topic Re: Prisma explicit proxy for on-premises servers? in Prisma Access Discussions

Prisma explicit proxy for on-premises servers?

VTQNetwork — Tue, 08 Apr 2025 16:30:56 GMT

Hi Palo experts!

Do you know if Prisma explicit proxy can be used for on-Orem servers’ internet sccess?

I have few small sites with two segments: remote networks (for users) and server subnet (which is reachable via service connection from Prisma MU).

i do not have interconnect license neither on-prem proxy to be used.

Do you think it’s possible to use explicit proxy in this case to let servers access the internet with Prisma Access policies?

Kind Regards,

Kasper

Re: Prisma explicit proxy for on-premises servers?

nikoolayy1 — Wed, 16 Apr 2025 05:17:56 GMT

You can but you will need to use kerberos for your servers Kerberos Authentication for Explicit Proxy Deployments as it is what palo alto recommends for authenticating your servers to the prisma access explicit proxy. The supported authentication is the issue by Prisma Access for not web browser users.

Still if that is not an option then you may need to deploy palo alto firewall in one location and maybe steer the outbound server Internet traffic to that location with vpn tunnels to the firewall (2 FW in HA active/standby) as to exit from the firewall after being checked. This way you will not need to deploy firewalls in all locations and as only server updates of the software and apps in most cases will generate internet traffic it shouldn't be that much.

Re: Prisma explicit proxy for on-premises servers?

nikoolayy1 — Wed, 16 Apr 2025 05:28:47 GMT

Also I forgot to mention if you don't want authentication then but just to trust and decrypt the server traffic based on IP addrresses then see the options below but if possible source the server traffic with specific dedicated public ip address:

How Explicit Proxy Identifies Users

Set Up Explicit Proxy

Re: Prisma explicit proxy for on-premises servers?

VTQNetwork — Wed, 16 Apr 2025 10:20:02 GMT

Thank you Nikoolayy1,

I have PAN220 in every site, it's not a problem, but I have no security licenses there.

Thus I do not want to open all traffic from the server to the internet, but use Prisma instead.

Servers will be in the "SC" network, not "RN".

I saw in Palo documents that the connection from LAN to explicit proxy should use RN tunnel.

I'm afraid the kerberos authentication issues - I have no idea what apps will be used on the servers.

At the moment, the only solution I can imagine is web proxy (squid?), in "Prisma RN enabled LAN" and configured on the servers (for apps that supports proxy), and static internet access policies for the ones that does not support it (I would need to know the destination).

Kind Regards,

Kacper

Re: Prisma explicit proxy for on-premises servers?

nikoolayy1 — Thu, 17 Apr 2025 23:56:05 GMT

Sorry but you I think you need to dig dipper and to test things. I also shared that you can use trusted source ip addresses my second post that does not need kerberos, also SPN connection can also host servers as mentioned in Can the internal DNS server be behind SPN not a CAN?