Setting Priority for Prisma Access and On-Premises Gateways
Where Can I Use This?
  • Prisma Access (Managed by Panorama)
What Do I Need?
  • Prisma Access license
Prisma Access enables you to extend the Palo Alto Networks security platform to your mobile users. In a hybrid deployment where your enterprise also uses on-premises GlobalProtect gateways, you can set gateway priorities in Prisma Access so that mobile users connect either to a specific on-premises GlobalProtect gateway or to a Prisma Access gateway.
You can steer mobile users to the on-premises gateway that is physically closest to them, while still allowing them to fall back to a different gateway (on-premises or cloud) so that they keep secure access when they change locations. You can also give priority to gateways that are in the same country or the same linguistic area as your mobile users.
If you add on-premises gateways to your Prisma Access deployment, check whether the priority of the Prisma Access gateways is set to None and, if it is, change it. With a priority of None, the GlobalProtect app never selects a Prisma Access gateway automatically, so a mobile user who is not covered by the source region of any on-premises gateway is left with no gateway at all. See Configure Priorities for Prisma Access and On-Premises Gateways to change the priority of your Prisma Access gateways.
If you require users to connect to a specific Prisma Access gateway, you can allow mobile users to select specific Prisma Access gateways manually. Mobile users choose one of the Prisma Access gateways from the GlobalProtect app installed on their endpoint.
Complete the following workflow to configure gateway priorities in Prisma Access.

Set Equal Gateway Priorities for On-Premises and Prisma Access Gateways

To enable secure access for your mobile workforce no matter where they are located, you can set equal priorities for the on-premises GlobalProtect gateways and the Prisma Access gateways. The GlobalProtect app uses Gateway Priority in a Multiple Gateway Configuration to determine the preferred gateway.
Use this configuration if your mobile users are most often closer to an on-premises gateway. When users change locations, the GlobalProtect app chooses another gateway (either on-premises or Prisma Access) based on the highest priority and, among gateways of equal priority, the lowest response time.
The following figure shows a sample configuration with two mobile users in North America. You set the gateway priority to Highest for both the Prisma Access gateways and the on-premises gateways.
In this example, User 1’s GlobalProtect app measures a lower response time to the Prisma Access gateway than to the on-premises gateway, and User 2’s GlobalProtect app measures a lower response time to the on-premises gateway. Because all gateways have the same priority, response time decides: User 1 connects to the Prisma Access gateway and User 2 connects to the on-premises gateway.

Set a Higher Gateway Priority for an On-Premises Gateway

In situations where you want to direct mobile users to an on-premises gateway instead of the Prisma Access gateways, configure the on-premises gateway with a source region and a higher priority than the Prisma Access gateways.
The following figure shows a sample configuration for mobile users in Indonesia. To prevent mobile users from being connected to the nearest Prisma Access gateway, which is in Singapore, you set the gateway priority to Highest for the on-premises gateway in Indonesia and to Medium for the Prisma Access gateways.
This example also specifies a source region of Indonesia for the on-premises gateway. We recommend specifying a source region for the following reasons:
  • A source region on an on-premises gateway lets users in that region reach the gateway and prevents users outside the region from connecting to it. In this example, only mobile users in Indonesia can connect to the on-premises gateway with the source region of Indonesia, and its higher priority means that it takes precedence over the Prisma Access gateways for those users.
  • If you instead set a source region of Any for the on-premises gateway in Indonesia, every mobile user in your organization would prefer that gateway because of its higher priority and worldwide availability, and mobile users might never connect to the Prisma Access gateways.

Set Higher Priorities for Multiple On-Premises Gateways

To keep internet traffic within language-specific regions, you can configure multiple on-premises gateways with different source regions, setting the priority of the on-premises gateways to Highest and the priority of the Prisma Access gateways to Medium.
The following figure shows a sample configuration for mobile users in Scandinavia. With this configuration, mobile users reach internet websites from a source IP address in their own country, so websites that localize content by the visitor's location serve the version in the user's language.
In this example, you configure on-premises gateways with source regions in Denmark, Norway, and Sweden. You set the priority of those gateways to Highest and the priority of the Prisma Access gateways to Medium. Specifying a source region for the on-premises gateways allows users in those regions to reach those gateways and prevents users outside those regions from connecting to them.
In this example, the GlobalProtect app for mobile users in Sweden selects the on-premises gateway in Sweden because of the source region and the higher gateway priority.
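The three scenarios above (equal priorities, one on-premises gateway that outranks Prisma Access with a source region, and the same design with region Any) can be replayed against the selection rules this page states: the source region filters which gateways are candidates, a gateway with priority None is never selected automatically, the highest priority wins, and the lowest response time breaks ties. The Python model below is an added example, not Palo Alto Networks or GlobalProtect code; the gateway names, region codes and response times are constructed for the demonstration, and the real app's weighting of priority against response time is more detailed than this simple ordering.

```python
"""Model of the automatic gateway choice described on this page.

Added illustration, not Palo Alto Networks code.  Rules modelled:
  * a gateway is a candidate only if its source region covers the user
    (Prisma Access gateways have no effective source region, i.e. Any);
  * priority None is never chosen automatically;
  * the highest priority wins, ties go to the lowest response time.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional

# Priority levels offered in the portal UI, best first.  "None" is handled
# separately: such a gateway can only be chosen manually by the user.
PRIORITY_RANK = {"Highest": 0, "High": 1, "Medium": 2, "Low": 3, "Lowest": 4}
ANY = frozenset({"Any"})


@dataclass(frozen=True)
class Gateway:
    name: str                               # illustrative name, not a hostname
    kind: str                               # "prisma" or "on-prem"
    priority: str                           # a PRIORITY_RANK key, or "None"
    source_regions: FrozenSet[str] = ANY    # region codes are illustrative


def eligible(gw: Gateway, user_region: str) -> bool:
    """Source regions restrict who may even see the gateway as a candidate."""
    return "Any" in gw.source_regions or user_region in gw.source_regions


def select_gateway(gateways: Iterable[Gateway], user_region: str,
                   response_ms: Dict[str, float]) -> Optional[str]:
    """Return the name of the gateway the app would auto-connect to, or None.

    response_ms maps gateway name -> measured response time in milliseconds;
    a gateway the app could not reach (no entry) is skipped.
    """
    candidates = [g for g in gateways
                  if g.priority != "None"
                  and eligible(g, user_region)
                  and g.name in response_ms]
    if not candidates:
        return None
    best = min(candidates,
               key=lambda g: (PRIORITY_RANK[g.priority], response_ms[g.name]))
    return best.name


def scenarios() -> Dict[str, Optional[str]]:
    """Replay the situations described above with constructed gateways and
    constructed response times (every number here is made up)."""
    results: Dict[str, Optional[str]] = {}

    # 1. Equal priorities in North America: response time alone decides.
    na = [Gateway("prisma-us-west", "prisma", "Highest"),
          Gateway("onprem-san-jose", "on-prem", "Highest", frozenset({"US"}))]
    results["equal_user1"] = select_gateway(
        na, "US", {"prisma-us-west": 18.0, "onprem-san-jose": 42.0})
    results["equal_user2"] = select_gateway(
        na, "US", {"prisma-us-west": 55.0, "onprem-san-jose": 12.0})

    # 2. Jakarta on-prem gateway at Highest with source region ID,
    #    Singapore Prisma Access gateway at Medium.
    apac = [Gateway("prisma-singapore", "prisma", "Medium"),
            Gateway("onprem-jakarta", "on-prem", "Highest", frozenset({"ID"}))]
    # Priority beats the faster Singapore gateway for a user in Indonesia...
    results["indonesia_user"] = select_gateway(
        apac, "ID", {"prisma-singapore": 9.0, "onprem-jakarta": 70.0})
    # ...but a user in Singapore is outside the source region.
    results["singapore_user"] = select_gateway(
        apac, "SG", {"prisma-singapore": 5.0, "onprem-jakarta": 40.0})

    # 3. The mistake the page warns about: the same Jakarta gateway with
    #    source region Any drags in a user in Germany despite 310 ms.
    misconfig = [Gateway("prisma-frankfurt", "prisma", "Medium"),
                 Gateway("onprem-jakarta", "on-prem", "Highest")]
    results["germany_user_any_region"] = select_gateway(
        misconfig, "DE", {"prisma-frankfurt": 8.0, "onprem-jakarta": 310.0})

    # 4. Prisma Access priority left at None: a user with no eligible
    #    on-prem gateway gets nothing at all.
    none_cfg = [Gateway("prisma-frankfurt", "prisma", "None"),
                Gateway("onprem-jakarta", "on-prem", "Highest", frozenset({"ID"}))]
    results["germany_user_prisma_none"] = select_gateway(
        none_cfg, "DE", {"prisma-frankfurt": 8.0, "onprem-jakarta": 310.0})
    return results


if __name__ == "__main__":
    for case, chosen in scenarios().items():
        print(f"{case:26s} -> {chosen}")
```

Scenario 3 is the one to keep in mind when changing a source region from a country to Any: the higher priority makes the gateway win for everyone, and scenario 4 shows why a Prisma Access priority of None combined with region-restricted on-premises gateways strands users outside those regions.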

Configure Priorities for Prisma Access and On-Premises Gateways

Use this workflow to configure priorities for a deployment that uses on-premises gateways with Prisma Access.
  1. Log in to Prisma Access.
  2. Select Network > GlobalProtect > Portals in the Mobile_User_Template template.
  3. Click the portal name in the Name field.
  4. Click the Agent tab.
  5. Click the name of the agent to configure. The default agent is named DEFAULT.
  6. Click the External tab.
  7. Set the priority of the Prisma Access gateways.
    1. Click GP cloud service.
    2. Set the priority for your preferred configuration (for example, Highest for the equal-priority design, or Medium when on-premises gateways should take precedence). Do not leave it set to None; with that value the GlobalProtect app never selects a Prisma Access gateway automatically.
    3. Be sure that the Manual check box is selected. Checking the Manual check box ensures that mobile users can select a specific Prisma Access gateway if required.
      Do not add a source region for the Prisma Access gateways; any region you specify is not applied to the configuration.
    4. Click OK.
  8. Add one or more on-premises external gateways to your configuration.
    1. Enter a descriptive Name for the gateway.
      The name should match the name you defined when you configured the gateway, and it should be descriptive enough for users to know the location of the gateway to which they connect.
    2. Enter the FQDN or IPv4 address of the interface where the gateway is configured in the Address field (IPv6 addresses are not supported here).
      The address you specify must exactly match the Common Name (CN) in the gateway server certificate; include it as a Subject Alternative Name as well, because current TLS clients validate the SAN rather than the CN.
    3. Add one or more Source Regions for the on-premises gateway, or select Any to make the gateway available to all regions.
      If you set the priority of on-premises external gateways higher than the Prisma Access gateways, specify source regions for the external gateways. If you specify Any, the GlobalProtect app might never select a Prisma Access gateway over an on-premises gateway, because of the higher priority of the on-premises gateway.
    4. Select the Manual check box to allow users to switch to the gateway manually.
    5. Set the Priority of the on-premises gateway to Highest (the default).
    6. Click OK.
  9. (Optional) Set the priority for additional gateways by repeating Step 8. Be sure to specify the correct source regions.
    The following figure shows a sample configuration with multiple gateways that have source regions in Norway, Sweden, and Denmark. Note that the Manual check box is selected, which indicates that a mobile user can manually select any of these gateways.
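Before committing the portal change, it is worth checking the External gateway list for the mistakes the steps above warn about. The following Python lint is an added example, not Palo Alto Networks tooling: the dictionary keys are my own model of the UI fields (they are not a PAN-OS or Panorama API schema), the gateway entries and certificate CNs are constructed, and the hostnames and IP addresses are documentation values. It flags a Prisma Access priority of None, a source region set on the Prisma Access entry, an on-premises gateway that outranks Prisma Access with source region Any, an address that is neither IPv4 nor an FQDN or does not match the certificate CN, and an unchecked Manual box.

```python
"""Lint for the portal agent External gateway list.  Added illustration,
not Palo Alto Networks tooling; field names below are an assumed model of
the UI, and EXAMPLE_CONFIG is constructed with deliberate mistakes."""
import ipaddress
import re
from typing import Dict, List, Tuple

PRIORITY_RANK = {"Highest": 0, "High": 1, "Medium": 2, "Low": 3, "Lowest": 4}
# RFC 1035-style hostname: labels of letters/digits/hyphens, alphabetic TLD.
FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,}$", re.I)

Finding = Tuple[str, str, str]   # (level, scope, message)


def _is_ipv4(addr: str) -> bool:
    """The External tab accepts an IPv4 address or an FQDN, not IPv6."""
    try:
        return isinstance(ipaddress.ip_address(addr), ipaddress.IPv4Address)
    except ValueError:
        return False


def lint_external_gateways(cfg: Dict) -> List[Finding]:
    """Return findings for {"prisma": {...}, "on_prem": [{...}, ...]}."""
    findings: List[Finding] = []
    prisma = cfg["prisma"]

    if prisma["priority"] == "None":
        findings.append(("ERROR", "prisma",
                         "priority None: the app never auto-selects a Prisma Access gateway"))
    if prisma.get("source_regions", ["Any"]) != ["Any"]:
        findings.append(("WARN", "prisma",
                         "source regions are ignored for Prisma Access gateways"))
    if not prisma.get("manual", False):
        findings.append(("WARN", "prisma",
                         "Manual unchecked: users cannot pick a specific Prisma Access gateway"))

    # Priority None sorts below every real level, so any on-prem gateway outranks it.
    prisma_rank = PRIORITY_RANK.get(prisma["priority"], len(PRIORITY_RANK))
    for gw in cfg["on_prem"]:
        name, addr = gw["name"], gw["address"]
        rank = PRIORITY_RANK.get(gw["priority"], len(PRIORITY_RANK))
        if rank < prisma_rank and "Any" in gw["source_regions"]:
            findings.append(("WARN", name,
                             "outranks Prisma Access with source region Any: every user worldwide will prefer it"))
        if not (_is_ipv4(addr) or FQDN_RE.match(addr)):
            findings.append(("ERROR", name,
                             f"address {addr!r} is neither an IPv4 address nor an FQDN"))
        if addr.lower() != gw["cert_cn"].lower():   # hostnames compare case-insensitively
            findings.append(("ERROR", name,
                             f"address {addr!r} does not match certificate CN {gw['cert_cn']!r}"))
        if not gw.get("manual", False):
            findings.append(("WARN", name,
                             "Manual unchecked: users cannot switch to this gateway by hand"))
    return findings


# Constructed example: Prisma Access left at None, Stockholm open to Any,
# Oslo published by IP while its certificate names a hostname and Manual off.
EXAMPLE_CONFIG = {
    "prisma": {"priority": "None", "manual": True, "source_regions": ["Any"]},
    "on_prem": [
        {"name": "onprem-jakarta", "address": "gp-id.example.com", "cert_cn": "gp-id.example.com",
         "priority": "Highest", "source_regions": ["ID"], "manual": True},
        {"name": "onprem-stockholm", "address": "gp-se.example.com", "cert_cn": "gp-se.example.com",
         "priority": "Highest", "source_regions": ["Any"], "manual": True},
        {"name": "onprem-oslo", "address": "198.51.100.10", "cert_cn": "gp-no.example.com",
         "priority": "Highest", "source_regions": ["NO"], "manual": False},
    ],
}

if __name__ == "__main__":
    for level, scope, msg in lint_external_gateways(EXAMPLE_CONFIG):
        print(f"{level:5s} {scope}: {msg}")
```

Running the block on EXAMPLE_CONFIG reports one error for the Prisma Access entry, a warning for the Stockholm gateway's Any region, and an error plus a warning for the Oslo gateway; only the Jakarta entry passes. The CN comparison is the check that catches the common case of publishing a gateway by IP address while the certificate was issued for a hostname.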
