Secure Mobile Users with an Explicit Proxy
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Secure Mobile Users with an Explicit Proxy
Secure Prisma Access mobile users by creating an Explicit
Proxy and using a PAC file.
In addition to securing mobile users
with GlobalProtect, you can configure an Explicit Proxy using
Prisma Access. Consider using an Explicit Proxy if your existing
network already uses proxies, if you use PAC files on your end users’
endpoints, or if you need to use a proxy for auditing or compliance
purposes.
Explicit Proxy Workflow
The following section shows the workflow when
mobile users are secured by Prisma Access using an Explicit Proxy
as the connection method. Before you start, you need to have configured Mobile Users—Explicit
Proxy.
The traffic takes the following path. Callouts
in the figure show the process.
- The mobile user browses the Internet or accesses the SaaS application by entering the URL or IP address using a web browser.The browser on the mobile users’ endpoint checks for the PAC file.This PAC file specifies that the URL or SaaS request should be forwarded to Prisma Access Explicit Proxy.The HTTPS client (the browser on the mobile user’s endpoint) forwards the URL request to the proxy URL.The traffic is redirected to Explicit Proxy, and the proxy decrypts the traffic.The proxy inspects the traffic and checks for the authentication cookie set up by the Prisma Access Explicit Proxy.The cookie contains information that identifies the mobile user, and uses the cookie to authenticate the user.If, upon inspection of the cookie, Prisma Access determines that the user has not been authenticated, it redirects the user for authentication.After the IdP authenticates the user, Prisma Access stores the authentication state of the user in the Authentication Cache Service (ACS). The validity period of the authentication is based on the Cookie Lifetime value you specify during Explicit Proxy configuration.The Explicit Proxy checks for the presence and validity of our cookie. If the cookie is not present or is invalid, the user is redirected to ACS. After ACS confirms the authentication of the user, the user is redirected back to Explicit Proxy with a token. The proxy then validates that token and sets the cookie for that domain for that user.Prisma Access applies security enforcement based on the security policy rules that the administrator has configured.If the URL is not blocked by security policy rules, Prisma Access sends the URL request to the internet.
Explicit Proxy Licensing Information
For the licensing requirements and guidelines you use with Explicit Proxy, see Explicit Proxy Licensing Guidelines. Explicit Proxy System Guidelines and Requirements
Before you secure mobile users with an Explicit Proxy, be sure to use the following system guidelines and requirements.Onboarding Guidelines—Use the following guidelines when you license and onboard your Explicit Proxy deployment:- Explicit Proxy supports a subset of Prisma Access locations. See Supported Explicit Proxy Locations for the list of locations.If you have a Local or Evaluation license for Prisma Access for Users and you have a Mobile Users—GlobalProtect deployment as well as a Mobile Users—Explicit Proxy deployment, you can deploy a maximum of five locations for each (five locations maximum for Mobile Users—GlobalProtect and five locations maximum for Mobile Users—Explicit Proxy). If you have a Worldwide license, there are no restrictions for the maximum number of locations.
- Explicit Proxy supports multitenancy under the following conditions: if you have an existing Prisma Access non-multitenant deployment and convert it to a multitenant deployment, only the first tenant (the tenant you migrated) supports Explicit Proxy. Any subsequent tenants you create for the multitenant deployment after the first do not support Explicit Proxy.In addition, group-based security policies will not work in a multitenant deployment. Explicit Proxy uses the Directory Sync component of the Cloud Identity Engine to perform group mapping, and multitenancy does not support the Cloud Identity Engine.
- When onboarding an Explicit Proxy deployment, Palo Alto Networks recommends that all the configuration be performed in a single browser. You can, however, add security policies from multiple browsers or browser sessions.
Network Guidelines and Requirements—When configuring Explicit Proxy, make sure that you are aware of the following network guidelines and have made the following configuration changes in your network and security environment:- You must configure an SSL decryption policy for all Explicit Proxy traffic.Decryption is required for Prisma Access to read the authentication state cookie set up by Prisma Access on the mobile user’s browser. Failing to enforce decryption enables the abuse of Explicit Proxy as an open proxy that can be widely misused as a forwarding service for conducting denial of service attacks.To prevent users from accessing undecrypted sites, be sure to leave the Decrypt traffic that matches existing decryption rules; for undecrypted traffic, allow traffic only from known IPs registered by authenticated users check box selected when you configure explicit proxy.
- Explicit Proxy does not support HTTP/2 natively. HTTP/2 protocol requests will be downgraded to HTTP/1.1. Explicit Proxy strips out application-layer protocol negotiation (ALPN) headers from uploaded files, regardless of your configuration.
- The maximum supported TLS version is 1.3. When creating a decryption profile, specify a Max Version of TLS v1.3.
- If mobile users are connecting from remote sites or headquarters/data center locations using an Explicit Proxy, the mobile user endpoint must be able reach and route to the IdP, ACS FQDN, Explicit Proxy URL, and URL of the PAC file hosted by Prisma Access. To find the ACS FQDN and the Explicit Proxy URL, select PanoramaCloud ServicesStatusNetwork DetailsMobile Users—Explicit Proxy.
Panorama and Content Version Requirements—Make sure that your deployment has the following minimum Panorama and Antivirus Content version requirements:- Explicit Proxy requires a minimum Panorama version of 10.0.5.
- Explicit Proxy requires a minimum antivirus Content Version of 3590 to be installed on the Panorama to support the predefined security policies. Install the required Content Version before committing the Mobile Users—Explicit Proxy configuration.
Palo Alto Networks Subscription Support—Explicit Proxy includes Threat Prevention, URL Filtering, WildFire, DNS Security, and DLP subscriptions. The DNS Security subscription is also included and includes support for the Command and Control Domains and Malware Domains DNS Security signature categories.Mobile User App Support and Browser Guidelines—Explicit Proxy supports the following apps and has the following browser guidelines and requirements:- Explicit Proxy secures internet and SaaS applications accessed over the mobile users’ browser using HTTP and HTTPS traffic only. Non-web ports and protocols are not supported.
- Explicit Proxy does not support the full client-based version of Microsoft 365 (Office 365), which uses non-web ports. However, it is designed to support web-based M365, including Office Online (office.com).
- Explicit Proxy does not provide access to private applications.
- Mobile users will be unidentified in the traffic logs for sites that are not decrypted, with some exceptions. See How Explicit Proxy Identifies Users for more information.
- Make a note of the following browser requirements and usage guidelines:
- If you use Explicit Proxy, do not disable cookies in your browser; if you do, you cannot browse any web pages.
- If you are using Explicit Proxy with Microsoft Edge, be sure that SettingsPrivacy, Search, and ServicesTracking prevention is set to Basic.
- If you use Safari with Explicit Proxy, you might experience issues when accessing websites. Instead of Safari, use Microsoft Edge, Firefox, Chrome, or Internet Explorer as your browser.
- When using Firefox with an Explicit Proxy, go to about:config and set security.csp.enable to false. In addition, some add-ons, such as ones that perform ad blocking or tracking protection, might interfere with tracking protection.
- To support desktop applications, or applications that do not send HTTP traffic, you can configure GlobalProtect in split tunnel mode and use GlobalProtect in conjunction with Explicit Proxy.
- If you visit a website for the first time, are prompted to enter Explicit Proxy credentials, then refresh the browser, you might receive an error. If this condition occurs, re-visit the website without refreshing and retry the authentication operation.
PAC File Requirements and Guidelines—Explicit Proxy has certain requirements for its PAC files; see PAC File Guidelines and Requirements for details.Proxy Chaining Guidelines—If you use proxy chaining from a third-party proxy to Explicit Proxy, specify the Explicit Proxy URL (PanoramaCloud ServicesStatusNetwork DetailsMobile Users—Explicit Proxy) in the third-party proxy to forward traffic to Explicit Proxy.Authentication and Group Mapping Guidelines—SAML is the only supported authentication protocol. Prisma Access supports PingOne, Azure AD, and Okta as SAML authentication providers, but you should be able to use any vendor that supports SAML 2.0 as a SAML identity provider (IdP). For more details about configuring SAML authentication with Prisma Access, including examples for Azure AD, Okta, and Active Directory Federation Services (ADFS) 4.0, see Authenticate Mobile Users in the Prisma Access Integration Guide (Panorama Managed).In addition, you must use the Cloud Identity Engine to retrieve user and group mapping information.Private or Data Center Access Support—Explicit Proxy does not support flows to Private or Data Center access for internal applications. It is internet-outbound only.Port Listening Guidelines—Explicit Proxy only listens on port 8080.On-Premises Support—Explicit Proxy is a cloud-based proxy solution, and is not offered as an on-premises product.How Explicit Proxy Identifies Users
Explicit Proxy identifies users in the traffic logs dependent on how the users authenticate with the proxy, as shown in the following table.Authentication Type User Identification in Traffic Logs Users that are logged in using SAML authentication and decryption The username. Users that are logged in from another proxy that uses X-Authenticated-User (XAU) headers XAU header information.Explicit Proxy only allows traffic from specific IP addresses to use XAU for authentication. You create an address object and specify the IP addresses where you allow XAU for authentication; then, add the address object in the Trusted Source Address field during Explicit Proxy setup.Authenticated cross-origin resource sharing (CORS) requestsThe swg-authenticated-ip-user user.To help identify traffic that is coming from authenticated users in cases where browsers cannot send cookies or perform authentication redirection, such as CORS requests, Explicit Proxy adds the swg-authenticated-ip-user to the traffic logs.Undecrypted traffic (if you have allowed Explicit Proxy to allow undecrypted traffic from IP addresses where users have previously authenticated)The swg-authenticated-ip-user user.You can specify Explicit Proxy to allow undecrypted traffic from IP addresses where users have authenticated; to do so, specify Decrypt traffic that matches existing decryption rules; for undecrypted traffic, allow traffic only from known IPs registered by authenticated users during Explicit Proxy setup. In these configurations, Explicit Proxy adds the swg-authenticated-ip-user to the traffic logs.Set Up an Explicit Proxy to Secure Mobile Users
To secure mobile users with an Explicit Proxy, complete the following steps.- Configure SAML authentication, including configuring a SAML Identity Provider and an Authentication Profile, for Prisma Access. You specify the authentication profile you create in a later step.Use the following guidelines when configuring authentication for the IdP and in Panorama:
- Panorama Guidelines:
- Be sure that you configure the authentication profile under the Explicit_Proxy_Template.
- Use mail as the user attribute in the IdP server profile and in the Authentication Profile on Panorama.
- Explicit Proxy does not support Sign SAML Message to IdP in the SAML Identity Provider Server Profile.
- When you configure the Cloud Identity Engine to retrieve user and group mapping information, use mail or userPrincipalName as the SamAccountName in Group Mapping.
- When configuring Group Mapping Settings during Explicit Proxy setup, use the same Directory Attribute for Primary Username and email, or Prisma Access does not accurately reflect user counts. For example, given the following user profile:
sAMAccountName: muser Netbios: example userPrincipalName: muser@example.com mail: mobile.user@example.com
If, in the Cloud Identity Engine configuration, you use a Primary Username of userPrincipalName and an E-Mail of mail, the user information that Strata Logging Service returns in traffic logs and the user information that the ACS returns in authentication logs will be different. In this example, ACS sends the mail attribute (mobile.user@example.com) to the authentication logs and Strata Logging Service sends the userPrincipalName attribute (muser@example.com) to the traffic logs. As a result of this mismatch, your user count will not be accurate in the Current Users and Users (Last 90 days) fields when checking the Explicit Proxy status in the Status (PanoramaCloud ServicesStatusStatus page. For this reason, use the same directory attribute for Primary Username and E-Mail (for example, mail) when specifying Group Mapping Settings. - When using Panorama to manage Prisma Access, the Cloud Identity Engine does not auto-populate user and group information in security policy rules.
- IdP Guidelines:
- Use the following URLs when configuring SAML:SAML Assertion Consumer Service URL: https://global.acs.prismaaccess.com/saml/acsEntity ID URL: https://global.acs.prismaaccess.com/saml/metadata
- If you use Okta as the IdP, use EmailAddress for the Name ID Format setting.
- Enter a single sign on URL of https://global.acs.prismaaccess.com/saml/acs.
- Single Logout (SLO) is not supported.
- To troubleshoot IdP authentication issues, use the IdP’s monitoring and troubleshooting capabilities. The ACS does not log IdP authentication failures.
- When creating an Authentication Profile for the SAML IdP, in the Advanced tab, select all in the Allow List or Explicit Proxy will not be able to retrieve group mapping.
Configure Explicit Proxy settings.- Select PanoramaCloud ServicesConfigurationMobile Users—Explicit Proxy and click the gear icon to edit Explicit Proxy Settings.In the Settings tab, edit the following settings:
- (Optional) In the Templates section, Add the template or templates that contains the configuration you want to push for Explicit Proxy.By default, Prisma Access creates a new template stack Explicit_Proxy_Template_Stack and a new template Explicit_Proxy_Template. If you have existing settings you want to import, import them now. If you are starting with a new Explicit Proxy configuration, make sure that you are using this template when you create and edit your Network and Device settings in Panorama.You can Add more than one existing template to the stack and then order them appropriately using Move Up and Move Down. Panorama evaluates the templates in the stack from top to bottom, and settings in templates that are higher in the stack take priority over the same settings specified in templates that are lower in the stack. You cannot move the default Explicit_Proxy_Template from the top of the stack; this prevents you from overriding any required Explicit Proxy settings.
- In the Device Group section, select the Parent Device Group that contains the configuration settings you want to push for the Explicit Proxy, or leave the parent device group as Shared to use the Prisma Access device group shared hierarchy. The Device Group Name cannot be changed.
- (Optional) Specify a Master Device.Explicit Proxy uses the Cloud Identity Engine to retrieve user and group mapping information. The Cloud Identity Engine does not auto-populate user and group information to security policy rules and to Panorama. To simplify rule creation based on user and group information, you can associate an on-premises or VM-series next generation firewall as a Master Device.
- In the License Allocation section, specify the number of mobile users to allocate for Explicit Proxy.
In the Group Mapping Settings tab, Enable Directory Sync Integration (now known as the Cloud Identity Engine) to configure Prisma Access to use the Cloud Identity Engine to retrieve user and group information.You use the Cloud Identity Engine to populate user and group mapping information for an Explicit Proxy deployment. To configure the Cloud Identity Engine, you set up the Cloud Identity Engine on your AD and associate the Panorama that manages Prisma Access with the Cloud Identity Engine in the hub; then, set up the Cloud Identity Engine in Prisma Access.Enter mail for the Directory Attribute in the Primary Username field and mail for the E-Mail field.Click OK when finished.In the Authentication Settings tab, configure decryption, X-Authenticated-User (XAU), and authentication settings.- Configure your settings for decrypted traffic.
- Select Decrypt traffic that matches existing decryption rules; for undecrypted traffic, allow traffic only from known IPs registered by authenticated users to configure the following decryption rules:
- Traffic that matches decryption policy rules you have configured with an Action to Decrypt or Decrypt and Forward will be decrypted.If a user accesses an undecrypted HTTPS site, and a user has not yet authenticated to Explicit Proxy from that IP address, the user is blocked. However, the user can access a decrypted site, complete authentication, and then access undecrypted sites.
- Undecrypted traffic is allowed from IP addresses from which mobile user have already authenticated.
Explicit Proxy requires decryption to authenticate users. Enter the domains that can be decrypted in a custom URL category; then, specify those categories in If Authentication traffic is forwarded through Explicit Proxy, specify the domains used in the authentication flow.You must add authentication URLs to the Custom URL category, regardless of whether or not you have added them to a decryption policy. - To allow all traffic to be decrypted, select Decrypt all traffic (Overrides existing decryption rules).If you choose this radio button, ensure that:
- You do not have exceptions in your decryption policy.
- You are applying source IP address-based restrictions in your security policy.
Failing to follow these recommendations enables the abuse of Explicit Proxy as an open proxy that can be widely misused as a forwarding service for conducting denial of service attacks.- You have at least one SSL Forward Proxy certificate specified as a Forward Trust Certificate.If you do not have a forward trust certificate, create one on Panorama; then, Commit and Push your changes to Prisma Access. Failure to have a forward trust certificate will cause a commit error when you commit your Explicit Proxy changes.
