Prisma Access
Panorama
Learn how to use multicast and unicast IP addresses to secure mobile users and devices at Remote Networks with an Explicit Proxy.
To secure users at remote networks using Explicit Proxy in Prisma Access (Managed by Panorama), complete the following steps.
- Configure your Explicit Proxy deployment and onboard the Explicit Proxy locations you want to add.
- Retrieve the anycast IP addresses you use for your Explicit Proxy/Remote Network deployment.
- Select Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy.
- Select the gear icon to edit the Settings.
- Select Enable Proxy Mode.
- To leverage the private IP addresses of the systems in your branch locations that are forwarding traffic to Explicit Proxy, select Source IP based visibility and enforcement. This functionality has these requirements:
  - A minimum Prisma Access dataplane of 10.2.4
  - A Prisma Access (Managed by Panorama) deployment with a minimum Cloud Services plugin of 4.1
  - You must use only remote network locations supported with Explicit Proxy.
- Add a policy to allow traffic bound to anycast and unicast IP on remote networks. If you have enabled Source IP visibility and enforcement, use the Source IP field in Security policies in Explicit Proxy to secure the traffic. You need additional policies in the remote networks.
- (Optional) Under Authentication Settings, enter any IP addresses from which undecrypted HTTP or HTTP Cross-Origin Resource Sharing (CORS) traffic should be allowed to the Trusted Source Address Auth Bypass. Add the IP addresses to IP address-based Address Objects and Add the address objects in the field. Enter a maximum of 100,000 addresses. Make sure that the address object uses IP addresses only.
- (Optional) To bypass authentication of any trusted source addresses you entered, select Auth Bypass. You can use Auth Bypass with Source IP based visibility and enforcement to skip authentication of headless systems that can't authenticate, set up security policies, and get visibility of the traffic on Prisma Access Explicit Proxy. You can add either IP addresses or subnets. A maximum of 100,000 IP addresses are supported after expanding the subnets.
- Select Panorama > Cloud Services > Configuration > Remote Networks.
- Onboard your Remote Network Locations if you have not done so already. You must enable Prisma Access Remote Networks in the locations that are supported with Explicit Proxy.
- Click Commit > Commit and Push.
- Edit Selections and, in the Prisma Access tab, make sure Prisma Access for networks is selected in the Push Scope, then click OK.
- Commit and Push your changes. You must perform a commit and push for your Remote Networks for Prisma Access to retrieve the IP addresses used in an Explicit Proxy/Remote Network deployment.
- Return to the Explicit Proxy Settings (Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy > Settings > Advanced) and make a note of the ALLOCATED ADDRESSES that display under Remote Networks Configuration.
- (Optional) Find the unicast address you use for your Explicit Proxy/Remote Network deployment. Use the unicast IP address in the PAC file only if you want to target a specific Remote Network to forward traffic to Explicit Proxy. If you want to use all deployed Remote Networks to forward traffic to Explicit Proxy, use the anycast addresses.
- Select Panorama > Cloud Services > Status > Network Details > Remote Networks.
- Make a note of the EBGP Router address. If you have IPv4 and IPv6 addresses, make a note of the IPv4 address. This address is also known as the loopback address. If you have made configuration changes that changed the EBGP router address, you can retrieve the loopback IP address using the Prisma Access legacy API.
- Ensure that the CPE in your network is set up correctly for endpoints to forward traffic to Explicit Proxy via the anycast and unicast IP addresses.
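
A pre-commit check for the trusted source address list described in the Auth Bypass steps above, as an added example that is not Palo Alto Networks code: it rejects entries that are not IP addresses or subnets and compares the address count after subnet expansion with the 100,000 limit. The function name, the sample entries, and the counting rule (every address in a subnet counts, overlapping entries count once) are assumptions.

```python
import ipaddress

MAX_EXPANDED = 100_000  # limit stated on this page for trusted source addresses


def check_trusted_sources(entries, limit=MAX_EXPANDED):
    """Validate candidate Auth Bypass entries before creating address objects.

    Returns the collapsed networks, the rejected entries, the expanded
    address count, and an overall ok flag.
    """
    networks, rejected = [], []
    for raw in entries:
        text = raw.strip()
        if not text:
            continue
        try:
            # strict=True rejects subnets with host bits set (10.1.1.5/24),
            # a common typo that silently widens an authentication bypass.
            networks.append(ipaddress.ip_network(text, strict=True))
        except ValueError:
            rejected.append(text)  # FQDNs, ranges, typos: IP addresses only

    # Assumption: overlapping entries count once, so collapse before counting.
    # collapse_addresses() cannot mix IPv4 and IPv6, so handle each separately.
    unique = []
    for version in (4, 6):
        same = [n for n in networks if n.version == version]
        unique.extend(ipaddress.collapse_addresses(same))

    expanded = sum(n.num_addresses for n in unique)
    return {
        "networks": unique,
        "rejected": rejected,
        "expanded": expanded,
        "ok": not rejected and expanded <= limit,
    }


# Constructed sample entries (not from any real deployment).
SAMPLE = [
    "10.20.30.40",               # single headless host, covered by the /16 below
    "10.20.0.0/16",              # expands to 65,536 addresses
    "192.168.5.0/24",            # expands to 256 addresses
    "printer01.branch.example",  # hostname: rejected, IP addresses only
]

if __name__ == "__main__":
    result = check_trusted_sources(SAMPLE)
    print(result["expanded"], result["rejected"], result["ok"])
```
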