PAC File Guidelines
Follow these guidelines to configure your PAC file for Explicit Proxy.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license

Cloud Management

Use the following guidelines and requirements when configuring the PAC file to use with Explicit Proxy:
  • If you are using the GlobalProtect Agent in Proxy Mode, the agent distributes the PAC file to your hosts. The agent accesses the PAC file over HTTPS. The PAC file is public.
  • PAC files steer user traffic to Explicit Proxy.
  • You can host only one PAC file for use with Prisma Access, and the Explicit Proxy PAC file is hosted in the United States. If you require PAC file access outside of the United States, you can host the PAC file in your enterprise.
  • To access the PAC file, ensure that your endpoints can reach the following IP addresses:
    • 34.111.7.85
    • 34.160.172.204
    • 34.110.206.116
    • 34.95.107.244
    • 34.149.8.36
  • Only ASCII text format is supported for PAC files. Palo Alto Networks recommends that you create and save the PAC file in a text editor such as vi or Vim.
  • After you create your Explicit Proxy configuration and commit and push your changes, upload your PAC file or specify your PAC configuration in the PAC file editor.
  • You must have at least one Explicit Proxy URL in the return "PROXY foo.proxy.prismaaccess.com:8080"; statement for traffic ingressing to Prisma Access. Either use the domain configured when you push your changes, or use a valid IPv4 address or the DIRECT keyword, for example PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080 or PROXY 1.2.3.4:8080.
  • If the proxy is not being bypassed, you must provide a PROXY keyword. A valid PROXY statement is required if no DIRECT keyword is configured for the proxy bypass.
  • If a valid PROXY statement is found before an invalid PROXY statement, Explicit Proxy skips the validity check on all PROXY statements after the first. For example, a PAC file with the valid statement PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080 followed by the invalid statement PROXY foo.proxy.prismaacess.com:8080 is considered valid, because Explicit Proxy skips the validity check for foo.proxy.prismaacess.com:8080.
  • If you are using a PROXY statement to have ACS traffic bypass the Prisma Access proxy, the PROXY statement should not use the Explicit Proxy URL. In this configuration, Explicit Proxy displays an error message but allows you to upload the PAC file. You can direct the ACS traffic to other proxies using a valid FQDN or IPv4 address, or directly to the internet using the DIRECT keyword.
  • Only IPv4 addresses are supported in PROXY statements. Do not use IPv6 addresses in PROXY statements.
  • The maximum file size for a PAC file is 256 KB.
  • If ACS/IdP traffic needs to go through Explicit Proxy, add those domains to an auth bypass list and a No Decryption policy rule.
  • If you set up Explicit Proxy in a default route environment, you must exclude the portal, gateway, and SAML FQDNs. You can use the PAC file to bypass these FQDNs.
  • You cannot delete a PAC file after you have uploaded it. You can, however, upload a new PAC file or edit it in the PAC file editor to overwrite the existing one.
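Several of the guidelines above are mechanical and can be checked before you upload the file: ASCII only, at most 256 KB, a FindProxyForURL function, at least one PROXY statement, PROXY targets that are an FQDN or an IPv4 address with a port, and no IPv6 addresses. The following pre-upload checker is an added example, not Palo Alto Networks code, written in JavaScript (the language of PAC files) and run under Node.js. The PAC texts it checks are constructed test inputs, the Explicit Proxy URL it looks for is a placeholder, and this page does not state that Explicit Proxy's own upload validation performs exactly these checks.

```javascript
// Added example, not Palo Alto Networks code: a pre-upload checker for the
// PAC file guidelines on this page. It runs under Node.js on the PAC text
// (read the file with fs.readFileSync in practice); the PAC texts below are
// constructed test inputs and the Explicit Proxy URL is a placeholder.

const MAX_BYTES = 256 * 1024; // 256 KB limit from the guidelines

const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;
const FQDN = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/i;

// Every string literal the PAC file returns, e.g. "PROXY host:8080; DIRECT".
// Matches return"..." with or without a space, as in the page's own example.
function extractReturns(pacText) {
  const out = [];
  const re = /return\s*"([^"]*)"/g;
  let m;
  while ((m = re.exec(pacText)) !== null) out.push(m[1]);
  return out;
}

// Validates one PROXY target ("host:port"); returns a problem string or null.
function checkProxyTarget(target) {
  // A bracketed literal or more than one colon means IPv6, which is not supported.
  if (target.startsWith("[") || (target.match(/:/g) || []).length > 1) {
    return "IPv6 address in PROXY statement: " + target;
  }
  const sep = target.lastIndexOf(":");
  if (sep === -1) return "PROXY target has no port: " + target;
  const host = target.slice(0, sep);
  const port = Number(target.slice(sep + 1));
  if (!Number.isInteger(port) || port < 1 || port > 65535) return "invalid port in PROXY target: " + target;
  if (!IPV4.test(host) && !FQDN.test(host)) return "PROXY host is neither an FQDN nor an IPv4 address: " + target;
  return null;
}

// Runs all checks; returns a list of problems (empty when the file passes).
// explicitProxyUrl is optional: when given, at least one PROXY statement must use it.
function checkPac(pacText, explicitProxyUrl) {
  const problems = [];
  if (!/^[\x00-\x7F]*$/.test(pacText)) problems.push("file contains non-ASCII characters");
  if (Buffer.byteLength(pacText, "utf8") > MAX_BYTES) problems.push("file exceeds 256 KB");
  if (!/function\s+FindProxyForURL\s*\(/.test(pacText)) problems.push("no FindProxyForURL function");

  let proxyCount = 0;
  let explicitSeen = false;
  for (const ret of extractReturns(pacText)) {
    for (const stmt of ret.split(";").map(s => s.trim()).filter(Boolean)) {
      const [keyword, ...rest] = stmt.split(/\s+/);
      if (keyword === "DIRECT") continue;
      if (keyword !== "PROXY" || rest.length !== 1) {
        problems.push("unrecognised return statement: " + stmt);
        continue;
      }
      proxyCount++;
      const err = checkProxyTarget(rest[0]);
      if (err) problems.push(err);
      if (rest[0] === explicitProxyUrl) explicitSeen = true;
    }
  }
  if (proxyCount === 0) problems.push("no PROXY statement found");
  if (explicitProxyUrl && !explicitSeen) problems.push("no PROXY statement uses the Explicit Proxy URL " + explicitProxyUrl);
  return problems;
}

// Constructed inputs: a trimmed copy of the page's sample file, an IPv6 target,
// and a file that only ever returns DIRECT.
const SAMPLE_PAC = `function FindProxyForURL(url, host) {
  var resolved_ip = dnsResolve(host);
  if (isPlainHostName(host) || shExpMatch(host, "*.local") ||
      isInNet(resolved_ip, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  if (url.substring(0,4) == "ftp:") return "DIRECT";
  return "PROXY foo.proxy.prismaaccess.com:8080";
}`;
const IPV6_PAC = 'function FindProxyForURL(url, host) { return "PROXY [2001:db8::1]:8080"; }';
const DIRECT_ONLY_PAC = 'function FindProxyForURL(url, host) { return "DIRECT"; }';

console.log(checkPac(SAMPLE_PAC, "foo.proxy.prismaaccess.com:8080")); // []
console.log(checkPac(IPV6_PAC));
console.log(checkPac(DIRECT_ONLY_PAC));
```

The checker scans return statements with a regular expression rather than parsing JavaScript, so it is a guideline check, not a PAC interpreter; a helper function in your file that returns some unrelated string literal would be reported as an unrecognised statement. Pass the tenant's real Explicit Proxy URL as the second argument so the "at least one Explicit Proxy URL" rule is enforced.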
Explicit Proxy provides a sample PAC file that you can modify and use as the PAC file for your Explicit Proxy deployment. The sample PAC file that Prisma Access provides contains the following data:

    function FindProxyForURL(url, host) {
        /* Bypass localhost and Private IPs */
        var resolved_ip = dnsResolve(host);
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.local") ||
            isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
            isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
            isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
            isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
            return "DIRECT";
        /* Bypass FTP */
        if (url.substring(0,4) == "ftp:")
            return "DIRECT";
        /* Bypass SAML, e.g. Okta */
        if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com"))
            return "DIRECT";
        /* Bypass ACS */
        if (shExpMatch(host, "*.acs.prismaaccess.com"))
            return "DIRECT";
        /* Forward to Prisma Access */
        return "PROXY foo.proxy.prismaaccess.com:8080";
    }
If you want to use the default PAC file that Prisma Access provides, you can optionally modify the fields in the PAC file as described in the following table (Text, followed by its Description).
  • var resolved_ip = dnsResolve(host); ... return "DIRECT";
    If you do not modify the data in this file, the following hostnames and IP addresses bypass Explicit Proxy:
      • if (isPlainHostName(host) —Bypasses Explicit Proxy for hostnames that contain no dots (for example, http://intranet).
      • shExpMatch(host, "*.local") || —Bypasses the proxy for any hostnames that are hosted in the internal network (localhost).
      • isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") || isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") || isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") || isInNet(resolved_ip, "127.0.0.0", "255.255.255.0")) —Bypasses Explicit Proxy for any IP addresses that are in the private or loopback IP address range.
  • if (url.substring(0,4) == "ftp:") return "DIRECT";
    Bypasses Explicit Proxy for FTP sessions.
  • if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com")) return "DIRECT";
    Bypasses Explicit Proxy for the SAML IdP. Be sure to add all FQDNs used by the IdP. If you use Okta as the IdP for SAML authentication, enter *.okta.com and *.oktacdn.com.
  • if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT";
    Bypasses Explicit Proxy for the Prisma Access Authentication Cache Service (ACS). Instead of using a wildcard, you can add the specific ACS FQDN for your deployment. Find this FQDN under Panorama > Cloud Services > Status > Network Details > Mobile Users—Explicit Proxy > ACS FQDN.
  • return "PROXY foo.proxy.prismaaccess.com:8080"
    Bypasses Explicit Proxy for the Explicit Proxy URL. You must have at least one Explicit Proxy URL in the return "PROXY foo.proxy.prismaaccess.com:8080"; statement for traffic ingressing to Prisma Access. Either use the domain configured when you push your changes, or use a valid IPv4 address or the DIRECT keyword, for example PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080 or PROXY 1.2.3.4:8080.
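Reading the table tells you what each bypass rule is meant to do; evaluating the file against real-looking requests tells you what it actually does before it reaches every host. The following offline harness is an added example, not Prisma Access code: it implements the standard PAC helper functions the sample relies on (dnsResolve, isPlainHostName, shExpMatch, isInNet), backed by a constructed hostname-to-IP table instead of real DNS, and runs a copy of the sample FindProxyForURL over constructed requests. In production the browser or GlobalProtect agent supplies those helpers itself; the hostnames, addresses and expected decisions here are all constructed.

```javascript
// Added example, not Palo Alto Networks code: an offline harness that
// implements the standard PAC helper functions the sample file relies on
// and evaluates a copy of the sample FindProxyForURL against constructed
// requests. In production the browser or GlobalProtect agent supplies these
// helpers; the DNS table here is constructed so the check runs offline.

// Constructed hostname -> IPv4 table standing in for real DNS.
const FAKE_DNS = {
  "intranet": "10.1.2.3",
  "wiki.corp.local": "10.20.30.40",
  "printer.example.com": "192.168.5.9",
  "www.example.com": "93.184.216.34",
  "login.okta.com": "203.0.113.10",
  "tenant.acs.prismaaccess.com": "198.51.100.7",
};

// Real PAC engines return null when the name does not resolve.
function dnsResolve(host) {
  return Object.prototype.hasOwnProperty.call(FAKE_DNS, host) ? FAKE_DNS[host] : null;
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Shell-style glob match ("*" and "?") anchored to the whole string.
function shExpMatch(str, pattern) {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + escaped + "$").test(str);
}

// Dotted quad -> unsigned 32-bit integer, or null for anything malformed
// (including the null that dnsResolve returns for an unresolvable host).
function ipToInt(ip) {
  if (typeof ip !== "string") return null;
  const parts = ip.split(".").map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) return null;
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function isInNet(ip, net, mask) {
  const a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}

// The sample PAC logic from the page, unchanged apart from layout.
function FindProxyForURL(url, host) {
  /* Bypass localhost and Private IPs */
  var resolved_ip = dnsResolve(host);
  if (isPlainHostName(host) || shExpMatch(host, "*.local") ||
      isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
      isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
    return "DIRECT";
  /* Bypass FTP */
  if (url.substring(0, 4) == "ftp:") return "DIRECT";
  /* Bypass SAML, e.g. Okta */
  if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com")) return "DIRECT";
  /* Bypass ACS */
  if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT";
  /* Forward to Prisma Access */
  return "PROXY foo.proxy.prismaaccess.com:8080";
}

// Constructed requests: [url, host, expected decision].
const CASES = [
  ["http://intranet/", "intranet", "DIRECT"],                                        // plain host name
  ["https://wiki.corp.local/", "wiki.corp.local", "DIRECT"],                         // *.local
  ["https://printer.example.com/", "printer.example.com", "DIRECT"],                 // resolves to RFC 1918 space
  ["ftp://www.example.com/pub", "www.example.com", "DIRECT"],                        // FTP scheme
  ["https://login.okta.com/", "login.okta.com", "DIRECT"],                           // SAML IdP
  ["https://tenant.acs.prismaaccess.com/", "tenant.acs.prismaaccess.com", "DIRECT"], // ACS
  ["https://www.example.com/", "www.example.com", "PROXY foo.proxy.prismaaccess.com:8080"],
  ["https://unknown.example.net/", "unknown.example.net", "PROXY foo.proxy.prismaaccess.com:8080"], // unresolvable
];

// Returns descriptions of the cases whose decision differs from the expectation
// (empty when every case agrees).
function runCases(cases) {
  return cases
    .filter(([url, host, want]) => FindProxyForURL(url, host) !== want)
    .map(([url, host, want]) => url + ": expected " + want + ", got " + FindProxyForURL(url, host));
}

const mismatches = runCases(CASES);
console.log(mismatches.length === 0 ? "all cases matched" : mismatches.join("\n"));
```

Because the helper semantics are reproduced rather than described, the harness surfaces behaviour that is easy to miss when reading the file: a host that does not resolve makes every isInNet test false and so falls through to the PROXY statement, and the sample's loopback rule, with its 255.255.255.0 mask, only covers 127.0.0.0/24. Swap in your own bypass rules and tenant FQDNs, add the requests you care about to CASES, and run the script with Node.js before publishing a changed PAC file.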

Panorama

Use the following guidelines and requirements when configuring the PAC file to use with Explicit Proxy:
  • If you are using the GlobalProtect Agent in Proxy Mode, the agent distributes the PAC file to your hosts. The agent accesses the PAC file over HTTPS. The PAC file is public.
  • PAC files steer user traffic to Explicit Proxy.
  • You can host only one PAC file for use with Prisma Access, and the Explicit Proxy PAC file is hosted in the United States. If you require PAC file access outside of the United States, you can host the PAC file in your enterprise.
  • To access the PAC file, ensure that your endpoints can reach the following IP addresses:
    • 34.111.7.85
    • 34.160.172.204
    • 34.110.206.116
    • 34.95.107.244
    • 34.149.8.36
  • Only ASCII text format is supported for PAC files. Palo Alto Networks recommends that you create and save the PAC file in a text editor such as vi or Vim.
  • Upload the PAC file after you create your Explicit Proxy configuration and commit and push your changes. After you upload your PAC file, a commit and push operation is not required.
  • You must have at least one Explicit Proxy URL in the return "PROXY foo.proxy.prismaaccess.com:8080"; statement for traffic ingressing to Prisma Access. Either use the domain configured when you push your changes, or use a valid IPv4 address or the DIRECT keyword, for example PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080 or PROXY 1.2.3.4:8080.
  • If the proxy is not being bypassed, you must provide a PROXY keyword. A valid PROXY statement is required if no DIRECT keyword is configured for the proxy bypass.
  • If a valid PROXY statement is found before an invalid PROXY statement, Explicit Proxy skips the validity check on all PROXY statements after the first. For example, a PAC file with the valid statement PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080 followed by the invalid statement PROXY foo.proxy.prismaacess.com:8080 is considered valid, because Explicit Proxy skips the validity check for foo.proxy.prismaacess.com:8080.
  • If you are using a PROXY statement to have ACS traffic bypass the Prisma Access proxy, the PROXY statement should not use the Explicit Proxy URL. In this configuration, Explicit Proxy displays an error message but allows you to upload the PAC file. You can direct the ACS traffic to other proxies using a valid FQDN or IPv4 address, or directly to the internet using the DIRECT keyword.
  • Only IPv4 addresses are supported in PROXY statements. Do not use IPv6 addresses in PROXY statements.
  • The maximum file size for a PAC file is 256 KB.
  • If ACS/IdP traffic needs to go through Explicit Proxy, add those domains to an auth bypass list and a No Decryption policy rule.
  • If you set up Explicit Proxy in a default route environment, you must exclude the portal, gateway, and SAML FQDNs. You can use the PAC file to bypass these FQDNs.
  • You cannot delete a PAC file after you have uploaded it. You can, however, upload a new PAC file to overwrite the existing one.
  • If you change the Explicit Proxy URL in Prisma Access but do not change the PAC file to reflect the change, the change won't be applied. You must upload a new PAC file specifying the new Explicit Proxy URL.
Explicit Proxy provides a sample PAC file that you can modify and use as the PAC file for your Explicit Proxy deployment. The sample PAC file that Prisma Access provides contains the following data:

    function FindProxyForURL(url, host) {
        /* Bypass localhost and Private IPs */
        var resolved_ip = dnsResolve(host);
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.local") ||
            isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
            isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
            isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
            isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
            return "DIRECT";
        /* Bypass FTP */
        if (url.substring(0,4) == "ftp:")
            return "DIRECT";
        /* Bypass SAML, e.g. Okta */
        if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com"))
            return "DIRECT";
        /* Bypass ACS */
        if (shExpMatch(host, "*.acs.prismaaccess.com"))
            return "DIRECT";
        /* Forward to Prisma Access */
        return "PROXY foo.proxy.prismaaccess.com:8080";
    }
If you want to use the default PAC file that Prisma Access provides, you can optionally modify the fields in the PAC file as described in the following table (Text, followed by its Description).
  • var resolved_ip = dnsResolve(host); ... return "DIRECT";
    If you do not modify the data in this file, the following hostnames and IP addresses bypass Explicit Proxy:
      • if (isPlainHostName(host) —Bypasses Explicit Proxy for hostnames that contain no dots (for example, http://intranet).
      • shExpMatch(host, "*.local") || —Bypasses the proxy for any hostnames that are hosted in the internal network (localhost).
      • isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") || isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") || isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") || isInNet(resolved_ip, "127.0.0.0", "255.255.255.0")) —Bypasses Explicit Proxy for any IP addresses that are in the private or loopback IP address range.
  • if (url.substring(0,4) == "ftp:") return "DIRECT";
    Bypasses Explicit Proxy for FTP sessions.
  • if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com")) return "DIRECT";
    Bypasses Explicit Proxy for the SAML IdP. Be sure to add all FQDNs used by the IdP. If you use Okta as the IdP for SAML authentication, enter *.okta.com and *.oktacdn.com.
  • if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT";
    Bypasses Explicit Proxy for the Prisma Access Authentication Cache Service (ACS). Instead of using a wildcard, you can add the specific ACS FQDN for your deployment. Find this FQDN under Panorama > Cloud Services > Status > Network Details > Mobile Users—Explicit Proxy > ACS FQDN.
  • return "PROXY foo.proxy.prismaaccess.com:8080"
    Bypasses Explicit Proxy for the Explicit Proxy URL. You must have at least one Explicit Proxy URL in the return "PROXY foo.proxy.prismaaccess.com:8080"; statement for traffic ingressing to Prisma Access. Either use the domain configured when you push your changes, or use a valid IPv4 address or the DIRECT keyword, for example PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080 or PROXY 1.2.3.4:8080.
