What Features Does Prisma Access Support?
Learn about what features are supported for Prisma™ Access.
Prisma™ Access helps you to deliver consistent security
to your remote networks and mobile users. There are two ways that
you can deploy and manage Prisma Access:
- Panorama Managed Prisma Access—If you are already using Panorama™ to manage your next-generation firewalls, you can use Panorama to deploy Prisma Access and leverage your existing configurations. You’ll need the Cloud Services plugin to use Panorama for Prisma Access.
- Cloud Managed Prisma Access—If you aren’t using Panorama to manage firewalls, the Prisma Access app on the hub gives you a simplified way to onboard and manage Prisma Access.
The features and IPSec parameters supported for Prisma Access
vary depending on the management interface you’re using: Panorama
or the Prisma Access app. You cannot switch between the management
interfaces after you’ve activated your Prisma Access license. This
means you must decide how you want to manage Prisma Access before
you begin setting up the product. See Prisma Access Feature Support to select
your management interface.
For a description of the features that are supported in GlobalProtect™,
see What Features Does GlobalProtect Support?
Prisma Access Feature Support
Feature | Prisma Access (Panorama-Managed) | Prisma Access (Cloud-Managed) |
---|---|---|
Authentication | ||
✓ Supported for both IPSec and Remote Access. | ✓ | |
Single Sign-On (SSO) | ||
SSO (Credential Provider) | ✓ | ✓ |
✓ Kerberos is supported for Windows clients only. | ✓ Kerberos is supported for Windows clients only. | |
Security Features | ||
✓ This feature has the following Cortex Data Lake-based limitation: SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage > Include user group information in the report) not available | — | |
Management Features | ||
Cortex Data Lake allows scheduled reports and custom reports on Panorama. For more information, see Scheduled Reports for Cortex Data Lake (Cloud Services plugin 1.8 and minimum Panorama version of 10.0.0.2 required). | ✓ | |
✓ HTTP response pages are supported for mobile users and users at remote networks. To use HTTPS response pages, open a CLI session in the Panorama that manages Prisma Access, enter the `set template Mobile_User_Template config deviceconfig setting ssl-decrypt url-proxy yes` command in configuration mode, and commit your changes. | — | |
Mobile Features | ||
Content Inspection Features | ||
New Scheduling Options for Application and Threat Content Updates | Managed by Palo Alto Networks. | Managed by Palo Alto Networks. |
Five-Minutes Updates for PAN-DB Malware and Phishing URL Categories | Managed by Palo Alto Networks. | Managed by Palo Alto Networks. |
Routing Features | ||
Static Routing | ✓ | ✓ |
Dynamic Routing (BGP) | ✓ | ✓ |
Dynamic Routing (OSPF) | — | — |
VPN Connections | ||
IPSec Tunnels. See Supported IKE Cryptographic Parameters for a list of the supported IKE crypto parameters. | ✓ FQDNs for peer IPSec addresses are not supported; use an IP address for the peer address instead. | ✓ |
SSL. SSL is supported only for Remote Access, not for site-to-site VPNs. | ✓ | ✓ |
Hybrid Deployments | ||
Hybrid Deployments | ✓ Using on-premise gateways with Prisma Access gateways is supported. | ✓ |
✓ Supported for deployments that have on-premise GlobalProtect gateways. You can set a priority separately for on-premise gateways and collectively for all gateways in Prisma Access. You can also specify source regions for on-premise gateways. | ✓ | |
✓ Users can manually select a cloud gateway from their client machines using the GlobalProtect app. | ✓ Users can manually select a cloud gateway from their client machines using the GlobalProtect app. | |
GlobalProtect Gateway Modes | ||
External Mode | ✓ | ✓ |
Internal Mode | — You cannot configure Prisma Access gateways as internal gateways; however, you can add one or more on-premise gateways and configure them as internal gateways. | — You cannot configure Prisma Access gateways as internal gateways; however, you can add one or more on-premise gateways and configure them as internal gateways. |
GlobalProtect App Connect Methods | ||
User-Logon (always on) | ✓ | ✓ |
Pre-Logon (always on) | ✓ | ✓ |
Pre-Logon (then on-demand) | ✓ | ✓ |
On-Demand | ✓ | ✓ |
Security Profiles | ||
Security Profiles Scan Traffic for and Protect Against Threats, Attacks, Misuse, and Abuse | ✓ | ✓ Supports predefined security profiles only |
Networking | ||
IPv4 Addressing | ✓ | ✓ |
IPv6 Addressing | — | — |
