>
    Configure Prisma Access Browser Data Controls
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access Browser
    3. Manage Prisma Access Browser Policy Profiles
    4. Configure Prisma Access Browser Data Controls
    Download PDF
    Prisma Access Browser

    Configure Prisma Access Browser Data Controls

    Table of Contents

    Configure
    Prisma Access Browser
     Data Controls

    Configure data controls for
    Prisma Access Secure Enterprise Browser
     (
    Prisma Access Browser
    ).
    Where Can I Use This?
    What Do I Need?
    • Strata Cloud Manager
    • Prisma Access Browser
       standalone
    • Prisma Access
       with
      Prisma Access Browser
       bundle license or
      Prisma Access Browser
       standalone license
    • Superuser or
      Prisma Access Browser
       role
    You can configure the controls in the following ways:
    The following topics only display one way.

    Data Controls – Data Leak Prevention

    File Download

    Full Mobile support
    File Download control provides multiple capabilities related to downloading files from websites that match a specified URL, application, or website classification. To set the File Download control:
    1. From
      Strata Cloud Manager
      , select
      Manage
      Configuration
      Prisma Access Browser
      Policy
      Profiles
      Data Control
    2. Select
      File Download
      .
    3. Select one of the following options:
      • Allow
         - the
        Prisma Access Browser
         will allow all downloads.
      • Allow (Protected
        ) – the
        Prisma Access Browser
         will allow downloads that can open only in the browser.
        • Allow to open outside of the browser
           - users will be able to unprotect the file, allowing viewing and editing of the file using external applications. This includes any browser and any Desktop application.
        • To unprotect a file:
          1. Click the Download History folder link in the Browser bar.
          2. Select the file to open. It will be indicated by a folder with a slash.
          3. Click on the icon to unprotect the file.
      • Block
         - the
        Prisma Access Browser
         will block all downloads.
      • Apply on:- select between one of the following options:
          • Any file
             - the download restrictions will apply to all files.
          • Specific files
            - the download restrictions will apply to files that meet the selected specifications (the rule can contain as many of these specifications as needed):
          • File size
             - set the size of the file.
          • File types
             - set the file types that need to match this rule.
          • File hash
             - set the SHA-256 hash to be matched for this rule.
          • MIP label
             - set the level of the MIP label that can be used to protect contents with sensitive content.
      • Prompt
        - when there is a restriction, select between one of the following options:
        • None
           - there will be no prompts.
        • Before download
          - inform the user that there is a restriction and how to bypass it.
          • Warn and allow to proceed anyway
             - informs users about the risk or sensitivity of downloading files but allowing them to continue.
          • Warn and allow to proceed anyway with a reason
             - informs users about the risk or sensitivity of downloading files and require them to select a reason to continue.
          • Permission request
             - allows users to send a permission request to the admin. The user will be informed once the request is approved or denied.
      • Require MFA
         - you can add authentication to the file download. Authentication is only available when a lock screen with PIN or biometric authentication is enabled.
    4. When you use this control, you can use your own dialog text to replace the default. To set the text, click
      Set dialog text
      .
    5. Set
      .

    File Upload

    Full Mobile support
    The File Upload policy controls whether users can upload files that come from websites that match the URL or from a selected application or category.
    1. From
      Strata Cloud Manager
      , select
      Manage
      Configuration
      Prisma Access Browser
      Policy
      Profiles
      Data Control
    2. Select
      File Upload
      .
    3. Select one of the following options:
      • Allow -
        the
        Prisma Access Browser
         will allow all uploads.
      • Allow protected files only between the rule’s web applications
         - Protected files sourced from the
        Web application
         of this rule. Only previously downloaded protected files from the Web application of this rule can be uploaded.
        Requires setting the File Download control to “Allow (Protected)” .
      • Allow only nonprotected files
         – only nonprotected files from any source can be uploaded.
      • Block
        - the
        Prisma Access Browser
         will block all uploads. You can block uploads from specific file extensions. Other extensions will be blocked.
      • Apply on:
        - select between one of the following options:
        • Any file
           - the download restrictions will apply to all files.
        • Specific files
          - the upload restrictions will apply to files that meet the selected specifications (the rule can contain as many of these specifications as needed):
          • File size
             - set the size of the file.
          • File types
             - set the file types that need to match this rule.
          • File hash
             - set the SHA-256 hash to be matched for this rule.
          • MIP label
             - set the level of the MIP label that can be used to protect contents with sensitive content. Install the Microsoft Information Protection integration to use this feature.
      • Prompt
        - when there is a restriction, select between one of the following options:
        • None
           - there will be no prompts.
        • Before upload
          - inform the user that there is a restriction and how to bypass it.
          • Warn and allow to proceed anyway
             - informs users about the risk or sensitivity of uploading or downloading files, but allowing them to continue.
          • Warn and allow to proceed anyway with a reason
             - informs users about the risk or sensitivity of uploading files, and require them to select a reason to continue.
          • Permission request
             - allows users to send a permission request to the admin. The user will be informed once the request is approved or denied.
      • Require MFA
         - you can add authentication to the file upload. Authentication is only available when a Browser Lock is enabled.
    4. When you use this control, you can use your own dialog text to replace the default. To set the text, click
      Set dialog text
      .
    5. Set
      .

