Public Web Application Access for Secure Agentless Access

You can enable secure, isolated access to public web applications (SaaS apps) for unmanaged users, protecting enterprise data through browser-based isolation without requiring endpoint agents.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)

What Do I Need?
  • Minimum Prisma Access version: 6.1 Preferred
  • Minimum PAN-OS dataplane version: 11.2.7
  • Prisma Access license with a Mobile User subscription
  • Remote Browser Isolation (RBI) license for data controls for SaaS applications
  • Cloud Identity Engine (CIE) for user authentication
  • Network Administrator or Superuser role

Organizations increasingly rely on SaaS applications such as Salesforce, Microsoft 365, and other cloud-hosted services for day-to-day operations. When employees, contractors, and partners access these applications from unmanaged devices, sensitive corporate data is exposed to risks including data exfiltration, malware injection, and session hijacking. Traditional security approaches that require endpoint agents or VPN clients are not viable for these unmanaged users, who may lack administrative rights on their devices or be subject to policies that prohibit installing additional software.
Public Web Application Access with Remote Browser Isolation addresses this challenge by rendering SaaS application content in a secure, cloud-hosted browser environment rather than directly on the user's device. This approach ensures that corporate data never reaches the endpoint while still providing users with a seamless browsing experience. The user interacts with a visual stream of the application, and all data processing occurs within the isolated environment managed by Palo Alto Networks.
Unlike private web applications that reside within an organization's data center, public web applications are hosted by third-party SaaS providers on the public internet. Secure Agentless Access with Remote Browser Isolation extends the existing SAA architecture to provide isolated access to these SaaS applications, preventing data leakage through clipboard restrictions, download controls, and session isolation—all without requiring any software installation on the user's device.

How It Works

When an unmanaged user accesses a public web application through the Secure Agentless Access portal, the following occurs:
  1. The user authenticates through Cloud Identity Engine and accesses the SAA portal.
  2. The user selects a public web application (for example, Salesforce) from the portal.
  3. Secure Agentless Access routes the request through the Mobile User (MU) gateway, which evaluates the security policy.
  4. The MU gateway determines that the traffic must be isolated based on the URL Access Management configuration.
  5. The session is redirected to Remote Browser Isolation, which renders the application in a secure cloud environment.
  6. The user interacts with the application through the isolated session. All in-tab navigation remains within the isolated environment.

Key Capabilities

  • Mandatory isolation—App isolation is enabled by default for public web applications and cannot be disabled. All SaaS application traffic from unmanaged users is rendered through Remote Browser Isolation.
  • Managed certificate lifecycle—Palo Alto Networks can generate and maintain Let's Encrypt certificates for the access domain, eliminating certificate management overhead for administrators.
  • Seamless user experience—Users access SaaS applications through a familiar browser interface with an isolation banner indicating the secure session. In-tab navigation remains fully functional within the isolated environment.
  • No endpoint software required—Users access applications through a standard web browser without installing agents, VPN clients, or browser extensions.
  • Granular URL-based isolation—You define which application domains are isolated through custom URL categories and URL Access Management profiles, providing precise control over which SaaS applications receive isolation treatment.
  • Session management—Idle timeout (30 minutes) and authentication token expiration (3 hours) protect against unauthorized access from unattended sessions.
  • Targeted Isolation for Unmanaged Users: You can enable browser isolation exclusively for unmanaged users while allowing managed users (for example, users with GlobalProtect or the Prisma Access Agent) to access the same SaaS applications directly. This provides secure access for unmanaged users without impacting the seamless user experience or performance for managed users.
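
One way to check exported access records against the behaviour described above: unmanaged users reach isolated-category domains only through Remote Browser Isolation, while managed users may go direct. This is an added example, not Palo Alto Networks code; the log columns, the sample records, the `ISOLATED_DOMAINS` set and the host-or-subdomain matching rule are assumptions for illustration and do not represent the Prisma Access log schema or URL category syntax.

```python
import csv
import io
from urllib.parse import urlsplit

# Assumption: domains placed in the custom URL category selected for isolation.
ISOLATED_DOMAINS = {"salesforce.com"}

# Constructed sample records; column names are hypothetical, not a product schema.
SAMPLE_LOG = """\
time,user,device,url,path
2025-01-10T09:00:00Z,alice,unmanaged,https://acme.my.salesforce.com/home,isolated
2025-01-10T09:02:00Z,bob,managed,https://acme.my.salesforce.com/home,direct
2025-01-10T09:05:00Z,carol,unmanaged,https://login.salesforce.com/,direct
2025-01-10T09:07:00Z,dave,unmanaged,https://salesforce.com.example.test/,direct
2025-01-10T09:09:00Z,erin,unmanaged,https://SALESFORCE.com./reports,direct
"""


def in_isolated_category(url, domains=ISOLATED_DOMAINS):
    """True if the URL's host is a listed domain or a subdomain of one.

    The host is lower-cased and a trailing dot is dropped, and matching is
    done on label boundaries so lookalike hosts such as
    salesforce.com.example.test or notsalesforce.com do not match.
    """
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def audit(log_text, domains=ISOLATED_DOMAINS):
    """Return (time, user, url) for each unmanaged-device record that reached
    an isolated-category domain without passing through isolation."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if (row["device"] == "unmanaged"
                and in_isolated_category(row["url"], domains)
                and row["path"] != "isolated"):
            findings.append((row["time"], row["user"], row["url"]))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("NOT ISOLATED:", *finding)
```

Managed-device records are not flagged in either direction, because the page describes direct access for managed users as an option rather than a requirement.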