Split Tunnel Based on Access Route | ✓ | ✓ |
Split Tunnel Based on Destination Domain, Client Process, and Video Streaming Application | ✓ | ✓ |
NetFlow | — | — |
Prisma Access uses the same Security policy rules and QoS profiles and supports the same Differentiated Services Code Point (DSCP) markings as Palo Alto Networks Next-Generation Firewalls. | ✓ Not supported in Prisma Access 1.8. | ✓ |
NAT. Prisma Access automatically manages outbound NAT; you cannot configure the settings. | ✓ | ✓ |
SSL VPN Connections | ✓ | ✓ |
DNS | ✓ Per suffix DNS settings not supported | ✓ |
DHCP | — Prisma Access uses the IP address pools you specify during mobile user setup to assign IP addresses to mobile users and does not use DHCP. | — |
Policies | ||
Policy-Based Forwarding | — | — |
Traffic Steering (using policy-based forwarding rules to forward internet-bound traffic to service connections) | ✓ Introduced in version 1.7. | ✓ |
MDM | ✓ | — |
MDM Integration with HIP | ✓ Prisma Access does not support AirWatch MDM HIP service integration; however, you can use the GlobalProtect App for iOS and Android MDM Integration for HIP-Based Policy Enforcement. | ✓ Prisma Access does not support AirWatch MDM HIP service integration; however, you can use the GlobalProtect App for iOS and Android MDM Integration for HIP-Based Policy Enforcement. |
Virtual Routers | — | — |
✓ Prisma Access supports using DAGs in security policies. The only supported option to register IP address-based tags is using auto-tagging based on events in the logs for Security Processing Nodes (SPNs) (remote networks and mobile users). For the auto-tagging, only Local User-ID as Registration source is supported. Requires a Panorama version of 9.1.1 or later. | ✓ You can register IP tags using an XML API on Panorama or on your on-premise firewall. You can only register users using Local registration; using the Panorama User-ID Agent or Remote Device User-ID Agent to register users is not supported. | |
✓ Prisma Access supports using DUGs in security policies. The only supported option to register user-based tags is using auto-tagging based on events in the logs for SPNs (remote networks and mobile users). For the auto-tagging, only Local User-ID as Registration source is supported. Introduced in version 1.7 and requires a Panorama version of 9.1.1 or later. | ✓ | |
HIP Reports | ||
HIP-Based Security Policy | ✓ | ✓ |
HIP Report Submission | ✓ | ✓ |
HIP Objects and Profiles | ✓ | ✓ |
HIP Report Viewing | ✓ Introduced in version 1.5. | — |
Tunnel Monitoring | ||
Dead Peer Detection (DPD) | ✓ | ✓ |
ICMP | ✓ | ✓ |
Bidirectional Forwarding Detection (BFD) | — | — |
App-ID | ||
App-ID | ✓ Any applications that are supported by VM-Series firewalls are supported by Prisma Access. | ✓ |
✓ Introduced in version 1.7. Requires a Panorama version of 9.1.1 or later. | ✓ | |
— Commit warnings are not supported for Prisma Access. | — | |
User-ID | ||
Get User and Group-Based Policy with Directory Sync | ✓ Supports on-premises Active Directory. This feature is not supported with multi-tenancy. Introduced in version 1.6. | ✓ Supports on-premises Active Directory and Azure Active Directory. |
✓ Introduced in version 1.7. Requires a Panorama version of 9.1.1 or later. | — | |
High Availability | ||
High Availability | ✓ | Doesn’t apply. |
Logging | ||
Log Settings | ✓ | — |
Cortex™ Data Lake Log Storage | ✓ | ✓ |
Enhanced Mobile Users Visibility for Administrators (GlobalProtect logs) | ✓ Introduced in version 1.7. Requires a Panorama version of 9.1.1 or later. If you use a Panorama version of 9.0.x, you can still see traffic and HIP logs via Panorama but can use the Explore app from the Hub to see remaining logs. | — |
Monitoring | ||
Integration with Other Palo Alto Networks Products
Feature | Prisma Access (Panorama-Managed) | Prisma Access (Cloud-Managed) |
---|---|---|
Cortex XSOAR integration | ✓ Source IP-based allow lists and malicious user activity detection are supported. | — |
Enterprise Data Loss Prevention (DLP) integration | ✓ This feature is not supported with multi-tenancy. | — |
Cortex XDR integration | ✓ Cortex XDR receives Prisma Access log information from Cortex Data Lake. | ✓ Cortex XDR receives Prisma Access log information from Cortex Data Lake. |
Prisma SaaS integration | ✓ SaaS visibility with Cortex Data Lake and VPN reverse SAML proxy are supported. | ✓ SaaS visibility with Cortex Data Lake and VPN reverse SAML proxy are supported. |
Multi-Tenancy Unsupported Features
The following Prisma Access (Panorama Managed) features
are not supported in a multi-tenant deployment: