What Features Does Prisma Access Support?
Table of Contents
Expand all | Collapse all
-
- Cloud Identity Engine Cipher Suites
-
- PAN-OS 11.1 GlobalProtect Cipher Suites
- PAN-OS 11.1 IPSec Cipher Suites
- PAN-OS 11.1 IKE and Web Certificate Cipher Suites
- PAN-OS 11.1 Decryption Cipher Suites
- PAN-OS 11.1 Administrative Session Cipher Suites
- PAN-OS 11.1 HA1 SSH Cipher Suites
- PAN-OS 11.1 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 11.1 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 11.0 GlobalProtect Cipher Suites
- PAN-OS 11.0 IPSec Cipher Suites
- PAN-OS 11.0 IKE and Web Certificate Cipher Suites
- PAN-OS 11.0 Decryption Cipher Suites
- PAN-OS 11.0 Administrative Session Cipher Suites
- PAN-OS 11.0 HA1 SSH Cipher Suites
- PAN-OS 11.0 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 11.0 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 10.2 GlobalProtect Cipher Suites
- PAN-OS 10.2 IPSec Cipher Suites
- PAN-OS 10.2 IKE and Web Certificate Cipher Suites
- PAN-OS 10.2 Decryption Cipher Suites
- PAN-OS 10.2 Administrative Session Cipher Suites
- PAN-OS 10.2 HA1 SSH Cipher Suites
- PAN-OS 10.2 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 10.2 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 10.1 GlobalProtect Cipher Suites
- PAN-OS 10.1 IPSec Cipher Suites
- PAN-OS 10.1 IKE and Web Certificate Cipher Suites
- PAN-OS 10.1 Decryption Cipher Suites
- PAN-OS 10.1 Administrative Session Cipher Suites
- PAN-OS 10.1 HA1 SSH Cipher Suites
- PAN-OS 10.1 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 10.1 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 9.1 GlobalProtect Cipher Suites
- PAN-OS 9.1 IPSec Cipher Suites
- PAN-OS 9.1 IKE and Web Certificate Cipher Suites
- PAN-OS 9.1 Decryption Cipher Suites
- PAN-OS 9.1 Administrative Session Cipher Suites
- PAN-OS 9.1 HA1 SSH Cipher Suites
- PAN-OS 9.1 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 9.1 Cipher Suites Supported in FIPS-CC Mode
-
- PAN-OS 8.1 GlobalProtect Cipher Suites
- PAN-OS 8.1 IPSec Cipher Suites
- PAN-OS 8.1 IKE and Web Certificate Cipher Suites
- PAN-OS 8.1 Decryption Cipher Suites
- PAN-OS 8.1 Administrative Session Cipher Suites
- PAN-OS 8.1 HA1 SSH Cipher Suites
- PAN-OS 8.1 PAN-OS-to-Panorama Connection Cipher Suites
- PAN-OS 8.1 Cipher Suites Supported in FIPS-CC Mode
What Features Does Prisma Access Support?
Learn about what features are supported for Prisma™ Access.
Prisma™ Access helps you to deliver consistent security
to your remote networks and mobile users. There are two ways that
you can deploy and manage Prisma Access:
- Cloud Managed Prisma Access—If you aren’t using Panorama™ to manage firewall, the Prisma Access app on the hub gives you a simplified way to onboard and manage Prisma Access.
- Panorama Managed Prisma Access—If you are already using Panorama to manage your next-generation firewalls, you can use Panorama to deploy Prisma Access and leverage your existing configurations. You’ll need the Cloud Services plugin to use Panorama for Prisma Access.
The features and IPSec parameters supported for Prisma Access
vary depending on the management interface you’re using—Panorama
or the Prisma Access app. You cannot switch between the management
interfaces after you activate your Prisma Access license. This means
you must decide how you want to manage Prisma Access before you
begin setting up the product. Review the Prisma Access Feature Support information
to help you select your management interface.
For a description of the features supported in GlobalProtect™,
see the features that GlobalProtect
supports.
Prisma Access Feature Support
The following sections provide you with the supported
features and network settings for Prisma Access (both Panorama Managed
and Cloud Managed).
