Remote Browser Isolation
Configure Remote Browser Isolation (Cloud Management)
Table of Contents
Configure Remote Browser Isolation (Cloud Management)
Remote Browser Isolation
(Cloud Management)Learn how to configure
Remote Browser Isolation
using Strata Cloud Manager
.You can secure your end users' browsing experience by configuring
Remote Browser Isolation (RBI)
to isolate their browser traffic.Configure
RBI
by completing the following steps:- Before you can begin to configureRBI, ensure that you:
- Purchase a valid Prisma Access license with a Mobile Users or Remote Networks license subscription.
- Purchase and activate the Remote Browser Isolation license.
- Configure at least onePrisma Accessconnection method, such as GlobalProtect, Explicit Proxy, or Remote Networks, otherwise you won't be able to enableRBI.
- Enable decryption so thatPrisma Accesscan decrypt and inspect traffic to determine what needs to be isolated according to the policies that you configured.
- InStrata Cloud Manager, go to theRemote Browser IsolationSetup page by selecting.WorkflowsPrisma AccessSetupRemote Browser IsolationTheRemote Browser IsolationSetup page is available only if you purchased and activated theRemote Browser Isolationlicense.Alternatively, you can select. Then, selectManageConfigurationNGFW andPrisma AccessSecurity ServicesURL Access ManagementSettings, open theThird Party, and clickRemote Browser IsolationSettingsConfigure Remote Browser Isolation.TheConfigure Remote Browser Isolationbutton is available only if you purchased and activated theRemote Browser Isolationlicense.
- Set up the infrastructure settings forRBIthat will define the browser behavior and appearance during isolated browsing sessions.
- If you're setting upRBIfor the first time, select.InfrastructureSet Up Infrastructure SettingsOtherwise, edit theSettingsand selectCustomize.
- Define the browser behavior during an isolated browsing session.
- Idle Tab Timeout (Mins)—Specify the duration that elapses before a browser tab will time out due to user inactivity. The default timeout value is 10 minutes. The range is 5-20 minutes.The inactivity timer starts from the user's last action, such as mouse click, scrolling, navigation, file upload or download, and stopping video or audio. Just moving the cursor isn't considered an activity.
- Max Tabs Per Browser—Select the maximum number of tabs that the user can open per browser. You can choose either 5, 10, or 15 maximum tabs. The default is 10.When the number of tabs exceeds the maximum, the users will be prompted to close existing tabs if they want to open more tabs for browsing.
- Clear cache and cookies when isolated browsing session ends—Enable this setting to clear the browser's cache and cookies when the user ends the isolated browsing session (by closing the browser). Clearing the cache and cookies can potentially help resolve some browser issues by speeding page loads or removing website tracking data.
- Allow users to report issues encountered in isolation sessions—When this setting isEnabled, mobile users can report issues that they encountered during isolated browsing. The users can click the floating action button and selectReport an issue.
- Set up advanced settings for isolated browsing, such as split tunnel settings.
- Agent Split Tunneling for RBI—To further improve the user experience while in isolation, enable split tunneling, which allows the remote browser to connect directly to endpoints for quicker access.This setting is enabled by default and applies only to mobile user connections such as GlobalProtect and Explicit Proxy. For Remote Networks, all traffic goes through the tunnel toPrisma Access. For Explicit Proxy, you need to exclude theRBIdomain in the PAC file by adding the following statements:if (shExpMatch(host, "*.rbi.io")) return "DIRECT";TheRBIsplit tunnel configuration is not viewable in the split tunnel configuration area of GlobalProtect.RBIuses split tunneling based on the domain and application, and the configuration is FQDN-based. For split tunneling to work, you must enable Split DNS to enable mobile users to direct their DNS queries for applications and resources over the tunnel or outside the tunnel in addition to network traffic.
- Action for sites that cannot be decrypted (technical or policy reason)—Prisma Accessneeds to decrypt encrypted websites so that it can inspect traffic to determine which websites to isolate according to the policies that you configured.Choose whether toAlloworBlockaccess to websites that can't be decrypted due to technical or policy reasons.
- Set up theme settings for the isolated browsing session. When a user enters an isolated browsing session, an end-user notification appears to let them know that they are entering isolation. You can customize this notification to align with your organization's look and feel.The following is an example of a notification banner:Here is where you set up the isolation theme:
- Name—Enter the name that will appear on the notification banner when the user enters an isolated session on their browser. (Required field)
- Description—Enter the text that goes on the notification banner. (Required field)
- Banner Logo—Choose Fileto upload a graphics file that will appear as the logo for the banner. If you do not upload a file, the Palo Alto Networks logo will be used by default. You can upload only one file. The valid file formats are JPG and PNG.
