Panorama Managed Prisma Access FedRAMP Requirements

Follow these rules to make sure that your Prisma Access deployment stays in compliance with FedRAMP Moderate.
FedRAMP is the program used by the United States government that provides a standard approach to compliance for cloud service offerings (CSOs). To make sure that your Panorama Managed Prisma Access is compliant with FedRAMP Moderate, use these guidelines and requirements when installing, activating, setting up for the first time, and configuring Prisma Access.

Pre-Installation and Product Activation Requirements

To make sure that your Prisma Access deployment stays in compliance, be sure to follow these installation and product activation requirements.
  • Pre-Installation Requirements:
    • Deployment Type (New or Existing)
      —New Prisma Access deployments are supported in a FedRAMP Moderate environment. Upgrades from an existing Prisma Access deployment to a FedRAMP Moderate Prisma Access deployment are not supported.
    • Required SKUs
      —When you purchase Prisma Access for a FedRAMP Moderate deployment, Prisma Access requires SKUs that are specific to the FedRAMP environment. Work with your authorized Palo Alto Networks representative or partner to make sure that you purchase the correct SKUs for your FedRAMP Moderate deployment.
    • Required Panorama Version
      —Use only the Panorama versions listed in Required Panorama, Plugin, and PAN-OS Dataplane Versions.
    • Required GlobalProtect Version
      —Use only the GlobalProtect versions listed in Required Panorama, Plugin, and PAN-OS Dataplane Versions.
    • Required Cloud Services Plugin Version
      —Use only the Cloud Services plugin version listed in Required Panorama, Plugin, and PAN-OS Dataplane Versions.
    • Allow List Cortex Data Lake Public IP Addresses
      —The IP address block that is used by the Cortex Data Lake federal region is 34.67.50.64/28. If your enterprise uses allow lists, be sure to add these IP addresses to your allow lists to make sure that Cortex Data Lake can receive the logs from Prisma Access.
    • Changes to API URLs
      —When you run the API script to retrieve the public IP addresses that are used by Prisma Access, change the URL for the API from https://api.gpcloudservice.com/GetPrismaAccessIP/v2 to https://api.fed.prismaaccess.com/GetPrismaAccessIP/v2.
      If your Panorama appliance uses a proxy server (Panorama > Setup > Service > Proxy Server), or if you use SSL forward proxy decryption with Prisma Access, be sure to add the api.fed.prismaaccess.com URL to your allow list on the proxy or proxy server.
    • GlobalProtect Portal Name Change
      —The default portal hostname for a Prisma Access FedRAMP Mobile Users—GlobalProtect deployment is different from a non-FedRAMP deployment. The portal name is <portal-name>.fed.prismaaccess.com instead of <portal-name>.gpcloudservice.com.
    • Support Requirements
      —Prisma Access FedRAMP Moderate requires Palo Alto Networks US Government Support Services, which includes 24x7 support for United States personnel on United States soil.
  • Activation Requirements
    —When you activate and install your Panorama Managed Prisma Access deployment, the activation and installation tasks are similar to a non-FedRAMP deployment. However, you must select a Cortex Data Lake region of United States—Government during product activation.
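
The allow-list and hostname requirements above can be checked mechanically before activation. The following is an added example, not Palo Alto Networks code: it reports which parts of 34.67.50.64/28 an allow list leaves uncovered and flags gpcloudservice.com hostnames that still need the fed.prismaaccess.com form. The function names and the sample inputs are constructed for illustration.

```python
import ipaddress
import re

# Values taken from the requirements listed above.
CDL_FED_BLOCK = ipaddress.ip_network("34.67.50.64/28")
LEGACY_DOMAIN = "gpcloudservice.com"
FED_DOMAIN = "fed.prismaaccess.com"
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)*gpcloudservice\.com\b", re.I)


def uncovered_cdl_ranges(allow_list):
    """Return the parts of the Cortex Data Lake federal block that the
    allow-list entries (CIDR strings or single IPs) do not cover."""
    remaining = [CDL_FED_BLOCK]
    for entry in allow_list:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != 4:
            continue                      # the federal block is IPv4 only
        still_open = []
        for r in remaining:
            if r.subnet_of(net):          # entry covers this piece entirely
                continue
            if net.subnet_of(r):          # entry covers part of this piece
                still_open.extend(r.address_exclude(net))
            else:                         # entry is unrelated to this piece
                still_open.append(r)
        remaining = still_open
    return sorted(ipaddress.collapse_addresses(remaining))


def legacy_endpoints(text):
    """Map each non-FedRAMP hostname found in text (a script or config)
    to the hostname the FedRAMP requirements call for."""
    found = {}
    for match in HOST_RE.finditer(text):
        host = match.group(0).lower()
        found[host] = host[: -len(LEGACY_DOMAIN)] + FED_DOMAIN
    return found


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real deployment.
    allow_list = ["34.67.50.64/29", "10.0.0.0/8"]
    config = ("API_URL=https://api.gpcloudservice.com/GetPrismaAccessIP/v2\n"
              "PORTAL=example-portal.gpcloudservice.com\n")
    for gap in uncovered_cdl_ranges(allow_list):
        print("allow list does not cover", gap)
    for old, new in legacy_endpoints(config).items():
        print("replace", old, "with", new)
```

An empty result from `uncovered_cdl_ranges` means the whole /28 is allowed; an allow list holding only part of the block would otherwise let some Cortex Data Lake log traffic be dropped.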

Required Panorama, Plugin, and PAN-OS Dataplane Versions

To ensure that Prisma Access stays in compliance with FedRAMP Moderate requirements, make sure that your Panorama Managed Prisma Access deployment uses the following Panorama, Cloud Services plugin, and GlobalProtect versions.
Component and required version:
  • Panorama PAN-OS version: 10.1.6 with Federal Information Processing Standard and Common Criteria (FIPS-CC) mode enabled.
    • You must enable FIPS-CC support on the Panorama that manages Prisma Access, which requires accessing the Maintenance Recovery Tool (MRT).
    • To simplify the installation and activation process, you can select an existing Panorama you have already configured in FIPS mode, if you have registered Panorama, installed the licenses, and activated the support license on the Customer Support Portal (CSP). If you have added the Panorama serial number to the same CSP account on which you want to deploy Prisma Access, you can select the serial number of this Panorama appliance during installation.
    • You cannot use a Panorama that has been used to manage another Prisma Access or Cortex Data Lake deployment.
  • Cloud Services plugin version: 2.2.0-h42 (Preferred) and 3.0.0-h24
  • GlobalProtect version: 5.1.4+
    • 5.1.4 is FIPS certified and is the default version to use for Federal Government-based deployments. If you change the default GlobalProtect version from 5.1.4, you cannot select version 5.1.4 from the Panorama UI and must open a Support case with Palo Alto Networks Technical Support to add it back.

Supported Prisma Access FedRAMP Locations

The following locations are authorized for use with Prisma Access in a FedRAMP Moderate environment, which includes support for locations in the continental United States (CONUS) and outside the continental United States (OCONUS):
  • Australia Southeast
  • Belgium
  • Brazil South
  • Canada East
  • Finland
  • Germany Central
  • India West
  • Japan Central
  • Japan South
  • Netherlands Central
  • Singapore
  • Switzerland
  • Taiwan
  • United Kingdom
  • US Central
  • US East
  • US Northwest
  • US Southeast
  • US Southwest

Supported and Unsupported Features in a Prisma Access FedRAMP Deployment

IPv6 for private app access is supported in a Prisma Access FedRAMP Moderate environment.
The following apps and features are not supported for use in a Prisma Access FedRAMP Moderate environment:
