Prisma access palo alto privileged remote access (PRA) adding an app


L0 Member

Hi all,

 

Is it possible to add an application for PRA by making use of a wildcard FQDN or an IP subnet range?

3 REPLIES

L4 Transporter

Yes, it is possible to add an application for Prisma Remote Access (PRA) by using Wildcard FQDN or IP subnet range, but the approach depends on the specific configuration and security policies in place.

Options for Defining Applications in PRA:

Wildcard FQDN (Fully Qualified Domain Name)

  • PRA allows the use of wildcard FQDNs to define applications when domain-based policies are required.
  • Example: *.example.com can be used to match any subdomain under example.com.
  • This is useful when the application has dynamic subdomains that are difficult to list individually.

IP Subnet Range

  • Instead of defining individual IPs, you can specify a subnet (e.g., 192.168.1.0/24) to include multiple IP addresses within that range.
  • This method works well for applications hosted in a known range of IP addresses.

Best Regards,
Suresh
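
To see how much a wildcard FQDN or subnet definition would expose before adding it, this added example (not from the thread or from Palo Alto Networks) checks a constructed host inventory against each definition. The wildcard semantics (any depth of subdomain, bare domain excluded), the hostnames, the IPs and the function names are assumptions, not documented PRA behavior.

```python
import ipaddress

# Constructed inventory: (hostname, IP, intended to be reachable through PRA?)
INVENTORY = [
    ("jump01.example.com", "192.168.1.10", True),
    ("db01.example.com", "192.168.1.20", True),
    ("hr-payroll.example.com", "192.168.1.77", False),
    ("printer.corp.example.com", "192.168.1.200", False),
    ("example.com", "192.168.2.5", False),
    ("intranet-example.com", "192.168.3.9", False),
    ("build.example.net", "10.0.0.8", False),
]

def fqdn_matches(pattern, host):
    """Exact FQDN match, or '*.domain' matching any subdomain (assumed semantics)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        # Keep the leading dot so 'intranet-example.com' does not match '*.example.com'.
        return host.endswith(pattern[1:])
    return host == pattern

def in_scope(definition, host, ip):
    """True if an app definition (FQDN, wildcard FQDN or CIDR) covers the host."""
    try:
        net = ipaddress.ip_network(definition, strict=False)
    except ValueError:
        return fqdn_matches(definition, host)  # not a CIDR, treat as FQDN
    return ipaddress.ip_address(ip) in net

def audit(definitions, inventory=INVENTORY):
    """Hosts covered by the definitions that were NOT meant to be reachable."""
    return sorted(
        host for host, ip, intended in inventory
        if not intended and any(in_scope(d, host, ip) for d in definitions)
    )

if __name__ == "__main__":
    for defs in (["jump01.example.com", "db01.example.com"],
                 ["*.example.com"], ["192.168.1.0/24"], ["192.168.1.0/27"]):
        print(defs, "-> unintended exposure:", audit(defs))
```

An empty result means the definition covers only hosts marked as intended; any hostname listed is extra reach that a narrower definition or a security policy rule would need to close.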

Hi Suresh,

 

Thanks for the swift response.

May I know what the user experience or user interface will look like if I use a wildcard FQDN (*Suresh.com)?

Is it that once a user has logged in to the PRA portal, they get a box to type in the requested FQDN (abc.Suresh.com)?

Thank you

If you configure a wildcard FQDN (*.suresh.com) for an application in Prisma Access Remote Access (PRA), the user experience (UX) will depend on how the access is set up. Here’s how it typically works:

1. User Login to the PRA Portal

The user logs into the PRA portal using their credentials (e.g., SSO, username/password).

After authentication, they will land on the PRA App Portal.

2. Application Access with Wildcard FQDN

Scenario 1: If the Wildcard FQDN is Used for an Application

When an app is added with a wildcard FQDN (*.suresh.com), users will NOT see a manual text box to enter a subdomain.

Instead, the available applications will be displayed as icons/links on the PRA App Portal.

If multiple subdomains exist (e.g., abc.suresh.com, xyz.suresh.com), these need to be explicitly added as separate apps in the portal for users to see them.

User Experience:

The user clicks on an app in the portal (e.g., app1.suresh.com) and is redirected.

If wildcard FQDNs are used for internal routing, users will be able to access abc.suresh.com, xyz.suresh.com, etc., but they won’t have an input box to enter their own subdomain.

Scenario 2: If Using a Wildcard FQDN in Security Policies

If the wildcard FQDN is used in Security Policies, it applies to all matching subdomains.

The user will not notice any UI change but will experience access control based on policy rules.

3. Can Users Enter a Custom FQDN (abc.suresh.com)?

No, PRA does not provide a manual input box for users to enter a custom subdomain dynamically.

However, if you configure a generic internal web portal that allows users to enter a subdomain manually, they could enter abc.suresh.com and be redirected.

Final Summary

| Feature | Wildcard FQDN (*.suresh.com) |
|---|---|
| UI Experience | No manual input box; users see predefined app links |
| Access Behavior | Users can access multiple subdomains if configured |
| Dynamic Subdomain Entry | Not supported directly in PRA Portal |
| Security Policy | Controls access to all matching subdomains |

Best Regards,
Suresh