(Optional) If you want to allow traffic from specific IP addresses to use XAU for authentication, create an address object and specify the IP addresses that will use XAU for authentication; then, Add the address object in the Trusted Source Address field.This option is useful if you are using proxy chaining from a third-party proxy to Explicit Proxy, users have authenticated in that proxy, and the proxy uses XAU headers.XAU headers are the only HTTP headers supported for Explicit Proxy header ingestion. X-Forwarded-For (XFF) headers are not supported.Make sure that the address object uses IP addresses.(Optional) Specify settings for privacy-sensitive websites by creating security policy rules for those sites, then specifying the Security Policy or policies for those sites in the Enforce Authentication Only area.For any websites you specify in the in the Security Policy or policies you add, Explicit Proxy decrypts the websites based on the decryption policies, but does not inspect or log the decrypted traffic.Click Configure to configure Explicit Proxy setup.- Specify an Explicit Proxy URL.By default, the name is proxyname.proxy.prismaaccess.com, where proxyname is the subdomain you specify, and uses port 8080. If you want to use your organization’s domain name in the Explicit Proxy URL (for example, thisproxy.proxy.mycompany.com), enter a CNAME record your organization’s domain.For example, to map a proxy URL named thisproxy.prismaaccess.com to a proxy named thisproxy.proxy.mycompany.com, you would add a CNAME of thisproxy.proxy.prismaaccess.com to the CNAME record in your organization’s domain.Specify an Authentication Profile and Cookie Lifetime.
- Specify the SAML Authentication Profile you used in Step 1, or add a New authentication profile to use with Prisma Access.You must configure SAML authentication, including configuring a SAML Identity Provider (IdP) and an Authentication Profile, to use an Explicit Proxy.
- (Optional) Specify a Cookie Lifetime for the cookie that stores the users’ authentication credentials.Prisma Access caches the user’s credentials and stores them in the form of a cookie. To change the value, specify the length of time to use in Seconds, Minutes, Hours, or Days.To prevent issues with users not being able to download large files before the cookie lifetime expires, or the cookie expiring when users are accessing a single website for a long period of time, Palo Alto Networks recommends that you configure a Cookie Lifetime of at least one day. If Explicit Proxy users have a cookie lifetime expiration issue, they can browse to a different website to re-authenticate to ACS and refresh the ACS cookie.If you are downloading a file, and the file download takes longer than the Cookie Lifetime, the file download will terminate when the lifetime value expires. For this reason, consider using a longer Cookie Lifetime if you download large files that take a long time to download.
Select the Locations and the regions associated with those locations where you want to deploy your Explicit Proxy for mobile users. Prisma Access adds a proxy node into each location you select.Explicit Proxy supports a subset of all Prisma Access locations. See Supported Explicit Proxy Locations for the list of locations.The Locations tab displays a map. Highlighting the map shows the global regions (Americas, Europe, and Asia Pacific) and the locations available inside each region. Select a region, then select the locations you want to deploy in each region. Limiting your deployment to a single region provides more granular control over deployed regions and allows you to exclude regions as required by your policy or industry regulations. See List of Prisma Access Locations for the list of regions and locations. You can select a location in a region that is closest to your mobile users, or select a location as required by your policy or industry regulations.- Click the Locations tab and select a region.Select one or more Explicit Proxy locations within your selected region using the map.Hovering your cursor over a location highlights it. White circles indicate an available location; green circles indicate that you have selected that location.In addition to the map view, you can view a list of regions and locations. Choose between the map and list view from the lower left corner. In the list view, the list displays regions sorted by columns, with all locations sorted by region. You can select All sites within a region (top of the dialog).Click OK to add the locations.Configure security policy rules to enforce your organization’s security policies.Explicit Proxy has rules and recommendations for configuring security policy rules. See Security Policy Guidelines and Requirements for details.Commit your changes to Panorama and push the configuration changes to Prisma Access.
- Click CommitCommit and Push.Edit Selections and, in the Prisma Access tab, make sure that Explicit Proxy is selected in the Push Scope, then click OK.Click Commit and Push.Select the PAC file to use with Explicit Proxy.
- Select PanoramaCloud ServicesConfigurationMobile UsersExplicit Proxy.Be sure that you enter a port of 8080 in the PAC file.Select the Connection Name for the Explicit Proxy setup you just configured.Enter the PAC (Proxy Auto-Configuration) File to use for Explicit Proxy.Be sure that you understand how PAC files work and how to modify them before you upload them to Prisma Access.Browse and upload the file.Prisma Access provides you with a sample PAC file; you can Download sample PAC file, change the values, and upload that file. See PAC File Guidelines and Requirements for PAC file requirements and guidelines as we as a description of the contents of the sample PAC file.
