Prisma Access
Learn about compatibility information for Prisma™ Access. The following topics provide support information for Prisma™ Access:
What Features Does Prisma Access Support?
Prisma® Access helps you to deliver consistent security to your remote networks and mobile users. There are two ways that you can deploy and manage Prisma Access:
- Cloud Managed Prisma Access—If you aren't using Panorama™ to manage firewalls, the Prisma Access app on the hub gives you a simplified way to onboard and manage Prisma Access.
- Panorama Managed Prisma Access—If you already use Panorama to manage your next-generation firewalls, you can use Panorama to deploy Prisma Access and reuse your existing configurations. You need the Cloud Services plugin to use Panorama for Prisma Access.
The features and IPSec parameters that Prisma Access supports depend on the management interface you use (Panorama or the Prisma Access app). You cannot switch between the management interfaces after you activate your Prisma Access license, so you must decide how you want to manage Prisma Access before you begin setting up the product. Review the Prisma Access Feature Support information to help you select your management interface.
For a description of the features supported in GlobalProtect™, see the features that GlobalProtect supports.
Prisma Access Feature Support
The following sections provide you with the supported features and network settings
for Prisma Access (both Panorama Managed and Cloud Managed).
Management
Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
---|---|---|
Default Configurations. Default settings enable you to get started quickly and securely. | √ Examples include: | — |
Built-in Best Practice Rules. So you're as secure as possible, enable your users and applications based on best practice templates. With best practices as your basis, you can then refine policy based on your enterprise needs. | √ Features with best practice rules include: | — |
Onboarding Walkthroughs for First-Time Setup | Guided walkthroughs include: | — |
Centralized Management Dashboards. Can include Best Practice scores and usage information. | √ Dashboards are available for features including: | — |
Hit Counts | √ Hit counts for security profiles include counts that measure the profile's effectiveness, and these can depend on the profile (for example, unblocked critical and high severity vulnerabilities, or WildFire submission types). | |
Policy Rule Usage | √ | |
Remote Networks
Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
---|---|---|
IPSec Tunnels. Review the list of supported IKE cryptographic parameters. FQDNs for peer IPSec addresses are not supported; use an IP address for the peer address instead. | √ | √ |
Tunnel Monitoring | | |
Dead Peer Detection (DPD) | √ | √ |
ICMP | √ | √ |
Bidirectional Forwarding Detection (BFD) | — | — |
Service Connections
Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
---|---|---|
IPSec Tunnels. Review the list of Supported IKE Cryptographic Parameters. | √ | √ FQDNs for peer IPSec addresses are not supported; use an IP address for the peer address instead. |
Tunnel Monitoring | | |
Dead Peer Detection (DPD) | √ | √ |
ICMP | √ | √ |
Bidirectional Forwarding Detection (BFD) | — | — |
Traffic Steering (using policy-based forwarding rules to forward internet-bound traffic to service connections) | Introduced in 1.7. |
Mobile Users—GlobalProtect
Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
---|---|---|
Using On-Premise Gateways (Hybrid Deployments) | | |
On-premise gateway integration with Prisma Access | √ | √ Using on-premise gateways with Prisma Access gateways is supported. |
Priorities for Prisma Access and On-Premise Gateways | √ | √ Supported for deployments that have on-premise GlobalProtect gateways. You can set a priority separately for on-premise gateways and collectively for all gateways in Prisma Access. You can also specify source regions for on-premise gateways. |
Manual Gateway Selection. Users can manually select a cloud gateway from their client machines using the GlobalProtect app. | | |
GlobalProtect Gateway Modes | | |
External Mode | √ | √ |
Internal Mode | √ Introduced in 5.1 Innovation. If you are running a version below 5.1 Innovation, you can add one or more on-premise gateways and configure them as internal gateways. | √ Introduced in 5.1 Innovation. If you are running a version below 5.1 Innovation, you can add one or more on-premise gateways and configure them as internal gateways. |
GlobalProtect App Connect Methods | | |
User-Logon (always on) | √ | √ |
Pre-Logon (always on) | √ | √ |
Pre-Logon (then on-demand) | √ | √ |
On-Demand | √ | √ |
Clientless VPN | | |
Mobile User—GlobalProtect Features | | |
MDM Integration with HIP. Prisma Access does not support AirWatch MDM HIP service integration; however, you can use the GlobalProtect App for iOS and Android MDM Integration for HIP-Based Policy Enforcement. | √ | √ |
DHCP. Prisma Access uses the IP address pools you specify during mobile user setup to assign IP addresses to mobile users and does not use DHCP. | — | — |
GlobalProtect App Version Controls | √ One-click configuration for GlobalProtect agent log collection | |
Mobile Users—Explicit Proxy
Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
---|---|---|
Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security | Introduced in 4.0 Preferred with GlobalProtect app version 6.2. | Introduced in 4.0 Preferred with GlobalProtect app version 6.2. |
Security Services
Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
---|---|---|
Security Policy | √ | √ |
SaaS Application Management | Supported for: | — |
IoT Security | √ | √ |
Security Profiles | | |
Supported Profile Types | √ | √ |
Dashboards for Security Profiles | Dashboards are tailored to each profile, and give you: | — |
 | √ | √ HTTP response pages are supported for mobile users and users at remote networks. To use HTTPS response pages, open a CLI session on the Panorama that manages Prisma Access, enter the command set template Mobile_User_Template config deviceconfig setting ssl-decrypt url-proxy yes in configuration mode, and commit your changes. |
HTTP Header Insertion | | |
Decryption | | |
SSL Forward Proxy | √ | √ |
SSL Inbound Inspection | — | √ |
SSH Proxy | — | √ |
Guided Walkthrough: Turn on Decryption | √ | — |
Network Services
Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
---|---|---|
Network Services | | |
QoS. Prisma Access uses the same QoS policy rules and QoS profiles and supports the same Differentiated Services Code Point (DSCP) markings as Palo Alto Networks next-generation firewalls. | √ | √ QoS for remote network deployments that allocate bandwidth by compute location is introduced in 3.0 Preferred. |
Application Override | √ | √ |
IPv4 Addressing | √ | √ |
IPv6 Addressing. Introduced in 2.2 Preferred. | √ | √ |
Split Tunnel Based on Access Route | √ | √ |
Split Tunnel Based on Destination Domain, Client Process, and Video Streaming Application | √ | √ |
NetFlow | — | — |
NAT. Prisma Access automatically manages outbound NAT; you cannot configure the settings. | √ | √ |
SSL VPN Connections | √ | √ |
Routing Features | | |
Static Routing | √ | √ |
Dynamic Routing (BGP) | √ | √ |
Dynamic Routing (OSPF) | — | — |
High Availability | | |
SMTP | √ Prisma Access may block SMTP port 25 for security reasons and to mitigate the risk from known vulnerabilities that exploit non-secure SMTP. Palo Alto Networks recommends using ports 465 or 587, or the alternate port 2525, for SMTP. | √ Prisma Access may block SMTP port 25 for security reasons and to mitigate the risk from known vulnerabilities that exploit non-secure SMTP. Palo Alto Networks recommends using ports 465 or 587, or the alternate port 2525, for SMTP. |
Identity Services
Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
---|---|---|
Authentication Types | | |
SAML | √ | √ |
 | √ Requires 3.0 Innovation or a later Innovation release. | √ Requires 3.0 Innovation or a later Innovation release. |
TACACS+ | √ | √ |
RADIUS | √ | √ |
Local Database Authentication | √ | √ |
Authentication Features | | |
Authentication Rules | √ | √ |
Authentication Portal | √ | √ |
 | √ Supported for both IPSec and mobile users with GlobalProtect. | √ Supported for both IPSec and mobile users with GlobalProtect. |
Single Sign-On (SSO) | √ | √ |
 | √ Supported for the following platforms: A maximum of 400 TS Agents are supported. | √ Supported for the following platforms: A maximum of 400 TS Agents are supported. |
Cloud Identity Engine (Directory Sync Component) | | |
Directory Sync for User and Group-Based Policy | √ You can retrieve user and group information using the Directory Sync component of the Cloud Identity Engine. Prisma Access supports on-premises Active Directory, Azure Active Directory, and Google IdP. Introduced in 1.6. Support for Azure Active Directory introduced in 2.0 Preferred. Support for Google IdP introduced in 3.0 Preferred and Innovation. | |
Identity Redistribution | √ | √ |
Ingestion of IP-address-to-username mappings from 3rd party integration (NAC) | — | √ |
 | √ | √ Introduced in 1.7. Requires Panorama running PAN-OS 9.1.1 or a later supported PAN-OS version. |
Policy Objects
Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
---|---|---|
Addresses | √ | √ |
Address Groups | √ | √ |
Dynamic Address Groups (DAGs) and Auto-Tags | √ | √ |
XML API-Based DAG Updates | — | √ |
Regions | √ | √ |
App-ID (Applications) | √ | √ |
 | √ | — Commit warnings are not supported for Prisma Access. |
Application Groups | √ | √ |
Application Filters | √ | √ |
Services | √ | √ |
Service Groups | √ | √ |
Tags | √ | √ |
 | √ | √ Introduced in 1.7. Requires Panorama running PAN-OS 9.1.1 or a later supported PAN-OS version. |
Auto-Tag Actions | √ | √ |
HIP Objects | | |
HIP-Based Security Policy | √ | √ |
HIP Report Submission | √ | √ |
HIP Report Viewing | — | √ Introduced in 1.5. |
HIP Objects and Profiles | √ | √ |
Certificate Management | | |
Custom Certificates | √ | √ |
Palo Alto Networks Issued Certificates | √ | √ |
Certificate Profiles | √ | √ |
Custom Certificates | √ | √ |
SSL/TLS Service Profiles | √ | √ |
SSL. SSL is supported only for Mobile Users, not for site-to-site VPNs. | √ | √ |
SCEPs | √ | √ |
OCSP Responders | √ | √ |
Default Trusted Certificate Authorities | √ | √ |
Logs
Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
---|---|---|
Strata™ Logging Service (formerly Cortex™ Data Lake) Log Storage | √ | √ |
Forward logs stored in Strata Logging Service to syslog and email destinations | √ | √ |
Enhanced Mobile Users Visibility for Administrators (GlobalProtect logs) | √ | √ Introduced in 1.7. Requires Panorama 9.1.1 or a later version. If you use Panorama running a 9.0 version, you can still see traffic and HIP logs from Panorama, but you need to use the Explore app from the Hub to see the remaining logs. |
Reports
Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
---|---|---|
App Report | This feature has the following Strata Logging Service-based limitation: in the SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage), the Include user group information in the report choice is not supported. | |
Best Practices Report | √ | √ |
WildFire Reports | √ | √ Supported starting 2.0 Innovation. |
Integration with Other Palo Alto Networks Products
Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
---|---|---|
Cortex XSOAR integration | — | √ Source IP-based allow lists and malicious user activity detection are supported. |
Cortex XDR integration | √ Prisma Access is compatible with the Cortex XDR version of Strata Logging Service. Cortex XDR receives Prisma Access log information from Strata Logging Service (formerly Cortex Data Lake). | √ Prisma Access is compatible with the Cortex XDR version of Strata Logging Service. Cortex XDR receives Prisma Access log information from Strata Logging Service (formerly Cortex Data Lake). |
Prisma SaaS integration | √ SaaS visibility with Strata Logging Service is supported. | √ SaaS visibility with Strata Logging Service is supported. |
Multitenancy Unsupported Features and Functionality
The following Prisma Access (Panorama managed) features are not supported in a multitenant deployment:
In addition, a Panorama Managed multitenant deployment has changes to the following
functionality:
- You cannot view your Panorama Managed tenants under Common Services: Tenant Management.
- For Panorama-managed Prisma Access, continue to use Panorama to manage Prisma Access and the admin access that is controlled locally on Panorama. You cannot manage users, roles, and service accounts using Common Services: Identity and Access for Panorama-managed Prisma Access. However, you can use Common Services: Identity and Access to manage other apps such as ADEM and Insights.
- You cannot use the Prisma Access APIs in pan-dev.
The following Prisma Access components and add-ons have the following caveats when
used in a multitenant deployment:
- For Prisma Access—Explicit Proxy deployments, if you have an existing Prisma Access non-multitenant deployment and convert it to a multitenant deployment, only the first tenant (the tenant you migrated) supports Explicit Proxy. Any subsequent tenants you create for the multitenant deployment after the first do not support Explicit Proxy.
- SaaS Security and Enterprise Data Loss Prevention (Enterprise DLP) support multitenancy with the following restrictions:
- Only a Superuser on Panorama can create DLP profiles and patterns and can associate DLP profiles to security policies for tenants.
- A Superuser must commit all changes to Panorama whenever they make changes in DLP profiles and patterns.
- All tenants share a single copy of profiles and pattern configurations; therefore, any changes done to them will be reflected across all tenants.
- Since security policies can be different across tenants, each tenant can have different data filtering profiles associated with security policies.
- Prisma SD-WAN integration and Configuring multiple portals in Prisma Access can only be used with one tenant per multitenant deployment.
- If you enable High Availability (HA) with active and passive Panorama appliances in a multi-tenant deployment, you cannot change the HA pair association after you enable multi-tenancy.
Prisma Access and Panorama Version Compatibility
This section provides you with the minimum and maximum versions of Panorama™ to use
with Prisma™ Access, along with the end-of-service (EoS) dates for Panorama software
versions with Prisma Access.
Minimum Required Panorama Software Versions
The Cloud Services plugins require the following minimum Panorama™ software versions.
Due to the fast-paced release cycle for Prisma Access and the Cloud Services plugin, the software end-of-support (EoS) dates for Panorama appliances that manage Prisma Access differ from the software end-of-life (EoL) dates for PAN-OS and Panorama releases. These exceptions apply only to Panorama version compatibility with Prisma Access.
Cloud Services Plugin Version | Minimum Required Panorama Version |
---|---|
5.1 Preferred and Innovation | |
4.0, 4.1, and 4.2 Preferred; 5.0 and 5.0.1 Preferred and Innovation | For Panorama versions supported and required for FedRAMP deployments, see Prisma Access FedRAMP Requirements. |
3.2.1 Preferred | |
3.2.1 Innovation | |
3.2 Preferred | For Panorama versions supported and required for FedRAMP deployments, see Prisma Access FedRAMP Requirements. |
3.2 Innovation | |
3.1 Preferred | |
3.1 Innovation | PAN-OS 10.2.3 or a later PAN-OS 10.2 version, or PAN-OS 10.1.3 or a later PAN-OS 10.1 version. If you use a PAN-OS 10.1 version, upgrade to PAN-OS 10.1.4 or a later PAN-OS 10.1 version to pick up the fix for CYR-19816, which resolves a known issue found in earlier PAN-OS 10.1 versions. |
3.0 | For Panorama versions supported and required for FedRAMP deployments, see Prisma Access FedRAMP Requirements. |
2.2 Preferred | For Panorama versions supported and required for FedRAMP deployments, see Prisma Access FedRAMP Requirements. |
End-of-Support (EoS) Dates for Panorama Software Version Compatibility with Prisma
Access
When Prisma™ Access upgrades its infrastructure and dataplane after a major release,
the upgrades can become incompatible with earlier Panorama™ versions. Because of the
fast-paced release of Prisma Access and the Cloud Services plugin, the software
compatibility end-of-support (EoS) dates for Panorama can differ from the software
end-of-life dates for Panorama releases and apply to Panorama version compatibility
with Prisma Access only.
If the Panorama appliance that manages Prisma Access is running a software version
that is incompatible (not supported) with the upgrades, you must upgrade Panorama to
a compatible version to take full advantage of the capabilities of the
infrastructure and dataplane upgrades. It is our goal to make this process as
seamless as possible and, for this reason, we make every effort to provide you with
adequate notice of Panorama and Prisma Access version compatibility
requirements.
Use the dates in the following table to learn when a Panorama software version that
manages Prisma Access is no longer compatible with Prisma Access so that you can
plan an upgrade to a supported version prior to the EoS date.
To find the latest EoS compatibility information for your Panorama software with Prisma Access, log in to the Panorama appliance that manages Prisma Access, select Panorama > Cloud Services > Configuration > Service Setup, and view the Panorama Alert information. (See Notifications and Alerts for Panorama, Cloud Services Plugin, and PAN-OS Dataplane Versions for details.)
Panorama Software Version | EoS Dates for Prisma Access Deployments |
---|---|
PAN-OS 10.0 | March 1, 2023 |
PAN-OS 9.1 | August 1, 2022. Before this date, you must upgrade your Panorama to PAN-OS 10.1 or a later PAN-OS version that is supported with Prisma Access. PAN-OS 10.1 is supported only after you upgrade to 2.2 Preferred or to the following 2.1 plugins: |
The Panorama upgrade is required regardless of the Cloud Services plugin version you
are running at the EoS date. You cannot continue using an earlier version of the
Cloud Services plugin with an earlier unsupported version of Panorama software.
The following Panorama software versions are already EoS and you cannot use them with
Prisma Access:
- PAN-OS 10.0—EoS on July 16, 2022
- PAN-OS 9.0—EoS on February 1, 2021
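The minimum-version and EoS rules above, as an added example (not Palo Alto Networks code): a pre-upgrade check that parses a Panorama PAN-OS version string and decides whether that Panorama can manage Prisma Access. It encodes only the data this page carries, namely the 3.1 Innovation plugin row (the only row with version numbers on the page) and the Panorama EoS dates for Prisma Access. The version-string format, the handling of -hN hotfix suffixes, the status labels, and the choice of the earlier of the two PAN-OS 10.0 dates the page gives are assumptions of the example.

```python
"""Pre-upgrade check: can this Panorama version manage Prisma Access?

Added example, not Palo Alto Networks code. Encodes only the 3.1 Innovation
plugin minimums and the Panorama EoS dates stated on this page; the version
string format and the status labels are assumptions of the example.
"""
import re
from datetime import date

# Assumed PAN-OS version format: "10.1.4" or "10.2.3-h2". The -hN hotfix
# suffix is accepted but ignored, since the page states minimums at x.y.z.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_panos(version):
    """Return (major, minor, maint) for a PAN-OS version string."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    return tuple(int(m.group(i)) for i in (1, 2, 3))


# EoS dates for Panorama software compatibility with Prisma Access (from the
# page). The page gives two dates for PAN-OS 10.0 (March 1, 2023 in the table,
# July 16, 2022 in the list); the earlier one is assumed so the check fails safe.
EOS_DATES = {
    (9, 0): date(2021, 2, 1),
    (9, 1): date(2022, 8, 1),
    (10, 0): date(2022, 7, 16),
}

# Minimum Panorama version per PAN-OS train, keyed by Cloud Services plugin
# version. Only the 3.1 Innovation row carries version numbers on the page.
PLUGIN_MINIMUMS = {
    "3.1 Innovation": {(10, 1): (10, 1, 3), (10, 2): (10, 2, 3)},
}
# Recommended floor that incorporates the CYR-19816 fix on the 10.1 train.
PLUGIN_RECOMMENDED = {
    "3.1 Innovation": {(10, 1): (10, 1, 4)},
}


def fmt(v):
    return ".".join(str(x) for x in v)


def check_panorama(version, plugin, today=None):
    """Classify a Panorama version for a given Cloud Services plugin.

    today is an ISO date string ("2023-06-01") or None for the real date.
    Returns (status, reason); status is "unsupported", "supported-with-warning",
    "supported" or "unknown" (no data on this page for that plugin).
    """
    today = date.fromisoformat(today) if today else date.today()
    v = parse_panos(version)
    train = v[:2]
    label = f"PAN-OS {train[0]}.{train[1]}"

    # 1. EoS: once a train is EoS for Prisma Access, the Panorama upgrade is
    #    required regardless of the plugin version (stated on the page).
    eos = EOS_DATES.get(train)
    if eos is not None and today >= eos:
        return "unsupported", f"{label} reached EoS for Prisma Access on {eos.isoformat()}"

    # 2. Plugin minimum for this train.
    minimums = PLUGIN_MINIMUMS.get(plugin)
    if minimums is None:
        return "unknown", f"no minimum-version data on this page for plugin {plugin!r}"
    floor = minimums.get(train)
    if floor is None:
        return "unsupported", f"plugin {plugin} lists no supported minimum on the {label} train"
    if v < floor:
        return "unsupported", f"{version} is below the minimum {fmt(floor)} for plugin {plugin}"

    # 3. Recommended floor (known-issue fix), supported but flagged.
    rec = PLUGIN_RECOMMENDED.get(plugin, {}).get(train)
    if rec is not None and v < rec:
        return "supported-with-warning", f"upgrade to {fmt(rec)} or later to incorporate the CYR-19816 fix"
    return "supported", f"{version} meets the minimum for plugin {plugin}"


if __name__ == "__main__":
    for ver in ("10.1.2", "10.1.3", "10.1.4-h1", "10.2.3", "10.0.11", "9.1.14"):
        print(ver, *check_panorama(ver, "3.1 Innovation", today="2023-06-01"))
```

Checks run in order EoS, plugin minimum, recommended floor, so a Panorama on an EoS train is reported as unsupported even if it would otherwise meet a plugin minimum, which matches the page's statement that the upgrade is required regardless of plugin version. Add rows to the two dictionaries as the page (or a newer one) supplies them.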