Prisma Access
Cloud Management
Table of Contents
Cloud Management
Cloud Management
Set up a mobile users location in just a few steps (
Prisma Access
Cloud Management).In just a few steps, here’s how to start onboarding
GlobalProtect mobile users to
Prisma Access
.- Enable GlobalProtect as a mobile user connection typeGo to .If you're using Strata Cloud Manager, go to .You can divide your mobile user license between GlobalProtect and Explicit Proxy connections; some users can connect through GlobalProtect and others through Explicit Proxy. With aGlobalProtect Connection, the GlobalProtect app installed on mobile user devices sends traffic toPrisma Access.
- Set up basic infrastructure settingsConfigure the infrastructure settings that are specific to GlobalProtect. There are a few required settings you’ll need to fill out initially, so thatPrisma Accesscan provision your mobile user environment.
- When you set up GlobalProtect for the first time, you’ll be asked whether or not you want to enablePrisma AccessIP Optimization. Choosing to enable IP Optimization requires GlobalProtect client version 6.1.4 or later, and does not support IPv6. Choose carefully, as you can’t change this setting later.
- IP Optimization functionality is for newPrisma AccessGlobalProtect deployments only. Existing Global Protect deployments, including new tenants you create from an existing multitenant deployment, are not eligible.
- If you are migrating your GlobalProtect deployment toPrisma Access(away from using on-premises gateways and portals), ensure all users are running GlobalProtect app version 6.1.4 or above before enabling this functionality
Go to .If you're using Strata Cloud Manager, go to .
- Specify thePortal Name.
- Default Domain—If you select this option, your portal hostname uses the default domain name:.gpcloudservice.com. In this case, simply enter aPortal Hostnameto append to the default domain name.Prisma Accessfor Users will automatically create the necessary certificates and publish the hostname to public DNS servers.
- Custom Domain—You can also customize the portal address if you want the domain in the portal hostname to match your company domain name (for example, myportal.mydomain.com).
- EnterClient DNSresolution settings for your GlobalProtect deployment.
- Select a region for theDNS Servers(Add Region).SelectWorldwideor a theater. If you specify multiple proxy settings with a mix of Worldwide and theater settings,Prisma Accessuses the settings for the location group, then theater, then Worldwide.Prisma Accessevaluates the rules from top to bottom in the list.
- Choose whether or not you wantPrisma AccesstoResolve internal domains; if you do,Addone or moreInternal Domain Resolve Rules.
- Enter a uniqueNamefor the rule.
- Selectto use the defaultPrisma AccessDefaultPrisma AccessDNS server to resolve internal domains. you want your internal DNS server to only resolve the domains you specify, enter the domains to resolve in theDomain List. Specify an asterisk in front of the domain; for example, *.acme.com. You can specify a maximum of 1,024 domain entries.
- If you have aCustomDNS server that can access your internal domains, specify thePrimary DNSandSecondary DNSserver IP addresses
- If you want your internal DNS server to only resolve the domains you specify, enter the domains to resolve in theDomain Lists. Specify an asterisk in front of the domain; for example, *.acme.com. You can specify a maximum of 1,024 domain entries.
- Saveyour changes when finished.
- Specify the DNS settings forPrimary DNS for public domainsandSecondary DNS for public domains.
- —Use the defaultPrisma AccessDefaultPrisma AccessDNS server.
- Internal DNS—Use the same server that you use to resolve internal domains.
- Custom—If you have a DNS server that can access your public (external) domains, enter the Primary DNS server address in that field.
(Optional) You can add aClient DNS Suffix Listto specify the suffix that the client should use locally when an unqualified hostname is entered that it can't resolve, for example, acme.local. Don't enter a wildcard (*) character in front of the domain suffix (for example, acme.com). You can add multiple suffixes.
- Set upAdvanced Settings.
- (Optional) UseStatic Entriesto resolve FQDNs to specific IP addresses.This functionality can be useful if you have guest internet services at your organization and you want your guests to safely use search engines, preventing them from searching for potentially inappropriate or offensive material that could be against company policy. To do so, enter a uniqueNamefor the static entry rule, anFQDN, and the IPAddresswhere the FQDN request should be directed.
- If you wantPrisma Accessto proxy DNS requests, configure values forUDP Queries Retries(theInterval (Sec)to retry the query in seconds and the number of retryAttemptsto perform.
- Choose thePrisma Accesslocation to which your GlobalProtect users will connectAdd thePrisma Accesslocations where you want to support GlobalProtect users. Go to .If you're using Strata Cloud Manager, go to .
The map displays the global regions where you can deployPrisma Accessfor Users . In addition,Prisma Accessprovides multiple locations within each region to ensure that your users can connect to a location that provides a user experience tailored to the users’ locale. For the best performance,Select All. Alternatively, select the specific locations within each selected region where your users will need access. By limiting your deployment to a single region, you can have more granular control over your deployed regions and exclude regions required by your policy or industry regulations.For the best user experience, if you're limiting the number of locations, choose locations that are closest to your users or in the same country as your users. If a location isn't available in the country where your mobile users reside, choose a location that is closest to your users for the best performance. - Authenticate GlobalProtect usersSet up User Authentication so that only legitimate users have access to your services and applications. Go to .If you're using Strata Cloud Manager, go to .To test your setup, you can add users whoPrisma Accessauthenticates locally, or you can go straight to setting up enterprise-level authentication. Learn more on how to Enable Mobile Users to Authenticate to Prisma Access.
- Prisma Accessenforces best practice security policy rules by default. These rules allow your users to securely browse to general internet sites. Users are:
- Blocked from visiting known bad websites based on URL
- Blocked from uploading or downloading files that are known to be malicious
- Protected from unknown, never-before-seen threats
- Protected from malware, spyware (command and control attacks), and vulnerabilities
After going through the initial setup, you can review and update these default rules to meet your enterprise needs. - Verify that the mobile user's location is activeAfter you push your initial configuration toPrisma Access,Prisma Accessbegins provisioning your GlobalProtect mobile user environment. This can take up to 15 minutes. When your mobile user locations are up and running, you’ll be able to verify them on the Mobile Users setup pages and withinPrisma Access.You can also validate your setup by selecting and edit infrastructure settings to confirm a gateway is set up in each of the locations you provisioned.If you're using Strata Cloud Manager, go to .
GlobalProtect — Customize the Portal Address
Prisma Access
requires only the minimal settings to provision your mobile user's environment so
that you can test it. If you would prefer to use your company domain in the
portal address, you can change the address after the initial environment
setup.By default,
Prisma Access
uses the gpcloudservice.com domain to set up the
Prisma Access
portal address that your mobile users will need to
connect to for secure access to the internet and your HQ and data centers. You
must use this default domain when you initially set up and test your
environment. If you want to customize the domain name after the initial setup to
use your company domain, you can go back and edit the environment settings so
that the portal address your users connect to contains your own company domain
(for example, prisma-access.acme.com). The *.gpcloudservice.com domain is
associated with the Palo Alto Networks application.
To configure
Prisma Access
to use
your own domain, you must:- Obtain certificates for the service.
- Create a DNS CNAME entry on your DNS servers that maps the default portal address using the default domain to the custom portal address that uses your company domain. You need to do this becausePrisma Accesspublishes the portal address you set up to public domain servers during initial provisioning.
- Select and editInfrastructure Settings.If you're using Strata Cloud Manager, go to and editInfrastructure Settings.In Strata Cloud Manager, Network Redundancy is enabled by default between portals or gateways and service connections, ensuring redundant connectivity for mobile users to accessible services and applications.
- Set the Portal Name Type toCustom Domain.
- Enter thePortal Hostnameyou want to use.
- Add thePortal DNS CNAMEto which to map your DNS server entries.
- ImporttheCertificateyou provisioned for your custom domain portal address.
- Select the certificateFormatfor the certificate you're importing:
- Encrypted Private Key and Certificate (PKCS12)—The key and certificate are in a single container (Certificate File). ClickChoose Fileand browse to the PKCS12 file to import.
- Base64 Encoded Certificate (PEM)—If you select this option, you must import theKey Fileseparately from the certificate. To import the PEM certificate and Key File, clickChoose File.
- Enter thePassphraseto encrypt the key andConfirm Passphraseand then clickSave.
- If you have not already done so, configure your DNS servers to point to thePrisma AccessDNS CNAME you defined.
- Savethe environment setup andPush ConfigtoPrisma Access.