Prisma Access
Explicit Proxy and GlobalProtect: Set It Up
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Explicit Proxy and GlobalProtect: Set It Up
Where Can I Use
This? | What Do I Need? |
---|---|
|
|
For your mobile users to connect securely, you can combine an explicit proxy with
GlobalProtect or a third-party VPN.
- Explicit Proxy and GlobalProtect
- Use GlobalProtect in split tunnel mode to provide secure access to private apps only.
- Use explicit proxy to secure public apps, including internet traffic and external SaaS applications.
- Explicit Proxy and third-party VPN
- Use a VPN client for access to data center and private applications and to secure access to private apps.
- Use an explicit proxy and a PAC file to secure access to public apps.
Before you decide which applications or traffic you should protect with an explicit proxy
and with either GlobalProtect or a third-party VPN, you should understand how
GlobalProtect and
Prisma Access
make their forwarding decisions based on the explicit
proxy and VPN configuration.When a mobile user requests a private or internet-based resource or app, the request is
sent to the explicit proxy PAC file that is installed on the endpoint.
- Traffic that is specified in the PAC file as return "DIRECT"; bypasses explicit proxy processing. The DNS resolve (host) used with return "DIRECT"; allows specified IP pass explicit proxy processing.
- Traffic that is specified in the PAC file as return "PROXY sitename:8080"; is forwarded to an explicit proxy.
After the traffic is processed, it's then sent to GlobalProtect, direct to the internet,
or to explicit proxy, based on the PAC file and VPN processing.
The PAC file has the configuration to allow "internal-app.corp.com" to bypass explicit
proxy. When the mobile user requests "internal-app.corp.com" from their browser, the
browser evaluates the conditions in the PAC file. GlobalProtect notes that
"internal-app.corp.com" is listed in the Include Domain and sends it through the VPN
tunnel. GlobalProtect sends the request to the resource in "internal-app.corp.com" based
on the configuration options in GlobalProtect.
Cloud Management
Cloud Management
To implement GlobalProtect—Mobile Users with
Explicit Proxy, complete the following steps.
These configuration
steps make the following assumptions about your network environment;
if your network environment is different, the configuration might
be different:
- Mobile users are able to reach and resolve the GlobalProtect portal hostname, gateway FQDNs, Explicit Proxy URL, and PAC File URL.Here’s where to find this information:
- GlobalProtect Gateway FQDNsandPortal Hostname➡ Go toManageService SetupGlobalProtectInfrastructure SettingsIf you're using Strata Cloud Manager, go toand editWorkflowsPrisma AccessSetupGlobalProtectInfrastructureInfrastructure Settings.
- Explicit Proxy URLandPAC File URL➡ Go toManageService SetupExplicit ProxyInfrastructure SettingsIf you're using Strata Cloud Manager, go toand editWorkflowsPrisma AccessSetupExplicit ProxyInfrastructureInfrastructure Settings.
- Mobile Users are able to resolve internal domains from GlobalProtect.
- Decide which applications you want to send to GlobalProtect and which applications you want to send to Explicit Proxy.The following steps direct private applications hosted at your data center to GlobalProtect and requests to internet and public SaaS applications to Explicit Proxy.
- Edit GlobalProtect portal settings.Go toGlobalProtectApp SettingsApp ConfigurationAdvanced Settings
- InProxysettings:
- CheckDetect Proxy for Each Connection
- ClearSet Up Tunnel Over Proxy (Windows & Mac Only)
- InAuthenticationsettings:
- CheckUse Default Browser for SAML Authentication
- Create a split tunnel in GlobalProtect that allows you to direct the internal traffic to GlobalProtect.Go to. Configure a split tunnel based on domain (FQDN), access routes, or applications.GlobalProtectTunnel SettingsSplit Tunneling
- Configure the PAC file to exclude the domains you specified for the GlobalProtect split tunnel.To download the PAC file so you can edit it, go toManageService SetupExplicit ProxyInfrastructure SettingsProxy Auto Configuration.If you're using Strata Cloud Manager, go to.WorkflowsPrisma AccessSetupExplicit ProxyInfrastructureInfrastructure SettingsProxy Auto Configuration.The following example shows a PAC file with the URL that hosts private apps (internal-app.corp.com) bypassing the internal proxy. The parameters in the following PAC file are all example values:
- The portal hostname issplittunnel.gpcloudservice.com.
- The mobile user gateways are contained in the wildcard FQDN*examplegateways.gw.gpcloudservice.com.
- The PAC File URL ishttps://pacfileurl.pac.
- internal-app.corp.comis hosting the private apps that are being protected by Mobile Users—GlobalProtect.
- Okta is being used for SAML authentication.
- The Explicit Proxy URL isexample.proxy.prismaacess.com.
function FindProxyForURL(url, host) { /* Bypass FTP */ if (url.substring(0,4) == "ftp:") return "DIRECT"; /* Bypass thePrisma AccessPortal Hostname */ if (shExpMatch(host, "*.splittunnel.gpcloudservice.com")) return "DIRECT"; /* Bypass thePrisma AccessGateway */ if (shExpMatch(host, "*examplegateways.gw.gpcloudservice.com")) return "DIRECT"; /* Bypass thePrisma AccessPAC File URL */ if (shExpMatch(host, "https://pacfileurl.pac")) return "DIRECT"; /* Bypass the URLs Being Sent to the GlobalProtect Portal */ if (shExpMatch(host, "*.internal-app.corp.com")) return "DIRECT"; /* Bypass ACS */ if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT"; /* Forward toPrisma Access*/ return "PROXY example.proxy.prismaaccess.com:8080"; }
Panorama
Panorama
Use this task to use
Prisma Access
Explicit Proxy with
GlobalProtect .To implement GlobalProtect—Mobile Users with
Explicit Proxy, complete the following steps.
These configuration
steps make the following assumptions about your network environment;
if your network environment is different, the configuration might
be different:
- Mobile users are able to reach and resolve the GlobalProtect portal hostname, gateway FQDNs, Explicit Proxy URL, and PAC File URL.
- To find the gateway FQDNs, select.PanoramaCloud ServicesStatusNetwork DetailsMobile Users—GlobalProtectGateways
- To find thePAC File URL, select.PanoramaCloud ServicesConfigurationMobile Users—Explicit ProxyPAC File URL
- Mobile Users are able to resolve internal domains from GlobalProtect.
- Plan your Mobile Users—Explicit Proxy deployment and your GlobalProtect deployment (either your Mobile Users—GlobalProtect or standalone GlobalProtect deployment).
- Decide which applications you want to send to GlobalProtect and which applications you want to send to Explicit Proxy.The following steps direct private applications hosted at your data center to GlobalProtect and requests to internet and public SaaS applications to Explicit Proxy.
- In the Panorama that managesPrisma Access, configure GlobalProtect portal settings.
- Select.NetworkGlobalProtectPortalsBe sure that you are in theMobile_User_Templatefrom theTemplatedrop-down.
- SelectGlobalProtect_Portalto edit thePrisma Accessportal configuration.
- Select theAgenttab and select theDEFAULTconfiguration orAdda new one.
- Select theApptab.
- Make the following app configuration changes:
- InDetect Proxy for Each Connection, selectYes.
- InSet Up Tunnel Over Proxy (Windows & Mac Only), selectNo.
- InUse Default Browser for SAML Authentication, selectYes.
- Create a split tunnel in GlobalProtect that allows you to direct the internal traffic to GlobalProtect.The following example uses a split tunnel to direct traffic based on domain (FQDN); you could also configure a split tunnel based on the access route of traffic.
- While you are still in the GlobalProtect Agent configuration (), selectNetworkGlobalProtectGatewaysGlobalProtect External Gateway.AgentClient Settings
- Select theDEFAULTconfiguration orAdda new one.
- Select.Split TunnelDomain and Application
- AddtheInclude Domainand, optionally, thePortsto use with the domain.This example uses internal-app.corp.com as the URL you use to host apps in your data center. You add this URL and the SAML authentication URL in theExclude Domain.
- ClickOKto save your changes.
- Commit and Pushyour changes.
- Configure the PAC file to exclude the domains you entered for split tunnel.The following example shows a PAC file with the URL that hosts private apps (internal-app.corp.com) bypassing the internal proxy. The parameters in the following PAC file are all example values:
- The portal hostname issplittunnel.gpcloudservice.com.
- The mobile user gateways () are contained in the wildcard FQDNPanoramaCloud ServicesStatusNetwork DetailsMobile Users—GlobalProtectGateways*examplegateways.gw.gpcloudservice.com.
- ThePAC File URL() isPanoramaCloud ServicesConfigurationMobile Users—Explicit ProxyPAC File URLhttps://pacfileurl.pac.
- internal-app.corp.comis hosting the private apps that are being protected by Mobile Users—GlobalProtect.
- Okta is being used for SAML authentication.
- The Explict Proxy URL isexample.proxy.prismaacess.com.
function FindProxyForURL(url, host) { /* Bypass FTP */ if (url.substring(0,4) == "ftp:") return "DIRECT"; /* Bypass thePrisma AccessPortal Hostname */ if (shExpMatch(host, "*.splittunnel.gpcloudservice.com")) return "DIRECT"; /* Bypass thePrisma AccessGateway */ if (shExpMatch(host, "*examplegateways.gw.gpcloudservice.com")) return "DIRECT"; /* Bypass thePrisma AccessPAC File URL */ if (shExpMatch(host, "https://pacfileurl.pac")) return "DIRECT"; /* Bypass the URLs Being Sent to the GlobalProtect Portal */ if (shExpMatch(host, "*.internal-app.corp.com")) return "DIRECT"; /* Bypass ACS */ if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT"; /* Forward toPrisma Access*/ return "PROXY example.proxy.prismaaccess.com:8080"; }