Global expansion, mobile workforces, and cloud computing can shift the locations of your
enterprise’s applications, data, and users. These changes introduce new opportunities
globally, but they also introduce new vectors for cybersecurity risk. Prisma Access
provides a solution to manage mobile users and branch offices anywhere in the world,
including navigating access and security complexities in mainland China.
While Prisma Access is not available as a service in China, you can now
extend its capabilities into mainland China, while still allowing a secure local
internet breakout to mobile users and offices located in China. Palo Alto Networks
provides this solution with a hybrid architecture that seamlessly integrates Prisma
Access with a Next-Generation Firewall platform located in mainland China. You can use a
firewall that is physically located in mainland China or a VM-series firewall that is
deployed in a public cloud region in mainland China.
Users in mainland China connect to Prisma Access over a hybrid connection established
between the firewall in mainland China and a location outside of the mainland. The
following figure shows the process.
After users in mainland China connect to your organization’s next-generation firewall
infrastructure, they get secure access to the internet and to local SaaS providers in
mainland China. To reach applications outside of China, the firewall connects
to a Prisma Access location outside China using the hybrid connectivity of your choice,
as shown in the following figure. For details about the configuration you
perform, see the workflows for onboarding mobile users and branch offices.
This solution gives your organization the following benefits:
- Delivers secure local internet breakout to mobile users and offices located in China.
- Provides secure access to internal applications as well as SaaS and cloud applications, both inside and outside China.
- Leverages an existing Next-Generation Firewall infrastructure to connect to Prisma Access.
The solution requires the following components:
- An active Prisma Access subscription.
- One or more next-generation firewalls in mainland China (either on-premises or VM-Series). If your deployment in China has existing on-premises firewalls, you can leverage those for your deployment.
- Connectivity to a location outside China over an approved channel (hybrid connectivity).
You can use one of the following connections for the hybrid connectivity between
mainland China and the location outside mainland China:
- An MPLS circuit
- A private line
- Alibaba Cloud Express Connect (CEN)
The examples in this chapter use CEN as the hybrid connectivity.