    Clipboard

    Mobile Browser
    - Partial support
    The Clipboard Policy manages copy and paste functions when using the Prisma Access Browser. This tool allows you to manage Copy & Paste functions. To configure the Clipboard control:
    1. From
      Strata Cloud Manager
      , select
      Manage
      Configuration
      Prisma Access Browser
      Policy
      Profiles
      Data Control
    2. Select
      Clipboard
      .
    3. Select the control that you need to configure (both controls can be configured):
      • Copy & Paste data out
        - configure whether users are allowed to copy & paste information from the browser to other applications.
        • Allow (anywhere)
           - allow the copied data to be pasted to any web application or external process.
        • Block (permit only within the rule's web applications)
          - block copy and paste data out of the rule's web application.
          • Exclude URL address bar
             – the URL address bar won't be considered as part of the webpage.
        • Prompt
          - select whether you want to display a prompt.
          • None
             - don't require a prompt.
          • Before pasting data out to other web applications
            (Inform the user of the restriction and allow bypassing it).
          • Pop-up Notifications
            1. Warn and allow to proceed anyway.
            2. Warn and allow to proceed anyway with a reason.
            3. Permission request - select a Bypass time frame as well.
      • Copy & Paste data in
        - configure whether or not users are allowed to copy & paste information from other web applications or external processes.
        • Allow
          - allow the copied data to be pasted from any web application or external process.
        • Block
          - don't allow the copied data to be pasted from any web application or external process.
        • Prompt
          - select whether you want to display a prompt before pasting data in.
          • None
             - don't require a prompt.
          • Before pasting data in
            (Inform the user of the restriction and allow bypassing it)
          • Pop-up notification -
            1. Warn and allow to proceed anyway.
            2. Warn and allow to proceed anyway with a reason.
            3. Permission request - select a Bypass time frame as well.
    4. When you use this control, you can use your own dialog text to replace the default. To set the text, click
      Set dialog text
      .
    5. Set
      .

    Webpage Data Masking

    Mobile Browser
    - No support
    This control allows you to mask textual content within webpages. The masking is set according to either predefined information types (PII or PCI) or a custom regex.
    You can set the masking to:
    • All of the characters in the masked data
    • Leave up to the last 4 characters unmasked
    • Leave up to the first 4 characters unmasked
    When this is enabled, the browser will inspect and mask any webpage or frame within the webpage. This will be done only in situations where the URL in the browser tab or the URL in the frame is matched. To enable Webpage Data Masking:
    1. From
      Strata Cloud Manager
      , select
      Manage
      Configuration
      Prisma Access Browser
      Policy
      Profiles
      Data Control
    2. Select
      Webpage Data Masking
      .
    3. Select one of the following options:
      • Enable
         - the
        Prisma Access Browser
         will mask URLs in tabs or frames that match the conditions. Select the masking pattern:
        • Mask all characters
        • Leave the last characters unmasked
        • Leave first characters unmasked
      • Allow to unmask
         - allow users to disable masking to view the data. This will create an Event for you to investigate
      • Disable
         - the
        Prisma Access Browser
         won't mask URLs in tabs or frames that match the conditions.
    4. Set
      .

