Proxy Mode on Remote Networks (Panorama)

1. Configure your explicit proxy deployment and onboard the explicit proxy locations you want to add.
2. Retrieve the anycast IP addresses you use for your explicit proxy/remote network deployment.

   For Remote Network—High Performance deployments, select any one of the retrieved anycast addresses. You cannot use multiple addresses in a single deployment.

   1. Select PanoramaCloud ServicesConfigurationMobile Users—Explicit Proxy.
   2. Select the gear icon to edit the Settings.
   3. Select Enable Proxy Mode.

   4. To leverage the private IP addresses of the systems in your branch locations that are forwarding traffic to explicit proxy, select Source IP based visibility and enforcement.

      This functionality has these requirements:

      • A minimum Prisma Access dataplane of 10.2.4
      • A Prisma Access (Managed by Panorama) deployment with a minimum Cloud Services plugin of 4.1

      • You must use only remote network locations supported with explicit proxy.

   5. Add a policy to allow traffic bound to anycast and unicast IP on remote networks. If you have enabled Source IP visibility and enforcement, use the Source IP field in Security policies in explicit proxy to secure the traffic. You need additional policies in the remote networks.
   6. (Optional) Under Authentication Settings, enter any IP addresses from which undecrypted HTTP or HTTP Cross-Origin Resource Sharing (CORS) traffic should be allowed to the Trusted Source Address Auth Bypass.

      Add the IP addresses to IP address-based Address Objects and Add the address objects in the field.

      Enter a maximum of 100,000 addresses. Make sure that the address object uses IP addresses only.
   7. (Optional) To bypass authentication of any trusted source addresses you entered, select Auth Bypass.

      You can use Auth Bypass with Source IP based visibility and enforcement to skip authentication of headless systems that can't authenticate, set up security policies, and get visibility of the traffic on Prisma Access explicit proxy.

      You can add either IP addresses or subnets. A maximum of 100,000 IP addresses are supported after expanding the subnets.

   8. Select PanoramaCloud ServicesConfigurationRemote Networks.
   9. Onboard your Remote Network Locations if you have not done so already.

      You must enable Prisma Access remote networks in the locations that are supported with explicit proxy.
   10. Select CommitCommit and Push.
   11. Edit Selections and, in the Prisma Access tab, make sure Prisma Access for networks is selected in the Push Scope, then click OK.
   12. Commit and Push your changes.

       You must perform a commit and push for your remote networks for Prisma Access to retrieve the IP addresses used in an explicit proxy/remote network deployment.
   13. Return to the explicit proxy Settings (PanoramaCloud ServicesConfigurationMobile Users—Explicit ProxySettingsAdvanced) and make a note of the ALLOCATED ADDRESSES that display in under Remote Networks Configuration.

3. (Optional) Find the unicast address you use for your explicit proxy/remote network deployment.

   Use the unicast IP address in the PAC file only if you want to target a specific remote network to forward traffic to explicit proxy. If you want to use all deployed remote networks to forward traffic to explicit proxy, use the anycast addresses.

   You cannot use unicast addresses with Remote Network—High Performance networks; however, you can use any one of the Anycast addresses.

   1. Select PanoramaCloud ServicesStatusNetwork DetailsRemote Networks.
   2. Make a note of the EBGP Router address.

      If you have IPv4 and IPv6 addresses, make a note of the IPv4 address.

      This address is also known as the loopback address. If you have made configuration changes that changed the EBGP router address, you can retrieve the loopback IP address using the Prisma Access legacy API.

4. Ensure that the CPE in your network is set up correctly for endpoints to forward traffic to explicit proxy via the anycast and unicast IP addresses.