Focus

Monitor and Troubleshoot Explicit Proxy

Table of Contents

Use Special Objects to Restrict Explicit Proxy Internet Traffic to Source IP Addresses

Monitor and Log Out GlobalProtect Users in Prisma Access

Monitor and troubleshoot your Prisma Access Explicit Proxy deployment.

After you have configured Explicit Proxy for mobile users, monitor the status and troubleshoot any issues by checking the status of your Prisma Access Explicit Proxy deployment.

Select PanoramaCloud ServicesStatusStatus to see Explicit Proxy status.

The mobile users Status and Config Status fields indicate whether the connection between Prisma Access and your mobile users is OK, unable to fetch the status on the tunnel (Warning), or that the mobile users cannot connect to Explicit Proxy (Error).
Click the hyperlink next to Current Users and Users (Last 90 days) to get more information about mobile users.
- Current Users—The current number of authenticated users who have browsed traffic in the last five minutes.
- Users (Last 90 days)—The number of unique authenticated Explicit Proxy users for the last 90 days.
Select PanoramaCloud ServicesStatusMonitorMobile Users—Explicit Proxy to display a map showing the deployed Explicit Proxy locations.
Select PanoramaCloud ServicesStatusNetwork DetailsMobile Users—Explicit Proxy to view the following details:
- Explicit Proxy URL—The URL used for Explicit Proxy.
- ACS FQDN—The FQDN of the ACS.
- SAML Meta Data—The authentication profile metadata used by SAML. You can Export SAML Metadata to save the metadata file.
To troubleshoot authentication-related issues, check the traffic logs (MonitorLogsTraffic) and authentication logs (MonitorLogsAuthentication). Explicit Proxy displays the following IP addresses and locations in the logs:
- IP Addresses—If mobile users bypass the ACS FQDN in the PAC file, the IP address displayed in the Source column in the Traffic logs and the Traffic logs and the IP Address column in the Authentication logs, when viewed under the Explicit_Proxy_Device_Group, will be same as the mobile user’s IP address. If users do not bypass the ACS FQDN in the PAC file, the source IP address is the public IP address of the Explicit Proxy cloud firewall where redirects are going to ACS.
- Locations—If mobile users bypass the ACS FQDN in the PAC file, the Region Name displayed in the Region Column in Authentication Logs, Current Users, and Users (Last 90 days) is one of the five 5 regions (us-west-2, us-east-1, eu-west-2, eu-west-3, ap-south-1) where the ACS is deployed, and shows the region where Explicit Proxy is performing the redirects from the client’s browser. If users do not bypass the ACS FQDN in the PAC file, the Region Name displayed in the Region Column in Authentication Logs, Current Users, and Users (Last 90 days) is one of the five 5 regions (us-west-2, us-east-1, eu-west-2, eu-west-3, ap-south-1) where the ACS is deployed, and shows the region where Explicit Proxy is performing the redirects from the Explicit Proxy firewall.