    Typing Guard

    Mobile Browser
    - No support
    Scans manual input made by users in real-time within the browser. It operates based on defined rules that can be customized based on specific organizational requirements. To set the Typing Guard control:
    1. From
      Strata Cloud Manager
      , select
      Manage
      Configuration
      Prisma Access Browser
      Policy
      Profiles
      Data Control
    2. Select
      Typing Guard
      .
    3. Select one of the following options:
      • Enable
        - the
        Prisma Access Browser
         will enable the Typing Guard, blocking the users from entering potentially sensitive data to the policy rule's application.
      • Disable
        - the
        Prisma Access Browser
         will disable the Typing Guard, and won't block potentially sensitive data.
      • Pop-up notification
         level (optional).
    4. Prompt
       - Optionally select one of the following prompt options:
      • Warn and allow to proceed anyway
         - the prompt will freeze the sensitive information until the user acknowledges the message.
      • Warn and allow to proceed anyway with a reason
         - the prompt will freeze the sensitive information until the user acknowledges the message and selects a reason.
      • Permission request
         - the prompt will freeze and mask the sensitive information until permission is granted.
    5. When you use this control, you can use your own dialog text to replace the default. To set the text, click
      Set dialog text
      .
    6. Set
      .
    The new control enables you to control users typing activities within the context of an
    Access & Data Control
    rule. This is designed to restrict the specific content definitions of the rule.
    1. In an
      Access & Data Control
       rule, go to the
      When contains
       section.
    2. Select
      Specific content
       and select the appropriate sensitive information for the rules.
    3. Additionally, you can set custom content types to add content that might not be included in the predefined types.
    4. When users try to type in the sensitive information, the sensitive information will be sanitized.

    Webpage Watermarking

    Mobile Browser
    - No support
    This feature places a visible overlay on the webpages. This serves to discourage employees from leaking information.
    The watermark places information on the page, including:
    • Company Logo (if it's configured in the browser customization)
    • Company Name (if it's configured in the browser customization)
    • User's Email
    • Date and Timestamp
    You can also control the opacity of the watermark.
    This control isn't affected by specific content inspection - the settings in the
    When contains
     schedule.
    To set the
    Webpage Watermarking
     control:
    1. From
      Strata Cloud Manager
      , select
      Manage
      Configuration
      Prisma Access Browser
      Policy
      Profiles
      Data Control
    2. Select
      Webpage Watermarking
      .
    3. Select one of the following options:
      • Enable
         - the
        Prisma Access Browser
         will display the watermark information to deter users from taking pictures.
        1. Select the Opacity level from the 5 choices:
          • Low
          • Light
          • Standard
          • Medium
          • High
        2. Rotation
           – select the rotation of the watermark. The options are -45, 0, or 45 degrees.
        3. Density
           - select the density of the watermark. The options are:
          • Low
          • Standard
          • High
      • Disable
         - the
        Prisma Access Browser
         won't display the watermark.
    4. Set
      .

    Print

    Mobile Browser
    - Full support
    This feature controls whether or not users can print from websites that match the URL, application, or category in the rule. To set the Print control:
    1. From
      Strata Cloud Manager
      , select
      Manage
      Configuration
      Prisma Access Browser
      Policy
      Profiles
      Data Control
    2. Select
      Webpage Watermarking
      .
    3. Select one of the following options:
      • Allow
        - the
        Prisma Access Browser
         will permit printing of webpages and files opened in the Prisma Access Browser.
      • Block
        - the
        Prisma Access Browser
         will block all printing of webpages and files opened in the Prisma Access Browser.
    4. When you use this control, you can use your own dialog text to replace the default. To set the text, click
      Set dialog text
      .
    5. Set
      .

    Screenshot

    Mobile Browser
    - Full support
    This feature controls whether or not users can take screenshots (using snipping tools or Print Screen), record the screen, or share the screen with video conferencing tools from websites that match the URL, application, or category in the rule. This control isn't affected by specific content inspection - the settings in the
    When contains
     schedule. To set the Screenshot control:
    1. From
      Strata Cloud Manager
      , select
      Manage
      Configuration
      Prisma Access Browser
      Policy
      Profiles
      Data Control
    2. Select
      Screenshot
      .
    3. Select one of the following options:
      • Allow
        - the
        Prisma Access Browser
         will allow screen capture, screen recording, and screen sharing using video conference tools.
      • Allow
         (Protected) – the Prisma Access Browser will allow screen captures only from the Prisma Access Browser's built-in snipping tool. Any other tool will be blocked.
      • Block
        -
        Prisma Access Browser
         will block screen capture, screen recording, and screen sharing using video conference tools.
    4. Set
      .
    The
    Prisma Access Browser
     has a built-in snipping tool that works with the Secured Screenshot tool. This gives your end-users the ability to take screenshots only using the built-in snipping tool, especially in situations where this is the only option for users to take screenshots.
    When the tool is set to Allow (Protected), other screenshot, screen share, or recording tools will be blocked. The only available tool for screenshots is the built-in tool.
    The control for the snipping tool is located at the bottom of the sidebar. The control for the tool is located at the bottom of the browser's sidebar.
    To enable the Snipping tool, enable and display the Sidebar. The Snipping Tool icon will be displayed.
    When you take a screen capture, the image will be sent to the clipboard. A message to this effect will be displayed for a few seconds.
    The file that you save is stored as a protected file - it's stored as an encrypted file in the Clipboard. If the File Download control is set as protected, then the screenshot file will be saved as a protected file. If the Clipboard control is set to block between applications, you won't be able to paste the screenshot to any unapproved applications.

