Use Explicit Proxy with GlobalProtect
Use this task to use Prisma Access Explicit Proxy together with GlobalProtect.
To implement GlobalProtect—Mobile Users with Explicit Proxy, complete the following steps.
These configuration steps make the following assumptions about your network environment; if your network environment is different, the configuration might be different:
  • Mobile users are able to reach and resolve the GlobalProtect portal hostname, the gateway FQDNs, the Explicit Proxy URL, and the PAC File URL directly. The PAC file in this task returns DIRECT for the portal, gateways, and PAC file host, and the proxy itself cannot be reached through the proxy, so none of these hosts may depend on Explicit Proxy.
    • To find the gateway FQDNs, select Panorama > Cloud Services > Status > Network Details > Mobile Users—GlobalProtect > Gateways.
    • To find the PAC File URL, select Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy > PAC File URL.
  • Mobile users are able to resolve internal domains from GlobalProtect.
  1. Plan your Mobile Users—Explicit Proxy deployment and your GlobalProtect deployment (either your Mobile Users—GlobalProtect or standalone GlobalProtect deployment).
  2. Decide which applications you want to send to GlobalProtect and which applications you want to send to Explicit Proxy.
    The following steps direct private applications hosted at your data center to GlobalProtect and requests to internet and public SaaS applications to Explicit Proxy.
  3. In the Panorama that manages Prisma Access, configure the GlobalProtect portal settings.
    1. Select Network > GlobalProtect > Portals. Be sure that you have selected Mobile_User_Template from the Template drop-down.
    2. Select GlobalProtect_Portal to edit the Prisma Access portal configuration.
    3. Select the Agent tab and select the DEFAULT configuration or Add a new one.
    4. Select the App tab.
    5. Make the following app configuration changes:
      • In Detect Proxy for Each Connection, select Yes.
      • In Set Up Tunnel Over Proxy (Windows & Mac Only), select No, so that the tunnel to the gateway is established directly rather than through Explicit Proxy.
      • In Use Default Browser for SAML Authentication, select Yes.
  4. Create a split tunnel in GlobalProtect that directs the internal traffic to GlobalProtect.
    The following example uses a split tunnel to direct traffic based on domain (FQDN); you could also configure a split tunnel based on the access route of the traffic.
    1. In the gateway configuration (Network > GlobalProtect > Gateways > GlobalProtect External Gateway), select Agent > Client Settings.
    2. Select the DEFAULT configuration or Add a new one.
    3. Select Split Tunnel > Domain and Application.
    4. Add the Include Domain and, optionally, the Ports to use with the domain.
      This example uses internal-app.corp.com as the domain that hosts the apps in your data center. You add this domain and the SAML authentication URL to the Include Domain list so that traffic to them is sent through the GlobalProtect tunnel; everything that is not included leaves the endpoint outside the tunnel and is steered by the PAC file.
    5. Click OK to save your changes.
    6. Commit and Push your changes.
  5. Configure the PAC file to bypass the domains you entered for the split tunnel.
    The following example shows a PAC file in which the domain that hosts the private apps (internal-app.corp.com) bypasses Explicit Proxy: the PAC file returns DIRECT for it, so that traffic reaches the GlobalProtect tunnel instead of the proxy. The parameters in the following PAC file are all example values:
    • The portal hostname is splittunnel.gpcloudservice.com.
    • The mobile user gateways (Panorama > Cloud Services > Status > Network Details > Mobile Users—GlobalProtect > Gateways) are contained in the wildcard FQDN *examplegateways.gw.gpcloudservice.com.
    • The PAC File URL (Panorama > Cloud Services > Configuration > Mobile Users—Explicit Proxy > PAC File URL) is https://pacfileurl.pac.
    • internal-app.corp.com is hosting the private apps that are being protected by Mobile Users—GlobalProtect.
    • Okta is being used for SAML authentication.
    • The Explicit Proxy URL is example.proxy.prismaaccess.com.
    For more information about what PAC files do and how to create and modify them, see Set Up Your Explicit Proxy PAC File.
    Note that the proxy resolver passes only the hostname in host (never a scheme or path), and that a pattern that starts with "*." matches subdomains only, not the bare domain itself; the bypass rules below check for both.
    function FindProxyForURL(url, host) {
        /* Bypass FTP */
        if (url.substring(0, 4) == "ftp:")
            return "DIRECT";
        /* Bypass the Prisma Access Portal Hostname (the portal itself and any host under it) */
        if (host == "splittunnel.gpcloudservice.com" || shExpMatch(host, "*.splittunnel.gpcloudservice.com"))
            return "DIRECT";
        /* Bypass the Prisma Access Gateways */
        if (shExpMatch(host, "*examplegateways.gw.gpcloudservice.com"))
            return "DIRECT";
        /* Bypass the host that serves the PAC file (host is a hostname, so compare against it without the https:// scheme) */
        if (host == "pacfileurl.pac")
            return "DIRECT";
        /* Bypass the private app domain that the GlobalProtect split tunnel includes */
        if (host == "internal-app.corp.com" || shExpMatch(host, "*.internal-app.corp.com"))
            return "DIRECT";
        /* Bypass the SAML ACS */
        if (shExpMatch(host, "*.acs.prismaaccess.com"))
            return "DIRECT";
        /* Forward everything else to Prisma Access Explicit Proxy */
        return "PROXY example.proxy.prismaaccess.com:8080";
    }
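To verify what a PAC file will decide before you publish it, the following harness (an added example, not code from the Prisma Access documentation) re-implements the shExpMatch() helper that the browser or OS proxy resolver normally supplies, runs two versions of the rules over constructed URLs, and reports the mismatches: the rules as the page originally printed them (host compared against a scheme-prefixed URL and against "*." patterns that miss the bare domain) beside the corrected rules. The hostnames are the page's example values; the test URLs, the hostOrSubdomainOf() helper and the checkPac() function are assumptions of this example.

```javascript
// Added example, not from the Prisma Access documentation: an offline harness
// for checking PAC routing decisions under Node. PAC files run in a sandbox that
// provides helpers such as shExpMatch(); re-implementing the one this PAC file
// uses lets the logic run outside a browser. Hostnames are the page's example
// values; the URLs in EXPECTED are constructed for the test.

const PROXY = "PROXY example.proxy.prismaaccess.com:8080";

// shExpMatch(str, pattern): shell-style glob, anchored and case-insensitive.
// '*' matches any run of characters, '?' matches a single character.
function shExpMatch(str, pattern) {
  const re = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp("^" + re + "$", "i").test(str);
}

// The rules exactly as the page originally printed them. Two of them can never
// match: "*.splittunnel..." needs a dot before the portal hostname, and host is
// a bare hostname, so it never equals "https://pacfileurl.pac".
function originalFindProxyForURL(url, host) {
  if (url.substring(0, 4) == "ftp:") return "DIRECT";
  if (shExpMatch(host, "*.splittunnel.gpcloudservice.com")) return "DIRECT";
  if (shExpMatch(host, "*examplegateways.gw.gpcloudservice.com")) return "DIRECT";
  if (shExpMatch(host, "https://pacfileurl.pac")) return "DIRECT";
  if (shExpMatch(host, "*.internal-app.corp.com")) return "DIRECT";
  if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT";
  return PROXY;
}

// Assumed helper: true for the domain itself and any subdomain, but not for
// look-alike hosts such as "internal-app.corp.com.evil.example".
function hostOrSubdomainOf(host, domain) {
  return host.toLowerCase() === domain || shExpMatch(host, "*." + domain);
}

// Corrected rules: bypass the portal, the gateways, the PAC file host, the
// private app domain and the SAML ACS by hostname; send the rest to the proxy.
function FindProxyForURL(url, host) {
  if (url.substring(0, 4) == "ftp:") return "DIRECT";
  if (hostOrSubdomainOf(host, "splittunnel.gpcloudservice.com")) return "DIRECT";
  if (shExpMatch(host, "*examplegateways.gw.gpcloudservice.com")) return "DIRECT";
  if (hostOrSubdomainOf(host, "pacfileurl.pac")) return "DIRECT";
  if (hostOrSubdomainOf(host, "internal-app.corp.com")) return "DIRECT";
  if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT";
  return PROXY;
}

// Assumed harness: call a PAC function the way a resolver would (host derived
// from the URL) and return every case whose decision differs from expectation.
function checkPac(pac, expected) {
  const failures = [];
  for (const [u, want] of Object.entries(expected)) {
    const got = pac(u, new URL(u).hostname);
    if (got !== want) failures.push({ url: u, want, got });
  }
  return failures;
}

// Constructed cases: what each URL should do under the design on this page.
const EXPECTED = {
  "ftp://files.example.com/pub/": "DIRECT",
  "https://splittunnel.gpcloudservice.com/global-protect/login.esp": "DIRECT",
  "https://us-east.examplegateways.gw.gpcloudservice.com/": "DIRECT",
  "https://pacfileurl.pac/": "DIRECT",
  "https://internal-app.corp.com/": "DIRECT",
  "https://hr.internal-app.corp.com/": "DIRECT",
  "https://tenant.acs.prismaaccess.com/saml/acs": "DIRECT",
  "https://www.example.com/": PROXY,
  "https://internal-app.corp.com.evil.example/": PROXY,
};

console.log("original rules, mismatches:", checkPac(originalFindProxyForURL, EXPECTED));
console.log("corrected rules, mismatches:", checkPac(FindProxyForURL, EXPECTED));
```

Run it with node: the original rules report three mismatches (the bare portal hostname, the PAC file host and the bare internal-app.corp.com all go to the proxy), the corrected rules report none. Key the bypass rules on host rather than url: current Chrome and Firefox strip the path and query from https URLs before calling FindProxyForURL, so url-based matching beyond the scheme is unreliable.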
