What Features Does Prisma Access Support?
Learn about what features are supported for Prisma™ Access.
Prisma™ Access helps you to deliver consistent security
to your remote networks and mobile users. There are two ways that
you can deploy and manage Prisma Access:
- Panorama Managed Prisma Access—If you are already using Panorama™ to manage your next-generation firewalls, you can use Panorama to deploy Prisma Access and leverage your existing configurations. You’ll need the Cloud Services plugin to use Panorama for Prisma Access.
- Cloud Managed Prisma Access—If you aren’t using Panorama to manage firewall, the Prisma Access app on the hub gives you a simplified way to onboard and manage Prisma Access.
The features and IPSec parameters supported for Prisma Access
vary depending on the management interface you’re using: Panorama
or the Prisma Access app. You cannot switch between the management
interfaces after you’ve activated your Prisma Access license. This
means you must decide how you want to manage Prisma Access before
begin setting up the product. See Prisma Access Feature Support to select
your management interface.
For a description of the features that are supported in GlobalProtect™,
see What Features Does GlobalProtect Support?
Prisma Access Feature Support
Feature | Prisma Access (Panorama-Managed) | Prisma Access (Cloud-Managed) |
|---|---|---|
Authentication | ||
 Supported
for both IPSec and Remote Access. | ||
Single Sign-On (SSO) | ||
SSO (Credential Provider) | | Supports only SAML and local
authentication |
Kerberos
is supported for Windows clients only. | ||
Security Features | ||
This
feature has the following Cortex Data Lake-based limitation: SaaS Application Usage report (): Include
user group information in the report not available | — | |
Management Features | ||
Cortex Data Lake does not allow the following reports:
| | |
HTTP
response pages are supported. To use HTTPS response pages, open
a CLI session in the Panorama that manages Prisma Access, enter
the set template Mobile_User_Template config deviceconfig setting ssl-decrypt url-proxy yes command
in configuration mode, and commit your changes. | — | |
Mobile Features | ||
Content Inspection Features | ||
New Scheduling Options for Application and Threat Content
Updates | Managed by Palo Alto Networks. | Managed by Palo Alto Networks. |
Five-Minutes Updates for PAN-DB Malware and Phishing URL
Categories | Managed by Palo Alto Networks. | Managed by Palo Alto Networks. |
Routing Features | ||
Static Routing | | |
Dynamic Routing (BGP) | | |
Dynamic Routing (OSPF) | — | — |
VPN Connections | ||
IPSec Tunnels See Prisma Access IPSec Tunnel Configuration Parameters for a list
of the supported IPSec tunnel parameters. | FQDNs
for peer IPSec addresses are not supported; use an IP address for
the peer address instead. | |
SSL SSL is supported only for Remote
Access, not for site-to-site VPNs. | | |
Hybrid Deployments | ||
Hybrid Deployments | Using
on-premise gateways with Prisma Access gateways is supported. | |
Supported
for deployments that have on-premise GlobalProtect gateways. You
can set a priority separately for on-premise gateways and collectively
for all gateways in Prisma Access. You can also specify source regions
for on-premise gateways. | | |
Users
can manually select a cloud gateway from their client machines using the
GlobalProtect app. | Users
can manually select a cloud gateway from their client machines using the
GlobalProtect app. | |
GlobalProtect Gateway Modes | ||
External Mode | | |
Internal Mode | — You cannot configure Prisma Access
gateways as internal gateways; however, you can add one or more on-premise
gateways and configure them as internal gateways. | — You cannot configure Prisma Access
gateways as internal gateways; however, you can add one or more on-premise
gateways and configure them as internal gateways. |
GlobalProtect App Connect
Methods | ||
User-Logon (always on) | | |
Pre-Logon (always on) | | |
Pre-Logon (then on-demand) | | |
On-Demand | | |
Security Profiles | ||
Security Profiles Scan
Traffic for and Protect Against Threats, Attacks, Misuse, and Abuse | | Supports