    Read-only Webpage

    Mobile Browser
    - No support
    You can now configure read-only mode for webpages that are contained within the Rule's scope.
    This allows users to browse the information on web applications. Users can read the information, download files, but can't input data to any editable element in the page. This control isn't affected by specific content inspection - the settings in the
    When contains
     schedule. To configure the read-only webpage:
    1. From
      Strata Cloud Manager
      , select
      Manage
      Configuration
      Prisma Access Browser
      Policy
      Profiles
      Data Control
    2. Select
      Read-Only webpage
      .
    3. Select one of the following options:
      • Enable
        - the
        Prisma Access Browser
         will allow users to read and download the information on web applications but won't allow users to input information to any editable part of the page. Developer tools will be disabled on any webpage affected by this control.
      • Disable
        - the
        Prisma Access Browser
         does not block any user interaction with the web applications, subject to other rules.
    4. When you use this control, you can use your own dialog text to replace the default. To set the text, click
      Set dialog text
      .
    5. Set
      .

    Camera

    No Mobile support
    This feature controls whether or not websites that match the URL, application, or category in the rule have access to the device camera. This control isn't affected by specific content inspection - the settings in the When contains schedule. To set the Camera control:
    1. From
      Strata Cloud Manager
      , select
      Manage
      Configuration
      Prisma Access Browser
      Policy
      Profiles
      Data Control
    2. Select
      Camera
      .
    3. Select one of the following options:
      • Allow
        - the
        Prisma Access Browser
         will allow using the camera in specific webpages.
      • Block
        - the
        Prisma Access Browser
         will block using the camera in specific webpages.
    4. Set
      .

    Microphone

    No Mobile support
    This feature controls whether or not websites that match the URL, application, or category in the rule have access to the device microphone. this control isn't affected by specific content inspection - the settings in the
    When contains
     schedule. To set the Microphone control:
    1. From
      Strata Cloud Manager
      , select
      Manage
      Configuration
      Prisma Access Browser
      Policy
      Profiles
      Data Control
    2. Select
      Microphone
      .
    3. Select one of the following options:
      • Allow
        - the
        Prisma Access Browser
         will allow using the microphone in specific webpages.
      • Block
        - the
        Prisma Access Browser
         will block using the microphone in specific webpages.
    4. Set
      .

    Data Controls – Malware Protection

    Malicious File Protection

    No Mobile support
    This feature allows you to configure scanning with malicious file protection.
    Users can select their preferred scanning engines. The Prisma Access Browser by default uses the
    Advanced WildFire
     scanning engine. Additional third-party scanning engines can be installed at your discretion with the appropriate integration.
    • Votiro
    • CrowdStrike Falcon Intelligence
    • OPSWAT Meta-Defender
    • YazamTech SelectorIT
    • Symantec DLP
    To set the Malicious File Protection control:
    1. From
      Strata Cloud Manager
      , select
      Manage
      Configuration
      Prisma Access Browser
      Policy
      Profiles
      Data Control
    2. Select
      Malicious File Protection
      .
    3. Select one of the following options:
      • Enable
        - the
        Prisma Access Browser
         will enable malicious file protection.
        • Prevent
           - Blocks the action.
        • Detect only
           - Notify only when there is malicious file event.
      • Engine
        - Select the Engine (described above).
        • Optionally select “In case of scan availability, file will be blocked”.
      • Disable
        - the
        Prisma Access Browser
         will disable malicious file protection.
    4. When you use this control, you can use your own dialog text to replace the default. To set the text, click
      Set dialog text
      .
    5. Set
      .

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.