Planning Checklist—Explicit Proxy
Table of Contents
Planning Checklist—Explicit Proxy
Describes the software and network requirements you need
to successfully deploy Prisma Access Explicit Proxy.
Before you secure mobile users with an Explicit Proxy,
make sure that you are aware of the software and network requirements
described in this section.
Licensing Guidelines—Be sure to follow the licensing guidelines
and requirements before configuring Explicit Proxy.
Onboarding Guidelines—Use the following guidelines when
you license and onboard your Explicit Proxy deployment:
- Explicit Proxy supports a subset of Prisma Access locations.If you have a Local or Evaluation license for Prisma Access for Users and you have a Mobile Users—GlobalProtect deployment as well as a Mobile Users—Explicit Proxy deployment, you can deploy a maximum of five locations for each (five locations maximum for Mobile Users—GlobalProtect and five locations maximum for Mobile Users—Explicit Proxy). If you have a Worldwide license, there are no restrictions for the maximum number of locations.
- Explicit Proxy supports multitenancy under the following conditions: if you have an existing Prisma Access non-multitenant deployment and convert it to a multitenant deployment, only the first tenant (the tenant you migrated) supports Explicit Proxy. Any subsequent tenants you create for the multitenant deployment after the first do not support Explicit Proxy.In addition, group-based security policies will not work in a multitenant deployment. Explicit Proxy uses the Directory Sync component of the Cloud Identity Engine to perform group mapping, and multitenancy does not support the Cloud Identity Engine.
- When onboarding an Explicit Proxy deployment, Palo Alto Networks recommends that all the configuration be performed in a single browser. You can, however, add security policies from multiple browsers or browser sessions.
Network Guidelines and Requirements—When configuring Explicit
Proxy, make sure that you are aware of the following network guidelines
and have made the following configuration changes in your network
and security environment:
- You must configure an SSL decryption policy for all Explicit Proxy traffic.Decryption is required for Prisma Access to read the authentication state cookie set up by Prisma Access on the mobile user’s browser. Failing to enforce decryption enables the abuse of Explicit Proxy as an open proxy that can be widely misused as a forwarding service for conducting denial of service attacks.To prevent users from accessing undecrypted sites, be sure to leave the Decrypt traffic that matches existing decryption rules; for undecrypted traffic, allow traffic only from known IPs registered by authenticated users check box selected when you configure Explicit Proxy.
- Explicit Proxy does not support HTTP/2 natively. HTTP/2 protocol requests will be downgraded to HTTP/1.1. Explicit Proxy strips out application-layer protocol negotiation (ALPN) headers from uploaded files, regardless of your configuration.
- The maximum supported TLS version is 1.3. When creating a decryption profile, specify a Max Version of TLS v1.3.
- If mobile users are connecting from remote sites or headquarters/data center locations using an Explicit Proxy, the mobile user endpoint must be able reach and route to the IdP, ACS FQDN, Explicit Proxy URL, and URL of the PAC file hosted by Prisma Access. To find the ACS FQDN and the Explicit Proxy URL, select .
Panorama and Content Version Requirements—Make sure that
your deployment has the following minimum Panorama and Antivirus Content
version requirements:
- Explicit Proxy requires a minimum Panorama version of 10.0.5.
- Explicit Proxy requires a minimum antivirus Content Version of 3590 to be installed on the Panorama to support the predefined security policies. Install the required Content Version before committing the Mobile Users—Explicit Proxy configuration.
Palo Alto Networks Subscription Support—Explicit Proxy
includes Threat Prevention, URL Filtering, WildFire, DNS Security,
and DLP subscriptions. The DNS Security subscription is also included
and includes support for the Command and Control Domains and Malware
Domains DNS Security signature categories.
Mobile User App Support and Browser Guidelines—Explicit
Proxy supports the following apps and has the following browser
guidelines and requirements:
- Explicit Proxy secures internet and SaaS applications accessed over the mobile users’ browser using HTTP and HTTPS traffic only. Non-web ports and protocols are not supported.
- Explicit Proxy does not support the full client-based version of Microsoft 365 (Office 365), which uses non-web ports. However, it is designed to support web-based M365, including Office Online (office.com).
- Explicit Proxy does not provide access to private applications.
- Mobile users will be unidentified in the traffic logs for sites that are not decrypted, with some exceptions. See How Explicit Proxy Identifies Users for more information.
- Make a note of the following browser requirements and usage guidelines:
- If you use Explicit Proxy, do not disable cookies in your browser; if you do, you cannot browse any web pages.
- If you are using Explicit Proxy with Microsoft Edge, be sure that is set to Basic.
- If you use Safari with Explicit Proxy, you might experience issues when accessing websites. Instead of Safari, use Microsoft Edge, Firefox, Chrome, or Internet Explorer as your browser.
- When using Firefox with an Explicit Proxy, go to about:config and set security.csp.enable to false. In addition, some add-ons, such as ones that perform ad blocking or tracking protection, might interfere with tracking protection.
- To support desktop applications, or applications that do not send HTTP traffic, you can configure GlobalProtect in split tunnel mode and use GlobalProtect in conjunction with Explicit Proxy.
- If you visit a website for the first time, are prompted to enter Explicit Proxy credentials, then refresh the browser, you might receive an error. If this condition occurs, re-visit the website without refreshing and retry the authentication operation.
PAC File Requirements and Guidelines—Explicit Proxy has
certain requirements for its PAC files; see Set Up Your Explicit Proxy PAC File for details.
Proxy Chaining Guidelines—If you use proxy chaining from
a third-party proxy to Explicit Proxy, specify the Explicit
Proxy URL () in the third-party proxy to forward
traffic to Explicit Proxy.
Authentication and Group Mapping Guidelines—SAML is the
only supported authentication protocol. Prisma Access supports PingOne,
Azure AD, and Okta as SAML authentication providers, but you should
be able to use any vendor that supports SAML 2.0 as a SAML identity provider
(IdP). For more details about configuring SAML authentication with
Prisma Access, including examples for Azure AD, Okta, and Active
Directory Federation Services (ADFS) 4.0, see Authenticate Mobile Users in
the Prisma Access Integration Guide
(Panorama Managed).
In addition, you must use the Cloud Identity Engine to
retrieve user and group mapping information.
Private or Data Center Access Support—Explicit Proxy does
not support flows to Private or Data Center access for internal
applications. It is internet-outbound only.
Port Listening Guidelines—Explicit Proxy only listens
on port 8080.
On-Premises Support—Explicit Proxy is a cloud-based proxy
solution, and is not offered as an on-premises product.