Configure a Prisma Access China Deployment

1. (Optional) Create a Customer Support Portal (CSP) account that you can dedicate for your Prisma Access China deployments.
   While it's not required to create a dedicated CSP account for Prisma Access China only, you might find it beneficial because the Prisma Access setup and activation are unique to Prisma Access China.
2. (Prisma Access (Managed by Panorama) Deployments Only) Install the Panorama that will manage Prisma Access in China (if you have not done so already).
   View the Supported Panorama Versions for the image links and instructions to install Panorama.
3. Activate and install your Prisma Access China deployment (Cloud Managed or Panorama Managed).
4. (Optional, Prisma Access (Managed by Panorama) Deployments Only) If you need to install a Panorama device certificate (PanoramaSetupDevice Certificate), open a CLI session with the Panorama that manages Prisma Access and enter the following CLI command before downloading it:
   request certificate secure-bridge enable

   Entering this command before downloading the certificate ensures that you get a certificate that is signed in China.
5. Add the following URLs, IP addresses, and ports to an allow list on any security appliance that you use with Prisma Access.
   In addition, for Prisma Access (Managed by Panorama) deployments, if your Panorama appliance uses a proxy server (PanoramaSetupServiceProxy Server), or if you use SSL Forward Proxy with Prisma Access, be sure to add the following URLs, IP addresses, and ports to an allow list on the proxy or proxy server.

   • api.prismaaccess.cn (for Prisma Access)
   • api.sb.prismaaccess.com (for Prisma Access)
   • api-trusted.sb.prismaaccess.com (for Prisma Access)
   • *.proxy.prismaaccess.cn (for Prisma Access Explicit Proxy)
   • The FQDNs, ports, and IP addresses required for Strata Logging Service in China
   • The ports used by Panorama
6. (Prisma Access (Managed by Panorama) Deployments Only) Select DeviceSetupWildFire and enter cn.wildfire.paloaltonetworks.com.
   Use the WildFire China Cloud with Prisma Access China.
7. Configure the Prisma Access Service Infrastructure.
8. If you have a Mobile Users—GlobalProtect deployment, configure your deployment.
   Palo Alto Networks recommends using local authentication as a first step to verify that the service is set up and your users have internet access. You can later switch to using your corporate authentication methods.
9. Enable the service infrastructure and service connections that allow communication between Prisma Access elements.
10. Plan for and create a service connection to secure access to private apps.
11. Plan, create, and configure remote network connections to secure access to branch sites.
12. Retrieve the and add them to your organization's network allow lists.
    Add these addresses to limit inbound access to your enterprise's network and applications.

    (Prisma Access (Managed by Panorama) Deployments Only) If you have a Mobile User—GlobalProtect deployment, you can use the instead of this API to manage public IP address allocation and confirm that the IP addresses have been added to your allow lists before Prisma Access releases the IP addresses. In this way, Prisma Access only provisions the IP addresses that you have allow listed.
13. (Optional) Change the authentication method from local authentication to your organization’s authentication method and set up authentication for mobile users.