Secure Mobile Users with an Explicit Proxy
Secure Prisma Access mobile users by creating an explicit
proxy and using a PAC file.
In addition to securing mobile users
with GlobalProtect, you can configure an explicit proxy using
Prisma Access. Consider using an explicit proxy if your existing
network already uses proxies, if you use PAC files on your end users’
endpoints, or if you need to use a proxy for auditing or compliance
purposes.
Explicit Proxy Workflow
The following section shows the workflow when
mobile users are secured by Prisma Access using an explicit proxy
as the connection method. Before you start, you need to have configured Mobile Users—Explicit
Proxy.
The traffic takes the following path. Callouts
in the figure show the process.

- The mobile user browses the Internet or accesses the SaaS application by entering the URL or IP address using a web browser.
- The browser on the mobile users’ endpoint checks for the PAC file.This PAC file specifies that the URL or SaaS request should be forwarded to Prisma Access explicit proxy.
- The HTTPS client (the browser on the mobile user’s endpoint) forwards the URL request to the proxy URL.
- The traffic is redirected to the explicit proxy, and the proxy decrypts the traffic.
- The proxy inspects the traffic and checks for the authentication cookie set up by the Prisma Access explicit proxy.The cookie contains information that identifies the mobile user, and uses the cookie to authenticate the user.
- If, upon inspection of the cookie, Prisma Access determines that the user has not been authenticated, it redirects the user for authentication.
- After the IdP authenticates the user, Prisma Access stores the authentication state of the user in the Authentication Cache Service (ACS). The validity period of the authentication is based on theCookie Lifetimevalue you specify during explicit proxy configuration.
- The explicit proxy checks for the presence and validity of our cookie. If the cookie is not present or is invalid, the user is redirected to ACS. After ACS confirms the authentication of the user, the user is redirected back to the explicit proxy with a token. The proxy then validates that token and sets the cookie for that domain for that user.
- Prisma Access applies security enforcement based on the security policy rules that the administrator has configured.
- If the URL is not blocked by security policy rules, Prisma Access sends the URL request to the internet.
Explicit Proxy System Guidelines and Requirements
Before you secure mobile users with an explicit
proxy, make sure that you complete all the software and network
requirements described in Secure Mobile Users With an Explicit Proxy.
Licensing
and Onboarding Guidelines
—Use the following guidelines when
you license and onboard your explicit proxy deployment: - Explicit proxy supports a subset of Prisma Access locations. See Supported Explicit Proxy Locations for the list of locations.If you have a Local or Evaluation license for Prisma Access for Users and you have a Mobile Users—GlobalProtect deployment as well as a Mobile Users—Explicit Proxy deployment, you can deploy a maximum of five locations for both deployments combined. You need to allocate the five locations between both deployments (for example, two locations for Mobile Users—GlobalProtect and three locations for Mobile Users—Explicit Proxy). If you have a Worldwide license, there are no restrictions for the maximum number of locations.
- Prisma Access is not supported in a multi-tenant deployment.
- Specify a minimum of 200 units from your Mobile Users license for your Explicit Proxy deployment.If you have a Mobile Users—GlobalProtect deployment and enter a number that exceeds the number of available users, Prisma Access takes those users from your Mobile Users for GlobalProtect deployment and allocates them to your Mobile Users—Explicit Proxy deployment. As shown in the following table, if you have 1000 users licensed and have 750 users licensed for Mobile Users - GlobalProtect, and you then enter 500 licensed users in the Mobile Users - Explicit Proxy, Prisma Access takes 250 licensed users from the pool for Mobile Users - GlobalProtect and assigns it to Mobile Users - Explicit Proxy, so that each mobile users component is licensed for 500 users.Total Licensed Mobile User AllocationExisting Licensed Mobile Users—GlobalProtect AllocationNew Licensed Mobile Users—Explicit Proxy AllocationNew Licensed Mobile Users—GlobalProtect Allocation1000 Users750 Users250 Users750 Users (no change)1000 Users750 Users500 Users500 UsersPrisma Access takes 250 users from the 750 Mobile Users—GlobalProtect license to allocate the 500 users you specified for the Mobile Users—Explicit Proxy license.
System and Network Requirements
—When
configuring explicit proxy, make sure that you have configured the
following system and network requirements:- You must configure an SSL decryption policy for all explicit proxy traffic.Decryption is required for Prisma Access to read the authentication state cookie set up by Prisma Access on the mobile user’s browser. Failing to enforce decryption enables the abuse of Explicit proxy as an open proxy that can be widely misused as a forwarding service for conducting denial of service attacks.
