Explicit Proxy — Guidelines

Review these guidelines to plan your explicit proxy deployment:

Configuration Guidelines

  • Supported Locations
    Explicit proxy supports a subset of Prisma Access locations.
    If you have a Local or Evaluation license for Prisma Access for Users and you have a Mobile Users—GlobalProtect deployment as well as a Mobile Users—Explicit Proxy deployment, you can deploy a maximum of five locations for both deployments combined. You need to allocate the five locations between both deployments (for example, two locations for Mobile Users—GlobalProtect and three locations for Mobile Users—Explicit Proxy). If you have a Worldwide license, there are no restrictions for the maximum number of locations.
  • Minimum Users
    Specify a following minimum number of mobile users from your license for an explicit proxy deployment:
    • For a Local license, specify a minimum number of 100 users.
    • For a Worldwide license, specify a minimum number of 200 users.
      If you have a Mobile Users—GlobalProtect deployment and enter a number that exceeds the number of available users, Prisma Access takes those users from your Mobile Users for GlobalProtect deployment and allocates them to your Mobile Users—Explicit Proxy deployment. As shown in the following table, if you have 1000 users licensed and have 750 users licensed for Mobile Users - GlobalProtect, and you then enter 500 licensed users in the Mobile Users - Explicit Proxy, Prisma Access takes 250 licensed users from the pool for Mobile Users - GlobalProtect and assigns it to Mobile Users - Explicit Proxy, so that each mobile users component is licensed for 500 users.
      Total Licensed Mobile User Allocation
      Existing Licensed Mobile Users—GlobalProtect Allocation
      New Licensed Mobile Users—Explicit Proxy Allocation
      New Licensed Mobile Users—GlobalProtect Allocation
      1000 Users
      750 Users
      250 Users
      750 Users (no change)
      1000 Users
      750 Users
      500 Users
      500 Users
      Prisma Access takes 250 users from the 750 Mobile Users—GlobalProtect license to allocate the 500 users you specified for the Mobile Users—Explicit Proxy license.
  • Authentication
    SAML is the only supported authentication protocol. Prisma Access supports PingOne, Azure AD, and Okta as SAML authentication providers, but you should be able to use any vendor that supports SAML 2.0 as a SAML identity provider (IdP).
  • Decryption
    • You must configure a
      decryption rule
      for all explicit proxy traffic. Decryption is required for Prisma Access to read the authentication state cookie set up by Prisma Access on the mobile user’s browser. Mobile users will be unidentified in the traffic logs for sites that are not decrypted.
      Decryption is required for Prisma Access to read the authentication state cookie set up by Prisma Access on the mobile user’s browser. Failing to enforce decryption enables the abuse of explicit proxy as an open proxy that can be widely misused as a forwarding service for conducting denial of service attacks.
    • The decryption rule you’re using for explicit proxy must include a
      decryption profile
      with the following two settings:
      • The maximum supported TLS version is set to 1.2.
      • Set
        Strip ALPN
        (Advanced SSL Forward Proxy settings) because explicit proxy does not support native HTTP/2, and you must remove the ALPN headers.
  • Security Rules
    To make required configuration changes and to control the URLs that mobile users can access from the explicit proxy, use security policy rules with these guidelines in mind:
    • Based on your business goals, create security policies for sanctioned internet and SaaS apps using App-ID and user groups that need access to those applications.
    • Create a security policy rule at the bottom of the list with web browsing and SSL App-IDs for any user to allow access to internet sites for cases such as CORS requests or undecrypted HTTPs where users cannot be identified.
    • Attach security profiles to all security policy rules so that you can prevent both known and unknown threats following the security profile best practices.
    • Ensure that your security policy rules do not allow traffic for non-HTTP/HTTPS protocols and non-standard web ports.
  • App Support
    • Explicit proxy secures internet and SaaS applications accessed over the mobile users’ browser using HTTP and HTTPS traffic only. Non-web ports and protocols are not supported.
    • Explicit proxy does not support the full client-based version of Microsoft 365 (Office 365), which uses non-web ports. However, it is designed to support web-based M365, including Office Online (office.com).
    • Explicit proxy does not provide access to private applications.

PAC File Guidelines

Use the following guidelines and requirements when configuring the PAC file for explicit proxy:
  • Only ASCII text format is supported for PAC files. Palo Alto Networks recommends that you create and save the PAC file in a text editor such as VI or Vim.
  • Upload the PAC file after you create your explicit proxy configuration and commit and push your changes. After you upload your PAC file, a commit and push operation is not required.
  • You must have at least one Prisma Access tenant Explicit Proxy URL in the
    return "PROXY foo.proxy.prismaaccess.com:8080";
    statement beginning for traffic ingressing to Prisma Access. Either use a configured domain used when you push your changes or use a valid IPv4 address or DIRECT keyword such as
    PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080
    or
    PROXY 1.2.3.4:8080
    , and so on.
  • If the proxy is not being bypassed, then the you must provide a PROXY keyword. A valid proxy statement is required if no
    DIRECT
    keyword is configured for the proxy bypass.
  • If a valid PROXY statement is found before an invalid PROXY statement, explicit proxy skips the validity check all on all PROXY statements after the first. For example, a PAC file with the valid statement
    PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080
    followed by the invalid statement
    PROXY foo.proxy.prismaacess.com:8080
    would be considered valid since explicit proxy skips the validity check for
    foo.proxy.prismaacess.com:8080
    .
  • If you are using a PROXY statement to have ACS traffic bypass the Prisma Access proxy, the PROXY statement should not use the Explicit Proxy URL. In this configuration, the explicit proxy provides an error message, but allows you to upload the PAC file. You can direct the ACS traffic to other proxies using a valid FQDN or IPv4 address, or directly to the internet, using the
    DIRECT
    keyword.
  • Only IPv4 addresses are supported in PROXY statements. Do not use IPv6 addresses in PROXY statements.
  • The maximum file size for a PAC file is 256 KB.
  • You must specify IdP and ACS URLs to be bypassed.
  • Explicit proxy supports only one hosted PAC file.
Explicit proxy provides you with a sample PAC file that you can modify and use as the PAC file for your explicit proxy deployment. The sample PAC file that Prisma Access provides contains the following data:
function FindProxyForURL(url, host) { /* Bypass localhost and Private IPs */ var resolved_ip = dnsResolve(host); if (isPlainHostName(host) || shExpMatch(host, "*.local") || isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") || isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") || isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") || isInNet(resolved_ip, "127.0.0.0", "255.255.255.0")) return "DIRECT"; /* Bypass FTP */ if (url.substring(0,4) == "ftp:") return "DIRECT"; /* Bypass SAML, e.g. Okta */ if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com")) return "DIRECT"; /* Bypass ACS */ if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT"; /* Forward to Prisma Access */ return "PROXY foo.proxy.prismaaccess.com:8080";
If you want to use the default PAC file that Prisma Access provides, you can optionally modify the fields in the PAC file as described in the following table.
Text
Description
var resolved_ip = dnsResolve(host); ... return "DIRECT";
Enter any hostnames or IP addresses that should not be sent to the explicit proxy between the JavaScript functions
var resolved_ip =
and
return “DIRECT”;
.
If you do not modify the data in this file, the following hostnames and IP addresses bypass the explicit proxy:
  • if (isPlainHostName(host)
    —Bypasses the explicit proxy for hostnames that contain no dots (for example, http://intranet).
  • shExpMatch(host, "*.local") ||
    —Bypasses the proxy for any hostnames that are hosted in the internal network (localhost).
  • isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") || isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") || isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") || isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
    —Bypasses the explicit proxy for any IP addresses that are in the private or loopback IP address range.
if (url.substring(0,4) == "ftp:") return "DIRECT";
Bypasses the explicit proxy for FTP sessions.
if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com")) return "DIRECT";
Bypasses the explicit proxy for the SAML IdP. Be sure to add the following FQDNs in this section:
  • Add the ACS FQDN.
  • All FQDNs used by the IdP.
    If you use Okta as the IdP used for SAML authentication, enter
    *.okta.com
    and
    *.oktacdn.com
    .
if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT";
Bypasses the explicit proxy for the Prisma Access Authentication Cache Service (ACS).
return "PROXY foo.proxy.prismaaccess.com:8080"
Bypasses the explicit proxy for the Explicit Proxy URL.
You must have at least one Prisma Access tenant Explicit Proxy URL in the
return "PROXY foo.proxy.prismaaccess.com:8080";
statement for traffic ingressing to Prisma Access. Either use a configured domain used when you push your changes, or use a valid IPv4 address or DIRECT keyword such as
PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080
or
PROXY 1.2.3.4:8080
.

Recommended For You