- Floating Banner Logo—Choose Fileto upload a graphics file that will appear in the floating action button that users can click to invoke an action such as reporting an issue. If you do not upload a file, the Palo Alto Networks logo will be used by default. You can upload only one file. The valid file formats are JPG and PNG.
- Saveyour infrastructure settings.
- Set up one or more isolation profiles that define what browser actions users can perform during an isolated session.
- From theRemote Browser IsolationSetup page, selectIsolation Profiles.
- A default isolation profile is provided for you. You can create custom isolation profiles when youAdd Isolation Profile.
- Enter aNameandDescriptionfor the isolation profile.
- Select the security controls that you want to put in place for the browser. You can allow or prohibit a user from doing the following actions:
- View files in isolation
- Upload files
- Download files
- Copy content
- Paste content
- Use the keyboard for input
- Print content
By selecting an action, the action will be enabled and allowed for the user in isolation. - Saveyour isolation profile settings.
- Create or update a URL access management profile and attach the isolation profile to it.
- FromStrata Cloud Manager, select.ManageConfigurationNGFW andPrisma Access
- Select.Security ServicesURL Access Management
- Edit an existing URL access management profile by selecting the profile name orAdd Profileto create a new one.
- If you are adding a profile, enter aNameandDescriptionfor the profile, select the check box next to theCategorycolumn heading, and select.Set AccessIsolateThis action automatically sets theSite Accesstoisolate, and associates theDefault_Isolation_Profileto all the URL categories.
- If necessary, change theAccess Controlfor specific website categories.
- Searchfor a URL category or scroll to a category.
- If you are editing an existing URL management profile, click theSite Accessdrop-down for a URL category and selectIsolateto permit isolated browsing of websites in that category.For websites that belong in multiple URL categories, the effective URL category action is the highest priority match action across all these categories. The priority in descending order is as follows:. Therefore, forBlockIsolateOverrideContinueAlertAllowRBIto work, you need to set the action toIsolatefor all categories that match a website.For example, cnn.com belongs in both thenewsandlow-riskcategories. If thenewscategory is set toBlockand thelow-riskcategory is set toIsolate, the cnn.com website will be blocked because theBlockaction overrides theIsolateaction. For isolated browsing to work for cnn.com, you must set both categories to theIsolateaction.
- After you select the site access, theDefault_Isolation_Profileis automatically attached to the URL category. If you created additional isolation profiles that control the browser actions in isolation mode, you can attach a different profile by clicking theIsolation Profiledrop-down and selecting an available profile.
- Saveyour settings.
- Create a security policy rule that uses the URL access management profile that you set up for isolation.
- FromStrata Cloud Manager, select.ManageConfigurationNGFW andPrisma Access
- If you have not done so already, create a profile group.
- SelectandSecurity ServicesProfile GroupsAdd Profile Group.
- Enter theNameof the profile group.
- Select the security profiles that you want to use, and ensure that you select theURL Access Management Profilethat you want to use for isolation.
- Saveyour changes.
- Associate the profile group to a security rule. If you have not done so already, create a security rule.
- Select.Security ServicesSecurity RulesAdd RulePre Rules
- Enter theNamefor the security rule.
- Select a source zone for theMatch Criteria.
- Select a destination zone and address for theMatch Criteria.
- Select anApplication.
- Select theAllowaction and select theProfile Groupthat you created for isolation.You can use the groups that you created or populated in Cloud Identity Engine for user and user group mapping forRBI.
- You can also create a web security rule where you can control the access for websites in URL categories based on the isolation profile that you set up previously.
- FromStrata Cloud Manager, select.ManageConfigurationNGFW andPrisma Access
- Select.Security ServicesWeb SecurityAdd Policy
- Enter theNamefor the custom web access policy.
- Add theAllowed URL Categoriesfor isolated browsing. For example, to allow websites in the Entertainment and Arts category for isolated browsing, click+and selectEntertainment and Arts.
- ClickNonein the Additional Action column and selectIsolate.
- In theIsolation Profilecolumn, use the default isolation profile or select an isolation profile that you created.
- Saveyour changes.
- Push the configuration to your mobile users or remote networks by selecting, selecting thePush ConfigPushTargetfor the configuration, andPush.