Prisma Access Solutions for Mobile Users and Branch Offices in Mainland China

Use Prisma Access as a solution for mobile users and remote networks in mainland China.
Global expansion, mobile workforces, and cloud computing can shift the locations of your enterprise’s applications, data, and users. These changes introduce new opportunities globally, but they also introduce new vectors for cybersecurity risk. Prisma Access provides a solution to manage mobile users and branch offices anywhere in the world, including navigating access and security complexities in mainland China.
While Prisma Access is not available as a service in China, you can now extend its capabilities into mainland China, while still allowing a secure local internet breakout to mobile users and offices located in China. Palo Alto Networks provides this solution with a hybrid architecture that seamlessly integrates Prisma Access with a Next-Generation Firewall platform located in mainland China. You can use a firewall that is physically located in mainland China or a VM-series firewall that is deployed in a public cloud region in mainland China.
Users in mainland China connect to Prisma Access over a hybrid connection established between the firewall in mainland China and a location outside of the mainland. The following figure shows the process.
After users in mainland China connect to your organization’s next-generation firewall infrastructure, they get secure access to the internet and local SaaS providers in mainland China. To gain access to applications outside of China, the firewall connects to a Prisma Access location outside China using the hybrid connectivity of your choice, as shown in the following figure. To view more details about the configuration you perform, see the workflows you use to onboard mobile users and branch offices.
These solutions gives your organization the following benefits:
  • Delivers secure local internet breakout to mobile users and offices located in China.
  • Provides secure access to internal applications as well as SaaS and cloud applications, both inside and outside China.
  • Leverages an existing Next-Generation Firewall infrastructure to connect to Prisma Access.
The solution requires the following components:
  • An active Prisma Access subscription.
  • One or more next-generation firewalls in mainland China (either on-premise or VM-series).
    If your deployment in China has existing on-premise firewalls, you can leverage those for your deployment.
  • Connectivity to a location outside China over an approved channel (hybrid connectivity).
    You can use one of the following connections for the hybrid connectivity between mainland China and the location outside mainland China:
    • An MPLS circuit
    • A private line
    • Alibaba Cloud Express Connect (CEN)
The examples in this chapter use CEN as the hybrid connectivity.

Recommended For You