Set Up Prisma Access
Focus
Focus
Prisma Access

Set Up Prisma Access

Table of Contents

Set Up
Prisma Access

Learn how to set up
Prisma Access
.
Where Can I Use This?
What Do I Need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • Prisma Access
    license
Before you can use
Prisma Access
to secure your remote networks and mobile users, configure an infrastructure subnet.
Prisma Access
uses IP addresses within this subnet to establish a network between your remote network locations, mobile users, headquarters and data center (if applicable).
Prisma Access
also uses service connections to access internal resources from your headquarters or data center location.
This sub-network will be an extension to your existing network. Hence, it should not overlap with any existing IP subnets in your network. The following example shows a 172.16.55.0/23 subnet that is being used for the
Prisma Access
infrastructure subnet.
For small networks with less than 50 sites and 2500 mobile users, consider a /24 subnet. For medium sized networks with less than 100 sites and less then 5000 mobile users, consider a /23 subnet. In most cases a /23 subnet is sufficient. If there are more than 100 sites or 5000 mobile users or expected future growth, contact Palo Alto Networks to evaluate whether you need a larger subnet size.
Learn how to set up
Prisma Access
.

Cloud Management

Learn how to set up your cloud service infrastructure for remote sites and mobile users.
The following workflow provides you with the summary steps that you take to install and configure
Prisma Access
.
  1. Launch the
    Prisma Access
    through the hub.
    1. Launch an internet browser and
      Sign In
      to the hub.
    2. Launch the
      Prisma Access
      app.
  2. Specify trusted IP addresses for
    Prisma Access (Cloud Management)
    administrators.
    Only administrators that log in from these source IP addresses (and also that successfully authenticate) can access
    Prisma Access (Cloud Management)
    . The IP addresses must be public addresses. By default, there aren’t any trusted addresses enforced (the list is set to any). To get started, find the
    Settings
    menu on the left navigation panel and click
    IP Restrictions
    .
  3. Enable the service infrastructure and service connections that allows communication between
    Prisma Access
    elements.
  4. Secure mobile users with GlobalProtect or Explicit Proxy, as required for your deployment.
  5. Plan, create, and configure remote network connections.
  6. (
    Optional
    ) Change the authentication method from local authentication to your organization’s authentication method.
  7. (
    Optional
    ) Forward logs from Cortex Data Lake to an external Syslog receiver using Cortex Data Lake.
  8. (
    Optional
    ) Check the status of
    Prisma Access
    .
    You can retrieve the status of all cloud services, including
    Prisma Access
    and Cortex Data Lake, and a historical record of the service uptime by accessing the app instance from the hub.
    You can also sign up for email or text message notifications so that you are notified when infrastructure updates are planned; when updates occur; and when Palo Alto Networks® creates, updates, or resolves an incident. To sign up for email updates, go to the Resources section of the hub home page and then select
    Service Status
    . You can then
    Subscribe
    to specific updates and incidents for your cloud services.

