What Features Does Prisma Access Support?

Learn about what features are supported for Prisma™ Access.
Prisma™ Access helps you to deliver consistent security to your remote networks and mobile users. There are two ways that you can deploy and manage Prisma Access:
  • Panorama Managed Prisma Access: If you are already using Panorama™ to manage your next-generation firewalls, you can use Panorama to deploy Prisma Access and leverage your existing configurations. You’ll need the Cloud Services plugin to use Panorama for Prisma Access.
  • Cloud Managed Prisma Access: If you aren’t using Panorama to manage firewalls, the Prisma Access app on the hub gives you a simplified way to onboard and manage Prisma Access.
The features and IPSec parameters supported for Prisma Access vary depending on the management interface you’re using: Panorama or the Prisma Access app. You cannot switch between the management interfaces after you’ve activated your Prisma Access license. This means you must decide how you want to manage Prisma Access before you begin setting up the product. See Prisma Access Feature Support to select your management interface.
For a description of the features that are supported in GlobalProtect™, see What Features Does GlobalProtect Support?

Prisma Access Feature Support

Feature
Prisma Access (Panorama-Managed)
Prisma Access (Cloud-Managed)
Authentication
green-check-mark.png
Supports only SAML and local authentication
green-check-mark.png
green-check-mark.png
Supported for both IPSec and Remote Access.
Framed-IP-Address retrieval from RADIUS server
Single Sign-On (SSO)
SSO (Credential Provider)
green-check-mark.png
Supports only SAML and local authentication
green-check-mark.png
Kerberos is supported for Windows clients only.
Security Features
green-check-mark.png
This feature has the following Cortex Data Lake-based limitation:
SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage): Include user group information in the report not available
green-check-mark.png
green-check-mark.png
green-check-mark.png
Management Features
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
Introduced in version 1.4.
Cortex Data Lake does not allow the following reports:
  • Custom Report (Monitor > Manage Custom Reports): Detailed Logs (Slower) not available in Database area
  • Scheduled and pre-defined reports are not supported.
green-check-mark.png
green-check-mark.png
HTTP response pages are supported. To use HTTPS response pages, open a CLI session in the Panorama that manages Prisma Access, enter the following command in configuration mode, and commit your changes:
    set template Mobile_User_Template config deviceconfig setting ssl-decrypt url-proxy yes
Mobile Features
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
Content Inspection Features
New Scheduling Options for Application and Threat Content Updates
Managed by Palo Alto Networks.
Managed by Palo Alto Networks.
Managed by Palo Alto Networks.
Managed by Palo Alto Networks.
Routing Features
Static Routing
green-check-mark.png
green-check-mark.png
Dynamic Routing (BGP)
green-check-mark.png
green-check-mark.png
Dynamic Routing (OSPF)
VPN Connections
IPSec Tunnels
See Prisma Access IPSec Tunnel Configuration Parameters for a list of the supported IPSec tunnel parameters.
green-check-mark.png
FQDNs for peer IPSec addresses are not supported; use an IP address for the peer address instead.
green-check-mark.png
SSL
SSL is supported only for Remote Access, not for site-to-site VPNs.
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
Hybrid Deployments
Hybrid Deployments
green-check-mark.png
Using on-premise gateways with Prisma Access gateways is supported.
green-check-mark.png
green-check-mark.png
Supported for deployments that have on-premise GlobalProtect gateways. You can set a priority separately for on-premise gateways and collectively for all gateways in Prisma Access. You can also specify source regions for on-premise gateways.
green-check-mark.png
green-check-mark.png
Users can manually select a cloud gateway from their client machines using the GlobalProtect app.
green-check-mark.png
Users can manually select a cloud gateway from their client machines using the GlobalProtect app.
GlobalProtect Gateway Modes
External Mode
green-check-mark.png
green-check-mark.png
Internal Mode
You cannot configure Prisma Access gateways as internal gateways; however, you can add one or more on-premise gateways and configure them as internal gateways.
You cannot configure Prisma Access gateways as internal gateways; however, you can add one or more on-premise gateways and configure them as internal gateways.
GlobalProtect App Connect Methods
User-Logon (always on)
green-check-mark.png
green-check-mark.png
Pre-Logon (always on)
green-check-mark.png
green-check-mark.png
Pre-Logon (then on-demand)
green-check-mark.png
green-check-mark.png
On-Demand
green-check-mark.png
green-check-mark.png
Security Profiles
Security Profiles Scan Traffic for and Protect Against Threats, Attacks, Misuse, and Abuse
green-check-mark.png
green-check-mark.png
Supports predefined security profiles only
Networking
IPv4 Addressing
green-check-mark.png
green-check-mark.png
IPv6 Addressing
Split Tunnel Based on Access Route
green-check-mark.png
green-check-mark.png
Split Tunnel Based on Destination Domain, Client Process, and Video Streaming Application
green-check-mark.png
NetFlow
QoS
Prisma Access uses the same Security policy rules and QoS profiles and supports the same Differentiated Services Code Point (DSCP) markings as Palo Alto Networks Next-Generation Firewalls.
green-check-mark.png
green-check-mark.png
NAT
Prisma Access automatically manages outbound NAT; you cannot configure the settings.
green-check-mark.png
green-check-mark.png
SSL VPN Connections
green-check-mark.png
green-check-mark.png
DNS
green-check-mark.png
Per-suffix DNS settings are not supported.
green-check-mark.png
DHCP
Prisma Access uses the IP address pools you specify during mobile user setup to assign IP addresses to mobile users and does not use DHCP.
External Dynamic List (EDL) for Panorama Managed and Cloud Managed Prisma Access
green-check-mark.png
green-check-mark.png
Policies
Policy-Based Forwarding
Traffic Steering (using policy-based forwarding rules to forward internet-bound traffic to service connections)
green-check-mark.png
Introduced in version 1.7.
This feature is not supported with multi-tenancy.
DoS Protection
green-check-mark.png
The Prisma Access infrastructure manages DoS protection.
green-check-mark.png
MDM
green-check-mark.png
MDM Integration with HIP
green-check-mark.png
Prisma Access does not support AirWatch MDM HIP service integration; however, you can use the GlobalProtect App for iOS and Android MDM Integration for HIP-Based Policy Enforcement.
Virtual Routers
green-check-mark.png
green-check-mark.png
You can register IP tags using an XML API on Panorama or on your on-premise firewall and redistribute them using User-ID agent redistribution.
HIP Reports
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
HIP-Based Security Policy
green-check-mark.png
green-check-mark.png
green-check-mark.png
HIP Report Submission
green-check-mark.png
green-check-mark.png
green-check-mark.png
green-check-mark.png
HIP Objects and Profiles
green-check-mark.png
green-check-mark.png
HIP Report Viewing
green-check-mark.png
Introduced in version 1.5.
green-check-mark.png
Introduced in version 1.5.
Tunnel Monitoring
Dead Peer Detection (DPD)
green-check-mark.png
green-check-mark.png
ICMP
green-check-mark.png
green-check-mark.png
Bidirectional Forwarding Detection (BFD)
App-ID
App-ID
green-check-mark.png
Any applications that are supported by VM-Series firewalls are supported by Prisma Access.
green-check-mark.png
green-check-mark.png
Introduced in version 1.7.
Requires a Panorama version of 9.1.1 or later.
Commit warnings are not supported for Prisma Access.
User-ID
Get User and Group-Based Policy with Directory Sync
green-check-mark.png
Introduced in version 1.6.
This feature is not supported with multi-tenancy.
green-check-mark.png
Retrieve and redistribute User ID information
green-check-mark.png
green-check-mark.png
Introduced in version 1.7.
Requires a Panorama version of 9.1.1 or later.
green-check-mark.png
You can implement user tags with dynamic user groups. You can register tags using auto-tagging on the firewall. You can also register User tags using an XML API on Panorama or on your on-premise firewall and redistribute them using User-ID agent redistribution.
You can only register users using Local registration; using the Panorama User-ID Agent or Remote Device User-ID Agent to register users is not supported.
Introduced in version 1.7.
Requires a Panorama version of 9.1.1 or later.
High Availability
High Availability
green-check-mark.png
Logging
Log Settings
green-check-mark.png
Cortex™ Data Lake Log Storage
green-check-mark.png
green-check-mark.png
Forward logs stored in Cortex Data Lake to syslog and email destinations.
green-check-mark.png
green-check-mark.png
green-check-mark.png
HTTP, SNMP, and auto-tagging in Built-in Actions are not supported.
green-check-mark.png
Introduced in version 1.7.
Requires a Panorama version of 9.1.1 or later. If you use a Panorama version of 9.0.x, you can still see traffic and HIP logs in Panorama, but you can use the Explore app from the hub to see the remaining logs.
Monitoring
SNMP
Use Tunnel Monitoring instead of SNMP to monitor the tunnels in Prisma Access.

Integration with Other Palo Alto Networks Products

Feature
Prisma Access (Panorama-Managed)
Prisma Access (Cloud-Managed)
Prisma Access visibility on AutoFocus/WildFire portal
green-check-mark.png
green-check-mark.png
Cortex XSOAR integration
green-check-mark.png
Source IP-based allow lists and malicious user activity detection are supported.
green-check-mark.png
This feature is not supported with multi-tenancy.
Cortex XDR integration
green-check-mark.png
Cortex XDR receives Prisma Access log information from Cortex Data Lake.
green-check-mark.png
Cortex XDR receives Prisma Access log information from Cortex Data Lake.
Prisma SaaS integration

Multi-Tenancy Unsupported Features

The following Prisma Access (Panorama Managed) features are not supported in a multi-tenant deployment:
