Manage Prisma Access Browser Sign-in Rules
Learn how to create browser sign-in rules as a first level of securing your Prisma Access Browser deployment.
Where Can I Use This?
  • Strata Cloud Manager
What Do I Need?
  • Prisma Access Browser standalone
  • Prisma Access with Prisma Access Browser bundle license
  • Superuser or Prisma Access Browser role
Use sign-in rules to determine which users and devices have access to Prisma Access Browser. The Sign-in Rules page displays the following information about existing sign-in rules:
  • Priority—The priority order for rule enforcement.
  • Mode—Indicates whether the rule is active or disabled.
  • Name—Identifies and describes the rule.
  • Users—The users and user groups associated with each rule.
  • Device groups—The device groups associated with each rule.
  • Network & Location—The specific networks and geolocations associated with the rule.
  • Action—The action Prisma Access Browser takes for users and devices matching the rule: Allow, Block, or Prompt the user.
  • Updated—Last updated date for the rule; hover to see the full timestamp.
To view the rules:
The last rule on the list is the Default Rule.
The Default Rule is the policy rule that is used when no other policy rule is applicable. Since this rule must be available for any given user or device, only certain controls can be edited.
When you create a sign-in rule, you define the scope of the rule. When a user attempts to access Prisma Access Browser, the browser compares the user and device against the scope of each rule in order until it finds a match, and then it enforces the action of the matching rule. In some cases, you want a sign-in rule to block access to Prisma Access Browser for users and devices that match its scope. For example, suppose the scope of the rule matches a device group for devices with a specific OS, and you do not want to allow access to devices that are still running that OS. In that case, you would set the sign-in rule to block access for users that match it. In other cases, you want to allow users that match the sign-in rule to access Prisma Access Browser. For example, suppose the scope of the rule matches users in a specific user group and a device group that only admits devices running a specific OS version, presenting a specific client certificate, and running active endpoint protection. In this case, you would set the matching sign-in rule to allow access to Prisma Access Browser. The way you create your user groups and device groups (including the device posture rules you enforce at the device group level) informs how you will want to create your sign-in rules.
When a user attempts to access the browser, Prisma Access Browser evaluates the sign-in rules in top-down order until it finds a match for the user and device, and then it enforces the corresponding sign-in rule. If the user and device do not match any of the defined sign-in rules, Prisma Access Browser enforces the Default Rule.
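The top-down evaluation described above, as an added Python model (not Prisma Access Browser code): a scope criterion left empty matches anything, disabled rules are skipped, the first active match decides the action, and the Default Rule applies when nothing matches. The rule names, user groups, device groups and addresses below are constructed; the network strings use the two formats the Scope step accepts (a single address or a CIDR range).

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class SignInRule:
    """One sign-in rule: a scope plus the action taken on a match."""
    name: str
    action: str                      # "Allow", "Block" or "Prompt"
    active: bool = True              # Mode: a disabled rule is never matched
    users: set = field(default_factory=set)          # users / user groups
    device_groups: set = field(default_factory=set)  # device groups
    networks: list = field(default_factory=list)     # "94.45.21.1" or "129.144.9.8/29"
    locations: set = field(default_factory=set)      # geolocation, e.g. country code

    def matches(self, user_groups, device_group, client_ip, country):
        # Each populated criterion must match; an empty criterion means "any".
        if self.users and not (self.users & set(user_groups)):
            return False
        if self.device_groups and device_group not in self.device_groups:
            return False
        if self.locations and country not in self.locations:
            return False
        if self.networks:
            ip = ipaddress.ip_address(client_ip)
            nets = (ipaddress.ip_network(n, strict=False) for n in self.networks)
            if not any(ip in net for net in nets):
                return False
        return True


def evaluate(rules, default_action, user_groups, device_group, client_ip, country):
    """Top-down evaluation: the first active matching rule wins, else the Default Rule."""
    for rule in rules:
        if rule.active and rule.matches(user_groups, device_group, client_ip, country):
            return rule.name, rule.action
    return "Default Rule", default_action


# Constructed sample rulebase (hypothetical names and groups).
RULES = [
    SignInRule("Block legacy OS", "Block", device_groups={"legacy-os"}),
    SignInRule("Allow compliant engineering", "Allow", users={"engineering"},
               device_groups={"corp-compliant"}, networks=["129.144.9.8/29"]),
    SignInRule("Disabled pilot rule", "Allow", active=False, users={"contractors"}),
    SignInRule("Prompt unmanaged", "Prompt", device_groups={"unmanaged"}, locations={"US"}),
]
```

A legacy-OS device is blocked by the first rule even if a later Allow rule would also match, which is why rule priority matters as much as rule scope.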
There are two ways to create sign-in rules: one for managed devices and one for unmanaged devices, as described in the following sections.

Create a Sign-in Rule for Managed Users

To create a sign-in rule for managed users:
  1. Select Manage > Prisma Access Browser > Policy > Sign-in Rules and click Add rule.
  2. Enter a Name for the rule.
  3. Set an Action, which can be Active or Disabled.
    You can change the Action at any time. You may want to keep the rule disabled until you are ready to launch the new rulebase.
  4. Click Next: Scope and then define the match criteria for the rule.
    Select one or more values to define the scope of the sign-in rule. You can select one or more of the following options:
    • Users/User groups—Select the users and user groups that you want to match this sign-in rule to access Prisma Access Browser.
    • Device groups—Select the device groups to match this sign-in rule for access to Prisma Access Browser.
    • Networks—Select the public networks the device must be attached to in order to access Prisma Access Browser. Specify each network as either a single IP address (for example, 94.45.21.1) or a CIDR range (for example, 129.144.9.8/29).
    • Location—Select the geolocation from which to enable the Prisma Access Browser rule. If OS location services are not enabled on the device, Prisma Access Browser uses GeoIP. For more information, refer to Location-based Policy.
  5. Click Next: Action.
  6. Set the action for the sign-in rule:
    • Allow—Allow access to Prisma Access Browser for users and devices that match the defined rule scope.
    • Block—Block access to Prisma Access Browser for users and devices that match the defined rule scope.
    • Prompt—Notify users that match the sign-in rule scope that their Prisma Access Browser is blocked by default, but allow them to bypass the block and continue to the browser.
  7. Save the rule.

Create a Sign-in Rule for Unmanaged Users

Unmanaged device users are responsible for their own devices. Whenever they face a posture compliance issue, the user must resolve it on their own because they do not have access to the corporate IT department. To help unmanaged users navigate access issues, you can create a special type of sign-in rule that provides information about the compliance issue that is preventing access to Prisma Access Browser.
The following limitations apply to this feature: the default rule action is either Block or Prompt, and each user has only one allow rule in one device group.
  1. Create a device group for the unmanaged users.
    This device group must match the device posture you require for unmanaged users.
  2. Create a sign-in rule to match your unmanaged users.
    • Define the scope to match the device group you created for your unmanaged users.
    • Set the action to either Block or Prompt.
  3. (Optional) Create a browser customization rule for the device group.
    Provide text in the customization rule to help the user understand the posture errors (on the Security checks tab).