Secure Mobile Users with an Explicit Proxy
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
5.2 Preferred and Innovation
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
-
- Allocate Licenses for Prisma Access (Managed by Strata Cloud Manager)
- Plan Service Connections for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Add Additional Locations for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Enable Available Add-ons for Prisma Access (Managed by Strata Cloud Manager)
- Enable Dynamic Privilege Access for Prisma Access (Managed by Strata Cloud Manager)
- Search for Subscription Details
- Share a License for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Increase Subscription Allocation Quantity
-
- Activate a License for Prisma Access (Managed by Strata Cloud Manager) and Prisma SD-WAN Bundle
-
- Onboard Prisma Access
-
3.2 Preferred and Innovation
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
- Prisma Access China
-
- Prisma Access
- Prisma Access Infrastructure Management
- Cadence for Software and Content Updates for Prisma Access
- Use the Prisma Access App to Get Upgrade Alerts and Updates
- View Prisma Access Software Versions
-
- Determine Your Prisma Access License Type from Panorama
- Cheat Sheet: Integrate ADEM with Panorama Managed Prisma Access
- Cheat Sheet: Integrate IoT Security with Panorama Managed Prisma Access
- Cheat Sheet: Enterprise DLP on Panorama Managed Prisma Access
- Visibility and Monitoring Features in the Prisma Access App
- Monitor Your Prisma Access Data Transfer Usage
- Zone Mapping
- Prisma Access APIs
- Prisma Access Deployment Progress and Status
- Troubleshoot the Prisma Access Deployment
-
- Prisma Access Mobile User Deployments
- How the GlobalProtect App Selects a Prisma Access Location for Mobile Users
- Integrate Prisma Access with On-Premises Gateways
-
- Set Equal Gateway Priorities for On-Premises and Prisma Access Gateways
- Set a Higher Gateway Priority for an On-Premises Gateway
- Set Higher Priorities for Multiple On-Premises Gateways
- Configure Priorities for Prisma Access and On-Premises Gateways
- Allow Mobile Users to Manually Select Specific Prisma Access Gateways
- Report Prisma Access Website Access Issues
-
- Multitenancy Overview
- Multitenancy Configuration Overview
- Plan Your Multitenant Deployment
- Create an All-New Multitenant Deployment
- Enable Multitenancy and Migrate the First Tenant
- Add Tenants to Prisma Access
- Delete a Tenant
- Create a Tenant-Level Administrative User
- Sort Logs by Device Group ID in a Multitenant Deployment
-
-
-
- Default Routes With Prisma Access Traffic Steering
- Traffic Steering in Prisma Access
- Traffic Steering Requirements
- Default Routes with Traffic Steering Example
- Default Routes with Traffic Steering Direct to Internet Example
- Default Routes with Traffic Steering and Dedicated Service Connection Example
- Prisma Access Traffic Steering Rule Guidelines
- Configure Zone Mapping and Security Policies for Traffic Steering Dedicated Connections
- Configure Traffic Steering in Prisma Access
-
-
- Integrate Prisma Access With Other Palo Alto Networks Apps
- Integrate Third-Party Enterprise Browser with Explicit Proxy
-
-
- Connect your Mobile Users in Mainland China to Prisma Access Overview
- Configure Prisma Access for Mobile Users in China
- Configure Real-Name Registration and Create the VPCs in Alibaba Cloud
- Attach the CEN and Specify the Bandwidth
- Create Linux Instances in the Alibaba Cloud VPCs
- Configure the Router Instances
- Onboard the GlobalProtect Gateway and Configure the Prisma Access Portal
-
-
-
- INC_CIE_AGENT_DISCONNECT
- INC_CIE_DIRECTORY_DISCONNECT
- INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_GLOBALPROTECT_PORTAL_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_GLOBALPROTECT_PORTAL_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_PORTAL_CLIENTLESS_VPN_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_PORTAL_CLIENTLESS_VPN_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_MU_AUTH_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_MU_AUTH_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_MU_DNS_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_MU_DNS_SERVER_UNREACHABLE_ PER_PA_LOCATION
