>
    Manage Prisma Access Browser Policy Rules
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access Browser
    3. Manage Prisma Access Browser Policy Rules
    Download PDF
    Prisma Access Browser

    Manage Prisma Access Browser Policy Rules

    Table of Contents

    Manage Prisma Access Browser Policy Rules

    Learn how to manage policy rules for Prisma Access Secure Enterprise Browser (Prisma Access Browser).
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • Prisma Access Browser standalone
    • Prisma Access with Prisma Access Browser bundle license or Prisma Access Browser standalone license
    • Superuser or Prisma Access Browser role
    To see the rules from Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyRules.
    You can use rules to specify the users, user groups, and device groups that will be impacted by the various policies you create. These rules govern access to web applications, security policies, and customization options. By utilizing rules you can precisely control user access to organizational tools and components.
    Each Rule is composed of different parameters and controls so that you can create finely tuned Rules for each use case. Each Rule type has its specific contents and requirements.
    You have three available Rule types in the Prisma Access Browser. The components are displayed on each tab's Policy Rules page.
    For each Rule type, the Rules are evaluated according to their priority. The first Rule that matches all the requirements creates the trigger that will be enforced. When this happens, the browser stops looking for Rules.
    Example with Access & Data Control rules:
    Rule 1: Scope - Mike (a member of the General Contractors Users group)
    Web application - linkedin.com
    Access to the named web application AllowedData controls - File Download - Blocked
    Rule 2: Scope -Gowri (a member of the General Contractors Users group)
    Web application - linkedin.com
    Access to the named web application - AllowedData controls - File Upload - Allowed When contains - email address.
    Rule 3: Scope - Summer Interns Users Group
    Web application - linkedin.com
    Access to the named web application -Blocked
    Rule 4: Scope - General Contractors Users Group
    Web application - linkedin.com
    Access to the named web application - AllowedData controls - File Upload- Blocked
    Mike will be allowed to access linkedin.com, however, he’ll be blocked when he tries to download a file since his action matches Rule 1.
    When he tries to upload a file, the Policy Engine will see that Rule 1 does not apply. It then will move on to check the next Rule. Rule 2 does not apply due to the Data controls. Rule 3 does not apply to Mike, as he is outside the Rule's scope. Rule 4 will block Mike from uploading on linkedin.com.
    As long as there is no matching rule, the Policy Engine will keep checking. When it reaches the end of the list, the action will proceed according to the default rule, as there is no other rule to apply.
    RuleScopeAccess to linkedin.comDownloadUploadWhen contains
    1MikeAllowedBlocked
    2GowriAllowedAllowedemail address
    3Summer InternsBlocked- - - - - - - - - - - -
    4General ContractorsAllowedBlocked
    Mike wants to download a file from linkedin.com.
    • Rule 1 applies, and the download is Blocked. Policy Engine stops looking for rule matches.
    Mike wants to upload a file to linkedin.com.
    • Rule 1 does not apply (The rule is for downloads). Policy Engine continues.
    • Rule 2 does not apply (Mike is out of scope). Policy Engine continues.
    • Rule 3 applies, and the upload is Blocked. Policy Engine stops looking for rule matches.
    Gowri wants to upload a file to linkedin.com.
    • Rule 1 does not apply (Gowri is out of scope). Policy Engine continues.
    • Rule 2 applies - but only if the upload includes an email address; if not, Policy Engine continues.
    • Rule 3 does not apply (Gowri isn't a Summer Intern). Policy Engine continues.
    • Rule 4 applies, and the upload is Blocked.

    Control the Rules List

    Three control icons on the right side of each rule appear only when hovering over an existing rule. From Strata Cloud Manager, select ManageConfigurationPrisma Access Browser PolicyRules and hover over an existing rule.
    1. Edit - Opens the rule for editing.
    2. Display Presents the items from the Rule Menu. This menu provides the following options:
      • Set to Monitoring (Access & Data Control Rules only) - Allows admins to toggle the rule mode if needed. Monitoring allows admins to see the effects of the rule before it is actually enabled.
      • Set to disabled / enabled - Toggles the rule on or off.
      • Clone - Creates a copy of the rule.
    3. Delete - Delete the rule.

    Edit Rules

    On occasion, rules need to be edited based on changing circumstances and conditions. You can edit all rule types in the Prisma Access Browser.
    1. On the Policy Rules page, filter the list to display the rules of a particular type, and if needed, continue the filtering to make it easier to find the rule that needs to be edited.
    2. Click the pencil icon (edit).
    3. Edit the rule based on the new requirements.

    Delete Rules

    There are rare occasions when a rule needs to be deleted. It could be that the rule is no longer required, or that a new rule covers the same requirements, or that the underlying scope is not longer applicable.
    NOTE: When a rule is deleted, it is no longer available, and any conditions that the rule established will no longer exist.
    1. On the Policy Rules page, filter the list to display the rules of a particular type, and if needed, continue the filtering to make it easier to find the rule that needs to be deleted.
    2. Open the Rule Menu and select Delete.
    3. Delete at the prompt.
      The rule will be removed from the list.

    © 2024 Palo Alto Networks, Inc. All rights reserved.