Prisma Access
Prisma Access FedRAMP Requirements
Table of Contents
Prisma Access FedRAMP Requirements
Prisma Access
FedRAMP RequirementsFollow these rules to make sure that your
Prisma Access
deployment stays in compliance with FedRAMP Moderate.Where Can I Use This? | What Do I Need? |
|---|---|
|
|
FedRAMP is the program used by the United States government
that provides a standard approach to compliance for cloud service
offerings (CSOs). To make sure that your
Prisma Access (Managed by Panorama)
Access is compliant with FedRAMP Moderate, use these guidelines
and requirements when installing, activating, setting up for the
first time, and configuring Prisma Access
.Pre-Installation and Product Activation Requirements
To make sure that your
Prisma Access
deployment stays
in compliance, be sure to follow these installation and product
activation requirements.- Pre-Installation Requirements:
- Deployment Type (New or Existing)—NewPrisma Accessdeployments are supported in a FedRAMP Moderate environment. Upgrades from an existingPrisma Accessdeployment to a FedRAMP ModeratePrisma Accessdeployment are not supported.
- Required SKUs—When you purchasePrisma Accessfor a FedRAMP Moderate deployment,Prisma Accessrequires SKUs that are specific to the FedRAMP environment. Work with your authorized Palo Alto Networks representative or partner to make sure that you purchase the correct SKUs for your FedRAMP Moderate deployment.
- Use only the Panorama versions, GlobalProtect versions, and Cloud Services plugin versions listed in Required Panorama, Plugin, and PAN-OS Dataplane Versions.
- Allow List Cortex Data Lake Public IP Addresses—The IP address block that is used by the Cortex Data Lake federal region is 34.67.50.64/28. If your enterprise uses allow lists, be sure to add these IP addresses to your allow lists to make sure that Cortex Data Lake can receive the logs fromPrisma Access.
- Changes to API URLs—When you run the API script to retrieve the public IP addresses that are used byPrisma Access, change the URL for the API fromhttps://api.gpcloudservice.com/GetPrismaAccessIP/v2tohttps://api.fed.prismaaccess.com/GetPrismaAccessIP/v2.If your Panorama appliance uses a uses a proxy server (), or if you use SSL forward proxy decryption withPrisma Access, be sure to add the api.fed.prismaaccess.com URL to your allow list on the proxy or proxy server.
- GlobalProtect Portal Name Change—The default portal hostname for aPrisma AccessFedRAMP Mobile Users—GlobalProtect deployment is different from a non-FedRAMP deployment. The portal name is<portal-name>.fed.prismaaccess.com. instead of<portal-name>.gpcloudservice.com.
- Support Requirements—Prisma AccessFedRAMP Moderate requires Palo Alto Networks US Government Support Services, which includes 24x7 support for United States personnel on United States soil.
- Activation Requirements—When you activate and install yourPrisma Accessdeployment, the activation and installation tasks are similar to a non-FedRAMP deployment. However you must select aCortex Data Lakeregion ofUnited States—Governmentduring product activation.
Required Panorama, Plugin, and PAN-OS Dataplane Versions
To ensure that
Prisma Access
stays in
compliance with FedRAMP Moderate requirements, make sure that your
Prisma Access (Managed by Panorama)
deployment uses the following Panorama,
Cloud Services plugin, and GlobalProtect versions.Component | Required Version |
|---|---|
Panorama PAN-OS version | 10.2.8 and later PAN-OS 10.2 versions Enabling the Processing Standard
and Common Criteria (FIPS-CC) on the Panorama
that manages Prisma Access is the recommended best practice aligned
with FedRAMP controls. Enabling FIPS-CC support on Panorama requires
accessing the Maintenance Recovery Tool (MRT).To simplify the installation and activation process, you can select an existing Panorama you have
already configured in FIPS mode, if you have registered
Panorama, installed the licenses, and activated the support
license on the Customer Support Portal
(CSP). If you have added the Panorama serial
number to the same CSP account on which you want to deploy
Prisma Access , you can select the serial number of this
Panorama appliance during installation.You
cannot use a Panorama that has been used to manage another Prisma
Access or Cortex Data Lake deployment. |
Cloud Services plugin version |
|
GlobalProtect version | 5.1.4+ and 6.0.7+ 5.1.4 is FIPS certified and is the default version to use for Federal Government-based
deployments. If you change the default
GlobalProtect version from 5.1.4, you cannot select
version 5.1.4 from the Panorama UI and must open a Support case with Palo
Alto Networks Technical Support to add it back. |
Supported Prisma Access FedRAMP Locations
Prisma Access
FedRAMP LocationsThe following locations are authorized for use with
Prisma Access
in a FedRAMP Moderate environment, which includes
support for locations in the continental United States (CONUS) and
outside the continental United States (OCONUS):- Australia Southeast
- Belgium
- Brazil South
- Canada East
- Finland
- Germany Central
- India West
- Japan Central
- Japan South
- Netherlands Central
- Singapore
- Switzerland
- Taiwan
- United Kingdom
- US Central
- US East
- US Northwest
- US Southeast
- US Southwest
Supported and Unsupported Features in a Prisma Access FedRAMP
Deployment
Prisma Access
FedRAMP
DeploymentIPv6 support for private app access is supported in a
Prisma Access
FedRAMP Moderate environment.The following apps and features are not supported for use in
a
Prisma Access
FedRAMP Moderate environment: