| Where Can I Use This? | What Do I Need? |
- Prisma Access (Managed by Strata Cloud Manager)
- Prisma Access (Managed by Panorama)
|
- Prisma Access license
- Prisma Access 6.1 Innovation or later
- Minimum dataplane version of PAN-OS 12.1.1
- (Prisma Access (Managed by Panorama) Deployments only) Minimum Cloud Services Plugin version of 6.1
- Remote Network (Local Inspection Node) support requires:
  - Prisma Access 6.2 Innovation
  - A PAN-OS version of PAN-OS 12.1.8 or later
  - (Prisma Access (Managed by Panorama) Deployments only) Minimum Cloud Services Plugin version of 6.2

To activate SASE Private Location, reach out to your Palo Alto
Networks account representative, who will contact the Site
Reliability Engineering (SRE) team and submit a request.
|

SASE Private Location enables you to deploy Prisma Access services within your own infrastructure. If your organization has one of the following use cases, consider deploying SASE Private Location:
- You want to protect your network using Prisma Access, but your mobile users are far from a Prisma Access compute location (for example, Alaska or Hawaii). Using SASE Private Location, you can deploy a location close to your mobile users.

  You can deploy agent-based mobile users in your infrastructure while continuing to manage configurations, implement policy rules, and monitor your deployment using the familiar Prisma Access web interface.
- Your branch offices or remote sites need private network connectivity for secure internet access — for example, in regions where no Prisma Access cloud location is available, where latency requirements prohibit routing traffic to a cloud location, or where data residency rules prevent traffic from leaving your premises. Using Local Inspection Nodes, you can deploy remote network connections within your own infrastructure.

SASE Private Location is a managed Prisma Access deployment that extends Prisma® SASE capabilities to your existing network infrastructure, enabling traffic inspection for mobile users, campuses, and large branches. SASE Private Location provides you with:
- Operational simplicity for providing consistent security on campus using a shared responsibility model.

  Prisma Access manages and orchestrates everything behind the security processing node (SPN). Palo Alto Networks manages sizing, content versioning, monitoring, upgrades, and security subscriptions. You provide the hypervisor, ISP links, and public IP address infrastructure.
- A single security stack for mobile users and branch offices.
- Low latency for mobile users and branches in regions where Prisma Access isn’t available.

This figure shows how you can deploy SASE Private Location as a seamless extension of Prisma SASE to branches for consistent security for secure internet access. You use your existing hypervisor, ISP links, and public IP addresses. Palo Alto Networks manages sizing, content versioning, monitoring using Strata Logging Service, upgrades, and Cloud-Delivered Security Services (CDSS) subscriptions.

For SASE Private Location, the GlobalProtect™ portal continues to operate from the cloud for global accessibility and provides a mobile user SPN (MU-SPN), while the gateways run locally behind load balancers in your environment, providing the optimal balance of centralized management and localized performance. The following diagrams show the inbound and outbound traffic flow for the mobile users gateway.

Local Inspection Nodes extend SASE Private Location to your branch offices and remote sites. You deploy Local Inspection Nodes (shown as LIN in the following diagrams) within your own infrastructure, and Palo Alto Networks manages sizing, content versioning, monitoring using Strata Logging Service, upgrades, and CDSS subscriptions.

The following diagrams show the forward and reverse flow for Local Inspection Nodes. The LBs are load balancers.