>
    Set Up Explicit Proxy
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Mobile Users
    4. Mobile Users: Explicit Proxy
    5. Set Up Explicit Proxy
    Download PDF

    Prisma Access

    Set Up Explicit Proxy

    Table of Contents

    Set Up Explicit Proxy

    Set up Prisma Access Explicit Proxy.
    Where Can I Use This?
    What Do I Need?
    • Prisma Access (Cloud Management)
    • Prisma Access (Panorama Managed)
    If you'd like to enable Private Source IP based visibility and enforcement on Explicit Proxy in your Prisma Access environment, get in touch with your account team to learn more.
    • Prisma Access
       license
    Use Explicit Proxy to secure mobile users by redirecting browser traffic to Prisma Access.
    Onboarding Guidelines
    —Use the following guidelines when you license and onboard your Explicit Proxy deployment:
    • Explicit Proxy supports a subset of Prisma Access locations.
    • You cannot add locations that are denoted with two asterisks; these are Local Zones and are not supported with Prisma Access.
    • If you have a Local or Evaluation license for Prisma Access for Users and you have a Mobile Users—GlobalProtect deployment as well as a Mobile Users—Explicit Proxy deployment, you can deploy a maximum of five locations for each (five locations maximum for Mobile Users—GlobalProtect and five locations maximum for Mobile Users—Explicit Proxy). If you have a Worldwide license, there are no restrictions for the maximum number of locations.
    • Explicit Proxy supports multitenancy under the following conditions: if you have an existing Prisma Access non-multitenant deployment and convert it to a multitenant deployment, only the first tenant (the tenant you migrated) supports Explicit Proxy. Any subsequent tenants you create for the multitenant deployment after the first do not support Explicit Proxy.
    • When onboarding an Explicit Proxy deployment, Palo Alto Networks recommends that all the configuration be performed in a single browser. You can, however, add security policies from multiple browsers or browser sessions.
    • URL filtering actions of
      continue
       or
      override
       are not supported and do not work with Explicit Proxy.
    Learn how to set up Explicit Proxy.

    Cloud Management

    Set up Explicit Proxy in a Prisma Access Cloud Managed deployment.
    Set up an explicit proxy connection for mobile users; with explicit proxy, a proxy auto-config (PAC) file on mobile user devices redirects browser traffic to Prisma Access.
    Before you begin, make sure you review the explicit proxy guidelines.
    1. Enable explicit proxy and allocate users
      Go to
      Manage
      Service Setup
      Mobile Users
       to start setting up explicit proxy. When you enable explicit proxy, you’ll be prompted to specify the number of mobile users who will use this connection type.
      If you're using
      Strata Cloud Manager
      , go to
      Workflows
      Prisma Access Setup
      Mobile Users
       to start setting up explicit proxy.
    2. Add the proxy settings which mobile users will use to connect to Prisma Access
      Go to the
      Infrastructure Settings
      :
      1. Specify an Explicit Proxy URL.
        By default, the name is
        proxyname
        .proxy.prismaaccess.com, where
        proxyname
         is the subdomain you specify, and uses port 8080. To use your company domain in the explicit proxy URL, add a CNAME record to your organization’s domain.
        You can use SAML or Kerberos authentication types to authenticate mobile users.
      2. (
        Optional
        ) Select
        Enable Agent Proxy
         to enable the agent-based proxy functionality.
      3. Download the PAC file and customize it so that it meets your needs. Then, import it again here, and we’ll give you the URL for the location where Prisma Access hosts the PAC file.
    3. Choose the Prisma Access location to which your mobile users will connect
      Add the Prisma Access locations where you want to support mobile users.
      The map displays the Prisma Access locations.
      For the best user experience, if you are limiting the number of locations, choose locations that are closest to your users or in the same country as your users. If a location is not available in the country where your mobile users reside, choose a location that is closest to your users for the best performance.
      You should enable Explicit Proxy locations in at least two regions to ensure regional redundancy.
    4. Authenticate mobile users
      Set up
      User Authentication
       so that only legitimate users have access to your services and applications.
      SAML and Kerberos are the supported authentication protocols. Prisma Access supports PingOne, Azure AD, and Okta as SAML authentication providers, but you should be able to use any vendor that supports SAML 2.0 as a SAML identity provider (IdP). Learn more on how to Enable Mobile Users to Authenticate to Prisma Access.
    5. Review the best practice security rules that are turned on by default
      Prisma Access enforces best practice security policy rules by default. These rules allow your users to securely browse to general internet sites. Users are:
      • Blocked from visiting known bad websites based on URL
      • Blocked from uploading or downloading files that are known to be malicious
      • Protected from unknown, never-before-seen threats
      • Protected from viruses, spyware (command and control attacks), and vulnerabilities
      After going through the initial setup, you can review and update these default rules to meet your enterprise needs.
    6. Verify that the mobile users location is active
      After you push your initial configuration to Prisma Access, Prisma Access begins provisioning your mobile user environment. This can take up to 15 minutes. When your mobile user locations are up and running, you’ll be able to verify them on the Mobile Users setup pages, the Overview, and within Insights.
      You can also validate your setup by selecting
      Manage
      Service Setup
      Mobile Users
       and edit Infrastructure Settings to confirm a gateway is set up in each of the locations you provisioned.
    7. Enable decryption for explicit proxy traffic
      • Set the maximum supported TLS version to 1.2.
      • Set
        Strip ALPN
         (Advanced SSL Forward Proxy settings) because explicit proxy does not support native HTTP/2, and you must remove the ALPN headers.
    8. Download the root CA and install it on your endpoint for SSL decryption.
    9. Edit the PAC file content
      Edit a proxy auto-configuration (PAC) file for explicit proxy that meets your requirement. GlobalProtect app proxies traffic to Prisma Access based on forwarding rules and logic from the PAC file.
      Go to the
      Forwarding Rules
      :
      1. Download the PAC file and customize it so that it meets your needs. Then, import it again here, and we’ll give you the URL for the location where Prisma Access hosts the PAC file.
      2. Edit the PAC file using the
        PAC File Editor
         mode or
        Forwarding rules mode
        .
      3. The
        PAC File Editor
         mode is selected by default. Click
        OK
         to edit in the PAC file edit mode.
      4. Select
        Forwarding rules mode
         and click
        OK
         to edit in the forwarding rules mode. Switching to forwarding rules mode discards the existing settings.
        • Specify an Explicit
          Proxy URL
           with port to be used in the PAC file.
          By default, the name is
          proxyname.proxy.prismaaccess.com
          , where proxyname is the subdomain you specify, and uses port
          8080
          .
        • Configure
          Exclusions in Public Network
           when your Explicit Proxy mobile users connect to Prisma Access from a public network.
          • Configure
            FQDN Exclusions
             and
            IP Address Exclusions
            . The excluded FQDNs and IP addresses won't be forwarded from Prisma Access.
        • Enable Exclusions in Internal Network
           to configure exclusions for specific IP addresses or FQDNs when the explicit proxy mobiles users connect to Prisma Access on the internal network.
          • Specify the below exclusions to have different traffic exclusions when the user is on the internal network.
            • Enter the
              IP Address
               of a host that can be resolved from the internal network only.
            • Enter the
              FQDN
               that resolves to the IP address you enter.
          • Configure exclusions for specific FQDNs and IP addresses. The traffic to specified FQDNs and IP addresses won't be forwarded from Prisma Access.
        • Save
           the changes.
    10. Configure
      Advanced Security Settings
      .
      • If you want to forward traffic to Explicit Proxy from your branches through a secure IPSec tunnel,
        Enable Proxy Mode
         and retrieve anycast IP addresses if you want to use Explicit Proxy in conjunction with a Prisma Access remote network.
        This solution uses anycast addresses with a remote network IPSec tunnel to allow Explicit Proxy to be used for users and devices at a remote network site or branch location.
      • Proxy Mode Deployments Only
         If Proxy Mode is enabled on your remote networks, add a policy to allow traffic bound to anycast and unicast IP on remote networks. If you have enabled
        Source IP visibility and enforcement
        , use the
        Source IP
         field in Security policies in Explicit Proxy to secure the traffic. You need additional policies in the remote networks.
      • (
        Optional
        ) If you enable you enable proxy mode, to leverage the private IP addresses of the systems in your branch locations that are forwarding traffic to Explicit Proxy, select
        Source IP based visibility and enforcement
        .
        This functionality has these requirements:
        • A minimum Prisma Access dataplane of 10.2.4
        • A Panorama Managed Prisma Access deployment with a minimum Cloud Services plugin of 4.1
        • The source IP addresses only display for Remote Network locations that are supported with Explicit Proxy.
      • Specify
        Block Sources
        .
        Add any source IP address traffic that should be blocked to the
        Block Source Address
         list.
        Specify an address, address group, or EDL.
        To exclude IP address list entries from enforcement,
        Add Exception
         and select the IP addresses to exclude from being blocked.
      • Specify
        Blocked Domains
        .
        Specify the domains or domain categories for malicious websites, or for any websites that you do not want users to access. Prisma Access prevents users from accessing the URLs and IP addresses you specify in this area when users initiate an HTTP GET (for unencrypted requests) or HTTP CONNECT (for encrypted requests). Users receive a block page when they attempt to access blocked websites.
      • If you want to exempt any domains that are included in a blocked domain category list, specify them in the
        Exception List
        .
        Any domains that are entered are exempted from being blocked, even if they appear in a domain category that you have blocked.
      • Explicit Proxy requires decryption to authenticate users. Enter the
        Domains used in the authentication flow
        .
      • Enter any IP addresses from which undecrypted HTTPS or HTTP cross-origin resource sharing (CORS) traffic can be allowed to the
        Trusted Source Address
        .
      • To bypass authentication of any trusted source addresses you entered, select
        Skip authentication
        .
        You can use
        Skip authentication
         with
        Source IP based visibility and enforcement
         to Skip authentication of headless systems that can't authenticate, set up security policies, and get visibility of the traffic on Prisma Access Explicit Proxy.
        You can add either IP addresses or subnets. A maximum of 100,000 IP addresses are supported after expanding the subnets.
        If you select
        Skip authentication
         to skip authentication for an address object, and then later want to enable authentication by deselecting
        Skip authentication
         for that address object, it can take up to 24 hours for the change to take effect after you make the change and Commit and Push your changes.
      • If you have an Explicit Proxy deployment and have added a list of trusted source IP addresses, you can
        Use X-Authenticated-User (XAU) headers on incoming HTTP/HTTPS requests for identity
        . Use this functionality to allow users that are logged in from another proxy that use XAU headers for authentication.
        You must click
        Save
         for the XAU setting to take effect.

    Panorama

    Secure Prisma Access mobile users by creating an Explicit Proxy and using a PAC file.
    To secure mobile users with an Explicit Proxy, complete the following steps.
    Before you configure Explicit Proxy, be aware of how explicit proxy works and how explicit proxy identifies users, go through the planning checklist, and learn how to set up the Explicit Proxy PAC file.
    1. Set up authentication for Explicit Proxy.
      SAML and Kerberos are the supported authentication types.
      Use the following guidelines when configuring SAML authentication for the IdP and in Panorama:
      • Panorama Guidelines:
        • Configure a
          SAML Identity Provider
           and an
          Authentication Profile
          , for Prisma Access. You specify the authentication profile you create in a later step.
        • Be sure that you configure the authentication profile under the
          Explicit_Proxy_Template
          .
        • Use
          mail
           as the user attribute in the IdP server profile and in the
          Authentication Profile
           on Panorama.
        • Explicit Proxy does not support
          Sign SAML Message to IdP
           in the SAML Identity Provider Server Profile.
        • When you configure the Cloud Identity Engine to retrieve user and group mapping information, use
          mail
           or
          userPrincipalName
           as the
          SamAccountName
           in Group Mapping.
        • When configuring
          Group Mapping Settings
           during Explicit Proxy setup, use the same Directory Attribute for Primary Username and email, or Prisma Access does not accurately reflect user counts. For example, given the following user profile:
          sAMAccountName: muser
Netbios: example
userPrincipalName: muser@example.com
mail: mobile.user@example.com
          If, in the Cloud Identity Engine configuration, you use a
          Primary Username
          of
          userPrincipalName
           and an
          E-Mail
           of
          mail
          , the user information that Cortex Data Lake returns in traffic logs and the user information that the ACS returns in authentication logs will be different. In this example, ACS sends the
          mail
           attribute (mobile.user@example.com) to the authentication logs and Cortex Data Lake sends the
          userPrincipalName
           attribute (muser@example.com) to the traffic logs. As a result of this mismatch, your user count will not be accurate in the
          Current Users
           and
          Users (Last 90 days)
           fields when checking the Explicit Proxy status in the Status (
          Panorama
          Cloud Services
          Status
          Status
           page. For this reason, use the same directory attribute for
          Primary Username
           and
          E-Mail
           (for example,
          mail
          ) when specifying
          Group Mapping Settings
          .
        • When using Panorama to manage Prisma Access, the Cloud Identity Engine does not auto-populate user and group information in security policy rules.
      • IdP Guidelines:
        • Use the following URLs when configuring SAML:
          SAML Assertion Consumer Service
           URL:
          https://global.acs.prismaaccess.com/saml/acs
          Entity ID
           URL:
          https://global.acs.prismaaccess.com/saml/metadata
        • If you use Okta as the IdP, use
          EmailAddress
           for the
          Name ID Format
           setting.
        • Enter a single sign on URL of
          https://global.acs.prismaaccess.com/saml/acs
          .
        • Single Logout (SLO) is not supported.
        • To troubleshoot IdP authentication issues, use the IdP’s monitoring and troubleshooting capabilities. The ACS does not log IdP authentication failures.
        • When creating an
          Authentication Profile
           for the SAML IdP, in the
          Advanced
           tab, select
          all
           in the
          Allow List
           or Explicit Proxy will not be able to retrieve group mapping.
    2. Configure Explicit Proxy settings.
      1. Select
        Panorama
        Cloud Services
        Configuration
        Mobile Users—Explicit Proxy
         and click the gear icon to edit Explicit Proxy
        Settings
        .
      2. In the
        Settings
         tab, edit the following settings:
        • (
          Optional
          ) Verify the template and template stack names.
          By default, Prisma Access creates a new template stack
          Explicit_Proxy_Template_Stack
           and a new template
          Explicit_Proxy_Template
          . Make sure that you are using this template when you create and edit your
          Device
           settings in Panorama.
        • In the Device Group section, select the
          Parent Device Group
           that contains the configuration settings you want to push for the Explicit Proxy, or leave the parent device group as
          Shared
           to use the Prisma Access device group shared hierarchy. The
          Device Group Name
           cannot be changed.
        • (
          Optional
          ) If you have configured a next-generation firewall as a master device or added a Cloud Identity Engine profile to populate user and group information in security policy rules, select User-ID Master Device or Cloud Identity Engine; then, select either the Master Device or the Cloud Identity Engine profile that you created.
        • In the License Allocation section, specify the number of mobile users to allocate for Explicit Proxy.
      3. In the
        Group Mapping Settings
         tab,
        Enable Directory Sync Integration
         (now known as the Cloud Identity Engine) to configure Prisma Access to use the Cloud Identity Engine to retrieve user and group information.
        You use the Cloud Identity Engine to populate user and group mapping information for an Explicit Proxy deployment.
        Enter
        mail
         for the Directory Attribute in the
        Primary Username
         field and
        mail
         for the
        E-Mail
         field.
      4. Click
        OK
         when finished.
    3. (
      Optional, Innovation Deployments Starting with 3.0 Innovation Only
      ) Configure Block Settings.
      Use Block Settings to block access to an internet destination at the DNS resolution stage.
