Secure Mobile Users with an Explicit Proxy

Configure SAML authentication, including configuring a
SAML Identity Provider
and an
Authentication Profile
, for Prisma Access. You specify the authentication profile you create in a later step.
Use the following guidelines when configuring authentication for the IdP and in Panorama:
Panorama Guidelines:
Be sure that you configure the authentication profile under the
Explicit_Proxy_Template
.
Use
mail
as the user attribute in the IdP server profile and in the
Authentication Profile
on Panorama.
Explicit Proxy does not support
Sign SAML Message to IdP
in the SAML Identity Provider Server Profile.
When you configure the Cloud Identity Engine to retrieve user and group mapping information, use
mail
or
userPrincipalName
as the
SamAccountName
in Group Mapping.
When configuring
Group Mapping Settings
during Explicit Proxy setup, use the same Directory Attribute for Primary Username and email, or Prisma Access does not accurately reflect user counts. For example, given the following user profile:
sAMAccountName: muser
Netbios: example
userPrincipalName: muser@example.com
mail: mobile.user@example.com
If, in the Cloud Identity Engine configuration, you use a
Primary Username
of
userPrincipalName
and an
E-Mail
of
mail
, the user information that Cortex Data Lake returns in traffic logs and the user information that the ACS returns in authentication logs will be different. In this example, ACS sends the
mail
attribute (mobile.user@example.com) to the authentication logs and Cortex Data Lake sends the
userPrincipalName
attribute (muser@example.com) to the traffic logs. As a result of this mismatch, your user count will not be accurate in the
Current Users
and
Users (Last 90 days)
fields when checking the Explicit Proxy status in the Status (
Panorama
Cloud Services
Status
Status
page. For this reason, use the same directory attribute for
Primary Username
and
E-Mail
(for example,
mail
) when specifying
Group Mapping Settings
.
When using Panorama to manage Prisma Access, the Cloud Identity Engine does not auto-populate user and group information in security policy rules.
IdP Guidelines:
Use the following URLs when configuring SAML:
SAML Assertion Consumer Service
URL:
https://global.acs.prismaaccess.com/saml/acs
Entity ID
URL:
https://global.acs.prismaaccess.com/saml/metadata
If you use Okta as the IdP, use
EmailAddress
for the
Name ID Format
setting.
Enter a single sign on URL of
https://global.acs.prismaaccess.com/saml/acs
.
Single Logout (SLO) is not supported.
To troubleshoot IdP authentication issues, use the IdP’s monitoring and troubleshooting capabilities. The ACS does not log IdP authentication failures.
When creating an
Authentication Profile
for the SAML IdP, in the
Advanced
tab, select
all
in the
Allow List
or Explicit Proxy will not be able to retrieve group mapping.
Configure Explicit Proxy settings.
Select
Panorama
Cloud Services
Configuration
Mobile Users—Explicit Proxy
and click the gear icon to edit Explicit Proxy
Settings
.
In the
Settings
tab, edit the following settings:
(
Optional
) In the Templates section,
Add
the template or templates that contains the configuration you want to push for Explicit Proxy.
By default, Prisma Access creates a new template stack
Explicit_Proxy_Template_Stack
and a new template
Explicit_Proxy_Template
. If you have existing settings you want to import, import them now. If you are starting with a new Explicit Proxy configuration, make sure that you are using this template when you create and edit your
Network
and
Device
settings in Panorama.
You can
Add
more than one existing template to the stack and then order them appropriately using
Move Up
and
Move Down
. Panorama evaluates the templates in the stack from top to bottom, and settings in templates that are higher in the stack take priority over the same settings specified in templates that are lower in the stack. You cannot move the default
Explicit_Proxy_Template
from the top of the stack; this prevents you from overriding any required Explicit Proxy settings.
In the Device Group section, select the
Parent Device Group
that contains the configuration settings you want to push for the Explicit Proxy, or leave the parent device group as
Shared
to use the Prisma Access device group shared hierarchy. The
Device Group Name
cannot be changed.
(
Optional
) Specify a
Master Device
.
Explicit Proxy uses the Cloud Identity Engine to retrieve user and group mapping information. The Cloud Identity Engine does not auto-populate user and group information to security policy rules and to Panorama. To simplify rule creation based on user and group information, you can associate an on-premises or VM-series next generation firewall using a master device.
In the License Allocation section, specify the number of mobile users to allocate for Explicit Proxy.

