Advanced Security Services

Learn about the advanced security capabilities in Branch security for Prisma SD-WAN ION devices.
Where Can I Use This?
  • Strata Cloud Manager
What Do I Need?
  • Prisma Access license
  • Branch Security license
  • license
Security Profile Groups is a subscription-based feature that enhances Branch Security for Prisma SD-WAN ION devices, offering Threat Prevention, DNS Security, and URL Filtering. The profiles are managed through Strata Cloud Manager and enforced through Prisma SD-WAN branch security policies, with the option to integrate logging into Strata Logging Service (SLS) for comprehensive visibility.
A subscription license is required to access the Security Profile Group option and branch security features for Prisma SD-WAN in Strata Cloud Manager. Additionally, to log traffic and security events to SLS, your tenant/devices must be licensed for SLS. Branch security capabilities are officially supported starting with the 6.5.1-I release.
A Security Profile Group is a set of security profiles, including Anti-Spyware, Vulnerability Protection, URL Filtering, and DNS Security, that can be managed as a unit and added to security policy rules. Profiles that are often assigned together can be added to profile groups to simplify the creation of security policy rules. By default, a best-practice Security Profile Group is created based on the existing default best-practice profiles. Only a Security Profile Group, not an individual profile, can be attached to an SD-WAN security policy rule.

Configure Security Services

To create profiles for different Security Services in Strata Cloud Manager web interface:
  1. Go to Manage > NGFW and Prisma Access.
  2. Select Configuration Scope and choose Global.
    All security service profiles used by Prisma SD-WAN will be managed and maintained within the Global Scope.
  3. Select the Security Services drop-down menu to modify existing security service profiles or create new ones.
    Prisma SD-WAN supports the following security services:
    Palo Alto Networks supports over 30k threat signatures, and Prisma SD-WAN can retrieve the latest updates within 30 minutes of availability. The Strata Cloud Manager controller ensures seamless, real-time distribution of updates to all ION devices for enhanced security.
  4. To deploy security service profiles, perform a Push for all configurations in Global Config and select Prisma SD-WAN as the destination target.
  5. After the push is complete, you can see the sync status on the overview page.

Configure Security Profile Group

After you create and push security service profiles to Prisma SD-WAN as instructed in the above section, you must create a security profile group before applying them to a security policy rule.
  1. In Strata Cloud Manager, go to Manage > Prisma SD-WAN > Policies > Security > Security Profile Groups.
  2. Select Add Profile Group.
  3. On the Create Profile Group screen, enter a Name for the Security Group Profile.
  4. Select the previously configured Anti-Spyware, Vulnerability Protection, DNS Security, and URL Filtering profiles from the drop-down.
  5. Save the configurations.
  6. The Profile Group will now be listed in the Policies page. Select the ellipsis to edit, clone, or delete an existing profile group.
    You cannot delete a Security Profile Group if one or more security policy rules are using it.
  7. Select a Security Policy Set to create a Security Policy Rule. After entering all the required rule information, you can select the Security Profile Group for that Security Policy Set.
    Each Security Policy Set consists of multiple security policy rules and is associated with one or more sites. To apply its security policy rules to a site, you must bind the Security Policy Set to that site.
  8. Save the changes.
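
A coverage check for the object chain described above (profiles in a Security Profile Group, group on a rule, rule in a Security Policy Set, set bound to a site), as an added example that is not Palo Alto Networks code. The inventory layout, key names and sample objects are hypothetical and constructed for illustration, and flagging a group that lacks one of the four profile types is an assumption of this example.

```python
# Added example. Hypothetical inventory schema with constructed sample data (not a product export format).
REQUIRED = ("anti_spyware", "vulnerability_protection", "dns_security", "url_filtering")
GROUPS = {
    "best-practice": {"anti_spyware": "bp-as", "vulnerability_protection": "bp-vp",
                      "dns_security": "bp-dns", "url_filtering": "bp-url"},
    "guest-lite": {"anti_spyware": "bp-as", "url_filtering": "guest-url"},
}
GROUPS["unused-group"] = dict(GROUPS["best-practice"])  # referenced by no rule
POLICY_SETS = {
    "branch-default": {"sites": ["site-nyc", "site-sfo"],
                       "rules": [{"name": "users-to-internet", "group": "best-practice"},
                                 {"name": "guest-to-internet", "group": "guest-lite"},
                                 {"name": "printers-to-internet", "group": None}]},
    "lab-set": {"sites": [],  # never bound to a site
                "rules": [{"name": "lab-out", "group": "best-practice"}]},
}
ALL_SITES = ["site-nyc", "site-sfo", "site-aus"]


def audit(groups, policy_sets, all_sites):
    """Return sorted (kind, subject, detail) findings for gaps in the chain."""
    findings = []
    bound = {s for ps in policy_sets.values() for s in ps["sites"]}
    for site in all_sites:
        if site not in bound:
            findings.append(("site-unbound", site, "no Security Policy Set bound"))
    for set_name, ps in policy_sets.items():
        if not ps["sites"]:
            findings.append(("set-unbound", set_name, "rules apply to no site"))
        for rule in ps["rules"]:
            if rule["group"] is None:
                findings.append(("rule-no-group", rule["name"], set_name))
                continue
            profiles = groups.get(rule["group"], {})  # unknown group: all missing
            missing = [p for p in REQUIRED if not profiles.get(p)]
            if missing:
                findings.append(("group-incomplete", rule["group"], ",".join(missing)))
    return sorted(set(findings))


def deletable(group, policy_sets):
    """Mirror the rule above: a group used by any policy rule cannot be deleted."""
    return not any(r["group"] == group
                   for ps in policy_sets.values() for r in ps["rules"])


if __name__ == "__main__":
    for finding in audit(GROUPS, POLICY_SETS, ALL_SITES):
        print(*finding, sep=" | ")
```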

Integrate Logging into SLS

Prisma SD-WAN offers an optional feature to log all traffic and security events to Strata Logging Service (SLS), providing centralized visibility, scalable cloud-native storage, and enhanced compliance and forensic analysis. This feature requires a valid subscription license.
  • Sites enabled with SASE Site license
  • Standalone devices enabled with SLS license
If a Branch Site has both the SLS and Branch Security licenses, and the ION device detects threats, the Threat Logs will be forwarded to SLS. These logs can be viewed in Incidents & Alerts > Log Viewer.
  • Traffic logs can be seen under Network > Prisma SD-WAN Traffic.
  • Threat logs can be seen under Network > Threat.
  • URL logs can be seen under Network > URL.
  • DNS logs can be seen under Network > DNS.

Check Cloud Security Services Connection Status

After the security services are configured and applied to the security profile for an ION device in Strata Cloud Manager, you can check the Cloud Security Services Connection Status and Logging Service Connection Status.
In Strata Cloud Manager, go to Workflows > Prisma SD-WAN Setup > Devices > Claimed Devices and hover over the Device State (Online/Offline) to view the Connection Status popover information.

Configure Syslog Profiles

When adding a Syslog Profile in Prisma SD-WAN, you can configure the profile and select the Threat, DNS, and URL checkboxes for Security Logs. Syslog Profiles allow you to forward Log Collector logs as syslog messages to a syslog server from the Prisma SD-WAN web interface.
  1. Select Manage > Resources > Configuration Profiles > Syslog.
  2. Select Create Syslog Profile.
  3. Enter the syslog profile configurations and select the Security Logs checkboxes.
  4. Select a Syslog Profile, then click the ellipsis to Edit or Clone an existing syslog server configuration.

View Flows

Flow Browser supports viewing Branch Security information, including threat prevention, URL filtering, and DNS security, to analyze network traffic. Flow records display threat metadata, including threat IDs, categories, severities, and actions taken, along with URL classifications and DNS security details. This information helps monitor security events and network traffic patterns effectively.
To support these capabilities, fields related to threat prevention, URL filtering, and DNS security have been added to the flow records exported from the device.
  1. In Strata Cloud Manager, select Monitor > Prisma SD-WAN > Flows.
  2. You can filter flows by Session End Reason to view specific sessions, including those terminated due to threats (Anti-Spyware, Vulnerability Protection, DNS Security or URL Access Management).
  3. Click a flow to open its flow details page and see the details of the security services decision.