You are responsible for complying with Chinese regulations. VPNs must run on
sanctioned providers’ infrastructure, such as Alibaba cloud. Do not use VPNs to
access any content that has been banned by the Chinese government. You must assume
responsibility to implement appropriate security policies that prevent access to any
banned content (for example, disallow mobile users in China to perform a Google
search outside of China). You must use this solution to provide secure access to
business and corporate applications only, including private and approved SaaS
applications. Palo Alto Networks recommends that you consult with your
organization’s legal department before deploying this solution.
Before you start to provide secure access for mobile
users in mainland China, determine your requirements and purchase
the following Palo Alto Networks and third-party software and licensing:
If you use Alibaba Cloud as the hybrid connectivity,
create an account on Alibaba Cloud with Admin privileges and the
ability to create a CEN and perform real-name registration. This process can
take 48 hours.
In addition, gather the following required
information to use Alibaba Cloud:
The regions where you will deploy
Alibaba Cloud in mainland China.
The amount of bandwidth you will use for the CEN.
Take
both the bandwidth and the cost of the CEN into consideration when
planning to use a CEN.
A Prisma Access subscription.
A licensed Palo Alto Networks next-generation firewall (either
a VM-series or on-premise firewall) with a GlobalProtect subscription
located in mainland China.
You should also determine if your
deployment requires additional subscriptions.
This pool must not overlap with pools used
by Prisma Access in other regions.
A public key infrastructure (PKI) that can issue the required
server certificates and key pairs that are required for the GlobalProtect
gateway in China.
Alternatively, you can use self-signed certificates.
In addition to the software requirements, you need a basic
understanding of public cloud networking.
