What Features Does Prisma Access Support?

Learn about what features are supported for Prisma™ Access.
Prisma™ Access helps you to deliver consistent security to your remote networks and mobile users. There are two ways that you can deploy and manage Prisma Access:
  • Cloud Managed Prisma Access—If you aren’t using Panorama to manage firewalls, the Prisma Access app on the hub gives you a simplified way to onboard and manage Prisma Access.
  • Panorama Managed Prisma Access—If you are already using Panorama™ to manage your next-generation firewalls, you can use Panorama to deploy Prisma Access and leverage your existing configurations. You’ll need the Cloud Services plugin to use Panorama for Prisma Access.
The features and IPSec parameters supported for Prisma Access vary depending on the management interface you’re using: Panorama or the Prisma Access app. You cannot switch between the management interfaces after you’ve activated your Prisma Access license. This means you must decide how you want to manage Prisma Access before you begin setting up the product. See Prisma Access Feature Support to select your management interface.
For a description of the features that are supported in GlobalProtect™, see What Features Does GlobalProtect Support?

Prisma Access Feature Support

The following sections provide you with the supported features and network settings for Prisma Access (both Panorama Managed and Cloud Managed).


Prisma Access (Cloud Managed)
Prisma Access (Panorama Managed)
Best Practice Checks
Default Configurations
Default settings enable you to get started quickly and securely
Examples include:
  • Default DNS settings
  • Default GlobalProtect settings, including for the Prisma Access portal
  • Default Prisma Access infrastructure settings
Built-in Best Practice Rules
So you’re as secure as possible, enable your users and applications based on best practice templates. With best practices as your basis, you can then refine policy based on your enterprise needs.
Features with best practice rules include:
  • Security rules
  • Security profiles
  • Decryption
  • M365
Onboarding Walkthroughs for First-Time Setup
Guided walkthroughs include:
  • Onboard Remote Networks
  • Onboard Mobile Users (GlobalProtect)
  • Onboard Your HQ or Data Centers
  • Turn on Decryption
Centralized Management Dashboards
Can include Best Practice scores and usage information
Dashboards are available for features including:
  • Security Policy
  • Security Profiles
  • Decryption
  • Authentication
  • Certificates
  • SaaS Application Management
Hit Counts
Hit counts for security profiles include counts that measure the profile’s effectiveness, and these can depend on the profile (for example, unblocked critical and high severity vulnerabilities, or WildFire submission types).
Policy Rule Usage
Introduced in 2.0 Innovation. Supported in Preferred releases starting with 2.2 Preferred.
Profile Groups

Remote Networks

Prisma Access (Cloud-Managed)
Prisma Access (Panorama-Managed)
IPSec Tunnels
See Supported IKE Cryptographic Parameters for a list of the supported IKE crypto parameters.
FQDNs for peer IPSec addresses are not supported; use an IP address for the peer address instead.
Secure Inbound Access
Tunnel Monitoring
Dead Peer Detection (DPD)
Bidirectional Forwarding Detection (BFD)
Use Tunnel Monitoring instead of SNMP to monitor the tunnels in Prisma Access.

Service Connections

Prisma Access (Cloud-Managed)
Prisma Access (Panorama-Managed)
IPSec Tunnels
See Supported IKE Cryptographic Parameters for a list of the supported IKE crypto parameters.
FQDNs for peer IPSec addresses are not supported; use an IP address for the peer address instead.
Tunnel Monitoring
Dead Peer Detection (DPD)
Bidirectional Forwarding Detection (BFD)
Use Tunnel Monitoring instead of SNMP to monitor the tunnels in Prisma Access.
Traffic Steering
(using policy-based forwarding rules to forward internet-bound traffic to service connections)
Introduced in version 1.7.

