GlobalProtect Cloud Service Infrastructure Management

It is important to understand who owns and manages the components in the GlobalProtect cloud service infrastructure. To see when GlobalProtect cloud service updates the components of the cloud infrastructure, see Release Cadence for GlobalProtect Cloud Service Infrastructure Updates.
To see the features that GlobalProtect cloud service supports, see What features does GlobalProtect cloud service support?
GlobalProtect cloud service uses a shared ownership model. Palo Alto Networks manages the underlying security infrastructure, ensuring it is secure, resilient, up-to-date and available to you when you need it. Your organization’s responsibility is to onboard locations and users, push policies, update them, query logs, and generate reports.
Your organization manages the following components of the security infrastructure:
  • Users—You manage the onboarding of mobile users.
  • Authentication—You manage the authentication of those users.
  • Mobile device management (MDM)—You can control your organization's mobile devices that are protected with GlobalProtect Cloud Service using your own MDM software.
  • Panorama and Cloud Services plugin—You make sure that the Panorama on which the Cloud Services plugin is installed is running a Panorama version that supports the Cloud Services plugin. In addition, you upgrade the Cloud Services plugin in Panorama after we inform you that a new plugin is available.
  • Policy creation and management—You plan for and create the policies in Panorama to use with GlobalProtect cloud service.
  • Log analysis and forensics—GlobalProtect cloud service provides the logs; you provide the analysis and reporting, using integrated tools provided by us or by another vendor.
  • On-premise security—You provide the on-premise security between the micro-segments of your on-premise network. In some deployments, you can also direct all traffic to be secured with GlobalProtect cloud service.
  • Networking—You provide the network connectivity to GlobalProtect cloud service.
  • Monitoring—You monitor the on-premise network’s status.
  • Service Connectivity—You provide the connectivity to the GlobalProtect cloud service gateway for mobile users (for example, provide an ISP), and you also provide the on-premise devices used as the termination points for the IPSec tunnels used by service connections and remote network connections.
  • Onboarding—You onboard the mobile users, HQ/Data center sites, and branch sites.
Palo Alto Networks manages the following parts of the security infrastructure:
  • GlobalProtect cloud service
  • Cortex Data Lake—We manage the delivery mechanism for logs.
  • Content updates—We manage the updating of the GlobalProtect cloud service infrastructure, including PAN-OS updates.
  • Fault tolerance—We manage the availability of the service.
  • Auto scaling—We automatically scale the service when you add service connections or remote networks, or when additional mobile users log in to one or more gateways in a single region.
  • Provisioning—We provision the infrastructure with everything that is required.
  • Service monitoring—We monitor the service status and keep it functioning.
