Manage Prisma Access Browser Requests to Bypass Policy Rules

Learn how to manage end user requests to bypass Prisma Access Browser rules for access to otherwise blocked sites and apps.
Where Can I Use This?
  • Strata Cloud Manager
What Do I Need?
  • Prisma Access Browser standalone
  • Prisma Access with Prisma Access Browser bundle license
  • Superuser or Prisma Access Browser role
In some cases, end users may find that the Prisma Access Browser rules are too strict to allow them to access the resources they need. For example, a user might need to download a file that is restricted based on a browser rule, or might need access to a website that is normally off limits.
To address this issue, Prisma Access Browser lets you allow users to temporarily bypass rules. You can examine the bypass requests from users and decide whether or not to grant the bypass. This also allows you to see which rules might be too restrictive so that you can go back and tune them.
You define the bypass conditions within the policy rules. Then, when users attempt to perform an action or visit a site blocked by the corresponding rule, they can submit a bypass request. Bypass requests are an extension of Prompt actions, where Prisma Access Browser prompts the user with a message indicating that the action or site is blocked and allows them to continue anyway. To set bypass conditions, you configure the prompt action to enable permission requests. With bypass conditions, you must review and approve the request before Prisma Access Browser allows the user to perform the blocked action or access the blocked site.

Configure the Bypass Conditions

Configure the conditions for bypass rules when you create or edit an Access and Data Control rule. The way you configure the conditions depends on the type of user activity for which you want to allow bypass.
  • Set bypass conditions for Web access rules.
    1. In the Policy Rules - Edit rule > Web access page, select Prompt.
    2. Define the bypass conditions for the web access rule by selecting one of the following options:
      • Warn and allow to proceed anyway—notifies users that the web application they are trying to access is restricted, but allows them to proceed anyway.
      • Warn and allow the user to proceed anyway with a reason—notifies users that the web application they are trying to access is restricted, but allows them to proceed after supplying a reason they need access.
      • Permission request—notifies users that the web application they are trying to access is restricted, and prompts them to submit a request for access. In this case, you must review and approve the request before the user can access the app.
    3. Set the duration for the Bypass timeframe.
      The range is 10 minutes to 90 days; the default is 9 hours.
    4. Set the number of access attempts to Approve request for.
      Be aware that the Once setting works differently on different websites. On sites where the page is refreshed every time a new page is selected, Once refers to a single access for a single article, and a new request must be generated for each page. For example, allowing Once on https://editions.cnn.com will grant the user one article only (since moving to the next page requires the page to be refreshed). On sites that are not regularly refreshed, such as https://chat.openai.com, Once allows a user to keep working until the page is refreshed.
  • Set bypass conditions for login restriction rules.
    The Login restriction section in Access & Data Control rules enables you to restrict login to specific email domains.
    1. In the Policy Rules - Edit rule > Login restriction page, select Prompt.
    2. Define the bypass conditions for the login restriction rule by selecting one of the following options:
      • Allow—allows all domains.
      • Block—restricts all domains.
      • Allow specific email domains—allows access only to the domains you specify.
      • Block specific email domains—blocks access only to the domains you specify.
    3. Specify the email domains this rule governs access to.
    4. Select Prompt when login blocked.
      With this setting enabled, when users attempt to log in using a restricted email, Prisma Access Browser notifies them. You can set the following bypass conditions:
      • Warn and allow to proceed anyway—notifies users that the email they are trying to use for login is restricted, but allows them to proceed anyway.
      • Warn and allow the user to proceed anyway with a reason—notifies users that the email they are trying to use for login is restricted, but allows them to proceed after supplying a reason.
      • Permission request—notifies users that the email they are trying to use for login is restricted, and prompts them to submit a request for access. In this case, you must review and approve the request before the user can proceed.
    5. Set the Approve request for.
      The time range is 10 minutes to 90 days.
  • Set bypass conditions for file download.
    The File Download profile in Access & Data Control rules allows you to restrict file downloads. This option is available from either the Profiles or the Data controls, but we recommend using the Data controls to manage policies.
    1. In the Policy Rules - Edit rule > Data controls page, select File Download.
    2. Select either Allow or Allow (Protected).
    3. Click Prompt Before download and select Before download.
    4. Select Popup notification and define the bypass conditions for file downloads by selecting one of the following options:
      • Warn and allow to proceed anyway—notifies users that file download is restricted, but allows them to proceed anyway.
      • Warn and allow the user to proceed anyway with a reason—notifies users that file download is restricted, but allows them to proceed after supplying a reason.
      • Permission request—notifies users that file download is restricted, and prompts them to submit a request for access. In this case, you must review and approve the request before the user can proceed.
    5. Set the duration for the Bypass timeframe.
      The range is 10 minutes to 90 days.
    6. Set the number of access attempts to Approve request for.
      Select Once to allow a single download.
  • Set bypass conditions for file upload.
    The File Upload profile in Access & Data Control rules allows you to restrict file uploads. This option is available from either the Profiles or the Data controls, but we recommend using the Data controls to manage policies.
    1. In the Policy Rules - Edit rule > Data controls page, select File Upload.
    2. Select either Allow.
    3. Click Prompt Before Upload and select Before upload.
    4. Select Popup notification and define the bypass conditions for file uploads by selecting one of the following options:
      • Warn and allow to proceed anyway—notifies users that file upload is restricted, but allows them to proceed anyway.
      • Warn and allow the user to proceed anyway with a reason—notifies users that file upload is restricted, but allows them to proceed after supplying a reason.
      • Permission request—notifies users that file upload is restricted, and prompts them to submit a request for access. In this case, you must review and approve the request before the user can proceed.
    5. Set the duration for the Bypass timeframe.
      The range is 10 minutes to 90 days.
    6. Set the number of access attempts to Approve request for.
      Select Once to allow a single download.

Manage Permission Requests

After you set bypass request conditions on policy rules, you must review incoming requests and decide whether or not to allow the requests.
  1. From Strata Cloud Manager, select Manage > Configuration > Prisma Access Browser Policy > Requests.
  2. Select the request you want to review and click Reply.
  3. Review the request and then select one of the following responses:
    • Approve—Grants the request for the pre-configured duration; you can also select a different duration.
    • Decline—Rejects the request. Prisma Access Browser continues to block the requested action or site access.
  4. (Optional) Add a comment for the user.
  5. Submit your response.

Investigate Bypass Requests

If you have configured bypass conditions on your policy rules and you find that you are approving similar requests, this might indicate that you need to tune your policy rules. On the Manage > Configuration > Prisma Access Browser Policy > Requests page, you can investigate current and past bypass rules to assess whether you need to make some adjustments to your policy.
  • Search for specific bypass requests by URL.
  • Filter requests based on the following parameters:
    • Request type—Filter on the type of bypass: Web access, File upload, File download, or App login.
    • Status—Filter on requests that are Pending, Approved, or Declined.
    • Created at—Filter on requests made during a specific time frame.
    • User—Filter on specific users making requests.
    • Policy rule—Filter on the rule that triggered the bypass requests.
    • URL—Filter based on the URL of the web application that generated the request.
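
The review described above (spotting rules where similar requests keep getting approved) can also be run over request records offline. The following is an added example, not Prisma Access Browser code or an export format: the record keys mirror the filter parameters listed above, and the key names, sample rows, and thresholds are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample rows: (request type, status, user, policy rule, URL).
_ROWS = [
    ("Web access", "Approved", "alice@example.com", "Block GenAI", "https://chat.example.net/c/1"),
    ("Web access", "Approved", "bob@example.com", "Block GenAI", "https://chat.example.net/c/2"),
    ("Web access", "Approved", "alice@example.com", "Block GenAI", "https://chat.example.net/c/3"),
    ("Web access", "Approved", "carol@example.com", "Block GenAI", "https://CHAT.example.net/"),
    ("Web access", "Declined", "dave@example.com", "Block GenAI", "https://chat.example.net/c/9"),
    ("File upload", "Approved", "erin@example.com", "Restrict uploads", "https://files.example.org/up"),
    ("File upload", "Approved", "erin@example.com", "Restrict uploads", "https://files.example.org/up"),
    ("Web access", "Pending", "bob@example.com", "Block GenAI", "https://other.example.com/"),
]
# Hypothetical key names, chosen to match the filters on the Requests page.
_KEYS = ("request_type", "status", "user", "policy_rule", "url")
REQUESTS = [dict(zip(_KEYS, row)) for row in _ROWS]


def tuning_candidates(requests, min_approved=3, min_users=2):
    """Return (policy rule, request type, URL host) groups that are approved
    often enough, by enough distinct users, to suggest the rule needs tuning."""
    groups = defaultdict(lambda: {"approved": 0, "declined": 0, "users": set()})
    for req in requests:
        host = (urlsplit(req["url"]).hostname or "").lower()
        group = groups[(req["policy_rule"], req["request_type"], host)]
        status = req["status"].lower()
        if status in ("approved", "declined"):  # pending requests are undecided
            group[status] += 1
        if status == "approved":
            group["users"].add(req["user"].lower())
    candidates = []
    for (rule, rtype, host), group in groups.items():
        decided = group["approved"] + group["declined"]
        if group["approved"] >= min_approved and len(group["users"]) >= min_users:
            candidates.append({
                "policy_rule": rule, "request_type": rtype, "host": host,
                "approved": group["approved"], "users": len(group["users"]),
                "approval_rate": round(group["approved"] / decided, 2) if decided else 0.0,
            })
    # Most-approved groups first, so the strongest tuning signal is reviewed first.
    return sorted(candidates, key=lambda c: (-c["approved"], c["host"]))


if __name__ == "__main__":
    for candidate in tuning_candidates(REQUESTS):
        print(candidate)
```

A group that is approved repeatedly for several users is a candidate for a narrower rule or an explicit allow; repeated approvals for a single user point to an exception for that user rather than a policy change.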