Prisma Access
Set Up Prisma Access
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
-
-
-
- Allocate Licenses for Prisma Access (Managed by Strata Cloud Manager)
- Plan Service Connections for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Add Additional Locations for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Enable Available Add-ons for Prisma Access (Managed by Strata Cloud Manager)
- Enable Dynamic Privilege Access for Prisma Access (Managed by Strata Cloud Manager)
- Search for Subscription Details
- Share a License for Prisma Access (Managed by Strata Cloud Manager) and Add-ons
- Increase Subscription Allocation Quantity
-
- Activate a License for Prisma Access (Managed by Strata Cloud Manager) and Prisma SD-WAN Bundle
-
- Onboard Prisma Access
-
4.0 & Later
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
- Set Up Prisma Access
- Configure the Prisma Access Service Infrastructure
- Remote Networks: IPSec Termination Nodes and Service IP Addresses
- Remote Networks: IP Address Changes Related To Bandwidth Allocation
- Remote Networks: Service IP Address and Egress IP Address Allocation
- API Examples for Retrieving Prisma Access IP Addresses
- Get Notifications When Prisma Access IP Addresses Change
- Prisma Access Zones
- DNS for Prisma Access
- High Availability for Prisma Access
-
- Enable ZTNA Connector
- Delete Connector IP Blocks
- Set Up Auto Discovery of Applications Using Cloud Identity Engine
- Private Application Target Discovery
- Security Policy for Apps Enabled with ZTNA Connector
- Monitor ZTNA Connector
- View ZTNA Connector Logs
- Preserve User-ID Mapping for ZTNA Connector Connections with Source NAT
-
- Enable Dynamic Privilege Access for Prisma Access Through Common Services
- Authorize User Group Mapping in Cloud Identity Engine for Dynamic Privilege Access
- Enable the Access Agent
- Set Up the Agent Infrastructure for Dynamic Privilege Access
- Create a Snippet
- Create a Project
- Traffic Steering for Dynamic Privilege Access
- Push the Prisma Access Agent Configuration
- Download the Dynamic Privilege Access Enabled Prisma Access Agent Package
-
- Install the Prisma Access Agent
- Log in to the Dynamic Privilege Access Enabled Prisma Access Agent
- Change Preferences for the Dynamic Privilege Access Enabled Prisma Access Agent
- Connect the Dynamic Privilege Access Enabled Prisma Access Agent to a Different Location
- Switch to a Different Project
- Connect the Dynamic Privilege Access Enabled Prisma Access Agent to a Different Server
- Switch Between the Prisma Access Agent and GlobalProtect App
- View and Monitor Dynamic Privilege Access Users
- View and Monitor Dynamic Privilege Access Projects
- App Acceleration in Prisma Access
-
-
- Planning Checklist for GlobalProtect on Prisma Access
- Set Up GlobalProtect Mobile Users
- GlobalProtect — Customize Tunnel Settings
- GlobalProtect — Customize App Settings
- Ticket Request to Disable GlobalProtect
- GlobalProtect Pre-Logon
- GlobalProtect — Clientless VPN
- Monitor GlobalProtect Mobile Users
- How the GlobalProtect App Selects Prisma Access Locations for Mobile Users
- Allow Listing GlobalProtect Mobile Users
-
- Explicit Proxy Configuration Guidelines
- GlobalProtect in Proxy Mode
- GlobalProtect in Tunnel and Proxy Mode
- Private IP Address Visibility and Enforcement for Agent Based Proxy Traffic
- SAML Authentication for Explicit Proxy
- Set Up Explicit Proxy
- Cloud Identity Engine Authentication for Explicit Proxy Deployments
- Proxy Mode on Remote Networks
- How Explicit Proxy Identifies Users
- Explicit Proxy Forwarding Profiles
- PAC File Guidelines
- Explicit Proxy Best Practices
- Monitor and Troubleshoot Explicit Proxy
- Block Settings for Explicit Proxy
- Use Special Objects to Restrict Explicit Proxy Internet Traffic to Specific IP Addresses
- Access Your Data Center Using Explicit Proxy
- App-Based Office 365 Integration with Explicit Proxy
- Configure Proxy Chaining with Blue Coat Proxy
- IP Address Optimization for Explicit Proxy Users- Proxy Deployments
- DNS Resolution for Mobile Users—Explicit Proxy Deployments
- View User to IP Address or User Groups Mappings
- Report Mobile User Site Access Issues
- Enable Mobile Users to Access Corporate Resources
-
-
- Planning Checklist for Remote Networks
- Allocate Remote Network Bandwidth
- Onboard a Remote Network
- Connect a Remote Network Site to Prisma Access
- Enable Routing for Your Remote Network
- Onboard Multiple Remote Networks
- Configure Remote Network and Service Connection Connected with a WAN Link
- Remote Networks—High Performance
- Integrate a Shared Desktop VDI with Prisma Access Using Terminal Server
-
- Prisma Access Logs
- External Logs and Other Data
- Prisma Access Activity Dashboards and Reports
-
- Get Started with Prisma Access Monitoring in Strata Cloud Manager
- View and Monitor Applications
- View and Monitor App Acceleration
- View Mobile Users
- View and Monitor IPv6 for Mobile Users
- View and Monitor Branch Sites
- View Subscription Usage
- View and Monitor Prisma Access Locations
- View and Monitor Third-Party Device-IDs
- View and Monitor Remote Browser Isolation
- Prisma Access and Autonomous DEM
-
- Multitenancy Configuration Overview
- Plan Your Multitenant Deployment
- Create an All-New Multitenant Deployment
- Enable Multitenancy and Migrate the First Tenant
- Add Tenants to Prisma Access
- Delete a Tenant
- Create a Tenant-Level Administrative User
- Sort Logs by Device Group ID in a Multitenant Deployment
-
- Add a New Compute Location for a Deployed Prisma Access Location
- How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote Network Connections
- Proxy Support for Prisma Access and Strata Logging Service
- Block Incoming Connections from Specific Countries
- Prisma Access for No Default Route Networks
-
-
- Default Routes With Prisma Access Traffic Steering
- Traffic Steering in Prisma Access
- Traffic Steering Requirements
- Default Routes with Traffic Steering Example
- Default Routes with Traffic Steering Direct to Internet Example
- Default Routes with Traffic Steering and Dedicated Service Connection Example
- Prisma Access Traffic Steering Rule Guidelines
- Configure Zone Mapping and Security Policies for Traffic Steering Dedicated Connections
- Configure Traffic Steering in Prisma Access
- Preserve User-ID and Device-ID Mapping for Service Connections with Source NAT
-
- Prisma Access Internal Gateway
-
- Configure Privileged Remote Access Settings
- Set Up the Privileged Remote Access Portal
- Configure Applications for Privileged Remote Access
- Set Up Privileged Remote Access Profiles
- Define Permissions for Accessing Privileged Remote Access Apps
- Configure Split Tunneling for Privileged Remote Access Traffic
- Manage Privileged Remote Access Connections
- Use Privileged Remote Access
-
- Integrate Prisma Access With Other Palo Alto Networks Apps
- Integrate Third-Party Enterprise Browser with Explicit Proxy
-
-
- Connect your Mobile Users in Mainland China to Prisma Access Overview
- Configure Prisma Access for Mobile Users in China
- Configure Real-Name Registration and Create the VPCs in Alibaba Cloud
