Configure a Prisma Access China Deployment
Table of Contents
Configure a Prisma Access China Deployment
How to configure a Prisma Access deployment in mainland
China.
| Where Can I Use This? | What Do I Need? |
|---|---|
|
|
After you have reviewed the requirements to install Prisma Access
China, complete the setup by performing the following steps.
- (Optional) Create a Customer Support Portal (CSP) account that you can dedicate for your Prisma Access China deployments.While it's not required to create a dedicated CSP account for Prisma Access China only, you might find it beneficial because the Prisma Access setup and activation are unique to Prisma Access China.(Prisma Access (Managed by Panorama) Deployments Only) Install the Panorama that will manage Prisma Access in China (if you have not done so already).View the Supported Panorama Versions for the image links and instructions to install Panorama.Activate and install your Prisma Access China deployment (Cloud Managed or Panorama Managed).(Optional, Prisma Access (Managed by Panorama) Deployments Only) If you need to install a Panorama device certificate (), open a CLI session with the Panorama that manages Prisma Access and enter the following CLI command before downloading it:request certificate secure-bridge enableEntering this command before downloading the certificate ensures that you get a certificate that is signed in China.Add the following URLs, IP addresses, and ports to an allow list on any security appliance that you use with Prisma Access.In addition, for Prisma Access (Managed by Panorama) deployments, if your Panorama appliance uses a proxy server (), or if you use SSL Forward Proxy with Prisma Access, be sure to add the following URLs, IP addresses, and ports to an allow list on the proxy or proxy server.
- api.prismaaccess.cn (for Prisma Access)
- api.sb.prismaaccess.com (for Prisma Access)
- api-trusted.sb.prismaaccess.com (for Prisma Access)
- *.proxy.prismaaccess.cn (for Prisma Access Explicit Proxy)
- The FQDNs, ports, and IP addresses required for Strata Logging Service in China
(Prisma Access (Managed by Panorama) Deployments Only) Select and enter cn.wildfire.paloaltonetworks.com.Use the WildFire China Cloud with Prisma Access China.Configure the Prisma Access Service Infrastructure.If you have a Mobile Users—GlobalProtect deployment, configure your deployment.Palo Alto Networks recommends using local authentication as a first step to verify that the service is set up and your users have internet access. You can later switch to using your corporate authentication methods.Enable the service infrastructure and service connections that allow communication between Prisma Access elements.Plan for and create a service connection to secure access to private apps.Plan, create, and configure remote network connections to secure access to branch sites.Retrieve the Prisma Access public and private IP addresses and add them to your organization's network allow lists.Add these addresses to limit inbound access to your enterprise's network and applications.(Prisma Access (Managed by Panorama) Deployments Only) If you have a Mobile User—GlobalProtect deployment, you can use the Prisma Access UI instead of this API to manage public IP address allocation and confirm that the IP addresses have been added to your allow lists before Prisma Access releases the IP addresses. In this way, Prisma Access only provisions the IP addresses that you have allow listed.(Optional) Change the authentication method from local authentication to your organization’s authentication method and set up authentication for mobile users.