The rapid transition to a hybrid workforce, where employees can now work fluidly between corporate offices, branch offices, home offices, or on the road has accelerated the change in how and where business is done, including organizations in China. You can use

Prisma Access

to secure mobile users, branch offices, and headquarters and data center locations in China and allow secured traffic to reach applications and data outside China, while ensuring legality and compliance with regulations both inside and outside of mainland China.

The instances of

Prisma Access

in China are hosted in China and manage your organization's cybersecurity infrastructure while following all regulations and mandates. What's more,

Prisma Access

China enables a consistent end-user experience, extending consistent visibility and control to locations within mainland China.

The procedures you use to onboard

Prisma Access

locations in mainland China follow the same procedures you use to onboard

Prisma Access

deployments in other locations around the globe. However, make sure that you're aware of the following differences:

Deployment Type (New or Existing)

—You can only deploy

Prisma Access

China in a new

Prisma Access

environment. Upgrades or migrations from an existing

Prisma Access

deployment are not supported.

Deployment Type (Panorama or Cloud Managed

Prisma Access

)

—

Prisma Access

China is supported with both Cloud Managed and Panorama Managed

Prisma Access

deployments.

Required SKUs

—When you purchase

Prisma Access

for a deployment in mainland China, SKUs are required that are specific to

Prisma Access

China. Work with your authorized Palo Alto Networks representative or partner to make sure that you purchase the correct SKUs for your

Prisma Access

China deployment.

Supported Panorama Versions

(

Prisma Access (Panorama Managed)

Deployments Only

)—If you decide to use

Prisma Access (Panorama Managed)

,

Prisma Access

China requires a special build in China; before you begin installation, you must deploy your hardware or virtual (AWS, KVM, or ESXi) Panorama appliance from one of the following images that are available in mainland China.

Panorama-AWS-10.2.3 (AWS)
Panorama-KVM-10.2.3-h4.qcow2 (KVM)
One or more of the following ESXi images:
If your deployment does not use the Cloud Identity Engine for authentication, download and install this image: Panorama-ESX-10.2.3-h4.ova
If your deployment uses the Cloud Identity Engine for authentication, download and install the Panorama-ESX-10.2.3-h4.ova image, then download and install this image on top of the ova image: Panorama_pc-10.2.4-ch139
In addition, if your deployment uses the Cloud Identity Engine, reach out to your Palo Alto Networks team, who will open a case to copy the correct certificate authority (CA) certs to use with the Cloud Identity Engine in China.

Only use a new Panorama appliance with

Prisma Access

China. Use this appliance to manage

Prisma Access

China only, don't use it to manage on-premises firewalls.

Required Panorama Physical Location

(

Panorama Managed Deployments Only

)

—The Panorama you use to manage

Prisma Access

China must be installed and located in mainland China. If it's a hardware appliance, it must be based in mainland China; if it's a Panorama virtual appliance, the cloud location where the appliance is instantiated must be in China.

Supported Locations

—

Prisma Access

China supports the following locations in mainland China:

China North—Beijing (uses the China North compute location)
China Northwest—Ningxia (uses the China Northwest compute location)

Supported Cortex Data Lake Region

—

Prisma Access

China supports the Cortex Data Lake China region only, which is automatically populated for you during product activation.

If you want to enable log forwarding from Cortex Data Lake in China to an external log server, changes are required to the Prisma Access infrastructure in China. Reach out to your Palo Alto Networks team to begin the process of forwarding logs. Be aware that configuring log forwarding profiles to send logs to servers outside China can result in personally identifiable information leaving China.

Required GlobalProtect Version

—

Prisma Access

China supports all the GlobalProtect versions supported in a standard

Prisma Access

.

Mobile User IP Address Support

—When you configure mobile user IP address Pools in a

Prisma Access

deployment, use only a

Worldwide

pool. Selecting a regional or location group address can cause errors on commit.

Required Cloud Services Plugin Version

—4.1.0-h20

If you're running a plugin version earlier than 4.1.0-h20 (for example, 3.2.1-h18), you should upgrade your plugin to the minimum required version.

Feature Support

—All features and add-ons are supported with

Prisma Access

China, except for the following add-ons and functionality:

Base
Prisma Access
Functionality
—The following
Prisma Access
functionality isn't supported:
Mobile Users—Explicit Proxy deployments
Secure Inbound Access to Remote Network Locations
Autonomous DEM (ADEM) add-on
For a detailed list of nonsupported features, contact your Palo Alto Networks representative.
To access external SaaS apps or other external internet resources outside of China through a cross-border line (for example, an MPLS line), you can use traffic steering to redirect mobile user or remote network traffic to a service connection before sending it to the internet.
GlobalProtect Portal Name Change
—The GlobalProtect portal name for
Prisma Access
China is
<portal-name>
.
prismaaccess.cn
.
Other
Prisma Access
Component and Add-On Compatibility
—The supported add-ons depend on your license type and your customer's privacy profile and governance.
Prisma Access
China provides you with two licenses: Level 1 provides a solution that limits the amount of Personal Identifiable Information (PII) exporting out of mainland China and Level 2 allows more add-ons and features that don't restrict data exporting to outside of China.

The following table shows you the support for other

Prisma Access

components and add-ons; a check mark (√) indicates that it's supported and dash (—) indicates that it's not supported:

Component or Add-On	Level 1 License Support (Panorama Only)	Level 2 License Support
Access to private apps via service connection	√ For Enterprise licenses, five service connections are provided with the license. For Business Premium and Enterprise licenses, additional service connections are available as an add-on.	√ For Enterprise licenses, five service connections are provided with the license. For Business Premium and Enterprise licenses, additional service connections are available as an add-on.
Standard Threat Prevention	√	√
Advanced Threat Prevention	—	√
Standard URL Filtering	√	√
Advanced URL Filtering	—	√
DNS Security	√	√
Advanced WildFire	—	√
Next-Generation Cloud Access Security Broker (CASB-X)	—	√ (available as an add-on)
Enterprise DLP	—	√ (available as an add-on)
SaaS Inline	—	√ (available as an add-on)
IoT Security	—	√ (available as an add-on)