Requirements for Using Explicit Proxy with GlobalProtect or a Third-Party VPN

Follow these requirements and recommendations to use Explicit Proxy with GlobalProtect or third-party VPNs.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license
Before you start your configuration, make sure that you meet the following requirements and recommendations for deploying Explicit Proxy with GlobalProtect or with a third-party VPN:
  • To use Explicit Proxy with GlobalProtect, you must deploy GlobalProtect (either a Mobile Users—GlobalProtect deployment or a standalone GlobalProtect deployment that uses GlobalProtect gateways and portals).
    Configure split tunneling in GlobalProtect. The examples in this section show traffic being split based on a domain (URL) or application; however, you can also split traffic based on the access route.
    You can also configure split DNS options in GlobalProtect to control which domains are resolved by the VPN-assigned DNS servers and which domains are resolved by the local DNS servers.
  • To use Explicit Proxy with a third-party VPN, you must deploy the VPN solution.
  • Make a list of the applications that you want to secure with the Mobile Users—GlobalProtect or third-party VPN deployment.
    For example, if you are configuring Explicit Proxy with GlobalProtect, you should configure GlobalProtect to secure all access to private apps or resources, while configuring the Explicit Proxy PAC file to secure public apps or SaaS applications. The configuration examples in this section have GlobalProtect resolving the internal domains and Explicit Proxy resolving external domains.
  • Configure authentication for Explicit Proxy and GlobalProtect or the third-party VPN.
    Palo Alto Networks recommends that you use the default browser on each mobile user’s endpoint for SAML authentication so you can take advantage of single sign-on (SSO) by editing the portal configuration as shown in Set Up Explicit Proxy.
  • You must make sure that the browsers used by the mobile users honor the configuration in the PAC file.
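
A PAC file that implements the split described above (internal domains left to GlobalProtect, everything else sent to Explicit Proxy), as an added example that is not Palo Alto Networks' own configuration. The proxy address and the internal domain names are placeholders, and returning DIRECT for internal hosts assumes the GlobalProtect split tunnel routes that traffic.

```javascript
// Added example PAC file, not vendor-supplied. Placeholder values:
// replace with your tenant's Explicit Proxy address and your own domains.
// No "; DIRECT" fallback on purpose: if the proxy is unreachable, the
// browser fails closed instead of sending public traffic uninspected.
var EXPLICIT_PROXY = "PROXY proxy.example.invalid:8080";
var INTERNAL_DOMAINS = ["corp.example", "intranet.example"]; // constructed

// Lower-case the host and strip one trailing dot so "Wiki.Corp.Example."
// and "wiki.corp.example" get the same routing decision.
function normalizeHost(host) {
  var h = String(host || "").toLowerCase();
  return h.charAt(h.length - 1) === "." ? h.slice(0, -1) : h;
}

// True when host is the domain itself or a subdomain of it. Matching on
// the "." label boundary keeps "notcorp.example" from counting as internal.
// Written in ES5 so older PAC engines can evaluate it.
function inDomain(host, domain) {
  if (host === domain) return true;
  return host.length > domain.length &&
         host.slice(-(domain.length + 1)) === "." + domain;
}

function FindProxyForURL(url, host) {
  var h = normalizeHost(host);
  // Single-label names (including "localhost") and loopback stay local.
  if (h === "" || h.indexOf(".") === -1 || h === "127.0.0.1") {
    return "DIRECT";
  }
  // Internal domains: DIRECT here means "follow the OS route", which the
  // GlobalProtect split tunnel is assumed to carry.
  for (var i = 0; i < INTERNAL_DOMAINS.length; i++) {
    if (inDomain(h, INTERNAL_DOMAINS[i])) return "DIRECT";
  }
  // Public and SaaS destinations go through Explicit Proxy.
  return EXPLICIT_PROXY;
}
```

Keep the internal domain list in the PAC file consistent with the domains covered by the GlobalProtect split tunnel and split DNS settings, so that a host is never internal for one and external for the other.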