Explicit Proxy — Guidelines
Describes the software and network requirements you need to successfully deploy Prisma Access Explicit Proxy.

Where Can I Use This?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)

What Do I Need?
  • Prisma Access license

Review these guidelines to plan your explicit proxy deployment:

Configuration Guidelines

Before you secure mobile users with an Explicit Proxy, make sure that you are aware of the software and network requirements described in this section.
Licensing Guidelines—Be sure to follow the licensing guidelines and requirements before configuring Explicit Proxy.
Network Guidelines and Requirements—When configuring Explicit Proxy, make sure that you are aware of the following network guidelines and have made the following configuration changes in your network and security environment:
  • You must configure an SSL decryption policy for all Explicit Proxy traffic. Decryption is required for Prisma Access to read the authentication state cookie set up by Prisma Access on the mobile user’s browser. Failing to enforce decryption enables the abuse of Explicit Proxy as an open proxy that can be widely misused as a forwarding service for conducting denial of service attacks. To prevent users from accessing undecrypted sites, be sure to leave the "Decrypt traffic that matches existing decryption rules; for undecrypted traffic, allow traffic only from known IPs registered by authenticated users" check box selected when you configure Explicit Proxy.
  • Explicit Proxy does not support HTTP/2 natively. HTTP/2 protocol requests will be downgraded to HTTP/1.1. Explicit Proxy strips out application-layer protocol negotiation (ALPN) headers from uploaded files, regardless of your configuration.
  • The maximum supported TLS version is 1.3. When creating a decryption profile, specify a Max Version of TLS v1.3.
  • If mobile users are connecting from remote sites or headquarters/data center locations using an Explicit Proxy, the mobile user endpoint must be able to reach and route to the IdP, ACS FQDN, Explicit Proxy URL, and URL of the PAC file hosted by Prisma Access. To find the ACS FQDN and the Explicit Proxy URL, select Panorama > Cloud Services > Status > Network Details > Mobile Users—Explicit Proxy.
Panorama and Content Version Requirements—Make sure that your deployment has the following minimum Panorama and Antivirus Content version requirements:
  • Explicit Proxy requires a minimum Panorama version of 10.0.5.
  • Explicit Proxy requires a minimum antivirus Content Version of 3590 to be installed on the Panorama to support the predefined security policies. Install the required Content Version before committing the Mobile Users—Explicit Proxy configuration.
Palo Alto Networks Subscription Support—Explicit Proxy includes Threat Prevention, URL Filtering, WildFire, DNS Security, and DLP subscriptions. The DNS Security subscription includes support for the Command and Control Domains and Malware Domains DNS Security threat categories.
Mobile User App Support and Browser Guidelines—Explicit Proxy supports the following apps and has the following browser guidelines and requirements:
  • Explicit Proxy secures internet and SaaS applications accessed over the mobile users’ browser using HTTP and HTTPS traffic only. Non-web ports and protocols are not supported.
  • Palo Alto Networks recommends that you do not use HTTP sites with Explicit Proxy.
  • Explicit Proxy does not support the full client-based version of Microsoft 365 (Office 365), which uses non-web ports. However, it is designed to support web-based M365, including Office Online (office.com).
  • Explicit Proxy does not provide access to private applications.
  • Mobile users will be unidentified in the traffic logs for sites that are not decrypted, with some exceptions.
  • Make a note of the following browser requirements and usage guidelines:
    • If you use Explicit Proxy, do not disable cookies in your browser; if you do, you cannot browse any web pages.
    • If you are using Explicit Proxy with Microsoft Edge, be sure that Settings > Privacy, Search, and Services > Tracking prevention is set to Basic.
    • If you use Safari with Explicit Proxy, you might experience issues when accessing websites. Instead of Safari, use Microsoft Edge, Firefox, Chrome, or Internet Explorer as your browser.
    • When using Firefox with an Explicit Proxy, go to about:config and set security.csp.enable to false. In addition, some add-ons, such as ones that perform ad blocking or tracking protection, might interfere with tracking protection.
    • To support desktop applications, or applications that do not send HTTP traffic, you can configure GlobalProtect in split tunnel mode and use GlobalProtect in conjunction with Explicit Proxy.
    • If you visit a website for the first time, are prompted to enter Explicit Proxy credentials, then refresh the browser, you might receive an error. If this condition occurs, re-visit the website without refreshing and retry the authentication operation.
PAC File Requirements and Guidelines—Follow the PAC File Guidelines when you set up the PAC file to use with Explicit Proxy.
Proxy Chaining Guidelines—If you use proxy chaining from a third-party proxy to Explicit Proxy, specify the Explicit Proxy URL (Panorama > Cloud Services > Status > Network Details > Mobile Users—Explicit Proxy) in the third-party proxy to forward traffic to Explicit Proxy.
Authentication Requirements—SAML is the only supported authentication protocol. Prisma Access supports PingOne, Azure AD, and Okta as SAML authentication providers, but you should be able to use any vendor that supports SAML 2.0 as a SAML identity provider (IdP). For more details about configuring SAML authentication with Prisma Access, including examples for Azure AD, Okta, and Active Directory Federation Services (ADFS) 4.0, see Authenticate Mobile Users in the Prisma Access documentation.
Group Mapping Requirements—You use the Cloud Identity Engine to retrieve user and group mapping information.
Private or Data Center Access Support—Explicit Proxy does not support flows to Private or Data Center access for internal applications. It is internet-outbound only.
Port Listening Guidelines—Explicit Proxy only listens on port 8080.
On-Premises Support—Explicit Proxy is a cloud-based proxy solution, and is not offered as an on-premises product.

PAC File Guidelines

Use the following guidelines and requirements when configuring the PAC file to use with Explicit Proxy:
  • PAC files are required to steer user traffic to Explicit Proxy.
  • You can only host one PAC file for use with Prisma Access, and the Explicit Proxy PAC file is hosted in the United States. If you require alternative PAC file access outside of the United States, you can host the PAC file in your enterprise.
  • Palo Alto Networks recommends that you use the PAC file hosted at the Prisma Access-managed endpoint instead of the AWS S3 endpoint to make it easier to enable access to the PAC file. To access the PAC file at the Prisma Access-managed endpoint, ensure that your endpoints can reach the following IP addresses:
    • 34.111.7.85
    • 34.160.172.204
    • 34.110.206.116
    • 34.95.107.244
    • 34.149.8.36
  • Only ASCII text format is supported for PAC files. Palo Alto Networks recommends that you create and save the PAC file in a text editor such as VI or Vim.
  • Upload the PAC file after you create your Explicit Proxy configuration and commit and push your changes. After you upload your PAC file, a commit and push operation is not required.
  • You must have at least one Explicit Proxy URL in the return "PROXY foo.proxy.prismaaccess.com:8080"; statement for traffic ingressing to Prisma Access. Either use the domain configured when you push your changes, or use a valid IPv4 address or the DIRECT keyword, such as PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080 or PROXY 1.2.3.4:8080.
  • If the proxy is not being bypassed, then you must provide a PROXY keyword. A valid proxy statement is required if no DIRECT keyword is configured for the proxy bypass.
  • If a valid PROXY statement is found before an invalid PROXY statement, Explicit Proxy skips the validity check on all PROXY statements after the first. For example, a PAC file with the valid statement PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080 followed by the invalid statement PROXY foo.proxy.prismaacess.com:8080 would be considered valid, because Explicit Proxy skips the validity check for foo.proxy.prismaacess.com:8080.
  • If you are using a PROXY statement to have ACS traffic bypass the Prisma Access proxy, the PROXY statement should not use the Explicit Proxy URL. In this configuration, Explicit Proxy provides an error message, but allows you to upload the PAC file. You can direct the ACS traffic to other proxies using a valid FQDN or IPv4 address, or directly to the internet, using the DIRECT keyword.
  • Only IPv4 addresses are supported in PROXY statements. Do not use IPv6 addresses in PROXY statements.
  • The maximum file size for a PAC file is 256 KB.
  • You must specify IdP and ACS URLs to be bypassed.
  • If you set up Explicit Proxy in a default route environment, you must exclude the portal, gateway, and SAML FQDNs. You can use the PAC file to bypass the FQDNs.
  • You cannot delete a PAC file after you've uploaded it. You can, however, upload a new PAC file to overwrite the existing one.
  • If you change the Explicit Proxy URL in Prisma Access but do not change the PAC file to reflect the change, the change won't be applied. You must upload a new PAC file specifying the new Explicit Proxy URL.
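Because Explicit Proxy validates only the first PROXY statement it finds, the following linter (an added example, not part of the Prisma Access documentation) checks every PROXY statement in a PAC file against the guidelines above; the sample PAC text, the opts argument and the placeholder hostnames are constructed for the example.

```javascript
// Added example (not from the Prisma Access docs): lint every PROXY statement in a
// PAC file against the guidelines above. Explicit Proxy validates only the first
// PROXY statement it finds, so checking all of them yourself catches what it skips.
const MAX_PAC_BYTES = 256 * 1024;
const IPV4 = /^(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)){3}$/;

// Returns a list of problems; an empty list means the file passes every check.
// opts.explicitProxyUrl: your tenant's Explicit Proxy URL (Network Details in Panorama).
// opts.otherProxies: third-party proxy FQDNs you reference on purpose, e.g. for ACS traffic.
function lintPacFile(text, opts) {
  const problems = [];
  const known = new Set((opts.otherProxies || []).map(h => h.toLowerCase()));
  if (new TextEncoder().encode(text).length > MAX_PAC_BYTES) problems.push("file exceeds 256 KB");
  if (/[^\x00-\x7F]/.test(text)) problems.push("file contains non-ASCII characters");
  // Every quoted "PROXY host:port" return value, in file order.
  const stmts = [...text.matchAll(/"\s*PROXY\s+([^";\s]+)\s*"/g)].map(m => m[1]);
  if (stmts.length === 0 && !/"\s*DIRECT\s*"/.test(text))
    problems.push("no PROXY statement and no DIRECT keyword");
  let reachesExplicitProxy = false;
  stmts.forEach((stmt, i) => {
    const where = `PROXY statement ${i + 1} (${stmt})`;
    if (stmt.startsWith("[") || stmt.split(":").length > 2) {
      problems.push(`${where}: IPv6 addresses are not supported`);
      return;
    }
    const [host, port] = stmt.split(":");
    if (!/^\d{1,5}$/.test(port || "")) problems.push(`${where}: missing or invalid port`);
    const lower = host.toLowerCase();
    if (lower === opts.explicitProxyUrl.toLowerCase()) {
      reachesExplicitProxy = true;
      if (port !== "8080") problems.push(`${where}: Explicit Proxy only listens on port 8080`);
    } else if (IPV4.test(host)) {
      reachesExplicitProxy = true;             // the guidelines allow a literal IPv4 address
    } else if (!known.has(lower)) {
      problems.push(`${where}: host is neither an IPv4 address nor a known proxy FQDN`);
    }
  });
  if (stmts.length > 0 && !reachesExplicitProxy)
    problems.push("no PROXY statement uses the Explicit Proxy URL or an IPv4 address");
  return problems;
}

// Constructed PAC file mirroring the valid-then-invalid case described above.
const SAMPLE_PAC = `function FindProxyForURL(url, host) {
  if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT";
  if (shExpMatch(host, "*.corp.example")) return "PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080";
  return "PROXY foo.proxy.prismaacess.com:8080";
}`;
```

Running lintPacFile(SAMPLE_PAC, { explicitProxyUrl: "paloaltonetworks-245139.proxy.prismaaccess.com" }) reports only the second statement, the one Explicit Proxy itself would not check.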
Explicit Proxy provides you with a sample PAC file that you can modify and use as the PAC file for your Explicit Proxy deployment. The sample PAC file that Prisma Access provides contains the following data:

    function FindProxyForURL(url, host) {
        /* Bypass localhost and Private IPs */
        var resolved_ip = dnsResolve(host);
        if (isPlainHostName(host) ||
            shExpMatch(host, "*.local") ||
            isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
            isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
            isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
            isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
            return "DIRECT";
        /* Bypass FTP */
        if (url.substring(0,4) == "ftp:")
            return "DIRECT";
        /* Bypass SAML, e.g. Okta */
        if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com"))
            return "DIRECT";
        /* Bypass ACS */
        if (shExpMatch(host, "*.acs.prismaaccess.com"))
            return "DIRECT";
        /* Forward to Prisma Access */
        return "PROXY foo.proxy.prismaaccess.com:8080";
    }

If you want to use the default PAC file that Prisma Access provides, you can optionally modify the fields in the PAC file as described in the following table.

Text: var resolved_ip = dnsResolve(host); ... return "DIRECT";
Description: Enter any hostnames or IP addresses that should not be sent to Explicit Proxy between the JavaScript lines var resolved_ip = and return "DIRECT";. If you do not modify the data in this file, the following hostnames and IP addresses bypass Explicit Proxy:
  • if (isPlainHostName(host)—Bypasses Explicit Proxy for hostnames that contain no dots (for example, http://intranet).
  • shExpMatch(host, "*.local") ||—Bypasses the proxy for any hostnames that are hosted in the internal network (localhost).
  • isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") || isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") || isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") || isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))—Bypasses Explicit Proxy for any IP addresses that are in the private or loopback IP address range.

Text: if (url.substring(0,4) == "ftp:") return "DIRECT";
Description: Bypasses Explicit Proxy for FTP sessions.

Text: if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com")) return "DIRECT";
Description: Bypasses Explicit Proxy for the SAML IdP. Be sure to add all FQDNs used by the IdP. If you use Okta as the IdP for SAML authentication, enter *.okta.com and *.oktacdn.com.

Text: if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT";
Description: Bypasses Explicit Proxy for the Prisma Access Authentication Cache Service (ACS). Instead of using a wildcard, you can add the specific ACS FQDN for your deployment. Find this FQDN under Panorama > Cloud Services > Status > Network Details > Mobile Users—Explicit Proxy > ACS FQDN.

Text: return "PROXY foo.proxy.prismaaccess.com:8080"
Description: Bypasses Explicit Proxy for the Explicit Proxy URL. You must have at least one Explicit Proxy URL in the return "PROXY foo.proxy.prismaaccess.com:8080"; statement for traffic ingressing to Prisma Access. Either use the domain configured when you push your changes, or use a valid IPv4 address or the DIRECT keyword, such as PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080 or PROXY 1.2.3.4:8080.
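To exercise the sample PAC file's bypass logic offline before uploading it, the following harness (an added example, not part of the Prisma Access documentation) supplies minimal versions of the PAC helper functions dnsResolve, isPlainHostName, shExpMatch and isInNet backed by a constructed DNS table; the hostnames and addresses in it are constructed, and it also shows that the sample's loopback check matches only 127.0.0.0/24.

```javascript
// Added example (not from the Prisma Access docs): offline harness for the PAC helper
// functions so the sample FindProxyForURL above can be run against constructed hosts.
const DNS_TABLE = {                          // constructed host -> IPv4 mapping
  "intranet": "10.20.30.40",
  "git.corp.local": "192.168.5.7",
  "loop.example.com": "127.0.5.1",           // loopback, but outside 127.0.0.0/24
  "mail.example.com": "203.0.113.25",
  "login.okta.com": "198.51.100.9",
  "tenant.acs.prismaaccess.com": "198.51.100.77",
};
function dnsResolve(host) { return DNS_TABLE[host] || null; }
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function shExpMatch(str, pat) {              // shell glob with * and ? wildcards only
  const re = pat.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp("^" + re + "$").test(str);
}
function ipToInt(ip) { return ip.split(".").reduce((n, o) => (n << 8) + Number(o), 0) >>> 0; }
function isInNet(ip, net, mask) {
  if (!ip) return false;                     // an unresolved host is in no network
  const m = ipToInt(mask);
  return (ipToInt(ip) & m) === (ipToInt(net) & m);
}
// The sample PAC file from the page, unchanged apart from layout.
function FindProxyForURL(url, host) {
  var resolved_ip = dnsResolve(host);
  if (isPlainHostName(host) || shExpMatch(host, "*.local") ||
      isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
      isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
    return "DIRECT";
  if (url.substring(0, 4) == "ftp:") return "DIRECT";
  if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com")) return "DIRECT";
  if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT";
  return "PROXY foo.proxy.prismaaccess.com:8080";
}
// Evaluate constructed URLs and return a host -> decision map for review.
function routeAll(urls) {
  const out = {};
  for (const u of urls) {
    const host = new URL(u).hostname;
    out[host] = FindProxyForURL(u, host);
  }
  return out;
}
```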