predefined security profiles only |
Networking | ||
IPv4 Addressing | | |
IPv6 Addressing | — | — |
Split Tunnel Based on Access Route | | |
Split Tunnel Based on Destination Domain,
Client Process, and Video Streaming Application | | — |
NetFlow | — | — |
QoS Prisma Access uses the same Security
policy rules and QoS profiles and supports the same Differentiated
Services Code Point (DSCP) markings as Palo Alto Networks Next-Generation
Firewalls. | | |
NAT Prisma Access automatically manages outbound
NAT; you cannot configure the settings. | | |
SSL VPN Connections | | |
DNS | Per
suffix DNS settings not supported | |
DHCP | — Prisma Access uses the IP address pools you specify during
mobile user setup to assign IP addresses to mobile users and does
not use DHCP. | — |
Policies | ||
Policy-Based Forwarding | — | — |
Traffic Steering (using policy-based
forwarding rules to forward internet-bound traffic to service connections) | Introduced
in version 1.7. This feature is not supported with multi-tenancy. | — |
MDM | | — |
MDM Integration with HIP | Prisma
Access does not support AirWatch MDM HIP service integration; however, you
can use the GlobalProtect App for iOS and
Android MDM Integration for HIP-Based Policy Enforcement. | — |
Virtual Routers | — | — |
You can register IP tags using
an XML API on Panorama or on
your on-premise firewall and redistribute them using User-ID agent redistribution. | — | |
HIP Reports | ||
HIP-Based Security Policy | | |
HIP Report Submission | | |
HIP Objects and Profiles | | |
HIP Report Viewing | Introduced
in version 1.5. | — |
Tunnel Monitoring | ||
Dead Peer Detection (DPD) | | |
ICMP | | |
Bidirectional Forwarding Detection (BFD) | — | — |
App-ID | ||
App-ID | Any
applications that are supported by VM-Series firewalls are supported
by Prisma Access. | |
Introduced
in version 1.7. Requires a Panorama version of 9.1.1 or later. | — | |
— Commit warnings are not supported
for Prisma Access. | — | |
User-ID | ||
Get User and Group-Based Policy with Directory
Sync | Introduced
in version 1.6. This feature is not supported with multi-tenancy. | |
Introduced
in version 1.7. Requires a Panorama version of 9.1.1 or later. | — | |
You
can implement user tags with dynamic user groups. You
can register tags using auto-tagging on the firewall.
You can also register User tags using an XML API on Panorama or
on your on-premise firewall and redistribute them using User-ID agent redistribution. You
can only register users using Local registration; using
the Panorama User-ID Agent or Remote Device
User-ID Agent to register users is not supported.Introduced
in version 1.7. Requires a Panorama version of 9.1.1 or later. | — | |
High Availability | ||
High Availability | | — |
Logging | ||
Log Settings | | — |
Cortex™ Data Lake Log Storage | | |
Enhanced Mobile Users Visibility
for Administrators (GlobalProtect logs) | Introduced
in version 1.7. Requires a Panorama version of 9.1.1 or later.
If you use a Panorama version of 9.0.x, you can still see traffic
and HIP logs via Panorama but can use the Explore app from the Hub to see remaining logs. | — |
Monitoring | ||
Integration with Other Palo Alto Networks Products
Feature | Prisma Access (Panorama-Managed) | Prisma Access (Cloud-Managed) |
|---|---|---|
Cortex XSOAR integration | Source
IP-based allow lists and malicious user activity detection is supported. | — |
Enterprise Data Loss Prevention
(DLP) integration | This
feature is not supported with multi-tenancy. | — |
Cortex XDR integration | Cortex
XDR receives Prisma Access log information from Cortex Data Lake. | Cortex
XDR receives Prisma Access log information from Cortex Data Lake. |
Prisma SaaS integration | SaaS visibility with Cortex Data
Lake and VPN reverse SAML proxy are supported. | SaaS visibility with Cortex Data
Lake and VPN reverse SAML proxy are supported. |
Multi-Tenancy Unsupported Features
The following Prisma Access (Panorama Managed) features
are not supported in a multi-tenant deployment:
- Directory Sync integration
- Traffic Steering (using traffic forwarding rules with service connections)