- Attach the CEN and Specify the Bandwidth
- Create Linux Instances in the Alibaba Cloud VPCs
- Configure the Router Instances
- Onboard the GlobalProtect Gateway and Configure the Prisma Access Portal
-
-
-
- INC_CIE_AGENT_DISCONNECT
- INC_CIE_DIRECTORY_DISCONNECT
- INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_GLOBALPROTECT_GW_USER_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_GLOBALPROTECT_PORTAL_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_GLOBALPROTECT_PORTAL_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_PORTAL_CLIENTLESS_VPN_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_ALL_PA_LOCATIONS
- INC_PORTAL_CLIENTLESS_VPN_AUTH_ TIMEOUT_FAILURES_COUNT_EXCEEDED_ ABOVE_BASELINE_PER_PA_LOCATION
- INC_MU_AUTH_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_MU_AUTH_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_MU_DNS_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_MU_DNS_SERVER_UNREACHABLE_ PER_PA_LOCATION
- INC_RN_AUTH_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_RN_AUTH_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_RN_DNS_SERVER_UNREACHABLE_ALL_ PA_LOCATIONS
- INC_RN_DNS_SERVER_UNREACHABLE_PER_ PA_LOCATION
- INC_RN_ECMP_TUNNEL_RTT_EXCEEDED_ BASELINE
- INC_RN_PRIMARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_RN_SECONDARY_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_RN_SITE_CAPACITY_PREDICTION
- INC_SC_PRIMARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_SC_SECONDARY_WAN_TUNNEL_RTT_ EXCEEDED_BASELINE
- INC_SC_SITE_CAPACITY_PREDICTION
-
- INC_CERTIFICATE_EXPIRY
- INC_GP_CLIENT_VERSION_UNSUPPORTED
- INC_MU_IP_POOL_BLOCK_UTILIZATION_ EXCEEDED_CAPACITY
- INC_MU_IP_POOL_BLOCK_UTILIZATION_ EXCEEDED_THRESHOLD
- INC_PA_INFRA_DEGRADATION
- INC_PA_SERVICE_DEGRADATION_PA_LOCATION
- INC_PA_SERVICE_DEGRADATION_RN_ SITE_CONNECTIVITY
- INC_PA_SERVICE_DEGRADATION_SC_ CONNECTIVITY
- INC_RN_ECMP_BGP_DOWN
- INC_RN_ECMP_BGP_FLAP
- INC_RN_ECMP_PROXY_TUNNEL_DOWN
- INC_RN_ECMP_PROXY_TUNNEL_FLAP
- INC_RN_ECMP_TUNNEL_DOWN
- INC_RN_ECMP_TUNNEL_FLAP
- INC_RN_PRIMARY_WAN_BGP_FLAP
- INC_RN_PRIMARY_WAN_PROXY_TUNNEL_DOWN
- INC_RN_PRIMARY_WAN_PROXY_TUNNEL_FLAP
- INC_RN_PRIMARY_WAN_TUNNEL_DOWN
- INC_RN_PRIMARY_WAN_TUNNEL_FLAP
- INC_RN_SECONDARY_WAN_BGP_DOWN
- INC_RN_SECONDARY_WAN_BGP_FLAP
- INC_RN_SECONDARY_WAN_PROXY_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_PROXY_TUNNEL_FLAP
- INC_RN_SECONDARY_WAN_TUNNEL_DOWN
- INC_RN_SECONDARY_WAN_TUNNEL_FLAP
- INC_RN_SITE_DOWN
- INC_RN_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- INC_RN_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_RN_SPN_LONG_DURATION_CAPACITY_EXCEEDED _THRESHOLD
- INC_RN_SPN_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_SC_PRIMARY_WAN_BGP_DOWN
- INC_SC_PRIMARY_WAN_BGP_FLAP
- INC_SC_PRIMARY_WAN_PROXY_TUNNEL_DOWN
- INC_SC_PRIMARY_WAN_PROXY_TUNNEL_FLAP
- INC_SC_PRIMARY_WAN_TUNNEL_DOWN
- INC_SC_PRIMARY_WAN_TUNNEL_FLAP
- INC_SC_SECONDARY_WAN_BGP_DOWN
- INC_SC_SECONDARY_WAN_BGP_FLAP
- INC_SC_SECONDARY_WAN_PROXY_TUNNEL_DOWN
- INC_SC_SECONDARY_WAN_PROXY_TUNNEL_FLAP
- INC_SC_SECONDARY_WAN_TUNNEL_DOWN
- INC_SC_SECONDARY_WAN_TUNNEL_FLAP
- INC_SC_SITE_DOWN
- INC_SC_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- INC_SC_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- INC_ZTNA_CONNECTOR_APP_STATUS_DOWN
- INC_ZTNA_CONNECTOR_APP_STATUS_DOWN_PARTIAL
- INC_ZTNA_CONNECTOR_CPU_HIGH
- INC_ZTNA_CONNECTOR_MEMORY_HIGH
- INC_ZTNA_CONNECTOR_TUNNEL_DOWN
-
- AL_CIE_AGENT_DISCONNECT
- AL_CIE_DIRECTORY_DISCONNECT
- AL_MU_IP_POOL_CAPACITY
- AL_MU_IP_POOL_USAGE
- AL_RN_ECMP_BGP_DOWN
- AL_RN_ECMP_BGP_FLAP
- AL_RN_PRIMARY_WAN_BGP_DOWN
- AL_RN_PRIMARY_WAN_BGP_FLAP
- AL_RN_PRIMARY_WAN_TUNNEL_DOWN
- AL_RN_PRIMARY_WAN_TUNNEL_FLAP
- AL_RN_SECONDARY_WAN_BGP_DOWN
- AL_RN_SECONDARY_WAN_BGP_FLAP
- AL_RN_SECONDARY_WAN_TUNNEL_DOWN
- AL_RN_SECONDARY_WAN_TUNNEL_FLAP
- AL_RN_SITE_DOWN
- AL_RN_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_RN_SITE_LONG_DURATION_EXCEEDED_ CAPACITY
- AL_RN_SPN_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_SC_PRIMARY_WAN_BGP_DOWN
- AL_SC_PRIMARY_WAN_BGP_FLAP
- AL_SC_PRIMARY_WAN_TUNNEL_DOWN
- AL_SC_PRIMARY_WAN_TUNNEL_FLAP
- AL_SC_SECONDARY_WAN_BGP_DOWN
- AL_SC_SECONDARY_WAN_BGP_FLAP
- AL_SC_SECONDARY_WAN_TUNNEL_DOWN
- AL_SC_SECONDARY_WAN_TUNNEL_FLAP
- AL_SC_SITE_DOWN
- AL_SC_SITE_LONG_DURATION_CAPACITY_ EXCEEDED_THRESHOLD
- AL_SC_SITE_LONG_DURATION_EXCEEDED_CAPACITY
- AL_ZTNA_CONNECTOR_APP_STATUS_DOWN
- AL_ZTNA_CONNECTOR_APP_STATUS_DOWN_PARTIAL
- AL_ZTNA_CONNECTOR_CPU_HIGH
- AL_ZTNA_CONNECTOR_MEMORY_HIGH
- AL_ZTNA_CONNECTOR_TUNNEL_DOWN
- New Features in Incidents and Alerts
- Known Issues
-
5.2 Preferred and Innovation
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Set Up Prisma Access
Learn how to set up Prisma Access.
Where Can I Use This? | What Do I Need? |
---|---|
|
|
Before you can use Prisma Access to secure your remote networks and mobile users,
configure an infrastructure subnet. Prisma Access uses IP addresses within this subnet
to establish a network between your remote network locations, mobile users, headquarters
and data center (if applicable). Prisma Access also uses service connections to access
internal resources from your headquarters or data center location.
This sub-network will be an extension to your existing network. Hence, it should not
overlap with any existing IP subnets in your network. The following example shows a
172.16.54.0/23 subnet that is being used for the Prisma Access infrastructure
subnet.
For small networks with less than 50 sites and 2500 mobile users, consider a /24 subnet.
For medium sized networks with less than 100 sites and less then 5000 mobile users,
consider a /23 subnet. In most cases a /23 subnet is sufficient. If there are more than
100 sites or 5000 mobile users or expected future growth, contact Palo Alto Networks to
evaluate whether you need a larger subnet size.
Learn how to set up Prisma Access.
Set Up Prisma Access (Strata Cloud Manager)
Learn how to set up your cloud service infrastructure for remote sites and mobile
users.
The following workflow provides you with the summary steps that you take
to install and configure Prisma Access.
- Launch Strata Cloud Manager through the hub.
- Launch an internet browser and Sign In to the hub.
- Launch Strata Cloud Manager.
- Specify trusted IP addresses for Prisma Access (Managed by Strata Cloud Manager) administrators.Only administrators that log in from these source IP addresses (and also that successfully authenticate) can access Prisma Access (Managed by Strata Cloud Manager). The IP addresses must be public addresses. By default, there aren’t any trusted addresses enforced (the list is set to any). To get started, find the Settings menu on the left navigation panel and click IP Restrictions.
- Enable the service infrastructure and service connections that allows communication between Prisma Access elements.
- Secure mobile users with GlobalProtect or Explicit Proxy, as required for your deployment.
- Plan, create, and configure remote network connections.
- (Optional) Change the authentication method from local authentication to your organization’s authentication method.
