>
    Explicit Proxy Configuration Guidelines
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Mobile Users
    4. Mobile Users: Explicit Proxy
    5. Explicit Proxy Configuration Guidelines
    Download PDF
    Prisma Access

    Explicit Proxy — Guidelines

    Table of Contents

    Explicit Proxy Configuration Guidelines

    Describes the software and network requirements you need to successfully deploy
    Prisma Access
     Explicit Proxy.
    Where Can I Use This?
    What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • Prisma Access
       license
    System Requirements and Supported Features
    These are the system requirements and supported features for the different connection methods you can use with Explicit Proxy.
    Agentless SAML
    Proxy Mode on Agent (requires GP 6.2 or later)
    Applications and OS Support
    Traffic Type
    Internet and public SaaS traffic only
    Internet and public SaaS traffic only
    Internet and public SaaS traffic only
    Internet and public SaaS traffic only
    Protocol Supports
    Proxy aware HTTP or HTTPS
    Proxy aware HTTP or HTTPS
    Proxy aware HTTP or HTTPS
    Proxy aware HTTP or HTTPS
    Transport Channel to
    Prisma Access
    HTTP Connect
    HTTP Connect
    HTTP Connect inside TLS
    HTTP Connect inside IPSec from branch to remote network security processing node (SPN)
    Environments Supported
    Windows, Mac, Linux, ChromeOS, VDI
    Windows, Mac, Linux,
    ChromeOS, VDI
    Windows and Mac
    Windows, Mac, Linux,
    ChromeOS, VDI
    App Support
    Proxy aware HTTP(s) apps
    Any app that honors a PAC file or system proxy setting and supports Kerberos
    Proxy aware HTTP(s) apps
    Proxy aware HTTP(s) apps
    Browser Support
    Chrome, Edge, Firefox versions 115 or later
    Chrome, Edge, Firefox versions 115 or later
    Chrome, Edge, Firefox versions 115 or later*
    Chrome, Edge, Firefox versions 115 or later
    O365 Support†
    Browser and client apps
    Browser and client apps
    Browser and client apps
    Browser and client apps
    Identity
    User-ID‡
    Decrypted and non-HTTP CORS traffic
    All Supported Traffic
    All Supported Traffic
    Depending on whether you're using SAML or Kerberos: decrypted/non-CORS X-Authenticated-User traffic
    Auth Supported
    SAML (Any SAML 2.0 IDPs or through CIE)
    Kerberos
    All GlobalProtect Supported Auth
    SAML, Kerberos, X-Authenticated-User-based
    Skip Auth
    By Domain and by Source IP
    By Domain and by Source IP
    By Domain
    By Domain and by Source IP
    User Group Directory
    License
    Mobile User Unit per user
    Mobile User Unit per user
    Mobile User Unit per user
    Mobile User unit per user or headless device and NET units for bandwidth for remote networks
    Management
    Multitenant Panorama
    Multitenant Cloud Management
    Supported
    Supported
    Supported
    Supported
    Security Services
    SaaS Inline
    Supported
    Supported
    Supported
    Supported
    DLP
    Supported
    Supported
    Supported
    Supported
    DNS Security§
    Supported
    Supported
    Supported
    Supported
    Advanced URL Filtering
    Supported
    Supported
    Supported
    Supported
    Advanced WildFire
    Supported
    Supported
    Supported
    Supported
    Advanced Threat Prevention
    Supported
    Supported
    Supported
    Supported
    Supported
    Supported
    Supported
    Supported
    * For Proxy Mode on Agent, Firefox requires a manual policy rule pushed through Mobile Device Management that instructs it to honor the system proxy
     Explicit Proxy supports only HTTP traffic, not UDP. With SAML, Explicit Proxy does not provide User-ID for client apps flows. For Agent proxy, you need to use a PAC file to send client app authentication flows to the cloud proxy.
     No User-ID is available for auth bypass.
    §
     You can't apply DNS Security profiles to Explicit Proxy flows. Block domains instead.
    App Support Considerations
    1. Explicit Proxy does not support apps that need IP affinity. The app must support traffic coming from multiple IPs for a given user session.
    2. Explicit Proxy downgrades decrypted HTTP/2 Flows to HTTP/1.
    3. Explicit Proxy does not fetch on-premises external dynamic lists.
    4. Agentless SAML only:
      1. Configure an SSL decryption policy to allow auth bypass by domain for agentless PAC-based Explicit Proxy with SAML Auth
        Decryption is required for Prisma Access to read the authentication state cookie set up by Prisma Access on the mobile user's browser. Failing to enforce decryption enables the abuse of Explicit Proxy as an open proxy that can attackers can use as a forwarding service for denial-of-service attacks.
      2. In traffic logs, Explicit Proxy will show undecrypted and HTTP-CORS mobile user traffic logs as SWG-authenticated users.
      3. Make a note of the following browser requirements and usage guidelines:
        • If you use Explicit Proxy, don't disable cookies in your browser; if you do, you can't browse any webpages.
        • If you're using Explicit Proxy with Microsoft Edge, be sure to set
          Settings
          Privacy, Search, and Services
          Tracking prevention
           to
          Basic
          .
    Connectivity Requirements
    If mobile users are connecting from remote sites or headquarters or data center locations using an Explicit Proxy, the mobile user endpoint must be able to reach and route to the IdP, ACS FQDN, Explicit Proxy URL, and URL of the PAC file hosted by Prisma Access.
    PAC File Requirements and Guidelines
    —Follow the PAC File Guidelines when you set up the PAC file to use with Explicit Proxy.
    Proxy Chaining Guidelines
    —If you use proxy chaining from a third-party proxy to Explicit Proxy, specify the
    Explicit Proxy URL
     in the third-party proxy to forward traffic to Explicit Proxy
    On-Premises Support
    —Explicit Proxy is a cloud-based proxy solution and not an on-premises product. For an on-premises proxy solution, configure a PAN-OS web proxy.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.