Describes the PAC file requirements used to successfully
deploy Prisma Access Explicit Proxy.
Use the following guidelines and requirements when configuring
the PAC file to use with Explicit Proxy:
PAC files are required to steer user traffic to Explicit
Proxy.
You can host only one PAC file for use with Prisma Access, and the Explicit Proxy PAC file is hosted in the United States. If you require PAC file access from outside the United States, you can host the PAC file in your enterprise. Because the PAC file decides where every client's web traffic is sent, treat an enterprise-hosted copy as security-sensitive configuration: restrict who can change it and serve it from a trusted location.
Only ASCII text format is supported for PAC files. Palo Alto Networks recommends that you create and save the PAC file in a plain text editor such as vi or Vim. Avoid word processors, which can insert a byte-order mark or curly quotation marks that are not ASCII.
Upload the PAC file after you create your Explicit Proxy
configuration and commit and push your changes. After you upload
your PAC file, a commit and push operation is not required.
You must have at least one PROXY statement that names the Explicit Proxy URL (in the sample file, return "PROXY foo.proxy.prismaaccess.com:8080";) so that traffic ingresses to Prisma Access. Every return value in the file must use a valid form: the domain configured when you push your changes (for example, PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080), a valid IPv4 address (for example, PROXY 1.2.3.4:8080), or the DIRECT keyword.
If traffic is not being bypassed, you must provide a PROXY keyword. A valid PROXY statement is required wherever no DIRECT keyword is configured for the proxy bypass.
If a valid PROXY statement is found before an invalid PROXY statement, Explicit Proxy skips the validity check on all PROXY statements after the first. For example, a PAC file with the valid statement PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080 followed by the invalid statement PROXY foo.proxy.prismaacess.com:8080 is accepted, because Explicit Proxy does not check foo.proxy.prismaacess.com:8080. Because the upload validation stops at the first valid statement, review every later PROXY statement yourself before you upload the file.
If you use a PROXY statement to send ACS traffic to a proxy other than Prisma Access, that PROXY statement must not use the Explicit Proxy URL. If it does, Explicit Proxy displays an error message but still lets you upload the PAC file. You can direct ACS traffic to another proxy by its FQDN or IPv4 address, or send it directly to the internet with the DIRECT keyword.
Only IPv4 addresses are supported in PROXY statements. Do
not use IPv6 addresses in PROXY statements.
The maximum file size for a PAC file is 256 KB.
You must specify IdP and ACS URLs to be bypassed.
You cannot delete a PAC file after you've uploaded it. You can, however, upload a new PAC file to overwrite the existing one.
If you change the Explicit Proxy URL in Prisma Access but do not change the PAC file to reflect the change, the change won't be applied. You must upload a new PAC file specifying the new Explicit Proxy URL.
Explicit Proxy provides you with a sample PAC file that you can
modify and use as the PAC file for your Explicit Proxy deployment.
The sample PAC file that Prisma Access provides contains the following data:
function FindProxyForURL(url, host) {
    /* Bypass localhost and Private IPs */
    var resolved_ip = dnsResolve(host);
    if (isPlainHostName(host) ||
        shExpMatch(host, "*.local") ||
        isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
        isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
        isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
        isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
        return "DIRECT";
    /* Bypass FTP */
    if (url.substring(0,4) == "ftp:")
        return "DIRECT";
    /* Bypass SAML, e.g. Okta */
    if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com"))
        return "DIRECT";
    /* Bypass ACS */
    if (shExpMatch(host, "*.acs.prismaaccess.com"))
        return "DIRECT";
    /* Forward to Prisma Access */
    return "PROXY foo.proxy.prismaaccess.com:8080";
}
If you want to use the default PAC file that Prisma Access provides,
you can optionally modify the fields in the PAC file as described
in the following table.
Text: var resolved_ip = dnsResolve(host); ... return "DIRECT";
Description: Enter any hostnames or IP addresses that should not be sent to Explicit Proxy between var resolved_ip = dnsResolve(host); and the first return "DIRECT";. If you do not modify this block, the following hostnames and IP addresses bypass Explicit Proxy:
- isPlainHostName(host) bypasses Explicit Proxy for hostnames that contain no dots (for example, http://intranet).
- shExpMatch(host, "*.local") bypasses Explicit Proxy for any hostname in the .local domain, which is typically used for hosts on the internal network (for example, printer.local).
- isInNet(resolved_ip, "10.0.0.0", "255.0.0.0"), isInNet(resolved_ip, "172.16.0.0", "255.240.0.0"), isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") and isInNet(resolved_ip, "127.0.0.0", "255.255.255.0") bypass Explicit Proxy for any host whose resolved IP address is in a private (RFC 1918) or loopback range. The decision follows the address the client's resolver returns for the host, not the hostname itself, and the sample's loopback mask covers only 127.0.0.0/24; use the mask 255.0.0.0 if the whole 127.0.0.0/8 block should bypass the proxy.

Text: if (url.substring(0,4) == "ftp:") return "DIRECT";
Description: Bypasses Explicit Proxy for FTP sessions.

Text: if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com")) return "DIRECT";
Description: Bypasses Explicit Proxy for the SAML IdP. Be sure to add all FQDNs used by the IdP. If you use Okta as the IdP for SAML authentication, enter *.okta.com and *.oktacdn.com.

Text: if (shExpMatch(host, "*.acs.prismaaccess.com")) return "DIRECT";
Description: Bypasses Explicit Proxy for the Prisma Access Authentication Cache Service (ACS). Instead of using a wildcard, you can add the specific ACS FQDN for your deployment. Find this FQDN under .

Text: return "PROXY foo.proxy.prismaaccess.com:8080";
Description: Forwards all traffic that matched no bypass rule to Explicit Proxy. Replace foo.proxy.prismaaccess.com with the Explicit Proxy URL of your deployment; you must have at least one PROXY statement that names the Explicit Proxy URL so that traffic ingresses to Prisma Access. Use either the domain configured when you push your changes (for example, PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080) or a valid IPv4 address (for example, PROXY 1.2.3.4:8080); the DIRECT keyword is valid only for bypass rules, not for this final statement.
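The harness below is an added example, not Palo Alto Networks code. It runs the sample PAC logic from this page offline so you can see which URLs bypass Explicit Proxy before you upload the file. Browsers supply isPlainHostName, shExpMatch, isInNet and dnsResolve to a PAC script; here they are reimplemented for Node.js, dnsResolve answers from a constructed table, and the sample's foo.proxy.prismaaccess.com placeholder is replaced with an assumed tenant URL built from the example tenant ID on this page. It also exercises two behaviours of the sample that are easy to miss: a public hostname whose DNS answer is a private address goes DIRECT, and 127.0.1.1 is proxied because the sample's loopback mask covers only 127.0.0.0/24.

```javascript
// Added example, not Palo Alto Networks code: evaluate the sample PAC logic
// from this page against constructed DNS answers under Node.js.

// Constructed resolver table standing in for the client's DNS answers.
const DNS_TABLE = {
  "www.example.com": "93.184.216.34",
  "files.example.com": "203.0.113.20",
  "app.okta.com": "203.0.113.10",
  "tenant.acs.prismaaccess.com": "198.51.100.7",
  "intranet": "10.10.0.5",
  "printer.local": "192.168.1.20",
  // A public name whose answer is a private address: the sample's isInNet rules
  // send it DIRECT, because the bypass decision follows the resolved IP.
  "rebound.example.net": "10.0.0.9",
};

// Reimplementations of the PAC helper functions the browser normally provides.
function ipToInt(ip) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(String(ip));
  if (!m) return null;
  const o = m.slice(1).map(Number);
  if (o.some((x) => x > 255)) return null;
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}
function isInNet(ip, net, mask) {
  const a = ipToInt(ip), n = ipToInt(net), m = ipToInt(mask);
  if (a === null || n === null || m === null) return false;
  return ((a & m) >>> 0) === ((n & m) >>> 0);
}
function isPlainHostName(host) { return !host.includes("."); }
// Shell-style glob: '*' matches any run of characters, '?' one character.
function shExpMatch(str, pattern) {
  const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".");
  return new RegExp(`^${re}$`).test(str);
}
// IP literals resolve to themselves; unknown names resolve to null, as in browsers.
function dnsResolve(host) {
  return ipToInt(host) !== null ? host : (DNS_TABLE[host] ?? null);
}

// Assumed tenant URL replacing the sample's foo.proxy.prismaaccess.com placeholder.
const EXPLICIT_PROXY = "PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080";

// The sample PAC logic from this page, unchanged except for the tenant URL.
function FindProxyForURL(url, host) {
  /* Bypass localhost and Private IPs */
  var resolved_ip = dnsResolve(host);
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
      isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))
    return "DIRECT";
  /* Bypass FTP */
  if (url.substring(0, 4) == "ftp:")
    return "DIRECT";
  /* Bypass SAML, e.g. Okta */
  if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com"))
    return "DIRECT";
  /* Bypass ACS */
  if (shExpMatch(host, "*.acs.prismaaccess.com"))
    return "DIRECT";
  /* Forward to Prisma Access */
  return EXPLICIT_PROXY;
}

// Browsers pass the hostname (without port) as the second argument.
function decide(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

const SAMPLE_URLS = [
  "http://intranet/", "https://www.example.com/", "https://printer.local/",
  "ftp://files.example.com/pub/", "https://app.okta.com/login",
  "https://tenant.acs.prismaaccess.com/", "https://rebound.example.net/",
  "https://172.31.255.1/", "https://127.0.0.1/", "https://127.0.1.1/",
];
for (const u of SAMPLE_URLS) console.log(u.padEnd(40), decide(u));
```

Add your own internal FQDNs and IdP domains to DNS_TABLE and SAMPLE_URLS to confirm the file sends exactly the traffic you expect DIRECT and nothing else; any public-facing host you intend to inspect that shows up as DIRECT here means a bypass rule is wider than intended.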