      To restrict access to Explicit Proxy to specific source IP addresses, you can also use special objects. These Address Objects, Address Groups, and External Dynamic Lists (EDLs) that use specific names allow the IP addresses you specify for internet traffic and block any other IP addresses.
    4. In the
      Authentication Settings
       tab, configure decryption, X-Authenticated-User (XAU), and authentication settings.
      1. Configure your settings for decrypted traffic.
        • Select
          Decrypt Traffic That Matches Existing Decryption rules; For Undecrypted Traffic, Allow Traffic Only From Known IPs Registered By Authenticated Users
           to configure the following decryption rules:
          • Traffic that matches decryption policy rules you have configured with an
            Action
             to
            Decrypt
             or
            Decrypt and Forward
             will be decrypted.
            If a user accesses an undecrypted HTTPS site, and a user has not yet authenticated to Explicit Proxy from that IP address, the user is blocked. However, the user can access a decrypted site, complete authentication, and then access undecrypted sites.
          • Undecrypted traffic is allowed from IP addresses from which mobile user have already authenticated.
          Explicit Proxy requires decryption to authenticate users. Enter the domains that can be decrypted in a custom URL category; then, specify those categories in
          If Authentication traffic is forwarded through Explicit Proxy, specify the domains used in the authentication flow
          .
          Only add the domains that are required for authentication to the Custom URL category you specify, including all ACS and IdP FQDNs. You must add authentication URLs to the Custom URL category, even if you have added them to a decryption policy.
        • To allow all traffic to be decrypted, select
          Decrypt All traffic (Overrides Existing Decryption Rules)
          .
          If you choose this radio button, ensure that:
          • You do not have exceptions in your decryption policy.
          • You are applying source IP address-based restrictions in your security policy.
          Failing to follow these recommendations enables the abuse of Explicit Proxy as an open proxy that can be widely misused as a forwarding service for conducting denial of service attacks.
          • You have at least one SSL Forward Proxy certificate specified as a
            Forward Trust Certificate
            .
            If you do not have a forward trust certificate, create one on Panorama; then,
            Commit and Push
             your changes to Prisma Access. Failure to have a forward trust certificate will cause a commit error when you commit your Explicit Proxy changes.
      2. (
        Optional
        ) Enter any IP addresses from which undecrypted HTTP or HTTP Cross-Origin Resource Sharing (CORS) traffic should be allowed to the
        Trusted Source Address Auth Bypass
        .
        Add the IP addresses to IP address-based Address Objects and
        Add
         the address objects in the field.
        Enter a maximum of 100,000 addresses. Make sure that the address object uses IP addresses only.
      3. (
        Optional
        ) To bypass authentication of any trusted source addresses you entered, select
        Auth Bypass
        .
        You can use
        Auth Bypass
         with
        Source IP based visibility and enforcement
         to skip authentication of headless systems that can't authenticate, set up security policies, and get visibility of the traffic on Prisma Access Explicit Proxy.
        You can add either IP addresses or subnets. A maximum of 100,000 IP addresses are supported after expanding the subnets.
        If you select
        Auth Bypass
         to skip authentication for an address object, and then later want to enable authentication by deselecting
        Auth Bypass
         for that address object, it can take up to 24 hours for the change to take effect after you make the change and Commit and Push your changes.
      4. (
        Optional
        ) To allow the trusted source Address IP addresses to use XAU for identity, select
        Use X-Authenticated-User (XAU) header on incoming HTTP/HTTPS requests for Identity
        .
        Select this option if you if you are using proxy chaining from a third-party proxy to Explicit Proxy, users have authenticated in that proxy, and the proxy uses XAU headers.
        XAU headers are the only HTTP headers supported for Explicit Proxy header ingestion. X-Forwarded-For (XFF) headers are not supported.
      5. (
        Optional
        ) Specify settings for privacy-sensitive websites by creating security policy rules for those sites, then specifying the
        Security Policy
         or policies for those sites in the
        Enforce Authentication Only
         area.
        For any websites you specify in the in the
        Security Policy
         or policies you add, Explicit Proxy decrypts the websites based on the decryption policies, but does not inspect or log the decrypted traffic.
    5. (
      Optional
      ) Configure
      Advanced
       settings.
      1. If you want to forward traffic to Explicit Proxy from your branches through a secure IPSec tunnel,
        Enable Proxy Mode
         and retrieve anycast IP addresses if you want to use Explicit Proxy in conjunction with a Prisma Access remote network.
        This solution uses anycast addresses with a remote network IPSec tunnel to allow Explicit Proxy to be used for users and devices at a remote network site or branch location.
      2. (
        Optional
        ) To leverage the private IP addresses of the systems in your branch locations that are forwarding traffic to Explicit Proxy, select
        Source IP based visibility and enforcement
        .
        This functionality has these requirements:
        • A minimum Prisma Access dataplane of 10.2.4
        • A Panorama Managed Prisma Access deployment with a minimum Cloud Services plugin of 4.1
        • The source IP addresses only display for IP addresses from a remote network after you have configured a Remote Networks-Explicit Proxy deployment and only source addresses in Remote Network locations that are supported with Explicit Proxy.
      3. Proxy Mode Deployments Only
