>
    Strata Copilot
    Prisma Access Browser Prerequisites
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access Browser
    3. Prisma Access Browser Prerequisites
    Download PDF
    Prisma Access Browser

    Prisma Access Browser Prerequisites

    Table of Contents

    Prisma Access Browser Prerequisites

    Learn about the prerequisites for Prisma Access Secure Enterprise Browser (Prisma Access Browser), including: system requirements, domains to allow, and IdP proxy requirements.
    Where Can I Use This?What Do I Need?
    • Strata Cloud Manager
    • Standalone Prisma Access Browser
    • Prisma Access with Prisma Access Browser bundle license or Prisma Access Browser standalone license
    • Superuser or Prisma Access Browser role

    System Requirements

    Windows
    • Windows 10 64-bit
      • x86 architecture (ARM is currently not supported).
      Effective October 14, 2025, Microsoft will discontinue support for Windows 10. After this date, they will no longer provide security updates, bug fixes, technical support, or feature enhancements.
    • Windows 11 64-bit
    • No admin privileges are required
    macOS
    • macOS Monterey 12.0 or later.
    • Intel x86 or Apple M1 and above
    • No admin privileges are required
    Linux
    • Ubuntu 22.04.5 LTS or later
    • Fedora 41 or later
    • IGEL OS12 or later
    • Architecture - x64
      Prisma Browser Linux deployment requires installation with Sudo permissions
    Android
    • Android 12 and above with all security updates
    iOS
    • iOS 17.5 and above.
    • iOS 18 if you need to access to Private Apps.
    Additional Requirements
    • Dataplane (PANOS): 10.2.9-h7, 10.2.4-h17, 10.2.10, 11.2.1
    • PA Infrastructure: 5.1.1
    • Panorama: 10.2.4 and above
    • Cloud Services Plugin: 5.1.0-h15

    Domains to Allow

    The Prisma Access Browser communicates with several domains. Please select your region:

    US Region

    The following domains are for clients in the US region.
    The following domains are for clients in the US region only:
    • *.talon-sec.com
    • pabrowser.com
    • get.pabrowser.com
    • api.wildfire.paloaltonetworks.com
    • wildfire.paloaltonetworks.com
    • cie-api-proxy.us.apps.paloaltonetworks.com
    Palo Alto Networks highly recommends that *.talon-sec.com be used as a network requirement. If you need to exclude specific domains, please use the following list:
    • gateway.talon-sec.com
    • login.talon-sec.com
    • ext-proxy.talon-sec.com
    • classifier-auf.talon-sec.com
    • assets.talon-sec.com
    • auth.talon-sec.com
    • installer.talon-sec.com
    • updates.talon-sec.com
    • bfe078e7921507bb.talon-sec.com
    • prod.talon-sec.com

    EU Region

    The following domains are for clients in the EU region.
    The following domains are for clients in the EU region only:
    • *.talon-sec.com
    • pabrowser.com
    • get.pabrowser.com
    • de.api.wildfire.paloaltonetworks.com
    • de.wildfire.paloaltonetworks.com
    • cie-api-proxy.eu.apps.paloaltonetworks.com
    Palo Alto Networks highly recommends that *.talon-sec.com be used as a network requirement. If you need to exclude specific domains, please use the following list:
    • gateway.eu.talon-sec.com
    • login.eu.talon-sec.com
    • ext-proxy.eu.talon-sec.com
    • classifier-auf.talon-sec.com
    • assets.talon-sec.com
    • auth.eu.talon-sec.com
    • installer.talon-sec.com
    • updates.talon-sec.com
    • bfe078e7921507bb.talon-sec.com
    • prod.talon-sec.com

    UK Region

    The following domains are for clients in the UK region.
    The following domains are for clients in the UK region only:
    • *.talon-sec.com
    • pabrowser.com
    • get.pabrowser.com
    • uk.api.wildfire.paloaltonetworks.com
    • uk.wildfire.paloaltonetworks.com
    • cie-api-proxy.uk.apps.paloaltonetworks.com
    Palo Alto Networks highly recommends that *.talon-sec.com be used as a network requirement. If you need to exclude specific domains, please use the following list:
    • gateway.uk.talon-sec.com
    • classifier-auf.talon-sec.com
    • assets.uk.talon-sec.com
    • users-assets.uk.talon-sec.com
    • installer.talon-sec.com
    • updates.talon-sec.com
    • bfe078e7921507bb.talon-sec.com
    • prod.talon-sec.com

    JP Region

    The following domains are for clients in the JP region.
    The following domains are for clients in the JP region only:
    • *.talon-sec.com
    • pabrowser.com
    • get.pabrowser.com
    • jp.api.wildfire.paloaltonetworks.com
    • jp.wildfire.paloaltonetworks.com
    • cie-api-proxy.jp.apps.paloaltonetworks.com
    Palo Alto Networks highly recommends that *.talon-sec.com be used as a network requirement. If you need to exclude specific domains, please use the following list:
    • gateway.jp.talon-sec.com
    • classifier-auf.talon-sec.com
    • assets.jp.talon-sec.com
    • users-assets.jp.talon-sec.com
    • installer.talon-sec.com
    • updates.talon-sec.com
    • bfe078e7921507bb.talon-sec.com
    • prod.talon-sec.com

