Configure a Prisma Access China Deployment

How to configure a Prisma Access deployment in mainland China.

Where Can I Use This?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)

What Do I Need?
  • Prisma Access China license
  • Prisma Access (Panorama Managed) Only:
    • A minimum Panorama version of 10.2.4
    • A minimum Cloud Services plugin version of 4.1.0-h20

After you have reviewed the requirements to install Prisma Access China, complete the setup by performing the following steps.
  1. (Optional) Create a Customer Support Portal (CSP) account that you can dedicate to your Prisma Access China deployments.
    While it's not required to create a dedicated CSP account for Prisma Access China only, you might find it beneficial because the Prisma Access setup and activation are unique to Prisma Access China.
  2. (Prisma Access (Panorama Managed) Deployments Only) Install the Panorama that will manage Prisma Access in China (if you have not done so already).
    View the Supported Panorama Versions for the image links and instructions to install Panorama.
  3. Activate and install your Prisma Access China deployment (Cloud Managed or Panorama Managed).
  4. (Optional, Prisma Access (Panorama Managed) Deployments Only) If you need to install a Panorama device certificate (Panorama > Setup > Device Certificate), open a CLI session with the Panorama that manages Prisma Access and enter the following CLI command before downloading it:
    request certificate secure-bridge enable
    Entering this command before downloading the certificate ensures that you get a certificate that is signed in China.
  5. Add the following URLs, IP addresses, and ports to an allow list on any security appliance that you use with Prisma Access.
    In addition, for Prisma Access (Panorama Managed) deployments, if your Panorama appliance uses a proxy server (Panorama > Setup > Service > Proxy Server), or if you use SSL Forward Proxy with Prisma Access, be sure to add the following URLs, IP addresses, and ports to an allow list on the proxy or proxy server.
  6. (Prisma Access (Panorama Managed) Deployments Only) Select Device > Setup > WildFire and enter cn.wildfire.paloaltonetworks.com.
    Use the WildFire China Cloud with Prisma Access China.
  7. If you have a Mobile Users—GlobalProtect deployment, configure your deployment.
    Palo Alto Networks recommends using local authentication as a first step to verify that the service is set up and your users have internet access. You can later switch to using your corporate authentication methods.
  8. Enable the service infrastructure and service connections that allow communication between Prisma Access elements.
  9. Plan for and create a service connection to secure access to private apps.
  10. Plan, create, and configure remote network connections to secure access to branch sites.
  11. Retrieve the and add them to your organization's network allow lists.
    Add these addresses to limit inbound access to your enterprise's network and applications.
    (Prisma Access (Panorama Managed) Deployments Only) If you have a Mobile User—GlobalProtect deployment, you can use the instead of this API to manage public IP address allocation and confirm that the IP addresses have been added to your allow lists before Prisma Access releases the IP addresses. In this way, Prisma Access only provisions the IP addresses that you have allow listed.
  12. (Optional) Change the authentication method from local authentication to your organization’s authentication method and set up authentication for mobile users.
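
For step 11, one way to confirm that every retrieved Prisma Access public IP address is covered by your allow list, and to spot allow-list entries that match no retrieved address. This is an added example, not Palo Alto Networks code; the retrieval itself is not shown, and the function name, the input format (plain address and CIDR strings), and the sample addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not real Prisma Access IPs.
PRISMA_IPS = ["203.0.113.10", "203.0.113.11", "198.51.100.7", "2001:db8::5"]
ALLOW_LIST = ["203.0.113.8/29", "198.51.100.70", "192.0.2.44/32",
              "2001:db8::/64", "not-an-ip"]


def reconcile(prisma_ips, allow_list):
    """Return (missing, stale, malformed) for the two lists.

    missing   - retrieved addresses that no allow-list entry covers
    stale     - allow-list entries that cover no retrieved address
    malformed - strings that are not a valid address or network
    """
    malformed, addrs, nets = [], set(), set()
    for raw in prisma_ips:
        try:
            addrs.add(ipaddress.ip_address(raw.strip()))
        except ValueError:
            malformed.append(raw)
    for raw in allow_list:
        try:
            # strict=False accepts entries with host bits set, e.g. 203.0.113.9/29
            nets.add(ipaddress.ip_network(raw.strip(), strict=False))
        except ValueError:
            malformed.append(raw)

    # "addr in net" is False across IP versions, so mixed v4/v6 lists are safe.
    missing = [a for a in addrs if not any(a in n for n in nets)]
    stale = [n for n in nets if not any(a in n for a in addrs)]

    # Sort with an explicit key: v4 and v6 objects cannot be compared directly.
    missing.sort(key=lambda a: (a.version, int(a)))
    stale.sort(key=lambda n: (n.version, int(n.network_address), n.prefixlen))
    return [str(a) for a in missing], [str(n) for n in stale], malformed


if __name__ == "__main__":
    missing, stale, malformed = reconcile(PRISMA_IPS, ALLOW_LIST)
    print("Not yet allow listed:", missing)
    print("Allow listed but not retrieved:", stale)
    print("Could not parse:", malformed)
```

Run it against only the part of the allow list reserved for Prisma Access; otherwise unrelated entries are reported as stale.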