Onboard Mobile Users in Mainland China to Prisma Access

Where Can I Use This? | What Do I Need?
  • Prisma Access (Managed by Panorama)
You are responsible for complying with Chinese regulations. VPNs must run on sanctioned providers’ infrastructure, such as Alibaba Cloud. Do not use VPNs to access any content that has been banned by the Chinese government. You must assume responsibility for implementing appropriate security policies that prevent access to any banned content (for example, prevent mobile users in China from performing a Google search outside of China). You must use this solution to provide secure access to business and corporate applications only, including private and approved SaaS applications. Palo Alto Networks recommends that you consult with your organization’s legal department before deploying this solution.
Before you start to provide secure access for mobile users in mainland China, determine your requirements and purchase the following Palo Alto Networks and third-party software and licensing:
  • If you use Alibaba Cloud for hybrid connectivity, create an account on Alibaba Cloud with Admin privileges and the ability to create a Cloud Enterprise Network (CEN) and perform real-name registration. This process can take 48 hours.
    In addition, gather the following required information to use Alibaba Cloud:
    • The regions where you will deploy Alibaba Cloud in mainland China.
    • The amount of bandwidth you will use for the CEN.
      Take both the bandwidth and the cost of the CEN into consideration when planning to use a CEN.
  • A Prisma Access subscription.
  • A licensed Palo Alto Networks next-generation firewall (either a VM-Series or on-premises firewall) with a GlobalProtect subscription located in mainland China.
    You should also determine if your deployment requires additional subscriptions.
  • An IP address pool for mobile users in China.
    This pool must not overlap with pools used by Prisma Access in other regions.
  • A public key infrastructure (PKI) that can issue the server certificates and key pairs required for the GlobalProtect gateway in China.
    Alternatively, you can use self-signed certificates.
  • In addition to the software requirements, you need a basic understanding of public cloud networking.
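
The requirement above that the China mobile-user IP pool must not overlap with pools used by Prisma Access in other regions can be checked before deployment. The following is an added example, not part of the Palo Alto Networks documentation; the function name `find_pool_overlaps`, the region labels, and all address ranges are constructed for illustration.

```python
import ipaddress

# Constructed sample data: pools assumed to be in use by Prisma Access
# mobile users in other regions (labels and ranges are illustrative).
EXISTING_POOLS = {
    "region-a": ["10.100.0.0/16"],
    "region-b": ["10.101.0.0/16", "fd00:10:101::/48"],
}


def find_pool_overlaps(china_pools, existing_pools):
    """Return (china_pool, region, existing_pool) for every overlap found.

    china_pools:    list of CIDR strings proposed for mobile users in China.
    existing_pools: dict mapping a region label to a list of CIDR strings.
    Raises ValueError if any CIDR has host bits set (likely a planning typo).
    """
    conflicts = []
    for raw in china_pools:
        # strict=True rejects entries such as 10.101.128.5/20 instead of
        # silently rounding them down to the network address.
        candidate = ipaddress.ip_network(raw, strict=True)
        for region, pools in existing_pools.items():
            for existing_raw in pools:
                existing = ipaddress.ip_network(existing_raw, strict=True)
                # IPv4 and IPv6 pools can never overlap each other.
                if candidate.version != existing.version:
                    continue
                # overlaps() catches containment in either direction as
                # well as exact duplicates.
                if candidate.overlaps(existing):
                    conflicts.append((str(candidate), region, str(existing)))
    return conflicts


if __name__ == "__main__":
    proposed = ["10.101.128.0/20", "10.120.0.0/20"]  # constructed candidates
    for pool, region, existing in find_pool_overlaps(proposed, EXISTING_POOLS):
        print(f"{pool} overlaps {existing} ({region})")
```

Replace `EXISTING_POOLS` with the pools actually configured for your other Prisma Access regions before relying on the result.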