Prisma Access Explicit Proxy mode with GlobalProtect as an agent application. How does it work?

L6 Presenter

Hello,

Just for information, as I have not used Prisma Access with the GlobalProtect agent as an explicit proxy: this is supported, right? I am asking this as I am interested in not pushing the PAC file to every browser but, like the other SWG cloud solutions on the market, using an agent app on the end computer.

Also, for connecting to the Prisma cloud, what kind of tunnel is used if the GlobalProtect agent supports this (maybe an SSL tunnel with pinned certificates or something else), or does each browser need to have Palo Alto plugins?

Also, can the explicit proxy mode work together with the GlobalProtect VPN, for example for the agent to send just web traffic to Prisma Access and the other traffic to the on-prem firewalls? I think this was not supported 2 years ago, but now with Prisma 3.0 maybe it is.

Accepted Solutions

L6 Presenter

From what I read, the Prisma Access Explicit Proxy mode is still not integrated with the GlobalProtect agent, and Microsoft AD GPO policies will be needed to push the PAC file to the user devices:

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-fo...

As Palo Alto is a great product, they just need to add this option to the GlobalProtect agent to push the PAC file settings to the computer system and web browsers, as GlobalProtect can download this from the portal. An option for GlobalProtect to review the PAC file and to auto-exclude domains and destination IP addresses from entering the VPN (split tunnel) based on the PAC file would be nice as well.

Also, the GlobalProtect agent can add a token header when sending the web traffic to Prisma Access, and in this way cookies will not be needed, as many third-party cloud proxy vendors use endpoint agents with some kind of tokens for this, because cookies cause issues with some sites, with other proxy devices in between, or with browser settings and extensions that block the cookies.

Also, if the user is in the office then the on-prem firewall will be used, but when the user is not and connects to Prisma Access for VPN, then GlobalProtect may autodetect this and stop the Prisma Access Explicit Proxy PAC file settings. In this way, with an agent there will be no need to make a GRE/IPsec tunnel from the firewall to Prisma Access if the firewall can't handle the SSL decryption, as the agent will direct the web traffic to Prisma Access using the PAC file even if the VPN is enabled, as some companies use VPN even in the office for security.

I hope Palo Alto will start using the GlobalProtect agent for Prisma Access Explicit Proxy mode and enable Prisma Access VPN and Prisma Access Proxy (for when the user VPN is connected to the on-prem firewalls, or if the user is in the office and GlobalProtect has detected this using host detection DNS) to work together in the future.

2 REPLIES

L6 Presenter

In newer versions of the GlobalProtect agent this seems to have been added, but only when the VPN tunnel is started; then the proxy config is pushed by the Palo Alto agent to the computer.

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-fo...

Maybe in the future, even without a VPN tunnel, the PAC file proxy settings can be pushed, for example for mobile users that connect to the internet using Palo Alto Prisma Access as an explicit proxy, with access to the internal applications based on Clientless VPN and not a full GlobalProtect tunnel.
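Both replies above turn on the same artifact: a PAC file that sends browser traffic to the explicit proxy while keeping internal destinations on the VPN or on-prem path, pushed either by GPO or by the agent. The block below is an added example, not code from this thread or from Palo Alto Networks: it is a PAC file in the ES5 dialect the Windows PAC engine still expects, plus re-implementations of the browser-supplied helpers and a small evaluator so the decisions can be checked with node before the file is pushed anywhere. The proxy endpoint `proxy.example.invalid:8080`, the internal domain names and the sample URLs are placeholders chosen for the example; the real Prisma Access explicit-proxy FQDN is not given on this page.

```javascript
// Added example (not from the page or from Palo Alto Networks): a PAC file for an explicit
// web proxy, with the browser-provided helpers re-implemented so it can be evaluated offline.
// Placeholders (assumptions): the proxy endpoint, the internal domains and the sample URLs.

var PROXY_ENDPOINT = "proxy.example.invalid:8080"; // stands in for the cloud explicit proxy

// --- Helpers normally supplied by the PAC engine. Kept to ES5 (var, no arrow functions):
// --- the WinHTTP/JScript engine that consumes PAC files on Windows does not run modern JS.
function isPlainHostName(host) { return host.indexOf(".") === -1; }

function dnsDomainIs(host, domain) {
  // The stock helper is a plain suffix match, so "corp.example.invalid" would also match
  // "evilcorp.example.invalid". Always pass a leading-dot domain; this version adds it if missing.
  var d = domain.charAt(0) === "." ? domain : "." + domain;
  return host === d.substring(1) || host.substring(host.length - d.length) === d;
}

function shExpMatch(str, shexp) {
  // Shell-style glob: escape regex metacharacters, then map * and ? onto regex.
  var re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&").replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

function ipv4ToInt(ip) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(ip);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var o = parseInt(m[i], 10);
    if (o > 255) return null;
    n = n * 256 + o;
  }
  return n;
}

function isInNet(host, net, mask) {
  // The stock helper resolves hostnames via DNS; here only IPv4 literals are accepted, which is
  // also what you want in a PAC file (a DNS lookup per request is slow and leaks browsing names).
  var h = ipv4ToInt(host), n = ipv4ToInt(net), m = ipv4ToInt(mask);
  if (h === null || n === null || m === null) return false;
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}

// --- The PAC file proper.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();

  // Only web traffic is steered to the proxy; other schemes go direct.
  if (!shExpMatch(url, "http:*") && !shExpMatch(url, "https:*")) return "DIRECT";

  // Single-label names, loopback and RFC 1918 space are internal: never send them to the cloud proxy.
  if (isPlainHostName(host)) return "DIRECT";
  if (isInNet(host, "127.0.0.0", "255.0.0.0") ||
      isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";

  // Internal application domains reached over the VPN / on-prem firewall (placeholder names).
  if (dnsDomainIs(host, ".corp.example.invalid") ||
      shExpMatch(host, "*.intranet.example.invalid")) return "DIRECT";

  // Everything else goes to the explicit proxy. Deliberately no "; DIRECT" fallback: with one,
  // a proxy outage (or an attacker blocking the proxy) silently becomes a bypass of the SWG.
  return "PROXY " + PROXY_ENDPOINT;
}

// --- Evaluator: feed URLs through the PAC the way a browser would (host taken from the URL).
function evaluatePac(urls) {
  var out = {};
  for (var i = 0; i < urls.length; i++) {
    var u = new URL(urls[i]); // Node's WHATWG parser; in a browser the PAC engine does this
    out[urls[i]] = FindProxyForURL(urls[i], u.hostname);
  }
  return out;
}

// Constructed sample URLs for a sanity run (not from the page).
var SAMPLE_URLS = [
  "https://www.example.com/",
  "https://portal.corp.example.invalid/app",
  "https://wiki.intranet.example.invalid/",
  "https://evilcorp.example.invalid/",   // suffix-trap probe: must NOT be treated as internal
  "http://10.1.2.3/admin",
  "http://intranet/",
  "ftp://files.example.com/pub"
];

if (typeof require !== "undefined" && require.main === module) {
  var decisions = evaluatePac(SAMPLE_URLS);
  Object.keys(decisions).forEach(function (u) { console.log(u + " -> " + decisions[u]); });
}
```

Run it with `node pac-check.js` before handing the file to a GPO or to the agent; the two decisions worth eyeballing are the suffix-trap probe (it must go to the proxy) and the absence of a `DIRECT` fallback on the last return, which is the fail-closed choice you want for a security proxy.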
