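/**
 * Proxy auto-config (PAC) entry point: returns, for each request, whether the
 * client connects directly or through the Prisma Access Explicit Proxy.
 *
 * Uses the helpers supplied by the PAC runtime (dnsResolve, isPlainHostName,
 * shExpMatch, isInNet); none of them are defined in this file.
 *
 * @param {string} url  Full URL being requested.
 * @param {string} host Host name taken from that URL.
 * @returns {string} "DIRECT" for bypassed destinations, otherwise the
 *   "PROXY host:port" entry for the Explicit Proxy.
 */
function FindProxyForURL(url, host) {
  /* Bypass localhost and Private IPs */
  // The lookup is the first statement, so it runs for every request, including
  // hosts that a name-only rule below would already bypass.
  var resolved_ip = dnsResolve(host);
  // NOTE(review): this rule trusts the answer of the client's resolver. Any
  // host name that resolves into one of these ranges is sent DIRECT and is
  // therefore not seen by the proxy; the rule is only as reliable as the DNS
  // the client uses.
  // NOTE(review): the last entry uses mask 255.255.255.0, so it matches
  // 127.0.0.0-127.0.0.255 only. The full loopback block is 127.0.0.0/8
  // (mask 255.0.0.0). The value is kept exactly as the page gives it.
  if (isPlainHostName(host) ||
      shExpMatch(host, "*.local") ||
      isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") ||
      isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") ||
      isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") ||
      isInNet(resolved_ip, "127.0.0.0", "255.255.255.0")) {
    return "DIRECT";
  }

  /* Bypass FTP */
  // Case-sensitive prefix test on the URL scheme.
  if (url.substring(0, 4) === "ftp:") {
    return "DIRECT";
  }

  /* Bypass SAML, e.g. Okta */
  // A wildcard exempts every subdomain from the proxy; list only the FQDNs the
  // IdP actually uses where the deployment allows it.
  if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com")) {
    return "DIRECT";
  }

  /* Bypass ACS */
  if (shExpMatch(host, "*.acs.prismaaccess.com")) {
    return "DIRECT";
  }

  /* Forward to Prisma Access */
  // foo.proxy.prismaaccess.com is the sample value used on this page; replace
  // it with the Explicit Proxy URL of the deployment.
  return "PROXY foo.proxy.prismaaccess.com:8080";
}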
If you want to use the default PAC file that Prisma Access provides,
you can optionally modify the fields in the PAC file as described
in the following table.
var resolved_ip = dnsResolve(host);
...
return "DIRECT";
| Enter any hostnames or IP addresses that
should not be sent to Explicit Proxy between the JavaScript statements `var resolved_ip =` and `return "DIRECT";`. If
you do not modify the data in this file, the following hostnames
and IP addresses bypass Explicit Proxy:
`if (isPlainHostName(host) ||`—Bypasses Explicit Proxy for hostnames
that contain no dots (for example, http://intranet).
`shExpMatch(host, "*.local") ||`—Bypasses
the proxy for any hostnames that are hosted in the internal network
(localhost).
`isInNet(resolved_ip, "10.0.0.0", "255.0.0.0") || isInNet(resolved_ip, "172.16.0.0", "255.240.0.0") || isInNet(resolved_ip, "192.168.0.0", "255.255.0.0") || isInNet(resolved_ip, "127.0.0.0", "255.255.255.0"))`—Bypasses Explicit Proxy for any IP addresses
that are in the private or loopback IP address range. As written, the 127.0.0.0 entry with mask 255.255.255.0 matches only 127.0.0.0–127.0.0.255.
|
if (url.substring(0,4) == "ftp:")
return "DIRECT";
| Bypasses Explicit Proxy for FTP sessions. |
if (shExpMatch(host, "*.okta.com") || shExpMatch(host, "*.oktacdn.com"))
return "DIRECT";
| Bypasses Explicit Proxy for the SAML IdP.
Be sure to add all FQDNs used by the IdP. If you use Okta
as the IdP for SAML authentication, enter `*.okta.com` and `*.oktacdn.com`. |
if (shExpMatch(host, "*.acs.prismaaccess.com"))
return "DIRECT";
| Bypasses Explicit Proxy for the Prisma Access Authentication
Cache Service (ACS). Instead of using a wildcard, you can
add the specific ACS FQDN for your deployment. Find
this FQDN under . |
return "PROXY foo.proxy.prismaaccess.com:8080"
| Bypasses Explicit Proxy for the Explicit
Proxy URL. You must have at least one Explicit Proxy URL in
the `return "PROXY foo.proxy.prismaaccess.com:8080";` statement
for traffic ingressing to Prisma Access. Either use a configured
domain used when you push your changes, or use a valid IPv4 address
or the DIRECT keyword, such as `PROXY paloaltonetworks-245139.proxy.prismaaccess.com:8080` or `PROXY 1.2.3.4:8080`. |