    AU Region

    The following domains are for clients in the AU region.
    The following domains are for clients in the AU region only:
    • *.talon-sec.com
    • pabrowser.com
    • get.pabrowser.com
    • au.api.wildfire.paloaltonetworks.com
    • au.wildfire.paloaltonetworks.com
    • cie-api-proxy.au.apps.paloaltonetworks.com
    Palo Alto Networks highly recommends that *.talon-sec.com be used as a network requirement. If you need to exclude specific domains, please use the following list:
    • gateway.au.talon-sec.com
    • classifier-auf.talon-sec.com
    • assets.au.talon-sec.com
    • users-assets.au.talon-sec.com
    • installer.talon-sec.com
    • updates.talon-sec.com
    • bfe078e7921507bb.talon-sec.com
    • prod.talon-sec.com

    SGP Region

    The following domains are for clients in the SGP region.
    The following domains are for clients in the SGP region only:
    • *.talon-sec.com
    • pabrowser.com
    • get.pabrowser.com
    • sg.api.wildfire.paloaltonetworks.com
    • sg.wildfire.paloaltonetworks.com
    • cie-api-proxy.sg.apps.paloaltonetworks.com
    Palo Alto Networks highly recommends that *.talon-sec.com be used as a network requirement. If you need to exclude specific domains, please use the following list:
    • gateway.sgp.talon-sec.com
    • classifier-auf.talon-sec.com
    • assets.sgp.talon-sec.com
    • users-assets.sgp.talon-sec.com
    • installer.talon-sec.com
    • updates.talon-sec.com
    • bfe078e7921507bb.talon-sec.com
    • prod.talon-sec.com

    CA Region

    The following domains are for clients in the CA region.
    The following domains are for clients in the CA region only:
    • *.talon-sec.com
    • pabrowser.com
    • get.pabrowser.com
    • ca.api.wildfire.paloaltonetworks.com
    • ca.wildfire.paloaltonetworks.com
    • cie-api-proxy.ca.apps.paloaltonetworks.com
    Palo Alto Networks highly recommends that *.talon-sec.com be used as a network requirement. If you need to exclude specific domains, please use the following list:
    • gateway.ca.talon-sec.com
    • classifier-auf.talon-sec.com
    • assets.ca.talon-sec.com
    • users-assets.ca.talon-sec.com
    • installer.talon-sec.com
    • updates.talon-sec.com
    • bfe078e7921507bb.talon-sec.com
    • prod.talon-sec.com

    IN Region

    The following domains are for clients in the IN region.
    The following domains are for clients in the IN region only:
    • *.talon-sec.com
    • pabrowser.com
    • get.pabrowser.com
    • in.api.wildfire.paloaltonetworks.com
    • in.wildfire.paloaltonetworks.com
    • cie-api-proxy.in.apps.paloaltonetworks.com
    Palo Alto Networks highly recommends that *.talon-sec.com be used as a network requirement. If you need to exclude specific domains, please use the following list:
    • gateway.in.talon-sec.com
    • classifier-auf.talon-sec.com
    • assets.in.talon-sec.com
    • users-assets.in.talon-sec.com
    • installer.talon-sec.com
    • updates.talon-sec.com
    • bfe078e7921507bb.talon-sec.com
    • prod.talon-sec.com

    IND Region

    The following domains are for clients in the IND region.
    The following domains are for clients in the IND region only:
    • *.talon-sec.com
    • pabrowser.com
    • get.pabrowser.com
    • id.api.wildfire.paloaltonetworks.com
    • id.wildfire.paloaltonetworks.com
    • cie-api-proxy.id.apps.paloaltonetworks.com
    Palo Alto Networks highly recommends that *.talon-sec.com be used as a network requirement. If you need to exclude specific domains, please use the following list:
    • gateway.id.talon-sec.com
    • classifier-auf.talon-sec.com
    • assets.ind.talon-sec.com
    • users-assets.ind.talon-sec.com
    • installer.talon-sec.com
    • updates.talon-sec.com
    • bfe078e7921507bb.talon-sec.com
    • prod.talon-sec.com

    FedRAMP Moderate

    The following domains are for clients in the FedRAMP Moderate domain.
    The following domains are for clients in the FedRAMP Moderate domain only:
    • *.talon-sec.com
    • pabrowser.com
    • get.pabrowser.com
    • api.pubsec-cloud.wildfire.paloaltonetworks.com
    • pubsec-cloud.wildfire.paloaltonetworks.com
    • cie-api-proxy.gov.apps.paloaltonetworks.com
    Palo Alto Networks highly recommends that *.talon-sec.com be used as a network requirement. If you need to exclude specific domains, please use the following list:
    • gateway.gov.talon-sec.com
    • assets.gov.talon-sec.com
    • users-assets.gov.talon-sec.com

    For SSO Enforcement or Private App Access

    For SSO Enforcement or Private App Access, you need to white-list *.prismaaccess.com.
    For SSO Enforcement, refer to IP-Based Enforcement Using an Authentication Gateway.

    For Prisma Access Customers Leveraging SSH/RDP/VNC Connections

    *.panwpra.com

    Prisma Browser Ecosystem and Identity Providers

    The Prisma Access Browser ecosystem is designed to integrate with all modern Identity Providers (IdP), including:
    • Microsoft Entra ID
    • Okta
    • Google Workspace
    • PingOne
    • PingFederate
    The Prisma Access Browser does not support older versions of ADFS. Authentication may fail if the ADFS server blocks calls to the IdP page.

    Required Attributes for IdP Integration

    For successful synchronization of users and groups, the IdP must populate specific attributes into the Cloud Identity Engine (CIE). The following attributes are mandatory:
    • For Group Synchronization:
      • Common-Name: The group's display name.
      • Unique Identifier: The group's ObjectGUID.
    • For User Synchronization:
      • Common-Name: The user's display name.
      • Unique Identifier: The user's ObjectGUID.
      • Mail: The user's email address.
      • User Principal Name (UPN): The user's UPN.

    © 2025 Palo Alto Networks, Inc. All rights reserved.