When utilizing GlobalProtect in Proxy Mode on desktops and systems in the branches, you have the capability to view the source IP address of the device in the branch instead of the public egress IP address of the branch. This capability allows you to view the device's source IP address in the logs, and you can also use this address to enforce policy.

ITES companies and distributed IT service providers face the challenge of providing granular project-based access control for their end users, who are mapped to multiple customer projects or profiles. Dynamic Privilege Access provides a seamless, secure, and compartmentalized way for your users to access only those projects that they are assigned to. Employees are typically assigned to several customer projects and are provided with siloed access to these projects so that an authorized user can access only one customer project at a time. Also, a tenant can have multiple projects. A user working on one project will have access to resources for that project only.

This feature addresses the challenge of providing access to overlapping IP networks for multiple customers, even in the presence of potential IP address overlaps in their private data centers. By creating separate groups for each customer and allowing overlapping addresses within each group, the solution ensures efficient network management. Anycast addresses are assigned to the groups and effectively advertised to the ZTTs, facilitating seamless routing. Static routes are established on the connectors to enable smooth connectivity to the respective networks. With the implementation of a PBF rule template, DHCP addresses are accurately routed to the appropriate groups, ensuring that users can effortlessly access specific customer networks based on their selected project. This solution optimizes the ZTNA infrastructure, providing a positive user experience and efficient traffic routing.

Prisma Access

supports Explicit Proxy deployments in China.

Prisma Access offers a comprehensive solution for high-bandwidth IPSec termination, supporting large sites, automated load balancing, simplified onboarding, regional redundancy, single egress IP management, and compatibility with various SD-WAN solutions including Prisma SD-WAN. These features collectively enhance the scalability, performance, and reliability of remote site connectivity.

As your business scales and your office locations become geographically distributed, you can quickly onboard a branch site with a high bandwidth using a Prisma Access performant remote network, also known as a

Remote Network—High Performance

. These networks offer the following benefits:

On Dynamic Privilege Access enabled Prisma Access tenants, you can summarize routes when advertising the Mobile User (MU) routes to your on-premises network. Route summarization is beneficial for enterprises that have on-premises equipment that has limited capacity such as basic cloud routers. By reducing the demand on these devices, route summarization ensures that the devices won't exceed their route capacity when communicating with the data center.

To enable route summarization, configure global summary pools that consist of lists of large IP pools that can be used across multiple projects. Then, enable route summarization in the Prisma Access service connection. When a user uses the Prisma Access Agent to connect to a project that has an IP address within the range of the configured global summary pools, the service connection will advertise the global summary pool instead of the smaller project-level route. This helps reduce the number of routes that are sent to the network.

Use SC-NAT support for Dynamic Privilege Access (DPA) if you use DPA and have created service connections to access private apps in your data center or headquarters location. Multiple projects in your DPA environment can experience IP address exhaustion if the IP addresses of the Infrastructure Subnet overlap. To fix this issue, Prisma Access can implement source NAT (SNAT) for IP addresses, which:

One way to access a private app is by using a service connection, also known as a

Service Connection-Corporate Access Node

(SC-CAN). It can be difficult to connect to private apps using service connections because:

To solve this issue, Prisma Access has enhanced its routing infrastructure routing enhancements that:

This design offers the following benefits:

Prisma Access expands on the IP Optimization functionality by offering it for Explicit Proxy as well as Mobile Users—GlobalProtect.

For Mobile Users—GlobalProtect deployments, when a large number of users access a GlobalProtect gateway from a location, Prisma Access autoscales the location and adds another GlobalProtect gateway. IP Optimization uses a NAT layer so that the autoscaled gateway uses the same IP address as the previously allocated IP address, thus eliminating the need to add extra IP addresses to your organization's allow lists.

Prisma Access expands the NAT layer to Explicit Proxy Security Processing Nodes (SPNs) as well as Mobile User SPNs, reducing the need to allow list IP addresses for Explicit Proxy deployments. This Explicit Proxy NAT layer is beneficial if you're setting up a Mobile Users and Explicit Proxy deployment in Proxy Mode or Tunnel and Proxy Mode.

If you're a large organization using Traffic Replication, you can have the following challenges in deploying and using it:

Tools that consume the packet capture (PCAP) files require frequent queries of the buckets to cope with a large number of PCAP files. The tools might create overhead on the buckets and their use might be limited by the cloud providers.
When using the PCAP files for forensic analysis, accessing SSL decrypted traffic provides better efficacy, and a significant amount of the traffic is TLS 1.3 encrypted.

To solve these issues, Prisma Access offers these enhancements that allow third-party tools to be more efficient and easier to scale:

Prisma Access

Colo-Connect builds on the Colo-based performance hub concept, with high-bandwidth private connections along with Layer 2/3 connectivity to Prisma Access from existing performance hubs. Colo-Connect leverages the cloud native GCP interconnect technology to provide high-bandwidth service connections to your private applications. Go to

Monitor

Data Centers

Service Connections

to view and monitor your private connectivity to hybrid cloud and on-premises data centers over cloud interconnects.

To allow you to gain more information about your Prisma Access (managed by Strata Cloud Manager) deployments, the Software Information area in the Overview page (

Manage

Configuration

NGFW and Prisma Access

Overview

in Strata Cloud Manager and Prisma Access Version (

Panorama

Cloud Services

Configuration

Service Setup

) in Panorama provide you with the following information:

With commitless onboarding enhancement, you have an improved experience when onboarding, modifying, or removing applications. The previous delay of 5-10 minutes is eliminated, resulting in a faster process. Your application onboarding time now takes less than 1 minute, allowing you to quickly and efficiently manage your applications. Additionally, the enhanced scale of the ZTNA Connector caters to the needs of large customers who manage more than 10,000 applications. You have the capability to onboard a larger number of applications, providing you with greater flexibility and efficiency in your operations.