Public Web Application Access for Secure Agentless Access
You can enable secure, isolated access to public web applications (SaaS apps) for
unmanaged users, protecting enterprise data through browser-based isolation without requiring
endpoint agents.
Where Can I Use This?
- Prisma Access (Managed by Strata Cloud Manager)
- Prisma Access (Managed by Panorama)
What Do I Need?
- Minimum Prisma Access version: 6.1 Preferred
- Minimum PAN-OS dataplane version: 11.2.7
- Prisma Access license with a Mobile User subscription
- Remote Browser Isolation (RBI) license for data controls for SaaS applications
- Cloud Identity Engine (CIE) for user authentication
- Network Administrator or Superuser role
Organizations increasingly rely on SaaS applications such as Salesforce, Microsoft
365, and other cloud-hosted services for day-to-day operations. When employees,
contractors, and partners access these applications from unmanaged devices, sensitive
corporate data is exposed to risks including data exfiltration, malware injection, and
session hijacking. Traditional security approaches that require endpoint agents or VPN
clients are not viable for these unmanaged users, who may lack administrative rights on
their devices or be subject to policies that prohibit installing additional
software.
Public Web Application Access with Remote Browser Isolation addresses this challenge
by rendering SaaS application content in a secure, cloud-hosted browser environment
rather than directly on the user's device. This approach ensures that corporate data
never reaches the endpoint while still providing users with a seamless browsing
experience. The user interacts with a visual stream of the application, and all data
processing occurs within the isolated environment managed by Palo Alto Networks.
Unlike private web applications that reside within an organization's data center,
public web applications are hosted by third-party SaaS providers on the public internet.
Secure Agentless Access with Remote Browser Isolation extends the existing SAA
architecture to provide isolated access to these SaaS applications, preventing data
leakage through clipboard restrictions, download controls, and session isolation—all
without requiring any software installation on the user's device.
How It Works
When an unmanaged user accesses a public web application through the Secure
Agentless Access portal, the following occurs:
- The user authenticates through Cloud Identity Engine and accesses the SAA
portal.
- The user selects a public web application (for example, Salesforce) from the
portal.
- Secure Agentless Access routes the request through the Mobile User (MU)
gateway, which evaluates the security policy.
- The MU gateway determines that the traffic must be isolated based on the URL
Access Management configuration.
- The session is redirected to Remote Browser Isolation, which renders the
application in a secure cloud environment.
- The user interacts with the application through the isolated session. All
in-tab navigation remains within the isolated environment.
Key Capabilities
- Mandatory isolation—App isolation is enabled by default for public
web applications and cannot be disabled. All SaaS application traffic from
unmanaged users is rendered through Remote Browser Isolation.
- Managed certificate lifecycle—Palo Alto Networks can generate and
maintain Let's Encrypt certificates for the access domain, eliminating
certificate management overhead for administrators.
- Seamless user experience—Users access SaaS applications through a
familiar browser interface with an isolation banner indicating the secure
session. In-tab navigation remains fully functional within the isolated
environment.
- No endpoint software required—Users access applications through a
standard web browser without installing agents, VPN clients, or browser
extensions.
- Granular URL-based isolation—You define which application domains
are isolated through custom URL categories and URL Access Management profiles,
providing precise control over which SaaS applications receive isolation
treatment.
- Session management—Idle timeout (30 minutes) and authentication
token expiration (3 hours) protect against unauthorized access from unattended
sessions.
- Targeted isolation for unmanaged users: You can enable browser isolation
exclusively for unmanaged users while allowing managed users (for example, users
with GlobalProtect or the Prisma Access Agent) to access the same SaaS
applications directly. This provides secure access for unmanaged users without
impacting the seamless user experience or performance for managed users.
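The following is an added illustration, not Palo Alto Networks code, of the decision flow described under How It Works and the session and targeted-isolation behaviour listed under Key Capabilities: a request from an unmanaged user to a domain in the custom URL category is sent to Remote Browser Isolation, a managed user reaches the same application directly, and a session past the 30-minute idle timeout or the 3-hour token lifetime is not served. The category contents, the `Session` fields, the `decide` model and the "normal_policy" outcome for domains outside the category are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from urllib.parse import urlparse

IDLE_TIMEOUT = timedelta(minutes=30)     # idle timeout stated on the page
TOKEN_LIFETIME = timedelta(hours=3)      # authentication token expiration
# Hypothetical custom URL category: SaaS domains (plus subdomains) to isolate.
ISOLATED_CATEGORY = {"salesforce.com", "office.com"}

@dataclass
class Session:
    user: str
    managed: bool            # True for GlobalProtect / Prisma Access Agent users
    token_issued: datetime   # when Cloud Identity Engine authenticated the user
    last_activity: datetime

def in_isolated_category(url: str) -> bool:
    """Suffix match on the host: app.salesforce.com matches, notsalesforce.com does not."""
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ISOLATED_CATEGORY)

def session_state(s: Session, now: datetime) -> str:
    # Token expiry is checked first: it forces re-authentication even for an active user.
    if now - s.token_issued > TOKEN_LIFETIME:
        return "reauthenticate"
    if now - s.last_activity > IDLE_TIMEOUT:
        return "idle_timeout"
    return "active"

def decide(s: Session, url: str, now: datetime) -> str:
    """Assumed model of the MU gateway decision for one request."""
    state = session_state(s, now)
    if state != "active":
        return state
    if not in_isolated_category(url):
        return "normal_policy"   # outside the category: ordinary policy applies (assumption)
    return "direct" if s.managed else "isolate"   # targeted isolation for unmanaged users

def demo() -> list:
    # Constructed scenarios; returns the decision for each.
    t0 = datetime(2024, 1, 1, 9, 0)
    unmanaged = Session("alice", False, t0, t0)
    managed = Session("bob", True, t0, t0)
    stale = Session("carol", False, t0, t0 + timedelta(hours=2, minutes=55))
    return [
        decide(unmanaged, "https://login.salesforce.com/", t0 + timedelta(minutes=5)),
        decide(managed, "https://login.salesforce.com/", t0 + timedelta(minutes=5)),
        decide(unmanaged, "https://example.org/", t0 + timedelta(minutes=5)),
        decide(unmanaged, "https://salesforce.com/", t0 + timedelta(minutes=31)),
        decide(stale, "https://salesforce.com/", t0 + timedelta(hours=3, minutes=1)),
    ]
```

Note that the last scenario is recently active but still returns "reauthenticate", because the token lifetime is an absolute limit that idle activity does not extend.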