Mobile Users—GlobalProtect

Prisma Access (Cloud-Managed)
Prisma Access (Panorama-Managed)
Using On-Premise Gateways (Hybrid Deployments)
On-premise gateway integration with Prisma Access
Using on-premise gateways with Prisma Access gateways is supported.
Priorities for Prisma Access and On-Premise Gateways
Supported for deployments that have on-premise GlobalProtect gateways. You can set a priority separately for on-premise gateways and collectively for all gateways in Prisma Access. You can also specify source regions for on-premise gateways.
Manual Gateway Selection
Users can manually select a cloud gateway from their client machines using the GlobalProtect app.
GlobalProtect Gateway Modes
External Mode
Internal Mode
You cannot configure Prisma Access gateways as internal gateways; however, you can add one or more on-premise gateways and configure them as internal gateways.
GlobalProtect App Connect Methods
User-Logon (always on)
Pre-Logon (always on)
Pre-Logon (then on-demand)
Clientless VPN
Clientless VPN
Mobile User—GlobalProtect Features
Mobile Device Management (MDM)
MDM Integration with HIP
Prisma Access does not support AirWatch MDM HIP service integration; however, you can use the GlobalProtect App for iOS and Android MDM Integration for HIP-Based Policy Enforcement.
Administratively Log Out Mobile Users
Introduced in version 1.4.
Prisma Access uses the IP address pools you specify during mobile user setup to assign IP addresses to mobile users and does not use DHCP.
GlobalProtect App Version Controls
One-click configuration for GlobalProtect agent log collection

Okyo Garde

Prisma Access (Cloud-Managed)
Prisma Access (Panorama-Managed)
Okyo Garde
In the home office, corporate-issued devices beyond the laptop, such as video/audio conferencing equipment, printers, and more connect to Prisma Access to safely use the internet and applications.
Supported via link to Prisma Access (Cloud-Managed) portal.

Mobile Users—Explicit Proxy

Prisma Access (Cloud-Managed)
Prisma Access (Panorama-Managed)
Explicit Proxy Support
Introduced in 2.0 Innovation.
Guided Walkthrough:
Best Practices for Explicit Proxy

Security Services

Prisma Access (Cloud-Managed)
Prisma Access (Panorama-Managed)
Security Policy
DoS Protection
The Prisma Access infrastructure manages DoS protection.
SaaS Application Management
Supported for:
  • Microsoft 365 apps
    Includes a guided walkthrough to safely enable M365
  • Google apps
  • Dropbox
  • YouTube
Security Profiles
Supported Profile Types
  • Anti-Spyware
  • DNS Security
  • Vulnerability Protection
  • WildFire and Antivirus
  • URL Filtering
  • File Blocking
  • Data Loss Prevention (DLP)
  • HTTP Header Insertion
  • Anti-Spyware
  • DNS Security (enabled via an Anti-Spyware profile)
  • Vulnerability Protection
  • Antivirus
  • WildFire
  • URL Filtering
  • File Blocking
  • Data Loss Prevention (DLP)
Dashboards for Security Profiles
Dashboards are tailored to each profile, and give you:
  • centralized management for security service features
  • visibility into profile usage and effectiveness
  • access to cloud databases (search for threat coverage, for example)
Best Practice Scores for Security Profiles
HTTP response pages are supported for mobile users and users at remote networks. To use HTTPS response pages, open a CLI session in the Panorama that manages Prisma Access, enter the
set template Mobile_User_Template config deviceconfig setting ssl-decrypt url-proxy yes
command in configuration mode, and commit your changes.
HTTP Header Insertion
Guided Walkthrough:
Turn on Decryption

Network Services

Prisma Access (Cloud-Managed)
Prisma Access (Panorama-Managed)
Network Services
Prisma Access uses the same QoS policy rules and QoS profiles and supports the same Differentiated Services Code Point (DSCP) markings as Palo Alto Networks next-generation firewalls.
QoS for Remote network deployments that allocate bandwidth by compute location is introduced in version 3.0 Preferred.
Application Override
IPv4 Addressing
IPv6 Addressing
Introduced in version 2.2 Preferred.
Split Tunnel Based on Access Route
Split Tunnel Based on Destination Domain, Client Process, and Video Streaming Application
Prisma Access automatically manages outbound NAT; you cannot configure the settings.
SSL VPN Connections
Routing Features
Static Routing
Dynamic Routing (BGP)
Dynamic Routing (OSPF)
High Availability
Availability maintained by Palo Alto Networks.

Identity Services

Prisma Access (Cloud-Managed)
Prisma Access (Panorama-Managed)
Authentication Types
Kerberos is supported for Windows clients only.
Local Database Authentication
Authentication Features
Authentication Rules
Authentication Portal
Supported for both IPSec and mobile users with GlobalProtect.
Supported for both IPSec and mobile users with GlobalProtect.
Framed-IP-Address retrieval from RADIUS server
Single Sign-On (SSO)
Cloud Identity Engine (Directory Sync)
Directory Sync for User and Group-Based Policy
Supports on-premises Active Directory and Azure Active Directory.
You can retrieve user and group information using the Directory Sync component of the Cloud Identity Engine.
Prisma Access supports on-premises Active Directory, Azure Active Directory, and Google IdP.
This feature is not supported with multitenancy.
Introduced in version 1.6. Support for Azure Active Directory introduced in 2.0 Preferred. Support for Google IdP introduced in 3.0 Preferred and Innovation.
Identity Redistribution
  • IP-address-to-username mappings
  • HIP
  • Device Quarantine
  • IP-Tag
  • User-Tag
Ingestion of IP-address-to-username mappings from 3rd party integration (NAC)
Introduced in version 1.7.
Requires a Panorama version of 9.1.1 or later.

