SASE Private Location

Use your organization's infrastructure to deploy Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license
  • Minimum version of Prisma Access 6.1 Innovation
  • Minimum dataplane version of PAN-OS 12.1.1
  • (Prisma Access (Managed by Panorama) Deployments only) Minimum Cloud Services Plugin version of 6.1
To activate SASE Private Location, reach out to your Palo Alto Networks account representative, who will contact the Site Reliability Engineering (SRE) team and submit a request.
SASE Private Location enables you to deploy Prisma Access services within your own infrastructure. If your organization has one of the following use cases, consider deploying SASE Private Location:
  • You want to protect your network using Prisma Access, but your mobile users are far from a Prisma Access compute location (for example, Alaska or Hawaii). Using SASE Private Location, you can deploy a location close to your mobile users.
  • Your organization has a requirement based on compliance, data sovereignty, or geographic location that requires data processing to stay in your premises. SASE Private Location lets you keep your network traffic and security processing private, eliminating the need to route data through external cloud infrastructure.
    Organizations in regulated industries such as healthcare, financial services, and government sectors benefit from SASE Private Location when they must comply with HIPAA regulations, data residency requirements, or FedRAMP standards that prohibit sending traffic to external cloud services.
    You can maintain the same Prisma Access security capabilities while ensuring that your data never leaves your controlled environment. This approach is useful when you need low-latency access to critical applications, or when your Security policy rules mandate that network security functions operate within your physical premises.
  • You can deploy agent-based mobile users in your infrastructure while continuing to manage configurations, implement policy rules, and monitor your deployment using the familiar Prisma Access web interface.
SASE Private Location is a managed Prisma Access deployment that extends Prisma® SASE capabilities to your existing network infrastructure, enabling traffic inspection for mobile users. SASE Private Location provides you with:
  • Operational simplicity for providing consistent security in campus using a shared responsibility model.
    Prisma Access manages and orchestrates everything behind the security processing node (SPN). Palo Alto Networks manages sizing, content versioning, monitoring, upgrades, and security subscriptions. You provide the hypervisor, ISP links, and public IP address infrastructure.
  • Using a single security stack for mobile users.
  • Providing low latency for mobile users in regions where Prisma Access isn’t available.
This figure shows how you can deploy SASE Private Location as a seamless extension of Prisma SASE to branches, providing consistent security for secure internet access while leveraging your existing hypervisor, ISP links, and public IP addresses. Palo Alto Networks manages sizing, content versioning, monitoring using Strata Logging Service, upgrades, and Cloud-Delivered Security Services (CDSS) subscriptions.
For SASE Private Location, the GlobalProtect™ portal continues to operate from the cloud for global accessibility and provides a mobile user SPN (MU-SPN), while the gateways run locally behind load balancers in your environment, providing the optimal balance of centralized management and localized performance. The following diagrams show the inbound and outbound traffic flow for the gateway.
SASE Private Location eliminates the traditional choice between cloud managed security services and on-premises compliance requirements. You can achieve regulatory compliance without sacrificing the operational benefits of cloud management, automated updates, and centralized policy enforcement that characterize modern SASE architectures. This capability becomes essential when your organization requires air-gapped environments, operates in countries with strict data sovereignty laws, or maintains corporate policy rules that restrict the use of external cloud services for security functions.

Planning Checklist for SASE Private Location

Before you deploy SASE Private Location, be sure that you have completed the following required tasks:
  • Set Up the VMware ESXi Profile for SASE Private Location—Before deploying SASE private location components using Terraform, you must prepare your VMware ESXi environment to meet its performance and connectivity requirements.
    You select the VMware profile when you set up the hypervisor resource profile and the bastion host during SASE private location setup. Prisma Access uses the bastion host (bastion agent) for remote management, maintenance, and monitoring.
    Ensure that you can fulfill the following minimum requirements before beginning:
    • VMware ESXi 8.0.3 or later installed on your servers
    • vCenter Server configured and accessible
    • Administrative access to vCenter Server
    • Network connectivity between your ESXi environment and the Prisma Access cloud services
    • The minimum required vCPU, memory, and storage resources.
    Make sure that you have the following minimum vCPU, memory, storage, network, and number of VMs:
    • 48 vCPU
    • 192 GB memory
    • 720 GB of storage space
    • A minimum of 2 VM instances and a maximum of 4 VM instances
    Some larger deployments might require more network, memory, storage, and VM resources.
  • Perform Initial Setup for the Prisma Access Infrastructure and Mobile Users—GlobalProtect—Before you start the setup for SASE Private Location, perform initial setup of Prisma Access, including: