Panorama

Configure your Explicit Proxy deployment and onboard the Explicit Proxy locations you want to add.
Retrieve the anycast IP addresses you use for your Explicit Proxy/Remote Network deployment.
Select

Panorama

Cloud Services

Configuration

Mobile Users—Explicit Proxy

.

Select the gear icon to edit the

Settings

.

Select

Enable Proxy Mode

.



To leverage the private IP addresses of the systems in your branch locations that are forwarding traffic to Explicit Proxy, select

Source IP based visibility and enforcement

.

This functionality has these requirements:

A minimum
Prisma Access
dataplane of 10.2.4
A
Prisma Access (Managed by Panorama)
deployment with a minimum Cloud Services plugin of 4.1

You must use only remote network locations supported with Explicit Proxy.



Add a policy to allow traffic bound to anycast and unicast IP on remote networks. If you have enabled

Source IP visibility and enforcement

, use the

Source IP

field in Security policies in Explicit Proxy to secure the traffic. You need additional policies in the remote networks.

(

Optional

) Under

Authentication Settings

, enter any IP addresses from which undecrypted HTTP or HTTP Cross-Origin Resource Sharing (CORS) traffic should be allowed to the

Trusted Source Address Auth Bypass

.

Add the IP addresses to IP address-based Address Objects and

Add

the address objects in the field.

Enter a maximum of 100,000 addresses. Make sure that the address object uses IP addresses only.

(

Optional

) To bypass authentication of any trusted source addresses you entered, select

Auth Bypass

.

You can use

Auth Bypass

with

Source IP based visibility and enforcement

to skip authentication of headless systems that can't authenticate, set up security policies, and get visibility of the traffic on Prisma Access Explicit Proxy.

You can add either IP addresses or subnets. A maximum of 100,000 IP addresses are supported after expanding the subnets.



Select

Panorama

Cloud Services

Configuration

Remote Networks

.

Onboard your Remote Network Locations if you have not done so already.

You must enable

Prisma Access

Remote Networks in the locations that are supported with Explicit Proxy.

Click

Commit

Commit and Push

.

Edit Selections

and, in the

Prisma Access

tab, make sure

Prisma Access

for networks

is selected in the

Push Scope

, then click

OK

.

Commit and Push

your changes.

You must perform a commit and push for your Remote Networks for

Prisma Access

to retrieve the IP addresses used in an Explicit Proxy/Remote Network deployment.

Return to the Explicit Proxy

Settings

(

Panorama

Cloud Services

Configuration

Mobile Users—Explicit Proxy

Settings

Advanced

) and make a note of the

ALLOCATED ADDRESSES

that display in under

Remote Networks Configuration

.


(
Optional
) Find the unicast address you use for your Explicit Proxy/Remote Network deployment.
Use the unicast IP address in the PAC file only if you want to target a specific Remote Network to forward traffic to Explicit Proxy. If you want to use all deployed Remote Networks to forward traffic to Explicit Proxy, use the anycast addresses.
Select

Panorama

Cloud Services

Status

Network Details

Remote Networks

.

Make a note of the

EBGP Router

address.

If you have IPv4 and IPv6 addresses, make a note of the IPv4 address.

This address is also known as the loopback address. If you have made configuration changes that changed the EBGP router address, you can retrieve the loopback IP address using the

Prisma Access

legacy API.


Ensure that the CPE in your network is set up correctly for endpoints to forward traffic to Explicit Proxy via the anycast and unicast IP addresses.