In the
Group Mapping Settings
tab,
Enable Directory Sync Integration
(now known as the Cloud Identity Engine) to configure Prisma Access to use the Cloud Identity Engine to retrieve user and group information.
You use the Cloud Identity Engine to populate user and group mapping information for an Explicit Proxy deployment. To configure the Cloud Identity Engine, you set up the Cloud Identity Engine on your AD and associate the Panorama that manages Prisma Access with the Cloud Identity Engine in the hub; then, set up the Cloud Identity Engine in Prisma Access.
Enter
mail
for the Directory Attribute in the
Primary Username
field and
mail
for the
E-Mail
field.

Click
OK
when finished.
In the
Authentication Settings
tab, configure decryption, X-Authenticated-User (XAU), and authentication settings.
Configure your settings for decrypted traffic.
Select
Decrypt traffic that matches existing decryption rules; for undecrypted traffic, allow traffic only from known IPs registered by authenticated users
to configure the following decryption rules:
Traffic that matches decryption policy rules you have configured with an
Action
to
Decrypt
or
Decrypt and Forward
will be decrypted.
If a user accesses an undecrypted HTTPS site, and a user has not yet authenticated to Explicit Proxy from that IP address, the user is blocked. However, the user can access a decrypted site, complete authentication, and then access undecrypted sites.
Undecrypted traffic is allowed from IP addresses from which mobile user have already authenticated.
Explicit Proxy requires decryption to authenticate users. Enter the domains that can be decrypted in a custom URL category; then, specify those categories in
If Authentication traffic is forwarded through Explicit Proxy, specify the domains used in the authentication flow
.
Only add the domains that are required for authentication to the Custom URL category you specify, including all ACS and IdP FQDNs. You must add authentication URLs to the Custom URL category, regardless of whether or not you have added them to a decryption policy.
To allow all traffic to be decrypted, select
Decrypt all traffic (Overrides existing decryption rules)
.
If you choose this radio button, ensure that:
You do not have exceptions in your decryption policy.
You are applying source IP address-based restrictions in your security policy.
Failing to follow these recommendations enables the abuse of Explicit Proxy as an open proxy that can be widely misused as a forwarding service for conducting denial of service attacks.
You have at least one SSL Forward Proxy certificate specified as a
Forward Trust Certificate
.
If you do not have a forward trust certificate, create one on Panorama; then,
Commit and Push
your changes to Prisma Access. Failure to have a forward trust certificate will cause a commit error when you commit your Explicit Proxy changes.
(
Optional
) If you want to allow traffic from specific IP addresses to use XAU for authentication, create an address object and specify the IP addresses that will use XAU for authentication; then,
Add
the address object in the
Trusted Source Address
field.
This option is useful if you are using proxy chaining from a third-party proxy to Explicit Proxy, users have authenticated in that proxy, and the proxy uses XAU headers.
XAU headers are the only HTTP headers supported for Explicit Proxy header ingestion. X-Forwarded-For (XFF) headers are not supported.
Make sure that the address object uses IP addresses.
(
Optional
) Specify settings for privacy-sensitive websites by creating security policy rules for those sites, then specifying the
Security Policy
or policies for those sites in the
Enforce Authentication Only
area.
For any websites you specify in the in the
Security Policy
or policies you add, Explicit Proxy decrypts the websites based on the decryption policies, but does not inspect or log the decrypted traffic.

