Prisma Access configuration can be shared across your
entire environment, or you can create configuration that is specific
to a deployment type (mobile users, remote networks, or service
Prisma Access configuration can apply
globally across your entire environment, or you can create configuration
that is specific to a deployment type (mobile users, remote networks,
or service connection sites).
Configuration that can be applied at the global
or local-level includes security policy, decryption, identity services,
and network services.
rules help you to easily manage and enforce security
policy requirements that apply in all cases.
All rules, objects,
and profiles that you create at the global level, can be leveraged
in local configurations.
as possible, we recommend that you work in the global configuration
that applies across the Prisma Access service. Only create local
configuration to address use cases that are unique to that part
of your organization.
rules and objects apply to the deployments where they
make sense, either mobile users, remote networks, or service connections.
See and Switch Configuration Scope
When it applies, you’ll always see the configuration
scope at the top of the page, and you can also toggle between configuration
Depending on the context you’re working in, you might also see
a Location column displayed for rules or profiles. This column indicates
the rule or profile’s configuration location: Prisma Access, Mobile
Users, Remote Networks, or Service Connection.
Pre-Rules and Post-Rules
For security rules at the global level (meaning, they’re
shared across the entire Prisma Access service), you can decide
if the rule should be enforced ahead of local rules or after local
rules. In Prisma Access, these are called pre-rules and post-rules.
are global rules that
take precedence over deployment-specific rules and Prisma Access
applies these to traffic first.
are global rules that Prisma
Access applies to traffic only after global pre-rules and local
rules are applied.
When you’re setting up a global policy rule, specify for it to
When you’re looking at your security policy rulebase, you can
easily identify pre- and post-rules and distinguish them from local