Configure Prisma Access Browser Data Controls
Focus
Focus
Prisma Access Browser

Configure Prisma Access Browser Data Controls

Table of Contents

Configure Prisma Access Browser Data Controls

Configure data controls for Prisma Access Secure Enterprise Browser (Prisma Access Browser).
Where Can I Use This?What Do I Need?
  • Strata Cloud Manager
  • Prisma Access Browser standalone
  • Prisma Access with Prisma Access Browser bundle license or Prisma Access Browser standalone license
  • Superuser or Prisma Access Browser role
You can configure the controls in the following ways:
The following topics only display one way.

Data Controls – Data Leak Prevention

File Download

Full Mobile support
File Download control provides multiple capabilities related to downloading files from websites that match a specified URL, application, or website classification. To set the File Download control:
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access BrowserPolicyProfilesData Control
  2. Select File Download.
  3. Select one of the following options:
    • Allow - the Prisma Access Browser will allow all downloads.
    • Allow (Protected) – the Prisma Access Browser will allow downloads that can open only in the browser.
      • Allow to open outside of the browser - users will be able to unprotect the file, allowing viewing and editing of the file using external applications. This includes any browser and any Desktop application.
      • To unprotect a file:
        1. Click the Download History folder link in the Browser bar.
        2. Select the file to open. It will be indicated by a folder with a slash.
        3. Click on the icon to unprotect the file.
    • Block - the Prisma Access Browser will block all downloads.
    • Apply on:- select between one of the following options:
        • Any file - the download restrictions will apply to all files.
        • Specific files- the download restrictions will apply to files that meet the selected specifications (the rule can contain as many of these specifications as needed):
        • File size - set the size of the file.
        • File types - set the file types that need to match this rule.
        • File hash - set the SHA-256 hash to be matched for this rule.
        • MIP label - set the level of the MIP label that can be used to protect contents with sensitive content.
    • Prompt- when there is a restriction, select between one of the following options:
      • None - there will be no prompts.
      • Before download- inform the user that there is a restriction and how to bypass it.
        • Warn and allow to proceed anyway - informs users about the risk or sensitivity of downloading files but allowing them to continue.
        • Warn and allow to proceed anyway with a reason - informs users about the risk or sensitivity of downloading files and require them to select a reason to continue.
        • Permission request - allows users to send a permission request to the admin. The user will be informed once the request is approved or denied.
    • Require MFA - you can add authentication to the file download. Authentication is only available when a lock screen with PIN or biometric authentication is enabled.
  4. When you use this control, you can use your own dialog text to replace the default. To set the text, click Set dialog text.
  5. Set.

File Upload

Full Mobile support
The File Upload policy controls whether users can upload files that come from websites that match the URL or from a selected application or category.
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access BrowserPolicyProfilesData Control
  2. Select File Upload.
  3. Select one of the following options:
    • Allow -the Prisma Access Browser will allow all uploads.
    • Allow protected files only between the rule’s web applications - Protected files sourced from the Web application of this rule. Only previously downloaded protected files from the Web application of this rule can be uploaded.
      Requires setting the File Download control to “Allow (Protected)” .
    • Allow only nonprotected files – only nonprotected files from any source can be uploaded.
    • Block - the Prisma Access Browser will block all uploads. You can block uploads from specific file extensions. Other extensions will be blocked.
    • Apply on:- select between one of the following options:
      • Any file - the download restrictions will apply to all files.
      • Specific files- the upload restrictions will apply to files that meet the selected specifications (the rule can contain as many of these specifications as needed):
        • File size - set the size of the file.
        • File types - set the file types that need to match this rule.
        • File hash - set the SHA-256 hash to be matched for this rule.
        • MIP label - set the level of the MIP label that can be used to protect contents with sensitive content. Install the Microsoft Information Protection integration to use this feature.
    • Prompt- when there is a restriction, select between one of the following options:
      • None - there will be no prompts.
      • Before upload- inform the user that there is a restriction and how to bypass it.
        • Warn and allow to proceed anyway - informs users about the risk or sensitivity of uploading or downloading files, but allowing them to continue.
        • Warn and allow to proceed anyway with a reason - informs users about the risk or sensitivity of uploading files, and require them to select a reason to continue.
        • Permission request - allows users to send a permission request to the admin. The user will be informed once the request is approved or denied.
    • Require MFA - you can add authentication to the file upload. Authentication is only available when a Browser Lock is enabled.
  4. When you use this control, you can use your own dialog text to replace the default. To set the text, click Set dialog text.
  5. Set.