- If mobile users are connecting from remote sites or headquarters/data center locations using an explicit proxy, the mobile user endpoint must be able reach and route to the IdP, ACS FQDN, Explicit Proxy URL, and URL of the PAC file hosted by Prisma Access. To find the ACS FQDN and the Explicit Proxy URL, select.PanoramaCloud ServicesStatusNetwork DetailsMobile Users—Explicit Proxy
- The maximum supported TLS version if 1.2. When creating a decryption profile, specify aMax VersionofTLS v1.2.
- You must strip out ALPN headers from HTTP/2 traffic. See Security Policy Guidelines and Requirements for details.
Panorama
and Content Version Requirements
—Make sure that your deployment
has the following minimum Panorama and Antivirus Content version
requirements:- Explicit proxy requires a minimum Panorama version of 10.0.5.
- Explicit Proxy requires a minimum antivirus Content Version of 3590 to be installed on the Panorama to support the predefined security policies. Install the required Content Version before committing theMobile Users—Explicit Proxyconfiguration.
Palo
Alto Networks Subscription Support
—Explicit proxy supports Threat
Prevention, URL Filtering, and WildFire subscriptions. DNS Security
and DLP Security subscriptions are not supported.Mobile
User App Support and Browser Guidelines
—Explicit Proxy supports
the following apps and has the following browser guidelines and
requirements:- Explicit proxy secures internet and SaaS applications accessed over the mobile users’ browser using HTTP and HTTPS traffic only. Non-web ports and protocols are not supported.
- Explicit proxy does not support the full client-based version of Microsoft 365 (Office 365), which uses non-web ports. However, it is designed to support web-based M365, including Office Online (office.com).
- Explicit proxy does not provide access to private applications.
- Mobile users will be unidentified in the traffic logs for sites that are not decrypted, unless you have selectedAllow undecrypted HTTPS traffic only from previously authenticated IPsduring explicit proxy configuration. In this case, explicit proxy adds a userswg-authenticated-ip-userto the traffic logs when it processes undecrypted traffic from an IP address where a user has already authenticated.Explicit proxy also adds theswg-authenticated-ip-userto the traffic logs when it processes either HTTP requests or decrypted HTTPS requests where browsers do not send cookies, such as cross-origin resource sharing (CORS) requests.
- Make a note of the following browser requirements:
- If you use Explicit Proxy, do not disable cookies in your browser; if you do, you cannot browse any web pages.
- If you are using explicit proxy with Microsoft Edge, be sure thatis set toSettingsPrivacy, Search, and ServicesTracking preventionBasic.
- If you use Safari with explicit proxy, you might experience issues when accessing websites. Instead of Safari, use Microsoft Edge, Firefox, Chrome, or Internet Explorer as your browser.
- When using Firefox with an explicit proxy, go toabout:configand setsecurity.csp.enabletofalse. In addition, some add-ons, such as ones that perform ad blocking or tracking protection, might interfere with tracking protection.
- You might have issues when accessing the following desktop applications when using explicit proxy: Office 365, Slack, Zoom, or Webex.
PAC
File Requirements and Guidelines
—Explicit proxy has certain
requirements for its PAC files; see PAC File Guidelines and Requirements for details.Set Up an Explicit Proxy to Secure Mobile Users
To secure mobile users with an explicit proxy,
complete the following steps.
- Configure SAML authentication, including configuring aSAML Identity Providerand anAuthentication Profile, for Prisma Access. You specify the authentication profile you create in a later step.Use the following guidelines when configuring authentication for the IdP and in Panorama:
- Panorama Guidelines:
- Be sure that you configure the authentication profile under theExplicit_Proxy_Template.
- Usemailas the user attribute in the IdP server profile and in theAuthentication Profileon Panorama.
- Explicit proxy does not supportSign SAML Message to IdPin the SAML Identity Provider Server Profile.
- If you configure a Master Device or Directory Sync, usemailoruserPrincipalNameas theSamAccountNamein Group Mapping.
- When using Panorama to manage Prisma Access, Directory Sync does not auto-populate user and group information to security policy rules. To populate user and group information from Directory Sync and simplify rule creation, you can optionally configure a next-generation firewall as a Master Device using an on-premises or VM-series next generation firewall and associate it to Prisma Access.
- IdP Guidelines:
- SAML is the only supported authentication protocol. Prisma Access supports PingOne, Azure AD, and Okta as SAML authentication providers, but you should be able to use any vendor that supports SAML 2.0 as a SAML identity provider (IdP).
- Use the following URLs when configuring SAML:SAML Assertion Consumer ServiceURL:https://global.acs.prismaaccess.com/saml/acsEntity IDURL:https://global.acs.prismaaccess.com/saml/metadataFor more details about configuring SAML authentication with Prisma Access, including examples for Okta and Active Directory Federation Services (ADFS) 4.0, see Authenticate Mobile Users in the Prisma Access Integration Guide (Panorama Managed).
- If you use Okta as the IdP, usemailas the login username in the Okta profile.
- Enter a single sign on URL ofglobal.acs.prismaaccess.com.
- Single Logout (SLO) is not supported.
- To troubleshoot IdP authentication issues, use the IdP’s monitoring and troubleshooting capabilities. The ACS does not log IdP authentication failures.
- Configure explicit proxy settings.
- Selectand click the gear icon to edit the explicit proxyPanoramaCloud ServicesConfigurationMobile Users - Explicit ProxySettings.
- In theSettingstab, edit the following settings:
- (Optional) In the Templates section,Addthe template or templates that contains the configuration you want to push for explicit proxy.By default, Prisma Access creates a new template stackExplicit_Proxy_Template_Stackand a new templateExplicit_Proxy_Template. If you have existing settings you want to import, import them now. If you are starting with a new explicit proxy configuration, make sure that you are using this template when you create and edit yourNetworkandDevicesettings in Panorama.You canAddmore than one existing template to the stack and then order them appropriately usingMove UpandMove Down. Panorama evaluates the templates in the stack from top to bottom, and settings in templates that are higher in the stack take priority over the same settings specified in templates that are lower in the stack. You cannot move the defaultExplicit_Proxy_Templatefrom the top of the stack; this prevents you from overriding any required explicit proxy settings.
- In the Device Group section, select theParent Device Groupthat contains the configuration settings you want to push for the explicit proxy, or leave the parent device group asSharedto use the Prisma Access device group shared hierarchy. TheDevice Group Namecannot be changed.
- (Optional) in the Master Device section, specify aMaster Device.Explicit Proxy uses Directory Sync to retrieve user and group information. Directory Sync does not auto-populate user and group information to security policy rules and to Panorama. To simplify rule creation based on user and group information, you can associate an on-premises or VM-series next generation firewall as a Master Device.
- In the License Allocation section, specify the number of mobile users to allocate for explicit proxy.
- In theGroup Mapping Settingstab, configure Prisma Access to use Directory Sync for mobile users to retrieve user and group information.You use Directory Sync to populate user and group information for an explicit proxy deployment. To configure Directory Sync, you set up Directory Sync on your AD and associate the Panorama that manages Prisma Access with Directory Sync in the hub; then, set up Directory Sync in Prisma Access.Entermailfor the Directory Attribute in thePrimary Usernamefield andmailfor theE-Mailfield.
- ClickOKwhen finished.
- ClickConfigureto configure the explicit proxy setup.
- Specify anExplicit Proxy URL.By default, the name isproxyname.proxy.prismaaccess.com, whereproxynameis the subdomain you specify, and uses port 8080. If you want to use your organization’s domain name in the Explicit Proxy URL (for example, thisproxy.proxy.mycompany.com), enter a CNAME record your organization’s domain.For example, to map a proxy URL named thisproxy.prismaaccess.com to a proxy named thisproxy.proxy.mycompany.com, you would add a CNAME of thisproxy.proxy.prismaaccess.com to the CNAME record in your organization’s domain.
- Specify anAuthentication ProfileandCookie Lifetime.
- Specify the SAMLAuthentication Profileyou used in Step 1, or add aNewauthentication profile to use with Prisma Access.You must configure SAML authentication, including configuring aSAML Identity Provider(IdP) and anAuthentication Profile, to use an explicit proxy.
- (Optional) Specify aCookie Lifetimefor the cookie that stores the users’ authentication credentials.Prisma Access caches the user’s credentials and stores them in the form of a cookie. To change the value, specify the length of time to use in Seconds, Minutes, Hours, or Days.