Management
Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
|---|---|---|
Default Configurations Default
settings enable you to get started quickly and securely | √ Examples include:
| — |
Built-in Best Practice Rules So you’re
as secure as possible, enable your users and applications based
on best practice templates. With best practices as your basis, you can
then refine policy based on your enterprise needs. | √ Features with best practice rules
include:
| — |
Onboarding Walkthroughs for First-Time Setup | Guided
walkthroughs include:
| — |
Centralized Management Dashboards Can
includes Best Practice scores and usage information | √ Dashboards are available for features including:
| — |
Hit Counts | √ Hit counts for security profiles
include counts that measure the profile’s effectiveness, and these
can depend on the profile (for example, unblocked critical and high
severity vulnerabilities, or WildFire submission types). | |
Policy Rule Usage | √ | |
Remote Networks
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
|---|---|---|
IPSec Tunnels See Supported IKE Cryptographic Parametersfor a list of the supported IKE crypto parameters. FQDNs for peer IPSec addresses
are not supported; use an IP address for the peer address instead. | √ | √ |
Tunnel Monitoring | ||
Dead Peer Detection (DPD) | √ | √ |
ICMP | √ | √ |
Bidirectional Forwarding Detection (BFD) | — | — |
Service Connections
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
|---|---|---|
IPSec Tunnels See Supported IKE Cryptographic Parameters for a list
of the supported IKE crypto parameters. | √ | √ FQDNs for peer IPSec addresses are
not supported; use an IP address for the peer address instead. |
Tunnel Monitoring | ||
Dead Peer Detection (DPD) | √ | √ |
ICMP | √ | √ |
Bidirectional Forwarding Detection (BFD) | — | — |
Traffic Steering (using policy-based forwarding
rules to forward internet-bound traffic to service connections) | Introduced
in version 1.7. | |
Mobile Users—GlobalProtect
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
|---|---|---|
Using On-Premise Gateways (Hybrid Deployments) | ||
On-premise gateway integration with Prisma Access | √ | √ Using on-premise gateways with Prisma
Access gateways is supported. |
Priorities for Prisma Access and On-Premise Gateways | √ | √ Supported for deployments
that have on-premise GlobalProtect gateways. You can set a priority
separately for on-premise gateways and collectively for all gateways
in Prisma Access. You can also specify source regions for on-premise
gateways. |
Manual Gateway Selection Users can
manually select a cloud gateway from their client machines using
the GlobalProtect app. | ||
GlobalProtect Gateway Modes | ||
External Mode | √ | √ |
Internal Mode You cannot configure Prisma
Access gateways as internal gateways; however, you can add one or
more on-premise gateways and configure them as internal gateways. | — | — |
GlobalProtect App Connect
Methods | ||
User-Logon (always on) | √ | √ |
Pre-Logon (always on) | √ | √ |
Pre-Logon (then on-demand) | √ | √ |
On-Demand | √ | √ |
Clientless VPN | ||
Mobile User—GlobalProtect Features | ||
MDM Integration with HIP Prisma Access
does not support AirWatch MDM HIP service integration; however, you
can use the GlobalProtect App for iOS and
Android MDM Integration for HIP-Based Policy Enforcement | √ | √ |
DHCP Prisma Access
uses the IP address pools you specify during
mobile user setup to assign IP addresses to mobile users and does
not use DHCP. | — | — |
GlobalProtect App Version Controls | √ One-click configuration for GlobalProtect
agent log collection | |
Mobile Users—Explicit Proxy
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
|---|---|---|
Explicit Proxy Connectivity in GlobalProtect for Always-On
Internet Security | Introduced in Prisma Access 4.0 Preferred with GlobalProtect app
version 6.2 | Introduced in Prisma Access 4.0 Preferred with GlobalProtect app
version 6.2 |
Security Services
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
|---|---|---|
Security Policy | √ | √ |
SaaS Application Management | Supported
for:
| — |
IoT Security | √ | √ |
Security Profiles | ||
Supported Profile Types | √