- (Optional) Forward logs from Strata Logging Service to an external Syslog receiver using Strata Logging Service.
- (Optional) Check the status of Prisma Access.You can retrieve the status of all cloud services, including Prisma Access and Strata Logging Service, and a historical record of the service uptime by accessing the app instance from the hub.You can also sign up for email or text message notifications so that you are notified when infrastructure updates are planned; when updates occur; and when Palo Alto Networks® creates, updates, or resolves an incident. To sign up for email updates, go to the Resources section of the hub home page and then select Service Status. You can then Subscribe to specific updates and incidents for your cloud services.
Set Up Prisma Access (Panorama)
Provides quick steps to implement Prisma Access.
The following workflow provides you with the
summary steps that you take to install and configure Prisma Access (Managed by Panorama)
Access.
If you are setting up a deployment
that includes multiple instances of Prisma Access on a single Panorama
(multitenancy), see .
Most organizations do not have a need to create and manage multiple
tenants.
- Add the following URLs and ports to an allow list on any security appliance that you use with the Panorama appliance that manages Prisma Access.In addition, if your Panorama appliance uses a (PanoramaSetupServiceProxy Server), or if you use SSL forward proxy with Prisma Access, be sure to add the following URLs and ports to an allow list on the proxy or proxy server.
- api.gpcloudservice.com (for Prisma Access)
- api.paloaltonetworks.com (for Prisma Access)
- apitrusted.paloaltonetworks.com (for Prisma Access)
If there is a Palo Alto Networks next-generation firewall between the Panorama appliance and the internet, you must add a security policy rule on the firewall to allow the paloalto-logging-service and paloalto-shared-services App-IDs from the Panorama appliance to the internet. These applications allow SSL-secured communication to Prisma Access and to Strata Logging Service that the Panorama appliance uses to query logs. If the Panorama appliance is behind a legacy Layer 4 firewall, permit ports 443 and 444 outbound from the Panorama to allow this traffic from the Panorama. Note that opening layer 4 ports instead of using Palo Alto Networks App-IDs is less secure and not recommended. - Add the ports used by Panorama to allow lists in your network.
- Import your existing Panorama configuration to Prisma Access, or create new templates and device groups to begin configuration of Prisma Access.In order to push configuration—such as security policy, authentication policy, server profiles, security profiles, address objects, and application groups—to Prisma Access, you must either create new templates and device groups with the configuration settings you want to push to Prisma Access, or leverage your existing device groups and templates by adding them to the template stacks and device group hierarchies that Prisma Access creates when you onboard the service.Prisma Access creates the following templates and device groups, depending on what you have purchased (for example, if you do not purchase an Explicit Proxy license, you will not see the Explicit Proxy templates and device groups):
- Templates:
- Explicit_Proxy_Template
- Explicit_Proxy_Template_Stack
- Mobile_User_Template
- Mobile_User_Template_Stack
- Remote_Network_Template
- Remote_Network_Template_Stack
- Service_Conn_Template
- Service_Conn_Template_Stack
- Device Groups:
- Explicit_Proxy_Device_Group
- Mobile_User_Device_Group
- Remote_Network_Device_Group
- Service_Conn_Device_Group
Configuration is simplified in Prisma Access because you do not have to configure any of the infrastructure settings, such as interfaces and routing protocols. This configuration is automated and pushed from Panorama in the templates and device groups that the service creates automatically. You can configure any infrastructure settings that are required by the service, such as settings required to create IPSec VPN tunnels to the IPSec-capable devices at your remote network locations, directly from the plugin. Optionally, you can add templates and device group hierarchies to the configuration to simplify the service setup.To simplify the service setup, create or import the templates and device groups you need before you begin the setup tasks for using Prisma Access.When creating templates and device groups for Prisma Access, you do not need to assign managed devices to it. Instead, you will add them to the template stacks and device group hierarchies that Prisma Access creates. Do not add any of the templates or device groups created by Prisma Access to any other template stacks or device groups. - Sign up for email notifications using Strata Cloud Manager.Prisma Access provides you with notifications about the service, including any dataplane upgrades, using notifications from this app.
- Change the default master key for Panorama and in the Cloud Services plugin.Palo Alto Networks recommends changing the master key in Panorama and in the Cloud Services plugin as a security best practice and that you change the master key monthly.Because the Panorama and Prisma Access master keys do not synchronize, Palo Alto Networks recommends that you do not automatically rotate the master key in Panorama without also synchronizing the master key in Prisma Access. You can use the Panorama UI or API commands to change the master keys.Be sure to keep track of the master key you deploy because master keys cannot be recovered. When a master key expires, you must enter the current master key in order to configure a new master key. You must reset your Panorama appliance to factory default if you cannot provide the current master key when it expires.
- Change the master key in Panorama.
- Select PanoramaMaster Key and Diagnostics.Do not specify a Current Master Key.
- Configure the New Master Key and Confirm Master Key.Make a note of the master key you configured.
- Configure the master key Lifetime and Time for Reminder.
- Click OK.
- Change the master key for Prisma Access by selecting PanoramaCloud ServicesConfigurationService OperationsEdit master key, then entering the same master key you entered for Panorama.
You can also change the master key by using API commands. This requires two steps–one to change the Panorama master key and one to change the Prisma Access master key. Use the following API commands to change the master key:- Panorama: XML APIOperational Commandsrequestmaster-key
- Prisma Access: XML APIOperational Commandsrequestpluginscloud_servicesprisma-accesssync
- Enable the service infrastructure and service connections that allows communication between Prisma Access elements.
- Create a service connection to allow access to your corporate resources.If you don’t require access to your corporate resources, you should still create a service connection to enable access between mobile users and remote networks.
- Prisma Access Mobile User Deployments and secure mobile users with GlobalProtect or Explicit Proxy, as required for your deployment.To set up GlobalProtect on Prisma Access (Managed by Panorama):
- Configure zones for mobile users by creating two zones in the Mobile_User_Template (for example, Mobile-Users and Internet) and mapping the zones. You should map any zone that is not Prisma Access connected users or HQ or branch offices to Untrust.Under PanoramaCloud ServicesConfigurationMobile Users, map Internet to Untrust; Mobile-Users to Trust.
- Configure authentication.We recommend using local authentication as a first step to verify that the service is set up and your users have internet access. You can later switch to using your corporate authentication methods.
- Configure Security policies for the device group.To create a Security policy to allow traffic to the Internet, select the Mobile_User_Device_Group PoliciesSecurityPrerulesAdd a rule. For example: Mobile-Users to Internet.
- Commit and push your changes to get started with the service.
- Select PanoramaCloud ServicesStatusMonitorMobile Users to view the Status and verify that you can ping the Portal FQDN.
- Validate that Prisma Access is securing Internet traffic for mobile users by downloading and installing the GlobalProtect app, using the app to connect to the portal as a mobile user (local user), browsing to a few websites on the internet, and checking the traffic logs on Panorama.
To secure mobile users with an explicit proxy:- Read the Explicit Proxy Configuration Guidelines.
- Configure SAML Authentication. SAML authentication is required for Explicit Proxy.
- Set up Group Mapping using the Cloud Identity Engine.
- Complete the Explicit Proxy configuration.
- Commit and Push your changes.
- Plan, create, and configure remote network connections.
- Add one or more remote networks to Prisma Access.You can onboard one location and then add additional locations using the bulk import capability.
- Create a Security policy rule to allow traffic from the remote networks to HQ (For example: Trust to Trust).
- Validate the connectivity between the service connection, remote network connection, and mobile users.
- Run the API Script Used to Retrieve Prisma Access IP Addresses and Use the Legacy Script to Retrieve Mobile User IP Addresses.You add these addresses to an allow list on your organization’s network to limit inbound access to your enterprise network and applications.
- (Optional) Change the authentication method from local authentication to your organization’s authentication method.
- Create an authentication profile that meets your organization’s requirements (SAML, LDAP, RADIUS, etc).
- If your organization uses an on-premises authentication server such as RADIUS or Active Directory, add the IP addresses that Prisma Access uses as its source IP address for internal requests (Retrieve the IP Addresses for Prisma Access) to allow lists in your network, or allow the IP addresses of the entire Infrastructure Subnet (Prisma Access takes the loopback IP address from this subnet).
- Update the Authentication Profile for the Prisma Access portal and gateway to use this new authentication profile.
- (Optional) Forward logs from Strata Logging Service to an external Syslog receiver using .