Set Up Prisma Access

Set Up Prisma Access

Table of Contents

Set Up Prisma Access

Provides quick steps to implement Prisma Access
The following sections provide you with the summary steps that you take to install and configure Prisma Access and information about proxy server support between Panorama, Prisma Access, and Cortex Data Lake.

Prisma Access Onboarding and Configuration Workflow

The following workflow provides you with the summary steps that you take to install and configure Prisma Access
If you are setting up a deployment that includes multiple instances of Prisma Access on a single Panorama (multitenancy), see Manage Multiple Tenants in Prisma Access. Most organizations do not have a need to create and manage multiple tenants.
  1. Add the following URLs and ports to an allow list on any security appliance that you use with the Panorama appliance that manages Prisma Access.
    In addition, if your Panorama appliance uses a proxy server (
    Proxy Server
    ), or if you use SSL forward proxy with Prisma Access, be sure to add the following URLs and ports to an allow list on the proxy or proxy server.
  2. Add the ports used by Panorama to allow lists in your network.
  3. Import your existing Panorama configuration to Prisma Access, or create new templates and device groups to begin configuration of Prisma Access.
    In order to push configuration—such as security policy, authentication policy, server profiles, security profiles, address objects, and application groups—to Prisma Access, you must either create new templates and device groups with the configuration settings you want to push to Prisma Access, or leverage your existing device groups and templates by adding them to the template stacks and device group hierarchies that get created when you onboard the service.
    Configuration is simplified in Prisma Access because you do not have to configure any of the infrastructure settings, such as interfaces and routing protocols. This configuration is automated and pushed from Panorama in the templates and device groups that the service creates automatically. You can configure any infrastructure settings that are required by the service, such as settings required to create IPSec VPN tunnels to the IPSec-capable devices at your remote network locations, directly from the plugin. Optionally, you can add templates and device group hierarchies to the configuration to simplify the service setup.
    To simplify the service setup, create or import the templates and device groups you need before you begin the setup tasks for using Prisma Access.
    When creating templates and device groups for Prisma Access, you do not need to assign managed devices to it. Instead, you will add them to the template stacks and device group hierarchies created by the service. Do not add any of the templates or device groups created by Prisma Access to any other template stacks or device groups.
    Also note that some settings that are available in a non-Prisma Access template or device group may not be supported in Prisma Access. See What Features Does Prisma Access Support? for a list of supported features.
  4. Sign up for email alert notifications using the Prisma Access app.
    Prisma Access provides you with notifications about the service, including any dataplane upgrades, using notifications from this app.
  5. Change the default master key for Panorama and in the Cloud Services plugin.
    Palo Alto Networks recommends changing the master key in Panorama and in the Cloud Services plugin as a security best practice and that you change the master key monthly.
    Because the Panorama and Prisma Access master keys do not synchronize, Palo Alto Networks recommends that you do not automatically rotate the master key in Panorama without also synchronizing the master key in Prisma Access. You can use the Panorama UI or API commands to change the master keys.
    Be sure to keep track of the master key you deploy because master keys cannot be recovered. When a master key expires, you must enter the current master key in order to configure a new master key. You must reset your Panorama appliance to factory default if you cannot provide the current master key when it expires.
      1. Select
        Master Key and Diagnostics
        Do not specify a
        Current Master Key
      2. Configure the
        New Master Key
        Confirm Master Key
        Make a note of the master key you configured.
      3. Configure the master key Lifetime and Time for Reminder.
      4. Click
    1. Change the master key for Prisma Access by selecting
      Cloud Services
      Service Operations
      Edit master key
      , then entering the same master key you entered for Panorama.
    You can also change the master key by using API commands. This requires two steps–one to change the Panorama master key and one to change the Prisma Access master key. Use the following API commands to change the master key:
    • Panorama:
      XML API
      Operational Commands
    • Prisma Access:
      XML API
      Operational Commands
  6. Enable the service infrastructure and service connections that allows communication between Prisma Access elements.
    1. Create a service connection to allow access to your corporate resources.
      If you don’t require access to your corporate resources, you should still create a service connection to enable access between mobile users and remote networks.
  7. Plan To Deploy Prisma Access for Mobile Users and secure mobile users with GlobalProtect or an explicit proxy, as required for your deployment.
    We recommend using local authentication as a first step to verify that the service is set up and your users have internet access. You can later switch to using your corporate authentication methods.
    1. Configure zones for mobile users.
      1. Create two zones in the Mobile User Template. For example, Mobile-Users and Internet.
      2. Map the zones. You should map any zone that is not Prisma Access connected users or HQ or branch offices to Untrust.
        Cloud Services
        Mobile Users
        , map Internet to Untrust; Mobile-Users to Trust.
    2. Configure Security policies for the device group.
      To create a Security policy to allow traffic to the Internet, select the Mobile_User_Device_Group
      a rule. For example: Mobile-Users to Internet.
    3. Commit and push your changes to get started with the service.
      1. Commit
        locally on Panorama.
      2. Commit and Push
        to Prisma Access.
      3. Select
        Cloud Services
        Mobile Users
        to view the
        and verify that you can ping the Portal FQDN.
    4. Validate that Prisma Access is securing Internet traffic for mobile users.
      1. Use the app to connect to the portal as a mobile user (local user).
      2. Browse to a few websites on the internet and check the traffic logs on Panorama.
  8. Plan, create, and configure remote network connections.
    1. Add one or more remote networks to Prisma Access.
      You can onboard one location and then add additional locations using the bulk import capability.
    2. Create a Security policy rule to allow traffic from the remote networks to HQ (For example: Trust to Trust).
    3. Validate the connectivity between the service connection, remote network connection, and mobile users.
  9. You add these addresses to an allow list on your organization’s network to limit inbound access to your enterprise network and applications.
  10. (
    ) Change the authentication method from local authentication to your organization’s authentication method.
    1. Create an authentication profile that meets your organization’s requirements (LDAP, RADIUS, etc).
    2. If your organization uses an on-premises authentication server such as RADIUS or Active Directory, add the IP addresses that Prisma Access uses as its source IP address for internal requests () to allow lists in your network, or allow the IP addresses of the entire Infrastructure Subnet (Prisma Access takes the loopback IP address from this subnet).
    3. Update the Authentication Profile for the Prisma Access portal and gateway to use this new authentication profile.
  11. (
    ) Forward logs from Cortex Data Lake to an external Syslog receiver by setting up the Log Forwarding app.

Proxy Support for Prisma Access and Cortex Data Lake

If you have deployed a proxy server between Panorama, the Prisma Access infrastructure, and Cortex Data Lake, refer to the following table for details on the expected behavior:
Support through a Proxy Server that does not perform SSL Decryption
Support through a Proxy Server that performs SSL Decryption
Initial onboarding to Cortex Data Lake with Certificate Revocation Status checks using OCSP
Only pass-through proxies are supported; any proxy using SSL decryption is not supported.
Panorama Queries to Cortex Data Lake for Reports and Logs
If the proxy server is the default route on Panorama, you cannot view the data on the ACC and
You can view data on the ACC and
pages if Panorama has an alternate route to the Cortex Data Lake and you can bypass the proxy server.

Recommended For You