Configure Prisma Access in a FedRAMP Environment
How to configure a Prisma Access (Managed by Panorama) deployment in a FedRAMP Moderate environment.
Where Can I Use This?
What Do I Need?
  • Prisma Access (Managed by Panorama)
After you’ve met the requirements, set up the Prisma Access deployment for a FedRAMP Moderate environment by completing the following steps.
Before you start, make a note of the requirements and guidelines that are specific to a Prisma Access FedRAMP deployment, including configuring the Panorama appliance in FIPS-CC mode and the specific versions that are required for Panorama, the Cloud Services Plugin, and GlobalProtect.
  1. Make sure that you have a Customer Support Portal (CSP) account that you can dedicate exclusively for your FedRAMP deployments.
    You can’t have FedRAMP and non-FedRAMP deployments in a single CSP account. For this reason, Palo Alto Networks recommends that you create a new CSP account to be used for FedRAMP accounts only.
  2. Prepare your Panorama appliance to be used in a Prisma Access FedRAMP environment.
    1. Install the Panorama appliance (either an M-Series appliance or a virtual appliance).
    2. (Optional, Recommended) Enable Federal Information Processing Standard and Common Criteria (FIPS-CC) support on the Panorama appliance.
      Enabling FIPS support requires accessing the Maintenance Recovery Tool (MRT).
  3. Identify your license requirements; then activate and install Prisma Access license components.
    Select a Cortex Data Lake region of United States—Government during product activation.
  4. Add the following URLs, IP addresses, and ports to an allow list on any security appliance that you use with the Panorama appliance that manages Prisma Access.
    In addition, if your Panorama appliance uses a proxy server (Panorama > Setup > Service > Proxy Server), or if you use SSL forward proxy with Prisma Access, be sure to add the following URLs, IP addresses, and ports to an allow list on the proxy or proxy server.
    • api.gpcloudservice.com (for Prisma Access)
    • api.paloaltonetworks.com (for Prisma Access)
    • api.fed.prismaaccess.com (for Prisma Access)
    • apitrusted.paloaltonetworks.com (for Prisma Access)
    • 34.67.50.64/28
      The IP address block that is used by the Cortex Data Lake federal region is 34.67.50.64/28. Add these IP addresses to your allow list so that Cortex Data Lake can receive the logs from Prisma Access.
  5. Open a case in the Customer Support Portal (CSP) to have Palo Alto Networks allow list the source and destination ports for Cortex Data Lake.
    To use Cortex Data Lake in a Prisma Access environment, you must create a case so that Palo Alto Networks can allow list the source and destination ports internally.
  6. Select Device > Setup > WildFire and enter wildfire.gov.paloaltonetworks.com.
    FedRAMP deployments require that you use the WildFire U.S. Government cloud.
  7. Onboard mobile users and secure them with GlobalProtect, if required for your deployment.
    We recommend using local authentication as a first step to verify that the service is set up and your users have internet access. You can later switch to using your corporate authentication methods.
    1. Configure zones for mobile users.
      1. Create two zones in the Mobile User template. For example, Mobile-Users and Internet.
      2. Map the zones. Map any zone that isn’t Prisma Access connected users or HQ or branch offices to Untrust.
        Under Panorama > Cloud Services > Configuration > Mobile Users, map Internet to Untrust and Mobile-Users to Trust.
    2. Configure Security policies for the device group.
      To create a Security policy to allow traffic to the Internet, select the Mobile_User_Device_Group > Policies > Security > Prerules and Add a rule. For example: Mobile-Users to Internet.
    3. Commit and push your changes to get started with the service.
      1. Commit locally on Panorama.
      2. Commit and Push to Prisma Access.
      3. Select Panorama > Cloud Services > Status > Monitor > Mobile Users to view the Status and verify that you can ping the Portal FQDN.
    4. Validate that Prisma Access is securing Internet traffic for mobile users.
      1. Use the GlobalProtect app to connect to the portal as a mobile user (local user).
      2. Browse to a few websites on the internet and check the traffic logs on Panorama.
  8. (Mobile Users—GlobalProtect Deployments Only) Create an authentication override certificate in your Mobile Users—GlobalProtect deployment that meets the requirements for a Panorama running in FIPS mode, and apply that certificate to your deployment.
    Generate a new certificate because the default certificate for Mobile Users—GlobalProtect, Authentication Cookie CA, doesn’t meet the minimum cipher suite requirements for a Panorama that is running in FIPS-CC mode.
    1. From the Panorama that manages Prisma Access, select Device > Certificate Management > Certificates > Device Certificates.
      Be sure that you are in the Mobile_User_Template.
    2. Generate a certificate that meets the minimum cipher suite requirements for a Panorama in FIPS-CC mode.
    3. Select Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect, select the Hostname, and in the Client Authentication area, select the Authentication Override Certificate you created.
      If you have already created your Mobile Users—GlobalProtect configuration, this area is grayed out. To change the authentication override certificate, select Network > GlobalProtect > Portals > <portal-config> > Agent > DEFAULT > Authentication and select this certificate under Certificate to Encrypt/Decrypt Cookie.
  9. Enable the service infrastructure and service connections that allow communication between Prisma Access elements.
    1. Create a service connection to allow access to your corporate resources.
      If you don’t require access to your corporate resources, you should still create a service connection to enable access between mobile users and remote networks.
  10. Plan, create, and configure remote network connections.
    1. Add one or more remote networks to Prisma Access.
      You can onboard one location and then add additional locations using the bulk import capability.
    2. Create a Security policy rule to allow traffic from the remote networks to HQ (for example: Trust to Trust).
    3. Validate the connectivity between the service connection, remote network connection, and mobile users.
  11. Add the public IP addresses that Prisma Access allocates to an allow list on your organization’s network to limit inbound access to your enterprise network and applications.
    If you have a Mobile Users—GlobalProtect deployment, you can use the Prisma Access UI instead of the API to manage public IP address allocation and confirm that the IP addresses have been added to your allow lists before Prisma Access releases the IP addresses. In this way, Prisma Access only provisions the IP addresses that you’ve allow listed.
  12. (Optional) Change the authentication method from local authentication to your organization’s authentication method.
    Use one of the following methods to set up SAML authentication for mobile users:
    While you can use the Cloud Identity Engine to retrieve user and group information after you set up authentication, you can’t authenticate users using only the Cloud Identity Engine.
  13. (Optional) Forward logs from Cortex Data Lake to an external Syslog receiver by setting up the Log Forwarding app.
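As an added example (not Palo Alto Networks' own code or tooling), the check below verifies a plain-text proxy or firewall allow list, assumed to hold one FQDN, IP address, or CIDR entry per line, against the FQDNs and the Cortex Data Lake federal IP block from step 4, reporting any missing FQDN and any part of the /28 that no entry covers; the sample allow list is constructed.

```python
import ipaddress

# Endpoints and Cortex Data Lake federal block listed in the procedure above.
REQUIRED_FQDNS = {
    "api.gpcloudservice.com",
    "api.paloaltonetworks.com",
    "api.fed.prismaaccess.com",
    "apitrusted.paloaltonetworks.com",
}
REQUIRED_NETWORK = ipaddress.ip_network("34.67.50.64/28")

def parse_allow_list(text):
    """Split allow-list text into FQDN entries and IP/CIDR network entries."""
    fqdns, networks = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        try:
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError:  # not an IP address or CIDR, so treat it as an FQDN
            fqdns.add(line.lower().rstrip("."))
    return fqdns, networks

def check_allow_list(text):
    """Return (missing FQDNs, parts of the CDL block no entry covers)."""
    fqdns, networks = parse_allow_list(text)
    missing_fqdns = sorted(REQUIRED_FQDNS - fqdns)
    # Subtract every allowed IPv4 network from the required block; whatever is
    # left is unreachable, e.g. when a /29 entry covers only half of the /28.
    uncovered = [REQUIRED_NETWORK]
    for net in (n for n in networks if n.version == 4):
        remaining = []
        for block in uncovered:
            if block.subnet_of(net):
                continue  # this entry covers the whole block
            if net.subnet_of(block):
                remaining.extend(block.address_exclude(net))  # carve out the entry
            else:
                remaining.append(block)  # disjoint: block still uncovered
        uncovered = remaining
    return missing_fqdns, sorted(str(b) for b in uncovered)

# Constructed sample: one FQDN missing and only half of the CDL block allowed.
SAMPLE_ALLOW_LIST = """\
api.gpcloudservice.com
api.paloaltonetworks.com
apitrusted.paloaltonetworks.com
34.67.50.64/29   # covers .64-.71 only
"""
```

Running check_allow_list(SAMPLE_ALLOW_LIST) reports api.fed.prismaaccess.com as missing and 34.67.50.72/29 as the uncovered half of the block.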
