Panorama
Focus
Focus
Prisma Access

Panorama

Table of Contents


Panorama

Secure
Prisma Access
mobile users by creating an Explicit Proxy and using a PAC file.
To secure mobile users with an Explicit Proxy, complete the following steps.
Before you configure Explicit Proxy, be aware of how explicit proxy works and how explicit proxy identifies users, go through the planning checklist, and learn how to set up the Explicit Proxy PAC file.
  1. Set up authentication for Explicit Proxy.
    SAML and Kerberos are the supported authentication types.
    Use the following guidelines when configuring SAML authentication for the IdP and in Panorama:
    • Panorama Guidelines:
      • Configure a
        SAML Identity Provider
        and an
        Authentication Profile
        , for Prisma Access. You specify the authentication profile you create in a later step.
      • Be sure that you configure the authentication profile under the
        Explicit_Proxy_Template
        .
      • Use
        mail
        as the user attribute in the IdP server profile and in the
        Authentication Profile
        on Panorama.
      • Explicit Proxy does not support
        Sign SAML Message to IdP
        in the SAML Identity Provider Server Profile.
      • When you configure the Cloud Identity Engine to retrieve user and group mapping information, use
        mail
        or
        userPrincipalName
        as the
        SamAccountName
        in Group Mapping.
      • When configuring
        Group Mapping Settings
        during Explicit Proxy setup, use the same Directory Attribute for Primary Username and email, or
        Prisma Access
        does not accurately reflect user counts. For example, given the following user profile:
        sAMAccountName: muser Netbios: example userPrincipalName: muser@example.com mail: mobile.user@example.com
        If, in the Cloud Identity Engine configuration, you use a
        Primary Username
        of
        userPrincipalName
        and an
        E-Mail
        of
        mail
        , the user information that Cortex Data Lake returns in traffic logs and the user information that the ACS returns in authentication logs will be different. In this example, ACS sends the
        mail
        attribute (mobile.user@example.com) to the authentication logs and Cortex Data Lake sends the
        userPrincipalName
        attribute (muser@example.com) to the traffic logs. As a result of this mismatch, your user count will not be accurate in the
        Current Users
        and
        Users (Last 90 days)
        fields when checking the Explicit Proxy status in the Status (
        Panorama
        Cloud Services
        Status
        Status
        page. For this reason, use the same directory attribute for
        Primary Username
        and
        E-Mail
        (for example,
        mail
        ) when specifying
        Group Mapping Settings
        .
      • When using Panorama to manage
        Prisma Access
        , the Cloud Identity Engine does not auto-populate user and group information in security policy rules.
    • IdP Guidelines:
      • Use the following URLs when configuring SAML:
        SAML Assertion Consumer Service
        URL:
        https://global.acs.prismaaccess.com/saml/acs
        Entity ID
        URL:
        https://global.acs.prismaaccess.com/saml/metadata
      • If you use Okta as the IdP, use
        EmailAddress
        for the
        Name ID Format
        setting.
      • Enter a single sign on URL of
        https://global.acs.prismaaccess.com/saml/acs
        .
      • Single Logout (SLO) is not supported.
      • To troubleshoot IdP authentication issues, use the IdP’s monitoring and troubleshooting capabilities. The ACS does not log IdP authentication failures.
      • When creating an
        Authentication Profile
        for the SAML IdP, in the
        Advanced
        tab, select
        all
        in the
        Allow List
        or Explicit Proxy will not be able to retrieve group mapping.
  2. Configure Explicit Proxy settings.
    1. Select
      Panorama
      Cloud Services
      Configuration
      Mobile Users—Explicit Proxy
      and click the gear icon to edit Explicit Proxy
      Settings
      .
    2. In the
      Settings
      tab, edit the following settings:
      • (
        Optional
        ) Verify the template and template stack names.
        By default,
        Prisma Access
        creates a new template stack
        Explicit_Proxy_Template_Stack
        and a new template
        Explicit_Proxy_Template
        . Make sure that you are using this template when you create and edit your
        Device
        settings in Panorama.
