Use your organization's infrastructure to deploy Prisma Access.
Where Can I Use This?
Prisma Access (Managed by Strata Cloud Manager)
Prisma Access (Managed by Panorama)
What Do I Need?
Prisma Access license
Minimum version of Prisma Access 6.1 Innovation
Minimum dataplane version of PAN-OS 12.1.1
(Prisma Access (Managed by Panorama) Deployments only) Minimum Cloud Services Plugin version of 6.1
To activate SASE Private Location, reach out to your Palo Alto
Networks account representative, who will contact the Site
Reliability Engineering (SRE) team and submit a request.
SASE Private Location enables you to deploy Prisma Access services
within your own infrastructure. If your organization has one of the following use
cases, consider deploying SASE Private Location:
You want to protect your network using Prisma Access, but your mobile users
are far from a Prisma Access compute location (for example, Alaska or Hawaii). Using
SASE Private Location, you can deploy a location close to your mobile users.
You can deploy agent-based mobile users in your infrastructure while continuing
to manage configurations, implement policy rules, and monitor your deployment
using the familiar Prisma Access web interface.
SASE Private Location is a managed Prisma Access deployment that extends Prisma®
SASE capabilities to your existing network infrastructure, enabling traffic
inspection for mobile users. SASE Private Location provides you with:
Operational simplicity for providing consistent security in campus using a
shared responsibility model.
Prisma Access manages and orchestrates
everything behind the security processing node (SPN). Palo Alto Networks
manages sizing, content versioning, monitoring, upgrades, and security
subscriptions. You provide the hypervisor, ISP links, and public IP
address infrastructure.
Using a single security stack for mobile users.
Providing low latency for mobile users in regions where Prisma Access
isn’t available.
This figure shows how you can deploy SASE Private Location as a seamless extension of
Prisma SASE to branches, providing consistent security for secure internet access while
allowing you to leverage your existing hypervisor, ISP links, and public IP addresses. Palo
Alto Networks manages sizing, content versioning, monitoring using Strata Logging Service, upgrades, and Cloud-Delivered Security Services (CDSS)
subscriptions.
For SASE Private Location, the GlobalProtect™ portal continues to operate
from the cloud for global accessibility and provides a mobile user SPN (MU-SPN),
while the gateways run locally behind load balancers in your environment, providing
the optimal balance of centralized management and localized performance. The
following diagrams show the inbound and outbound traffic flow for the gateway.
Planning Checklist for SASE Private Location
Before you begin to deploy SASE Private Location, be sure that you have
completed the following required tasks:
Make a note of the maximum locations and mobile users that are
supported—SASE Private Location supports up to 5 locations and
40,000 users per location.
Set Up the VMware ESXi
Profile for SASE Private Location—Before deploying SASE
private location components using Terraform, you must prepare your VMware
ESXi environment to meet its performance and connectivity requirements.
You select the VMware profile when you set up the hypervisor resource profile and
the bastion host during SASE private location
setup. Prisma Access uses the bastion host (bastion
agent) for remote management, maintenance, and monitoring.
Ensure that you can fulfill the following minimum requirements before
beginning:
VMware ESXi 8.0.3 or later installed on your servers
vCenter Server configured and accessible
Administrative access to vCenter Server
Network connectivity between your ESXi environment and the Prisma Access cloud services
Make sure that you have the following vCPU, memory, and storage minimums:
48 vCPU
192 GB memory
720 GB of storage space
Some larger deployments might require more
network memory, storage, and VM resources.
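The following preflight check is an added example, not part of the Palo Alto Networks documentation; it checks a planned deployment against the limits and minimums listed in this checklist before any Terraform run. The plan format and its field names are hypothetical, the sample values are constructed, and it assumes the vCPU, memory, and storage minimums apply to each location's ESXi environment.

```python
import re

# Limits and minimums stated in the planning checklist on this page.
MAX_LOCATIONS = 5
MAX_USERS_PER_LOCATION = 40_000
MIN_ESXI = (8, 0, 3)
MIN_RESOURCES = {"vcpu": 48, "memory_gb": 192, "storage_gb": 720}

def parse_version(text):
    """Parse '8.0.3', 'VMware ESXi 8.0.2' or '8.0 U3' (update 3 == 8.0.3) into a tuple."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+)|\s*U(?:pdate\s*)?(\d+))?", text, re.I)
    if not match:
        raise ValueError(f"no version number in {text!r}")
    major, minor, patch, update = match.groups()
    return (int(major), int(minor), int(patch or update or 0))

def preflight(locations):
    """Return a list of findings; an empty list means the plan meets the checklist."""
    findings = []
    if len(locations) > MAX_LOCATIONS:
        findings.append(f"{len(locations)} locations planned, maximum is {MAX_LOCATIONS}")
    for loc in locations:
        name = loc["name"]
        if loc["mobile_users"] > MAX_USERS_PER_LOCATION:
            findings.append(f"{name}: {loc['mobile_users']} users exceeds {MAX_USERS_PER_LOCATION}")
        if parse_version(loc["esxi_version"]) < MIN_ESXI:
            findings.append(f"{name}: ESXi {loc['esxi_version']} is older than 8.0.3")
        for key, minimum in MIN_RESOURCES.items():
            if loc[key] < minimum:
                findings.append(f"{name}: {key}={loc[key]} is below the minimum of {minimum}")
        # Hypothetical yes/no answers for the access and connectivity requirements.
        for flag in ("vcenter_reachable", "vcenter_admin_access", "cloud_connectivity"):
            if not loc.get(flag, False):
                findings.append(f"{name}: {flag} not confirmed")
    return findings

# Constructed sample plan (hypothetical site names and values).
SAMPLE_PLAN = [
    {"name": "anchorage", "mobile_users": 12_000, "esxi_version": "8.0 U3",
     "vcpu": 64, "memory_gb": 256, "storage_gb": 1024,
     "vcenter_reachable": True, "vcenter_admin_access": True, "cloud_connectivity": True},
    {"name": "honolulu", "mobile_users": 45_000, "esxi_version": "VMware ESXi 8.0.2",
     "vcpu": 32, "memory_gb": 192, "storage_gb": 720,
     "vcenter_reachable": True, "vcenter_admin_access": False, "cloud_connectivity": True},
]

if __name__ == "__main__":
    print("\n".join(preflight(SAMPLE_PLAN)) or "plan meets the checklist")
```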
Perform Initial Setup for the Prisma Access Infrastructure and Mobile
Users—GlobalProtect—Before you start the setup for SASE Private
Location, perform initial setup of Prisma Access, including: