Prisma Access now provides user information for undecrypted Kerberos authentication
events over HTTPS.
Achieving consistent user identity-based control for undecrypted HTTPS traffic using
Kerberos authentication was previously impossible in Prisma® Access, forcing
administrators to accept inconsistent policy enforcement. This new feature solves
that challenge by allowing you to implement user identity-based visibility and
control using security policies for undecrypted HTTPS traffic when a user or system
authenticates using Kerberos.
This functionality ensures consistent user visibility and policy enforcement for all
HTTP-based traffic (undecrypted HTTPS, decrypted HTTPS, and HTTP traffic).
Previously, you could authenticate decrypted and undecrypted traffic, but enforcement
was limited to decrypted HTTPS traffic. Now, all HTTP-based traffic can authenticate
and undergo consistent user-based controls. Furthermore, administrators no longer
need to configure Trusted Source Addresses, so users or systems are no longer
required to come from static IP addresses configured as Trusted Source Addresses.
This simplifies your initial configuration and supports the use case in which your
branch locations employ dynamic egress IP addresses.