PAC File Guidelines and Requirements
Use the following guidelines and requirements when configuring the PAC file to use with Explicit Proxy:- PAC files are required to steer user traffic to Explicit Proxy.
- You can only host one PAC file for use with Prisma Access, and the Explicit Proxy PAC file is hosted in the United States. If you require alternative PAC file access outside of the United States, you can host the PAC file in your enterprise.
- Only ASCII text format is supported for PAC files. Palo Alto Networks recommends that you create and save the PAC file in a text editor such as VI or Vim.
- Upload the PAC file after you create your Explicit Proxy configuration and commit and push your changes. After you upload your PAC file, a commit and push operation is not required.
- You must have at least one Explicit Proxy URL in the return "PROXY foo.proxy.prismaaccess.com:8080"; statement beginning for traffic ingressing to Prisma Access. Either use a configured domain used when you push your changes or use a valid IPv4 address or DIRECT keyword such as PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080 or PROXY 1.2.3.4:8080, and so on.
- If the proxy is not being bypassed, then the you must provide a PROXY keyword. A valid proxy statement is required if no DIRECT keyword is configured for the proxy bypass.
- If a valid PROXY statement is found before an invalid PROXY statement, Explicit Proxy skips the validity check all on all PROXY statements after the first. For example, a PAC file with the valid statement PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080 followed by the invalid statement PROXY foo.proxy.prismaacess.com:8080 would be considered valid since Explicit Proxy skips the validity check for foo.proxy.prismaacess.com:8080.
- If you are using a PROXY statement to have ACS traffic bypass the Prisma Access proxy, the PROXY statement should not use the Explicit Proxy URL. In this configuration, Explicit Proxy provides an error message, but allows you to upload the PAC file. You can direct the ACS traffic to other proxies using a valid FQDN or IPv4 address, or directly to the internet, using the DIRECT keyword.
- Only IPv4 addresses are supported in PROXY statements. Do not use IPv6 addresses in PROXY statements.
- The maximum file size for a PAC file is 256 KB.
- You must specify IdP and ACS URLs to be bypassed.
- You cannot delete a PAC file after you're uploaded it. You can, however, upload a new PAC file to overwrite the existing one.
- If you change the Explicit Proxy URL in Prisma Access but do not change the PAC file to reflect the change, the change won't be applied. You must upload a new PAC file specifying the new Explicit Proxy URL.
Explicit Proxy provides you with a sample PAC file that you can modify and use as the PAC file for your Explicit Proxy deployment. The sample PAC file that Prisma Access provides contains the following data:function FindProxyForURL(url, host) { /* Bypass localhost and Private IPs */ var resolved_ip = dnsResolve(host); if (isPlainHostName(host) || shExpMatch(host, "*.local") || isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") || isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") || isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") || isInNet(resolved_ip, "127.0.0.0", "255.255.255.0")) return "DIRECT"; /* Bypass FTP */ if (url.substring(0,4) == "ftp:") return "DIRECT"; /* Bypass SAML, e.g. Okta */ if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com")) return "DIRECT"; /* Bypass ACS */ if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT"; /* Forward to Prisma Access */ return "PROXY foo.proxy.prismaaccess.com:8080";If you want to use the default PAC file that Prisma Access provides, you can optionally modify the fields in the PAC file as described in the following table.Text Description var resolved_ip = dnsResolve(host); ... return "DIRECT";
Enter any hostnames or IP addresses that should not be sent to Explicit Proxy between the JavaScript functions var resolved_ip = and return “DIRECT”;.If you do not modify the data in this file, the following hostnames and IP addresses bypass Explicit Proxy:- if (isPlainHostName(host)—Bypasses Explicit Proxy for hostnames that contain no dots (for example, http://intranet).
- shExpMatch(host, "*.local") ||—Bypasses the proxy for any hostnames that are hosted in the internal network (localhost).
- isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") || isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") || isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") || isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))—Bypasses Explicit Proxy for any IP addresses that are in the private or loopback IP address range.
if (url.substring(0,4) == "ftp:") return "DIRECT";
Bypasses Explicit Proxy for FTP sessions.if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com")) return "DIRECT";
Bypasses Explicit Proxy for the SAML IdP. Be sure to add all FQDNs used by the IdP.If you use Okta as the IdP used for SAML authentication, enter *.okta.com and *.oktacdn.com.if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT";
Bypasses Explicit Proxy for the Prisma Access Authentication Cache Service (ACS).Instead of using a wildcard, you can add the specific ACS FQDN for your deployment. Find this FQDN under PanoramaCloud ServicesStatusNetwork DetailsMobile Users—Explicit ProxyACS FQDN.return "PROXY foo.proxy.prismaaccess.com:8080"
Bypasses Explicit Proxy for the Explicit Proxy URL.You must have at least one Explicit Proxy URL in the return "PROXY foo.proxy.prismaaccess.com:8080"; statement for traffic ingressing to Prisma Access. Either use a configured domain used when you push your changes, or use a valid IPv4 address or DIRECT keyword such as PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080 or PROXY 1.2.3.4:8080.Security Policy Guidelines and Requirements
To make required configuration changes and to control the URLs that mobile users can access from Explicit Proxy, use security policies. Use the following guidelines and requirements when configuring your security policies:- Based on your business goals, create security policies for sanctioned internet and SaaS apps using App-ID and user groups that need access to those applications.
- Attach security profiles to all security policy rules so that you can prevent both known and unknown threats following the security profile best practices.
Verify and Monitor the Explicit Proxy Deployment
After you have configured Explicit Proxy for mobile users, monitor the status and troubleshoot any issues by checking the following Prisma Access components.- Check the status of your Explicit Proxy deployment.
- Select PanoramaCloud ServicesStatusStatus to see Explicit Proxy status.The mobile users Status and Config Status fields indicate whether the connection between Prisma Access and your mobile users is OK, unable to fetch the status on the tunnel (Warning), or that the mobile users cannot connect to Explicit Proxy (Error).Click the hyperlink next to Current Users and Users (Last 90 days) to get more information about mobile users.
- Current Users—The current number of authenticated users who have browsed traffic in the last five minutes.
- Users (Last 90 days)—The number of unique authenticated Explicit Proxy users for the last 90 days.
- Select PanoramaCloud ServicesStatusMonitorMobile Users—Explicit Proxy to display a map showing the deployed Explicit Proxy locations.
- Select PanoramaCloud ServicesStatusNetwork DetailsMobile Users—Explicit Proxy to view the following details:
- Explicit Proxy URL—The URL used for Explicit Proxy.
- ACS FQDN—The FQDN of the ACS.
- SAML Meta Data—The authentication profile metadata used by SAML. You can Export SAML Metadata to save the metadata file.
- To troubleshoot authentication-related issues, check the traffic logs (MonitorLogsTraffic) and authentication logs (MonitorLogsAuthentication). Explicit Proxy displays the following IP addresses and locations in the logs:
- IP Addresses—If mobile users bypass the ACS FQDN in the PAC file, the IP address displayed in the Source column in the Traffic logs and the Traffic logs and the IP Address column in the Authentication logs, when viewed under the Explicit_Proxy_Device_Group, will be same as the mobile user’s IP address. If users do not bypass the ACS FQDN in the PAC file, the source IP address is the public IP address of the Explicit Proxy cloud firewall where redirects are going to ACS.
- Locations—If mobile users bypass the ACS FQDN in the PAC file, the Region Name displayed in the Region Column in Authentication Logs, Current Users, and Users (Last 90 days) is one of the five 5 regions (us-west-2, us-east-1, eu-west-2, eu-west-3, ap-south-1) where the ACS is deployed, and shows the region where Explicit Proxy is performing the redirects from the client’s browser. If users do not bypass the ACS FQDN in the PAC file, the Region Name displayed in the Region Column in Authentication Logs, Current Users, and Users (Last 90 days) is one of the five 5 regions (us-west-2, us-east-1, eu-west-2, eu-west-3, ap-south-1) where the ACS is deployed, and shows the region where Explicit Proxy is performing the redirects from the Explicit Proxy firewall.