Prisma Access Browser
Manage Prisma Access Browser Requests to Bypass Policy Rules
Learn how to manage end user requests to bypass Prisma Access Browser rules for access
to otherwise blocked sites and apps.
In some cases, end users may find that the Prisma Access Browser rules are too strict to
allow them to access the resources they need. For example, a user might need to
download a file that is restricted based on a browser rule, or might need access to a
website that is normally off limits.
To address this issue, Prisma Access Browser lets you allow users to temporarily
bypass rules. This allows you to examine the bypass requests from users and decide
whether or not to grant the bypass. It also allows you to see which rules might be
too restrictive so that you can go back and tune them.
You define the bypass conditions within the policy rules. Then, when users attempt to
perform an action or visit a site blocked by the corresponding rule, they can
submit a bypass request. Bypass requests are an extension of
Prompt actions, where Prisma Access Browser prompts the user
with a message indicating that the action or site is blocked and allows them to
continue anyway. To set bypass conditions, you configure the prompt action to enable
permission requests. With permission requests enabled, you must review and approve the request
before Prisma Access Browser allows the user to perform the blocked action or access
the blocked site.
Configure the Bypass Conditions
Configure the conditions for bypass rules when you create or edit an Access and Data
Control rule. The way you configure the conditions depends on the
type of user activity for which you want to allow bypass.
- Set bypass conditions for Web access rules.
  - In the Policy Rules - Edit rule > Web access page, select Prompt.
  - Define the bypass conditions for the web access rule by selecting one of the following options:
    - Warn and allow to proceed anyway—notifies users that the web application they are trying to access is restricted, but allows them to proceed anyway.
    - Warn and allow the user to proceed anyway with a reason—notifies users that the web application they are trying to access is restricted, but allows them to proceed after supplying a reason they need access.
    - Permission request—notifies users that the web application they are trying to access is restricted, and prompts them to submit a request for access. In this case, you must review and approve the request before the user can access the app.
  - Set the duration for the Bypass timeframe. The range is 10 minutes to 90 days; the default is 9 hours.
  - Set the number of access attempts to Approve request for. Be aware that the Once setting works differently on different websites. On sites where the page is refreshed every time a new page is selected, Once refers to a single access for a single article, and a new request must be generated for each page. For example, allowing Once on https://editions.cnn.com will grant the user one article only (since moving to the next page requires the page to be refreshed). On sites that are not regularly refreshed, such as https://chat.openai.com, Once allows a user to keep working until the page is refreshed.
- Set bypass conditions for login restriction rules. The Login restriction section in Access & Data Control rules enables you to restrict login to specific email domains.
  - In the Policy Rules - Edit rule > Login restriction page, select Prompt.
  - Define the bypass conditions for the login restriction rule by selecting one of the following options:
    - Allow—allows all domains.
    - Block—restricts all domains.
    - Allow specific email domains—allows access only to the domains you specify.
    - Block specific email domains—blocks access only to the domains you specify.
  - Specify the email domains this rule governs access to.
  - Select Prompt when login blocked. With this setting enabled, when users attempt to log in using a restricted email, Prisma Access Browser notifies them. You can set the following bypass conditions:
    - Warn and allow to proceed anyway—notifies users that the email they are trying to use for login is restricted, but allows them to proceed anyway.
    - Warn and allow the user to proceed anyway with a reason—notifies users that the email they are trying to use for login is restricted, but allows them to proceed after supplying a reason.
    - Permission request—notifies users that the email they are trying to use for login is restricted, and prompts them to submit a request for access. In this case, you must review and approve the request before the user can proceed.
  - Set the Approve request for. The time range is 10 minutes to 90 days.
- Set bypass conditions for file download. The File Download profile in Access & Data Control rules allows you to restrict file downloads. This option is available from either the Profiles or from the Data controls, but we recommend using the Data controls to manage policies.
  - In the Policy Rules - Edit rule > Data controls page, select File Download.
  - Select either Allow or Allow (Protected).
  - Click Prompt Before download and select Before download.
  - Select Popup notification and define the bypass conditions for file downloads by selecting one of the following options:
    - Warn and allow to proceed anyway—notifies users that file download is restricted, but allows them to proceed anyway.
    - Warn and allow the user to proceed anyway with a reason—notifies users that file download is restricted, but allows them to proceed after supplying a reason.
    - Permission request—notifies users that file download is restricted, and prompts them to submit a request for access. In this case, you must review and approve the request before the user can proceed.
  - Set the duration for the Bypass timeframe. The range is 10 minutes to 90 days.
  - Set the number of access attempts to Approve request for. Select Once to allow a single download.
- Set bypass conditions for file upload. The File Upload profile in Access & Data Control rules allows you to restrict file uploads. This option is available from either the Profiles or from the Data controls, but we recommend using the Data controls to manage policies.
  - In the Policy Rules - Edit rule > Data controls page, select File Upload.
  - Select Allow.
  - Click Prompt Before Upload and select Before upload.
  - Select Popup notification and define the bypass conditions for file uploads by selecting one of the following options:
    - Warn and allow to proceed anyway—notifies users that file upload is restricted, but allows them to proceed anyway.
    - Warn and allow the user to proceed anyway with a reason—notifies users that file upload is restricted, but allows them to proceed after supplying a reason.
    - Permission request—notifies users that file upload is restricted, and prompts them to submit a request for access. In this case, you must review and approve the request before the user can proceed.
  - Set the duration for the Bypass timeframe. The range is 10 minutes to 90 days.
  - Set the number of access attempts to Approve request for. Select Once to allow a single download.
Manage Permission Requests
After you set bypass request conditions on policy rules, you must review incoming requests and decide whether or not to allow the requests.
- From Strata Cloud Manager, select Manage > Configuration > Prisma Access Browser > Policy > Requests.
- Select the request you want to review and click Reply.
- Review the request and then select one of the following responses:
  - Approve—Grants approval for the request for the pre-configured duration, or select a different duration.
  - Decline—Rejects the request. Prisma Access Browser continues to block the requested action or site access.
- (Optional) Add a comment for the user.
- Submit your response.
Investigate Bypass Requests
If you have configured bypass conditions on your policy rules and you find that you are approving similar requests, this might indicate that you need to tune your policy rules. You can investigate current and past bypass rules to assess whether you need to make some adjustments to your policy on the Manage > Configuration > Prisma Access Browser > Policy > Requests page.
- Search for specific bypass requests by URL.
- Filter requests based on the following parameters:
  - Request type—Filter on the type of bypass: Web access, File upload, File download, or App login.
  - Status—Filter on requests that are Pending, Approved, or Declined.
  - Created at—Filter on requests made during a specific time frame.
  - User—Filter on specific users making requests.
  - Policy rule—Filter on the rule that triggered the bypass requests.
  - URL—Filter based on the URL of the web application that generated the request.
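The review described above can also be done offline over a list of request records. The following Python is an added illustration, not Palo Alto Networks code: the record layout, field names, sample rows and thresholds are assumptions that mirror the filter parameters listed above, since this page does not describe an export format. It groups requests by policy rule, request type and site, and reports the groups where repeated approvals for several users suggest the rule is stricter than needed.

```python
from collections import defaultdict
from urllib.parse import urlsplit

STATUSES = ("Approved", "Declined", "Pending")   # status values named on this page
FIELDS = ("request_type", "status", "user", "policy_rule", "url")  # assumed field names
_ROWS = [  # constructed sample data, not real requests
    ("Web access", "Approved", "ana", "Block GenAI", "https://chat.example.net/a"),
    ("Web access", "Approved", "bo", "Block GenAI", "https://chat.example.net/b"),
    ("Web access", "Approved", "ana", "Block GenAI", "https://chat.example.net/c"),
    ("Web access", "Declined", "cy", "Block GenAI", "https://chat.example.net/d"),
    ("File upload", "Approved", "bo", "Restrict uploads", "https://share.example.org/up"),
    ("File upload", "Declined", "cy", "Restrict uploads", "https://share.example.org/up"),
    ("App login", "Pending", "ana", "Corp domains only", "https://mail.example.com/login"),
]
SAMPLE_REQUESTS = [dict(zip(FIELDS, row)) for row in _ROWS]


def tuning_candidates(requests, min_approved=3, min_users=2):
    """Return (rule, type, host) groups approved often enough to warrant rule tuning."""
    groups = defaultdict(lambda: {"Approved": 0, "Declined": 0, "Pending": 0, "users": set()})
    for req in requests:
        if req["status"] not in STATUSES:
            raise ValueError(f"unknown status: {req['status']!r}")
        # Group by host, not full URL, so per-page requests on one site count together.
        key = (req["policy_rule"], req["request_type"], urlsplit(req["url"]).hostname)
        groups[key][req["status"]] += 1
        if req["status"] == "Approved":
            groups[key]["users"].add(req["user"])
    candidates = []
    for (rule, rtype, host), g in groups.items():
        decided = g["Approved"] + g["Declined"]   # pending requests have no outcome yet
        if g["Approved"] >= min_approved and len(g["users"]) >= min_users:
            candidates.append({
                "policy_rule": rule, "request_type": rtype, "host": host,
                "approved": g["Approved"], "declined": g["Declined"],
                "approval_rate": round(g["Approved"] / decided, 2) if decided else 0.0,
                "users": len(g["users"]),
            })
    # Most-approved groups first; rule name breaks ties for stable output.
    return sorted(candidates, key=lambda c: (-c["approved"], c["policy_rule"]))


if __name__ == "__main__":
    for c in tuning_candidates(SAMPLE_REQUESTS):
        print(c)
```

Requiring approvals from more than one user keeps a single user's repeated Once requests on a page-refreshing site from flagging a rule on its own.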