Prisma Access

As your business expands globally with new remote network locations popping up around the globe and mobile users roaming the world, it can be challenging to ensure that your business remains connected and always secure. Prisma Access uses a cloud-based infrastructure, allowing you to avoid the challenges of sizing firewalls and compute resource allocation, minimizing coverage gaps or inconsistencies associated with your distributed organization. The elasticity of the cloud scales as demand shifts and traffic patterns change. The cloud service facilitates next-generation security deployment to remote networks and mobile users by leveraging a cloud-based security infrastructure managed by Palo Alto Networks. The security processing nodes deployed within the service natively inspect all traffic in order to identify applications, threats, and content. Prisma Access provides visibility into the use of SaaS applications and the ability to control which SaaS applications are available to your users.
With Prisma Access, Palo Alto Networks deploys and manages the security infrastructure globally to secure your remote networks and mobile users. Prisma Access includes the following components:
  • Cloud Services Plugin—Panorama plugin that enables both Prisma Access and Strata Logging Service.
    This plugin provides a simple and familiar interface for configuring and viewing the status of Prisma Access. You can also create Panorama templates and device groups, or leverage the templates and device groups you may have already created, to push configurations and quickly enforce consistent security policy across all locations.
  • Service Infrastructure—Prisma Access uses an internal service infrastructure to secure your organization’s network. You supply a subnet for the infrastructure, and Prisma Access uses the IP addresses within this subnet to establish a network infrastructure between your remote network locations and mobile users, and service connections to your internal network resources (if applicable). Internal communication within the cloud is established using dynamic routing.
  • Service Connections—If your Prisma Access license includes it, you have the option to establish IPSec tunnels to allow communication between internal resources in your network and mobile users and users in your remote network locations. You could, for example, create a service connection to an authentication server in your organization’s HQ or data center.
    Even if you don’t require a service connection, we recommend that you create one with placeholder values to allow network communication between mobile users and remote network locations and between mobile users in different geographical locations.
  • Mobile Users—GlobalProtect—You select locations in Prisma Access that function as cloud-based GlobalProtect gateways to secure your mobile users. To configure this service, you designate one or more IP address pools to allow the service to assign IP addresses for the client VPN tunnels.
  • Mobile Users—Explicit Proxy—You can configure an Explicit Proxy using a proxy URL and a Proxy Auto-Configuration (PAC) file. The GlobalProtect app does not need to be installed on the users’ endpoints. The explicit proxy secures outbound HTTP and HTTPS internet traffic for mobile users and allows you to retrofit or replace an existing proxy setup. If your organization requires an explicit proxy design for regulatory or auditing compliance, you can meet those requirements using Prisma Access Explicit Proxy.
  • Remote Networks—Use remote networks to secure remote network locations, such as branches, and users in those branches with cloud-based next-generation firewalls. You can enable access to the subnetworks at each remote network location using either static routes, dynamic routing using BGP, or a combination of static and dynamic routes. All remote network locations that you onboard are fully meshed.
  • Multitenancy—If your organization requires that you manage multiple Prisma Access instances, Prisma Access offers multitenancy, which enables you to create up to 200 instances (tenants) on a single Panorama appliance (or 2 appliances in high availability (HA) mode), with each tenant having its own separate templates and template stacks, device groups, and access domains.
  • Prisma Access for Clean Pipe—The Prisma Access for Clean Pipe service allows organizations that manage the IT infrastructure of other organizations, such as service providers, MSSPs, or Telcos, to quickly and easily protect outbound internet traffic for their tenants.
    Prisma Access for Clean Pipe has its own requirements; however, it requires the same Panorama and Strata Logging Service licenses as the other Prisma Access products described in this section.
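The Explicit Proxy component above is driven by a PAC file. The following is an added illustration, not a file from Prisma Access or Palo Alto Networks documentation: it sends outbound HTTP and HTTPS to a placeholder proxy endpoint while unqualified hostnames and private (RFC 1918) destinations bypass the proxy. The proxy host/port and bypass ranges are assumed placeholders, and the `isInNet`/`isPlainHostName` helpers are small re-implementations of the browser's PAC built-ins (IP literals only, no DNS resolution) so the logic can be exercised outside a browser.

```javascript
// Added example PAC file for an explicit-proxy design (not a Prisma Access artifact).
// Placeholder proxy endpoint; replace with your explicit proxy URL and port.
var PROXY_URL = "PROXY proxy.example.invalid:8080";

// Placeholder internal ranges that should reach the internal network directly.
var BYPASS_NETS = [
  ["10.0.0.0", "255.0.0.0"],
  ["172.16.0.0", "255.240.0.0"],
  ["192.168.0.0", "255.255.0.0"],
];

// Browsers provide isInNet() and isPlainHostName() to PAC scripts; these
// stand-ins only handle dotted-quad IP literals (no hostname resolution).
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    var octet = Number(parts[i]);
    if (!Number.isInteger(octet) || octet < 0 || octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}
function isInNet(host, net, mask) {
  var h = ipToInt(host), n = ipToInt(net), m = ipToInt(mask);
  if (h === null || n === null || m === null) return false;
  // ">>> 0" forces unsigned 32-bit comparison after the bitwise AND.
  return ((h & m) >>> 0) === ((n & m) >>> 0);
}
function isPlainHostName(host) { return host.indexOf(".") === -1; }

function FindProxyForURL(url, host) {
  // Unqualified names (e.g. "intranet") and private ranges bypass the proxy.
  if (isPlainHostName(host)) return "DIRECT";
  for (var i = 0; i < BYPASS_NETS.length; i++) {
    if (isInNet(host, BYPASS_NETS[i][0], BYPASS_NETS[i][1])) return "DIRECT";
  }
  // Only HTTP and HTTPS are sent to the explicit proxy; other schemes go direct.
  var scheme = url.split(":")[0].toLowerCase();
  if (scheme === "http" || scheme === "https") return PROXY_URL;
  return "DIRECT";
}
```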
Prisma Access forwards all logs to Strata Logging Service. You can view the logs, ACC, and reports from Panorama for an aggregated view into your remote network and mobile user traffic. To enable logging for Prisma Access, you must purchase a Strata Logging Service license. Log traffic does not use the licensed bandwidth you purchased for Prisma Access.