Prisma Access
Configure Prisma Access in a FedRAMP Environment
How to configure a Prisma Access (Managed by Panorama) deployment in a FedRAMP Moderate environment.
Before you start, note the requirements and guidelines that are specific to a Prisma Access FedRAMP deployment, including configuring the Panorama appliance in FIPS-CC mode and the specific versions that are required for Panorama, the Cloud Services plugin, and GlobalProtect. After you have met those requirements, set up the Prisma Access deployment for a FedRAMP Moderate environment by completing the following steps.
- Make sure that you have a Customer Support Portal (CSP) account that you can dedicate exclusively to your FedRAMP deployments. You can’t have FedRAMP and non-FedRAMP deployments in a single CSP account. For this reason, Palo Alto Networks recommends that you create a new CSP account to be used for FedRAMP deployments only.
- Prepare your Panorama appliance to be used in a Prisma Access FedRAMP environment.
  - Install the Panorama appliance (either an M-Series appliance or a virtual appliance).
  - (Optional, Recommended) Enable Federal Information Processing Standard and Common Criteria (FIPS-CC) support on the Panorama appliance. Enabling FIPS support requires accessing the Maintenance Recovery Tool (MRT).
  - Upgrade your Panorama version to the version listed in Required Panorama, Plugin, and PAN-OS Dataplane Versions.
- Identify your license requirements; then activate and install the Prisma Access license components. Select a Cortex Data Lake region of United States—Government during product activation.
- Add the following URLs, IP addresses, and ports to an allow list on any security appliance that you use with the Panorama appliance that manages Prisma Access. In addition, if your Panorama appliance uses a proxy server (Panorama > Setup > Services > Proxy Server), or if you use SSL forward proxy with Prisma Access, be sure to add the following URLs, IP addresses, and ports to an allow list on the proxy or proxy server.
  - api.gpcloudservice.com (for Prisma Access)
  - api.paloaltonetworks.com (for Prisma Access)
  - api.fed.prismaaccess.com (for Prisma Access)
  - apitrusted.paloaltonetworks.com (for Prisma Access)
  - 34.67.50.64/28. The IP address block that is used by the Cortex Data Lake federal region is 34.67.50.64/28. Add these IP addresses to your allow list so that Cortex Data Lake can receive the logs from Prisma Access.
- Open a case in the Customer Support Portal (CSP) to have Palo Alto Networks allow list the source and destination ports for Cortex Data Lake. To use Cortex Data Lake in a Prisma Access environment, you must create a case so that Palo Alto Networks can allow list the source and destination ports internally.
- Select Device > Setup > WildFire and enter wildfire.gov.paloaltonetworks.com. FedRAMP deployments require that you use the WildFire U.S. Government cloud.
- Onboard mobile users and secure them with GlobalProtect, if required for your deployment. We recommend using local authentication as a first step to verify that the service is set up and your users have internet access. You can later switch to using your corporate authentication methods.
  - Configure zones for mobile users.
    - Create two zones in the Mobile User template. For example, Mobile-Users and Internet.
    - Map the zones. Map any zone that isn’t for Prisma Access connected users, HQ, or branch offices to Untrust. Under Panorama > Cloud Services > Configuration > Mobile Users, map Internet to Untrust and Mobile-Users to Trust.
  - Configure Security policies for the device group. To create a Security policy rule that allows traffic to the internet, select Policies > Security > Prerules, select the Mobile_User_Device_Group, and Add a rule. For example: Mobile-Users to Internet.
  - Commit and push your changes to get started with the service.
    - Commit locally on Panorama.
    - Commit and Push to Prisma Access.
    - Select Panorama > Cloud Services > Status > Monitor > Mobile Users to view the Status and verify that you can ping the Portal FQDN.
  - Validate that Prisma Access is securing internet traffic for mobile users.
    - Use the GlobalProtect app to connect to the portal as a mobile user (local user).
    - Browse to a few websites on the internet and check the traffic logs on Panorama.
- (Mobile Users—GlobalProtect Deployments Only) Create an authentication override certificate in your Mobile Users—GlobalProtect deployment that meets the requirements for a Panorama running in FIPS mode, and apply that certificate to your deployment. Generate a new certificate because the default certificate for Mobile Users—GlobalProtect, Authentication Cookie CA, doesn’t meet the minimum cipher suite requirements for a Panorama that is running in FIPS-CC mode.
  - From the Panorama that manages Prisma Access, select Device > Certificate Management > Certificates > Device Certificates. Be sure that you are in the Mobile_User_Template.
  - Generate a certificate that meets the minimum cipher suite requirements for a Panorama in FIPS-CC mode.
  - Select Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect, select the Hostname, and in the Client Authentication area, select the Authentication Override Certificate you created. If you have already created your Mobile Users—GlobalProtect configuration, this area is grayed out. To change the authentication override certificate in that case, select Network > GlobalProtect > Portals > <portal-config> > Agent > DEFAULT > Authentication and select this certificate under Certificate to Encrypt/Decrypt Cookie.
- Enable the service infrastructure and service connections that allow communication between Prisma Access elements.
  - Create a service connection to allow access to your corporate resources. If you don’t require access to your corporate resources, you should still create a service connection to enable access between mobile users and remote networks.
- Plan, create, and configure remote network connections.
  - Add one or more remote networks to Prisma Access. You can onboard one location and then add additional locations using the bulk import capability.
  - Create a Security policy rule to allow traffic from the remote networks to HQ (for example: Trust to Trust).
  - Validate the connectivity between the service connection, remote network connection, and mobile users.
- You add these addresses to an allow list on your organization’s network to limit inbound access to your enterprise network and applications. If you have a Mobile Users—GlobalProtect deployment, you can use the Prisma Access UI instead of this API to manage public IP address allocation and confirm that the IP addresses have been added to your allow lists before Prisma Access releases the IP addresses. In this way, Prisma Access only provisions the IP addresses that you’ve allow listed.
- (Optional) Change the authentication method from local authentication to your organization’s authentication method. Use one of the following methods to set up SAML authentication for mobile users:
  - Configure only the GlobalProtect parts of this configuration and omit the Explicit Proxy configuration.
  While you can use the Cloud Identity Engine to retrieve user and group information after you set up authentication, you can’t authenticate users using only the Cloud Identity Engine.
- (Optional) Forward logs from Cortex Data Lake to an external Syslog receiver by setting up the Log Forwarding app.
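To check that a proxy or firewall allow list actually covers the endpoints named in the allow-list step above, here is an added Python example (not Palo Alto Networks code): it reports missing FQDNs and confirms that the Cortex Data Lake federal block 34.67.50.64/28 is covered in full rather than by a single host or a narrower prefix. The sample allow-list export it audits is constructed.

```python
import ipaddress

# Endpoints listed in the allow-list step above.
REQUIRED_FQDNS = {
    "api.gpcloudservice.com",
    "api.paloaltonetworks.com",
    "api.fed.prismaaccess.com",
    "apitrusted.paloaltonetworks.com",
}
# Cortex Data Lake federal region block; it must be covered in full.
REQUIRED_BLOCK = ipaddress.ip_network("34.67.50.64/28")


def normalize_fqdn(name):
    # DNS names are case-insensitive and a trailing dot denotes the root.
    return name.strip().lower().rstrip(".")


def audit_allow_list(entries):
    """Return (missing_fqdns, block_covered) for the given allow-list entries.
    Entries may be FQDNs, single IPs, or CIDR prefixes. An IP entry counts
    only if it covers the whole /28: a single host or a narrower prefix would
    drop part of the log traffic from Prisma Access to Cortex Data Lake.
    """
    seen_fqdns = set()
    block_covered = False
    for raw in entries:
        entry = raw.strip()
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            seen_fqdns.add(normalize_fqdn(entry))  # not an IP: a host name
            continue
        if net.version == 4 and REQUIRED_BLOCK.subnet_of(net):
            block_covered = True
    return sorted(REQUIRED_FQDNS - seen_fqdns), block_covered


# Constructed sample export from a proxy allow list (not real data): one
# required FQDN is absent and only one host of the CDL block is listed.
SAMPLE_ALLOW_LIST = [
    "API.paloaltonetworks.com.",
    "api.fed.prismaaccess.com",
    "apitrusted.paloaltonetworks.com",
    "wildfire.gov.paloaltonetworks.com",
    "34.67.50.70",
]

if __name__ == "__main__":
    missing, covered = audit_allow_list(SAMPLE_ALLOW_LIST)
    print("missing FQDNs:", missing)              # ['api.gpcloudservice.com']
    print("CDL federal block covered:", covered)  # False
```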