As your business expands globally with new remote network
locations popping up around the globe and mobile users roaming the
world, it can be challenging to ensure that your business remains
connected and always secure. Prisma Access uses a cloud-based infrastructure,
allowing you to avoid the challenges of sizing firewalls and compute
resource allocation, minimizing coverage gaps or inconsistencies
associated with your distributed organization. The elasticity of
the cloud scales as demand shifts and traffic patterns change. The
cloud service facilitates next-generation security deployment to
remote networks and mobile users by leveraging a cloud-based security
infrastructure managed by Palo Alto Networks. The security processing nodes
deployed within the service natively inspect all traffic in order
to identify applications, threats, and content. Prisma Access provides
visibility into the use of SaaS applications and the ability to
control which SaaS applications are available to your users.
With Prisma Access, Palo Alto Networks deploys and manages the
security infrastructure globally to secure your remote networks
and mobile users. Prisma Access includes the following components:
Cloud Services Plugin—Panorama plugin that enables
both Prisma Access and Strata Logging Service.
This
plugin provides a simple and familiar interface for configuring
and viewing the status of Prisma Access. You can also create Panorama templates
and device groups, or leverage the templates and device groups you
may have already created, to push configurations and quickly enforce consistent
security policy across all locations.
Service Infrastructure—Prisma Access uses an internal
service infrastructure to secure your organization’s network. You
supply a subnet for the infrastructure, and Prisma Access uses the
IP addresses within this subnet to establish a network infrastructure
between your remote network locations and mobile users, and service
connections to your internal network resources (if applicable).
Internal communication within the cloud is established using dynamic
routing.
Service Connections—If your Prisma Access license includes
it, you have the option to establish IPSec tunnels to allow communication
between internal resources in your network and mobile users and
users in your remote network locations. You could, for example,
create a service connection to an authentication server in your
organization’s HQ or data center.
Even if you don’t require
a service connection, we recommend that you create one with
placeholder values to allow network communication between mobile
users and remote network locations and between mobile users in different
geographical locations.
Mobile Users—GlobalProtect—You select locations in
Prisma Access that function as cloud-based GlobalProtect gateways
to secure your mobile users. To configure this service, you designate
one or more IP address pools to
allow the service to assign IP addresses for the client VPN tunnels.
Mobile Users—Explicit Proxy—You can configure an Explicit
Proxy using a proxy URL and a Proxy Auto-Configuration (PAC) file.
The GlobalProtect app is not required to be installed on the users’
endpoints. The explicit proxy secures HTTP and HTTPS outbound internet
traffic for mobile users and allows you to retrofit and replace
an existing proxy set up. If your organization requires an explicit
proxy design for regulatory or auditing compliance, you can meet
those requirements using Prisma Access Explicit Proxy.
Remote Networks—Use remote networks to secure remote
network locations, such as branches, and users in those branches with
cloud-based next-generation firewalls. You can enable access to
the subnetworks at each remote network location using either static
routes, dynamic routing using BGP, or a combination of static and
dynamic routes. All remote network locations that you onboard are
fully meshed.
Multitenancy—If your organization requires that you
manage multiple Prisma Access instances, Prisma Access offers multitenancy,
which enables you to create up to 200 instances (tenants) on a single
Panorama appliance (or 2 appliances in high availability (HA) mode),
with each tenant having their own separate templates and template stacks, device groups, and access domains.
Prisma Access for Clean Pipe—The Prisma Access for
Clean Pipe service allows organizations that manage the IT
infrastructure of other organizations, such as service providers,
MSSPs, or Telcos, to quickly and easily protect outbound internet
traffic for their tenants.
Prisma Access forwards all logs to Strata Logging Service. You
can view the logs, ACC, and reports from Panorama for an aggregated
view into your remote network and mobile user traffic. To enable
logging for Prisma Access, you must purchase a Strata Logging Service
license. Log traffic does not use the licensed bandwidth you purchased
for Prisma Access.