What Features Does Prisma Access Support?

Learn about what features are supported for Prisma Access.
Prisma Access helps you to deliver consistent security to your remote networks and mobile users. There are two ways that you can deploy and manage Prisma Access:
  • Panorama Managed Prisma Access: If you are already using Panorama to manage your next-gen firewalls, you can use Panorama to deploy Prisma Access and leverage your existing configurations. You’ll need the Cloud Services plugin to use Panorama for Prisma Access.
  • Cloud Managed Prisma Access: If you aren’t using Panorama, the Prisma Access app on the hub gives you a simplified way to onboard and manage Prisma Access.
The features and IPsec parameters supported for Prisma Access vary depending on the management interface you’re using: Panorama or the Prisma Access app. You cannot switch between the management interfaces after you’ve activated your Prisma Access license. This means you must decide how you want to manage Prisma Access before you begin setting up the product.
For a description of the features that are supported in GlobalProtect, see What Features Does GlobalProtect Support?

Features in Cloud Managed Prisma Access

Feature
Prisma Access (Cloud-Managed)
Routing Features
Static Routing
✓
Dynamic Routing (BGP)
✓
VPN Connections
IPSec tunnels
See Prisma Access IPSec Tunnel Configuration Parameters for a list of the supported IPSec tunnel parameters.
✓
SSL
SSL is supported only for Remote Access, not for site-to-site VPNs.
✓
✓
GlobalProtect Gateway Modes
External mode
✓
GlobalProtect App Connect Methods
User-logon (always on)
✓
Security Profiles
Security profiles scan traffic for and protect against threats, attacks, misuse, and abuse:
  • Antivirus
  • Anti-Spyware
  • Vulnerability Protection
  • URL Filtering
  • File Blocking
  • WildFire Analysis
Policies with these profiles attached to them are dynamically updated to detect and prevent newly-discovered threats.
✓
Networking
IPv4 addressing
✓
NAT
Prisma Access automatically manages outbound NAT; you cannot configure the settings.
✓
SSL VPN connections
✓
Policies
Security
✓
QoS
✓
Decryption
✓
Application Override
✓
HIP Reports
✓
HIP-based security policy
✓
HIP report submission
✓
✓
HIP Objects and Profiles
✓
Tunnel Monitoring
Dead Peer Detection (DPD)
✓
ICMP
✓
App-ID
App-ID
✓
Logging
Log Settings
✓
Forward logs to syslog and/or email destinations.
✓

Features in Panorama Managed Prisma Access

Feature
Prisma Access (Panorama-Managed)
Authentication
✓
✓
✓
Supported for both IPSec and Remote Access.
Single Sign-On (SSO)
SSO (Credential Provider)
✓
✓
Kerberos is supported for Windows clients only.
Security Features
✓
This feature has the following Logging Service-based limitations:
  • SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage): Include user group information in the report is not available
  • Custom Report (Monitor > Manage Custom Reports): Detailed Logs (Slower) is not available in the Database area
  • Scheduled and pre-defined reports are not supported.
✓
✓
✓
✓
✓
Management Features
✓
✓
✓
✓
✓
This feature is introduced in version 1.4.
Mobile Features
✓
✓
✓
Content Inspection Features
Managed by Palo Alto Networks.
Managed by Palo Alto Networks.
Routing Features
Static Routing
✓
Dynamic Routing (BGP)
✓
Dynamic Routing (OSPF)
VPN Connections
IPSec tunnels
See Prisma Access IPSec Tunnel Configuration Parameters for a list of the supported IPSec tunnel parameters.
✓
SSL
SSL is supported only for Remote Access, not for site-to-site VPNs.
✓
✓
Hybrid Deployments
Hybrid Deployments
✓
Using on-premise gateways with Prisma Access gateways is supported.
Prisma Access gateway priority
✓
Supported for deployments that have on-premise GlobalProtect gateways. You can set a priority separately for on-premise gateways and collectively for all gateways in Prisma Access. You can also specify source regions for on-premise gateways.
Manual gateway selection
✓
Users can manually select a cloud gateway from their client machines using the GlobalProtect app.
GlobalProtect Gateway Modes
External mode
✓
The gateways in Prisma Access function as external gateways, allow you to add additional gateways, and can work with both internal and external on-premise gateways.
Internal mode
You cannot configure Prisma Access gateways as internal gateways; however, you can add one or more on-premise gateways and configure them as internal gateways.
GlobalProtect App Connect Methods
User-logon (always on)
✓
Pre-logon (always-on)
✓
Pre-logon (then on-demand)
✓
On-demand
✓
Security Profiles
Security Profile configuration
Administrators can push security profiles to Prisma Access.
✓
Networking
IPv4 addressing
✓
IPv6 addressing
Split tunnel based on access route
✓
Split tunnel based on destination domain, client process, and video streaming application
✓
NetFlow
QoS
Prisma Access uses the same security policies and QoS profiles and supports the same Differentiated Services Code Point (DSCP) markings as next-generation Palo Alto Networks firewalls.
✓
NAT
Prisma Access automatically manages outbound NAT; you cannot configure the settings.
✓
SSL VPN connections
✓
Policies
Policy-Based Forwarding
DoS Protection
✓
The Prisma Access infrastructure manages DoS protection.
MDM
✓
MDM integration with HIP
✓
Prisma Access does not support AirWatch MDM HIP service integration; however, you can use the GlobalProtect App for iOS and Android MDM Integration for HIP-Based Policy Enforcement.
Virtual Routers
✓
HIP Reports
✓
✓
HIP-based security policy
✓
✓
HIP report submission
✓
✓
HIP Objects and Profiles
✓
HIP report viewing
✓
This feature is introduced in version 1.5.
✓
This feature is introduced in version 1.5.
Tunnel Monitoring
Dead Peer Detection (DPD)
✓
ICMP
✓
Bidirectional Forwarding Detection (BFD)
Apps
Applications
✓
Any applications that are supported by VM-Series firewalls are supported by Prisma Access.
Log Forwarding App
✓
High Availability
High Availability
✓
Logging
Log Settings
✓
Monitoring
SNMP
Use Tunnel Monitoring instead of SNMP to monitor the tunnels in Prisma Access.
