Prisma Access
Explicit Proxy Configuration Guidelines
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Explicit Proxy Configuration Guidelines
Describes the software and network requirements you need to successfully deploy
Prisma Access Explicit Proxy.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
System Requirements and Supported Features
These are the system requirements and supported features for the different connection
methods you can use with Explicit Proxy.
Agentless SAML | Agentless Kerberos | Proxy Mode on Agent (requires GP 6.2 or later) | Proxy Mode on Remote Networks | |
Applications and OS Support | ||||
Traffic Type | Internet and public SaaS traffic only | Internet and public SaaS traffic only | Internet and public SaaS traffic only | Internet and public SaaS traffic only |
Protocol Supports | Proxy aware HTTP or HTTPS | Proxy aware HTTP or HTTPS | Proxy aware HTTP or HTTPS | Proxy aware HTTP or HTTPS |
Transport Channel to Prisma Access | HTTP Connect | HTTP Connect | HTTP Connect inside TLS | HTTP Connect inside IPSec from branch to remote network security processing node (SPN) |
Environments Supported | Windows, Mac, Linux, ChromeOS, VDI |
Windows, Mac, Linux,
ChromeOS, VDI
| Windows and Mac |
Windows, Mac, Linux,
ChromeOS, VDI
|
App Support | Proxy aware HTTP(s) apps | Any app that honors a PAC file or system proxy setting and supports Kerberos | Proxy aware HTTP(s) apps | Proxy aware HTTP(s) apps |
Browser Support | Chrome⁂, Edge, Firefox versions 115 or later | Chrome⁂, Edge, Firefox versions 115 or later | Chrome⁂, Edge, Firefox versions 115 or later* | Chrome⁂, Edge, Firefox versions 115 or later |
O365 Support† | Browser and client apps | Browser and client apps | Browser and client apps | Browser and client apps |
Identity | ||||
User-ID‡ | Decrypted and non-HTTP CORS traffic | All Supported Traffic | All Supported Traffic | Depending on whether you're using SAML or Kerberos: decrypted/non-CORS X-Authenticated-User traffic |
Auth Supported | SAML (Any SAML 2.0 IDPs or through CIE) | Kerberos | All GlobalProtect Supported Auth | SAML, Kerberos, X-Authenticated-User-based |
Skip Auth | By Domain and by Source IP | By Domain and by Source IP | By Domain | By Domain and by Source IP |
License | Mobile User Unit per user | Mobile User Unit per user | Mobile User Unit per user | Mobile User unit per user or headless device and NET units for bandwidth for remote networks |
Management | ||||
Multitenant Cloud Management | Supported | Supported | Supported | Supported |
Security Services | ||||
SaaS Inline | Supported | Supported | Supported | Supported |
DLP | Supported | Supported | Supported | Supported |
DNS Security§ | Supported | Supported | Supported | Supported |
Advanced URL Filtering | Supported | Supported | Supported | Supported |
Advanced WildFire | Supported | Supported | Supported | Supported |
Advanced Threat Prevention | Supported | Supported | Supported | Supported |
Private IP Visibility and Enforcement | Not Supported | Not Supported | Supported for known sites or branches | Supported |
Egress NAT | Supported | Supported | Supported | Supported |
Private App Access | Not Supported | Not Supported | Supported via Service Connections | Not Supported |
All TCP Traffic | Not Supported | Not Supported | Supported (with GlobalProtect version 6.3.1) | Not Supported |
ZTNA Connector | Not Supported | Not Supported | Supported | Not Supported |
Colo Connect | Not Supported | Not Supported | Supported | Not Supported |
Service Connections | Supported | Supported | Supported | Supported |
HIP Support (Tunnel and Proxy mode) | Not Supported | Not Supported | Supported | Not Supported |
⁂ For the Chrome browser, follow the instructions listed below to disable TLS 1.3 Kyber,
if decryption is enabled:
- Open the Chrome browser.
- Add chrome://flags/#enable-tls13-kyber in the address bar and disable it.
- Click Relaunch.
* For Proxy Mode on Agent, Firefox requires a manual policy rule pushed through Mobile Device Management that instructs it to
honor the system proxy
† Explicit Proxy supports only HTTP traffic, not UDP. With SAML, Explicit Proxy
does not provide User-ID for client apps flows. For Agent proxy, you need to use a PAC
file to send client app authentication flows to the cloud proxy.
‡ No User-ID is available for auth bypass.
§ You can't apply DNS Security profiles to Explicit Proxy flows. Block domains instead.
App Support Considerations
- Explicit Proxy does not support apps that need IP affinity. The app must support traffic coming from multiple IPs for a given user session.
- Explicit Proxy downgrades decrypted HTTP/2 Flows to HTTP/1.
- Explicit Proxy does not fetch on-premises external dynamic lists.
- Agentless SAML only:
- Configure an SSL decryption policy to allow auth bypass by domain for
agentless PAC-based Explicit Proxy with SAML AuthDecryption is required for Prisma Access to read the authentication state cookie set up by Prisma Access on the mobile user's browser. Failing to enforce decryption enables the abuse of Explicit Proxy as an open proxy that can attackers can use as a forwarding service for denial-of-service attacks.
- In traffic logs, Explicit Proxy will show undecrypted and HTTP-CORS mobile user traffic logs as SWG-authenticated users.
- Make a note of the following browser requirements and usage guidelines:
- If you use Explicit Proxy, don't disable cookies in your browser; if you do, you can't browse any webpages.
- If you're using Explicit Proxy with Microsoft Edge, be sure to set SettingsPrivacy, Search, and ServicesTracking prevention to Basic.
- Configure an SSL decryption policy to allow auth bypass by domain for
agentless PAC-based Explicit Proxy with SAML Auth
Connectivity Requirements
If mobile users are connecting from remote sites or headquarters or data center locations
using an Explicit Proxy, the mobile user endpoint must be able to reach and route to the
IdP, ACS FQDN, Explicit Proxy URL, and URL of the PAC file hosted by Prisma Access.
PAC File Requirements and Guidelines—Follow the PAC File Guidelines when you set up the PAC file to use with Explicit
Proxy.
Proxy Chaining Guidelines—If you use proxy chaining from a third-party proxy to
Explicit Proxy, specify the Explicit Proxy URL in the third-party
proxy to forward traffic to Explicit Proxy
On-Premises Support—Explicit Proxy is a cloud-based proxy solution and not an
on-premises product. For an on-premises proxy solution, configure a PAN-OS web proxy.