Prisma Access
Cloud Management
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Cloud Management
Cloud Management
Set up Explicit Proxy in a
Prisma Access (Managed by Strata Cloud Manager)
deployment. Set up an explicit proxy connection for mobile
users; with explicit proxy, a proxy auto-config (PAC) file on mobile
user devices redirects browser traffic to
Prisma Access
.Before
you begin, make sure you review the explicit proxy guidelines.
- Enable explicit proxy and allocate usersGo toto start setting up explicit proxy. When you enable explicit proxy, you’ll be prompted to specify the number of mobile users who will use this connection type.ManageService SetupMobile UsersIf you're usingStrata Cloud Manager, go toto start setting up explicit proxy.WorkflowsPrisma AccessSetupMobile Users
- Add the proxy settings which mobile users will use to connect toPrisma AccessGo to theInfrastructure Settings:
- Specify an Explicit Proxy URL.By default, the name isproxyname.proxy.prismaaccess.com, whereproxynameis the subdomain you specify, and uses port 8080. To use your company domain in the explicit proxy URL, add a CNAME record to your organization’s domain.You can use SAML or Kerberos authentication types to authenticate mobile users.
- (Optional) SelectEnable Agent Proxyto enable the agent-based proxy functionality.Use this feature to enablePrisma Access.
- Download the PAC file and customize it so that it meets your needs. Then, import it again here, and we’ll give you the URL for the location wherePrisma Accesshosts the PAC file.
- Choose thePrisma Accesslocation to which your mobile users will connectAdd thePrisma Accesslocations where you want to support mobile users.The map displays thePrisma Accesslocations.For the best user experience, if you are limiting the number of locations, choose locations that are closest to your users or in the same country as your users. If a location is not available in the country where your mobile users reside, choose a location that is closest to your users for the best performance.You should enable Explicit Proxy locations in at least two regions to ensure regional redundancy.
- Authenticate mobile usersSet upUser Authenticationso that only legitimate users have access to your services and applications.SAML and Kerberos are the supported authentication protocols.Prisma Accesssupports PingOne, Azure AD, and Okta as SAML authentication providers, but you should be able to use any vendor that supports SAML 2.0 as a SAML identity provider (IdP). Learn more on how to Enable Mobile Users to Authenticate to Prisma Access.
- Review the best practice security rules that are turned on by defaultPrisma Accessenforces best practice security policy rules by default. These rules allow your users to securely browse to general internet sites. Users are:
- Blocked from visiting known bad websites based on URL
- Blocked from uploading or downloading files that are known to be malicious
- Protected from unknown, never-before-seen threats
- Protected from viruses, spyware (command and control attacks), and vulnerabilities
After going through the initial setup, you can review and update these default rules to meet your enterprise needs. - Verify that the mobile users location is activeAfter you push your initial configuration toPrisma Access,Prisma Accessbegins provisioning your mobile user environment. This can take up to 15 minutes. When your mobile user locations are up and running, you’ll be able to verify them on the Mobile Users setup pages, the Overview, and within Insights.You can also validate your setup by selectingand edit Infrastructure Settings to confirm a gateway is set up in each of the locations you provisioned.ManageService SetupMobile Users
- Enable decryption for explicit proxy traffic
- Set the maximum supported TLS version to 1.2.
- SetStrip ALPN(Advanced SSL Forward Proxy settings) because explicit proxy does not support native HTTP/2, and you must remove the ALPN headers.
- Download the root CA and install it on your endpoint for SSL decryption.
- Edit the PAC file contentEdit a proxy auto-configuration (PAC) file for explicit proxy that meets your requirement. GlobalProtect app proxies traffic toPrisma Accessbased on forwarding rules and logic from the PAC file.Go to theForwarding Rules:
- Download the PAC file and customize it so that it meets your needs. Then, import it again here, and we’ll give you the URL for the location wherePrisma Accesshosts the PAC file.
- Edit the PAC file using thePAC File Editormode orForwarding rules mode.
- ThePAC File Editormode is selected by default. ClickOKto edit in the PAC file edit mode.
- SelectForwarding rules modeand clickOKto edit in the forwarding rules mode. Switching to forwarding rules mode discards the existing settings.
