Prisma Access in China
Learn how to set up Prisma Access in China.
The rapid transition to a hybrid workforce, where employees can now work fluidly between corporate offices, branch offices, home offices, or on the road, has accelerated the change in how and where business is done, including for organizations in China. You can use Prisma Access to secure mobile users, branch offices, and headquarters and data center locations in China and allow secured traffic to reach applications and data outside China, while ensuring legality and compliance with regulations both inside and outside of mainland China.

The instances of Prisma Access in China are hosted in China and manage your organization's cybersecurity infrastructure while following all regulations and mandates. What's more, Prisma Access China enables a consistent end-user experience, extending consistent visibility and control to locations within mainland China.

The procedures you use to onboard Prisma Access locations in mainland China follow the same procedures you use to onboard Prisma Access deployments in other locations around the globe. However, make sure that you're aware of the following differences:

- Deployment Type (New or Existing)—You can only deploy Prisma Access China in a new Prisma Access environment. Upgrades or migrations from an existing Prisma Access deployment are not supported.
- Deployment Type (Panorama or Cloud Managed)—Prisma Access China is supported with both Cloud Managed and Panorama Managed Prisma Access deployments.
- Required SKUs—When you purchase Prisma Access for a deployment in mainland China, SKUs are required that are specific to Prisma Access China. Work with your authorized Palo Alto Networks representative or partner to make sure that you purchase the correct SKUs for your Prisma Access China deployment.
- Supported Panorama Versions (Prisma Access (Panorama Managed) Deployments Only)—If you decide to use Prisma Access (Panorama Managed), Prisma Access China requires a special build in China; before you begin installation, you must deploy your hardware or virtual (AWS, KVM, or ESXi) Panorama appliance from one of the following images that are available in mainland China.
  - Panorama-AWS-10.2.3 (AWS)
  - One or more of the following ESXi images:
    - If your deployment does not use the Cloud Identity Engine for authentication, download and install this image: Panorama-ESX-10.2.3-h4.ova
    - If your deployment uses the Cloud Identity Engine for authentication, download and install the Panorama-ESX-10.2.3-h4.ova image, then download and install this image on top of the ova image: Panorama_pc-10.2.4-ch139

      In addition, if your deployment uses the Cloud Identity Engine, reach out to your Palo Alto Networks team, who will open a case to copy the correct certificate authority (CA) certs to use with the Cloud Identity Engine in China.

  Only use a new Panorama appliance with Prisma Access China. Use this appliance to manage Prisma Access China only; don't use it to manage on-premises firewalls.
- Required Panorama Physical Location (Panorama Managed Deployments Only)—The Panorama you use to manage Prisma Access China must be installed and located in mainland China. If it's a hardware appliance, it must be based in mainland China; if it's a Panorama virtual appliance, the cloud location where the appliance is instantiated must be in China.
- Supported Locations—Prisma Access China supports the following locations in mainland China:
  - China North—Beijing (uses the China North compute location)
  - China Northwest—Ningxia (uses the China Northwest compute location)
- Supported Cortex Data Lake Region—Prisma Access China supports the Cortex Data Lake China region only, which is automatically populated for you during product activation.

  If you want to enable log forwarding from Cortex Data Lake in China to an external log server, changes are required to the Prisma Access infrastructure in China. Reach out to your Palo Alto Networks team to begin the process of forwarding logs. Be aware that configuring log forwarding profiles to send logs to servers outside China can result in personally identifiable information leaving China.
- Required GlobalProtect Version—Prisma Access China supports all the GlobalProtect versions supported in a standard Prisma Access.
- Mobile User IP Address Support—When you configure mobile user IP address pools in a Prisma Access deployment, use only a Worldwide pool. Selecting a regional or location group address can cause errors on commit.
- Required Cloud Services Plugin Version—4.1.0-h20

  If you're running a plugin version earlier than 4.1.0-h20 (for example, 3.2.1-h18), you should upgrade your plugin to the minimum required version.
- Feature Support—All features and add-ons are supported with Prisma Access China, except for the following add-ons and functionality:
- Base Prisma Access Functionality—The following Prisma Access functionality isn't supported:

  For a detailed list of nonsupported features, contact your Palo Alto Networks representative.
- To access external SaaS apps or other external internet resources outside of China through a cross-border line (for example, an MPLS line), you can use traffic steering to redirect mobile user or remote network traffic to a service connection before sending it to the internet.
- GlobalProtect Portal Name Change—The GlobalProtect portal name for Prisma Access China is <portal-name>.prismaaccess.cn.
- Other Prisma Access Component and Add-On Compatibility—The supported add-ons depend on your license type and your customer's privacy profile and governance. Prisma Access China provides you with two licenses: Level 1 provides a solution that limits the amount of personally identifiable information (PII) exported out of mainland China, and Level 2 allows more add-ons and features that don't restrict data export to outside of China.
The following table shows you the support for other Prisma Access components and add-ons; a check mark (√) indicates that it's supported and a dash (—) indicates that it's not supported:

| Component or Add-On | Level 1 License Support (Panorama Only) | Level 2 License Support |
|---|---|---|
| Access to private apps via service connection | √ For Enterprise licenses, five service connections are provided with the license. For Business Premium and Enterprise licenses, additional service connections are available as an add-on. | √ For Enterprise licenses, five service connections are provided with the license. For Business Premium and Enterprise licenses, additional service connections are available as an add-on. |
| Standard Threat Prevention | √ | √ |
| Advanced Threat Prevention | — | √ |
| Standard URL Filtering | √ | √ |
| Advanced URL Filtering | — | √ |
| DNS Security | √ | √ |
| Advanced WildFire | — | √ |
| Next-Generation Cloud Access Security Broker (CASB-X) | — | √ (available as an add-on) |
| Enterprise DLP | — | √ (available as an add-on) |
| SaaS Inline | — | √ (available as an add-on) |
| IoT Security | — | √ (available as an add-on) |
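
The deployment differences listed above can be checked before onboarding with a short preflight script. The following is an added example, not Palo Alto Networks code: the `plan` dictionary layout and its key names are hypothetical, and only the constraint values (minimum plugin version, locations, Worldwide pool, portal suffix) come from this page. It compares plugin versions numerically, because a plain string comparison ranks a hotfix such as `-h3` above `-h20`.

```python
import re

# Constraints quoted from the page; the plan dictionary layout is hypothetical.
MIN_PLUGIN = "4.1.0-h20"
SUPPORTED_LOCATIONS = {"China North", "China Northwest"}
PORTAL_SUFFIX = ".prismaaccess.cn"

def parse_plugin_version(text):
    """Turn 'X.Y.Z' or 'X.Y.Z-hN' into a tuple that compares numerically."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognized plugin version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())

def preflight(plan):
    """Return a list of findings; an empty list means the plan passes."""
    findings = []
    try:
        if parse_plugin_version(plan["plugin_version"]) < parse_plugin_version(MIN_PLUGIN):
            findings.append(f"plugin {plan['plugin_version']} is older than {MIN_PLUGIN}")
    except ValueError as exc:
        findings.append(str(exc))
    for loc in plan["locations"]:
        if loc not in SUPPORTED_LOCATIONS:
            findings.append(f"location {loc!r} is not a supported mainland China location")
    if plan["mobile_user_pool_scope"] != "Worldwide":
        findings.append("mobile user IP pool must be Worldwide")
    if not plan["portal_fqdn"].lower().endswith(PORTAL_SUFFIX):
        findings.append(f"portal name must end in {PORTAL_SUFFIX}")
    if plan["management"] == "panorama" and not plan["panorama_in_mainland_china"]:
        findings.append("Panorama must be located in mainland China")
    if plan["log_forwarding_outside_china"]:
        findings.append("review: log forwarding outside China can move PII out of China")
    return findings

# Constructed sample plans (not real deployments).
GOOD_PLAN = {"plugin_version": "4.1.0-h20", "locations": ["China North"],
             "mobile_user_pool_scope": "Worldwide", "portal_fqdn": "corp.prismaaccess.cn",
             "management": "panorama", "panorama_in_mainland_china": True,
             "log_forwarding_outside_china": False}
BAD_PLAN = {"plugin_version": "3.2.1-h18", "locations": ["China North", "Singapore"],
            "mobile_user_pool_scope": "Regional", "portal_fqdn": "corp.example.com",
            "management": "panorama", "panorama_in_mainland_china": False,
            "log_forwarding_outside_china": True}

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(name, preflight(plan) or "no findings")
```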