Prisma Access

As your business expands globally with new remote network locations popping up around the globe and mobile users roaming the world, it can be challenging to ensure that your business remains connected and always secure. Prisma Access uses a cloud-based infrastructure, allowing you to avoid the challenges of sizing firewalls and compute resource allocation, minimizing coverage gaps or inconsistencies associated with your distributed organization. The elasticity of the cloud scales as demand shifts and traffic patterns change. The cloud service facilitates next-generation security deployment to remote networks and mobile users by leveraging a cloud-based security infrastructure managed by Palo Alto Networks. The security processing nodes deployed within the service natively inspect all traffic in order to identify applications, threats, and content. Prisma Access provides visibility into the use of SaaS applications and the ability to control which SaaS applications are available to your users.
With Prisma Access, Palo Alto Networks deploys and manages the security infrastructure globally to secure your remote networks and mobile users. Prisma Access includes the following components:
  • Cloud Services Plugin
    —Panorama plugin that enables both Prisma Access and Cortex Data Lake.
    This plugin provides a simple and familiar interface for configuring and viewing the status of Prisma Access. You can also create Panorama templates and device groups, or leverage the templates and device groups you may have already created, to push configurations and quickly enforce consistent security policy across all locations.
  • Service Infrastructure
    —Prisma Access uses an internal service infrastructure to secure your organization’s network. You supply a subnet for the infrastructure, and Prisma Access uses the IP addresses within this subnet to establish a network infrastructure between your remote network locations and mobile users, and service connections to your internal network resources (if applicable). Internal communication within the cloud is established using dynamic routing.
  • Service Connections
    —If your Prisma Access license includes it, you have the option to establish IPSec tunnels to allow communication between internal resources in your network and mobile users and users in your remote network locations. You could, for example, create a service connection to an authentication server in your organization’s HQ or data center.
    Even if you don’t require a service connection, we recommend that you create one with placeholder values to allow network communication between mobile users and remote network locations and between mobile users in different geographical locations.
  • Prisma Access for Mobile Users
    —Provides consistent security for your mobile users whether they are accessing applications at your data center, using SaaS applications, or browsing the internet. You can enable your mobile users to connect to Prisma Access through:
    • You can deploy the GlobalProtect app to your users (available for smartphones, tablets, or laptops running Microsoft Windows, Apple macOS and iOS, Android, Google Chrome OS, and Linux) so that they can tunnel the traffic to Prisma Access for policy enforcement and threat prevention. The GlobalProtect app also provides host information profile (HIP) reporting so that you can create granular policies based on device state to ensure that endpoints adhere to your security standards—for example, they are equipped with the most up-to-date patches, encryption, and virus definitions—in order to access your most sensitive applications. Or, to enable secure access to users on unmanaged devices, you can enable
      Clientless VPN
      . Prisma Access dynamically scales in and out per region based on where your users are at the moment.
    • With the Okyo Garde add-on for Prisma Access, your organization can deploy the same Palo Alto Networks security technologies that they trust to secure their campus networks in the homes of employees to support work-from-home (WFH) use cases. Once Okyo Garde devices are set up in the homes of this new remote workforce, they become endpoints for enforcement of your GlobalProtect policies.
    • If your organization’s existing network already uses explicit proxies and deploys PAC files on your client endpoints, you can smoothly migrate to Prisma Access to secure mobile users’ outbound internet traffic.
  • Remote Networks
    —Use remote networks to secure remote network locations, such as branches, and users in those branches with cloud-based next-generation firewalls. You can enable access to the subnetworks at each remote network location using either static routes, dynamic routing using BGP, or a combination of static and dynamic routes. All remote network locations that you onboard are fully meshed.
  • Multitenancy
    —If your organization requires that you manage multiple Prisma Access instances, Prisma Access offers multitenancy, which enables you to create up to 200 instances (tenants) on a single Panorama appliance (or 2 appliances in high availability (HA) mode), with each tenant having their own separate templates and template stacks, device groups, and access domains.
  • Prisma Access for Clean Pipe
    —The Prisma Access for Clean Pipe service allows organizations that manage the IT infrastructure of other organizations, such as service providers, MSSPs, or Telcos, to quickly and easily protect outbound internet traffic for their tenants.
    Prisma Access for Clean Pipe has its own requirements; however, it requires the same Panorama and Cortex Data Lake licenses as the other Prisma Access products described in this section.
Prisma Access forwards all logs to Cortex Data Lake. You can view the logs, ACC, and reports from Panorama for an aggregated view into your remote network and mobile user traffic. To enable logging for Prisma Access, you must purchase a Cortex Data Lake license. Log traffic does not use the licensed bandwidth you purchased for Prisma Access.

Recommended For You