Prisma Access (Panorama Managed)
Prisma Access (Panorama Managed) is a deployment option for Palo Alto Networks' Prisma Access, which allows customers to manage the solution using Panorama, Palo Alto Networks' centralized management console.
Panorama is used to manage and orchestrate Palo Alto Networks firewalls and security policies in large and complex multi-device environments.
Benefits of using Panorama are:
- Unified management
- Consistent security policies
- Simplified administration
- Enhanced visibility: Panorama provides an aggregated view of network security events and logs
Prisma Access (Panorama Managed): Overview
Traditional approach:
- The security perimeter traditionally has been aligned with the organisation’s perimeter firewall
- The Perimeter is Now Everywhere
- Multiprotocol Label Switching (or MPLS) is expensive.
- VPN solutions that backhaul traffic to the company’s headquarters, where applications can then be accessed, add unnecessary latency
- The traditional design for mobile users is a legacy solution that forces mobile user connections through the data centre to enforce Security policy
Problems With Traditional Security:
- Non-agile - new office locations and rapid changes to workplace environments (COVID) mean that locations and employees may be unsecured for a period of time while a VPN is configured or a firewall is added to the network.
- Security posture is inconsistent
- Complex and higher-cost, due to inconsistencies
- Poor user experience - users might be confused or frustrated using a VPN and a proxy at the same time which may result in the user avoiding the security policy altogether
SASE
SASE (Secure Access Service Edge) is a cloud-native security architecture that combines several different security technologies and services to provide a comprehensive security solution. Some of the components that make up a SASE solution include:
- Cloud access security brokers (CASB)
- Secure web gateways (SWG)
- Firewall as a service (FWaaS)
- Zero-trust network access (ZTNA)
- Secure DNS
- Data loss prevention (DLP)
- Identity and access management (IAM)
- Network traffic analysis (NTA)
Prisma SD-WAN is a cloud-based software-defined wide area network solution that provides secure and optimized access to applications and data over the internet and hybrid WAN.
- Headquarters, branch offices, and mobile users all access Prisma Access by establishing a connection via the network-as-a-service layer.
- After they connect, traffic then passes through the security-as-a-service layer to enforce policy and to prevent threats.
Prisma Access also offers a Clean Pipe service for companies that manage the IT infrastructure of other organisations.
Prisma SASE (Cloud-Managed Prisma Access) is a different product and implementation than Prisma Access (Panorama Managed)
Prisma Access (Panorama Managed) is an on-prem solution. Prisma SASE is a cloud-managed solution that includes Prisma Access (cloud managed) and Prisma SD-WAN, which are managed in different user interfaces.
^ a little confusing 😕
Let’s try to break this down:
- Prisma SASE is the overarching framework that combines various security functions (SWG, CASB, ZTNA, FWaaS)
- Prisma Access is a specific component of the broader Prisma SASE offering that focuses on providing SECURE REMOTE ACCESS
- The goal of Prisma Access is to deliver network security and connectivity for globally distributed users and branch offices through a multi-cloud, scalable architecture
Prisma Access provides the underlying connectivity for users to access various components of the Prisma SASE solution, including the Secure Web Gateway (SWG).
By leveraging Prisma Access, users can securely connect to Prisma SASE's cloud-delivered services, regardless of their geographic location.
Prisma Access creates a secure, encrypted tunnel from the user's device or branch office to the nearest Prisma SASE point of presence (PoP).
Once connected, the traffic is then subject to the different security functions offered by Prisma SASE.
Organizations can use Prisma Access as a standalone service to secure users' access to applications and enforce security policies.
Prisma Access addresses specific connectivity and security needs in the context of remote access, such as providing firewall-as-a-service (FWaaS), VPN connectivity, and zero-trust network access (ZTNA) but not the other security tools included with the SASE offering.
What about Panorama managed vs. Cloud managed?
Panorama: is a centralised management platform that allows organisations to manage multiple firewalls and security services from a single location, including on-prem firewalls.
*A Panorama deployment typically involves deploying a physical or virtual Panorama appliance
Cloud Managed: This deployment option uses the Prisma Access management console, which is a cloud-based management interface that is separate from Panorama. Administrators can manage the service from anywhere with an internet connection using a web browser.
The Prisma SD-WAN client, also known as the Prisma SD-WAN Edge, is a software-based endpoint that is installed on the organisation's branch office or remote location’s endpoints.
It acts as a gateway between the local network and the cloud, providing secure and optimised connectivity through the use of VPNs. It can also monitor network metrics, and uses network probes to actively measure the performance of routes and paths.
This sounds sort of like Prisma Access, no?
Well, the Prisma SD-WAN client and the Prisma Access client are two different software-based endpoints that are designed for different use cases. The Prisma SD-WAN client provides secure and optimised connectivity between the organisation's branch offices and the cloud, while the Prisma Access client provides secure access to cloud applications for end-users, regardless of their location.