- INC_RN_AUTH_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_RN_AUTH_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_RN_DNS_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_RN_DNS_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_RN_ECMP_TUNNEL_RTT_EXCEEDED_ BASELINE
- INC_RN_PRIMARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_RN_SECONDARY_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_RN_SITE_CAPACITY_PREDICTION
- INC_SC_PRIMARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_SC_SECONDARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_SC_SITE_CAPACITY_PREDICTION
-
- INC_CERTIFICATE_EXPIRY
- INC_GP_CLIENT_VERSION_UNSUPPORTED
- INC_MU_IP_POOL_BLOCK_UTILIZATION_ EXCEEDED_CAPACITY
- INC_MU_IP_POOL_BLOCK_UTILIZATION_ EXCEEDED_THRESHOLD
- INC_PA_INFRA_DEGRADATION
- INC_PA_SERVICE_DEGRADATION_PA_LOCATION
- INC_PA_SERVICE_DEGRADATION_RN_ SITE_CONNECTIVITY
- INC_PA_SERVICE_DEGRADATION_SC_ CONNECTIVITY
- INC_RN_ECMP_BGP_DOWN
- INC_RN_ECMP_BGP_FLAP
- INC_RN_ECMP_PROXY_TUNNEL_DOWN
- INC_RN_ECMP_PROXY_TUNNEL_FLAP
- INC_RN_ECMP_TUNNEL_DOWN
- INC_RN_ECMP_TUNNEL_FLAP
- INC_RN_PRIMARY_WAN_BGP_FLAP
- INC_RN_PRIMARY_WAN_PROXY_TUNNEL_DOWN
- INC_RN_PRIMARY_WAN_PROXY_TUNNEL_FLAP
- INC_RN_PRIMARY_WAN_TUNNEL_DOWN
- INC_RN_PRIMARY_WAN_TUNNEL_FLAP
- INC_RN_SECONDARY_WAN_BGP_DOWN
- INC_RN_SECONDARY_WAN_BGP_FLAP
- INC_RN_SECONDARY_WAN_PROXY_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_PROXY_TUNNEL_FLAP
- INC_RN_SECONDARY_WAN_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_TUNNEL_FLAP
- INC_RN_SITE_DOWN
- INC_RN_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- INC_RN_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_RN_SPN_LONG_DURATION_CAPACITY_EXCEEDED _THRESHOLD
- INC_RN_SPN_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_SC_PRIMARY_WAN_BGP_DOWN
- INC_SC_PRIMARY_WAN_BGP_FLAP
- INC_SC_PRIMARY_WAN_PROXY_TUNNEL_DOWN
- INC_SC_PRIMARY_WAN_PROXY_TUNNEL_FLAP
- INC_SC_PRIMARY_WAN_TUNNEL_DOWN
- INC_SC_PRIMARY_WAN_TUNNEL_FLAP
- INC_SC_SECONDARY_WAN_BGP_DOWN
- INC_SC_SECONDARY_WAN_BGP_FLAP
- INC_SC_SECONDARY_WAN_PROXY_TUNNEL_DOWN
- INC_SC_SECONDARY_WAN_PROXY_TUNNEL_FLAP
- INC_SC_SECONDARY_WAN_TUNNEL_DOWN
- INC_SC_SECONDARY_WAN_TUNNEL_FLAP
- INC_SC_SITE_DOWN
- INC_SC_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- INC_SC_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_ZTNA_CONNECTOR_APP_STATUS_DOWN
- INC_ZTNA_CONNECTOR_APP_STATUS_DOWN_PARTIAL
- INC_ZTNA_CONNECTOR_CPU_HIGH
- INC_ZTNA_CONNECTOR_MEMORY_HIGH
- INC_ZTNA_CONNECTOR_TUNNEL_DOWN
-
- AL_CIE_AGENT_DISCONNECT
- AL_CIE_DIRECTORY_DISCONNECT
- AL_MU_IP_POOL_CAPACITY
- AL_MU_IP_POOL_USAGE
- AL_RN_ECMP_BGP_DOWN
- AL_RN_ECMP_BGP_FLAP
- AL_RN_PRIMARY_WAN_BGP_DOWN
- AL_RN_PRIMARY_WAN_BGP_FLAP
- AL_RN_PRIMARY_WAN_TUNNEL_DOWN
- AL_RN_PRIMARY_WAN_TUNNEL_FLAP
- AL_RN_SECONDARY_WAN_BGP_DOWN
- AL_RN_SECONDARY_WAN_BGP_FLAP
- AL_RN_SECONDARY_WAN_TUNNEL_DOWN
- AL_RN_SECONDARY_WAN_TUNNEL_FLAP
- AL_RN_SITE_DOWN
- AL_RN_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_RN_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- AL_RN_SPN_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_SC_PRIMARY_WAN_BGP_DOWN
- AL_SC_PRIMARY_WAN_BGP_FLAP
- AL_SC_PRIMARY_WAN_TUNNEL_DOWN
- AL_SC_PRIMARY_WAN_TUNNEL_FLAP
- AL_SC_SECONDARY_WAN_BGP_DOWN
- AL_SC_SECONDARY_WAN_BGP_FLAP
- AL_SC_SECONDARY_WAN_TUNNEL_DOWN
- AL_SC_SECONDARY_WAN_TUNNEL_FLAP
- AL_SC_SITE_DOWN
- AL_SC_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_SC_SITE_LONG_DURATION_EXCEEDED_CAPACITY
- AL_ZTNA_CONNECTOR_APP_STATUS_DOWN
- AL_ZTNA_CONNECTOR_APP_STATUS_DOWN_PARTIAL
- AL_ZTNA_CONNECTOR_CPU_HIGH
- AL_ZTNA_CONNECTOR_MEMORY_HIGH
- AL_ZTNA_CONNECTOR_TUNNEL_DOWN
- New Features in Incidents and Alerts
- Known Issues
Secure Mobile Users with an Explicit Proxy
Secure Prisma Access mobile users by creating an Explicit
Proxy and using a PAC file.
To secure mobile users with an Explicit Proxy,
complete the following steps.
Before you configure Explicit
Proxy guidelines, be aware of how explicit proxy
works and how explicit proxy
identifies users, go through the planning checklist,
and learn how to set up the Explicit
Proxy PAC file.
- Configure SAML authentication, including configuring a SAML Identity Provider and an Authentication Profile, for Prisma Access. You specify the authentication profile you create in a later step.Use the following guidelines when configuring authentication for the IdP and in Panorama:
- Panorama Guidelines:
- Be sure that you configure the authentication profile under the Explicit_Proxy_Template.
- Use mail as the user attribute in the IdP server profile and in the Authentication Profile on Panorama.
- Explicit Proxy does not support Sign SAML Message to IdP in the SAML Identity Provider Server Profile.
- When you configure the Cloud Identity Engine to retrieve user and group mapping information, use mail or userPrincipalName as the SamAccountName in Group Mapping.
- When configuring Group Mapping Settings during Explicit Proxy setup, use the same Directory Attribute for Primary Username and email, or Prisma Access does not accurately reflect user counts. For example, given the following user profile:
sAMAccountName: muser Netbios: example userPrincipalName: muser@example.com mail: mobile.user@example.com
If, in the Cloud Identity Engine configuration, you use a Primary Username of userPrincipalName and an E-Mail of mail, the user information that Strata Logging Service returns in traffic logs and the user information that the ACS returns in authentication logs will be different. In this example, ACS sends the mail attribute (mobile.user@example.com) to the authentication logs and Strata Logging Service sends the userPrincipalName attribute (muser@example.com) to the traffic logs. As a result of this mismatch, your user count will not be accurate in the Current Users and Users (Last 90 days) fields when checking the Explicit Proxy status in the Status (PanoramaCloud ServicesStatusStatus page. For this reason, use the same directory attribute for Primary Username and E-Mail (for example, mail) when specifying Group Mapping Settings. - When using Panorama to manage Prisma Access, the Cloud Identity Engine does not auto-populate user and group information in security policy rules.
- IdP Guidelines:
- Use the following URLs when configuring SAML:SAML Assertion Consumer Service URL: https://global.acs.prismaaccess.com/saml/acsEntity ID URL: https://global.acs.prismaaccess.com/saml/metadata
- If you use Okta as the IdP, use EmailAddress for the Name ID Format setting.
- Enter a single sign on URL of https://global.acs.prismaaccess.com/saml/acs.
- Single Logout (SLO) is not supported.
- To troubleshoot IdP authentication issues, use the IdP’s monitoring and troubleshooting capabilities. The ACS does not log IdP authentication failures.
- When creating an Authentication Profile for the SAML IdP, in the Advanced tab, select all in the Allow List or Explicit Proxy will not be able to retrieve group mapping.
- Configure Explicit Proxy settings.
- Select PanoramaCloud ServicesConfigurationMobile Users—Explicit Proxy and click the gear icon to edit Explicit Proxy Settings.
- In the Settings tab, edit the following settings:
- (Optional) In the Templates section, Add the template or templates that contains the configuration you want to push for Explicit Proxy.By default, Prisma Access creates a new template stack Explicit_Proxy_Template_Stack and a new template Explicit_Proxy_Template. If you have existing settings you want to import, import them now. If you are starting with a new Explicit Proxy configuration, make sure that you are using this template when you create and edit your Device settings in Panorama.You can Add more than one existing template to the stack and then order them appropriately using Move Up and Move Down. Panorama evaluates the templates in the stack from top to bottom, and settings in templates that are higher in the stack take priority over the same settings specified in templates that are lower in the stack. You cannot move the default Explicit_Proxy_Template from the top of the stack; this prevents you from overriding any required Explicit Proxy settings.
