topic Prisma access palo alto privileged remote access (PRA) adding an app in General Topics

Prisma access palo alto privileged remote access (PRA) adding an app

heyheyyoyojj — Wed, 26 Feb 2025 11:24:59 GMT

Hi all,

is it possible to add an application for PRA by making use of Wildcard FQDN or IP subnet range?

Re: Prisma access palo alto privileged remote access (PRA) adding an app

Mudhireddy — Wed, 26 Feb 2025 13:05:47 GMT

Yes, it is possible to add an application for Prisma Remote Access (PRA) by using Wildcard FQDN or IP subnet range, but the approach depends on the specific configuration and security policies in place.

Options for Defining Applications in PRA:
Wildcard FQDN (Fully Qualified Domain Name)

PRA allows the use of wildcard FQDNs to define applications when domain-based policies are required.
Example: *.example.com can be used to match any subdomain under example.com.
This is useful when the application has dynamic subdomains that are difficult to list individually.
IP Subnet Range

Instead of defining individual IPs, you can specify a subnet (e.g., 192.168.1.0/24) to include multiple IP addresses within that range.
This method works well for applications hosted in a known range of IP addresses.

Re: Prisma access palo alto privileged remote access (PRA) adding an app

heyheyyoyojj — Wed, 26 Feb 2025 13:53:30 GMT

Hi Suresh,

thanks for the swift response.

May I know what will be the user experince or User interface look like if I use wildcard fqdn(*Suresh.com)

is it like user once logged in the pra portal, they can have a box to type in the requested fqdn (abc.Suresh.com)?

thank you

Re: Prisma access palo alto privileged remote access (PRA) adding an app

Mudhireddy — Wed, 02 Apr 2025 05:26:59 GMT

If you configure a wildcard FQDN (*.suresh.com) for an application in Prisma Access Remote Access (PRA), the user experience (UX) will depend on how the access is set up. Here’s how it typically works:

1. User Login to the PRA Portal
The user logs into the PRA portal using their credentials (e.g., SSO, username/password).

After authentication, they will land on the PRA App Portal.

2. Application Access with Wildcard FQDN
Scenario 1: If the Wildcard FQDN is Used for an Application
When an app is added with a wildcard FQDN (*.suresh.com), users will NOT see a manual text box to enter a subdomain.

Instead, the available applications will be displayed as icons/links on the PRA App Portal.

If multiple subdomains exist (e.g., abc.suresh.com, xyz.suresh.com), these need to be explicitly added as separate apps in the portal for users to see them.

User Experience:

The user clicks on an app in the portal (e.g., app1.suresh.com) and is redirected.

If wildcard FQDNs are used for internal routing, users will be able to access abc.suresh.com, xyz.suresh.com, etc., but they won’t have an input box to enter their own subdomain.

Scenario 2: If Using a Wildcard FQDN in Security Policies
If the wildcard FQDN is used in Security Policies, it applies to all matching subdomains.

The user will not notice any UI change but will experience access control based on policy rules.

3. Can Users Enter a Custom FQDN (abc.suresh.com)?
No, PRA does not provide a manual input box for users to enter a custom subdomain dynamically.

However, if you configure a generic internal web portal that allows users to enter a subdomain manually, they could enter abc.suresh.com and be redirected.

Final Summary
Feature Wildcard FQDN (*.suresh.com)
UI Experience No manual input box; users see predefined app links
Access Behavior Users can access multiple subdomains if configured
Dynamic Subdomain Entry Not supported directly in PRA Portal
Security Policy Controls access to all matching subdomains