Configure Remote Browser Isolation
Learn how to configure Remote Browser Isolation using Strata Cloud Manager or Panorama Managed Prisma Access.
To onboard your end users to RBI, you need to configure RBI using Strata Cloud Manager or Panorama Managed Prisma Access and push the configuration to the endpoints.
In this procedure, you will:
- Set up the infrastructure settings for RBI that define the session and browser appearance during isolated browsing
- Set up isolation profiles that define what browser actions a user can or cannot perform
- Use the existing policy framework in Prisma Access to quickly and easily define the URLs or websites (including categories) that a user can access using RBI
Configure Remote Browser Isolation (Cloud Management)
Learn how to configure Remote Browser Isolation using Strata Cloud Manager.
You can secure your end users' browsing experience by configuring Remote Browser Isolation (RBI) to isolate their browser traffic.
Configure RBI by completing the following steps:
- Before you can begin to configure RBI, ensure that you:
  - Purchase a valid Prisma Access license with a Mobile Users or Remote Networks license subscription.
  - Purchase and activate the Remote Browser Isolation license.
  - Configure at least one Prisma Access connection method, such as GlobalProtect, Explicit Proxy, or Remote Networks, otherwise you won't be able to enable RBI.
  - Enable decryption so that Prisma Access can decrypt and inspect traffic to determine what needs to be isolated according to the policies that you configured.
- In Strata Cloud Manager, go to the Remote Browser Isolation Setup page by selecting Workflows > Prisma Access Setup > Remote Browser Isolation.
  The Remote Browser Isolation Setup page is available only if you purchased and activated the Remote Browser Isolation license.
  Alternatively, you can select Manage > Configuration > NGFW and Prisma Access > Security Services > URL Access Management. Then, select Settings, open the Third Party Remote Browser Isolation Settings, and click Configure Remote Browser Isolation.
  The Configure Remote Browser Isolation button is available only if you purchased and activated the Remote Browser Isolation license.
- Set up the infrastructure settings for RBI that will define the browser behavior and appearance during isolated browsing sessions.
  - If you're setting up RBI for the first time, select Infrastructure > Set Up Infrastructure Settings. Otherwise, edit the Settings and select Customize.
  - Define the browser behavior during an isolated browsing session.
    - Idle Tab Timeout (Mins)—Specify the duration that elapses before a browser tab will time out due to user inactivity. The default timeout value is 10 minutes. The range is 5-20 minutes.
      The inactivity timer starts from the user's last action, such as mouse click, scrolling, navigation, file upload or download, and stopping video or audio. Just moving the cursor isn't considered an activity.
    - Max Tabs Per Browser—Select the maximum number of tabs that the user can open per browser. You can choose either 5, 10, or 15 maximum tabs. The default is 10.
      When the number of tabs exceeds the maximum, the users will be prompted to close existing tabs if they want to open more tabs for browsing.
    - Clear cache and cookies when isolated browsing session ends—Enable this setting to clear the browser's cache and cookies when the user ends the isolated browsing session (by closing the browser). Clearing the cache and cookies can potentially help resolve some browser issues by speeding page loads or removing website tracking data.
    - Allow users to report issues encountered in isolation sessions—When this setting is Enabled, mobile users can report issues that they encountered during isolated browsing. The users can click the floating action button and select Report an issue.
  - Set up advanced settings for isolated browsing, such as split tunnel settings.
    - Agent Split Tunneling for RBI—To further improve the user experience while in isolation, enable split tunneling, which allows the remote browser to connect directly to endpoints for quicker access.
      This setting is enabled by default and applies only to mobile user connections such as GlobalProtect and Explicit Proxy. For Remote Networks, all traffic goes through the tunnel to Prisma Access. For Explicit Proxy, you need to exclude the RBI domain in the PAC file by adding the following statements:
          if (shExpMatch(host, "*.rbi.io")) return "DIRECT";
      The RBI split tunnel configuration is not viewable in the split tunnel configuration area of GlobalProtect. RBI uses split tunneling based on the domain and application, and the configuration is FQDN-based. For split tunneling to work, you must enable Split DNS to enable mobile users to direct their DNS queries for applications and resources over the tunnel or outside the tunnel in addition to network traffic.
    - Action for sites that cannot be decrypted (technical or policy reason)—Prisma Access needs to decrypt encrypted websites so that it can inspect traffic to determine which websites to isolate according to the policies that you configured.
      Choose whether to Allow or Block access to websites that can't be decrypted due to technical or policy reasons.
  - Set up theme settings for the isolated browsing session. When a user enters an isolated browsing session, an end-user notification appears to let them know that they are entering isolation. You can customize this notification to align with your organization's look and feel.
    Here is where you set up the isolation theme:
    - Name—Enter the name that will appear on the notification banner when the user enters an isolated session on their browser. (Required field)
    - Description—Enter the text that goes on the notification banner. (Required field)
    - Banner Logo—Choose File to upload a graphics file that will appear as the logo for the banner. If you do not upload a file, the Palo Alto Networks logo will be used by default. You can upload only one file. The valid file formats are JPG and PNG.
    - Floating Banner Logo—Choose File to upload a graphics file that will appear in the floating action button that users can click to invoke an action such as reporting an issue. If you do not upload a file, the Palo Alto Networks logo will be used by default. You can upload only one file. The valid file formats are JPG and PNG.
  - Save your infrastructure settings.
- Set up one or more isolation profiles that define what browser actions users can perform during an isolated session.
  - From the Remote Browser Isolation Setup page, select Isolation Profiles.
  - A default isolation profile is provided for you. You can create custom isolation profiles when you Add Isolation Profile.
  - Enter a Name and Description for the isolation profile.
  - Select the security controls that you want to put in place for the browser. You can allow or prohibit a user from doing the following actions:
    - View files in isolation
    - Upload files
    - Download files
    - Copy content
    - Paste content
    - Use the keyboard for input
    - Print content
    By selecting an action, the action will be enabled and allowed for the user in isolation.
  - Save your isolation profile settings.
- Create or update a URL access management profile and attach the isolation profile to it.
  - From Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access.
  - Select Security Services > URL Access Management.
  - Edit an existing URL access management profile by selecting the profile name or Add Profile to create a new one.
  - If you are adding a profile, enter a Name and Description for the profile, select the check box next to the Category column heading, and select Set Access > Isolate.
    This action automatically sets the Site Access to isolate, and associates the Default_Isolation_Profile to all the URL categories.
  - If necessary, change the Access Control for specific website categories.
    - Search for a URL category or scroll to a category.
    - If you are editing an existing URL management profile, click the Site Access drop-down for a URL category and select Isolate to permit isolated browsing of websites in that category.
      For websites that belong in multiple URL categories, the effective URL category action is the highest priority match action across all these categories. The priority in descending order is as follows: Block, Isolate, Override, Continue, Alert, Allow. Therefore, for RBI to work, you need to set the action to Isolate for all categories that match a website.
      For example, cnn.com belongs in both the news and low-risk categories. If the news category is set to Block and the low-risk category is set to Isolate, the cnn.com website will be blocked because the Block action overrides the Isolate action. For isolated browsing to work for cnn.com, you must set both categories to the Isolate action.
    - After you select the site access, the Default_Isolation_Profile is automatically attached to the URL category. If you created additional isolation profiles that control the browser actions in isolation mode, you can attach a different profile by clicking the Isolation Profile drop-down and selecting an available profile.
  - Save your settings.
- Create a security policy rule that uses the URL access management profile that you set up for isolation.
  - From Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access.
  - If you have not done so already, create a profile group.
    - Select Security Services > Profile Groups and Add Profile Group.
    - Enter the Name of the profile group.
    - Select the security profiles that you want to use, and ensure that you select the URL Access Management Profile that you want to use for isolation.
    - Save your changes.
  - Associate the profile group to a security rule. If you have not done so already, create a security rule.
    - Select Security Services > Security Rules > Add Rule > Pre Rules.
    - Enter the Name for the security rule.
    - Select a source zone for the Match Criteria.
    - Select a destination zone and address for the Match Criteria.
    - Select an Application.
    - Select the Allow action and select the Profile Group that you created for isolation.
      You can use the groups that you created or populated in Cloud Identity Engine for user and user group mapping for RBI.
- You can also create a web security rule where you can control the access for websites in URL categories based on the isolation profile that you set up previously.
  - From Strata Cloud Manager, select Manage > Configuration > NGFW and Prisma Access.
  - Select Security Services > Web Security > Add Policy.
  - Enter the Name for the custom web access policy.
  - Add the Allowed URL Categories for isolated browsing. For example, to allow websites in the Entertainment and Arts category for isolated browsing, click + and select Entertainment and Arts.
  - Click None in the Additional Action column and select Isolate.
  - In the Isolation Profile column, use the default isolation profile or select an isolation profile that you created.
  - Save your changes.
- Push the configuration to your mobile users or remote networks by selecting Push Config > Push, selecting the Target for the configuration, and Push.
Configure Remote Browser Isolation (Panorama)
Learn how to configure Remote Browser Isolation using Panorama Managed Prisma Access.
You can secure your end users' browsing experience by configuring Remote Browser Isolation (RBI) to isolate their browser traffic.
Configure RBI by completing the following steps:
- Before you can begin to configure RBI, ensure that you:
  - Purchase a valid Prisma Access license with a Mobile Users or Remote Networks license subscription.
  - Purchase and activate the Remote Browser Isolation license.
  - Configure at least one Prisma Access connection method, such as GlobalProtect, Explicit Proxy, or Remote Networks, otherwise you won't be able to enable RBI.
  - Enable decryption so that Prisma Access can decrypt and inspect traffic to determine what needs to be isolated according to the policies that you configured.
- Follow the instructions to configure a URL filtering profile and apply it to a security rule.
  When setting the Site Access for a Category, select Isolate to permit isolated browsing of websites in the URL category.
  For websites that belong in multiple URL categories, the effective URL category action is the highest priority match action across all these categories. The priority in descending order is as follows: Block, Isolate, Override, Continue, Alert, Allow. Therefore, for RBI to work, you need to set the action to Isolate for all categories that match a website.
  For example, cnn.com belongs in both the news and low-risk categories. If the news category is set to Block and the low-risk category is set to Isolate, the cnn.com website will be blocked because the Block action overrides the Isolate action. For isolated browsing to work for cnn.com, you must set both categories to the Isolate action.
- If you are setting up RBI for the first time in Panorama Managed Prisma Access, select Panorama > Cloud Services > Status > Remote Browser Isolation > Configure.
  The Configure button is available only if you purchased the Remote Browser Isolation license.
  If you set up RBI previously and want to edit the configuration, select Panorama > Cloud Services > Configuration > Remote Browser Isolation.
- Set up the infrastructure settings for RBI that will define the browser behavior and appearance during isolated browsing sessions.
  - Edit the Settings.
  - Start defining the browser behavior during an isolated browsing session by selecting the General tab.
  - Configure general browser settings:
    - Idle Tab Timeout (Mins)—Specify the duration that elapses before a browser tab will time out due to user inactivity. The default timeout value is 10 minutes. The range is 5-20 minutes.
      The inactivity timer starts from the user's last action, such as mouse click, scrolling, navigation, file upload or download, and stopping video or audio. Just moving the cursor isn't considered an activity.
    - Max Tabs Per Browser—Select the maximum number of tabs that the user can open per browser. You can choose either 5, 10, or 15 maximum tabs. The default is 10.
      When the number of tabs exceeds the maximum, the users will be prompted to close existing tabs if they want to open more tabs for browsing.
    - Clear cache and cookies when isolated browsing session ends—Enable this setting to clear the browser's cache and cookies when the user ends the isolated browsing session (by closing the browser). Clearing the cache and cookies can potentially help resolve some browser issues by speeding page loads or removing website tracking data.
  - Set up theme settings for the isolated browsing session. When a user enters an isolated browsing session, an end-user notification appears to let them know that they are entering isolation. You can customize this notification to align with your organization's look and feel.
    Here is where you specify what goes on the banner:
    - Title—Enter the name that will appear on the notification banner when the user enters an isolated session on their browser.
    - Banner Content—Enter the text that goes on the notification banner.
    - Logo Type (Banner)—Select the type of logo that will appear on the banner. The default logo is the Palo Alto Networks icon. To customize the logo, click Custom and Browse to upload a graphics file of your choice. You can upload only one file. The valid file formats are JPG and PNG.
    - Logo Type (Floating Action Button)—Select the type of logo that will appear on the floating action button on the isolation browser. The floating action button provides a list of actions that the user can perform, such as reporting an issue. The user can drag the button to different locations on the browser.
      The Default logo for the floating action button is the Palo Alto Networks icon. To customize the logo, click Custom and Browse to upload a graphics file of your choice. You can upload only one file. The valid file formats are JPG and PNG.
  - Enable Allow users to report issues encountered in isolated sessions? if you want your end users to report issues they encountered during isolated browsing. The users can click the floating action button and select Report an issue.
  - Review a map of the RBI locations by selecting the Locations tab. The locations shown are the same as the GlobalProtect, Explicit Proxy, and Remote Network locations that you have already set up.
    If you did not set up any locations, you can click the links on the map to navigate to the relevant configuration pages.
  - Set up advanced settings for isolated browsing, such as split tunnel settings, by selecting the Advanced tab.
    - Agent Split Tunneling for RBI—To further improve the user experience while in isolation, enable split tunneling, which allows the remote browser to connect directly to endpoints for quicker access.
      This setting is enabled by default and applies only to mobile user connections such as GlobalProtect and Explicit Proxy. For Remote Networks, all traffic goes through the tunnel to Prisma Access. For Explicit Proxy, you need to exclude the RBI domain in the PAC file by adding the following statements:
          if (shExpMatch(host, "*.rbi.io")) return "DIRECT";
      The RBI split tunnel configuration is not viewable in the split tunnel configuration area of GlobalProtect. RBI uses split tunneling based on the domain and application, and the configuration is FQDN-based. For split tunneling to work, you must enable Split DNS to enable mobile users to direct their DNS queries for applications and resources over the tunnel or outside the tunnel in addition to network traffic.
    - Action for sites that cannot be decrypted (technical or policy reason)—Prisma Access needs to decrypt encrypted websites so that it can inspect traffic to determine which websites to isolate according to the policies that you configured.
      Choose whether to Allow or Block access to websites that can't be decrypted due to technical or policy reasons.
- Set up one or more isolation profiles that define what browser actions users can perform during an isolated session.
  - From the Remote Browser Isolation configuration page, select Isolation Profile.
  - A default isolation profile is provided for you. You can Add a custom isolation profile.
  - Enter a Name and Description for the isolation profile.
  - Select the security controls for the browser. You can allow or prohibit a user from doing the following actions:
    - View files in isolation
    - Upload files
    - Download files
    - Copy content
    - Paste content
    - Use the keyboard for input
    - Print content
    By selecting a security control, the browser action will be allowed for the user in isolation.
  - Click OK to save your isolation profile.
- Attach an isolation profile to a security rule to which you applied a URL filtering profile containing categories for isolated browsing.
  - From the Remote Browser Isolation configuration page, select Isolation Security Rules Association.
  - Add a device group and associate an isolation profile and URL categories with the security rules for the device group.
    If you want to update an existing device group, select the check box next to the device group name and select Modify in the Actions column.
    - Select a predefined Device Group and a predefined Security Rule for the selected device group.
    - Search for or scroll to the URL categories that you want to associate with the device group and select the check boxes next to the URL categories.
      To quickly configure the access control for all URL categories, select the check box next to the URL Categories table heading. All the URL categories will be selected.
    - To attach an isolation profile to the security rule, click Isolation Profile and select an available isolation profile.
      All the selected URL categories will be associated with the selected isolation profile.
    - Click OK to save your settings.
- Commit and push your configuration changes to the cloud firewall.
- After the configuration has been pushed successfully, you can view the status of the RBI configuration in the Panorama > Cloud Services > Status page.
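The category-priority rule stated in both procedures above (Block, Isolate, Override, Continue, Alert, Allow) can be checked against a profile before you push it. The following JavaScript is an added example, not part of the Palo Alto Networks documentation and not a Prisma Access API; the profile object, the site-to-category map, the shopping category and the .example sites are constructed sample data, and only cnn.com with its news and low-risk categories comes from the text.

```javascript
// Priority order from the procedure, highest priority first.
const PRIORITY = ["block", "isolate", "override", "continue", "alert", "allow"];

// Effective action for one site: the highest-priority action among the
// actions configured for every URL category the site belongs to.
function effectiveAction(categories, profile) {
  let best = null;
  for (const cat of categories) {
    const rank = PRIORITY.indexOf(profile[cat]);
    if (rank === -1) throw new Error("no valid action for category " + cat);
    if (best === null || rank < best) best = rank;
  }
  return best === null ? null : PRIORITY[best];
}

// For every site with at least one category set to isolate, report the
// effective action and the categories that are not yet set to isolate.
function auditIsolation(siteCategories, profile) {
  return Object.keys(siteCategories)
    .filter((site) => siteCategories[site].some((c) => profile[c] === "isolate"))
    .map((site) => {
      const cats = siteCategories[site];
      const effective = effectiveAction(cats, profile);
      return {
        site,
        effective,
        isolated: effective === "isolate",
        fix: cats.filter((c) => profile[c] !== "isolate"),
      };
    });
}

// Constructed sample data (assumption): category membership per site and the
// action configured per category in one URL access management profile.
const SITE_CATEGORIES = {
  "cnn.com": ["news", "low-risk"],
  "shop.example": ["shopping", "low-risk"],
  "intranet.example": ["shopping"],
};
const PROFILE = { news: "block", "low-risk": "isolate", shopping: "alert" };

for (const f of auditIsolation(SITE_CATEGORIES, PROFILE)) {
  console.log(f.site, "->", f.effective, "| set to isolate:", f.fix.join(", ") || "none");
}
```

A site whose report shows `isolated: false` is shadowed by a Block category; the `fix` list names the categories to change so that every matching category is set to Isolate.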
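For the Explicit Proxy PAC exclusion described under Agent Split Tunneling for RBI in both procedures, the following added example (not from the original documentation) places the statement in a complete FindProxyForURL function and checks which hosts bypass the proxy. The proxy address, the host names and the verifyPac helper are assumptions; shExpMatch is re-implemented here only so the file runs outside a browser.

```javascript
// Stand-in for the PAC built-in shExpMatch so this file also runs under Node.
// Browsers provide their own; leave this function out of the deployed PAC file.
function shExpMatch(str, pattern) {
  var re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")                  // shell * -> any run of characters
    .replace(/\?/g, ".");                  // shell ? -> any single character
  return new RegExp("^" + re + "$").test(str);
}

// Hypothetical explicit proxy address (assumption); substitute your own.
var PROXY = "PROXY proxy.example.invalid:8080";

// PAC entry point with the RBI exclusion placed before the catch-all return.
function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.rbi.io")) return "DIRECT";
  return PROXY;
}

// Counter-example: an earlier rule already returns for every http(s) URL, so
// the RBI exclusion below it is never reached.
function FindProxyForURLMisordered(url, host) {
  if (shExpMatch(url, "http*")) return PROXY;
  if (shExpMatch(host, "*.rbi.io")) return "DIRECT";
  return PROXY;
}

// Constructed host names: a host under rbi.io must go DIRECT, while look-alike
// names that merely contain "rbi.io" must still go through the proxy.
var CASES = [
  { host: "session.rbi.io", expect: "DIRECT" },
  { host: "www.example.com", expect: PROXY },
  { host: "rbi.io.example.com", expect: PROXY },
  { host: "notrbi.io", expect: PROXY },
];

// Returns the cases a PAC function gets wrong (an empty array means it passes).
function verifyPac(findProxy, cases) {
  return cases
    .map(function (c) {
      var got = findProxy("https://" + c.host + "/", c.host);
      return { host: c.host, expect: c.expect, got: got };
    })
    .filter(function (r) { return r.got !== r.expect; });
}

console.log("correct PAC failures:", verifyPac(FindProxyForURL, CASES));
console.log("misordered PAC failures:", verifyPac(FindProxyForURLMisordered, CASES));
```

The look-alike cases confirm that the bypass stays scoped to hosts under rbi.io, so other traffic continues to reach Prisma Access for inspection.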