- In the Device Group section, select the Parent Device Group that contains the configuration settings you want to push for the Explicit Proxy, or leave the parent device group as Shared to use the Prisma Access device group shared hierarchy. The Device Group Name cannot be changed.
- (Optional) If you have configured a next-generation firewall as a master device or added a Cloud Identity Engine profile to make user and group information selectable in security policies, select User-ID Master Device or Cloud Identity Engine; then, select either the Master Device or the Cloud Identity Engine profile that you created.
- In the License Allocation section, specify the number of mobile users to allocate for Explicit Proxy.
- In the Group Mapping Settings tab, Enable Directory Sync Integration (now known as the Cloud Identity Engine) to configure Prisma Access to use the Cloud Identity Engine to retrieve user and group information.You use the Cloud Identity Engine to populate user and group mapping information for an Explicit Proxy deployment. To configure the Cloud Identity Engine, you set up the Cloud Identity Engine on your AD and associate the Panorama that manages Prisma Access with the Cloud Identity Engine in the hub; then, set up the Cloud Identity Engine in Prisma Access.Enter mail for the Directory Attribute in the Primary Username field and mail for the E-Mail field.
- Click OK when finished.
- (Optional, Innovation Deployments Starting with 3.0 Innovation Only) Configure Block Settings.Use Block Settings to block access to an internet destination at the DNS resolution stage.To restrict access to Explicit Proxy to specific source IP addresses, you can also use special objects. These Address Objects, Address Groups, and External Dynamic Lists (EDLs) that use specific names allow the IP addresses you specify for internet traffic and block any other IP addresses.
- In the Authentication Settings tab, configure decryption, X-Authenticated-User (XAU), and authentication settings.
- Configure your settings for decrypted traffic.
- Select Decrypt Traffic That Matches Existing Decryption rules; For Undecrypted Traffic, Allow Traffic Only From Known IPs Registered By Authenticated Users to configure the following decryption rules:
- Traffic that matches decryption policy rules you have configured with an Action to Decrypt or Decrypt and Forward will be decrypted.If a user accesses an undecrypted HTTPS site, and a user has not yet authenticated to Explicit Proxy from that IP address, the user is blocked. However, the user can access a decrypted site, complete authentication, and then access undecrypted sites.
- Undecrypted traffic is allowed from IP addresses from which mobile user have already authenticated.
Explicit Proxy requires decryption to authenticate users. Enter the domains that can be decrypted in a custom URL category; then, specify those categories in If Authentication traffic is forwarded through Explicit Proxy, specify the domains used in the authentication flow.Only add the domains that are required for authentication to the Custom URL category you specify, including all ACS and IdP FQDNs. You must add authentication URLs to the Custom URL category, even if you have added them to a decryption policy. - To allow all traffic to be decrypted, select Decrypt All traffic (Overrides Existing Decryption Rules).If you choose this radio button, ensure that:
- You do not have exceptions in your decryption policy.
- You are applying source IP address-based restrictions in your security policy.
Failing to follow these recommendations enables the abuse of Explicit Proxy as an open proxy that can be widely misused as a forwarding service for conducting denial of service attacks.- You have at least one SSL Forward Proxy certificate specified as a Forward Trust Certificate.If you do not have a forward trust certificate, create one on Panorama; then, Commit and Push your changes to Prisma Access. Failure to have a forward trust certificate will cause a commit error when you commit your Explicit Proxy changes.
- (Optional) Enter any IP addresses from which undecrypted HTTP or HTTP Cross-Origin Resource Sharing (CORS) traffic should be allowed to the Trusted Source Address.Add the IP addresses to IP address-based Address Objects and Add the address objects in the field.Enter a maximum of 100,000 addresses. Make sure that the address object uses IP addresses only.
- (Optional) If you want to allow the Trusted Source Address IP addresses to use XAU for identity, select Use X-Authenticated-User (XAU) header on incoming HTTP/HTTPS requests for Identity.Select this option if you if you are using proxy chaining from a third-party proxy to Explicit Proxy, users have authenticated in that proxy, and the proxy uses XAU headers.XAU headers are the only HTTP headers supported for Explicit Proxy header ingestion. X-Forwarded-For (XFF) headers are not supported.
- (Optional) Specify settings for privacy-sensitive websites by creating security policy rules for those sites, then specifying the Security Policy or policies for those sites in the Enforce Authentication Only area.For any websites you specify in the in the Security Policy or policies you add, Explicit Proxy decrypts the websites based on the decryption policies, but does not inspect or log the decrypted traffic.
- (Optional) If you want to forward traffic to Explicit Proxy from your branches through a secure IPSec tunnel, configure Advanced settings and retrieve anycast IP addresses if you want to use Explicit Proxy in conjunction with a Prisma Access remote network.This solution uses anycast addresses with a remote network IPSec tunnel to allow Explicit Proxy to be used for users and devices at a remote network site or branch location.
- Click Configure to configure Explicit Proxy setup.
- Specify an Explicit Proxy FQDN.By default, the name is proxyname.proxy.prismaaccess.com, where proxyname is the subdomain you specify, and uses port 8080. If you want to use your organization’s domain name in the Explicit Proxy URL (for example, thisproxy.proxy.mycompany.com), enter a CNAME record your organization’s domain.For example, to map a proxy URL named thisproxy.prismaaccess.com to a proxy named thisproxy.proxy.mycompany.com, you would add a CNAME of thisproxy.proxy.prismaaccess.com to the CNAME record in your organization’s domain.
- Specify an Authentication Profile and Cookie Lifetime.
- Specify the SAML Authentication Profile you used in Step1, or add a New authentication profile to use with Prisma Access.You must configure SAML authentication, including configuring a SAML Identity Provider (IdP) and an Authentication Profile, to use an Explicit Proxy.
- (Optional) Specify a Cookie Lifetime for the cookie that stores the users’ authentication credentials.Prisma Access caches the user’s credentials and stores them in the form of a cookie. To change the value, specify the length of time to use in Seconds, Minutes, Hours, or Days.To prevent issues with users not being able to download large files before the cookie lifetime expires, or the cookie expiring when users are accessing a single website for a long period of time, Palo Alto Networks recommends that you configure a Cookie Lifetime of at least one day. If Explicit Proxy users have a cookie lifetime expiration issue, they can browse to a different website to re-authenticate to ACS and refresh the ACS cookie.If you are downloading a file, and the file download takes longer than the Cookie Lifetime, the file download will terminate when the lifetime value expires. For this reason, consider using a longer Cookie Lifetime if you download large files that take a long time to download.
- Select the Locations and the regions associated with those locations where you want to deploy your Explicit Proxy for mobile users. Prisma Access adds a proxy node into each location you select.Explicit Proxy supports a subset of all Prisma Access locations. See Explicit Proxy Locations for the list of locations.The Locations tab displays a map. Highlighting the map shows the global regions (Americas, Europe, and Asia Pacific) and the locations available inside each region. Select a region, then select the locations you want to deploy in each region. Limiting your deployment to a single region provides more granular control over deployed regions and allows you to exclude regions as required by your policy or industry regulations. See Prisma Access Locations for the list of regions and locations. You can select a location in a region that is closest to your mobile users, or select a location as required by your policy or industry regulations.
- Click the Locations tab and select a region.
- Select one or more Explicit Proxy locations within your selected region using the map.Hovering your cursor over a location highlights it. White circles indicate an available location; green circles indicate that you have selected that location.In addition to the map view, you can view a list of regions and locations. Choose between the map and list view from the lower left corner. In the list view, the list displays regions sorted by columns, with all locations sorted by region. You can select All sites within a region (top of the dialog).
- Click OK to add the locations.
- Configure security policy rules to enforce your organization’s security policies.To make required configuration changes and to control the URLs that mobile users can access from Explicit Proxy, use security policies. Use the following guidelines and requirements when configuring your security policies:
- Based on your business goals, create security policies for sanctioned internet and SaaS apps using App-ID and user groups that need access to those applications.
- Attach security profiles to all security policy rules so that you can prevent both known and unknown threats following the security profile best practices.
- Commit your changes to Panorama and push the configuration changes to Prisma Access.
- Click CommitCommit and Push.
- Edit Selections and, in the Prisma Access tab, make sure that Explicit Proxy is selected in the Push Scope, then click OK.
- Click Commit and Push.
- Select the PAC file to use with Explicit Proxy.
- Select PanoramaCloud ServicesConfigurationMobile UsersExplicit Proxy.Be sure that you enter a port of 8080 in the PAC file.
- Select the Connection Name for the Explicit Proxy setup you just configured.
- Enter the PAC (Proxy Auto-Configuration) File to use for Explicit Proxy.Be sure that you understand how PAC files work and how to modify them before you upload them to Prisma Access.Browse and upload the file.Prisma Access provides you with a sample PAC file; you can Download sample PAC file, change the values, and upload that file. See Set Up Your Explicit Proxy PAC File for PAC file requirements and guidelines as we as a description of the contents of the sample PAC file.