Configure Network Protection

Where Can I Use This?
  • Strata Cloud Manager
  • Prisma Access Browser standalone
What Do I Need?
  • Prisma Access with Prisma Access Browser bundle license or Prisma Access Browser standalone license
  • Superuser or Prisma Access Browser role

Pages with SSL Errors

Mobile Browser - Full support
This feature manages how the Prisma Access Browser will react when it encounters a page with an SSL error. In general, most browsers ask for permission to "Proceed to [FQDN] (unsafe)".
Since SSL errors can occur during an SSL MitM attack, you can use this control to block the "Proceed..." functionality.
  1. From Strata Cloud Manager, select Manage > Configuration > Prisma Access Browser > Policy > Profiles > Browser Security.
  2. Select Pages with SSL Errors.
  3. Select one of the following options:
    • Allow - Allow users to bypass the blocking page when an SSL issue is identified.
    • Block – The Prisma Access Browser will block the "Proceed..." option when an SSL issue is identified.
  4. Click Set.

DNS-Over-HTTPS

Mobile Browser - No support
This feature manages DNS resolution over the HTTPS protocol (DNS-over-HTTPS), which encrypts DNS requests.
This helps prevent MitM attacks.
  1. From Strata Cloud Manager, select Manage > Configuration > Prisma Access Browser > Policy > Profiles > Browser Security.
  2. Select DNS-Over-HTTPS.
  3. Select one of the following options:
    • Enable - Enter the following information:
      • Upon DNS over HTTPS resolve failure:
        • Fail-open: Resolve using plain DNS.
        • Fail-close: Do not resolve.
      • Enter the DNS-over-HTTPS resolver's URL.
    • Disable – Prisma Access Browser will not enable DNS over HTTPS resolution.
  4. Click Set.
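
The two failure modes above, modelled as an added example (not Palo Alto Networks code): it builds an RFC 8484 DoH GET request and shows what each policy returns when the resolver cannot be reached. The resolver URL, the transport functions and the addresses are constructed placeholders so the code runs offline.

```python
import base64
import struct

def build_dns_query(name, qtype=1):
    """DNS query in wire format (RFC 1035); ID 0 as RFC 8484 advises for caching."""
    header = struct.pack("!HHHHHH", 0, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def doh_get_url(resolver_url, name):
    """RFC 8484 GET form: ?dns=<base64url of the query, padding stripped>."""
    encoded = base64.urlsafe_b64encode(build_dns_query(name)).rstrip(b"=").decode()
    return f"{resolver_url}?dns={encoded}"

def resolve(name, resolver_url, doh_transport, plain_dns, on_failure):
    """Return (answer, channel); answer is None when the policy refuses to resolve."""
    if on_failure not in ("fail-open", "fail-close"):
        raise ValueError(f"unknown policy: {on_failure}")
    try:
        return doh_transport(doh_get_url(resolver_url, name)), "doh"
    except OSError:
        if on_failure == "fail-open":
            # Falls back to unencrypted DNS: readable and spoofable on the path.
            return plain_dns(name), "plain-dns"
        return None, "blocked"

# Constructed stand-ins for the network so the example runs offline.
RESOLVER = "https://doh.example.test/dns-query"  # placeholder URL

def doh_filtered(url):
    raise ConnectionError("DoH endpoint unreachable")  # e.g. filtered on path

def doh_ok(url):
    return "198.51.100.10"  # documentation address

def tampered_plain_dns(name):
    return "203.0.113.66"  # answer an on-path party could substitute

if __name__ == "__main__":
    for policy in ("fail-open", "fail-close"):
        print(policy, resolve("www.example.com", RESOLVER, doh_filtered,
                              tampered_plain_dns, policy))
```

With Fail-open, anyone able to block the DoH endpoint forces resolution back onto plain DNS, so Fail-close is the setting that keeps the MitM protection intact at the cost of availability.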

Trusted Certificate Authorities

Mobile Browser - Partial support
This feature controls how the Prisma Access Browser manages certificates, specifically which certificate authorities it trusts.
  1. From Strata Cloud Manager, select Manage > Configuration > Prisma Access Browser > Policy > Profiles > Browser Security.
  2. Select Trusted Certificate Authorities.
  3. Select the certificate authorities that are to be trusted by the Prisma Access Browser (this limits the trust to certificates that are already trusted):
    • Device trust store - Trust the certificate authorities installed in the device's certificate store.
    • Prisma Access Browser trust store - Trust only certificate authorities that are trusted by Palo Alto Networks, and ignore certificates installed in the Device trust store.
    • None - Do not trust certificates in any trust store.
      Prisma Access Mobile Browser rules using this control must use one of the Trust Stores. The None option is ignored.
  4. Additional trusted certificate authorities - Add customer-provided certificates not already trusted by the Prisma Access Browser.
    1. Enter a name for the certificate.
    2. Drag or browse for a certificate in .pem, .der, .crt, or .cer format.
  5. Click Set.

Basic Authentication over HTTP

Mobile Browser - No support
This feature controls whether the Prisma Access Browser can use Basic Authentication over HTTP websites.
Since Basic Authentication sends authentication tokens in clear text, tokens sent over HTTP can be visible to attackers as part of a MitM attack.
  1. From Strata Cloud Manager, select Manage > Configuration > Prisma Access Browser > Policy > Profiles > Browser Security.
  2. Select Basic Authentication over HTTP.
  3. Select one of the following options:
    • Allow - Allow Prisma Access Browser to use Basic Authentication over HTTP websites.
    • Block – Block Prisma Access Browser from using Basic Authentication over HTTP websites.
  4. Click Set.
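
A detection sketch for the exposure this control addresses, added here as an example and not taken from Palo Alto Networks documentation: it flags requests in constructed proxy-log records that carry Basic credentials over plain HTTP. The record layout, host names and credentials are assumptions.

```python
import base64
import binascii
from urllib.parse import urlsplit

def basic_credentials(header_value):
    """Decode an Authorization header; return (user, password) or None if not Basic."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None  # malformed token, nothing to report
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def find_cleartext_basic_auth(requests):
    """Return one finding per request that sends Basic credentials over http://."""
    findings = []
    for req in requests:
        url = urlsplit(req["url"])
        creds = basic_credentials(req.get("authorization", ""))
        if url.scheme == "http" and creds:
            findings.append({"host": url.hostname, "user": creds[0],
                             "password_length": len(creds[1])})  # never log the secret
    return findings

# Constructed proxy-log records; hosts and credentials are made up.
SAMPLE_REQUESTS = [
    {"url": "http://intranet.example.test/reports",
     "authorization": "Basic YWxpY2U6czNjcjN0"},
    {"url": "https://intranet.example.test/reports",
     "authorization": "Basic YWxpY2U6czNjcjN0"},
    {"url": "http://wiki.example.test/", "authorization": "Bearer abc.def.ghi"},
    {"url": "http://legacy.example.test/", "authorization": "Basic not-base64!"},
]

if __name__ == "__main__":
    for finding in find_cleartext_basic_auth(SAMPLE_REQUESTS):
        print(finding)
```

Hosts that appear in the findings are the ones that stop working when the control is set to Block, so they are worth migrating to HTTPS first.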

Pages with Insecure Content

Mobile Browser - No support
This feature controls whether users can load insecure content (data located on HTTP servers) into secure websites (located on HTTPS servers).
You can choose to exclude specific domains from this feature when there are specific applications that need an exception to the rule.
  1. From Strata Cloud Manager, select Manage > Configuration > Prisma Access Browser > Policy > Profiles > Browser Security.
  2. Select Pages with Insecure Content.
  3. Select one of the following options:
    • Allow - Prisma Access Browser will allow insecure content.
      1. Exclude specific domains - list domains that will receive an exception to the rule.
    • Block – Prisma Access Browser will not allow insecure content.
      1. Exclude specific domains - list domains that will receive an exception to the rule.
  4. Click Set.
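
Before switching this control to Block, it helps to know which internal pages still pull content over HTTP. The audit below is an added example, not part of the product or its documentation; it assumes that an excluded domain is matched against the HTTPS page's own host and covers its subdomains, and the sample page and host names are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

SRC_TAGS = {"script", "img", "iframe", "audio", "video", "source", "embed"}

class InsecureSubresources(HTMLParser):
    """Collect http:// URLs that the page would fetch as subresources."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        url = None
        if tag in SRC_TAGS:
            url = attrs.get("src")
        elif tag == "link" and "stylesheet" in (attrs.get("rel") or "").lower():
            url = attrs.get("href")
        if url and urlsplit(url.strip()).scheme == "http":
            self.urls.append(url.strip())

def is_excluded(host, excluded_domains):
    """Assumed rule: a listed domain covers itself and its subdomains."""
    host = (host or "").lower()
    return any(host == d.lower() or host.endswith("." + d.lower())
               for d in excluded_domains)

def audit_page(page_url, html, excluded_domains=()):
    """Report the insecure subresources of one page and whether it is excepted."""
    page = urlsplit(page_url)
    parser = InsecureSubresources()
    if page.scheme == "https":  # mixed content only exists on HTTPS pages
        parser.feed(html)
    return {"host": page.hostname, "insecure": parser.urls,
            "excepted": is_excluded(page.hostname, excluded_domains)}

# Constructed sample page; every host name is a placeholder.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<link rel="canonical" href="http://app.example.test/">
<script src="https://cdn.example.test/app.js"></script>
</head><body>
<img src="http://images.example.test/logo.png">
<a href="http://other.example.test/">a hyperlink is not a subresource</a>
<script src="/local.js"></script>
</body></html>"""
```

A page with a non-empty `insecure` list and `excepted` set to false is one that will lose content under Block unless it is fixed or added to the exclusion list.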

Force HTTPS

Mobile Browser - Partial support
You can force the use of the HTTPS protocol, minimizing the risk of MitM attacks.
You will be able to force HTTPS for all domains, force HTTPS but exclude certain domains, or disable forced HTTPS and work without any restrictions.
  1. From Strata Cloud Manager, select Manage > Configuration > Prisma Access Browser > Policy > Profiles > Browser Security.
  2. Select Force HTTPS.
  3. Select one of the following options:
    • Enable - Prisma Access Browser will require use of the HTTPS protocol.
      You can enter specific domains that will be excluded from this requirement in the Exclude specific domains field.
      Exclude specific domains is not available for the Prisma Access Mobile Browser.
    • Disable – Prisma Access Browser will not require use of the HTTPS protocol.
  4. Click Set.

Post-Quantum Key Support

Mobile Browser - No support
This feature manages the ability to enable or disable the use of post-quantum key agreement protocols within TLS (Transport Layer Security). Post-quantum cryptography refers to algorithms designed to be secure against quantum computer attacks, which could potentially break traditional cryptographic methods. While enabling this feature enhances security by preparing for future quantum threats, it may cause compatibility issues with existing network security products that do not yet support or recognize post-quantum algorithms. Disabling it may help avoid these conflicts, but it reduces future-proofing against emerging quantum-based vulnerabilities.
  1. From Strata Cloud Manager, select Manage > Configuration > Prisma Access Browser > Policy > Profiles > Browser Security.
  2. Select Post-Quantum Key Security.
  3. Select one of the following options:
    1. Enable - Permits the use of Post Quantum Key Security.
    2. Disable - Disables the use of Post Quantum Key Security.
    3. Not set - The feature is not enabled. This is the default setting.
  4. Click Set.

Kerberos Delegation Allowlist

Mobile Browser - No support
List the hosts that may forward a user’s Kerberos ticket to downstream services. When this is enabled, the Kerberos ticket is used in place of your SSO so that back-end services are easier to use.
  1. From Strata Cloud Manager, select Manage > Configuration > Prisma Access Browser > Policy > Profiles > Browser Security.
  2. Select Kerberos Delegation Allowlist.
  3. Select one of the following options:
    1. Enable - Activates real-time host scanning of the selected hosts. For information on specifying hosts in the correct pattern, refer to this page.
    2. Disable - Disables the use of the real-time host scanning.
  4. Click Set.

Remote Host Firewall Traversal

Mobile Browser - No support
This policy controls whether the Remote Desktop can bypass firewalls. When enabled, users can connect remotely from any network. When disabled, access is limited to the same local network or VPN, enhancing security by restricting remote access.
  1. From Strata Cloud Manager, select Manage > Configuration > Prisma Access Browser > Policy > Profiles > Browser Security.
  2. Select Remote Host Firewall Traversal.
  3. Select one of the following options:
    1. Allow - Allow users to connect remotely from any network.
    2. Block - Remote connection is only permitted from the same local network or VPN. This selection increases the
  4. Click Set.