Click
Configure
to configure Explicit Proxy setup.
Specify an
Explicit Proxy URL
.
By default, the name is
proxyname
.proxy.prismaaccess.com, where
proxyname
is the subdomain you specify, and uses port 8080. If you want to use your organization’s domain name in the Explicit Proxy URL (for example, thisproxy.proxy.mycompany.com), enter a CNAME record your organization’s domain.
For example, to map a proxy URL named thisproxy.prismaaccess.com to a proxy named thisproxy.proxy.mycompany.com, you would add a CNAME of thisproxy.proxy.prismaaccess.com to the CNAME record in your organization’s domain.
Specify an
Authentication Profile
and
Cookie Lifetime
.
Specify the SAML
Authentication Profile
you used in Step 1, or add a
New
authentication profile to use with Prisma Access.
You must configure SAML authentication, including configuring a
SAML Identity Provider
(IdP) and an
Authentication Profile
, to use an Explicit Proxy.
(
Optional
) Specify a
Cookie Lifetime
for the cookie that stores the users’ authentication credentials.
Prisma Access caches the user’s credentials and stores them in the form of a cookie. To change the value, specify the length of time to use in Seconds, Minutes, Hours, or Days.
To prevent issues with users not being able to download large files before the cookie lifetime expires, or the cookie expiring when users are accessing a single website for a long period of time, Palo Alto Networks recommends that you configure a Cookie Lifetime of at least one day. If Explicit Proxy users have a cookie lifetime expiration issue, they can browse to a different website to re-authenticate to ACS and refresh the ACS cookie.
If you are downloading a file, and the file download takes longer than the
Cookie Lifetime
, the file download will terminate when the lifetime value expires. For this reason, consider using a longer
Cookie Lifetime
if you download large files that take a long time to download.
Select the
Locations
and the regions associated with those locations where you want to deploy your Explicit Proxy for mobile users. Prisma Access adds a proxy node into each location you select.
Explicit Proxy supports a subset of all Prisma Access locations. See Explicit Proxy Locations for the list of locations.
The
Locations
tab displays a map. Highlighting the map shows the global regions (Americas, Europe, and Asia Pacific) and the locations available inside each region. Select a region, then select the locations you want to deploy in each region. Limiting your deployment to a single region provides more granular control over deployed regions and allows you to exclude regions as required by your policy or industry regulations. See Prisma Access Locations for the list of regions and locations. You can select a location in a region that is closest to your mobile users, or select a location as required by your policy or industry regulations.
Click the
Locations
tab and select a region.

Select one or more Explicit Proxy locations within your selected region using the map.
Hovering your cursor over a location highlights it. White circles indicate an available location; green circles indicate that you have selected that location.

In addition to the map view, you can view a list of regions and locations. Choose between the map and list view from the lower left corner. In the list view, the list displays regions sorted by columns, with all locations sorted by region. You can select
All
sites within a region (top of the dialog).

Click
OK
to add the locations.
Configure security policy rules to enforce your organization’s security policies.
To make required configuration changes and to control the URLs that mobile users can access from Explicit Proxy, use security policies. Use the following guidelines and requirements when configuring your security policies:
Based on your business goals, create security policies for sanctioned internet and SaaS apps using App-ID and user groups that need access to those applications.
Attach security profiles to all security policy rules so that you can prevent both known and unknown threats following the security profile best practices.
Commit your changes to Panorama and push the configuration changes to Prisma Access.
Click
Commit
Commit and Push
.
Edit Selections
and, in the
Prisma Access
tab, make sure that
Explicit Proxy
is selected in the
Push Scope
, then click
OK
.

Click
Commit and Push
.
Select the PAC file to use with Explicit Proxy.
Select
Panorama
Cloud Services
Configuration
Mobile Users
Explicit Proxy
.
Be sure that you enter a port of 8080 in the PAC file.
Select the
Connection Name
for the Explicit Proxy setup you just configured.
Enter the
PAC (Proxy Auto-Configuration) File
to use for Explicit Proxy.
Be sure that you understand how PAC files work and how to modify them before you upload them to Prisma Access.

Browse
and upload the file.
Prisma Access provides you with a sample PAC file; you can
Download sample PAC file
, change the values, and upload that file. See Set Up Your Explicit Proxy PAC File for PAC file requirements and guidelines as we as a description of the contents of the sample PAC file.