Policy Objects

Prisma Access (Cloud-Managed)
Prisma Access (Panorama-Managed)
Address Groups
Dynamic Address Groups (DAGs) and Auto-Tags
XML API - Based DAG Updates
App-ID (Applications)
Commit warnings are not supported for Prisma Access.
Service-Based Session Timeouts
Application Groups
Application Filters
Service Groups
Introduced in version 1.7.
Requires a Panorama version of 9.1.1 or later.
Auto-Tag Actions
HIP Objects
HIP-Based Security Policy
HIP Report Submission
HIP Report Viewing
Introduced in version 1.5.
Introduced in version 1.5.
HIP Objects and Profiles
Certificate Management
Custom Certificates
Palo Alto Networks Issued Certificates
Certificate Profiles
Custom Certificates
SSL/TLS Service Profiles
SSL is supported only for Mobile Users, not for site-to-site VPNs
OCSP Responders
Default Trusted Certificate Authorities


Prisma Access (Cloud-Managed)
Prisma Access (Panorama-Managed)
Cortex™ Data Lake Log Storage
Forward logs stored in Cortex Data Lake to syslog and email destinations
Default log forwarding profile
HTTP, SNMP, auto-tagging in Built-in Actions not supported
Introduced in version 1.7.
Requires Panorama 9.1.1 or a later version. If you use a Panorama 9.0 version, you can still see traffic and HIP logs from Panorama but you need to use the Explore app from the Hub to see the remaining logs.


Prisma Access (Cloud-Managed)
Prisma Access (Panorama-Managed)
Introduced in Prisma Access 1.8.
Prisma Access supports running scheduled and custom reports on Panorama with the following caveats:
Run the scheduled or custom report under the
device group. Running a scheduled or custom report under a specific Device Group retrieves a blank report.
You cannot search or sort the records in a report by specific device groups.
App Report
This feature has the following Cortex Data Lake-based limitation:
SaaS Application Usage report (PDF Reports > SaaS Application Usage)—Cannot filter the logs for user groups (the Include user group information in the report choice is not supported)
Usage Report
User Activity Report
Best Practices Report
WildFire Reports
Supported starting 2.0 Innovation. Not supported on 2.0 Preferred and 2.1 Preferred.

Integration with Other Palo Alto Networks Products

Prisma Access (Cloud-Managed)
Prisma Access (Panorama-Managed)
Cortex XSOAR integration
Source IP-based allow lists and malicious user activity detection are supported.
The Panorama Enterprise DLP plugin is supported starting with version 2.0 Innovation and supports multitenancy with the following caveats:
You manage DLP data patterns and data filtering profiles as the superuser-level admin user, and all tenants share the same patterns and profiles. However, you can implement security policies at a per-tenant level and associate different data filtering profiles per tenant, which gives you per-tenant control over which profiles are used.
The superuser-level admin user must commit all changes to Panorama whenever a change to DLP profiles and patterns is made.
This feature is not supported with multitenancy with 2.0 Preferred and 2.1 Preferred Prisma Access versions.
Cortex XDR integration
Cortex XDR receives Prisma Access log information from Cortex Data Lake.
Cortex XDR receives Prisma Access log information from Cortex Data Lake.
Prisma SaaS integration
IoT Security Integration
Introduced in version 2.0 Innovation.

Multitenancy Unsupported Features

The following Prisma Access (Panorama Managed) features are not supported in a multitenant deployment:
Explicit Proxy supports multitenancy under the following conditions: if you have an existing Prisma Access non-multitenant deployment and convert it to a multitenant deployment, only the first tenant (the tenant you migrated) supports Explicit Proxy. Any subsequent tenants you create for the multitenant deployment after the first do not support Explicit Proxy.
In addition, group-based security policies will not work in a multitenant deployment. Explicit Proxy uses the Directory Sync component of the Cloud Identity Engine to perform group mapping, and multitenancy does not support the Cloud Identity Engine.