Clipboard

Mobile Browser - Partial support
The Clipboard Policy manages copy and paste functions when using the Prisma Access Browser. This tool allows you to manage Copy & Paste functions. To configure the Clipboard control:
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access BrowserPolicyProfilesData Control
  2. Select Clipboard.
  3. Select the control that you need to configure (both controls can be configured):
    • Copy & Paste data out - configure whether users are allowed to copy & paste information from the browser to other applications.
      • Allow (anywhere) - allow the copied data to be pasted to any web application or external process.
      • Block (permit only within the rule's web applications)- block copy and paste data out of the rule's web application.
        • Exclude URL address bar – the URL address bar won't be considered as part of the webpage.
      • Prompt- select whether you want to display a prompt.
        • None - don't require a prompt.
        • Before pasting data out to other web applications(Inform the user of the restriction and allow bypassing it).
        • Pop-up Notifications
          1. Warn and allow to proceed anyway.
          2. Warn and allow to proceed anyway with a reason.
          3. Permission request - select a Bypass time frame as well.
    • Copy & Paste data in- configure whether or not users are allowed to copy & paste information from other web applications or external processes.
      • Allow - allow the copied data to be pasted from any web application or external process.
      • Block- don't allow the copied data to be pasted from any web application or external process.
      • Prompt- select whether you want to display a prompt before pasting data in.
        • None - don't require a prompt.
        • Before pasting data in (Inform the user of the restriction and allow bypassing it)
        • Pop-up notification -
          1. Warn and allow to proceed anyway.
          2. Warn and allow to proceed anyway with a reason.
          3. Permission request - select a Bypass time frame as well.
  4. When you use this control, you can use your own dialog text to replace the default. To set the text, click Set dialog text.
  5. Set.

Webpage Data Masking

Mobile Browser - No support
This control allows you to mask textual content within webpages. The masking is set according to either predefined information types (PII or PCI) or a custom regex.
You can set the masking to:
  • All of the characters in the masked data
  • Leave up to the last 4 characters unmasked
  • Leave up to the first 4 characters unmasked
When this is enabled, the browser will inspect and mask any webpage or frame within the webpage. This will be done only in situations where the URL in the browser tab or the URL in the frame is matched. To enable Webpage Data Masking:
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access BrowserPolicyProfilesData Control
  2. Select Webpage Data Masking.
  3. Select one of the following options:
    • Enable - the Prisma Access Browser will mask URLs in tabs or frames that match the conditions. Select the masking pattern:
      • Mask all characters
      • Leave the last characters unmasked
      • Leave first characters unmasked
    • Allow to unmask - allow users to disable masking to view the data. This will create an Event for you to investigate
    • Disable - the Prisma Access Browser won't mask URLs in tabs or frames that match the conditions.
  4. Set.

Typing Guard

Mobile Browser - No support
Scans manual input made by users in real-time within the browser. It operates based on defined rules that can be customized based on specific organizational requirements. To set the Typing Guard control:
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access BrowserPolicyProfilesData Control
  2. Select Typing Guard.
  3. Select one of the following options:
    • Enable - the Prisma Access Browser will enable the Typing Guard, blocking the users from entering potentially sensitive data to the policy rule's application.
    • Disable - the Prisma Access Browser will disable the Typing Guard, and won't block potentially sensitive data.
    • Pop-up notification level (optional).
  4. Prompt - Optionally select one of the following prompt options:
    • Warn and allow to proceed anyway - the prompt will freeze the sensitive information until the user acknowledges the message.
    • Warn and allow to proceed anyway with a reason - the prompt will freeze the sensitive information until the user acknowledges the message and selects a reason.
    • Permission request - the prompt will freeze and mask the sensitive information until permission is granted.
  5. When you use this control, you can use your own dialog text to replace the default. To set the text, click Set dialog text.
  6. Click Set.
The new control enables you to control users typing activities within the context of an Access & Data Control rule. This is designed to restrict the specific content definitions of the rule.
  1. In an Access & Data Control rule, go to the When contains section.
  2. Select Specific content and select the appropriate sensitive information for the rules.
  3. Additionally, you can set custom content types to add content that might not be included in the predefined types.
  4. When users try to type in the sensitive information, the sensitive information will be sanitized.

Webpage Watermarking

Mobile Browser - No support
This feature places a visible overlay on the webpages. This serves to discourage employees from leaking information.
The watermark places information on the page, including:
  • Company Logo (if it's configured in the browser customization)
  • Company Name (if it's configured in the browser customization)
  • User's Email
  • Date and Timestamp
You can also control the opacity of the watermark.
This control isn't affected by specific content inspection - the settings in the When contains schedule.
To set the Webpage Watermarking control:
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access BrowserPolicyProfilesData Control
  2. Select Webpage Watermarking.
  3. Select one of the following options:
    • Enable - the Prisma Access Browser will display the watermark information to deter users from taking pictures.
      1. Select the Opacity level from the 5 choices:
        • Low
        • Light
        • Standard
        • Medium
        • High
      2. Rotation – select the rotation of the watermark. The options are -45, 0, or 45 degrees.
      3. Density - select the density of the watermark. The options are:
        • Low
        • Standard
        • High
    • Disable - the Prisma Access Browser won't display the watermark.
  4. Set.

Print

Mobile Browser - Full support
This feature controls whether or not users can print from websites that match the URL, application, or category in the rule. To set the Print control:
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access BrowserPolicyProfilesData Control
  2. Select Print.
  3. Select one of the following options:
    • Allow - the Prisma Access Browser will permit printing of webpages and files opened in the Prisma Access Browser.
    • Block - the Prisma Access Browser will block all printing of webpages and files opened in the Prisma Access Browser.
  4. If you want to enable Prompting notifications when tou allow printing, click the down arrow next tp Prompt: Pop-up notifications.
    The Prompting notifications are not applicable for the Prisma Access Mobile Browser.
    1. Configure the following options:
      • Warn and allow to proceed anyway - Informs users about the risk or sensitivity of printing files, but allowing them to continue.
      • Warn and allow to proceed anyway with a reason - Informs users about the risk or sensitivity of printing files, and requires them to provide a reason to continue.
      • Permission request - Allows users to send a permission request to the admin. The user will be informed once the request is approved or denied.
        • Choose the timeframe for the permission. You can configure the permission to be used once, or for a timeframe ranging from 10 minutes to 90 days.
  5. When you use this control, you can use your own dialog text to replace the default. To set the text, click Set dialog text.
  6. Click Set.

Screenshot

Mobile Browser - Full support
This feature controls whether or not users can take screenshots (using snipping tools or Print Screen), record the screen, or share the screen with video conferencing tools from websites that match the URL, application, or category in the rule. This control isn't affected by specific content inspection - the settings in the When contains schedule. To set the Screenshot control:
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access BrowserPolicyProfilesData Control
  2. Select Screenshot.
  3. Select one of the following options:
    • Allow - the Prisma Access Browser will allow screen capture, screen recording, and screen sharing using video conference tools.
    • Allow (Protected) – the Prisma Access Browser will allow screen captures only from the Prisma Access Browser's built-in snipping tool. Any other tool will be blocked.
    • Block - Prisma Access Browser will block screen capture, screen recording, and screen sharing using video conference tools.
  4. Set.
The Prisma Access Browser has a built-in snipping tool that works with the Secured Screenshot tool. This gives your end-users the ability to take screenshots only using the built-in snipping tool, especially in situations where this is the only option for users to take screenshots.
When the tool is set to Allow (Protected), other screenshot, screen share, or recording tools will be blocked. The only available tool for screenshots is the built-in tool.
The control for the snipping tool is located at the bottom of the sidebar. The control for the tool is located at the bottom of the browser's sidebar.
To enable the Snipping tool, enable and display the Sidebar. The Snipping Tool icon will be displayed.
When you take a screen capture, the image will be sent to the clipboard. A message to this effect will be displayed for a few seconds.
The file that you save is stored as a protected file - it's stored as an encrypted file in the Clipboard. If the File Download control is set as protected, then the screenshot file will be saved as a protected file. If the Clipboard control is set to block between applications, you won't be able to paste the screenshot to any unapproved applications.

Read-only Webpage

Mobile Browser - No support
You can now configure read-only mode for webpages that are contained within the Rule's scope.
This allows users to browse the information on web applications. Users can read the information, download files, but can't input data to any editable element in the page. This control isn't affected by specific content inspection - the settings in the When contains schedule. To configure the read-only webpage:
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access BrowserPolicyProfilesData Control
  2. Select Read-Only webpage.
  3. Select one of the following options:
    • Enable - the Prisma Access Browser will allow users to read and download the information on web applications but won't allow users to input information to any editable part of the page. Developer tools will be disabled on any webpage affected by this control.
    • Disable - the Prisma Access Browser does not block any user interaction with the web applications, subject to other rules.
  4. When you use this control, you can use your own dialog text to replace the default. To set the text, click Set dialog text.
  5. Set.

Camera

No Mobile support
This feature controls whether or not websites that match the URL, application, or category in the rule have access to the device camera. This control isn't affected by specific content inspection - the settings in the When contains schedule. To set the Camera control:
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access BrowserPolicyProfilesData Control
  2. Select Camera.
  3. Select one of the following options:
    • Allow - the Prisma Access Browser will allow using the camera in specific webpages.
    • Block - the Prisma Access Browser will block using the camera in specific webpages.
  4. Set.

Microphone

No Mobile support
This feature controls whether or not websites that match the URL, application, or category in the rule have access to the device microphone. this control isn't affected by specific content inspection - the settings in the When contains schedule. To set the Microphone control:
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access BrowserPolicyProfilesData Control
  2. Select Microphone.
  3. Select one of the following options:
    • Allow - the Prisma Access Browser will allow using the microphone in specific webpages.
    • Block - the Prisma Access Browser will block using the microphone in specific webpages.
  4. Set.

Data Controls – Malware Protection

Malicious File Protection

No Mobile support
This feature allows you to configure scanning with malicious file protection.
Users can select their preferred scanning engines. The Prisma Access Browser by default uses the Advanced WildFire scanning engine. Additional third-party scanning engines can be installed at your discretion with the appropriate integration.
  • Votiro
  • CrowdStrike Falcon Intelligence
  • OPSWAT Meta-Defender
  • YazamTech SelectorIT
  • Symantec DLP
To set the Malicious File Protection control:
  1. From Strata Cloud Manager, select ManageConfigurationPrisma Access BrowserPolicyProfilesData Control
  2. Select Malicious File Protection.
  3. Select one of the following options:
    • Enable - the Prisma Access Browser will enable malicious file protection.
      • Prevent - Blocks the action.
      • Detect only - Notify only when there is malicious file event.
    • Engine- Select the Engine (described above).
      • Optionally select “In case of scan availability, file will be blocked”.
    • Disable - the Prisma Access Browser will disable malicious file protection.
  4. When you use this control, you can use your own dialog text to replace the default. To set the text, click Set dialog text.
  5. Set.