Panorama Managed Prisma Access FedRAMP Requirements
Follow these rules to make sure that your Prisma Access deployment stays in compliance with FedRAMP Moderate.
FedRAMP is the program used by the United States government that provides a standard approach to compliance for cloud service offerings (CSOs). To make sure that your Panorama Managed Prisma Access is compliant with FedRAMP Moderate, use these guidelines and requirements when installing, activating, setting up for the first time, and configuring Prisma Access.
Pre-Installation and Product Activation Requirements
To make sure that your Prisma Access deployment stays in compliance, be sure to follow these installation and product activation requirements.
- Pre-Installation Requirements:
- Deployment Type (New or Existing)—New Prisma Access deployments are supported in a FedRAMP Moderate environment. Upgrades from an existing Prisma Access deployment to a FedRAMP Moderate Prisma Access deployment are not supported.
- Required SKUs—When you purchase Prisma Access for a FedRAMP Moderate deployment, Prisma Access requires SKUs that are specific to the FedRAMP environment. Work with your authorized Palo Alto Networks representative or partner to make sure that you purchase the correct SKUs for your FedRAMP Moderate deployment.
- Allow List Cortex Data Lake Public IP Addresses—The IP address block that is used by the Cortex Data Lake federal region is 220.127.116.11/28. If your enterprise uses allow lists, be sure to add these IP addresses to your allow lists to make sure that Cortex Data Lake can receive the logs from Prisma Access.
- Changes to API URLs—When you run the API script to retrieve the public IP addresses that are used by Prisma Access, change the URL for the API from https://api.gpcloudservice.com/GetPrismaAccessIP/v2 to https://api.fed.prismaaccess.com/GetPrismaAccessIP/v2. If your Panorama appliance uses a proxy server (Panorama > Setup > Service > Proxy Server), or if you use SSL forward proxy decryption with Prisma Access, be sure to add the api.fed.prismaaccess.com URL to your allow list on the proxy or proxy server.
- GlobalProtect Portal Name Change—The default portal hostname for a Prisma Access FedRAMP Mobile Users—GlobalProtect deployment is different from a non-FedRAMP deployment. The portal name is <portal-name>.fed.prismaaccess.com instead of <portal-name>.gpcloudservice.com.
- Support Requirements—Prisma Access FedRAMP Moderate requires Palo Alto Networks US Government Support Services, which includes 24x7 support for United States personnel on United States soil.
- Activation Requirements—When you activate and install your Panorama Managed Prisma Access deployment, the activation and installation tasks are similar to a non-FedRAMP deployment. However, you must select a Cortex Data Lake region of United States—Government during product activation.
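A pre-flight check for the endpoint and allow-list items in the list above, as an added example (not Palo Alto Networks code). The configuration keys and sample values are constructed for illustration; the API host, the Cortex Data Lake block and the portal domain are the ones stated above.

```python
import ipaddress
from urllib.parse import urlsplit

# Values stated in the requirements list above.
FED_API_HOST = "api.fed.prismaaccess.com"
COMMERCIAL_SUFFIX = ".gpcloudservice.com"
# Written as on the page; strict=False below reads it as its enclosing /28.
CDL_FED_BLOCK = "220.127.116.11/28"


def cdl_block_allowed(allow_list, block=CDL_FED_BLOCK):
    """True if the allow-list entries together cover every address in the block."""
    nets = [ipaddress.ip_network(e, strict=False) for e in allow_list]
    target = ipaddress.ip_network(block, strict=False)
    return all(any(addr in n for n in nets) for addr in target)


def preflight(cfg):
    """Return findings for a deployment description; an empty list means none."""
    findings = []
    api_host = (urlsplit(cfg["ip_api_url"]).hostname or "").lower()
    if api_host != FED_API_HOST:
        findings.append(f"IP API script targets {api_host!r}, expected {FED_API_HOST}")
    if not cdl_block_allowed(cfg["ip_allow_list"]):
        findings.append(f"allow list does not fully cover {CDL_FED_BLOCK}")
    proxy_hosts = {h.lower() for h in cfg["proxy_allow_list"]}
    if cfg["uses_proxy"] and FED_API_HOST not in proxy_hosts:
        findings.append(f"proxy allow list is missing {FED_API_HOST}")
    portal = cfg["portal_hostname"].lower().rstrip(".")
    if portal.endswith(COMMERCIAL_SUFFIX):
        findings.append(f"portal {portal} uses the non-FedRAMP default domain")
    return findings


# Constructed sample: hypothetical keys, values carried over from a commercial setup.
SAMPLE = {
    "ip_api_url": "https://api.gpcloudservice.com/GetPrismaAccessIP/v2",
    "ip_allow_list": ["220.127.116.0/29"],       # covers only half of the /28
    "uses_proxy": True,                          # proxy or SSL forward proxy in path
    "proxy_allow_list": ["updates.example.com"],
    "portal_hostname": "acme.gpcloudservice.com",
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE):
        print("FINDING:", finding)
```

The allow-list check passes when a supernet or several smaller entries together cover the block, and fails on partial coverage, which is the case most likely to drop logs silently.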
Required Panorama, Plugin, and PAN-OS Dataplane Versions
To ensure that Prisma Access stays in compliance with FedRAMP Moderate requirements, make sure that your Panorama Managed Prisma Access deployment uses the following Panorama, Cloud Services plugin, and GlobalProtect versions.
Panorama PAN-OS version
10.1.6 with Federal Information Processing Standard and Common Criteria (FIPS-CC) mode enabled.
To simplify the installation and activation process, you can select an existing Panorama you have already configured in FIPS mode, if you have registered Panorama, installed the licenses, and activated the support license on the Customer Support Portal (CSP). If you have added the Panorama serial number to the same CSP account on which you want to deploy Prisma Access, you can select the serial number of this Panorama appliance during installation.
You cannot use a Panorama that has been used to manage another Prisma Access or Cortex Data Lake deployment.
Cloud Services plugin version
2.2.0-h42 Preferred and 3.0.0-h24
Supported Prisma Access FedRAMP Locations
The following locations are authorized for use with Prisma Access in a FedRAMP Moderate environment, which includes support for locations in the continental United States (CONUS) and outside the continental United States (OCONUS):
- Australia Southeast
- Brazil South
- Canada East
- Germany Central
- India West
- Japan Central
- Japan South
- Netherlands Central
- United Kingdom
- US Central
- US East
- US Northwest
- US Southeast
- US Southwest
Supported and Unsupported Features in a Prisma Access FedRAMP
IPv6 support for private app access is supported in a Prisma Access FedRAMP Moderate environment.
The following apps and features are not supported for use in a Prisma Access FedRAMP Moderate environment: