Prisma Access: Explicit Proxy


Traffic Flow

[Traffic flow diagram]

General Configuration

1. Install WitnessAI Root Certificate

  1. Select Manage → Configuration → NGFW and Prisma Access → Objects → Certificate Management. Select the Prisma Access configuration scope.
  2. Click Import to import the WitnessAI proxy certificate provided by the Account Team, select Trusted Root CA, and Save.

2. Setup EDL Certificate Profile

  1. The certificate will be provided by the Account Team.
  2. Go to Objects → Certificate Management and click Import.
  3. Name the certificate Witness-AI-CA and upload the CA certificate by clicking Browse.
  4. Go to Objects → Certificate Management → Certificate Profiles and click Add Profile.
  5. Name the profile Witness-AI-CP and click the Add button under CA Certificates.
  6. Select the Witness-AI-CA certificate and Save.
  7. Use this certificate profile for the EDL configuration.

3. Create External Dynamic Lists

This section covers creating the WitnessForwardURLList, the external dynamic list of LLM URLs whose traffic must be forwarded to WitnessAI.
  1. Select Manage → Configuration → NGFW and Prisma Access → Objects → External Dynamic List. Select the Prisma Access configuration scope.
  2. Click Add External Dynamic List and enter the following configuration:
     1. Name → WitnessForwardURLList
     2. Type → URL List
     3. Source → https://api.[tenantID].[region].witness.ai/v1/edls/urllist.txt
     4. Certificate Profile → Witness-AI-CP
     5. Check for Updates → Every Five Minutes, and Save

4. HTTP Header Insertion

Configure HTTP Header Insertion to insert the user's email address in the X-Authenticated-User header before the traffic is forwarded to the WitnessAI proxy.
  1. Select Manage → Configuration → NGFW and Prisma Access → Security Services → HTTP Header Insertion. Select the Prisma Access configuration scope.
  2. Click Add Profile and set the following:
     1. Name → X-Auth-User
  3. Click Add Rule and set the following:
     1. Name → X-Auth-User Header
     2. Type → Dynamic Fields
     3. Domain → *
     4. Add Headers → X-Authenticated-User
     5. Value → ($user)@($domain)
     6. Tick the Log box and Save

5. URL Access Management

This ensures that URL filtering logs are created for any traffic matching the WitnessForwardURLList EDL.
  1. Select Manage → Configuration → NGFW and Prisma Access → Security Services → URL Access Management. Select the Prisma Access configuration scope.
  2. Click Add Rule and set the following:
     1. Name → WitnessAI_allow
     2. Under External Dynamic Lists, select WitnessForwardURLList and change Site Access to alert.

6. Profile Groups

Attach the HTTP Header Insertion profile and the URL Access Management profile to a Profile Group.
  1. Select Manage → Configuration → NGFW and Prisma Access → Security Services → Profile Groups. Select the Prisma Access configuration scope.
  2. Click Add Rule and set the following:
     1. Name → WitnessAI PG
     2. Under URL Access Management Profile, select WitnessAI_allow
     3. Under HTTP Header Insertion Profile, select X-Auth-User and Save

7. Security Policy

i. Create Security Policy to block Quic

QUIC is a Google-developed protocol that carries web connections over UDP; it limits the firewall's visibility and its ability to analyze traffic and apply security actions. Blocking it forces browsers to fall back to TCP-based HTTPS, which the decryption and header-insertion steps below depend on.
If QUIC is not already blocked, perform the following steps.
  1. Select Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy. Select the Prisma Access configuration scope.
  2. Click Add Rule → Security Rule (Pre Rule) and set the following. Pre-rules are global rules that take precedence over deployment-specific rules and are applied to traffic first.
     1. Name → Quic Block
     2. Source Zone → trust
     3. Destination Zone → untrust
     4. Application → quic
     5. Action → Deny and Save

ii. Create Security Policy for allowing traffic to WitnessAI Proxy.

Attach the WitnessAI PG profile group to this policy. The rule inserts the HTTP header and generates URL filtering logs for traffic towards WitnessForwardURLList.
  1. Select Manage → Configuration → NGFW and Prisma Access → Security Services → Security Policy. Select the Prisma Access configuration scope.
  2. Click Add Rule → Security Rule (Pre Rule) and set the following:
     1. Name → WitnessAI_Allow
     2. Source Zone → trust
     3. Destination Zone → untrust
     4. URL Category → WitnessForwardURLList
     5. Profile Group → WitnessAI PG
     6. Action → Allow and Save

8. Create Decryption Profile & Policy

  1. Select Manage → Configuration → NGFW and Prisma Access → Security Services → Decryption. Select the Prisma Access configuration scope.
  2. Click Add Profile and set the following:
     1. Decryption Profile Name → Witness-Decrypt Profile
     2. SSL/TLS Decryption Advanced → Enable Strip ALPN
        The Palo Alto firewall supports header insertion for HTTP/1.x traffic only; it does not support header insertion for HTTP/2 traffic. Stripping ALPN removes the HTTP/2 offer from the TLS handshake, so the session negotiates HTTP/1.x and the X-Authenticated-User header can be inserted.
     3. SSL/TLS Decryption → set Protocol Min Version to TLSv1.0 and Protocol Max Version to Max, and Save
  3. Create a new Decryption Policy to decrypt the WitnessForwardURLList URL category. Make sure it is placed above the 'O365-Best-Practice' rule and any other SSL decryption bypass rules.
  4. Click Add Rule and set the following:
     1. Name → WitnessAI_Decrypt
     2. Source Zone → trust
     3. Destination Zone → untrust
     4. URL Category Entities → WitnessForwardURLList
     5. Action → Decrypt
     6. Type → SSL Forward Proxy
     7. Decryption Profile → WitnessAI_Decrypt Profile

Explicit Proxy Configuration

1. Create a Forwarding Profile

Explicit Proxy Forwarding Profiles let you use PAC files to define which traffic is forwarded to Prisma Access.
Select Workflows → Prisma Access Setup → Explicit Proxy Setup → Forwarding Rules → Forwarding Profiles Setup → Add Forwarding Profile → GlobalProtect Proxy
  1. Name → Explicit Proxy
  2. PAC File Upload → Enable
  3. Select Upload New PAC File to upload an existing PAC file. After Save, the Prisma-hosted PAC URL is displayed.
Note: The Account Team will provide the WitnessAI PAC. Customers using an existing PAC file must incorporate the LLM domain logic from the WitnessAI PAC so that LLM traffic is routed through the WitnessAI proxy.
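To illustrate the kind of LLM domain logic a customer merges into an existing PAC file, here is an added example written for this page; it is not the WitnessAI-provided PAC. The proxy addresses and the domain list are constructed placeholders, and the `dnsDomainIs`/`isPlainHostName` stand-ins only exist so the file also runs outside a PAC engine.

```javascript
// Stand-ins for helpers that a browser or GlobalProtect PAC engine provides;
// included so the logic can be exercised under Node.js.
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host === domain.replace(/^\./, "") || host.endsWith(domain);
}
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// Placeholder for the WitnessAI proxy endpoint (constructed, not a real address).
// Deliberately no "; DIRECT" fallback: if the proxy is unreachable, LLM traffic
// fails closed instead of silently bypassing inspection.
var WITNESS_PROXY = "PROXY witness-proxy.example.invalid:8080";

// Constructed sample of LLM domains. In production the list comes from the
// WitnessAI PAC and mirrors the WitnessForwardURLList EDL.
var LLM_DOMAINS = [".openai.com", ".anthropic.com", ".gemini.google.com"];

// The customer's pre-existing rule, retained for all non-LLM traffic
// (constructed placeholder for an existing corporate proxy with DIRECT fallback).
var EXISTING_RULE = "PROXY corp-proxy.example.invalid:3128; DIRECT";

function FindProxyForURL(url, host) {
  // Intranet hosts never leave the network.
  if (isPlainHostName(host)) {
    return "DIRECT";
  }
  // LLM domains are steered to the WitnessAI proxy before any other rule.
  for (var i = 0; i < LLM_DOMAINS.length; i++) {
    if (dnsDomainIs(host, LLM_DOMAINS[i])) {
      return WITNESS_PROXY;
    }
  }
  return EXISTING_RULE;
}
```

When merging, keep the LLM check ahead of any broad "return DIRECT" rules in the existing PAC, otherwise those rules win and the traffic never reaches the proxy.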

2. Attach Forwarding Profiles to GlobalProtect App Configuration

Select Workflows → Prisma Access Setup → GlobalProtect → GlobalProtect App → App Settings → Show Advanced Options
  1. Agent Mode for Prisma Access → Tunnel and Proxy
  2. Forwarding Option → Forwarding Profiles
  3. Forwarding Profiles → select the Explicit Proxy profile created earlier, and Save
Note: Customers also have the option to host a custom PAC file on any publicly accessible server (e.g., Amazon S3).

3. Push Config

The last step is to push the changes to the Prisma Gateways. Click Push to enable the configuration changes made.