| √
|
Dashboards for Security Profiles | Dashboards
are tailored to each profile, and give you:
| — |
√ | √ HTTP response pages are supported
for mobile users and users at remote networks. To use HTTPS response
pages, open a CLI session in the Panorama that manages Prisma Access,
enter the set template Mobile_User_Template config deviceconfig settingssl-decrypt url-proxyyes command
in configuration mode, and commit your changes. | |
HTTP Header Insertion | ||
Decryption | ||
SSL Forward Proxy | √ | √ |
SSL Inbound Inspection | — | √ |
SSH Proxy | — | √ |
Guided Walkthrough: Turn on Decryption | √ | — |
Network Services
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
|---|---|---|
Network Services | ||
Prisma
Access uses the same QoS policy rules and QoS profiles and supports
the same Differentiated Services Code Point (DSCP) markings as Palo
Alto Networks next-generation firewalls. | √ | √ QoS for Remote network deployments that
allocate bandwidth by compute location is introduced in version
3.0 Preferred. |
Application Override | √ | √ |
IPv4 Addressing | √ | √ |
IPv6 Addressing Introduced in version 2.2
preferred. | √ | √ |
Split Tunnel Based on Access Route | √ | √ |
Split Tunnel Based on Destination Domain,
Client Process, and Video Streaming Application | √ | √ |
NetFlow | — | — |
NAT Prisma Access automatically manages outbound
NAT; you cannot configure the settings. | √ | √ |
SSL VPN Connections | √ | √ |
Routing Features | ||
Static Routing | √ | √ |
Dynamic Routing (BGP) | √ | √ |
Dynamic Routing (OSPF) | — | — |
High Availability | ||
SMTP | √ Prisma Access may block SMTP port
25 for security reasons and to mitigate the risk from known vulnerabilities that
exploit non-secure SMTP. Palo Alto Networks recommends using ports
465, 587 or an alternate port 2525 for SMTP. | √ Prisma Access may block SMTP port
25 for security reasons and to mitigate the risk from known vulnerabilities that
exploit non-secure SMTP. Palo Alto Networks recommends using ports
465, 587 or an alternate port 2525 for SMTP. |
Identity Services
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
|---|---|---|
Authentication Types | ||
SAML | √ | √ |
√ Requires 3.0 Innovation or a later
Innovation release. | √ Requires 3.0 Innovation or a later
Innovation release. | |
TACACS+ | √ | √ |
RADIUS | √ | √ |
Local Database Authentication | √ | √ |
Authentication Features | ||
Authentication Rules | √ | √ |
Authentication Portal | √ | √ |
√ Supported for both IPSec and mobile
users with GlobalProtect. | √ Supported for both IPSec and mobile
users with GlobalProtect. | |
Single Sign-On (SSO) | √ | √ |
√ Supported for the following platforms:
A maximum
of 400 TS Agents are supported. | √ Supported for the following platforms:
A maximum
of 400 TS Agents are supported. | |
Cloud Identity Engine (Directory
Sync Component) | ||
Directory Sync for User and Group-Based
Policy | √ You can retrieve user and group information using
the Directory Sync component of the Cloud Identity Engine. Prisma
Access supports on-premises Active Directory, Azure Active Directory,
and Google IdP. Introduced in version 1.6. Support for Azure
Active Directory introduced in 2.0 Preferred. Support for Google IdP
introduced in 3.0 Preferred and Innovation. | |
Identity Redistribution
| √ | √ |
Ingestion of IP-address-to-username mappings
from 3rd party integration (NAC) | — | √ |
√ | √ Introduced in version 1.7. Requires
Panorama running 9.1.1 or later. | |
Policy Objects
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
|---|---|---|
Addresses | √ | √ |
Address Groups | √ | √ |
Dynamic Address Groups (DAGs) and Auto-Tags | √ | √ |
XML API - Based DAG Updates | — | √ |
Regions | √ | √ |
App-ID (Applications) | √ | √ |
√ | — Commit warnings are not supported
for Prisma Access. | |
Application Groups | √ | √ |
Application Filters | √ | √ |
Services | √ | √ |
Service Groups | √ | √ |
Tags | √ | √ |
√ | √ Introduced in version 1.7. Requires
Panorama running 9.1.1 or later. | |
Auto-Tag Actions | √ | √ |
HIP Objects | ||
HIP-Based Security Policy | √ | √ |
HIP Report Submission | √ | √ |
HIP Report Viewing | — | √ Introduced in version 1.5. |
