Prisma Access Mobile Users

Learn about the different mobile user deployment types in Prisma Access.
Where Can I Use This?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license
Prisma Access offers two connection methods to secure mobile users: users can connect to Prisma Access using the GlobalProtect App or using a Proxy Auto-Configuration (PAC) file.
  • Secure Mobile Users with the GlobalProtect App
    You can use GlobalProtect in the following modes:
    • Tunnel Mode—The default agent mode for GlobalProtect in Prisma Access. Establishes a tunnel (IPSec or SSL) to Prisma Access to secure mobile users’ access to all applications, ports, and protocols, and to get consistent security whether the user is inside or outside your network.
      The GlobalProtect app installed on the users' endpoint secures user traffic to the internet, SaaS applications, and your internal and public cloud resources. Deploy the GlobalProtect app to your users (available for smartphones, tablets, or laptops running Microsoft Windows, Apple macOS and iOS, Android, Google Chrome OS, and Linux) so that they can tunnel the traffic to Prisma Access for policy enforcement and threat prevention. The GlobalProtect app also provides host information profile (HIP) reporting so that you can create granular rules based on device state to ensure that endpoints adhere to your security standards—for example, they are equipped with the most up-to-date patches, encryption, and virus definitions—in order to access your most sensitive applications. Or, to enable secure access to users on unmanaged devices, you can enable Clientless VPN. Prisma Access dynamically scales in and out per region based on where your users are at the moment.
    • Proxy Mode—This mode enables you to use a 3rd-party VPN agent while still using Prisma Access as a secure web gateway for consistent and superior SaaS security. This connection method is ideal if you are not yet ready to replace your existing private app VPN but want to replace your secure web gateway. For example, you're using a 3rd-party VPN agent for private access, but you want to use only Prisma Access for your internet security. Benefits of this connection method include:
      • Meets compliance or network requirements that require a proxy
      • Reduces the burden of PAC file management and supports proxy-aware apps beyond the browser
      • Improves user experience by avoiding the need to backhaul to an on-premises web proxy
    • Tunnel and Proxy Mode—This mode enables you to secure access to the internet and SaaS applications through proxy mode and to secure access to private apps through tunnel mode. This is especially helpful if you need the fastest, lowest latency access to a private app and your Prisma Access location is not in your region.
      In this mode, the GlobalProtect app first evaluates the explicit proxy forwarding rules you have defined and sends all internet-bound traffic to the Prisma Access explicit proxy. For all other traffic, the app determines which traffic to send through the tunnel to the GlobalProtect gateway, and which traffic to exclude from the tunnel, based on any split tunnel rules you have defined. You can also use the tunnel to secure any application that is not proxy aware.
  • Secure Mobile Users by Using a PAC File
    In addition to securing mobile users with GlobalProtect, you can configure an Explicit Proxy using Prisma Access. With Explicit Proxy, an endpoint uses a PAC file that instructs a web browser and proxy-aware apps to forward traffic to the web proxy server instead of the destination server, protecting your web-based internet (HTTP and HTTPS) traffic.
    If your organization’s existing network already uses explicit proxies and deploys PAC files on your client endpoints and servers, you can smoothly migrate from legacy proxy-based SWG solutions to Prisma Access to secure mobile users’ outbound internet traffic. You can also use an Explicit Proxy if you need to use a proxy for auditing or compliance purposes.
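A PAC file of the kind described above, as an added example that is not taken from the Prisma Access documentation: it sends internet-bound requests to an explicit proxy and lets internal names and private addresses go direct. The proxy address and the internal domain suffix are placeholders, and the absence of a DIRECT fallback is a design choice of this example.

```javascript
// Constructed PAC file. Placeholder values, not from the Prisma Access docs:
// PROXY (explicit proxy address) and INTERNAL_SUFFIXES (private-app domains).
var PROXY = "PROXY proxy.example.invalid:8080";
var INTERNAL_SUFFIXES = [".corp.example.invalid"];

// True when host is a dotted-quad IPv4 literal in loopback or RFC 1918 space.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = +m[1], b = +m[2];
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// True when host equals the suffix's domain or is a subdomain of it.
// Matching on the leading dot rejects lookalikes such as
// "notcorp.example.invalid".
function hasSuffix(host, suffix) {
  if (host === suffix.slice(1)) return true;
  var i = host.length - suffix.length;
  return i >= 0 && host.indexOf(suffix, i) === i;
}

// Entry point that browsers and proxy-aware apps call for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Unqualified names (no dot, and no colon as in an IPv6 literal) and
  // private IPv4 addresses are not internet-bound.
  var plainName = host.indexOf(".") === -1 && host.indexOf(":") === -1;
  if (plainName || isPrivateIPv4(host)) return "DIRECT";
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    if (hasSuffix(host, INTERNAL_SUFFIXES[i])) return "DIRECT";
  }
  // Everything else goes to the explicit proxy. There is no "; DIRECT"
  // fallback: if the proxy is unreachable the request fails instead of
  // reaching the internet uninspected.
  return PROXY;
}
```

The function uses plain string operations instead of the PAC helper functions so the same file can be exercised in Node.js before it is deployed to endpoints.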