What Features Does Prisma Access Support?

Learn about what features are supported for Prisma™ Access.
Prisma™ Access helps you to deliver consistent security to your remote networks and mobile users. There are two ways that you can deploy and manage Prisma Access:
  • Panorama Managed Prisma Access: If you are already using Panorama to manage your next-gen firewalls, you can use Panorama™ to deploy Prisma Access and leverage your existing configurations. You’ll need the Cloud Services plugin to use Panorama for Prisma Access.
  • Cloud Managed Prisma Access: If you aren’t using Panorama, the Prisma Access app on the hub gives you a simplified way to onboard and manage Prisma Access.
The features and IPSec parameters supported for Prisma Access vary depending on the management interface you’re using: Panorama or the Prisma Access app. You cannot switch between the management interfaces after you’ve activated your Prisma Access license. This means you must decide how you want to manage Prisma Access before you begin setting up the product. See Prisma Access Feature Support to select your management interface.
For a description of the features that are supported in GlobalProtect™, see What Features Does GlobalProtect Support?

Prisma Access Feature Support

Feature
Prisma Access (Panorama-Managed)
Prisma Access (Cloud-Managed)
Authentication
check-mark.png
Supports only SAML and local authentication
check-mark.png
check-mark.png
Supported for both IPSec and Remote Access.
Framed-IP-Address retrieval from RADIUS server
Single Sign-On (SSO)
SSO (Credential Provider)
check-mark.png
Supports only SAML and local authentication
check-mark.png
Kerberos is supported for Windows clients only.
Security Features
check-mark.png
This feature has the following Cortex Data Lake-based limitation: SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage): Include user group information in the report not available
check-mark.png
check-mark.png
check-mark.png
Management Features
check-mark.png
check-mark.png
check-mark.png
check-mark.png
check-mark.png
check-mark.png
Introduced in version 1.4.
Cortex Data Lake does not allow the following reports:
  • Custom Report (Monitor > Manage Custom Reports): Detailed Logs (Slower) not available in Database area
  • Scheduled and pre-defined reports are not supported.
check-mark.png
check-mark.png
HTTP response pages are supported. To use HTTPS response pages, open a CLI session in the Panorama that manages Prisma Access, enter the following command in configuration mode, and commit your changes:
set template Mobile_User_Template config deviceconfig setting ssl-decrypt url-proxy yes
Mobile Features
check-mark.png
check-mark.png
check-mark.png
Content Inspection Features
New Scheduling Options for Application and Threat Content Updates
Managed by Palo Alto Networks.
Managed by Palo Alto Networks.
Managed by Palo Alto Networks.
Managed by Palo Alto Networks.
Routing Features
Static Routing
check-mark.png
check-mark.png
Dynamic Routing (BGP)
check-mark.png
check-mark.png
Dynamic Routing (OSPF)
VPN Connections
IPSec Tunnels
See Prisma Access IPSec Tunnel Configuration Parameters for a list of the supported IPSec tunnel parameters.
check-mark.png
FQDNs for peer IPSec addresses are not supported; use an IP address for the peer address instead.
check-mark.png
SSL
SSL is supported only for Remote Access, not for site-to-site VPNs.
check-mark.png
check-mark.png
check-mark.png
check-mark.png
Hybrid Deployments
Hybrid Deployments
check-mark.png
Using on-premise gateways with Prisma Access gateways is supported.
check-mark.png
Supported for deployments that have on-premise GlobalProtect gateways. You can set a priority separately for on-premise gateways and collectively for all gateways in Prisma Access. You can also specify source regions for on-premise gateways.
check-mark.png
Users can manually select a cloud gateway from their client machines using the GlobalProtect app.
check-mark.png
Users can manually select a cloud gateway from their client machines using the GlobalProtect app.
GlobalProtect Gateway Modes
External Mode
check-mark.png
check-mark.png
Internal Mode
You cannot configure Prisma Access gateways as internal gateways; however, you can add one or more on-premise gateways and configure them as internal gateways.
GlobalProtect App Connect Methods
User-Logon (always on)
check-mark.png
Supports user-logon (always on) only
Pre-Logon (always on)
check-mark.png
Pre-Logon (then on-demand)
check-mark.png
On-Demand
check-mark.png
Security Profiles
Security Profiles Scan Traffic for and Protect Against Threats, Attacks, Misuse, and Abuse
check-mark.png
check-mark.png
Supports predefined security profiles only
Networking
IPv4 Addressing
check-mark.png
check-mark.png
IPv6 Addressing
Split Tunnel Based on Access Route
check-mark.png
Split Tunnel Based on Destination Domain, Client Process, and Video Streaming Application
check-mark.png
NetFlow
QoS
Prisma Access uses the same Security policy rules and QoS profiles and supports the same Differentiated Services Code Point (DSCP) markings as Palo Alto Networks Next-Generation Firewalls.
check-mark.png
check-mark.png
NAT
Prisma Access automatically manages outbound NAT; you cannot configure the settings.
check-mark.png
check-mark.png
SSL VPN Connections
check-mark.png
check-mark.png
DNS
check-mark.png
Per-suffix DNS settings are not supported.
check-mark.png
DHCP
Prisma Access uses the IP address pools you specify during mobile user setup to assign IP addresses to mobile users and does not use DHCP.
External Dynamic List (EDL) for Panorama Managed and Cloud Managed Prisma Access
check-mark.png
check-mark.png
Policies
Policy-Based Forwarding
DoS Protection
check-mark.png
The Prisma Access infrastructure manages DoS protection.
check-mark.png
MDM
check-mark.png
MDM Integration with HIP
check-mark.png
Prisma Access does not support AirWatch MDM HIP service integration; however, you can use the GlobalProtect App for iOS and Android MDM Integration for HIP-Based Policy Enforcement.
Virtual Routers
check-mark.png
check-mark.png
Supported with XML API-based tagging with Panorama or an on-premise firewall as a User-ID agent to redistribute into Prisma Access cloud firewalls.
HIP Reports
check-mark.png
check-mark.png
check-mark.png
check-mark.png
HIP-Based Security Policy
check-mark.png
check-mark.png
check-mark.png
HIP Report Submission
check-mark.png
check-mark.png
check-mark.png
check-mark.png
HIP Objects and Profiles
check-mark.png
check-mark.png
HIP Report Viewing
check-mark.png
Introduced in version 1.5.
check-mark.png
Introduced in version 1.5.
Tunnel Monitoring
Dead Peer Detection (DPD)
check-mark.png
check-mark.png
ICMP
check-mark.png
check-mark.png
Bidirectional Forwarding Detection (BFD)
App-ID
App-ID
check-mark.png
Any applications that are supported by VM-Series firewalls are supported by Prisma Access.
check-mark.png
User-ID
Get User and Group-Based Policy with Directory Sync
check-mark.png
Introduced in version 1.6.
check-mark.png
Retrieve and redistribute User ID information
check-mark.png
High Availability
High Availability
check-mark.png
Logging
Log Settings
check-mark.png
Cortex™ Data Lake Log Storage
check-mark.png
check-mark.png
Forward logs stored in Cortex Data Lake to syslog and email destinations.
check-mark.png
check-mark.png
check-mark.png
HTTP, SNMP, Dynamic Tagging in Built-in Actions not supported
Monitoring
SNMP
Use Tunnel Monitoring instead of SNMP to monitor the tunnels in Prisma Access.

Integration with Other Palo Alto Networks Products

Feature
Prisma Access (Panorama-Managed)
Prisma Access (Cloud-Managed)
Prisma Access visibility on AutoFocus/WildFire portal
check-mark.png
check-mark.png
Cortex XSOAR integration
check-mark.png
Source IP-based whitelisting and malicious user activity detection is supported.
Enterprise DLP integration
check-mark.png
Cortex XDR integration
check-mark.png
Cortex XDR receives Prisma Access log information from Cortex Data Lake.
check-mark.png
Cortex XDR receives Prisma Access log information from Cortex Data Lake.
Prisma SaaS integration