HIP Objects and Profiles | √ | √ |
Certificate Management | ||
Custom Certificates | √ | √ |
Palo Alto Networks Issued Certificates | √ | √ |
Certificate Profiles | √ | √ |
Custom Certificates | √ | √ |
SSL/TLS Service Profiles | √ | √ |
SSL SSL is supported only for Mobile
Users, not for site-to-site VPNs | √ | √ |
SCEPs | √ | √ |
OCSP Responders | √ | √ |
Default Trusted Certificate Authorities | √ | √ |
Logs
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
|---|---|---|
Cortex™ Data Lake Log Storage | √ | √ |
Enhanced Mobile Users Visibility
for Administrators (GlobalProtect logs) | √ | √ Introduced in version 1.7. Requires
Panorama 9.1.1 or a later version. If you use Panorama running a
9.0 version, you can still see traffic and HIP logs from Panorama but
you need to use the Explore app from the Hub to see the remaining
logs. |
Reports
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
|---|---|---|
App Report | This
feature has the following Cortex Data Lake-based limitation: SaaS Application Usage report (Monitor PDF Reports SaaS Application Usage Include user group information
in the report choice is not supported) | |
Best Practices Report | √ | √ |
WildFire Reports | √ | √ Supported starting 2.0 Innovation. |
Integration with Other Palo Alto Networks Products
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
|---|---|---|
Cortex XSOAR integration | — | √ Source IP-based allow lists and
malicious user activity detection is supported. |
Cortex XDR integration | √ Prisma Access is compatible with
the Cortex XDR version of Cortex Data Lake. Cortex
XDR receives Prisma Access log information from Cortex Data Lake. | √ Prisma Access is compatible with
the Cortex XDR version of Cortex Data Lake. Cortex
XDR receives Prisma Access log information from Cortex Data Lake. |
Prisma SaaS integration | √ SaaS visibility with Cortex
Data Lake is supported. | √ SaaS visibility with Cortex
Data Lake is supported. |
Multitenancy Unsupported Features and Functionality
The following Prisma Access (Panorama Managed) features
are not supported in a multitenant deployment:
In addition, a Panorama Managed multitenant deployment has changes
to the following functionality:
- You cannot view your Panorama Managed tenants under Common Services: Tenant Management.
- For Panorama-managed Prisma Access, continue to use Panorama for managing Prisma Access and the admin access that is controlled locally on Panorama. You cannot manage users, roles, and services accounts using Common Services: Identity and Access for Panorama-managed Prisma Access. However, you can use Common Services: Identity and Access for managing other apps such as ADEM and Insights.
- You cannot use the Prisma Access APIs in pan-dev.
The following Prisma Access components and add-ons have the following
caveats when used in a multitenant deployment:
- For Prisma Access—Explicit Proxy deployments, if you have an existing Prisma Access non-multitenant deployment and convert it to a multitenant deployment, only the first tenant (the tenant you migrated) supports Explicit Proxy. Any subsequent tenants you create for the multitenant deployment after the first do not support Explicit Proxy.
- SaaS Security and Enterprise Data Loss Prevention (Enterprise DLP) support multitenancy with the following restrictions:
- Only a Superuser on Panorama can create DLP profiles and patterns and can associate DLP profiles to security policies for tenants.
- A Superuser must commit all changes to Panorama whenever they make changes in DLP profiles and patterns.
- All tenants share a single copy of profiles and pattern configurations; therefore, any changes done to them will be reflected across all tenants.
- Since security policies can be different across tenants, each tenant can have different data filtering profiles associated with security policies.
- Prisma SD-WAN integration and Configuring multiple portals in Prisma Access can only be used with one tenant per multitenant deployment.
- If you enable High Availability (HA) with active and passive Panorama appliances in a multi-tenant deployment, you cannot change the HA pair association after you enable multi-tenancy.