      • In the Device Group section, select the
        Parent Device Group
        that contains the configuration settings you want to push for the Explicit Proxy, or leave the parent device group as
        Shared
        to use the
        Prisma Access
        device group shared hierarchy. The
        Device Group Name
        cannot be changed.
      • (
        Optional
        ) If you have configured a next-generation firewall as a master device or added a Cloud Identity Engine profile to populate user and group information in security policy rules, select User-ID Master Device or Cloud Identity Engine; then, select either the Master Device or the Cloud Identity Engine profile that you created.
      • In the License Allocation section, specify the number of mobile users to allocate for Explicit Proxy.
    3. In the
      Group Mapping Settings
      tab,
      Enable Directory Sync Integration
      (now known as the Cloud Identity Engine) to configure
      Prisma Access
      to use the Cloud Identity Engine to retrieve user and group information.
      You use the Cloud Identity Engine to populate user and group mapping information for an Explicit Proxy deployment.
      Enter
      mail
      for the Directory Attribute in the
      Primary Username
      field and
      mail
      for the
      E-Mail
      field.
    4. Click
      OK
      when finished.
  3. (
    Optional, Innovation Deployments Starting with 3.0 Innovation Only
    ) Configure Block Settings.
    Use Block Settings to block access to an internet destination at the DNS resolution stage.
    To restrict access to Explicit Proxy to specific source IP addresses, you can also use special objects. These Address Objects, Address Groups, and External Dynamic Lists (EDLs) that use specific names allow the IP addresses you specify for internet traffic and block any other IP addresses.
  4. In the
    Authentication Settings
    tab, configure decryption, X-Authenticated-User (XAU), and authentication settings.
    1. Configure your settings for decrypted traffic.
      • Select
        Decrypt Traffic That Matches Existing Decryption rules; For Undecrypted Traffic, Allow Traffic Only From Known IPs Registered By Authenticated Users
        to configure the following decryption rules:
        • Traffic that matches decryption policy rules you have configured with an
          Action
          to
          Decrypt
          or
          Decrypt and Forward
          will be decrypted.
          If a user accesses an undecrypted HTTPS site, and a user has not yet authenticated to Explicit Proxy from that IP address, the user is blocked. However, the user can access a decrypted site, complete authentication, and then access undecrypted sites.
        • Undecrypted traffic is allowed from IP addresses from which mobile user have already authenticated.
        Explicit Proxy requires decryption to authenticate users. Enter the domains that can be decrypted in a custom URL category; then, specify those categories in
        If Authentication traffic is forwarded through Explicit Proxy, specify the domains used in the authentication flow
        .
        Only add the domains that are required for authentication to the Custom URL category you specify, including all ACS and IdP FQDNs. You must add authentication URLs to the Custom URL category, even if you have added them to a decryption policy.
      • To allow all traffic to be decrypted, select
        Decrypt All traffic (Overrides Existing Decryption Rules)
        .
        If you choose this radio button, ensure that:
        • You do not have exceptions in your decryption policy.
        • You are applying source IP address-based restrictions in your security policy.
        Failing to follow these recommendations enables the abuse of Explicit Proxy as an open proxy that can be widely misused as a forwarding service for conducting denial of service attacks.
        • You have at least one SSL Forward Proxy certificate specified as a
          Forward Trust Certificate
          .
          If you do not have a forward trust certificate, create one on Panorama; then,
          Commit and Push
          your changes to
          Prisma Access
          . Failure to have a forward trust certificate will cause a commit error when you commit your Explicit Proxy changes.
    2. (
      Optional
      ) Enter any IP addresses from which undecrypted HTTP or HTTP Cross-Origin Resource Sharing (CORS) traffic should be allowed to the
      Trusted Source Address Auth Bypass
      .
      Add the IP addresses to IP address-based Address Objects and
      Add
      the address objects in the field.
