Prisma Access
Prisma Access Overview
Prisma Access delivers consistent security to all your
users—at headquarters, office branches, and on the road. Learn more
about how Prisma Access works.
To keep your applications and data safe, you must secure all users at all locations all the time.
But how do you do this when your footprint is expanding globally, more and more of your
users are mobile, and your applications and data are moving out of your network and into
the cloud? Prisma Access enables this consistent security by safely enabling your
users to access cloud and data center applications as well as the internet, whether they
are at your headquarters, branch offices, or on the road. Prisma Access consistently
inspects all traffic across all ports, enabling secure access to the internet, as well
as to your sanctioned SaaS applications, public cloud environments, and data centers and
headquarters. Threat prevention, malware prevention, URL filtering, SSL decryption, and
application-based policy capabilities are built-in to provide you with the same level of
security no matter where your users are or what resources they are accessing. All Prisma
Access logs are stored in the Strata Logging Service, providing centralized analysis,
reporting, and forensics across all users, applications, and locations.
Prisma Access delivers protection at scale with global coverage
so you don’t have to worry about things like sizing and deploying
hardware firewalls at your branches or building out and managing
appliances in colocation facilities. Prisma Access provides the
network infrastructure to connect all of your remote branches, your
headquarters sites, data centers, and mobile users without requiring
you to build out your own global security infrastructure and expand
your operational capacity.
With Prisma Access, Palo Alto Networks deploys and manages the security infrastructure globally
to secure your remote networks and mobile users. Prisma Access encrypts the data
end-to-end between Mobile User Security Processing Nodes (MU-SPNs) and Remote Network
Security Processing Nodes (RN-SPNs), between SPNs and Service Connection Corporate
Access Nodes (SC-CANs), and between SC-CANs and the datacenter.
- Service Infrastructure—Prisma Access uses an internal service infrastructure to secure your organization’s network. You supply a subnet for the infrastructure, and Prisma Access uses the IP addresses within this subnet to establish a network infrastructure between your remote network locations and mobile users, and service connections to your internal network resources (if applicable). Internal communication within the cloud is established using dynamic routing.
- Service Connections—If your Prisma Access license includes it, you have the option to establish IPSec tunnels to allow communication between internal resources in your network and mobile users and users in your remote network locations. You could, for example, create a service connection to an authentication server in your organization’s HQ or data center. Even if you don’t require a service connection for your HQ or data center, we recommend that you create one to allow network communication between mobile users and remote network locations, and between mobile users in different geographical locations.
- Mobile Users—Provides consistent security for your mobile users whether they are accessing applications at your data center, using SaaS applications, or browsing the internet. You can enable your mobile users to connect to Prisma Access through:
  - GlobalProtect—You can deploy the GlobalProtect app to your users (available for smartphones, tablets, or laptops running Microsoft Windows, Apple macOS and iOS, Android, Google Chrome OS, and Linux) so that they can tunnel the traffic to Prisma Access for policy enforcement and threat prevention. The GlobalProtect app also provides host information profile (HIP) reporting so that you can create granular policies based on device state to ensure that endpoints adhere to your security standards—for example, they are equipped with the most up-to-date patches, encryption, and virus definitions—in order to access your most sensitive applications. Or, to enable secure access to users on unmanaged devices, you can enable Clientless VPN. Prisma Access dynamically scales in and out per region based on where your users are at the moment.
  - Explicit Proxy—If your organization’s existing network already uses explicit proxies and deploys PAC files on your client endpoints, you can smoothly migrate to Prisma Access to secure mobile users’ outbound internet traffic.
- Remote Networks—Use remote networks to secure remote network locations, such as branches, and users in those branches with cloud-based next-generation firewalls. You can enable access to the subnetworks at each remote network location using either static routes, dynamic routing using BGP, or a combination of static and dynamic routes. All remote network locations that you onboard are fully meshed.
- ZTNA Connector—The Zero Trust Network Access (ZTNA) Connector lets you connect to your organization's private apps simply and securely. ZTNA Connector provides mobile users and users at branch locations access to your private apps using an automated secure tunnel, which eliminates the requirement of setting up IPSec tunnels and routing definitions to access the private apps. ZTNA Connector does not require any routing from the customer infrastructure and can provide access to applications that use overlapped IP addresses in your networks.
- Strata Logging Service—Prisma Access forwards all logs to Strata Logging Service; as part of activating Prisma Access, you’ll specify the Strata Logging Service instance that you want to forward Prisma Access logs to. Log traffic does not use the licensed bandwidth you purchased for Prisma Access.