Panorama Managed Prisma Access FedRAMP Requirements
Table of Contents
Panorama Managed Prisma Access FedRAMP Requirements
Follow these rules to make sure that your Prisma Access
deployment stays in compliance with FedRAMP Moderate.
FedRAMP is the program used by the United States government
that provides a standard approach to compliance for cloud service
offerings (CSOs). To make sure that your Panorama Managed Prisma
Access is compliant with FedRAMP Moderate, use these guidelines
and requirements when installing, activating, setting up for the
first time, and configuring Prisma Access.
Pre-Installation and Product Activation Requirements
To make sure that your Prisma Access deployment stays
in compliance, be sure to follow these installation and product
activation requirements.
- Pre-Installation Requirements:
- Deployment Type (New or Existing)—New Prisma Access deployments are supported in a FedRAMP Moderate environment. Upgrades from an existing Prisma Access deployment to a FedRAMP Moderate Prisma Access deployment are not supported.
- Required SKUs—When you purchase Prisma Access for a FedRAMP Moderate deployment, Prisma Access requires SKUs that are specific to the FedRAMP environment. Work with your authorized Palo Alto Networks representative or partner to make sure that you purchase the correct SKUs for your FedRAMP Moderate deployment.
- Required Panorama Version—Use only the Panorama versions listed in Required Panorama, Plugin, and PAN-OS Dataplane Versions.
- Required GlobalProtect Version—Use only the GlobalProtect versions listed in Required Panorama, Plugin, and PAN-OS Dataplane Versions.
- Required Cloud Services Plugin Version—Use only the Cloud Services plugin version listed in Required Panorama, Plugin, and PAN-OS Dataplane Versions.
- Allow List Cortex Data Lake Public IP Addresses—The IP address block that is used by the Cortex Data Lake federal region is 34.67.50.64/28. If your enterprise uses allow lists, be sure to add these IP addresses to your allow lists to make sure that Cortex Data Lake can receive the logs from Prisma Access.
- Changes to API URLs—When you run the API script to retrieve the public IP addresses that are used by Prisma Access, change the URL for the API fromhttps://api.gpcloudservice.com/GetPrismaAccessIP/v2tohttps://api.fed.prismaaccess.com/GetPrismaAccessIP/v2.If your Panorama appliance uses a uses a proxy server (), or if you use SSL forward proxy decryption with Prisma Access, be sure to add the api.fed.prismaaccess.com URL to your allow list on the proxy or proxy server.
- GlobalProtect Portal Name Change—The default portal hostname for a Prisma Access FedRAMP Mobile Users—GlobalProtect deployment is different from a non-FedRAMP deployment. The portal name is<portal-name>.fed.prismaaccess.com. instead of<portal-name>.gpcloudservice.com.
- Support Requirements—Prisma Access FedRAMP Moderate requires Palo Alto Networks US Government Support Services, which includes 24x7 support for United States personnel on United States soil.
- Activation Requirements—When you activate and install your Panorama Managed Prisma Access deployment, the activation and installation tasks are similar to a non-FedRAMP deployment. However you must select aCortex Data Lakeregion ofUnited States—Governmentduring product activation.
Required Panorama, Plugin, and PAN-OS Dataplane Versions
To ensure that Prisma Access stays in
compliance with FedRAMP Moderate requirements, make sure that your
Panorama Managed Prisma Access deployment uses the following Panorama,
Cloud Services plugin, and GlobalProtect versions.
Component | Required Version |
|---|---|
Panorama PAN-OS version | 10.2.8-h3 or a later 10.2.8 hotfix PAN-OS version 10.2.9-h1 or a later 10.2.9 hotfix PAN-OS version Enabling the Processing Standard and Common Criteria (FIPS-CC) on the
Panorama that manages Prisma Access is the recommended best
practice aligned with FedRAMP controls. Enabling FIPS-CC support
on Panorama requires accessing the Maintenance Recovery Tool
(MRT). To simplify the installation and activation process, you can
select an existing Panorama you have already configured in
FIPS mode, if you have registered Panorama, installed the
licenses, and activated the support license on the Customer Support Portal
(CSP). If you have added the Panorama serial
number to the same CSP account on which you want to deploy
Prisma Access, you can select the serial number of this
Panorama appliance during installation. You cannot use a Panorama that has been used to manage another
Prisma Access or Cortex Data Lake deployment. |
Cloud Services plugin version |
|
GlobalProtect version | 5.1.4+ and 6.0.7+ 5.1.4 is FIPS certified and is the default version to use for
Federal Government-based deployments. If you change the default
GlobalProtect version from 5.1.4, you cannot select
version 5.1.4 from the Panorama UI and must open a Support case with Palo
Alto Networks Technical Support to add it back. |
Supported Prisma Access FedRAMP Locations
The following locations are authorized for use with
Prisma Access in a FedRAMP Moderate environment, which includes
support for locations in the continental United States (CONUS) and
outside the continental United States (OCONUS):
- Australia Southeast
- Belgium
- Brazil South
- Canada East
- Finland
- Germany Central
- India West
- Japan Central
- Japan South
- Netherlands Central
- Singapore
- Switzerland
- Taiwan
- United Kingdom
- US Central
- US East
- US Northwest
- US Southeast
- US Southwest
Supported and Unsupported Features in a Prisma Access FedRAMP
Deployment
IPv6 support for private app
access is supported in a Prisma Access FedRAMP Moderate environment.
The following apps and features are not supported for use in
a Prisma Access FedRAMP Moderate environment: