Prisma Access delivers consistent security to all your
users—at headquarters, office branches, and on the road. Learn more
about how Prisma Access works.
Where Can I Use This?
  Prisma Access (Managed by Strata Cloud Manager)
  Prisma Access (Managed by Panorama)
What Do I Need?
  Prisma Access license
To keep your applications and data safe, you must secure all users at all locations all the time.
But how do you do this when your footprint is expanding globally, more and more of your
users are mobile, and your applications and data are moving out of your network and into
the cloud? Prisma Access enables this consistent security by safely enabling your
users to access cloud and data center applications as well as the internet, whether they
are at your headquarters, branch offices, or on the road. Prisma Access consistently
inspects all traffic across all ports, enabling secure access to the internet, as well
as to your sanctioned SaaS applications, public cloud environments, and data centers and
headquarters. Threat prevention, malware prevention, URL filtering, SSL decryption, and
application-based policy capabilities are built in to provide you with the same level of
security no matter where your users are or what resources they are accessing. All Prisma
Access logs are stored in the Strata Logging Service, providing centralized analysis,
reporting, and forensics across all users, applications, and locations.
Prisma Access delivers protection at scale with global coverage
so you don’t have to worry about things like sizing and deploying
hardware firewalls at your branches or building out and managing
appliances in colocation facilities. Prisma Access provides the
network infrastructure to connect all of your remote branches, your
headquarters sites, data centers, and mobile users without requiring
you to build out your own global security infrastructure and expand
your operational capacity.
With Prisma Access, Palo Alto Networks deploys and manages the security infrastructure globally
to secure your remote networks and mobile users. Prisma Access encrypts the data
end-to-end between Mobile User Security Processing Nodes (MU-SPNs) and Remote Network
Security Processing Nodes (RN-SPNs), between SPNs and Service Connection Corporate
Access Nodes (SC-CANs), and between SC-CANs and the data center.
Service Infrastructure—Prisma Access uses an internal
service infrastructure to secure your organization’s network. You
supply a subnet for the infrastructure, and Prisma Access uses the
IP addresses within this subnet to establish a network infrastructure
between your remote network locations and mobile users, and service
connections to your internal network resources (if applicable).
Internal communication within the cloud is established using dynamic
routing.
Service Connections—If your Prisma Access license
includes it, you have the option to establish IPSec tunnels to allow
communication between internal resources in your network and mobile
users and users in your remote network locations. You could, for
example, create a service connection to an authentication server
in your organization’s HQ or data center.
Even if you don’t
require a service connection for your HQ or data center, we recommend
that you create one to allow network communication between mobile
users and remote network locations, and between mobile users in
different geographical locations.
Mobile Users—Provides consistent security for your
mobile users whether they are accessing applications at your data
center, using SaaS applications, or browsing the internet. You can
enable your mobile users to connect to Prisma Access through:
GlobalProtect
You can deploy the GlobalProtect
app to your users (available for smartphones, tablets, or laptops
running Microsoft Windows, Apple macOS and iOS, Android, Google
Chrome OS, and Linux) so that they can tunnel the traffic to Prisma Access
for policy enforcement and threat prevention. The GlobalProtect
app also provides host information profile (HIP) reporting so that
you can create granular policies based on device state to ensure
that endpoints adhere to your security standards—for example, they
are equipped with the most up-to-date patches, encryption, and virus
definitions—in order to access your most sensitive applications.
Or, to enable secure access to users on unmanaged devices, you can
enable Clientless VPN. Prisma Access dynamically scales in
and out per region based on where your users are at the moment.
Explicit Proxy
If your organization’s existing
network already uses explicit proxies and deploys PAC files on your
client endpoints, you can smoothly migrate to Prisma Access to secure
mobile users’ outbound internet traffic.
Remote Networks—Use remote networks to secure remote
network locations, such as branches, and users in those branches
with cloud-based next-generation firewalls. You can enable access
to the subnetworks at each remote network location using either
static routes, dynamic routing using BGP, or a combination of static
and dynamic routes. All remote network locations that you onboard
are fully meshed.
ZTNA Connector—The Zero Trust Network Access (ZTNA) Connector lets you
connect to your organization's private apps simply and securely. ZTNA Connector provides mobile users and users at
branch locations access to your private apps using an automated secure tunnel,
which eliminates the requirement of setting up IPSec tunnels and routing
definitions to access the private apps. ZTNA Connector does not require any
routing from the customer infrastructure and can provide access to applications
that use overlapping IP addresses in your networks.
Strata Logging Service—Prisma Access forwards all logs to Strata Logging Service; as part
of activating Prisma Access, you’ll specify the Strata Logging Service
instance that you want to forward Prisma Access logs to. Log traffic does
not use the licensed bandwidth you purchased for Prisma Access.