Configure Explicit Proxy

The explicit proxy method allows you to troubleshoot issues more easily, since the client browser is aware of the existence of the proxy.
  1. (
    VM Series only
    ) If you have not already done so, activate the license for web proxy.
    You must activate the web proxy license for the PA-1400 Series, PA-3400 Series, and VM-Series. Learn how to activate your subscription licenses for the PA-1400 Series and PA-3400 Series or activate the web proxy license for the VM-Series in the following step.
    1. Log in to the Customer Service Portal (CSP).
    2. Select
      Web Proxy (Promotional Offer)
    3. Click
      Update Deployment Profile
    4. On the firewall, retrieve the license keys from the server.
      If the license key retrieval is not successful, restart the firewall and repeat this step before proceeding.
  2. Set up the necessary interfaces and zones.
    As a best practice, use Layer 3 (L3) for the three interfaces the web proxy uses and configure a separate zone for each interface within the same virtual routers and the same virtual systems.
    1. Configure an interface for the client traffic.
      Be sure to carefully copy the IP address for this interface and save it in a secure location because you must enter it as the
      Proxy IP
      address when you configure the web proxy.
    2. Configure an interface for the outgoing traffic to the internet.
    3. Configure a loopback interface for the proxy.
      All incoming traffic is routed through this interface to the proxy.
  3. Set up the DNS proxy for Explicit Proxy.
    1. Configure a DNS proxy object for the proxy connection.
    2. Configure a DNS Server profile with both primary and secondary DNS servers.
      You must configure both a primary and a secondary DNS server for web proxy.
    3. Specify the interface for the proxy connection.
      Specify either the traffic ingress interface or a loopback interface.
  4. To enable decryption for MITM detection, create a self-signed root CA certificate or import a certificate signed by your enterprise certificate authority (CA). For more information, refer to the best practices for administrative access.
  5. Ensure you have completed the pre-deployment steps for the authentication method you want to configure.
  6. If you have a DNS security subscription, integrate the web proxy firewall with Explicit Proxy to sinkhole any requests that match the DNS security categories that you specify.
    1. Select
      Cloud Services
      On-Prem Proxy
    2. Edit
      the settings then select the
      Device Group
      you want the web proxy firewall to use or
      a new device group.
      To integrate the web proxy firewall with Prisma Access, you must configure the web proxy firewall in a separate device group that contains no other firewalls or virtual systems. If the firewall is already a member of a device group, create a child device group as a sub-group and move the firewall to the child device group.
    3. (Optional) Select
      Block Settings
      Blocked Domain
      or any domains that are
      Exempted Domains
      because they are sinkholed due to matching one or more of the DNS Security categories.
    4. (Optional) Select whether you want to
      Log any requests made to blocked domains
    5. Click
  7. Set up the Explicit Proxy.
    1. On the firewall, select
      Proxy Enablement
    2. Select
      Explicit Proxy
      as the
      Proxy Type
      then click
      to confirm the changes.
      If the only available option is None, verify that you have an active license for the web proxy feature.
    3. Edit
      Explicit Proxy Configuration
    4. Specify the
      Connect Timeout
      to define (in seconds) how long the proxy waits for a response from the web server. If there is no response after the specified amount of time has elapsed, the proxy closes the connection.
    5. Select the
      Listening Interface
      that contains the firewall where you want to enable the web proxy.
      Specify the ingress interface for the client traffic.
    6. Select the
      Upstream Interface
      that contains the interface with the web proxy that reroutes the traffic to the server.
      If you are using a loopback interface, specify that interface as the
      Upstream Interface
    7. Specify the IP address of the listening interface as the
      Proxy IP
      Enter the IP address of the interface you created in Step 2.a
    8. Specify the
      DNS Proxy
      object you created in Step 3.a.
    9. Select
      Check domain in CONNECT & SNI are the same
      to prevent domain fronting attacks by specifying different domains between the CONNECT request and the Server Name Indication (SNI) field in the HTTP header.
    10. Select the
      Authentication service type
      you want to use (either
      Kerberos Single Sign On
      Be sure to complete all necessary pre-deployment and configuration steps for the authentication method you select. Select only one of the following authentication methods:
    11. Click
      to confirm the changes.
  8. Configure the necessary security policy rules to decrypt traffic and reroute applicable traffic to the proxy.
    You will need to create the following types of rules:
    • Source NAT (if applicable)
    • Decryption
    • Security
    1. Configure a decryption policy to decrypt the traffic so it can be rerouted if necessary.
      To avoid decrypting traffic twice, select the zone that contains the upstream interface as the source zone for the decryption policy.
    2. (Optional but recommended) Select
      Decryption Profile
      and select
      Block sessions on SNI mismatch with Server Certificate (SAN/CN)
      to automatically deny any sessions where the Server Name Indication (SNI) does not match the server certificate.
    3. Configure the necessary security policy rules.
      • Create a security policy rule to allow traffic from the client to the interface you selected as the listening interface.
      • Configure a security policy rule to allow traffic from the zone that contains the upstream interface to the internet.
      • Configure a security policy rule to allow traffic from the DNS proxy zone to the internet.
    4. Configure a security policy rule using the authentication profile you configured in Step 5 to route traffic to the proxy as appropriate.

Recommended For You