Prisma Access Solutions for Mobile Users and Branch Offices in Mainland China
Use Prisma Access as a solution for mobile users and
remote networks in mainland China.
Global expansion, mobile workforces, and cloud computing
can shift the locations of your enterprise’s applications, data,
and users. These changes introduce new opportunities globally, but
they also introduce new vectors for cybersecurity risk. Prisma Access
provides a solution to manage mobile users and branch offices anywhere
in the world, including navigating access and security complexities in
While Prisma Access is not available as a service
in China, you can now extend its capabilities into mainland China,
while still allowing a secure local internet breakout to mobile
users and offices located in China. Palo Alto Networks provides this
solution with a hybrid architecture that seamlessly integrates Prisma
Access with a Next-Generation Firewall platform located in mainland
China. You can use a firewall that is physically located in mainland
China or a VM-series firewall that is deployed in a public cloud
region in mainland China.
Users in mainland China connect to Prisma Access over a hybrid
connection established between the firewall in mainland China and
a location outside of the mainland. The following figure shows the
After users in mainland China connect to your organization’s
next-generation firewall infrastructure, they get secure access
to the internet and local SaaS providers in mainland China. To gain
access to applications outside of China, the firewall connects to
a Prisma Access location outside China using the hybrid connectivity of
your choice, as shown in the following figure. To view more details
about the configuration you perform, see the workflows you use to
onboard mobile users and branch offices.
These solutions give your organization the following benefits:
Delivers secure local internet breakout to mobile users and offices located in China.
Provides secure access to internal applications as well as SaaS and cloud applications, both inside and outside China.
Leverages an existing Next-Generation Firewall infrastructure to connect to Prisma Access.
The solution requires the following components:
An active Prisma Access subscription.
One or more next-generation firewalls in mainland China (either on-premise
If your deployment in China has existing on-premise
firewalls, you can leverage those for your deployment.
Connectivity to a location outside China over an approved channel (hybrid connectivity).
You can use one of the following
connections for the hybrid connectivity between mainland China and
the location outside mainland China:
An MPLS circuit
A private line
Alibaba Cloud Express Connect (CEN)
The examples in this
chapter use CEN as the hybrid connectivity.