Integrate Prisma Access with On-Premises GlobalProtect Gateways

Where Can I Use This?
  • Prisma Access (Panorama Managed)
What Do I Need?
  • Prisma Access license
Prisma Access enables you to extend the Palo Alto Networks security platform out to your remote network locations and your mobile users without having to build out your own global security infrastructure and expand your operational capacity. In cases where you have already deployed GlobalProtect gateways in regions where you already have the infrastructure to manage it, you can leverage this investment by configuring Prisma Access to direct mobile users to your existing external gateways when appropriate.
You can manage priorities for , which allow you to specify priorities for on-premises and Prisma Access gateways. Administrators cannot specify mobile users to connect to a specific Prisma Access gateway; however, administrators can allow mobile users to manually select specific using the GlobalProtect app.
You cannot use your own portal with Prisma Access. You can only use the portal that is deployed when your Prisma Access for mobile users is provisioned.
To configure one of these hybrid Prisma Access deployments, you must edit the GlobalProtect_Portal configuration within the Mobile_User_Template to add your on-premises gateways to the appropriate regions:
  1. Edit the Prisma Access portal configuration.
    1. To add an existing gateway to the list of available gateways, select Network > GlobalProtect > Portals.
    2. Select Mobile_User_Template from the Template drop-down.
    3. Select GlobalProtect_Portal to edit the Prisma Access portal configuration.
  2. Add your on-premises gateway to the list of gateways in the agent configuration.
    1. Select the Agent tab and select the DEFAULT agent configuration or Add a new one.
    2. Select the External tab and Add your on-premises gateway.
       If you add a new agent configuration and you want to add the Prisma Access gateways to the list of external gateways in that configuration, you must set the Name to GP cloud service and the Address to gpcloudservice.com. You must enter these values exactly as shown, and you cannot use either of these values for non-Prisma Access gateways.
    3. Enter the Name of the gateway and specify either the FQDN or IP address of the gateway in the Address field; this value must exactly match the common name (CN) in the gateway certificate.
    4. (Optional) If you want mobile users to only connect to the gateway when they are in the corresponding region, Add the Source Region to restrict the gateway to. For example, if you have a gateway in France, you would select FR (France). If you have a gateway in Sweden, you would select SE (Sweden).
       One benefit of this is that users will then be able to access a gateway that enables access to internet resources in their own language.
    5. Configure other agent settings as necessary to complete the agent configuration.
    6. Click OK to save the portal configuration.
  3. Commit all your changes to Panorama and push the configuration changes to Prisma Access.
    1. Click Commit > Commit to Panorama.
    2. Click Commit > Push to Devices and click Edit Selections.
    3. On the Prisma Access tab, make sure Prisma Access for users is selected and then click OK.
    4. Click Push.
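
A pre-commit check for the external gateway list built in step 2, as an added example that is not part of the original documentation or any Palo Alto Networks tooling. It assumes a hypothetical list-of-dicts representation of the gateway entries (not a Panorama export format) and certificates given as dicts shaped like the output of Python's `ssl.SSLSocket.getpeercert()`; all sample names and addresses are constructed.

```python
# Reserved values the procedure says identify the Prisma Access gateways.
PA_NAME, PA_ADDR = "GP cloud service", "gpcloudservice.com"


def cert_common_name(peercert):
    """Return the subject CN from a dict shaped like ssl.SSLSocket.getpeercert()."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def lint_external_gateways(gateways, certs):
    """Check each external gateway entry; return a list of findings."""
    findings = []
    for gw in gateways:
        name, addr = gw["name"], gw["address"]
        if name == PA_NAME or addr == PA_ADDR:
            # The reserved name and address are only valid as an exact pair.
            if (name, addr) != (PA_NAME, PA_ADDR):
                findings.append(f"{name}: reserved Prisma Access value on a mismatched entry")
            continue
        cn = cert_common_name(certs.get(addr, {}))
        if cn is None:
            findings.append(f"{name}: no certificate available for {addr}")
        elif cn != addr:  # the Address field must exactly match the CN
            findings.append(f"{name}: address {addr} does not match certificate CN {cn}")
    return findings


# Constructed sample data (documentation-reserved names and addresses).
SAMPLE_GATEWAYS = [
    {"name": PA_NAME, "address": PA_ADDR},
    {"name": "paris-gw", "address": "gw-fr.example.com", "source_region": "FR"},
    {"name": "stockholm-gw", "address": "192.0.2.10", "source_region": "SE"},
    {"name": "GP cloud service", "address": "gw-old.example.com"},
]
SAMPLE_CERTS = {
    "gw-fr.example.com": {"subject": ((("commonName", "gw-fr.example.com"),),)},
    "192.0.2.10": {"subject": ((("commonName", "gw-se.example.com"),),)},
}

if __name__ == "__main__":
    for finding in lint_external_gateways(SAMPLE_GATEWAYS, SAMPLE_CERTS):
        print(finding)
```

With the sample data, the Stockholm entry is flagged because it is addressed by IP while its certificate CN is an FQDN, and the last entry is flagged for reusing the reserved name on an on-premises gateway.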