- Select theLocationsand the regions associated with those locations where you want to deploy your explicit proxy for mobile users. Prisma Access adds a proxy node into each location you select.Explicit proxy supports a subset of all Prisma Access locations. See Supported Explicit Proxy Locations for the list of locations.TheLocationstab displays a map. Highlighting the map shows the global regions (Americas, Europe, and Asia Pacific) and the locations available inside each region. Select a region, then select the locations you want to deploy in each region. Limiting your deployment to a single region provides more granular control over deployed regions and allows you to exclude regions as required by your policy or industry regulations. See List of Prisma Access Locations for the list of regions and locations. You can select a location in a region that is closest to your mobile users, or select a location as required by your policy or industry regulations.
- Click theLocationstab and select a region.
- Select one or more explicit proxy locations within your selected region using the map.Hovering your cursor over a location highlights it. White circles indicate an available location; green circles indicate that you have selected that location.In addition to the map view, you can view a list of regions and locations. Choose between the map and list view from the lower left corner. In the list view, the list displays regions sorted by columns, with all locations sorted by region. You can selectAllsites within a region (top of the dialog).
- ClickOKto add the locations.
- Configure security policy rules to enforce your organization’s security policies.Explicit proxy has rules and recommendations for configuring security policy rules, and you must configure a decryption policy to strip out ALPN headers. See Security Policy Guidelines and Requirements for details.
- Commit your changes to Panorama and push the configuration changes to Prisma Access.
- Click.CommitCommit and Push
- Edit Selectionsand, in thePrisma Accesstab, make sure thatExplicit Proxyis selected in thePush Scope, then clickOK.
- ClickCommit and Push.
- Select the PAC file to use with the explicit proxy.
- Select.PanoramaCloud ServicesConfigurationMobile UsersExplicit ProxyBe sure that you enter a port of 8080 in the PAC file.
- Select theConnection Namefor the explicit proxy setup you just configured.
- Enter thePAC (Proxy Auto-Configuration) Fileto use for the explicit proxy.Be sure that you understand how PAC files work and how to modify them before you upload them to Prisma Access.Browseand upload the file.Prisma Access provides you with a sample PAC file; you canDownload sample PAC file, change the values, and upload that file. See PAC File Guidelines and Requirements for PAC file requirements and guidelines as we as a description of the contents of the sample PAC file.
PAC File Guidelines and Requirements
Use the following guidelines and requirements
when configuring the PAC file to use with explicit proxy:
- Only ASCII text format is supported for PAC files. Palo Alto Networks recommends that you create and save the PAC file in a text editor such as VI or Vim.
- Upload the PAC file after you create your explicit proxy configuration and commit and push your changes. After you upload your PAC file, a commit and push operation is not required.
- You must have at least one Prisma Access tenant Explicit Proxy URL in thereturn "PROXY foo.proxy.prismaaccess.com:8080";statement beginning for traffic ingressing to Prisma Access. Either use a configured domain used when you push your changes or use a valid IPv4 address or DIRECT keyword such asPROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080orPROXY 1.2.3.4:8080, and so on.
- If the proxy is not being bypassed, then the you must provide a PROXY keyword. A valid proxy statement is required if noDIRECTkeyword is configured for the proxy bypass.
- If a valid PROXY statement is found before an invalid PROXY statement, explicit proxy skips the validity check all on all PROXY statements after the first. For example, a PAC file with the valid statementPROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080followed by the invalid statementPROXY foo.proxy.prismaacess.com:8080would be considered valid since explicit proxy skips the validity check forfoo.proxy.prismaacess.com:8080.
- If you are using a PROXY statement to have ACS traffic bypass the Prisma Access proxy, the PROXY statement should not use the Explicit Proxy URL. In this configuration, the explicit proxy provides an error message, but allows you to upload the PAC file. You can direct the ACS traffic to other proxies using a valid FQDN or IPv4 address, or directly to the internet, using theDIRECTkeyword.
- Only IPv4 addresses are supported in PROXY statements. Do not use IPv6 addresses in PROXY statements.
- The maximum file size for a PAC file is 256 KB.
- You must specify IdP and ACS URLs to be bypassed.
- You cannot delete a PAC file after you're uploaded it. You can, however, upload a new PAC file to overwrite the existing one.
- Explicit proxy supports only one hosted PAC file.
- If you change the Explicit Proxy URL in Prisma Access but do not change the PAC file to reflect the changed URL, the change won't be applied.
- If you change the Explicit Proxy URL in Prisma Access but do not change the PAC file to reflect the change, the change won't be applied. You must upload a new PAC file specifying the new Explicit Proxy URL.
