS FQDN in the PAC file, the Region Name displayed in the Region Column in Authentication Logs, Current Users, and Users (Last 90 days) is one of the five 5 regions (us-west-2, us-east-1, eu-west-2, eu-west-3, ap-south-1) where the ACS is deployed, and shows the region where Explicit Proxy is performing the redirects from the Explicit Proxy firewall.