Follow these rules to make sure that your Prisma Access
deployment stays in compliance with FedRAMP Moderate.
FedRAMP is the program used by the United States government
that provides a standard approach to compliance for cloud service
offerings (CSOs). To make sure that your Panorama Managed Prisma
Access is compliant with FedRAMP Moderate, use these guidelines
and requirements when installing, activating, setting up for the
first time, and configuring Prisma Access.
Pre-Installation and Product Activation Requirements
To make sure that your Prisma Access deployment stays
in compliance, be sure to follow these installation and product
activation requirements.
Pre-Installation Requirements:
Deployment Type (New or Existing)—New Prisma Access deployments are supported
in a FedRAMP Moderate environment. Upgrades from an existing Prisma Access
deployment to a FedRAMP Moderate Prisma Access deployment are not supported.
Required SKUs—When you purchase Prisma Access for
a FedRAMP Moderate deployment, Prisma Access requires SKUs that
are specific to the FedRAMP environment. Work with your authorized
Palo Alto Networks representative or partner to make sure that you
purchase the correct SKUs for your FedRAMP Moderate deployment.
—The IP address block that is used by the Cortex Data Lake federal region
is 34.67.50.64/28. If your enterprise uses allow lists, be sure
to add these IP addresses to your allow lists to make sure that
Cortex Data Lake can receive the logs from Prisma Access.
Changes to API URLs—When you run the API script to retrieve
the public IP addresses that are used by Prisma Access, change the
URL for the API from
If your Panorama appliance uses a proxy server
(Panorama > Setup > Service > Proxy Server), or if you use
SSL forward proxy decryption with Prisma Access, be sure to add
the api.fed.prismaaccess.com URL to your allow list on the proxy
or proxy server.
GlobalProtect Portal Name Change—The default portal
hostname for a Prisma Access FedRAMP Mobile Users—GlobalProtect
deployment is different from a non-FedRAMP deployment. The portal
name is <portal-name>.fed.prismaaccess.com instead of
<portal-name>.gpcloudservice.com.
Support Requirements—Prisma Access FedRAMP Moderate
requires Palo Alto Networks US Government Support Services, which
includes 24x7 support for United States personnel on United States
soil.
Activation Requirements—When you activate and install
your Panorama Managed Prisma Access deployment, the activation and installation tasks
are similar to a non-FedRAMP deployment. However, you must select
a Cortex Data Lake region of United States—Government
during product activation.
Required Panorama, Plugin, and PAN-OS Dataplane Versions
To ensure that Prisma Access stays in
compliance with FedRAMP Moderate requirements, make sure that your
Panorama Managed Prisma Access deployment uses the following Panorama,
Cloud Services plugin, and GlobalProtect versions.
Component: Required Version

Panorama PAN-OS version: 10.1.8
Enabling the Federal Information Processing Standard and Common Criteria
(FIPS-CC) on the Panorama that manages Prisma Access is the recommended best
practice aligned with FedRAMP controls. Enabling FIPS-CC support
on Panorama requires accessing the Maintenance Recovery Tool
(MRT).
To simplify the installation and activation process, you can
select an existing Panorama you have already configured in
FIPS mode, if you have registered Panorama, installed the
licenses, and activated the support license on the Customer Support Portal
(CSP). If you have added the Panorama serial
number to the same CSP account on which you want to deploy
Prisma Access, you can select the serial number of this
Panorama appliance during installation.
You cannot use a Panorama that has been used to manage another
Prisma Access or Cortex Data Lake deployment.

Cloud Services plugin version:
2.2.0-h42 Preferred
3.0.0-h24
3.2.1-h48 and later versions of 3.2.1

GlobalProtect version: 5.1.4+ and 6.0.7+
5.1.4 is FIPS certified and is the default version to use for
Federal Government-based deployments. If you change the default
GlobalProtect version from 5.1.4, you cannot select
version 5.1.4 from the Panorama UI and must open a Support case with Palo
Alto Networks Technical Support to add it back.
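
The allow-list, API URL, portal name, and version requirements above can be checked mechanically before activation. The following is an added example, not Palo Alto Networks code: the deployment record schema, function names, and sample values are assumptions made for illustration, and the Panorama version is compared as an exact match to the listed 10.1.8.

```python
import ipaddress
import re

# Requirements as stated on this page.
CDL_FED_BLOCK = ipaddress.ip_network("34.67.50.64/28")
FED_API_HOST = "api.fed.prismaaccess.com"
FED_PORTAL_SUFFIX = ".fed.prismaaccess.com"
PANORAMA_VERSION = "10.1.8"
PLUGIN_EXACT = {"2.2.0-h42", "3.0.0-h24"}
PLUGIN_MIN_HOTFIX = ("3.2.1", 48)  # 3.2.1-h48 and later versions of 3.2.1

def block_allowed(allow_list):
    """True if the allow list covers the whole Cortex Data Lake federal block,
    including when it is split across adjacent smaller entries."""
    nets = [ipaddress.ip_network(c, strict=False) for c in allow_list]
    merged = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    return any(CDL_FED_BLOCK.subnet_of(n) for n in merged)

def plugin_ok(version):
    """Check a Cloud Services plugin version string against the page's list."""
    if version in PLUGIN_EXACT:
        return True
    m = re.fullmatch(r"(\d+\.\d+\.\d+)-h(\d+)", version)
    base, minimum = PLUGIN_MIN_HOTFIX
    return bool(m) and m.group(1) == base and int(m.group(2)) >= minimum

def audit(dep):
    """Return a list of findings for a deployment record (hypothetical schema)."""
    findings = []
    if not block_allowed(dep["ip_allow_list"]):
        findings.append("allow list does not cover 34.67.50.64/28")
    if FED_API_HOST not in {h.lower() for h in dep["proxy_allow_list"]}:
        findings.append("proxy allow list is missing " + FED_API_HOST)
    if dep["panorama_version"] != PANORAMA_VERSION:
        findings.append("Panorama PAN-OS version is not " + PANORAMA_VERSION)
    if not plugin_ok(dep["plugin_version"]):
        findings.append("Cloud Services plugin version is not on the required list")
    if not dep["portal_hostname"].lower().endswith(FED_PORTAL_SUFFIX):
        findings.append("portal hostname is not under fed.prismaaccess.com")
    return findings

# Constructed sample record; every value below is made up for illustration.
SAMPLE = {
    "ip_allow_list": ["34.67.50.64/29", "34.67.50.72/29", "10.0.0.0/8"],
    "proxy_allow_list": ["api.fed.prismaaccess.com"],
    "panorama_version": "10.1.8",
    "plugin_version": "3.2.1-h12",
    "portal_hostname": "agency.gpcloudservice.com",
}
```

Calling audit(SAMPLE) reports the out-of-range plugin hotfix and the non-FedRAMP portal name, while the two adjacent /29 entries are accepted as covering the /28 block.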
Supported Prisma Access FedRAMP Locations
The following locations are authorized for use with
Prisma Access in a FedRAMP Moderate environment, which includes
support for locations in the continental United States (CONUS) and
outside the continental United States (OCONUS):
Australia Southeast
Belgium
Brazil South
Canada East
Finland
Germany Central
India West
Japan Central
Japan South
Netherlands Central
Singapore
Switzerland
Taiwan
United Kingdom
US Central
US East
US Northwest
US Southeast
US Southwest
Supported and Unsupported Features in a Prisma Access FedRAMP Deployment