Proxy mode on Remote Networks
Prisma Access

Learn how to use anycast and unicast IP addresses to secure mobile users and devices at Remote Networks with an Explicit Proxy.
Where Can I Use This?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)

What Do I Need?
  • Prisma Access license
  • A Prisma Access Mobile Users license and a Prisma Access Remote Network license are required for Proxy mode for remote networks.

If you'd like to enable Private Source IP based visibility and enforcement on Explicit Proxy in your Prisma Access environment, get in touch with your account team to learn more.
Proxy Mode on Remote Networks helps you secure outbound internet traffic for users and servers in branches that need a PAC-based connection method for networking or compliance reasons.
You can use Proxy mode for Remote Networks to:
  • Secure Internet-bound traffic from branch sites that use non-default routes.
  • Secure Internet-bound traffic from your branches without backhauling it to a data center or HQ site.
  • Connect to Prisma Access Explicit Proxy over private IP addresses. Prisma Access provides four anycast IP addresses globally, and one unicast IP address per Remote Network, that you use to forward traffic to Explicit Proxy.
  • Enforce security controls and get visibility based on the source IP addresses of the systems in the branch.
  • Skip authentication for servers based on their source IP address.
  • Connect to Prisma Access from your branch through an IPSec tunnel.
  • If you require more than 1000 Mbps of bandwidth, create a high-bandwidth remote network connection using multiple Remote Network connections and specify the Explicit Proxy anycast and unicast addresses in each connection.
The following diagram shows a Remote Network configured for a site that has no default route. To protect users and headless devices at the site using Explicit Proxy, the administrator made the following configuration changes:
  • Onboarded Remote Networks and Explicit Proxy locations and retrieved the anycast and unicast IP addresses that Prisma Access takes from its infrastructure subnet.
    You can also create a hostname for Explicit Proxy-directed traffic and add the Explicit Proxy unicast and anycast IP addresses to that hostname.
  • Configured the CPE to forward Explicit Proxy traffic to these anycast and unicast addresses.
    Use the anycast IP addresses in the PAC file to have Prisma Access select any onboarded Remote Network tunnel to forward traffic to Explicit Proxy. Use the unicast address to have Prisma Access forward traffic through a specific Remote Network tunnel. In this example, you can use either anycast or unicast addresses, since the traffic goes through only one Remote Network IPSec tunnel.
  • Specified these IP addresses in the PAC files of the users' endpoints and in the system proxy settings of the headless devices.
After configuration is complete, Prisma Access forwards the traffic from the Remote Network tunnel to Explicit Proxy.
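The PAC file the endpoints in this scenario would load, as an added example that is not taken from the Prisma Access documentation or from any Palo Alto Networks code. It assumes the Explicit Proxy listener port is TCP 8080, and every address in it is a constructed placeholder: replace the anycast entries with the addresses you retrieve in the Cloud Management or Panorama procedure on this page, and the unicast entry with the Loopback IP (EBGP Router address) of the Remote Network you want to pin traffic to.

```javascript
// Added example (not from the Prisma Access documentation): a PAC file for a
// branch behind a Remote Network tunnel. Internal destinations go DIRECT;
// everything Internet-bound goes to Explicit Proxy through the tunnel.
//
// Every address below is a constructed placeholder. Read the real anycast
// addresses from Remote Networks > Advanced Settings (Cloud Management) or from
// ALLOCATED ADDRESSES under Remote Networks Configuration (Panorama), and the
// unicast address from the Remote Network's Loopback IP / EBGP Router address.
var EP_ANYCAST = ["10.255.0.1", "10.255.0.2", "10.255.0.3", "10.255.0.4"]; // constructed
var EP_UNICAST_BRANCH = "10.255.1.10"; // constructed: one Remote Network's loopback
var EP_PORT = 8080; // assumed Explicit Proxy listener port; confirm for your tenant

// true at a site whose traffic must always use one specific Remote Network tunnel.
var PIN_TO_BRANCH_TUNNEL = false;

// Constructed: destinations that must never be proxied.
var INTERNAL_SUFFIX = ".corp.example";
var INTERNAL_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"]
];

// Dotted quad -> integer, or null if the string is not an IPv4 literal.
function ipToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var o = Number(m[i]);
    if (o > 255) return null;
    n = n * 256 + o;
  }
  return n;
}

// Browsers supply these PAC helpers; the fallbacks let the file run under Node
// for testing. The isInNet fallback only handles IP literals (no DNS lookup).
var isPlainHostName = (typeof isPlainHostName === "function") ? isPlainHostName :
  function (host) { return host.indexOf(".") === -1; };
var dnsDomainIs = (typeof dnsDomainIs === "function") ? dnsDomainIs :
  function (host, domain) {
    return host.length >= domain.length && host.slice(-domain.length) === domain;
  };
var isInNet = (typeof isInNet === "function") ? isInNet :
  function (host, pattern, mask) {
    var h = ipToInt(host), p = ipToInt(pattern), mk = ipToInt(mask);
    if (h === null || p === null || mk === null) return false;
    return ((h & mk) >>> 0) === ((p & mk) >>> 0);
  };

// Build the PAC proxy string; the browser tries each entry in order (failover).
// Deliberately no trailing "DIRECT": if the proxy is unreachable the request
// fails closed instead of leaving the branch's Internet traffic unsecured.
function proxyList(addrs) {
  return addrs.map(function (a) { return "PROXY " + a + ":" + EP_PORT; }).join("; ");
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_SUFFIX)) return "DIRECT";
  // Only test IP literals against the internal nets: calling isInNet on a
  // hostname would trigger a DNS lookup for every request in a real browser.
  if (ipToInt(host) !== null) {
    for (var i = 0; i < INTERNAL_NETS.length; i++) {
      if (isInNet(host, INTERNAL_NETS[i][0], INTERNAL_NETS[i][1])) return "DIRECT";
    }
  }
  // Anycast: any onboarded Remote Network tunnel may carry the traffic.
  // Unicast: force the traffic through this branch's own tunnel.
  return proxyList(PIN_TO_BRANCH_TUNNEL ? [EP_UNICAST_BRANCH] : EP_ANYCAST);
}

if (typeof module !== "undefined" && require.main === module) {
  console.log(FindProxyForURL("https://www.example.com/", "www.example.com"));
}
```

Headless devices whose system proxy settings take a single address rather than a PAC file get one of these addresses directly: an anycast address, or the site's unicast loopback when their traffic must stay on that site's tunnel. The proxy string omits a trailing DIRECT on purpose; with it, an unreachable proxy would silently send branch traffic straight to the Internet and defeat the control this feature exists to provide.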

Cloud Management

To secure users at remote networks using Explicit Proxy in Cloud Managed Prisma Access, complete the following steps.
  1. Configure your Explicit Proxy setup and onboard the Explicit Proxy locations you want to add.
  2. Onboard your remote networks if you have not done so already.
    You must enable Prisma Access Remote Networks in locations that are supported with Explicit Proxy.
  3. Push Config, making sure that Mobile Users—Remote Workforce and Remote Networks are selected in the Push scope.
    The push operation retrieves the anycast addresses you need to integrate Explicit Proxy with the remote network.
  4. Get the anycast IP addresses you use for your Explicit Proxy/Remote Network deployment.
    1. Go to Manage > Service Setup > Explicit Proxy > Advanced Security Settings.
      If you're using Strata Cloud Manager, go to Workflows > Prisma Access Setup > Explicit Proxy > Advanced Security Settings.
    2. Enable Proxy Mode.
    3. To leverage the source IP addresses of the systems in your branch locations that forward traffic to Explicit Proxy, select Source IP based visibility and enforcement.
      This functionality has these requirements:
    4. Add a policy to allow traffic bound to the anycast and unicast IP addresses on remote networks. If you have enabled Source IP based visibility and enforcement, use the Source IP field in Explicit Proxy Security policies to secure the traffic. You need additional policies in the remote networks.
    5. (Optional) To bypass authentication for trusted source addresses, specify the IP addresses that should skip authentication in the Trusted Source Address area and select Skip authentication.
      You can use Skip authentication together with Source IP based visibility and enforcement to skip authentication for headless systems that can't authenticate, set up security policies for them, and get visibility of their traffic on Prisma Access Explicit Proxy.
      You can add either IP addresses or subnets. A maximum of 100,000 IP addresses are supported after expanding the subnets.
    6. Go to Manage > Service Setup > Remote Networks.
      If you're using Strata Cloud Manager, go to Workflows > Prisma Access Setup > Remote Networks.
    7. Push Config, making sure that Mobile Users—Remote Workforce and Remote Networks are selected in the Push scope.
    8. Go to Advanced Settings in your Remote Networks setup and find the anycast IP addresses used to forward traffic to Explicit Proxy.
  5. (Optional) Find the unicast address to use for your Explicit Proxy/Remote Network deployment.
    Use the unicast IP address in the PAC file only if you want to target a specific Remote Network to forward traffic to Explicit Proxy. If you want to use all deployed Remote Networks to forward traffic to Explicit Proxy, use the anycast addresses.
    1. Go to Manage > Service Setup > Remote Networks.
      If you're using Strata Cloud Manager, go to Workflows > Prisma Access Setup > Remote Networks.
    2. Make a note of the Loopback IP address.
      If you have both IPv4 and IPv6 addresses, make a note of the IPv4 address.

Panorama

To secure users at remote networks using Explicit Proxy in Prisma Access (Panorama Managed), complete the following steps.
  1. Configure your Explicit Proxy deployment and onboard the Explicit Proxy locations you want to add.
  2. Retrieve the anycast IP addresses you use for your Explicit Proxy/Remote Network deployment.
    1. Select Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy.
    2. Select the gear icon to edit the Settings.
    3. Select Enable Proxy Mode.
    4. To leverage the private IP addresses of the systems in your branch locations that forward traffic to Explicit Proxy, select Source IP based visibility and enforcement.
      This functionality has these requirements:
      • A minimum Prisma Access dataplane of 10.2.4
      • A Prisma Access (Panorama Managed) deployment with a minimum Cloud Services plugin of 4.1
    5. Add a policy to allow traffic bound to the anycast and unicast IP addresses on remote networks. If you have enabled Source IP based visibility and enforcement, use the Source IP field in Explicit Proxy Security policies to secure the traffic. You need additional policies in the remote networks.
    6. (Optional) Under Authentication Settings, enter any IP addresses from which undecrypted HTTP or HTTP Cross-Origin Resource Sharing (CORS) traffic should be allowed in the Trusted Source Address Auth Bypass field.
      Add the IP addresses to IP address-based Address Objects and Add the address objects in the field.
      Enter a maximum of 100,000 addresses. Make sure that the address objects use IP addresses only.
    7. (Optional) To bypass authentication for the trusted source addresses you entered, select Auth Bypass.
      You can use Auth Bypass together with Source IP based visibility and enforcement to skip authentication for headless systems that can't authenticate, set up security policies for them, and get visibility of their traffic on Prisma Access Explicit Proxy.
      You can add either IP addresses or subnets. A maximum of 100,000 IP addresses are supported after expanding the subnets.
    8. Select Panorama > Cloud Services > Configuration > Remote Networks.
    9. Onboard your Remote Network locations if you have not done so already.
      You must enable Prisma Access Remote Networks in locations that are supported with Explicit Proxy.
    10. Click Commit > Commit and Push.
    11. Edit Selections and, in the Prisma Access tab, make sure Prisma Access for networks is selected in the Push Scope, then click OK.
    12. Commit and Push your changes.
      You must perform a commit and push for your Remote Networks for Prisma Access to retrieve the IP addresses used in an Explicit Proxy/Remote Network deployment.
    13. Return to the Explicit Proxy Settings (Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy > Settings > Advanced) and make a note of the ALLOCATED ADDRESSES displayed under Remote Networks Configuration.
  3. (
    Optional
    ) Find the unicast address you use for your Explicit Proxy/Remote Network deployment.
    Use the unicast IP address in the PAC file only if you want to target a specific Remote Network to forward traffic to Explicit Proxy. If you want to use all deployed Remote Networks to forward traffic to Explicit Proxy, use the anycast addresses.
    1. Select Panorama > Cloud Services > Status > Network Details > Remote Networks.
    2. Make a note of the EBGP Router address.
      If you have both IPv4 and IPv6 addresses, make a note of the IPv4 address.
      This address is also known as the loopback address. If you have made configuration changes that changed the EBGP Router address, you can retrieve the loopback IP address using the Prisma Access legacy API.
  4. Ensure that the CPE in your network is set up correctly for endpoints to forward traffic to Explicit Proxy via the anycast and unicast IP addresses.
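Both the Cloud Management Trusted Source Address step and the Panorama Auth Bypass step above cap the bypass list at 100,000 addresses after subnet expansion and, on Panorama, require the address objects to hold IP addresses only. Every address on that list is trusted purely on its private source IP, so the list should contain only the headless systems that genuinely cannot authenticate. The checker below is an added example, not Prisma Access or Panorama code, that validates such a list before you push it: it parses IPv4 hosts and CIDR prefixes, rejects anything else, merges overlapping and adjacent ranges so duplicates are not counted twice, and reports whether the expanded total fits. The sample list is constructed.

```javascript
// Added example (not Prisma Access code): sanity-check a Trusted Source Address
// list before pushing it. The page states a limit of 100,000 addresses after
// subnet expansion and, for Panorama, that address objects must hold IP
// addresses only. This checker parses IPv4 hosts and CIDR prefixes, rejects
// anything else (FQDNs, bad prefixes), merges overlapping ranges so duplicates
// are not double counted, and reports whether the expanded total fits.
var TRUSTED_SOURCE_LIMIT = 100000;

// "10.10.0.0/16" or "192.168.50.12" -> {start, end} as integers, else null.
function parseCidr(entry) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\/(\d{1,2}))?$/.exec(String(entry).trim());
  if (!m) return null;
  var ip = 0;
  for (var i = 1; i <= 4; i++) {
    var o = Number(m[i]);
    if (o > 255) return null;
    ip = ip * 256 + o;
  }
  var prefix = m[5] === undefined ? 32 : Number(m[5]);
  if (prefix > 32) return null;
  var size = Math.pow(2, 32 - prefix);
  var start = ip - (ip % size); // clear host bits so 10.10.5.7/24 counts as 10.10.5.0/24
  return { start: start, end: start + size - 1 };
}

// Returns {ok, count, merged, errors}: ok is true only when every entry parsed
// and the deduplicated address count is within the limit.
function checkTrustedSources(entries, limit) {
  if (limit === undefined) limit = TRUSTED_SOURCE_LIMIT;
  var ranges = [], errors = [];
  entries.forEach(function (e) {
    var r = parseCidr(e);
    if (r) ranges.push(r); else errors.push(e);
  });
  ranges.sort(function (a, b) { return a.start - b.start; });
  var merged = [];
  ranges.forEach(function (r) {
    var last = merged[merged.length - 1];
    if (last && r.start <= last.end + 1) {       // overlapping or adjacent: extend
      if (r.end > last.end) last.end = r.end;
    } else {
      merged.push({ start: r.start, end: r.end });
    }
  });
  var count = merged.reduce(function (n, r) { return n + (r.end - r.start + 1); }, 0);
  return { ok: errors.length === 0 && count <= limit, count: count, merged: merged.length, errors: errors };
}

// Constructed sample: a branch's headless systems plus a subnet that is already
// covered by a larger one and a host listed twice in two notations.
var SAMPLE_TRUSTED_SOURCES = ["10.10.0.0/16", "10.10.5.0/24", "192.168.50.12", "192.168.50.12/32"];

console.log(JSON.stringify(checkTrustedSources(SAMPLE_TRUSTED_SOURCES)));
```

Run it with `node` before committing the list; a result with `ok: false` and a non-empty `errors` array points at entries that Panorama would reject as non-IP, while `ok: false` with no errors means the expanded subnets exceed the limit even after deduplication.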
