Home

Location

Documentation Home
Palo Alto Networks
Support
Live Community
Knowledge Base

Home
Prisma
Prisma Access
Prisma Access Administrator’s Guide (Panorama Managed)
Prisma Access Overview
Prisma Access APIs

Last Updated:

Mar 13, 2023

Current Version:

3.2 Preferred and Innovation

Version 3.2 Preferred and Innovation
Version 3.1 Preferred and Innovation
Version 3.0 Preferred and Innovation
Version 2.2 Preferred

Table of Contents

Filter

Prisma Access Overview

Prisma Access

Prisma Access Infrastructure Management

Releases and Upgrades

Prisma Access Release Types

Prisma Access Upgrade Types

Cadence for Software and Content Updates for Prisma Access

Prisma Access Dataplane Upgrades

Dataplane Upgrade Overview

Dataplane Upgrade Example

Use the Prisma Access App to Get Upgrade Alerts and Updates

View Prisma Access Software Versions

Prisma Access Licensing

Determine Your Prisma Access License Type from Panorama

Cheat Sheet: Integrate ADEM with Panorama Managed Prisma Access

Cheat Sheet: Integrate IoT Security with Panorama Managed Prisma Access

Cheat Sheet: Enterprise DLP on Panorama Managed Prisma Access

Visibility and Monitoring Features in the Prisma Access App

Monitor Your Prisma Access Data Transfer Usage

Plan for Prisma Access IP Address Changes

IP Address Allocation For Mobile Users on Prisma Access

Public IP Address Scaling Examples for Mobile Users

Loopback IP Address Allocation for Mobile Users

Remote Network IPSec Termination Nodes and Service IP Addresses on Prisma Access

IP Address Changes For Remote Network Connections That Allocate Bandwidth by Location

Service IP and Egress IP Address Allocation for Remote Networks

Retrieve the IP Addresses for Prisma Access

Prisma Access IP Address Retrieval Using the API Examples

Pre-Allocate IP Addresses for Prisma Access Mobile User Locations

Set Up Prisma Access IP Address Change Notifications

Use Legacy Scripts to Retrieve Loopback Addresses

Use the Legacy Script to Retrieve Mobile User IP Addresses

Use the Legacy Script to Retrieve Public, Loopback, and Egress IP Addresses

Zone Mapping

Prisma Access APIs

Prisma Access Deployment Progress and Status

Troubleshoot the Prisma Access Deployment

Activate and Install the Prisma Access Components

Activate and Install Panorama Managed Prisma Access

Verify Your Account Using the One-Time Password

Transfer or Update Panorama Managed Prisma Access Licenses

Reset Your Panorama Managed Prisma Access License

Transfer or Update Prisma Access Licenses Between Panorama Appliances

Configure Panorama Appliances in High Availability for Panorama Managed Prisma Access

Prepare the Prisma Access Infrastructure and Service Connections

Set Up Panorama Managed Prisma Access

Prisma Access Service Infrastructure

Service Infrastructure Requirements

Configure the Service Infrastructure

Prisma Access Service Connections

Plan the Service Connections

Create a Service Connection to Allow Access to Private Apps

Verify Service Connection Status

Create a Service Connection to Enable Access between Mobile Users and Remote Networks

Prisma Access Locations

Prisma Access Locations by Compute Location

Prisma Access Locations by Region

Map of North America Prisma Access Locations

Explicit Proxy Locations

Secure Mobile Users

Prisma Access Mobile User Deployments

GlobalProtect on Prisma Access

Planning Checklist—GlobalProtect on Prisma Access

IP Address Pools in a Mobile Users—GlobalProtect Deployment

Set Up GlobalProtect on Panorama Managed Prisma Access

Enable Mobile User Regional Redundancy

How the GlobalProtect App Selects a Prisma Access Location for Mobile Users

Explicit Proxy on Prisma Access

How Explicit Proxy Works in Prisma Access

How Explicit Proxy Identifies Users

Planning Checklist—Explicit Proxy

Set Up Your Explicit Proxy PAC File

Secure Mobile Users with an Explicit Proxy

Create Block Settings in an Explicit Proxy Deployment

Use Special Objects to Restrict Explicit Proxy Internet Traffic to Source IP Addresses

Monitor and Troubleshoot Explicit Proxy

Monitor and Log Out GlobalProtect Users in Prisma Access

View GlobalProtect Mobile Users from the Status Tab

View GlobalProtect Mobile Users from the Monitor Tab

How Prisma Access Counts GlobalProtect Mobile Users

Manage GlobalProtect App Upgrades in Prisma Access

Select the Active GlobalProtect App Version for Prisma Access

Manage User Access to GlobalProtect App Updates from Prisma Access

Perform Staged Updates of the GlobalProtect App on Prisma Access

Deploy Explicit Proxy and GlobalProtect or a Third-Party VPN in Prisma Access

Use Explicit Proxy with GlobalProtect and Third-Party VPNs Examples

How Explicit Proxy Works With GlobalProtect

Requirements and Recommendations for Using Explicit Proxy with GlobalProtect and Third-Party VPNs

Use Explicit Proxy with GlobalProtect

Use Explicit Proxy with Third-Party VPNs

Integrate Prisma Access with On-Premises Gateways

Manage Priorities for Prisma Access and On-Premises Gateways

Set Equal Gateway Priorities for On-Premises and Prisma Access Gateways

Set a Higher Gateway Priority for an On-Premises Gateway

Set Higher Priorities for Multiple On-Premises Gateways

Configure Priorities for Prisma Access and On-Premises Gateways

Allow Mobile Users to Manually Select Specific Prisma Access Gateways

Allow Listing for Mobile Users—GlobalProtect Deployments

Manage Allow Listing for Existing Mobile User Deployments

Manage Allow Listing for New Prisma Access Deployments

Allow Listing Examples for Autoscale Events

Fields in the Egress IP Allow List table

Report Prisma Access Website Access Issues

Use Remote Networks to Secure Branches

Prisma Access Remote Network Deployments

Planning Checklist—Prisma Access Remote Networks

Onboard and Configure Remote Networks

Configure Prisma Access for Networks—Allocating Bandwidth by Compute Location

Configure Prisma Access for Networks—Allocating Bandwidth by Location

Verify Remote Network Connection Status

Verify Remote Connection BGP Status

Plan to Migrate to an Aggregate Bandwidth Remote Network Deployment

Migrate to the Aggregate Bandwidth Model

Remote Network Locations with Overlapping Subnets

Configure Remote Network and Service Connection Connected with a WAN Link

Use Predefined IPSec Templates to Onboard Service and Remote Network Connections

Onboard a Service Connection or Remote Network Connection Using Predefined Templates

Onboard Multiple Remote Network Connections of the Same Type

Supported IKE and IPSec Cryptographic Profiles for Common SD-WAN Devices

Onboard Remote Networks with Configuration Import

Fields in Remote Networks Table

How to Calculate Remote Network Bandwidth

Configure User-ID and User-Based Policies with Prisma Access

Configure User-ID in Panorama Managed Prisma Access

Configure User-ID for Remote Network Deployments

Get User and Group Information Using the Cloud Identity Engine

Populate User and Group Names in Security Policy Rules

Populate User Group Names in Security Policy Rules Using the Cloud Identity Engine

Populate User Group Names in Security Policy Rules Using a Master Device

Configure an on-premises or VM-Series Firewall as a Master Device

Use Long-Form DN Entries to Implement User- and Group-Based Policy

Redistribute User-ID Information Between Prisma Access and On-Premises Firewalls

Redistribute User-ID Information From Prisma Access to an On-Premise Firewall

Redistribute User-ID Information From an On-Premises Firewall to Prisma Access

Quality of Service in Prisma Access

QoS Examples

Configure QoS in Prisma Access

QoS for Remote Networks

QoS for Remote Networks Using Guaranteed Bandwidth and Bandwidth Allocation Ratios

Change the Guaranteed Bandwidth For Remote Networks

Select QoS Profiles for Remote Networks

Configure Quality of Service in Prisma Access

Configure Quality of Service for Clean Pipe

Manage Multiple Tenants in Prisma Access

Multitenancy Overview

Multitenancy Configuration Overview

Plan Your Multitenant Deployment

Create an All-New Multitenant Deployment

Enable Multitenancy and Migrate the First Tenant

Add Tenants to Prisma Access

Delete a Tenant

Create a Tenant-Level Administrative User

Control Role-Based Access for Tenant-Level Administrative Users

Remove Plugin Access for a Tenant-Level Administrative User

Sort Logs by Device Group ID in a Multitenant Deployment

Prisma Access Advanced Deployments

Advanced Deployments that Apply to All Prisma Access Types

Add a New Compute Location for a Deployed Prisma Access Location

IPv6 Support for Private App Access

Private App Access Over IPv6 Examples

Enable and Configure IPv6 Networking and IP Pools in Your Prisma Access Infrastructure

Enable IPv6 Networking for a Mobile Users—GlobalProtect Deployment

Enable IPv6 Networking for Service Connections

Enable IPv6 Networking for Remote Networks

DNS Resolution for Mobile Users—GlobalProtect and Remote Network Deployments

DNS Resolution for Mobile Users—GlobalProtect Deployments

DNS Resolution for Remote Networks

How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote Network Connections

Proxy Support for Prisma Access and Cortex Data Lake

Prisma Access Service Connection Advanced Deployments

Service Connection Multi-Cloud Redundancy

Configure and Activate Service Connection Cloud Provider Redundancy for Panorama Managed Prisma Access

Supported In-Country Active and Backup Cloud Provider Redundancy Locations

Use Traffic Steering to Forward Internet-Bound Traffic to Service Connections

Default Routes With Prisma Access Traffic Steering

Traffic Steering in Prisma Access

Traffic Steering Requirements

Default Routes with Traffic Steering Example

Default Routes with Traffic Steering Direct to Internet Example

Default Routes with Traffic Steering and Dedicated Service Connection Example

Prisma Access Traffic Steering Rule Guidelines

Configure Zone Mapping and Security Policies for Traffic Steering Dedicated Connections

Configure Traffic Steering in Prisma Access

Routing for Service Connection Traffic

Mobile User and Remote Network Routing to Service Connections

Prisma Access Default Routing

Prisma Access Hot Potato Routing

Configure Routing Preferences

Create a High-Bandwidth Network Using Multiple Service Connections

Create a High-Bandwidth Connection to a Headquarters or Data Center Location

Configure More than Two Service Connections to a Headquarters or Data Center Location

Prisma Access Mobile Users—GlobalProtect Advanced Deployments

Configure Multiple Portals in Prisma Access

Dynamic DNS Registration Support for Mobile Users—GlobalProtect

Enable DDNS for Mobile Users—GlobalProtect

Verify Dynamic DNS Configuration

Identification and Quarantine of Compromised Devices in a Prisma Access GlobalProtect Deployment

Use Cases for Quarantine List Redistribution

Configure Quarantine List Redistribution in Prisma Access

Sinkhole IPv6 Traffic In Mobile Users—GlobalProtect Deployments

Configure GlobalProtect to Disable Direct Access to the Local Network

Set Up an IPv6 Sinkhole On the On-Premises Gateway

Redistribute HIP Information with Prisma Access

HIP Redistribution Overview

Use Cases for HIP Redistribution

Configure HIP Redistribution in Prisma Access

View HIP Reports from Panorama

Support for Gzip Encoding in Clientless VPN

Prisma Access Mobile Users—Explicit Proxy Advanced Deployments

Secure Users and Devices at Remote Networks With an Explicit Proxy

Prisma Access Remote Network Advanced Deployments

Provide Secure Inbound Access to Remote Network Locations

Secure Inbound Access for Remote Network Sites

Secure Inbound Access Examples

Guidelines for Using Secure Inbound Access

Configure Secure Inbound Access for Remote Network Sites

Configure Secure Inbound Access for Remote Network Sites for Locations that Allocate Bandwidth by Location

Configure Secure Inbound Access for Remote Network Sites

Create a High-Bandwidth Network for a Remote Site

Create a High-Bandwidth Remote Network Connection

Create and Configure Prisma Access for Clean Pipe

Prisma Access for Clean Pipe Overview

Clean Pipe Use Cases

Clean Pipe Examples

Clean Pipe and Partner Interconnect Requirements

Configure Prisma Access for Clean Pipe

Enable Multitenancy and Create a Tenant

Complete the Clean Pipe Configuration

Prisma Access Overview
Activate and Install the Prisma Access Components
Prepare the Prisma Access Infrastructure and Service Connections
Secure Mobile Users
Use Remote Networks to Secure Branches
Configure User-ID and User-Based Policies with Prisma Access
Quality of Service in Prisma Access
Manage Multiple Tenants in Prisma Access
Prisma Access Advanced Deployments
Create and Configure Prisma Access for Clean Pipe
- Prisma Access for Clean Pipe Overview
- Configure Prisma Access for Clean Pipe
  - Enable Multitenancy and Create a Tenant
  - Complete the Clean Pipe Configuration

Document:Prisma Access Administrator’s Guide (Panorama Managed)

Prisma Access APIs

Last Updated:

Mar 13, 2023

Current Version:

3.2 Preferred and Innovation

Version 3.2 Preferred and Innovation
Version 3.1 Preferred and Innovation
Version 3.0 Preferred and Innovation
Version 2.2 Preferred

Table of Contents

Filter

Prisma Access Overview

Prisma Access

Prisma Access Infrastructure Management

Releases and Upgrades

Prisma Access Release Types

Prisma Access Upgrade Types

Cadence for Software and Content Updates for Prisma Access

Prisma Access Dataplane Upgrades

Dataplane Upgrade Overview

Dataplane Upgrade Example

Use the Prisma Access App to Get Upgrade Alerts and Updates

View Prisma Access Software Versions

Prisma Access Licensing

Determine Your Prisma Access License Type from Panorama

Cheat Sheet: Integrate ADEM with Panorama Managed Prisma Access

Cheat Sheet: Integrate IoT Security with Panorama Managed Prisma Access

Cheat Sheet: Enterprise DLP on Panorama Managed Prisma Access

Visibility and Monitoring Features in the Prisma Access App

Monitor Your Prisma Access Data Transfer Usage

Plan for Prisma Access IP Address Changes

IP Address Allocation For Mobile Users on Prisma Access

Public IP Address Scaling Examples for Mobile Users

Loopback IP Address Allocation for Mobile Users

Remote Network IPSec Termination Nodes and Service IP Addresses on Prisma Access

IP Address Changes For Remote Network Connections That Allocate Bandwidth by Location

Service IP and Egress IP Address Allocation for Remote Networks

Retrieve the IP Addresses for Prisma Access

Prisma Access IP Address Retrieval Using the API Examples

Pre-Allocate IP Addresses for Prisma Access Mobile User Locations

Set Up Prisma Access IP Address Change Notifications

Use Legacy Scripts to Retrieve Loopback Addresses

Use the Legacy Script to Retrieve Mobile User IP Addresses

Use the Legacy Script to Retrieve Public, Loopback, and Egress IP Addresses

Zone Mapping

Prisma Access APIs

Prisma Access Deployment Progress and Status

Troubleshoot the Prisma Access Deployment

Activate and Install the Prisma Access Components

Activate and Install Panorama Managed Prisma Access

Verify Your Account Using the One-Time Password

Transfer or Update Panorama Managed Prisma Access Licenses

Reset Your Panorama Managed Prisma Access License

Transfer or Update Prisma Access Licenses Between Panorama Appliances

Configure Panorama Appliances in High Availability for Panorama Managed Prisma Access

Prepare the Prisma Access Infrastructure and Service Connections

Set Up Panorama Managed Prisma Access

Prisma Access Service Infrastructure

Service Infrastructure Requirements

Configure the Service Infrastructure

Prisma Access Service Connections

Plan the Service Connections

Create a Service Connection to Allow Access to Private Apps

Verify Service Connection Status

Create a Service Connection to Enable Access between Mobile Users and Remote Networks

Prisma Access Locations

Prisma Access Locations by Compute Location

Prisma Access Locations by Region

Map of North America Prisma Access Locations

Explicit Proxy Locations

Secure Mobile Users

Prisma Access Mobile User Deployments

GlobalProtect on Prisma Access

Planning Checklist—GlobalProtect on Prisma Access

IP Address Pools in a Mobile Users—GlobalProtect Deployment

Set Up GlobalProtect on Panorama Managed Prisma Access

Enable Mobile User Regional Redundancy

How the GlobalProtect App Selects a Prisma Access Location for Mobile Users

Explicit Proxy on Prisma Access

How Explicit Proxy Works in Prisma Access

How Explicit Proxy Identifies Users

Planning Checklist—Explicit Proxy

Set Up Your Explicit Proxy PAC File

Secure Mobile Users with an Explicit Proxy

Create Block Settings in an Explicit Proxy Deployment

Use Special Objects to Restrict Explicit Proxy Internet Traffic to Source IP Addresses

Monitor and Troubleshoot Explicit Proxy

Monitor and Log Out GlobalProtect Users in Prisma Access

View GlobalProtect Mobile Users from the Status Tab

View GlobalProtect Mobile Users from the Monitor Tab

How Prisma Access Counts GlobalProtect Mobile Users

Manage GlobalProtect App Upgrades in Prisma Access

Select the Active GlobalProtect App Version for Prisma Access

Manage User Access to GlobalProtect App Updates from Prisma Access

Perform Staged Updates of the GlobalProtect App on Prisma Access

Deploy Explicit Proxy and GlobalProtect or a Third-Party VPN in Prisma Access

Use Explicit Proxy with GlobalProtect and Third-Party VPNs Examples

How Explicit Proxy Works With GlobalProtect

Requirements and Recommendations for Using Explicit Proxy with GlobalProtect and Third-Party VPNs

Use Explicit Proxy with GlobalProtect

Use Explicit Proxy with Third-Party VPNs

Integrate Prisma Access with On-Premises Gateways

Manage Priorities for Prisma Access and On-Premises Gateways

Set Equal Gateway Priorities for On-Premises and Prisma Access Gateways

Set a Higher Gateway Priority for an On-Premises Gateway

Set Higher Priorities for Multiple On-Premises Gateways

Configure Priorities for Prisma Access and On-Premises Gateways

Allow Mobile Users to Manually Select Specific Prisma Access Gateways

Allow Listing for Mobile Users—GlobalProtect Deployments

Manage Allow Listing for Existing Mobile User Deployments

Manage Allow Listing for New Prisma Access Deployments

Allow Listing Examples for Autoscale Events

Fields in the Egress IP Allow List table

Report Prisma Access Website Access Issues

Use Remote Networks to Secure Branches

Prisma Access Remote Network Deployments

Planning Checklist—Prisma Access Remote Networks

Onboard and Configure Remote Networks

Configure Prisma Access for Networks—Allocating Bandwidth by Compute Location

Configure Prisma Access for Networks—Allocating Bandwidth by Location

Verify Remote Network Connection Status

Verify Remote Connection BGP Status

Plan to Migrate to an Aggregate Bandwidth Remote Network Deployment

Migrate to the Aggregate Bandwidth Model

Remote Network Locations with Overlapping Subnets

Configure Remote Network and Service Connection Connected with a WAN Link

Use Predefined IPSec Templates to Onboard Service and Remote Network Connections

Onboard a Service Connection or Remote Network Connection Using Predefined Templates

Onboard Multiple Remote Network Connections of the Same Type

Supported IKE and IPSec Cryptographic Profiles for Common SD-WAN Devices

Onboard Remote Networks with Configuration Import

Fields in Remote Networks Table

How to Calculate Remote Network Bandwidth

Configure User-ID and User-Based Policies with Prisma Access

Configure User-ID in Panorama Managed Prisma Access

Configure User-ID for Remote Network Deployments

Get User and Group Information Using the Cloud Identity Engine

Populate User and Group Names in Security Policy Rules

Populate User Group Names in Security Policy Rules Using the Cloud Identity Engine

Populate User Group Names in Security Policy Rules Using a Master Device

Configure an on-premises or VM-Series Firewall as a Master Device

Use Long-Form DN Entries to Implement User- and Group-Based Policy

Redistribute User-ID Information Between Prisma Access and On-Premises Firewalls

Redistribute User-ID Information From Prisma Access to an On-Premise Firewall

Redistribute User-ID Information From an On-Premises Firewall to Prisma Access

Quality of Service in Prisma Access

QoS Examples

Configure QoS in Prisma Access

QoS for Remote Networks

QoS for Remote Networks Using Guaranteed Bandwidth and Bandwidth Allocation Ratios

Change the Guaranteed Bandwidth For Remote Networks

Select QoS Profiles for Remote Networks

Configure Quality of Service in Prisma Access

Configure Quality of Service for Clean Pipe

Manage Multiple Tenants in Prisma Access

Multitenancy Overview

Multitenancy Configuration Overview

Plan Your Multitenant Deployment

Create an All-New Multitenant Deployment

Enable Multitenancy and Migrate the First Tenant

Add Tenants to Prisma Access

Delete a Tenant

Create a Tenant-Level Administrative User

Control Role-Based Access for Tenant-Level Administrative Users

Remove Plugin Access for a Tenant-Level Administrative User

Sort Logs by Device Group ID in a Multitenant Deployment

Prisma Access Advanced Deployments

Advanced Deployments that Apply to All Prisma Access Types

Add a New Compute Location for a Deployed Prisma Access Location

IPv6 Support for Private App Access

Private App Access Over IPv6 Examples

Enable and Configure IPv6 Networking and IP Pools in Your Prisma Access Infrastructure

Enable IPv6 Networking for a Mobile Users—GlobalProtect Deployment

Enable IPv6 Networking for Service Connections

Enable IPv6 Networking for Remote Networks

DNS Resolution for Mobile Users—GlobalProtect and Remote Network Deployments

DNS Resolution for Mobile Users—GlobalProtect Deployments

DNS Resolution for Remote Networks

How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote Network Connections

Proxy Support for Prisma Access and Cortex Data Lake

Prisma Access Service Connection Advanced Deployments

Service Connection Multi-Cloud Redundancy

Configure and Activate Service Connection Cloud Provider Redundancy for Panorama Managed Prisma Access

Supported In-Country Active and Backup Cloud Provider Redundancy Locations

Use Traffic Steering to Forward Internet-Bound Traffic to Service Connections

Default Routes With Prisma Access Traffic Steering

Traffic Steering in Prisma Access

Traffic Steering Requirements

Default Routes with Traffic Steering Example

Default Routes with Traffic Steering Direct to Internet Example

Default Routes with Traffic Steering and Dedicated Service Connection Example

Prisma Access Traffic Steering Rule Guidelines

Configure Zone Mapping and Security Policies for Traffic Steering Dedicated Connections

Configure Traffic Steering in Prisma Access

Routing for Service Connection Traffic

Mobile User and Remote Network Routing to Service Connections

Prisma Access Default Routing

Prisma Access Hot Potato Routing

Configure Routing Preferences

Create a High-Bandwidth Network Using Multiple Service Connections

Create a High-Bandwidth Connection to a Headquarters or Data Center Location

Configure More than Two Service Connections to a Headquarters or Data Center Location

Prisma Access Mobile Users—GlobalProtect Advanced Deployments

Configure Multiple Portals in Prisma Access

Dynamic DNS Registration Support for Mobile Users—GlobalProtect

Enable DDNS for Mobile Users—GlobalProtect

Verify Dynamic DNS Configuration

Identification and Quarantine of Compromised Devices in a Prisma Access GlobalProtect Deployment

Use Cases for Quarantine List Redistribution

Configure Quarantine List Redistribution in Prisma Access

Sinkhole IPv6 Traffic In Mobile Users—GlobalProtect Deployments

Configure GlobalProtect to Disable Direct Access to the Local Network