Panorama

Provides quick steps to implement
Prisma Access
.
The following workflow provides you with the summary steps that you take to install and configure
Prisma Access (Panorama Managed)
Access.
If you are setting up a deployment that includes multiple instances of
Prisma Access
on a single Panorama (multitenancy), see . Most organizations do not have a need to create and manage multiple tenants.
  1. Add the following URLs and ports to an allow list on any security appliance that you use with the Panorama appliance that manages
    Prisma Access
    .
    In addition, if your Panorama appliance uses a (
    Panorama
    Setup
    Service
    Proxy Server
    ), or if you use SSL forward proxy with
    Prisma Access
    , be sure to add the following URLs and ports to an allow list on the proxy or proxy server.
    If there is a Palo Alto Networks next-generation firewall between the Panorama appliance and the internet, you must add a security policy rule on the firewall to allow the
    paloalto-logging-service
    and
    paloalto-shared-services
    App-IDs from the Panorama appliance to the internet. These applications allow SSL-secured communication to
    Prisma Access
    and to Cortex Data Lake that the Panorama appliance uses to query logs. If the Panorama appliance is behind a legacy Layer 4 firewall, permit ports 443 and 444 outbound from the Panorama to allow this traffic from the Panorama. Note that opening layer 4 ports instead of using Palo Alto Networks App-IDs is less secure and not recommended.
  2. Add the ports used by Panorama to allow lists in your network.
  3. Import your existing Panorama configuration to Prisma Access, or create new templates and device groups to begin configuration of
    Prisma Access
    .
    In order to push configuration—such as security policy, authentication policy, server profiles, security profiles, address objects, and application groups—to
    Prisma Access
    , you must either create new templates and device groups with the configuration settings you want to push to
    Prisma Access
    , or leverage your existing device groups and templates by adding them to the template stacks and device group hierarchies that
    Prisma Access
    creates when you onboard the service.
    Prisma Access
    creates the following templates and device groups, depending on what you have purchased (for example, if you do not purchase an Explicit Proxy license, you will not see the Explicit Proxy templates and device groups):
    • Templates:
      • Explicit_Proxy_Template
      • Explicit_Proxy_Template_Stack
      • Mobile_User_Template
      • Mobile_User_Template_Stack
      • Remote_Network_Template
      • Remote_Network_Template_Stack
      • Service_Conn_Template
      • Service_Conn_Template_Stack
    • Device Groups:
      • Explicit_Proxy_Device_Group
      • Mobile_User_Device_Group
      • Remote_Network_Device_Group
      • Service_Conn_Device_Group
    Configuration is simplified in
    Prisma Access
    because you do not have to configure any of the infrastructure settings, such as interfaces and routing protocols. This configuration is automated and pushed from Panorama in the templates and device groups that the service creates automatically. You can configure any infrastructure settings that are required by the service, such as settings required to create IPSec VPN tunnels to the IPSec-capable devices at your remote network locations, directly from the plugin. Optionally, you can add templates and device group hierarchies to the configuration to simplify the service setup.
    To simplify the service setup, create or import the templates and device groups you need before you begin the setup tasks for using
    Prisma Access
    .
    When creating templates and device groups for
    Prisma Access
    , you do not need to assign managed devices to it. Instead, you will add them to the template stacks and device group hierarchies that
    Prisma Access
    creates. Do not add any of the templates or device groups created by
    Prisma Access
    to any other template stacks or device groups.
  4. Sign up for email notifications using the
    Prisma Access
    app.
    Prisma Access
    provides you with notifications about the service, including any dataplane upgrades, using notifications from this app.
  5. Change the default master key for Panorama and in the Cloud Services plugin.
    Palo Alto Networks recommends changing the master key in Panorama and in the Cloud Services plugin as a security best practice and that you change the master key monthly.
    Because the Panorama and
    Prisma Access
    master keys do not synchronize, Palo Alto Networks recommends that you do not automatically rotate the master key in Panorama without also synchronizing the master key in
    Prisma Access
    . You can use the Panorama UI or API commands to change the master keys.
    Be sure to keep track of the master key you deploy because master keys cannot be recovered. When a master key expires, you must enter the current master key in order to configure a new master key. You must reset your Panorama appliance to factory default if you cannot provide the current master key when it expires.
      1. Select
        Panorama
        Master Key and Diagnostics
        .
        Do not specify a
        Current Master Key
        .
      2. Configure the
        New Master Key
        and
        Confirm Master Key
        .
        Make a note of the master key you configured.
      3. Configure the master key Lifetime and Time for Reminder.
      4. Click
        OK
        .
    1. Change the master key for
      Prisma Access
      by selecting
      Panorama
      Cloud Services
      Configuration
      Service Operations
      Edit master key
      , then entering the same master key you entered for Panorama.
    You can also change the master key by using API commands. This requires two steps–one to change the Panorama master key and one to change the
    Prisma Access
    master key. Use the following API commands to change the master key:
    • Panorama:
      XML API
      Operational Commands
      request
      master-key
    • Prisma Access
      :
      XML API
      Operational Commands
      request
      plugins
      cloud_services
      prisma-access
      sync
  6. Enable the service infrastructure and service connections that allows communication between
    Prisma Access
    elements.
    1. Create a service connection to allow access to your corporate resources.
      If you don’t require access to your corporate resources, you should still create a service connection to enable access between mobile users and remote networks.
  7. Prisma Access
    and secure mobile users with GlobalProtect or Explicit Proxy, as required for your deployment.
    To set up GlobalProtect on
    Prisma Access (Panorama Managed)
    :
    1. Configure zones for mobile users by creating two zones in the Mobile_User_Template (for example, Mobile-Users and Internet) and mapping the zones. You should map any zone that is not
      Prisma Access
      connected users or HQ or branch offices to Untrust.
      Under
      Panorama
      Cloud Services
      Configuration
      Mobile Users
      , map Internet to Untrust; Mobile-Users to Trust.
    2. Configure authentication.
      We recommend using local authentication as a first step to verify that the service is set up and your users have internet access. You can later switch to using your corporate authentication methods.
    3. Configure Security policies for the device group.
      To create a Security policy to allow traffic to the Internet, select the Mobile_User_Device_Group
      Policies
      Security
      Prerules
      Add
      a rule. For example: Mobile-Users to Internet.
    4. Commit and push your changes to get started with the service.
    5. Select
      Panorama
      Cloud Services
      Status
      Monitor
      Mobile Users
      to view the
      Status
      and verify that you can ping the Portal FQDN.
    6. Validate that
      Prisma Access
      is securing Internet traffic for mobile users by downloading and installing the GlobalProtect app, using the app to connect to the portal as a mobile user (local user), browsing to a few websites on the internet, and checking the traffic logs on Panorama.
    To secure mobile users with an explicit proxy:
    1. Configure SAML Authentication. SAML authentication is required for Explicit Proxy.
    2. Set up Group Mapping using the Cloud Identity Engine.
    3. Complete the Explicit Proxy configuration.
    4. Commit and Push your changes.
  8. Plan, create, and configure remote network connections.
    1. Add one or more remote networks to
      Prisma Access
      .
      You can onboard one location and then add additional locations using the bulk import capability.
    2. Create a Security policy rule to allow traffic from the remote networks to HQ (For example: Trust to Trust).
    3. Validate the connectivity between the service connection, remote network connection, and mobile users.
  9. You add these addresses to an allow list on your organization’s network to limit inbound access to your enterprise network and applications.
  10. (
    Optional
    ) Change the authentication method from local authentication to your organization’s authentication method.
    1. Create an authentication profile that meets your organization’s requirements (SAML, LDAP, RADIUS, etc).
    2. If your organization uses an on-premises authentication server such as RADIUS or Active Directory, add the IP addresses that
      Prisma Access
      uses as its source IP address for internal requests () to allow lists in your network, or allow the IP addresses of the entire Infrastructure Subnet (
      Prisma Access
      takes the loopback IP address from this subnet).
    3. Update the Authentication Profile for the
      Prisma Access
      portal and gateway to use this new authentication profile.
  11. (
    Optional
    ) Forward logs from Cortex Data Lake to an external Syslog receiver using Cortex Data Lake.

Recommended For You