GlobalProtect allows you to protect mobile users by installing the GlobalProtect app on their endpoints and configuring GlobalProtect settings in Prisma Access. GlobalProtect allows you to secure mobile users’ access to all applications, ports, and protocols, and to get consistent security whether the user is inside or outside your network.

When you secure mobile users using GlobalProtect, you will need to define the settings to configure the portal and gateways in the cloud. For example, you will define a portal hostname, set up the IP address pool for your mobile users, and configure DNS settings for your internal domains. You may be able to leverage using existing configurations for some of the required settings, such as what authentication profile to use to authenticate mobile users. If you already have a template with your authentication profiles, certificates, certificate profiles, and server profiles, you can add that template to the predefined template stack during onboarding to simplify the setup process.

While it is not necessary to push your Security policy settings and objects to Prisma Access during the onboarding process, if you already have device groups and templates with the configuration objects you need (for example, Security policy, zones, User-ID configuration, and other policy objects) go ahead and add them when you onboard. This way you can to complete the zone mapping that is required to enable Prisma Access to map the zones in your policy to the appropriate interfaces and zones within the cloud. However, if you don’t have your policy set yet, you can go back later and push it to Prisma Access for users.

In addition, if you want your mobile users to be able to connect to your remote network locations, or if you have mobile users in different geographical areas who need direct access to each other’s endpoints, you must configure at least one service connection with placeholder values, even if you don’t plan to use the connection to provide access to your data center or HQ locations. The reason this is required is because, while all remote network locations are fully meshed, Prisma Access gateways (also known as locations) connect to the service connection in a hub-and-spoke architecture to provide access to the internal networks in your Prisma Access infrastructure.