Set Up Prisma Access
Provides quick steps to implement Prisma Access
The following workflow provides you with the summary steps that you take to install and configure Prisma Access
If you are setting up a deployment that includes multiple instances of Prisma Access on a single Panorama (multi-tenancy), see Manage Multiple Tenants in Prisma Access. Most organizations do not have a need to create and manage multiple tenants.
- Whitelist the following URLs and ports on any security appliance that you use with the Panorama appliance.In addition, if your Panorama appliance uses a proxy server (), or if you use SSL forward proxy with Prisma Access, be sure to whitelist the following URLs and ports on the proxy or proxy server:PanoramaSetupServiceProxy Server
- api.gpcloudservice.com (for Prisma Access)
- api.paloaltonetworks.com (for Prisma Access)
- apitrusted.paloaltonetworks.com (for Prisma Access)
- In order to push configuration—such as security policy, authentication policy, server profiles, security profiles, address objects, and application groups—to Prisma Access, you must either create new templates and device groups with the configuration settings you want to push to Prisma Access, or leverage your existing device groups and templates by adding them to the template stacks and device group hierarchies that get created when you onboard the service.Configuration is simplified in Prisma Access because you do not have to configure any of the infrastructure settings, such as interfaces and routing protocols. This configuration is automated and pushed from Panorama in the templates and device groups that the service creates automatically. You can configure any infrastructure settings that are required by the service, such as settings required to create IPSec VPN tunnels to the IPSec-capable devices at your remote network locations, directly from the plugin. Optionally, you can add templates and device group hierarchies to the configuration to simplify the service setup.When creating templates and device groups for Prisma Access, you do not need to assign managed devices to it. Instead, you will add them to the template stacks and device group hierarchies created by the service. Do not add any of the templates or device groups created by Prisma Access to any other template stacks or device groups.Also note that some settings that are available in a non-Prisma Access template or device group may not be supported in Prisma Access. See What Features Does Prisma Access Support? for a list of supported features.
- Enable the service infrastructure and service connections that allows communication between Prisma Access elements.
- Create a service connection to allow access to your corporate resources.
- We recommend using local authentication as a first step to verify that the service is set up and your users have internet access. You can later switch to using your corporate authentication methods.
- Configure zones for mobile users.
- Create two zones in the Mobile User Template. For example, Mobile-Users and Internet.
- Map the zones. You should map any zone that is not Prisma Access connected users or HQ or branch offices to Untrust.Under, map Internet to Untrust; Mobile-Users to Trust.PanoramaCloud ServicesConfigurationMobile Users
- Configure Security policies for the device group.To create a Security policy to allow traffic to the Internet, select the Mobile_User_Device_Groupa rule. For example: Mobile-Users to Internet.PoliciesSecurityPrerulesAdd
- Commit your changes to get started with the service.
- Commitlocally on Panorama.
- Commit and Pushto Prisma Access.
- Selectto view thePanoramaCloud ServicesStatusMonitorMobile UsersStatusand verify that you can ping the Portal FQDN.
- Validate that Prisma Access is securing Internet traffic for mobile users.
- Add one or more remote networks to Prisma Access.You can onboard one location and then add additional locations using the bulk import capability.
- Create a Security policy rule to allow traffic from the remote networks to HQ (For example: Trust to Trust).
- Validate the connectivity between the service connection, remote network connection, and mobile users.
- You whitelist these addresses on your organization’s network to limit inbound access to your enterprise network and applications.
- (Optional) Change the authentication method from local authentication to your organization’s authentication method.
- Create an authentication profile that meets your organization’s requirements (LDAP, RADIUS, etc).
- If your organization uses an on-premise authentication server such as RADIUS or Active Directory, whitelist the IP addresses that Prisma Access uses as its source IP address for internal requests (
- Update the Authentication Profile for the Prisma Access portal and gateway to use this new authentication profile.
- (Optional) Forward logs from Cortex Data Lake (formerly Logging Service) to an external Syslog receiver by setting up the Log Forwarding app.
Recommended For You
Recommended videos not found.