Configure a Prisma Access FedRAMP Deployment

How to configure a Panorama Managed Prisma Access deployment in a FedRAMP Moderate environment.
After you have completed the requirements to install Prisma Access on the Panorama that manages Prisma Access, finish setting up the Prisma Access deployment for a FedRAMP Moderate environment with the following steps.
Before you start, make a note of the requirements and guidelines that are specific to a Prisma Access FedRAMP deployment, including configuring the Panorama appliance in FIPS-CC mode and the specific versions that are required for Panorama, the Cloud Services Plugin, and GlobalProtect.
  1. Make sure that you have a Customer Support Portal (CSP) account that you can dedicate exclusively for your FedRAMP deployments.
    You cannot have FedRAMP and non-FedRAMP deployments in a single CSP account. For this reason, Palo Alto Networks recommends that you create a new CSP account to be used for FedRAMP accounts only.
  2. Prepare your Panorama appliance to be used in a Prisma Access FedRAMP environment.
    1. Install the Panorama appliance (either an M-series appliance or a virtual appliance).
    2. Enable Federal Information Processing Standard and Common Criteria (FIPS-CC) support on the Panorama appliance.
      Enabling FIPS support requires accessing the Maintenance Recovery Tool (MRT).
    3. Upgrade your Panorama version to 10.0.7 or 10.0.8-h8.
  3. You must select a Cortex Data Lake region of United States—Government during product activation.
  4. Add the following URLs, IP addresses, and ports to an allow list on any security appliance that you use with the Panorama appliance that manages Prisma Access.
    In addition, if your Panorama appliance uses a proxy server, or if you use SSL forward proxy with Prisma Access, be sure to add the following URLs, IP addresses, and ports to an allow list on the proxy or proxy server.
    • (for Prisma Access)
    • (for Prisma Access)
    • (for Prisma Access)
    • (for Prisma Access)
      The IP address block that is used by the Cortex Data Lake federal region is Add these IP addresses to your allow list so that Cortex Data Lake can receive the logs from Prisma Access.
  5. Open a case in the Customer Support Portal (CSP) to have Palo Alto Networks allow list the source and destination ports for Cortex Data Lake.
    To use Cortex Data Lake in a Prisma Access environment, you must create a case so that Palo Alto Networks can allow list the source and destination ports internally.
  6. Select
    and enter
    FedRAMP deployments require that you use the WildFire U.S. Government cloud.
  7. Plan To Deploy Prisma Access for Mobile Users and secure mobile users with GlobalProtect, if required for your deployment.
    We recommend using local authentication as a first step to verify that the service is set up and your users have internet access. You can later switch to using your corporate authentication methods.
    1. Configure zones for mobile users.
      1. Create two zones in the Mobile User Template. For example, Mobile-Users and Internet.
      2. Map the zones. You should map any zone that is not Prisma Access connected users or HQ or branch offices to Untrust. Under Cloud Services, Mobile Users, map Internet to Untrust and Mobile-Users to Trust.
    2. Configure Security policies for the device group.
      To create a Security policy to allow traffic to the Internet, select the Mobile_User_Device_Group and add a rule. For example: Mobile-Users to Internet.
    3. Commit and push your changes to get started with the service.
      1. Commit locally on Panorama.
      2. Commit and Push to Prisma Access.
      3. Select Cloud Services, Mobile Users to view the
        and verify that you can ping the Portal FQDN.
    4. Validate that Prisma Access is securing Internet traffic for mobile users.
      1. Use the app to connect to the portal as a mobile user (local user).
      2. Browse to a few websites on the internet and check the traffic logs on Panorama.
  8. (Mobile Users—GlobalProtect Deployments Only) Create an authentication override certificate in your Mobile Users—GlobalProtect deployment that meets the requirements for a Panorama running in FIPS mode and apply that certificate to your deployment.
    You must generate a new certificate because the default certificate for Mobile Users—GlobalProtect, Authentication Cookie CA, does not meet the minimum cipher suite requirements for a Panorama that is running in FIPS-CC mode.
    1. From the Panorama that manages Prisma Access, select Certificate Management, Device Certificates, and be sure that you are in the
    2. Generate a certificate that meets the minimum cipher suite requirements for a Panorama in FIPS-CC mode.
    3. Select Cloud Services, Mobile Users—GlobalProtect, select the
      , and in the Client Authentication area, select the Authentication Override Certificate you created.
      If you have already created your Mobile Users—GlobalProtect configuration, this area is grayed out. To change the authentication override certificate, select
      and select this certificate under the Certificate to Encrypt/Decrypt Cookie
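    The page does not spell out which certificate parameters a Panorama in FIPS-CC mode accepts, so the script below is an added example (not Palo Alto Networks code) that generates a candidate authentication-override CA certificate with openssl and checks it against minimums assumed here for illustration: an RSA key of at least 2048 bits and a SHA-256 or stronger signature. Confirm the actual requirements for your Panorama release before relying on these thresholds; the certificate itself is still created and applied through the Panorama UI as described in the steps above.

```bash
#!/bin/sh
# Added example, not from the Prisma Access documentation.
# ASSUMPTION: FIPS-CC minimums modelled as RSA >= 2048 bits and a SHA-2 signature;
# the page does not list the exact values, so adjust to your release's requirements.
set -eu

# Generate a self-signed CA certificate and key with openssl.
# $1 = RSA key size in bits, $2 = output file prefix (writes $2.key and $2.crt).
gen_cert() {
  bits="$1"; prefix="$2"
  openssl req -x509 -newkey "rsa:${bits}" -nodes -sha256 -days 365 \
    -subj "/CN=Prisma-Access-Auth-Override-CA" \
    -keyout "${prefix}.key" -out "${prefix}.crt" >/dev/null 2>&1
}

# Inspect a PEM certificate and print "ok" when the key size and signature hash
# meet the assumed minimums, otherwise "fail".
check_fips_cert() {
  cert="$1"
  text=$(openssl x509 -in "$cert" -noout -text)
  # Key size from the "Public-Key: (NNNN bit)" line.
  bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n1)
  # Signature algorithm from the first "Signature Algorithm:" line.
  sig=$(printf '%s\n' "$text" | sed -n 's/.*Signature Algorithm: \(.*\)/\1/p' | head -n1)
  case "$sig" in
    sha256WithRSAEncryption|sha384WithRSAEncryption|sha512WithRSAEncryption) sig_ok=1 ;;
    *) sig_ok=0 ;;
  esac
  if [ "${bits:-0}" -ge 2048 ] && [ "$sig_ok" -eq 1 ]; then
    echo ok
  else
    echo fail
  fi
}

# Constructed demonstration: one certificate that meets the assumed minimums
# and one 1024-bit certificate that does not.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
gen_cert 2048 "$workdir/good"
gen_cert 1024 "$workdir/weak"
echo "2048-bit RSA, SHA-256: $(check_fips_cert "$workdir/good.crt")"
echo "1024-bit RSA, SHA-256: $(check_fips_cert "$workdir/weak.crt")"
```

    Run the check against the PEM export of any certificate you intend to use as the Authentication Override Certificate; a result of fail means at least one of the assumed minimums is not met and the certificate should be regenerated rather than applied.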
  9. Enable the service infrastructure and service connections that allow communication between Prisma Access elements.
    1. Create a service connection to allow access to your corporate resources.
      If you don’t require access to your corporate resources, you should still create a service connection to enable access between mobile users and remote networks.
  10. Plan, create, and configure remote network connections.
    1. Add one or more remote networks to Prisma Access.
      You can onboard one location and then add additional locations using the bulk import capability.
    2. Create a Security policy rule to allow traffic from the remote networks to HQ (for example, Trust to Trust).
    3. Validate the connectivity between the service connection, remote network connection, and mobile users.
  11. You add these addresses to an allow list on your organization’s network to limit inbound access to your enterprise network and applications.
  12. (
    ) Change the authentication method from local authentication to your organization’s authentication method.
    Use one of the following methods to set up SAML authentication for mobile users:
    While you can use the Cloud Identity Engine to retrieve user and group information using the Cloud Identity Engine after you set up authentication, you cannot authenticate users using only the Cloud Identity Engine.
  13. (
    ) Forward logs from Cortex Data Lake to an external Syslog receiver by setting up the Log Forwarding app.