Prisma Access provides secure access to applications and resources hosted in public clouds like AWS and Azure. There are a few key requirements to access Prisma Access:
Get a Prisma Access License
You need to purchase a Prisma Access license from Palo Alto Networks or an authorized reseller. The license enables access to the Prisma Access cloud service. There are two main license options:
- Prisma Access: Provides access to Prisma Access only
- Prisma Access with Cortex Data Lake: Adds Cortex Data Lake for advanced analytics and reporting
Choose a Deployment Model
Prisma Access is available as a cloud-delivered service or as a virtual appliance (VM-Series) that can be deployed on-premises:
- Cloud-delivered: Prisma Access is hosted and managed by Palo Alto Networks in the cloud. No on-premises footprint required.
- Virtual appliance: The VM-Series runs on-premises to locally inspect traffic and connect to the Prisma Access cloud service. Provides an additional layer of security.
Select the Right Capacity
Prisma Access is licensed based on capacity. Available capacities include:
- 1 Gbps
- 2 Gbps
- 5 Gbps
- 10 Gbps
Choose the capacity that matches your expected bandwidth usage.
Configure the Prisma Access Infrastructure
Once you have a Prisma Access license, you can start setting up the infrastructure. This involves:
- Configuring the Prisma Access portal
- Setting up CloudBlades for desired capabilities like firewall, DNS security, etc.
- Deploying connectors in branch offices to locally break out traffic
- Onboarding mobile users
Set Up the Prisma Access Portal
The Prisma Access portal allows you to manage the service. You can access it at https://access.paloaltonetworks.com. Follow these steps:
- Log in with the credentials provided when you purchased Prisma Access.
- Accept the terms of use.
- Set up a local administrator account.
- Configure system settings like time zone and NTP.
Deploy CloudBlades
CloudBlades provide network security capabilities like the following:
- Firewall
- DNS security
- Data loss prevention
- Threat prevention
Enable the CloudBlades you require for your environment. You can deploy multiple CloudBlades.
Install Connectors
Connectors locally break out traffic to Prisma Access in branch offices. You need to deploy connectors in each office. Steps include:
- Install the connector software on a server or virtual appliance.
- Configure the connector with the Prisma Access portal credentials.
- Connect the LAN and WAN interfaces.
The connectors will securely tunnel traffic to Prisma Access for inspection and routing.
Onboard Mobile Users
To support remote users, install the Prisma Access Mobile User Protection software on their devices. This registers users with Prisma Access for secure remote access.
Configure Network Policies
With the infrastructure in place, you can start configuring network security policies, such as:
- Access control rules
- Threat prevention profiles
- Data filtering
- DNS security policies
Apply policies based on your security requirements to protect access to cloud and internet destinations.
Access Control Rules
Access control rules allow or block traffic between users, branches, mobile users, and cloud/internet destinations. For example:
- Allow finance users access to Office 365 and Salesforce
- Block guest Wi-Fi users from internal applications
Threat Prevention Profiles
Threat prevention profiles inspect traffic for known threats and block suspicious activity. Customize profiles for groups like:
- Default (for all traffic)
- Internet browsing
Enable protections like anti-malware, vulnerability protection, spyware blocking, and more.
Data Filtering
Create data filtering policies to control access to websites and web content. For example:
- Allow engineering team unrestricted access
- Block malicious, gambling, or adult content for all users
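The access control and data filtering rules above are both first-match rules evaluated top to bottom, and the order decides what happens when two rules overlap (here the content block for all users is placed above the unrestricted engineering rule, so it wins). The following is an added illustration, not code from the page or from Palo Alto Networks: a small policy evaluator with a constructed rulebase and constructed sessions. Rule names, group names, application names and URL categories are all assumptions chosen to mirror the examples in the text; the real Prisma Access rulebase has many more match fields.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Rule:
    """One policy rule. An empty match set means 'any'."""
    name: str
    action: str                                   # "allow" or "block"
    src_groups: set = field(default_factory=set)  # user groups (constructed)
    apps: set = field(default_factory=set)        # application ids (constructed)
    url_categories: set = field(default_factory=set)

    def matches(self, session: dict) -> bool:
        return ((not self.src_groups or session["group"] in self.src_groups)
                and (not self.apps or session["app"] in self.apps)
                and (not self.url_categories
                     or session["category"] in self.url_categories))

# Constructed rulebase, evaluated in order. The content block sits first so that
# "for all users" really means all users, including the engineering group.
RULES = [
    Rule("block-bad-content", "block",
         url_categories={"malware", "gambling", "adult"}),
    Rule("block-guest-internal", "block",
         src_groups={"guest-wifi"}, apps={"internal-erp", "internal-wiki"}),
    Rule("allow-finance-saas", "allow",
         src_groups={"finance"}, apps={"office365", "salesforce"}),
    Rule("allow-eng-web", "allow", src_groups={"engineering"}),
    Rule("allow-general-web", "allow", apps={"web-browsing", "office365"}),
]

def evaluate(session: dict, rules=RULES):
    """Return (rule_name, action) for the first matching rule.
    Anything no rule matches falls through to an implicit default deny."""
    for rule in rules:
        if rule.matches(session):
            return rule.name, rule.action
    return "default-deny", "block"

def hit_counts(sessions, rules=RULES) -> Counter:
    """Per-rule hit counter, the same view a 'policy hits' dashboard gives:
    a rule that never matches is a candidate for cleanup, and a busy
    default-deny means traffic you have not explicitly decided on."""
    return Counter(evaluate(s, rules)[0] for s in sessions)

if __name__ == "__main__":
    # Constructed sessions
    sample = [
        {"group": "finance", "app": "salesforce", "category": "business"},
        {"group": "guest-wifi", "app": "internal-erp", "category": "private"},
        {"group": "engineering", "app": "web-browsing", "category": "gambling"},
        {"group": "contractor", "app": "ssh", "category": "unknown"},
    ]
    for s in sample:
        print(s["group"], s["app"], "->", evaluate(s))
    print(hit_counts(sample))
```

Because evaluation stops at the first match, reordering `RULES` changes the outcome for overlapping traffic; the `hit_counts` view is the quickest way to see whether a newly inserted rule is shadowing the ones below it.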
DNS Security
DNS security policies protect your users by blocking known malicious domains, preventing data exfiltration, and filtering adult content.
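The three DNS security behaviours named above (blocking known malicious domains, preventing data exfiltration over DNS, filtering adult content) can be illustrated with a small defender-side query screener. This is an added example, not code from the page or from the product: the blocklist, category list, query names and the exfiltration thresholds are constructed assumptions, and the exfiltration check is a generic length-and-entropy heuristic rather than whatever Prisma Access uses internally.

```python
import math
from collections import Counter

# Constructed feeds; a production service consumes far larger threat and category lists.
MALICIOUS_DOMAINS = {"bad-updates.example", "c2-beacon.example"}
ADULT_DOMAINS = {"adult-site.example"}

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded data in a label scores high, words score low."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Last two labels of the query name (a simplification: no public-suffix list)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])

def looks_like_exfil(qname: str, max_label: int = 40, min_entropy: float = 3.5) -> bool:
    """Heuristic for data smuggled into subdomains: a single very long label, or a
    long high-entropy subdomain part. One query is a signal, not proof; the
    thresholds are assumptions chosen for this example."""
    labels = qname.rstrip(".").lower().split(".")
    sub_labels = labels[:-2]
    if not sub_labels:
        return False
    longest = max(len(label) for label in sub_labels)
    sub = "".join(sub_labels)
    return longest > max_label or (len(sub) > 50 and shannon_entropy(sub) > min_entropy)

def classify(qname: str) -> str:
    """Verdict for one query, in the order a DNS security policy would apply them:
    known-bad first, then category filtering, then the exfiltration heuristic."""
    base = registered_domain(qname)
    if base in MALICIOUS_DOMAINS:
        return "sinkhole-malicious"
    if base in ADULT_DOMAINS:
        return "block-adult"
    if looks_like_exfil(qname):
        return "alert-possible-exfil"
    return "allow"

if __name__ == "__main__":
    # Constructed sample queries
    for q in ["mail.google.com",
              "update.bad-updates.example",
              "www.adult-site.example",
              "9f8e7d6c5b4a39281706f5e4d3c2b1a09f8e7d6c5b4a3928.data.tunnel.example"]:
        print(q, "->", classify(q))
```

A verdict of `alert-possible-exfil` should feed a count over time per source and per registered domain; a steady stream of long random-looking labels to one domain is the pattern worth investigating, while a single hit is usually a CDN or telemetry name.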
Connect to Cloud and SaaS Applications
With policies enforced, you can enable access to authorized cloud and SaaS applications like:
- Office 365
- Salesforce
- Box
- G Suite
- AWS
- Azure
Prisma Access supports any application over HTTPS/TLS. Connections are secured via the connectors and Prisma Access infrastructure.
Set Up a Virtual Private Network
For access to private applications in IaaS environments like AWS and Azure, set up an IPsec VPN from Prisma Access:
- Deploy a gateway instance in AWS or Azure.
- Configure the gateway to accept IPsec tunnels.
- Set up the VPN tunnel from Prisma Access to the virtual network.
Traffic accessing the virtual network is encrypted via the VPN tunnel.
Manage and Monitor the Solution
Prisma Access includes comprehensive management and monitoring capabilities through the portal. You can:
- View network activity and traffic logs
- Monitor network performance and health
- Check the status of connected branches and mobile users
- Troubleshoot issues and generate reports
Check Network Activity
Monitor network activity using:
- Traffic logs – View detailed logs for security, networking, and system events.
- App Dashboard – Get insights on application usage and traffic.
- Policies – Check policy hits for access control rules, data filtering, DNS security, etc.
Monitor Performance and Health
Keep tabs on the health of Prisma Access using:
- Network Summary – Check bandwidth, sessions, and throughput.
- Alerts – Get alerts for issues like high CPU or connection failures.
- SLA Dashboard – Validate performance against contractual SLAs.
Troubleshooting Tools
Troubleshoot issues with tools like:
- Ping/traceroute – Validate network connectivity and paths.
- Packet capture – Inspect packet-level activity.
- IPsec VPN status – Verify encryption tunnels.
- System logs – Analyze system logs and events.
Generate troubleshooting reports to send to Palo Alto Networks TAC if required.
Best Practices for Prisma Access
Follow these best practices when deploying and managing Prisma Access:
- Autoscaling – Enable autoscaling to dynamically adjust capacity based on usage.
- High availability – Use multiple connectors per branch for redundancy.
- Updates – Regularly apply Prisma Access software updates.
- Backups – Back up configurations periodically.
- Capacity planning – Monitor usage trends and plan upgrades.
Autoscaling
Autoscaling automatically scales Prisma Access capacity up or down based on traffic demands. This provides flexibility to adapt to changing requirements.
High Availability
Deploying two connectors per branch provides failover in case one connector goes down. Keep connectors on separate subnets for redundancy.
Updates
Regularly apply Prisma Access software updates to get the latest features, performance enhancements, and security fixes.
Backups
Take periodic backups of your Prisma Access configuration. This allows you to restore quickly in case of issues.
Capacity Planning
Analyze usage trends regularly and upgrade your Prisma Access license before hitting capacity limits. This avoids performance issues.
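The capacity-planning advice above amounts to projecting a usage trend against the licensed tier and acting before the line is crossed. As an added example (not from the page or the vendor), the following fits a least-squares line to weekly peak throughput readings and reports how many weeks remain until a planning threshold, then names the next tier from the capacity list given earlier on this page. The sample readings, the 80% headroom threshold and the weekly sampling interval are constructed assumptions.

```python
# Capacities listed on the page, in Mbps
LICENSE_TIERS_MBPS = [1000, 2000, 5000, 10000]

# Constructed weekly peak throughput readings (Mbps), oldest first
SAMPLES_MBPS = [520, 540, 575, 590, 630, 655, 690, 720]

def linear_fit(ys):
    """Least-squares slope and intercept with x = 0, 1, 2, ... (one unit per sample)."""
    n = len(ys)
    xs = range(n)
    mean_x = sum(xs) / n
    mean_y = sum(ys) / n
    sxx = sum((x - mean_x) ** 2 for x in xs)
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in zip(xs, ys))
    slope = sxy / sxx
    return slope, mean_y - slope * mean_x

def weeks_until(threshold_mbps, ys):
    """Weeks from the latest sample until the trend reaches the threshold.
    None when usage is flat or falling; 0.0 when the threshold is already exceeded."""
    slope, intercept = linear_fit(ys)
    if slope <= 0:
        return None
    crossing = (threshold_mbps - intercept) / slope   # in sample units from x = 0
    return max(0.0, crossing - (len(ys) - 1))

def plan(licensed_mbps, ys, headroom=0.8):
    """Planning summary: threshold is a fraction of the licensed capacity so the
    upgrade is ordered while there is still headroom, not at the hard limit."""
    threshold = licensed_mbps * headroom
    weeks = weeks_until(threshold, ys)
    next_tier = next((t for t in LICENSE_TIERS_MBPS if t > licensed_mbps), None)
    return {
        "threshold_mbps": threshold,
        "weeks_to_threshold": None if weeks is None else round(weeks, 1),
        "next_tier_mbps": next_tier,
    }

if __name__ == "__main__":
    print(plan(1000, SAMPLES_MBPS))
```

With the constructed readings the trend climbs roughly 29 Mbps per week, so a 1 Gbps tier reaches the 80% mark in about three weeks, well inside the time it takes to procure and apply a license change; a flat or falling trend returns `None` rather than a misleading number.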
Prisma Access APIs and Integrations
Prisma Access provides APIs and integrations with other solutions to streamline management and security:
- REST APIs – Automate configuration and administration.
- Panorama – Manage Prisma Access policies via the Panorama management plane.
- Cortex Data Lake – Stream logs to Cortex Data Lake for analytics and forensics.
- Autopilot – Automate Prisma Access deployments with Autopilot.
REST APIs
Prisma Access includes comprehensive REST APIs to automate configuration, deployment, and monitoring. APIs are available for tasks like:
- Provisioning sites and users
- Pushing policies
- Retrieving traffic logs
- Generating reports
Automate repetitive tasks by integrating Prisma Access APIs into your systems.
Panorama Integration
Manage Prisma Access security policies via Panorama to streamline administration. Panorama acts as the central management plane.
Cortex Data Lake
Integrate Prisma Access with Cortex Data Lake to enrich security analytics. Logs and metadata are streamed from Prisma Access to Cortex Data Lake for analysis.
Prisma Access Autopilot
Autopilot provides pre-defined packages to automate deployments of Prisma Access and connectors. Pick a package and the deployment is automated end-to-end.
Conclusion
Prisma Access makes it fast and easy to securely connect users to the cloud and SaaS applications. By following the best practices outlined, you can deploy Prisma Access to enable productivity while protecting your network.
Leverage the management portal to monitor performance, troubleshoot issues, and ensure policies are providing intended security. Consider integrating with tools like Panorama and Cortex Data Lake to further streamline operations.
With its flexible deployment models, rich feature set, and scalable architecture, Prisma Access is the ideal solution to secure access in today’s cloud-first world.