Cloud Management
Prisma Access


Learn how to use multicast and unicast IP addresses to secure mobile users and devices at Remote Networks with an Explicit Proxy.
To secure users at remote networks using Explicit Proxy in Cloud Managed Prisma Access, complete the following steps.
  1. Configure your Explicit Proxy setup and onboard the Explicit Proxy locations you want to add.
  2. Onboard your remote networks if you have not done so already.
    You must enable Prisma Access Remote Networks in the locations that are supported with Explicit Proxy.
  3. Push Config, being sure that Mobile Users—Remote Workforce and Remote Networks are selected in the Push scope.
    The push operation retrieves the anycast addresses you need to integrate Explicit Proxy with the remote network.
  4. Get the anycast IP addresses you use for your Explicit Proxy/Remote Network deployment.
    1. Go to Manage > Service Setup > Explicit Proxy > Advanced Security Settings.
      If you're using Strata Cloud Manager, go to Workflows > Prisma Access Setup > Explicit Proxy > Advanced Security Settings.
    2. Enable Proxy Mode.
    3. To leverage the source IP addresses of the systems in your branch locations that are forwarding traffic to Explicit Proxy, select Source IP based visibility and enforcement.
      This functionality has these requirements:
    4. Add a policy to allow traffic bound to anycast and unicast IP addresses on remote networks. If you have enabled Source IP visibility and enforcement, use the Source IP field in Security policies in Explicit Proxy to secure the traffic. You need additional policies in the remote networks.
    5. (Optional) To bypass authentication of any trusted source addresses you entered, specify IP addresses that should have authentication skipped in the Trusted Source Address area and select Skip authentication.
      You can use Skip authentication with Source IP based visibility and enforcement to skip authentication of headless systems that can't authenticate, set up security policies, and get visibility of the traffic on Prisma Access Explicit Proxy.
      You can add either IP addresses or subnets. A maximum of 100,000 IP addresses are supported after expanding the subnets.
    6. Go to Manage > Service Setup > Remote Networks.
      If you're using Strata Cloud Manager, go to Workflows > Prisma Access Setup > Remote Networks.
    7. Push Config, being sure that Mobile Users—Remote Workforce and Remote Networks are selected in the Push scope.
    8. Go to Advanced Settings in your Remote Networks Setup and find the anycast IP addresses used to forward traffic to Explicit Proxy.
  5. (Optional) Find the unicast address to use for your Explicit Proxy/Remote Network deployment.
    Use the unicast IP address in the PAC file only if you want to target a specific Remote Network to forward traffic to Explicit Proxy. If you want to use all deployed Remote Networks to forward traffic to Explicit Proxy, use the anycast addresses.
    1. Go to Manage > Service Setup > Remote Networks.
      If you're using Strata Cloud Manager, go to Workflows > Prisma Access Setup > Remote Networks.
    2. Make a note of the Loopback IP address.
      If you have IPv4 and IPv6 addresses, make a note of the IPv4 address.
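
For the Trusted Source Address list in step 4.5, the following added example (not from the Prisma Access documentation) checks a candidate list against the 100,000-address limit before you enter it, and rejects malformed entries so that an authentication bypass is never granted to a mistyped range. The function name, the sample entries, and the choice to compare the non-deduplicated total against the limit are assumptions; the page does not say whether overlapping subnets are counted once.

```python
import ipaddress

MAX_TRUSTED_ADDRESSES = 100_000  # limit stated on this page, after subnet expansion

# Constructed sample list (not real deployment data).
SAMPLE = [
    "10.20.0.0/16",    # 65,536 addresses
    "10.20.30.0/24",   # 256 addresses, already covered by the /16 above
    "192.0.2.15",      # single headless host
    "172.16.0.0/17",   # 32,768 addresses
    "10.1.1.5/24",     # invalid: host bits set, probably a typo
]


def check_trusted_sources(entries, limit=MAX_TRUSTED_ADDRESSES):
    """Expand a trusted-source list and compare its size with the limit."""
    networks, invalid = [], []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            # strict=True rejects subnets with host bits set (10.1.1.5/24),
            # so an ambiguous entry is reported instead of silently widened.
            networks.append(ipaddress.ip_network(text, strict=True))
        except ValueError:
            invalid.append(text)

    raw_total = sum(n.num_addresses for n in networks)

    # Unique count: collapse overlapping/adjacent subnets, one IP version
    # at a time because collapse_addresses() refuses mixed versions.
    unique_total = 0
    for version in (4, 6):
        same = [n for n in networks if n.version == version]
        unique_total += sum(
            n.num_addresses for n in ipaddress.collapse_addresses(same)
        )

    return {
        "invalid": invalid,
        "raw_total": raw_total,        # every entry expanded independently
        "unique_total": unique_total,  # overlaps counted once
        # Assumption: use the larger (raw) figure so the check stays safe
        # whichever way the service counts overlapping entries.
        "within_limit": raw_total <= limit,
    }


if __name__ == "__main__":
    print(check_trusted_sources(SAMPLE))
```

A gap between `raw_total` and `unique_total` points at redundant entries that can be removed from the skip-authentication list.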

