Create Block Settings in an Explicit Proxy Deployment
Table of Contents
Create Block Settings in an Explicit Proxy Deployment
Use Block Settings in the Prisma Access UI.
To enable this functionality, reach out
to your Palo Alto Networks account representative or partner, who
will contact the Site Reliability Engineering (SRE) team and submit
a request.
When users access an internet destination using
Explicit Proxy, the DNS resolution for the internet destination
is performed by Explicit Proxy. To block access to an internet destination
at the DNS resolution stage, you can use block settings. You can
block based on DNS Security categories, URL Filtering categories
or external dynamic lists (EDLs).
For
domains that you block, Prisma Access blocks the domains and users
receive a block page during the HTTP GET request (for unencrypted
websites) or HTTP Connect request (for encrypted websites), which
means that domains are blocked during the initial connection request.
When you block access to the site, user are shown a block page after
taking them through the authentication flow, and the username is
captured for further forensics and Security Operations Center (SOC)
workflows.
To configure block settings, complete the following
steps.
- Configure Block Settings to
block domains or domain categories.Specify the domains or domain categories for malicious websites, or for any websites that you do not want users to access. Prisma Access prevents users from accessing the URLs and IP addresses you specify in this area when users initiate an HTTP GET (for unencrypted requests) or HTTP CONNECT (for encrypted requests). Users receive a block page when they attempt to access blocked websites.
![]()
- In Blocked Domain Category List,
enter the pre-defined categories
to block.Custom URL categories are not supported.
- In EDL Domain, enter domain-based external dynamic lists (EDLs) to
block.You can only select EDLs that have an EDL type of Dynamic Domain Lists; dynamic IP lists and dynamic URL lists are not allowed.
- If you want to exempt any domains that are included
in a Blocked Domain Category List, specify
them as an Exempted Domain.Any domains that are entered are exempted from being blocked, even if they appear in a domain category that you have blocked.
- You can enter a maximum of 100 domains.
- The maximum domain record length is 256 characters.
- In Blocked Domain Category List,
enter the pre-defined categories
to block.
- Select the IP addresses to block in the Blocked
Source Address area. You can Add addresses, address groups, IP address-based EDLs, or region- and country-based IP addresses.Use the following IP address guidelines:
- Use EDLs with a Type of IP List or Predefined IP List only.
- Use Address Objects with a type of IP Range or IP Netmask only.
- Use static IP ranges.
- Do not use custom regions in IP address objects; instead, use predefined regions.
- Select Log requests to blocked domains to
have Prisma Access log blocked domain requests. Since blocked domain logs can generate a lot of traffic from botnets, use caution when you enable logging, or use it only for troubleshooting purposes. If you restrict your proxy usage (for example, if you restrict usage to specific IP addresses), you might be able to enable logging without restriction.
