Prisma Access
Cloud Management
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Cloud Management
Cloud Management
To implement GlobalProtect—Mobile Users with
Explicit Proxy, complete the following steps.
These configuration
steps make the following assumptions about your network environment;
if your network environment is different, the configuration might
be different:
- Mobile users are able to reach and resolve the GlobalProtect portal hostname, gateway FQDNs, Explicit Proxy URL, and PAC File URL.Here’s where to find this information:
- GlobalProtect Gateway FQDNsandPortal Hostname➡ Go toManageService SetupGlobalProtectInfrastructure SettingsIf you're using Strata Cloud Manager, go toand editWorkflowsPrisma AccessSetupGlobalProtectInfrastructureInfrastructure Settings.
- Explicit Proxy URLandPAC File URL➡ Go toManageService SetupExplicit ProxyInfrastructure SettingsIf you're using Strata Cloud Manager, go toand editWorkflowsPrisma AccessSetupExplicit ProxyInfrastructureInfrastructure Settings.
- Mobile Users are able to resolve internal domains from GlobalProtect.
- Decide which applications you want to send to GlobalProtect and which applications you want to send to Explicit Proxy.The following steps direct private applications hosted at your data center to GlobalProtect and requests to internet and public SaaS applications to Explicit Proxy.
- Edit GlobalProtect portal settings.Go toGlobalProtectApp SettingsApp ConfigurationAdvanced Settings
- InProxysettings:
- CheckDetect Proxy for Each Connection
- ClearSet Up Tunnel Over Proxy (Windows & Mac Only)
- InAuthenticationsettings:
- CheckUse Default Browser for SAML Authentication
- Create a split tunnel in GlobalProtect that allows you to direct the internal traffic to GlobalProtect.Go to. Configure a split tunnel based on domain (FQDN), access routes, or applications.GlobalProtectTunnel SettingsSplit Tunneling
- Configure the PAC file to exclude the domains you specified for the GlobalProtect split tunnel.To download the PAC file so you can edit it, go toManageService SetupExplicit ProxyInfrastructure SettingsProxy Auto Configuration.If you're using Strata Cloud Manager, go to.WorkflowsPrisma AccessSetupExplicit ProxyInfrastructureInfrastructure SettingsProxy Auto Configuration.The following example shows a PAC file with the URL that hosts private apps (internal-app.corp.com) bypassing the internal proxy. The parameters in the following PAC file are all example values:
- The portal hostname issplittunnel.gpcloudservice.com.
- The mobile user gateways are contained in the wildcard FQDN*examplegateways.gw.gpcloudservice.com.
- The PAC File URL ishttps://pacfileurl.pac.
- internal-app.corp.comis hosting the private apps that are being protected by Mobile Users—GlobalProtect.
- Okta is being used for SAML authentication.
- The Explicit Proxy URL isexample.proxy.prismaacess.com.
function FindProxyForURL(url, host) { /* Bypass FTP */ if (url.substring(0,4) == "ftp:") return "DIRECT"; /* Bypass thePrisma AccessPortal Hostname */ if (shExpMatch(host, "*.splittunnel.gpcloudservice.com")) return "DIRECT"; /* Bypass thePrisma AccessGateway */ if (shExpMatch(host, "*examplegateways.gw.gpcloudservice.com")) return "DIRECT"; /* Bypass thePrisma AccessPAC File URL */ if (shExpMatch(host, "https://pacfileurl.pac")) return "DIRECT"; /* Bypass the URLs Being Sent to the GlobalProtect Portal */ if (shExpMatch(host, "*.internal-app.corp.com")) return "DIRECT"; /* Bypass ACS */ if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT"; /* Forward toPrisma Access*/ return "PROXY example.proxy.prismaaccess.com:8080"; }