         If Proxy Mode is enabled on your remote networks, add a policy to allow traffic bound to anycast and unicast IP on remote networks. If you have enabled
        Source IP visibility and enforcement
        , use the
        Source IP
         field in Security policies in Explicit Proxy to secure the traffic. You need additional policies in the remote networks.
      4. Click
        OK
        .
    6. Click
      Configure
       to configure Explicit Proxy setup.
      1. Specify an
        Explicit Proxy FQDN
        .
        By default, the name is
        proxyname
        .proxy.prismaaccess.com, where
        proxyname
         is the subdomain you specify, and uses port 8080. If you want to use your organization’s domain name in the Explicit Proxy URL (for example, thisproxy.proxy.mycompany.com), enter a CNAME record your organization’s domain.
        For example, to map a proxy URL named thisproxy.prismaaccess.com to a proxy named thisproxy.proxy.mycompany.com, you would add a CNAME of thisproxy.proxy.prismaaccess.com to the CNAME record in your organization’s domain.
      2. (
        Optional
        ) Select
        Use GlobalProtect Agent to Authenticate
         to enable the agent-based proxy functionality.
        Enable this feature if you want to use Prisma Access Explicit Proxy connectivity in GlobalProtect.
        You also must select this check box to enable
        Source IP based visibility and enforcement
        .
      3. Specify an
        Authentication Profile
         and
        Cookie Lifetime
        .
        • Specify the SAML
          Authentication Profile
           you used in Step 1, or add a
          New
           authentication profile to use with Prisma Access.
          You must configure SAML authentication, including configuring a
          SAML Identity Provider
           (IdP) and an
          Authentication Profile
          , to use an Explicit Proxy.
        • (
          Optional
          ) Specify a
          Cookie Lifetime
           for the cookie that stores the users’ authentication credentials.
          Prisma Access caches the user’s credentials and stores them in the form of a cookie. To change the value, specify the length of time to use in Seconds, Minutes, Hours, or Days.
          To prevent issues with users not being able to download large files before the cookie lifetime expires, or the cookie expiring when users are accessing a single website for a long period of time, Palo Alto Networks recommends that you configure a Cookie Lifetime of at least one day. If Explicit Proxy users have a cookie lifetime expiration issue, they can browse to a different website to re-authenticate to ACS and refresh the ACS cookie.
          If you are downloading a file, and the file download takes longer than the
          Cookie Lifetime
          , the file download will terminate when the lifetime value expires. For this reason, consider using a longer
          Cookie Lifetime
           if you download large files that take a long time to download.
    7. Select the
      Locations
       and the regions associated with those locations where you want to deploy your Explicit Proxy for mobile users. Prisma Access adds a proxy node into each location you select.
      Explicit Proxy supports a subset of all Prisma Access locations. See Explicit Proxy — Guidelines for the list of locations.
      The
      Locations
       tab displays a map. Highlighting the map shows the global regions (Americas, Europe, and Asia Pacific) and the locations available inside each region. Select a region, then select the locations you want to deploy in each region.
      You should enable Explicit Proxy locations in at least two regions to ensure regional redundancy.
      1. Click the
        Locations
         tab and select a region.
      2. Select one or more Explicit Proxy locations within your selected region using the map.
        Hovering your cursor over a location highlights it. White circles indicate an available location; green circles indicate that you have selected that location.
        In addition to the map view, you can view a list of regions and locations. Choose between the map and list view from the lower left corner. In the list view, the list displays regions sorted by columns, with all locations sorted by region. You can select
        All
         sites within a region (top of the dialog).
      3. Click
        OK
         to add the locations.
    8. Configure security policy rules to enforce your organization’s security policies.
      To make required configuration changes and to control the URLs that mobile users can access from Explicit Proxy, use security policies. Use the following guidelines and requirements when configuring your security policies:
      • Based on your business goals, create security policies for sanctioned internet and SaaS apps using App-ID and user groups that need access to those applications.
      • Attach security profiles to all security policy rules so that you can prevent both known and unknown threats following the security profile best practices.
    9. Commit your changes to Panorama and push the configuration changes to Prisma Access.
      1. Click
        Commit
        Commit and Push
        .
      2. Edit Selections
         and, in the
        Prisma Access
         tab, make sure that
        Explicit Proxy
         is selected in the
        Push Scope
        , then click
        OK
        .
      3. Click
        Commit and Push
        .
    10. Select the PAC file to use with Explicit Proxy.
      1. Select
        Panorama
        Cloud Services
        Configuration
        Mobile Users
        Explicit Proxy
        .
        Be sure that you enter a port of 8080 in the PAC file.
      2. Select the
        Connection Name
         for the Explicit Proxy setup you just configured.
      3. Enter the
        PAC (Proxy Auto-Configuration) File
         to use for Explicit Proxy.
        Be sure that you understand how PAC files work and how to modify them before you upload them to Prisma Access.
        Browse
         and upload the file.
        Prisma Access provides you with a sample PAC file; you can
        Download sample PAC file
        , change the values, and upload that file. See Set Up Your Explicit Proxy PAC File for PAC file requirements and guidelines as we as a description of the contents of the sample PAC file.

    Recommended For You

    © 2023 Palo Alto Networks, Inc. All rights reserved.