Describes the software and network requirements you need
to successfully deploy Prisma Access Explicit Proxy.
Before you secure mobile users with an Explicit Proxy,
make sure that you are aware of the software and network requirements
described in this section.
Onboarding Guidelines—Use the following guidelines when
you license and onboard your Explicit Proxy deployment:
Explicit Proxy supports a subset of Prisma
Access locations.
If
you have a Local or Evaluation license for Prisma Access for Users
and you have a Mobile Users—GlobalProtect deployment as well as
a Mobile Users—Explicit Proxy deployment, you can deploy a maximum
of five locations for each (five locations maximum for Mobile Users—GlobalProtect
and five locations maximum for Mobile Users—Explicit Proxy). If
you have a Worldwide license, there are no restrictions for the
maximum number of locations.
Explicit Proxy supports multitenancy under the following
conditions: if you have an existing Prisma Access non-multitenant
deployment and convert it to a multitenant deployment,
only the first tenant (the tenant you migrated) supports Explicit
Proxy. Any subsequent tenants you create for the multitenant deployment
after the first do not support Explicit Proxy.
In addition,
group-based security policies will not work in a multitenant deployment.
Explicit Proxy uses the Directory Sync component
of the Cloud Identity Engine to perform group mapping, and multitenancy does not support the Cloud
Identity Engine.
When onboarding an Explicit Proxy deployment, Palo Alto Networks
recommends that all the configuration be performed in a single browser.
You can, however, add security policies from multiple browsers or
browser sessions.
Network Guidelines and Requirements—When configuring Explicit
Proxy, make sure that you are aware of the following network guidelines
and have made the following configuration changes in your network
and security environment:
You must configure an SSL decryption policy
for all Explicit Proxy traffic.
Decryption
is required for Prisma Access to read the authentication state cookie
set up by Prisma Access on the mobile user’s browser. Failing to
enforce decryption enables the abuse of Explicit Proxy as an open
proxy that can be widely misused as a forwarding service for conducting
denial of service attacks.
To prevent users from accessing
undecrypted sites, be sure to leave the Decrypt traffic
that matches existing decryption rules; for undecrypted traffic,
allow traffic only from known IPs registered by authenticated users check
box selected when you configure Explicit
Proxy.
Explicit Proxy does not support HTTP/2 natively. HTTP/2 protocol
requests will be downgraded to HTTP/1.1. Explicit Proxy strips out application-layer protocol negotiation
(ALPN) headers from uploaded files, regardless of your configuration.
The maximum supported TLS version is 1.3. When creating a decryption profile,
specify a Max Version of TLS v1.3.
If mobile users are connecting from remote sites or headquarters/data
center locations using an Explicit Proxy, the mobile user endpoint must
be able reach and route to the IdP, ACS FQDN, Explicit Proxy URL,
and URL of the PAC file hosted by Prisma Access. To find the ACS
FQDN and the Explicit Proxy URL, select PanoramaCloud ServicesStatusNetwork DetailsMobile Users—Explicit
Proxy.
Panorama and Content Version Requirements—Make sure that
your deployment has the following minimum Panorama and Antivirus Content
version requirements:
Explicit Proxy requires a minimum Panorama version of
10.0.5.
Explicit Proxy requires a minimum antivirus Content Version
of 3590 to be installed on the Panorama to support the predefined
security policies. Install the required Content Version before committing
the Mobile Users—Explicit Proxy configuration.
Palo Alto Networks Subscription Support—Explicit Proxy
includes Threat Prevention, URL Filtering, WildFire, DNS Security,
and DLP subscriptions. The DNS Security subscription is also included
and includes support for the Command and Control Domains and Malware
Domains DNS Security signature categories.
Mobile User App Support and Browser Guidelines—Explicit
Proxy supports the following apps and has the following browser
guidelines and requirements:
Explicit Proxy secures internet and SaaS applications
accessed over the mobile users’ browser using HTTP and HTTPS traffic
only. Non-web ports and protocols are not supported.
Explicit Proxy does not support the full client-based version
of Microsoft 365 (Office 365), which uses non-web ports. However,
it is designed to support web-based M365, including Office Online
(office.com).
Explicit Proxy does not provide access to private applications.
Mobile users will be unidentified in the traffic logs for
sites that are not decrypted, with some exceptions. See How Explicit Proxy Identifies Users for more
information.
Make a note of the following browser requirements and usage
guidelines:
If
you use Explicit Proxy, do not disable cookies in your browser;
if you do, you cannot browse any web pages.
If
you are using Explicit Proxy with Microsoft Edge, be sure that SettingsPrivacy, Search, and ServicesTracking prevention is set
to Basic.
If
you use Safari with Explicit Proxy, you might experience issues
when accessing websites. Instead of Safari, use Microsoft Edge,
Firefox, Chrome, or Internet Explorer as your browser.
When using Firefox with an Explicit Proxy, go to about:config and
set security.csp.enable to false.
In addition, some add-ons, such as ones that perform ad blocking
or tracking protection, might interfere with tracking protection.
To support desktop applications, or applications that do
not send HTTP traffic, you can configure GlobalProtect
in split tunnel mode and use GlobalProtect in conjunction
with Explicit Proxy.
If
you visit a website for the first time, are prompted to enter Explicit
Proxy credentials, then refresh the browser, you might receive an
error. If this condition occurs, re-visit the website without refreshing
and retry the authentication operation.
PAC File Requirements and Guidelines—Explicit Proxy has
certain requirements for its PAC files; see Set Up Your Explicit Proxy PAC File for details.
Proxy Chaining Guidelines—If you use proxy chaining from
a third-party proxy to Explicit Proxy, specify the Explicit
Proxy URL (PanoramaCloud ServicesStatusNetwork DetailsMobile Users—Explicit
Proxy) in the third-party proxy to forward
traffic to Explicit Proxy.
Authentication and Group Mapping Guidelines—SAML is the
only supported authentication protocol. Prisma Access supports PingOne,
Azure AD, and Okta as SAML authentication providers, but you should
be able to use any vendor that supports SAML 2.0 as a SAML identity provider
(IdP). For more details about configuring SAML authentication with
Prisma Access, including examples for Azure AD, Okta, and Active
Directory Federation Services (ADFS) 4.0, see Authenticate Mobile Users in
the Prisma Access Integration Guide
(Panorama Managed).
In addition, you must use the Cloud Identity Engine to
retrieve user and group mapping information.
Private or Data Center Access Support—Explicit Proxy does
not support flows to Private or Data Center access for internal
applications. It is internet-outbound only.
Port Listening Guidelines—Explicit Proxy only listens
on port 8080.
On-Premises Support—Explicit Proxy is a cloud-based proxy
solution, and is not offered as an on-premises product.