Prisma Access with On-Premise Gateways
Prisma Access enables you to extend the Palo Alto Networks security platform out to your remote network locations and your mobile users without having to build out your own global security infrastructure and expand your operational capacity. In cases where you have already deployed GlobalProtect gateways in regions where you already have the infrastructure to manage it, you can leverage this investment by configuring Prisma Access to direct mobile users to your existing external gateways when appropriate.
You can Manage Priorities for Prisma Access and On-Premise Gateways, which allow you to specify priorities for on-premise and Prisma Access gateways. Administrators cannot specify mobile users to connect to a specific Prisma Access gateway; however administrators can Allow Mobile Users to Manually Select Specific Prisma Access Gateways using the GlobalProtect app.
You cannot use your own portal with Prisma Access. You can only use the portal that is deployed when your Prisma Access for mobile users is provisioned.
To configure one of these hybrid Prisma Access deployments, you must edit the GlobalProtect_Portal configuration within the Mobile_User_Template to add your on-premise gateways to the appropriate regions:
- Edit the Prisma Access portal configuration.
- To add an existing gateway to the list of available gateways, select.NetworkGlobalProtectPortals
- SelectMobile_User_Templatefrom theTemplatedrop-down.
- SelectGlobalProtect_Portalto edit the Prisma Access portal configuration.
- Add your on-premise gateway to the list of gateways in the agent configuration.
- Select theAgenttab and select theDEFAULTagent configuration orAdda new one.
- Select theExternaltab andAddyour on-premise gateway.If you add a new agent configuration and you want to add the Prisma Access gateways to the list of external gateways in that configuration, you must set theNametoGP cloud serviceand theAddresstogpcloudservice.com. You must enter these values exactly as shown, and you cannot use either of these values for non-Prisma Access gateways.
- Enter theNameof the gateway and specify either theFQDNorIPaddress of the gateway in theAddressfield; this value must exactly match the common name (CN) in the gateway certificate.
- (Optional) If you want mobile users to only connect to the gateway when they are in the corresponding region,AddtheSource Regionto restrict the gateway to. For example, if you have a gateway in France, you would select FR (France). If you have a gateway in Sweden, you would select (SE) Sweden.One benefit of this is that users will then be able to access a gateway that enables access to internet resources in their own language.
- Configure other agent settings as necessary to complete the agent configuration.
- ClickOKto save the portal configuration.
- Commit all your changes to Panorama and push the configuration changes to Prisma Access.
- Click.CommitCommit to Panorama
- Clickand clickCommitPush to DevicesEdit Selections.
- On thePrisma Accesstab, make surePrisma Access for usersis selected and then clickOK.
Recommended For You
Recommended videos not found.