Create Block Settings in an Explicit Proxy Deployment
Focus
Focus

Create Block Settings in an Explicit Proxy Deployment

Table of Contents

Create Block Settings in an Explicit Proxy Deployment

Use Block Settings in the Prisma Access UI.
To enable this functionality, reach out to your Palo Alto Networks account representative or partner, who will contact the Site Reliability Engineering (SRE) team and submit a request.
When users access an internet destination using Explicit Proxy, the DNS resolution for the internet destination is performed by Explicit Proxy. To block access to an internet destination at the DNS resolution stage, you can use block settings. You can block based on DNS Security categories, URL Filtering categories or external dynamic lists (EDLs).
For domains that you block, Prisma Access blocks the domains and users receive a block page during the HTTP GET request (for unencrypted websites) or HTTP Connect request (for encrypted websites), which means that domains are blocked during the initial connection request. When you block access to the site, user are shown a block page after taking them through the authentication flow, and the username is captured for further forensics and Security Operations Center (SOC) workflows.
To configure block settings, complete the following steps.
  1. Configure Block Settings to block domains or domain categories.
    Specify the domains or domain categories for malicious websites, or for any websites that you do not want users to access. Prisma Access prevents users from accessing the URLs and IP addresses you specify in this area when users initiate an HTTP GET (for unencrypted requests) or HTTP CONNECT (for encrypted requests). Users receive a block page when they attempt to access blocked websites.
    1. In Blocked Domain Category List, enter the pre-defined categories to block.
      Custom URL categories are not supported.
    2. In EDL Domain, enter domain-based external dynamic lists (EDLs) to block.
      You can only select EDLs that have an EDL type of Dynamic Domain Lists; dynamic IP lists and dynamic URL lists are not allowed.
    3. If you want to exempt any domains that are included in a Blocked Domain Category List, specify them as an Exempted Domain.
      Any domains that are entered are exempted from being blocked, even if they appear in a domain category that you have blocked.
      • You can enter a maximum of 100 domains.
      • The maximum domain record length is 256 characters.
  2. Select the IP addresses to block in the Blocked Source Address area.
    You can Add addresses, address groups, IP address-based EDLs, or region- and country-based IP addresses.
    Use the following IP address guidelines:
    • Use EDLs with a Type of IP List or Predefined IP List only.
    • Use Address Objects with a type of IP Range or IP Netmask only.
    • Use static IP ranges.
    • Do not use custom regions in IP address objects; instead, use predefined regions.
  3. Select Log requests to blocked domains to have Prisma Access log blocked domain requests.
    Since blocked domain logs can generate a lot of traffic from botnets, use caution when you enable logging, or use it only for troubleshooting purposes. If you restrict your proxy usage (for example, if you restrict usage to specific IP addresses), you might be able to enable logging without restriction.