Prisma Access
Setting Priority for Prisma Access and On-Premises Gateways
Prisma Access enables you to extend the Palo Alto Networks security platform out to your mobile users. In a hybrid deployment where your enterprise uses on-premises GlobalProtect gateways, you can set priorities in Prisma Access to let mobile users connect to either a specific on-premises GlobalProtect gateway or a Prisma Access gateway. You can select the on-premises gateway that is physically closest to your mobile users and still allow users to connect to a different gateway (either on-premises or cloud) so that they keep secure access if they change locations. You can also give priority to gateways that are in the same country or the same linguistic area as your mobile users.

If you add on-premises gateways to your Prisma Access deployment, check whether the priority for the Prisma Access gateways is set to None and, if it is, change the priority. While the priority is None, the service will never automatically select a Prisma Access gateway, so users who are not covered by an on-premises gateway are left without a gateway. See Configure Priorities for Prisma Access and On-Premises Gateways to change the priority of your Prisma Access gateways.

If you require users to connect to a specific Prisma Access gateway, you can allow mobile users to manually select specific Prisma Access gateways. Mobile users choose one of the Prisma Access gateways using the GlobalProtect app that is installed on their endpoint.

Complete the following workflow to configure gateway priorities in Prisma Access.
Set Equal Gateway Priorities for On-Premises and Prisma Access Gateways
To enable secure access for your mobile workforce no matter where they are located, you can set equal priorities for the on-premises GlobalProtect gateways and the Prisma Access gateways. The GlobalProtect app uses Gateway Priority in a Multiple Gateway Configuration to determine the preferred gateway.

You can use this configuration if your mobile users are most often closer to an on-premises gateway. When users change locations, the GlobalProtect app chooses another gateway (either on-premises or Prisma Access) based first on the highest priority and then on the lowest response time.

The following figure shows a sample configuration with two mobile users in North America. You set the gateway priority to Highest for both the Prisma Access gateways and the on-premises gateways.

In this example, User 1's GlobalProtect app determines that the Prisma Access gateway has a lower response time than the on-premises gateway, and User 2's GlobalProtect app determines that the on-premises gateway has a lower response time. Because all gateways have the same priority, response time alone decides: User 1 connects to the Prisma Access gateway and User 2 connects to the on-premises gateway.
Set a Higher Gateway Priority for an On-Premises Gateway
In situations where you want to direct mobile users to an on-premises gateway instead of the Prisma Access gateways, configure the on-premises gateway with a source region and a higher priority than the Prisma Access gateways.

The following figure shows a sample configuration for mobile users in Indonesia. To avoid the possibility of mobile users being connected to the nearest Prisma Access gateway in Singapore, you set the gateway priority to Highest for the on-premises gateway in Indonesia and set the priority to Medium for the Prisma Access gateways.

This example also specifies a source region of Indonesia for the on-premises gateway. We recommend specifying a source region for the following reasons:
- Specifying a source region for an on-premises gateway allows users in that region to access the gateway and prevents users outside of that region from connecting to it. In this example, only mobile users in Indonesia can connect to the on-premises gateway with the source region of Indonesia, and the higher priority means that the on-premises gateway takes precedence over the Prisma Access gateways for those users.
- If you set a source region of Any for the on-premises gateway in Indonesia, every mobile user in your organization would prefer the on-premises gateway in Indonesia, because of its higher priority and worldwide accessibility. With this configuration, mobile users might never connect to the Prisma Access gateways at all.
Set Higher Priorities for Multiple On-Premises Gateways
To ensure that traffic to the internet stays in language-specific regions, you can configure multiple gateways in multiple source regions, setting the priority of the on-premises gateways to Highest and the priority of the Prisma Access gateways to Medium.

The following figure shows a sample configuration for mobile users in Scandinavia. With this configuration, when the mobile users access internet websites, their traffic egresses from their own country, so the websites serve content in the language and character encoding specific to that country.

In this example, you configure on-premises gateways with source regions in Denmark, Norway, and Sweden. You set the priority of those gateways to Highest and set the priority of the Prisma Access gateways to Medium. Specifying a source region for the on-premises gateways allows users in those regions to access those gateways and prevents users outside of those regions from connecting to them.

In this example, the GlobalProtect app for mobile users in Sweden selects the on-premises gateway in Sweden because of the matching source region and higher gateway priority; a user outside Denmark, Norway, and Sweden is not eligible for any of the on-premises gateways and falls through to a Prisma Access gateway.
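The selection behaviour described in the three sections above (equal priorities, one Highest on-premises gateway with a source region, and several region-scoped on-premises gateways), modelled as an added Python example. This is not code from Palo Alto Networks or from the GlobalProtect app; it implements only the rule the page states (eligible source region, then highest priority, then lowest response time), and every gateway name, region and response time in it is constructed. It also reproduces the two pitfalls the page warns about: a Prisma Access priority left at None selects nothing, and a Highest on-premises gateway with source region Any pulls in users from every region.

```python
"""Model of the GlobalProtect gateway-selection rule this page describes.

Selection order, as the page states it: keep only gateways whose Source
Region covers the user's region (or is Any), drop gateways whose priority
is None (those are never selected automatically), take the highest
priority tier that remains, and within that tier pick the lowest response
time. All gateway names, regions and response times are constructed.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, Optional, Tuple

# Priority tiers from the portal agent configuration; a larger rank is
# preferred. None is deliberately absent: a None-priority gateway is not
# a candidate for automatic selection.
PRIORITY_RANK = {"Highest": 5, "High": 4, "Medium": 3, "Low": 2, "Lowest": 1}


@dataclass(frozen=True)
class Gateway:
    name: str
    kind: str                          # "prisma-access" or "on-premises"
    priority: Optional[str]            # key of PRIORITY_RANK, or None
    source_regions: FrozenSet[str] = frozenset({"Any"})


def eligible(gw: Gateway, user_region: str) -> bool:
    """A gateway is a candidate only if its priority is set and its source
    regions cover the user's region (Any covers every region)."""
    if gw.priority not in PRIORITY_RANK:
        return False
    return "Any" in gw.source_regions or user_region in gw.source_regions


def select_gateway(gateways: Iterable[Gateway], user_region: str,
                   response_ms: Dict[str, int]) -> Optional[str]:
    """Return the name of the gateway the app would choose, or None when no
    gateway is selectable (for example, every priority left at None)."""
    candidates = [gw for gw in gateways if eligible(gw, user_region)]
    if not candidates:
        return None
    best = max(PRIORITY_RANK[gw.priority] for gw in candidates)
    top_tier = [gw for gw in candidates if PRIORITY_RANK[gw.priority] == best]
    # Within the preferred tier, the lowest measured response time wins.
    return min(top_tier, key=lambda gw: response_ms[gw.name]).name


def scenario_equal_priority() -> Tuple[Optional[str], Optional[str]]:
    """Both gateways at Highest (the North America figure): response time
    alone decides, so two users in one region can land on different gateways."""
    gws = [Gateway("pa-us-west", "prisma-access", "Highest"),
           Gateway("onprem-us-east", "on-premises", "Highest")]
    user1 = select_gateway(gws, "United States", {"pa-us-west": 20, "onprem-us-east": 60})
    user2 = select_gateway(gws, "United States", {"pa-us-west": 70, "onprem-us-east": 15})
    return user1, user2


def scenario_indonesia(onprem_regions: FrozenSet[str]) -> Tuple[Optional[str], Optional[str]]:
    """Highest on-premises gateway in Indonesia, Prisma Access at Medium.
    Returns the choice for a user in Indonesia and a user in Singapore.
    frozenset({"Indonesia"}) is the recommended setup; frozenset({"Any"})
    shows every user being pulled onto the on-premises gateway."""
    gws = [Gateway("pa-singapore", "prisma-access", "Medium"),
           Gateway("onprem-jakarta", "on-premises", "Highest", onprem_regions)]
    rtt = {"pa-singapore": 10, "onprem-jakarta": 40}   # the cloud gateway is faster
    return select_gateway(gws, "Indonesia", rtt), select_gateway(gws, "Singapore", rtt)


def scenario_scandinavia() -> Tuple[Optional[str], Optional[str]]:
    """One Highest on-premises gateway per source region (Denmark, Norway,
    Sweden) and Prisma Access at Medium: a Swedish user gets the Swedish
    gateway, a user outside those regions falls through to Prisma Access."""
    gws = [Gateway("pa-europe", "prisma-access", "Medium"),
           Gateway("onprem-copenhagen", "on-premises", "Highest", frozenset({"Denmark"})),
           Gateway("onprem-oslo", "on-premises", "Highest", frozenset({"Norway"})),
           Gateway("onprem-stockholm", "on-premises", "Highest", frozenset({"Sweden"}))]
    rtt = {"pa-europe": 5, "onprem-copenhagen": 30, "onprem-oslo": 30, "onprem-stockholm": 30}
    return select_gateway(gws, "Sweden", rtt), select_gateway(gws, "Finland", rtt)


def scenario_priority_none() -> Optional[str]:
    """Prisma Access priority left at None and no on-premises gateway that
    covers the user's region: nothing is selected, the user has no gateway."""
    gws = [Gateway("pa-singapore", "prisma-access", None),
           Gateway("onprem-jakarta", "on-premises", "Highest", frozenset({"Indonesia"}))]
    return select_gateway(gws, "Singapore", {"pa-singapore": 10, "onprem-jakarta": 40})


if __name__ == "__main__":
    print("equal priority:", scenario_equal_priority())
    print("indonesia, scoped:", scenario_indonesia(frozenset({"Indonesia"})))
    print("indonesia, Any:", scenario_indonesia(frozenset({"Any"})))
    print("scandinavia:", scenario_scandinavia())
    print("priority None:", scenario_priority_none())
```

Run it directly to see the five outcomes. The useful checks are the last two scenarios: with source region Any the Singapore user is routed to Jakarta despite a faster Prisma Access gateway next door, and with the Prisma Access priority left at None a user outside every on-premises source region gets no gateway at all.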
Configure Priorities for Prisma Access and On-Premises Gateways
Use this workflow to configure priorities for a deployment that uses on-premises gateways with Prisma Access.

1. Log in to Prisma Access.
2. Select Network > GlobalProtect > Portals in the Mobile_User_Template template.
3. Click the portal name in the Name field.
4. Click the Agent tab.
5. Click the name of the agent to configure. The default agent is named DEFAULT.
6. Click the External tab.
7. Set the priority of the Prisma Access gateways.
   - Click GP cloud service.
   - Set the priority for your preferred configuration. To Set a Higher Gateway Priority for an On-Premises Gateway or Set Higher Priorities for Multiple On-Premises Gateways, change the priority from None to Medium.
   - Be sure that the Manual check box is selected. Checking the Manual check box ensures that mobile users can select a specific Prisma Access gateway if it is required.
   - Do not add a source region for the Prisma Access gateways; any region you specify is not applied to the configuration.
   - Click OK.
8. Add one or more on-premises external gateways to your configuration.
   - Enter a descriptive Name for the gateway. The name you enter should match the name you defined when you configured the gateway, and it should be descriptive enough for users to know the location of the gateway to which they connect.
   - Enter the FQDN or IP address of the interface where the gateway is configured in the Address field. You can configure an IPv4 address. The address you specify must exactly match the Common Name (CN) in the gateway server certificate; if it does not, the GlobalProtect app rejects the gateway's certificate and users cannot connect to that gateway.
   - Add one or more Source Regions for the on-premises gateway, or select Any to make the gateway available to all regions. If you set the priority of on-premises external gateways higher than Prisma Access gateways, we recommend that you specify source regions for the external gateways. If you specify Any for the region, the GlobalProtect app might never select Prisma Access gateways over on-premises gateways because of the higher priority for the on-premises gateways.
   - Select the Manual check box to allow users to manually switch to the gateway.
   - Set the Priority of the on-premises gateway to Highest (the default).
   - Click OK.
9. (Optional) Set the priority for additional gateways by repeating Step 8. Be sure to specify the correct source regions. The following figure shows a sample configuration with multiple gateways that have source regions in Norway, Sweden, and Denmark. Note that the Manual check box is selected, which indicates that a mobile user can manually select any of these gateways.