- Specify an ExplicitProxy URLwith port to be used in the PAC file.By default, the name isproxyname.proxy.prismaaccess.com, where proxyname is the subdomain you specify, and uses port8080.
- ConfigureExclusions in Public Networkwhen your Explicit Proxy mobile users connect to Prisma Access from a public network.
- ConfigureFQDN ExclusionsandIP Address Exclusions. The excluded FQDNs and IP addresses won't be forwarded fromPrisma Access.
- Enable Exclusions in Internal Networkto configure exclusions for specific IP addresses or FQDNs when the explicit proxy mobiles users connect toPrisma Accesson the internal network.
- Specify the below exclusions to have different traffic exclusions when the user is on the internal network.
- Enter theIP Addressof a host that can be resolved from the internal network only.
- Enter theFQDNthat resolves to the IP address you enter.
- Configure exclusions for specific FQDNs and IP addresses. The traffic to specified FQDNs and IP addresses won't be forwarded fromPrisma Access.
- Savethe changes.
- ConfigureAdvanced Security Settings.
- If you want to forward traffic to Explicit Proxy from your branches through a secure IPSec tunnel,Enable Proxy Modeand retrieve anycast IP addresses if you want to use Explicit Proxy in conjunction with a .This solution uses anycast addresses with a remote network IPSec tunnel to allow Explicit Proxy to be used for users and devices at a remote network site or branch location.
- Proxy Mode Deployments OnlyIf Proxy Mode is enabled on your remote networks, add a policy to allow traffic bound to anycast and unicast IP on remote networks. If you have enabledSource IP visibility and enforcement, use theSource IPfield in Security policies in Explicit Proxy to secure the traffic. You need additional policies in the remote networks.
- (Optional) If you enable you enable proxy mode, to leverage the private IP addresses of the systems in your branch locations that are forwarding traffic to Explicit Proxy, selectSource IP based visibility and enforcement.This functionality has these requirements:
- A minimumPrisma Accessdataplane of 10.2.4
- APrisma Access (Managed by Panorama)deployment with a minimum Cloud Services plugin of 4.1
- The source IP addresses only display for Remote Network locations that are supported with Explicit Proxy.
- SpecifyBlock Sources.Add any source IP address traffic that should be blocked to theBlock Source Addresslist.Specify an address, address group, or EDL.To exclude IP address list entries from enforcement,Add Exceptionand select the IP addresses to exclude from being blocked.
- SpecifyBlocked Domains.Specify the domains or domain categories for malicious websites, or for any websites that you do not want users to access.Prisma Accessprevents users from accessing the URLs and IP addresses you specify in this area when users initiate an HTTP GET (for unencrypted requests) or HTTP CONNECT (for encrypted requests). Users receive a block page when they attempt to access blocked websites.
- If you want to exempt any domains that are included in a blocked domain category list, specify them in theException List.Any domains that are entered are exempted from being blocked, even if they appear in a domain category that you have blocked.
- Explicit Proxy requires decryption to authenticate users. Enter theDomains used in the authentication flow.
- Enter any IP addresses from which undecrypted HTTPS or HTTP cross-origin resource sharing (CORS) traffic can be allowed to theTrusted Source Address.
- To bypass authentication of any trusted source addresses you entered, selectSkip authentication.You can useSkip authenticationwithSource IP based visibility and enforcementto Skip authentication of headless systems that can't authenticate, set up security policies, and get visibility of the traffic onPrisma AccessExplicit Proxy.You can add either IP addresses or subnets. A maximum of 100,000 IP addresses are supported after expanding the subnets.If you selectSkip authenticationto skip authentication for an address object, and then later want to enable authentication by deselectingSkip authenticationfor that address object, it can take up to 24 hours for the change to take effect after you make the change and Commit and Push your changes.
- If you have an Explicit Proxy deployment and have added a list of trusted source IP addresses, you canUse X-Authenticated-User (XAU) headers on incoming HTTP/HTTPS requests for identity. Use this functionality to allow users that are logged in from another proxy that use XAU headers for authentication.You must clickSavefor the XAU setting to take effect.