What Features Does Prisma Access Support?

Learn about what features are supported for Prisma Access.
The following tables list the supported features and supported IPSec parameters of Prisma Access.
For a description of the features that are supported in GlobalProtect, see What Features Does GlobalProtect Support?

Prisma Access Feature Support

The following table lists the supported features for Prisma Access. A check mark indicates that the feature is supported; a dash (—) indicates that the feature is not supported.
Feature: Support
Authentication
✓
✓
✓ Supported for both IPSec and Remote Access.
Single Sign-On (SSO)
SSO (Credential Provider): ✓
✓ Kerberos is supported for Windows clients only.
Security Features
✓ This feature is introduced in version 1.3 with the following Logging Service-based limitations:
  • SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage): Include user group information in the report is not available.
  • Custom Report (Monitor > Manage Custom Reports): Detailed Logs (Slower) is not available in the Database area.
  • Scheduled and pre-defined reports are not supported.
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
Management Features
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
Mobile Features
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
✓ This feature is introduced in version 1.3.
Content Inspection Features
Managed by Palo Alto Networks.
Managed by Palo Alto Networks.
Routing Features
Static Routing: ✓
Dynamic Routing (BGP): ✓
Dynamic Routing (OSPF): —
VPN Connections
IPSec tunnels: ✓ See IPSec Tunnel Configuration Parameters for a list of the supported IPSec tunnel parameters.
SSL: ✓ SSL is supported only for Remote Access, not for site-to-site VPNs.
✓ This feature is introduced in version 1.3.1.
Hybrid Deployments
Hybrid Deployments: ✓ Using on-premise gateways with Prisma Access gateways is supported.
Prisma Access gateway priority: ✓ Supported for deployments that have on-premise GlobalProtect gateways. You can set a priority separately for on-premise gateways and collectively for all gateways in Prisma Access. You can also specify source regions for on-premise gateways.
Manual gateway selection: ✓ Users can manually select a cloud gateway from their client machines using the GlobalProtect app.
GlobalProtect Gateway Modes
External mode: ✓ The gateways in Prisma Access function as external gateways, allow you to add additional gateways, and can work with both internal and external on-premise gateways.
Internal mode: — You cannot configure Prisma Access gateways as internal gateways; however, you can add one or more on-premise gateways and configure them as internal gateways.
GlobalProtect App Connect Methods
User-logon (always on): ✓
Pre-logon (always-on): ✓
Pre-logon (then on-demand): ✓
On-demand: ✓
Security Profiles
Security Profile configuration: ✓ Administrators can push security profiles to Prisma Access.
Networking
IPv4 addressing: ✓
IPv6 addressing: —
Split tunnel based on access route: ✓
Split tunnel based on destination domain, client process, and video streaming application: ✓ This feature is introduced in version 1.3.
NetFlow: —
QoS: ✓ This feature is introduced in version 1.3. Prisma Access uses the same security policies and QoS profiles and supports the same Differentiated Services Code Point (DSCP) markings as next-generation Palo Alto Networks firewalls.
Internet requests initiated from an outside network to Prisma Access (inbound internet): — Traffic from the internet is allowed as long as the connection originated from the Prisma Access-protected network.
NAT: ✓ Prisma Access automatically manages outbound NAT; you cannot configure the settings.
SSL VPN connections: ✓
Policies
Policy-Based Forwarding: —
DoS Protection: ✓ The Prisma Access infrastructure manages DoS protection.
MDM: ✓
Virtual Routers: ✓ This feature is introduced in version 1.3.
HIP reports: ✓
✓
HIP-based security policy: ✓
✓
HIP report submission: ✓
✓
HIP Objects and Profiles: ✓
HIP report viewing from Panorama: —
Tunnel Monitoring
Dead Peer Detection (DPD): ✓
ICMP: ✓
Bidirectional Forwarding Detection (BFD): —
Apps
Application Support: ✓ Any applications that are supported by VM-series firewalls are supported by Prisma Access.
Log Forwarding Application: ✓
High Availability
High Availability: ✓
Logging
Log Settings: ✓
Monitoring
SNMP: — Use Tunnel Monitoring instead of SNMP to monitor the tunnels in Prisma Access.

IPSec Tunnel Configuration Parameters

The following table describes the supported IPSec tunnel configuration parameters in Prisma Access. A check mark indicates that the parameter is supported; a dash (—) indicates that the parameter is not supported.
Instead of creating IPSec and IKE crypto profiles and gateways from scratch, you can use one of the predefined IPSec and IKE templates for common IPSec and SD-WAN devices, which simplify the onboarding of service connections that use one of the devices to terminate the connection.
Feature: Support
IPSec Tunnel: ✓
GRE Tunnel: —
IKE Versions
IKE v1: ✓
IKE v2: ✓
IPSec Phase 1 DH-Group
Group 1: ✓
Group 2: ✓ (Default)
Group 5: ✓
Group 14: ✓
Group 19: ✓
Group 20: ✓
IPSec Phase 1 Auth
MD5: ✓
SHA1: ✓ (Default)
SHA256: ✓
SHA384: ✓
SHA512: ✓
IPSec Phase 1 Encryption
DES: ✓
3DES: ✓ (Default)
AES-128-CBC: ✓ (Default)
AES-192-CBC: ✓
AES-256-CBC: ✓
IPSec Phase 1 Key Lifetime Default
IPSec Phase 1 Key Lifetime Default: ✓ (8 Hours)
IPSec Phase 1 Peer Authentication
Pre-Shared Key: ✓
Certificate: ✓
IKE Peer Identification
FQDN: ✓
IP Address: ✓
User FQDN: ✓
IKE Peer
As Static Peer: ✓
As Dynamic Peer: ✓
Options
NAT Traversal: ✓
Passive Mode: ✓
Ability to Negotiate Tunnel
Per Subnet Pair: ✓
Per Pair of Hosts: ✓
Per Gateway Pair: ✓
IPSec Phase 2 DH-Group
Group 1: ✓
Group 2: ✓ (Default)
Group 5: ✓
Group 14: ✓
Group 19: ✓
Group 20: ✓
No PFS: ✓
IPSec Phase 2 Auth
MD5: ✓
SHA1: ✓ (Default)
SHA256: ✓
SHA384: ✓
SHA512: ✓
None: ✓
IPSec Phase 2 Encryption
DES: ✓
3DES: ✓ (Default)
AES-128-CBC: ✓ (Default)
AES-192-CBC: ✓
AES-256-CBC: ✓
AES-128-CCM: ✓
AES-128-GCM: ✓
AES-256-GCM: ✓
NULL: ✓
IPSec Protocol
ESP: ✓
AH: ✓
IPSec Phase 2 Key Lifetime Default
IPSec Phase 2 Key Lifetime Default: ✓ (1 Hour)