Explicit proxy provides you with a sample PAC
file that you can modify and use as the PAC file for your explicit
proxy deployment. The sample PAC file that Prisma Access provides
contains the following data:
function FindProxyForURL(url, host) { /* Bypass localhost and Private IPs */ var resolved_ip = dnsResolve(host); if (isPlainHostName(host) || shExpMatch(host, "*.local") || isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") || isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") || isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") || isInNet(resolved_ip, "127.0.0.0", "255.255.255.0")) return "DIRECT"; /* Bypass FTP */ if (url.substring(0,4) == "ftp:") return "DIRECT"; /* Bypass SAML, e.g. Okta */ if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com")) return "DIRECT"; /* Bypass ACS */ if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT"; /* Forward to Prisma Access */ return "PROXY foo.proxy.prismaaccess.com:8080";
If
you want to use the default PAC file that Prisma Access provides,
you can optionally modify the fields in the PAC file as described
in the following table.
Text | Description |
---|---|
| Enter any hostnames or IP addresses that should
not be sent to the explicit proxy between the JavaScript functions var resolved_ip
= and return “DIRECT”; . If you
do not modify the data in this file, the following hostnames and
IP addresses bypass the explicit proxy:
|
| Bypasses the explicit proxy for FTP sessions. |
| Bypasses the explicit proxy for the SAML IdP.
Be sure to add the following FQDNs in this section:
|
| Bypasses the explicit proxy for the Prisma Access
Authentication Cache Service (ACS). |
| Bypasses the explicit proxy for the Explicit Proxy
URL. You must have at least one Prisma Access tenant Explicit
Proxy URL in the return "PROXY foo.proxy.prismaaccess.com:8080"; statement
for traffic ingressing to Prisma Access. Either use a configured
domain used when you push your changes, or use a valid IPv4 address
or DIRECT keyword such as PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080 or PROXY 1.2.3.4:8080 . |
Security Policy Guidelines and Requirements
To make required configuration changes and
to control the URLs that mobile users can access from the explicit
proxy, use security policies. Use the following guidelines and requirements
when configuring your security policies:
- Based on your business goals, create security policies for sanctioned internet and SaaS apps using App-ID and user groups that need access to those applications.
- Create a security policy rule at the bottom of the list with web browsing and SSL App-IDs for any user to allow access to internet sites for cases such as CORS requests or undecrypted HTTPs where users cannot be identified.
- Attach security profiles to all security policy rules so that you can prevent both known and unknown threats following the security profile best practices.
- Ensure that your security policy rules do not allow traffic for non-HTTP/HTTPS protocols and non-standard web ports.
- Create a decryption profile and a decryption policy rule to remove ALPN headers from uploaded files.Explicit proxy does not support native HTTP/2 support, so you must remove the ALPN headers.
- Select.ObjectsDecryptionDecryption ProfileChoose any device group in the Device Group drop-down at the top of the page; decryption profiles are shared across device groups.
- Adda new profile and give it aName.
- SelectSSL Forward Proxy, then selectStrip ALPNin theClient Extensionarea.
- Select.PoliciesDecryption
- Adda decryption policy and give it aName.
- In theOptionsarea, select anActionofDecryptand theDecryption Profileyou created.
Verify and Monitor the Explicit Proxy Deployment
After you have configured the explicit proxy
for mobile users, monitor the status and troubleshoot any issues
by checking the following Prisma Access components.
- Check the status of your explicit proxy deployment.
- Selectto see the explicit proxy status.PanoramaCloud ServicesStatusStatusThe mobile usersStatusandConfig Statusfields indicate whether the connection between Prisma Access and your mobile users isOK, unable to fetch the status on the tunnel (Warning), or that the mobile users cannot connect to the explicit proxy (Error).Click the hyperlink next toCurrent UsersandUsers (Last 90 days)to get more information about mobile users.
- Current Users—The current number of authenticated users who have browsed traffic in the last five minutes.
- Users (Last 90 days)—The number of unique authenticated explicit proxy users for the last 90 days.
- Selectto display a map showing the deployed explicit proxy locations.PanoramaCloud ServicesStatusMonitorMobile Users—Explicit Proxy
- Selectto view the following details:PanoramaCloud ServicesStatusNetwork DetailsMobile Users—Explicit Proxy
- Explicit Proxy URL—The URL used to the explicit proxy.
- ACS FQDN—The FQDN of the ACS.
- SAML Meta Data—The authentication profile metadata used by SAML. You canExport SAML Metadatato save the metadata file.
Recommended For You
Recommended Videos
Recommended videos not found.