What Features Does Prisma Access Support?
Learn about what features are supported for Prisma™ Access.
Prisma™ Access helps you to deliver consistent security
to your remote networks and mobile users. There are two ways that
you can deploy and manage Prisma Access:
- Cloud Managed Prisma Access—If you aren’t using Panorama to manage firewalls, the Prisma Access app on the hub gives you a simplified way to onboard and manage Prisma Access.
- Panorama Managed Prisma Access—If you are already using Panorama™ to manage your next-generation firewalls, you can use Panorama to deploy Prisma Access and leverage your existing configurations. You’ll need the Cloud Services plugin on Panorama to manage Prisma Access from it.
The features and IPSec parameters supported for Prisma Access
vary depending on the management interface you’re using: Panorama
or the Prisma Access app. You cannot switch between the management
interfaces after you’ve activated your Prisma Access license, so
decide how you want to manage Prisma Access before you begin
setting up the product. See Prisma Access Feature Support to select
your management interface.
For a description of the features that are supported in GlobalProtect™,
see What Features Does GlobalProtect Support?
Prisma Access Feature Support
The following sections provide you with the supported
features and network settings for Prisma Access (both Panorama Managed
and Cloud Managed).
Management
Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
---|---|---|
Default Configurations. Default settings enable you to get started quickly and securely. | √ Examples include: | — |
Built-in Best Practice Rules. So you’re as secure as possible, enable your users and applications based on best practice templates. With best practices as your basis, you can then refine policy based on your enterprise needs. | √ Features with best practice rules include: | — |
Onboarding Walkthroughs for First-Time Setup | √ Guided walkthroughs include: | — |
Centralized Management Dashboards. Can include Best Practice scores and usage information. | √ Dashboards are available for features including: | — |
Hit Counts | √ Hit counts for security profiles include counts that measure the profile’s effectiveness, and these can depend on the profile (for example, unblocked critical and high severity vulnerabilities, or WildFire submission types). | √ Introduced in 2.0 Innovation. Supported in Preferred releases starting with 2.2 Preferred. |
Remote Networks
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
---|---|---|
IPSec Tunnels. See Supported IKE Cryptographic Parameters for a list of the supported IKE crypto parameters. FQDNs for peer IPSec addresses are not supported; use an IP address for the peer address instead. | √ | √ |
Tunnel Monitoring | | |
Dead Peer Detection (DPD) | √ | √ |
ICMP | √ | √ |
Bidirectional Forwarding Detection (BFD) | — | — |
Service Connections
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
---|---|---|
IPSec Tunnels. See Supported IKE Cryptographic Parameters for a list of the supported IKE crypto parameters. | √ | √ FQDNs for peer IPSec addresses are not supported; use an IP address for the peer address instead. |
Tunnel Monitoring | | |
Dead Peer Detection (DPD) | √ | √ |
ICMP | √ | √ |
Bidirectional Forwarding Detection (BFD) | — | — |
Traffic Steering (using policy-based forwarding rules to forward internet-bound traffic to service connections) | | Introduced in version 1.7. |
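Both the Remote Networks and Service Connections tables above place the same two constraints on an IPSec tunnel definition: the IKE peer must be an IP address rather than an FQDN, and tunnel monitoring must use DPD or ICMP because BFD is not available. When sites are onboarded through automation, catching a violation before the commit is cheaper than debugging a tunnel that never comes up. The Python linter below is an added example, not Palo Alto Networks code; the tunnel record format, the sample tunnels, and the names `classify_peer`, `check_tunnel` and `lint` are constructed for this example and do not correspond to any Prisma Access file format or API.

```python
"""Pre-flight check for Prisma Access remote-network / service-connection
tunnel definitions. Added example, not Palo Alto Networks code.

Rules taken from the feature matrix:
  - the IKE peer address must be an IP literal (IPv4 or IPv6), not an FQDN;
  - tunnel monitoring must be DPD or ICMP; BFD is not available.
The tunnel record format is constructed for this example.
"""
import ipaddress
import re

# Tunnel monitor types the matrix marks as supported; BFD is marked unsupported.
SUPPORTED_MONITORS = {"dpd", "icmp"}

# Hostname syntax: dotted labels of letters, digits and hyphens, alphabetic TLD.
_FQDN_RE = re.compile(
    r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\.?$", re.I
)


def classify_peer(peer):
    """Return 'ipv4', 'ipv6', 'fqdn' or 'invalid' for a peer address string.

    A bracketed IPv6 literal ("[2001:db8::1]") is accepted. A string such as
    "10.0.0.256" is neither a valid IP nor a hostname and is reported as
    invalid rather than silently treated as an address.
    """
    p = peer.strip()
    if p.startswith("[") and p.endswith("]"):
        p = p[1:-1]
    try:
        addr = ipaddress.ip_address(p)
        return "ipv4" if addr.version == 4 else "ipv6"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9.]+", p):
        return "invalid"
    if _FQDN_RE.match(p):
        return "fqdn"
    return "invalid"


def check_tunnel(tunnel):
    """Return a list of problems for one tunnel definition (empty list = OK)."""
    problems = []
    name, peer = tunnel.get("name", "?"), tunnel.get("peer", "")
    kind = classify_peer(peer)
    if kind == "fqdn":
        problems.append(f"{name}: peer '{peer}' is an FQDN; use the peer's IP address")
    elif kind == "invalid":
        problems.append(f"{name}: peer '{peer}' is not a valid IP address")
    monitor = str(tunnel.get("monitor", "")).lower()
    if monitor == "bfd":
        problems.append(f"{name}: BFD tunnel monitoring is not supported; use DPD or ICMP")
    elif monitor and monitor not in SUPPORTED_MONITORS:
        problems.append(f"{name}: unknown tunnel monitor '{monitor}'; expected dpd or icmp")
    return problems


# Constructed sample tunnels: one clean, one FQDN peer, one BFD, one bad address.
SAMPLE_TUNNELS = [
    {"name": "branch-nyc", "peer": "203.0.113.10", "monitor": "dpd"},
    {"name": "branch-lon", "peer": "vpn-lon.example.com", "monitor": "icmp"},
    {"name": "dc-east", "peer": "[2001:db8::1]", "monitor": "bfd"},
    {"name": "branch-bad", "peer": "10.0.0.256", "monitor": "dpd"},
]


def lint(tunnels=SAMPLE_TUNNELS):
    """Run check_tunnel over every definition and return all problems found."""
    out = []
    for t in tunnels:
        out.extend(check_tunnel(t))
    return out


if __name__ == "__main__":
    for line in lint():
        print(line)
```

Run as a script it reports three of the four sample tunnels: the FQDN peer, the BFD monitor, and the malformed address. The supported IKE crypto parameters themselves are not listed on this page, so the linter does not check them; add that check against the Supported IKE Cryptographic Parameters list once you have it.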
Mobile Users—GlobalProtect
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
---|---|---|
Using On-Premise Gateways (Hybrid Deployments) | | |
On-premise gateway integration with Prisma Access | √ | √ Using on-premise gateways with Prisma Access gateways is supported. |
Priorities for Prisma Access and On-Premise Gateways | √ | √ Supported for deployments that have on-premise GlobalProtect gateways. You can set a priority separately for on-premise gateways and collectively for all gateways in Prisma Access. You can also specify source regions for on-premise gateways. |
Manual Gateway Selection. Users can manually select a cloud gateway from their client machines using the GlobalProtect app. | | |
GlobalProtect Gateway Modes | | |
External Mode | √ | √ |
Internal Mode. You cannot configure Prisma Access gateways as internal gateways; however, you can add one or more on-premise gateways and configure them as internal gateways. | — | — |
GlobalProtect App Connect Methods | | |
User-Logon (always on) | √ | √ |
Pre-Logon (always on) | √ | √ |
Pre-Logon (then on-demand) | √ | √ |
On-Demand | √ | √ |
Clientless VPN | | |
Mobile User—GlobalProtect Features | | |
MDM Integration with HIP. Prisma Access does not support AirWatch MDM HIP service integration; however, you can use the GlobalProtect App for iOS and Android MDM Integration for HIP-Based Policy Enforcement. | √ | √ |
DHCP. Prisma Access uses the IP address pools you specify during mobile user setup to assign IP addresses to mobile users and does not use DHCP. | √ | √ |
GlobalProtect App Version Controls | √ One-click configuration for GlobalProtect agent log collection | |
Okyo Garde
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
---|---|---|
Okyo Garde. In the home office, corporate-issued devices beyond the laptop, such as video/audio conferencing equipment, printers, and more, connect to Prisma Access to safely use the internet and applications. | √ | √ Supported via a link to the Prisma Access (Cloud-Managed) portal. |
Mobile Users—Explicit Proxy
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
---|---|---|
Guided Walkthrough: Best Practices for Explicit Proxy | √ | — |
Security Services
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
---|---|---|
Security Policy | √ | √ |
SaaS Application Management | Supported for: | — |
Security Profiles | | |
Supported Profile Types | √ | √ |
Dashboards for Security Profiles | Dashboards are tailored to each profile, and give you: | — |
Response Pages | √ | √ HTTP response pages are supported for mobile users and users at remote networks. To use HTTPS response pages, open a CLI session on the Panorama that manages Prisma Access, enter `set template Mobile_User_Template config deviceconfig setting ssl-decrypt url-proxy yes` in configuration mode, and commit your changes. |
HTTP Header Insertion | | |
Decryption | | |
Guided Walkthrough: Turn on Decryption | √ | — |
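The Response Pages row above gives the Panorama CLI command that turns on HTTPS response pages for the mobile user template. The script below, an added example that is not Palo Alto Networks code, makes the same change through the Panorama XML API and then commits to Panorama, which is the form most teams want once the change has to be repeated or reviewed. Assumptions of mine, not stated on the page: the template setting lives at the standard Panorama template XPath held in `TEMPLATE_XPATH`; the API key is read from the `PANORAMA_API_KEY` environment variable; and the subsequent push of the committed configuration to Prisma Access is a separate step that this script does not perform. The function names and the hostname panorama.example.com are constructed for the example.

```python
"""Turn on HTTPS response pages for the Prisma Access mobile user template
through the Panorama XML API. Added example, not Palo Alto Networks code.

Equivalent to the documented CLI command
    set template Mobile_User_Template config deviceconfig setting ssl-decrypt url-proxy yes
followed by a commit to Panorama.

Assumptions (mine): TEMPLATE_XPATH is the standard Panorama template XPath
for this setting; the API key comes from PANORAMA_API_KEY; the push to
Prisma Access after the commit is a separate step not performed here.
"""
import os
import ssl
import sys
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# Assumed XPath of the template's ssl-decrypt settings node on Panorama.
TEMPLATE_XPATH = (
    "/config/devices/entry[@name='localhost.localdomain']"
    "/template/entry[@name='{template}']"
    "/config/devices/entry[@name='localhost.localdomain']"
    "/deviceconfig/setting/ssl-decrypt"
)


def build_set_request(template="Mobile_User_Template"):
    """Query parameters for the config 'set' that enables url-proxy (HTTPS response pages)."""
    return {
        "type": "config",
        "action": "set",
        "xpath": TEMPLATE_XPATH.format(template=template),
        "element": "<url-proxy>yes</url-proxy>",
    }


def build_commit_request():
    """Query parameters for a commit on Panorama itself (not a push to Prisma Access)."""
    return {"type": "commit", "cmd": "<commit></commit>"}


def parse_response(body):
    """Return (status, message) from a PAN-OS XML API response body.

    Success looks like <response status="success"><msg>...</msg></response>;
    errors and commit results usually nest the text as <msg><line>...</line></msg>.
    """
    root = ET.fromstring(body)
    status = root.get("status", "")
    msg = root.findtext(".//msg/line") or root.findtext(".//msg") or ""
    return status, msg.strip()


def call(panorama_host, params, api_key, ca_file=None):
    """POST one XML API request. The key travels in the X-PAN-KEY header, not the
    URL, so it stays out of web-server and proxy logs; TLS verification stays on."""
    ctx = ssl.create_default_context(cafile=ca_file)
    data = urllib.parse.urlencode(params).encode()
    req = urllib.request.Request(
        f"https://{panorama_host}/api/", data=data, method="POST",
        headers={"X-PAN-KEY": api_key},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
        return parse_response(resp.read())


def enable_https_response_pages(panorama_host, api_key, ca_file=None,
                                template="Mobile_User_Template"):
    """Apply the setting and commit; raise on either failure so automation stops early."""
    status, msg = call(panorama_host, build_set_request(template), api_key, ca_file)
    if status != "success":
        raise RuntimeError(f"set failed: {msg}")
    status, msg = call(panorama_host, build_commit_request(), api_key, ca_file)
    if status != "success":
        raise RuntimeError(f"commit failed: {msg}")
    return msg


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "panorama.example.com"  # hypothetical host
    print(enable_https_response_pages(host, os.environ["PANORAMA_API_KEY"]))
```

Pass the CA bundle that issued the Panorama certificate as `ca_file` rather than disabling verification, and treat the API key like any other administrator credential (its holder can change policy). After the commit, push the configuration to Prisma Access as you normally do, then verify on a test client that a blocked HTTPS site renders the response page without a certificate warning before rolling out.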
Network Services
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
---|---|---|
Network Services | | |
QoS. Prisma Access uses the same QoS policy rules and QoS profiles and supports the same Differentiated Services Code Point (DSCP) markings as Palo Alto Networks next-generation firewalls. | √ | √ QoS for remote network deployments that allocate bandwidth by compute location is introduced in version 3.0 Preferred. |
Application Override | √ | √ |
IPv4 Addressing | √ | √ |
IPv6 Addressing. Introduced in version 2.2 Preferred. | √ | √ |
Split Tunnel Based on Access Route | √ | √ |
Split Tunnel Based on Destination Domain, Client Process, and Video Streaming Application | √ | √ |
NetFlow | — | — |
NAT. Prisma Access automatically manages outbound NAT; you cannot configure the settings. | √ | √ |
SSL VPN Connections | √ | √ |
Routing Features | | |
Static Routing | √ | √ |
Dynamic Routing (BGP) | √ | √ |
Dynamic Routing (OSPF) | — | — |
High Availability | | |
Identity Services
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
---|---|---|
Authentication Types | | |
SAML | √ | √ |
TACACS+ | √ | √ |
RADIUS | √ | √ |
Local Database Authentication | √ | √ |
Authentication Features | | |
Authentication Rules | √ | √ |
Authentication Portal | √ | √ |
| | √ Supported for both IPSec and mobile users with GlobalProtect. | √ Supported for both IPSec and mobile users with GlobalProtect. |
Single Sign-On (SSO) | √ | √ |
Cloud Identity Engine (Directory Sync) | | |
Directory Sync for User and Group-Based Policy | √ You can retrieve user and group information using the Directory Sync component of the Cloud Identity Engine. Prisma Access supports on-premises Active Directory, Azure Active Directory, and Google IdP. This feature is not supported with multitenancy. Introduced in version 1.6. Support for Azure Active Directory introduced in 2.0 Preferred. Support for Google IdP introduced in 3.0 Preferred and Innovation. | |
Identity Redistribution | √ | √ |
Ingestion of IP-address-to-username mappings from 3rd party integration (NAC) | — | √ |
| | √ | √ Introduced in version 1.7. Requires a Panorama version of 9.1.1 or later. |
Policy Objects
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
---|---|---|
Addresses | √ | √ |
Address Groups | √ | √ |
Dynamic Address Groups (DAGs) and Auto-Tags | √ | √ |
XML API-Based DAG Updates | — | √ |
Regions | √ | √ |
App-ID (Applications) | √ | √ |
| | √ | — Commit warnings are not supported for Prisma Access. |
Application Groups | √ | √ |
Application Filters | √ | √ |
Services | √ | √ |
Service Groups | √ | √ |
Tags | √ | √ |
| | √ | √ Introduced in version 1.7. Requires a Panorama version of 9.1.1 or later. |
Auto-Tag Actions | √ | √ |
HIP Objects | | |
HIP-Based Security Policy | √ | √ |
HIP Report Submission | √ | √ |
HIP Report Viewing | — | √ Introduced in version 1.5. |
HIP Objects and Profiles | √ | √ |
Certificate Management | | |
Custom Certificates | √ | √ |
Palo Alto Networks Issued Certificates | √ | √ |
Certificate Profiles | √ | √ |
SSL/TLS Service Profiles | √ | √ |
SSL. SSL is supported only for Mobile Users, not for site-to-site VPNs. | √ | √ |
SCEP | √ | √ |
OCSP Responders | √ | √ |
Default Trusted Certificate Authorities | √ | √ |
Logs
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
---|---|---|
Cortex™ Data Lake Log Storage | √ | √ |
Enhanced Mobile Users Visibility for Administrators (GlobalProtect logs) | √ | √ Introduced in version 1.7. Requires Panorama 9.1.1 or a later version. If you use a Panorama 9.0 version, you can still see traffic and HIP logs from Panorama, but you need to use the Explore app from the Hub to see the remaining logs. |
Reports
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
---|---|---|
Reports | Introduced in Prisma Access 1.8. Prisma Access supports running scheduled and custom reports on Panorama with the following caveats: run the scheduled or custom report under the All device group, because running it under a specific device group retrieves a blank report; and you cannot search or sort the records in a report by specific device groups. | |
App Report | This feature has the following Cortex Data Lake-based limitation: in the SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage), the Include user group information in the report option is not supported. | |
Best Practices Report | √ | √ |
WildFire Reports | √ | √ Supported starting with 2.0 Innovation. Not supported on 2.0 Preferred and 2.1 Preferred. |
Integration with Other Palo Alto Networks Products
Feature | Prisma Access (Cloud-Managed) | Prisma Access (Panorama-Managed) |
---|---|---|
Cortex XSOAR integration | — | √ Source IP-based allow lists and malicious user activity detection are supported. |
Enterprise Data Loss Prevention (DLP) integration | √ | √ The Panorama Enterprise DLP plugin is supported starting with version 2.0 Innovation and supports multitenancy with the following caveats: you manage DLP data patterns and data filtering profiles as the superuser-level admin user, and all tenants share the same patterns and profiles. However, you can implement security policies at a per-tenant level and associate different data filtering profiles per tenant, giving you per-tenant control over which profiles are used. The superuser-level admin user must commit all changes to Panorama whenever a change to DLP profiles or patterns is made. This feature is not supported with multitenancy on the 2.0 Preferred and 2.1 Preferred Prisma Access versions. |
Cortex XDR integration | √ Cortex XDR receives Prisma Access log information from Cortex Data Lake. | √ Cortex XDR receives Prisma Access log information from Cortex Data Lake. |
Prisma SaaS integration | √ SaaS visibility with Cortex Data Lake and VPN reverse SAML proxy are supported. | √ SaaS visibility with Cortex Data Lake and VPN reverse SAML proxy are supported. |
Multitenancy Unsupported Features
The following Prisma Access (Panorama Managed) features
are not supported in a multitenant deployment:
- Directory Sync integration
Explicit Proxy supports multitenancy only under the following
conditions: if you have an existing non-multitenant Prisma Access
deployment and convert it to a multitenant deployment,
only the first tenant (the tenant you migrated) supports Explicit
Proxy. Any tenants you create for the multitenant deployment
after the first do not support Explicit Proxy.
In addition, group-based security policies do not work in a multitenant
deployment: Explicit Proxy uses the Directory Sync component of
the Cloud Identity Engine to perform group mapping, and multitenancy
does not support the Cloud Identity Engine.