The rapid transition to a hybrid workforce, where employees can now work fluidly between corporate offices, branch offices, home offices, or on the road has accelerated the change in how and where business is done, including organizations in China. You can use Prisma Access to secure mobile users, branch offices, and headquarters and data center locations in China. If your organization currently uses Explicit Proxies and PAC files, you can seamlessly transition from traditional or cloud proxy-based secure web gateway (SWG) solutions to Prisma Access. This is especially beneficial for securing mobile users' internet access. Additionally, Prisma Access Explicit Proxy feature is ideal for organizations that require proxy usage for compliance reasons and to protect endpoints deployed in no-default route networks.

The instances of Prisma Access in China are hosted in China and manage your organization's cybersecurity infrastructure while following all regulations and mandates. What's more, Prisma Access China enables a consistent end-user experience, extending consistent visibility and control to locations within mainland China.

The procedures you use to onboard Prisma Access locations in mainland China follow the same procedures you use to onboard Prisma Access deployments in other locations around the globe. However, make sure that you're aware of the following differences:

• Deployment Type (New or Existing) —You can only deploy Prisma Access China in a new Prisma Access environment. Upgrades or migrations from an existing Prisma Access deployment are not supported.
• Deployment Type (Panorama or Cloud Managed Prisma Access) —Prisma Access China is supported with both Cloud Managed and Panorama Managed Prisma Access deployments.
• Required SKUs—When you purchase Prisma Access for a deployment in mainland China, SKUs are required that are specific to Prisma Access China. Work with your authorized Palo Alto Networks representative or partner to make sure that you purchase the correct SKUs for your Prisma Access China deployment.
• Supported Panorama Versions (Prisma Access (Managed by Panorama) Deployments Only)—If you decide to use Prisma Access (Managed by Panorama), Prisma Access China requires a special build in China; before you begin installation, you must deploy your hardware or virtual (AWS, KVM, or ESXi) Panorama appliance from one of the following images that are available in mainland China.
  • Panorama-AWS-10.2.3 (AWS)
  • Panorama-KVM-10.2.3-h4.qcow2 (KVM)
  • One or more of the following ESXi images:
    • If your deployment does not use the Cloud Identity Engine for authentication, download and install this image: Panorama-ESX-10.2.3-h4.ova
    • If your deployment uses the Cloud Identity Engine for authentication, download and install the Panorama-ESX-10.2.3-h4.ova image, then download and install this image on top of the ova image: Panorama_pc-10.2.4-ch139
      In addition, if your deployment uses the Cloud Identity Engine, reach out to your Palo Alto Networks team, who will open a case to copy the correct certificate authority (CA) certs to use with the Cloud Identity Engine in China.
  Only use a new Panorama appliance with Prisma Access China. Use this appliance to manage Prisma Access China only, don't use it to manage on-premises firewalls.
• Required Panorama Physical Location (Panorama Managed Deployments Only)—The Panorama you use to manage Prisma Access China must be installed and located in mainland China. If it's a hardware appliance, it must be based in mainland China; if it's a Panorama virtual appliance, the cloud location where the appliance is instantiated must be in China.
• Supported Locations—Prisma Access China supports the following locations in mainland China:
  • China North—Beijing (uses the China North compute location)
  • China Northwest—Ningxia (uses the China Northwest compute location)
• Supported Strata Logging Service Region—Prisma Access China supports the Strata Logging Service China region only, which is automatically populated for you during product activation.
  If you want to enable log forwarding from Strata Logging Service in China to an external log server, changes are required to the Prisma Access infrastructure in China. Reach out to your Palo Alto Networks team to begin the process of forwarding logs. Be aware that configuring log forwarding profiles to send logs to servers outside China can result in personally identifiable information leaving China.
• Required GlobalProtect Version—Prisma Access China supports all the GlobalProtect versions supported in a standard Prisma Access.
• Feature Support— Prisma Access supports Mobile Users—Explicit Proxy deployments in China. You can use one of the following methods to connect:

  • GlobalProtect in Proxy mode
  • GlobalProtect in Tunnel and Proxy mode
  • PAC file with Kerberos
  • Proxy mode with remote networks
  Prisma Access Explicit Proxy in China only supports Internet and SaaS applications.
  PAC file with SAML authentication, IP address optimization, private IP address visibility with Proxy mode on remote networks are not supported.
  If you use Strata Cloud Manager to manage your Explicit Proxy deployment, reach to your Palo Alto Networks Account representative to enable Explicit Proxy in China.
• Mobile User IP Address Support—When you configure mobile user IP address Pools in a Prisma Access deployment, use only a Worldwide pool. Selecting a regional or location group address can cause errors on commit.
• Required Cloud Services Plugin Version—4.1.0-h20
  If you're running a plugin version earlier than 4.1.0-h20 (for example, 3.2.1-h18), you should upgrade your plugin to the minimum required version.
• Feature Support—All features and add-ons are supported with Prisma Access China, except for the following add-ons and functionality:
  • Base Prisma Access Functionality—The following Prisma Access functionality isn't supported:
    • Secure Inbound Access to Remote Network Locations
    • Autonomous DEM (ADEM) add-on
    For a detailed list of nonsupported features, contact your Palo Alto Networks representative.
  • To access external SaaS apps or other external internet resources outside of China through a cross-border line (for example, an MPLS line), you can use traffic steering to redirect mobile user or remote network traffic to a service connection before sending it to the internet.
  • GlobalProtect Portal Name Change—The GlobalProtect portal name for Prisma Access China is <portal-name>.prismaaccess.cn.
  • Other Prisma Access Component and Add-On Compatibility—The supported add-ons depend on your license type and your customer's privacy profile and governance. Prisma Access China provides you with two licenses: Level 1 provides a solution that limits the amount of Personal Identifiable Information (PII) exporting out of mainland China and Level 2 allows more add-ons and features that don't restrict data exporting to outside of China.
  The following table shows you the support for other Prisma Access components and add-ons; a check mark (√) indicates that it's supported and dash (—) indicates that it's not supported:

  Component or Add-On	Level 1 License Support (Panorama Only)	Level 2 License Support
  Access to private apps via service connection	√ For Enterprise licenses, five service connections are provided with the license. For Business Premium and Enterprise licenses, additional service connections are available as an add-on.	√ For Enterprise licenses, five service connections are provided with the license. For Business Premium and Enterprise licenses, additional service connections are available as an add-on.
  Standard Threat Prevention	√	√
  Advanced Threat Prevention	—	√
  Standard URL Filtering	√	√
  Advanced URL Filtering	—	√
  DNS Security	√	√
  Advanced WildFire	—	√
  Next-Generation Cloud Access Security Broker (CASB-X)	—	√ (available as an add-on)
  Enterprise DLP	—	√ (available as an add-on)
  SaaS Inline	—	√ (available as an add-on)
  IoT Security	—	√ (available as an add-on)