How to configure a Panorama Managed Prisma Access deployment in a FedRAMP Moderate environment.
After you have completed the requirements to install Prisma Access on the Panorama that manages Prisma Access, finish setting up the deployment for a FedRAMP Moderate environment by completing the following steps.
Before you start,
make a note of the requirements and
guidelines that are specific to a Prisma Access FedRAMP deployment,
including configuring the Panorama appliance in FIPS-CC mode and
the specific versions that are required for Panorama, the Cloud
Services Plugin, and GlobalProtect.
Make sure that you have a Customer Support Portal (CSP) account
that you can dedicate exclusively for your FedRAMP deployments.
You cannot have FedRAMP and non-FedRAMP deployments in
a single CSP account. For this reason, Palo Alto Networks recommends
that you create a new CSP account to
be used for FedRAMP accounts only.
Prepare your Panorama appliance to be used in a Prisma Access FedRAMP environment.
Add the following URLs, IP addresses, and ports to an allow list on any security appliance that you use with the Panorama appliance that manages Prisma Access.
In addition, if your Panorama appliance uses a proxy server (Panorama > Setup > Service > Proxy Server), or if you use SSL forward proxy with Prisma Access, be sure to add the following URLs, IP addresses, and ports to an allow list on the proxy or proxy server.
The IP address block that is used by
the Cortex Data Lake federal region is 34.67.50.64/28. Add these
IP addresses to your allow list so that Cortex Data Lake can receive
the logs from Prisma Access.
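A quick way to confirm that the allow list actually covers every address in the 34.67.50.64/28 block before raising the support case: the check below is an added example, not part of the Palo Alto Networks procedure, and the allow-list entries it reads are constructed sample values, not exported firewall configuration.

```python
"""Check that a firewall or proxy allow list fully covers the Cortex Data
Lake federal-region block (34.67.50.64/28) named in the procedure above."""
import ipaddress

# Block stated in the procedure for the Cortex Data Lake federal region.
CDL_FEDERAL_BLOCK = ipaddress.ip_network("34.67.50.64/28")


def uncovered_addresses(allow_list, required=CDL_FEDERAL_BLOCK):
    """Return (missing, unparseable).

    allow_list: iterable of strings, each a single IPv4 address or a CIDR
    prefix as it would appear in an allow-list object.  Entries that do not
    parse are reported separately rather than silently skipped, so a typo in
    the allow list cannot be mistaken for coverage.
    missing: every address of `required` that no allow-list entry covers.
    """
    networks = []
    unparseable = []
    for entry in allow_list:
        try:
            # strict=False accepts host bits set, e.g. "34.67.50.70/28".
            networks.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            unparseable.append(entry)
    missing = [str(ip) for ip in required
               if not any(ip in net for net in networks)]
    return missing, unparseable


# Constructed sample allow list: the block was split into two halves, but the
# second half was mistyped as a /30, so the last four addresses are missing.
SAMPLE_ALLOW_LIST = ["34.67.50.64/29", "34.67.50.72/30", "not-an-ip"]

if __name__ == "__main__":
    missing, bad = uncovered_addresses(SAMPLE_ALLOW_LIST)
    print("unparseable entries:", bad)
    print("uncovered Cortex Data Lake addresses:", missing)
```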
Open a case in the Customer Support Portal (CSP) to
have Palo Alto Networks allow list the source and destination ports for
Cortex Data Lake.
To use Cortex Data Lake in a Prisma Access environment,
you must create a case so that Palo Alto Networks can allow list
the source and destination ports internally.
We recommend using local authentication as a first step
to verify that the service is set up and your users have internet
access. You can later switch to using your corporate authentication
methods.
Use the app to connect to the portal as a mobile user (local
user).
Browse to a few websites on the internet and check the traffic
logs on Panorama.
(Mobile Users—GlobalProtect Deployments Only) Create an authentication override certificate in your Mobile Users—GlobalProtect deployment that meets the requirements for a Panorama running in FIPS mode and apply that certificate to your deployment.
You must generate a new certificate because the default
certificate for Mobile Users—GlobalProtect,
From the Panorama that manages Prisma Access, select Device > Certificate Management > Certificates > Device Certificates.
Be sure that you are in the Mobile_User_Template.
Generate a certificate that
meets the minimum cipher suite requirements for a Panorama in FIPS-CC
mode.
Select Panorama > Cloud Services > Configuration > Mobile Users—GlobalProtect, select the Hostname, and in the Client Authentication area, select the Authentication Override Certificate you created.
If you have already created your Mobile Users—GlobalProtect configuration, this area is grayed out. To change the authentication override certificate, select Network > GlobalProtect > Portals > <portal-config> > Agent > DEFAULT > Authentication and select this certificate under the Certificate to Encrypt/Decrypt Cookie.
Enable the service infrastructure and service connections that allow communication between Prisma Access elements.
While you can use the Cloud Identity Engine to retrieve user and group information after you set up authentication, you cannot authenticate users using only the Cloud Identity Engine.