07-01-2021 05:31 AM - edited 07-01-2021 08:06 AM
When using Prisma Access and on-premise devices, can you do something like per app_process/domain/destination_ip gateway selection (some traffic to be sent to the gateways, other traffic to the Prisma cloud)? What I mean by this is to do something like a split tunnel for the traffic, but instead for the excluded applications to be sent directly to the Internet, to the Prisma cloud (sounds like a double VPN, or, if possible, to send traffic to the Prisma cloud without a VPN just for web filtering)?
My idea is that for an office it is easier to send the corporate traffic to the on-premise gateways, as after users authenticate on the firewalls with their Microsoft Active Directory accounts they will have corporate access to the internal environment, but web traffic like Facebook etc. can go to the Prisma cloud for web filtering without going through the on-premise gateways.
Edit:
I found out that in Prisma Access 2.0 Explicit Proxy is supported as an access method, but can the two methods, GlobalProtect and Explicit Proxy, be combined? First to establish a VPN, for example to the on-premise firewalls, and then to split the tunnel, but the traffic excluded from the tunnel not to be sent directly to the Internet but to the Prisma cloud using the PAC file. Is this possible?
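As an added illustration of the split the question describes (not code from the original post, from Palo Alto, or from Prisma Access), a PAC file that keeps corporate destinations on the tunnel with DIRECT and hands everything else to an explicit proxy. The proxy host name, the corp.example domain and the address ranges are constructed placeholders, and the PAC helper functions are minimal stand-ins so the logic can be run in Node.js.

```javascript
// Added example: PAC file implementing the split from the post.
// Corporate destinations return "DIRECT" (reached through the GlobalProtect
// tunnel to the on-premise gateway); everything else is sent to the explicit
// proxy for web filtering. All names and ranges are constructed placeholders.
var PRISMA_EXPLICIT_PROXY = "PROXY proxy.example-prisma-access.invalid:8080";

// Minimal stand-ins for the helpers a browser's PAC engine normally supplies,
// so FindProxyForURL can be exercised offline in Node.js.
function dnsDomainIs(host, domain) {
  return host.slice(-domain.length) === domain;
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d+$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}
// Only literal IPv4 hosts are matched here; a browser would also resolve names.
function isInNet(host, pattern, mask) {
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);   // >>> 0 keeps values unsigned
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names and the corporate domain stay on the tunnel.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) return "DIRECT";
  // RFC 1918 space is reached over the tunnel to the on-premise gateway.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // Everything else (e.g. facebook.com) is excluded from the tunnel and sent
  // to the cloud proxy. Appending "; DIRECT" here would fail open and let
  // traffic bypass filtering whenever the proxy is unreachable, so it is omitted.
  return PRISMA_EXPLICIT_PROXY;
}
```

The PAC file only steers traffic; it does not solve the separate authentication question raised later in the thread, since the explicit proxy still has to identify the user on its own.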
08-05-2021 03:07 AM
After talks with Palo Alto, it seems that in the future, if the GlobalProtect app is used for VPN to Prisma Access and a PAC file is also used for web filtering with Prisma Access, then there will be seamless authentication (after authenticating the VPN connection to Prisma Access there will be no need to authenticate the Explicit Proxy connection). But if the GlobalProtect app is used for the VPN connection to local on-premise gateways and a PAC file is used for the Explicit Proxy connection, then the user will need to enter their credentials two times (once for the VPN and once with SAML for the Explicit Proxy). This seems cumbersome to me, as many proxy vendors use their agents to share the user's Windows SSO credentials with the cloud-based explicit proxy services, so it should be possible to do.