      Enter a maximum of 100,000 addresses. Make sure that the address object uses IP addresses only.
    3. (
      Optional
      ) To bypass authentication of any trusted source addresses you entered, select
      Auth Bypass
      .
      You can use
      Auth Bypass
      with
      Source IP based visibility and enforcement
      to skip authentication of headless systems that can't authenticate, set up security policies, and get visibility of the traffic on Prisma Access Explicit Proxy.
      You can add either IP addresses or subnets. A maximum of 100,000 IP addresses are supported after expanding the subnets.
      If you select
      Auth Bypass
      to skip authentication for an address object, and then later want to enable authentication by deselecting
      Auth Bypass
      for that address object, it can take up to 24 hours for the change to take effect after you make the change and Commit and Push your changes.
    4. (
      Optional
      ) To allow the trusted source Address IP addresses to use XAU for identity, select
      Use X-Authenticated-User (XAU) header on incoming HTTP/HTTPS requests for Identity
      .
      Select this option if you if you are using proxy chaining from a third-party proxy to Explicit Proxy, users have authenticated in that proxy, and the proxy uses XAU headers.
      XAU headers are the only HTTP headers supported for Explicit Proxy header ingestion. X-Forwarded-For (XFF) headers are not supported.
    5. (
      Optional
      ) Specify settings for privacy-sensitive websites by creating security policy rules for those sites, then specifying the
      Security Policy
      or policies for those sites in the
      Enforce Authentication Only
      area.
      For any websites you specify in the in the
      Security Policy
      or policies you add, Explicit Proxy decrypts the websites based on the decryption policies, but does not inspect or log the decrypted traffic.
  5. (
    Optional
    ) Configure
    Advanced
    settings.
    1. If you want to forward traffic to Explicit Proxy from your branches through a secure IPSec tunnel,
      Enable Proxy Mode
      and retrieve anycast IP addresses if you want to use Explicit Proxy in conjunction with a .
      This solution uses anycast addresses with a remote network IPSec tunnel to allow Explicit Proxy to be used for users and devices at a remote network site or branch location.
    2. (
      Optional
      ) To leverage the private IP addresses of the systems in your branch locations that are forwarding traffic to Explicit Proxy, select
      Source IP based visibility and enforcement
      .
      This functionality has these requirements:
      • A minimum
        Prisma Access
        dataplane of 10.2.4
      • A
        Prisma Access (Panorama Managed)
        deployment with a minimum Cloud Services plugin of 4.1
      • The source IP addresses only display for IP addresses from a remote network after you have configured a Remote Networks-Explicit Proxy deployment and only source addresses in Remote Network locations that are supported with Explicit Proxy.
    3. Proxy Mode Deployments Only
      If Proxy Mode is enabled on your remote networks, add a policy to allow traffic bound to anycast and unicast IP on remote networks. If you have enabled
      Source IP visibility and enforcement
      , use the
      Source IP
      field in Security policies in Explicit Proxy to secure the traffic. You need additional policies in the remote networks.
    4. Click
      OK
      .
  6. Click
    Configure
    to configure Explicit Proxy setup.
    1. Specify an
      Explicit Proxy FQDN
      .
      By default, the name is
      proxyname
      .proxy.prismaaccess.com, where
      proxyname
      is the subdomain you specify, and uses port 8080. If you want to use your organization’s domain name in the Explicit Proxy URL (for example, thisproxy.proxy.mycompany.com), enter a CNAME record your organization’s domain.
      For example, to map a proxy URL named thisproxy.prismaaccess.com to a proxy named thisproxy.proxy.mycompany.com, you would add a CNAME of thisproxy.proxy.prismaaccess.com to the CNAME record in your organization’s domain.
    2. (
      Optional
      ) Select
      Use GlobalProtect Agent to Authenticate
      to enable the agent-based proxy functionality.
      Enable this feature if you want to use
      Prisma Access
      .
      You also must select this check box to enable
      Source IP based visibility and enforcement
      .
    3. Specify an
      Authentication Profile
      and
      Cookie Lifetime
      .
      • Specify the SAML
        Authentication Profile
        you used in Step 1, or add a
        New
        authentication profile to use with
        Prisma Access
        .
        You must configure SAML authentication, including configuring a
        SAML Identity Provider
        (IdP) and an
        Authentication Profile
        , to use an Explicit Proxy.
      • (
        Optional
        ) Specify a
        Cookie Lifetime
        for the cookie that stores the users’ authentication credentials.
        Prisma Access caches the user’s credentials and stores them in the form of a cookie. To change the value, specify the length of time to use in Seconds, Minutes, Hours, or Days.
        To prevent issues with users not being able to download large files before the cookie lifetime expires, or the cookie expiring when users are accessing a single website for a long period of time, Palo Alto Networks recommends that you configure a Cookie Lifetime of at least one day. If Explicit Proxy users have a cookie lifetime expiration issue, they can browse to a different website to re-authenticate to ACS and refresh the ACS cookie.
        If you are downloading a file, and the file download takes longer than the
        Cookie Lifetime
        , the file download will terminate when the lifetime value expires. For this reason, consider using a longer
        Cookie Lifetime
        if you download large files that take a long time to download.
  7. Select the
    Locations
    and the regions associated with those locations where you want to deploy your Explicit Proxy for mobile users.
    Prisma Access
    adds a proxy node into each location you select.
    Explicit Proxy supports a subset of all
    Prisma Access
    locations. See Explicit Proxy — Guidelines for the list of locations.
    The
    Locations
    tab displays a map. Highlighting the map shows the global regions (Americas, Europe, and Asia Pacific) and the locations available inside each region. Select a region, then select the locations you want to deploy in each region.
    You should enable Explicit Proxy locations in at least two regions to ensure regional redundancy.
    1. Click the
      Locations
      tab and select a region.
    2. Select one or more Explicit Proxy locations within your selected region using the map.
      Hovering your cursor over a location highlights it. White circles indicate an available location; green circles indicate that you have selected that location.
      In addition to the map view, you can view a list of regions and locations. Choose between the map and list view from the lower left corner. In the list view, the list displays regions sorted by columns, with all locations sorted by region. You can select
      All
      sites within a region (top of the dialog).
    3. Click
      OK
      to add the locations.
  8. Configure security policy rules to enforce your organization’s security policies.
    To make required configuration changes and to control the URLs that mobile users can access from Explicit Proxy, use security policies. Use the following guidelines and requirements when configuring your security policies:
    • Based on your business goals, create security policies for sanctioned internet and SaaS apps using App-ID and user groups that need access to those applications.
    • Attach security profiles to all security policy rules so that you can prevent both known and unknown threats following the security profile best practices.
  9. Commit your changes to Panorama and push the configuration changes to
    Prisma Access
    .
    1. Click
      Commit
      Commit and Push
      .
    2. Edit Selections
      and, in the
      Prisma Access
      tab, make sure that
      Explicit Proxy
      is selected in the
      Push Scope
      , then click
      OK
      .
    3. Click
      Commit and Push
      .
  10. Select the PAC file to use with Explicit Proxy.
    1. Select
      Panorama
      Cloud Services
      Configuration
      Mobile Users
      Explicit Proxy
      .
      Be sure that you enter a port of 8080 in the PAC file.
    2. Select the
      Connection Name
      for the Explicit Proxy setup you just configured.
    3. Enter the
      PAC (Proxy Auto-Configuration) File
      to use for Explicit Proxy.
      Be sure that you understand how PAC files work and how to modify them before you upload them to
      Prisma Access
      .
      Browse
      and upload the file.
      Prisma Access
      provides you with a sample PAC file; you can
      Download sample PAC file
      , change the values, and upload that file. See Set Up Your Explicit Proxy PAC File for PAC file requirements and guidelines as we as a description of the contents of the sample PAC file.


Recommended For You