Both the Prisma SD-WAN Edge client and the Prisma Access client can be installed on an endpoint at the same time
This can be useful in situations where an organisation wants to provide both secure and optimised connectivity between their branch offices and the cloud, as well as secure access to cloud applications for remote end-users.
Administrators can configure the clients to work together in a way that best meets the organisation's requirements, such as configuring the Prisma Access client to use the VPN connection provided by the Prisma SD-WAN Edge client.
I think basically, the SD-WAN client is really meant for office workers and offers optimised connectivity unlike Access, while the Access client is the newer version of this that was built specifically for remote workers to connect to the cloud - both have similarities but they serve different purposes within Prisma's suite of cloud security tools.
Prisma Access Definitions
Service Connections
You must configure a service connection and nodes to enable network communication between mobile users and remote network locations and between mobile users in different geographical locations.
Service connections are created using IPsec tunnels between the Prisma Access infrastructure and central sites that usually contain resources to which your remote network users and mobile users need access.
The service connections are not rate-limited and do not enforce the security policy.
The Service Connection is responsible for securely transmitting traffic between the customer's on-premises network and the Prisma Access cloud.
Corporate Access Nodes
Prisma Access deploys corporate access nodes (CANs) at locations with configured service connections.
Corporate Access Nodes act as a secure gateway between remote users or branch offices and the organisation's internal network, either a data centre or private cloud.
- A data centre resource cannot originate a connection to the internet over a service connection.
- If you want to enforce a Security policy on the service connection, the policy must be configured on the on-premises firewall that terminates the service connection.
Remote Networks
Remote Networks connect to offices that require connections to and from the internet, as well as Prisma Access.
Remote networks create a remote network security processing node (RN-SPN).
- Remote Networks are the branch offices or remote locations that need secure access to resources, while Service Connections are the encrypted connections between the on-premises network infrastructure and the Prisma Access cloud infrastructure that enable secure communication and consistent security policy enforcement.
Security Processing Nodes
Prisma Access deploys security processing nodes at compute locations with configured remote network connections.
Security processing nodes enforce security policies for all traffic that is initiated from the remote site, eliminating on-prem security devices.
- The network needs to be IPsec-compliant.
- NAT is enabled by default for all internet-bound user traffic without the need for explicit NAT policy rules.
Remote networks terminate on the customer’s network with an IPsec VPN tunnel the same way service connections do.
SUMMARY:
- Service Connections: These are secure, encrypted connections between an organisation's on-premises network infrastructure (e.g., data centre or private cloud) and the Prisma Access cloud infrastructure.
- Corporate Access Nodes: These are strategically located points of presence (PoPs) within the Prisma Access cloud infrastructure that provide secure access to an organisation's data centre or private cloud resources. Corporate Access Nodes act as secure gateways between remote users or branch offices and the organisation's internal network.
- Remote Networks: These refer to the branch offices or remote locations of an organisation that need secure access to internal resources and the internet - these remote networks create secure, encrypted connections between the branch offices and the Prisma Access cloud infrastructure.
- Security Processing Nodes: These are cloud-based instances of Palo Alto Networks' next-generation firewalls within the Prisma Access infrastructure.
Prisma Access integrates these components to provide a comprehensive security solution for organisations with remote users and branch offices. Service Connections link the on-premises network to the Prisma Access cloud, while Corporate Access Nodes and Remote Networks facilitate secure access to internal resources. Security Processing Nodes enforce security policies on all traffic, ensuring consistent protection across the entire organisation.
Prisma Access Portal
Holds the config for all GlobalProtect 🌍 users. GlobalProtect is a remote access VPN solution.
The GlobalProtect gateway has been renamed to MU-SPN.
GlobalProtect consists of two main components:
- GlobalProtect Gateway: The gateway is a Palo Alto Networks next-generation firewall (NGFW) that is configured to provide VPN access to remote users. It is responsible for authenticating users, establishing secure VPN tunnels, and enforcing security policies on the traffic from remote users.
- GlobalProtect App: The app is a client software installed on the remote users' devices, such as laptops, smartphones, or tablets. It connects to the GlobalProtect Gateway and establishes a secure VPN tunnel, allowing users to access the organisation's resources securely.
- GP 🌍 offers device posture checking, split tunnelling, and MFA.
MU-SPN is the termination point for mobile user VPN tunnels to connect to Prisma Access.
Service Infrastructure Subnet
Prisma Access uses the infrastructure subnet to create the network backbone for communication between your remote networks and mobile users.
Changing the service infrastructure subnet is potentially difficult; as a result, plan thoroughly before creating it within Prisma Access.
Small Networks
Small networks with less than 50 sites and 2,500 mobile users may consider a /24 subnet.
Midsized Networks
Midsized networks with less than 100 sites and less than 5,000 mobile users should consider a /23 subnet.
If a customer has more than 100 sites, the customer should consult with Palo Alto Networks to ensure that the service infrastructure /23 subnet is sufficient.
Bandwidth
- A compute location is a cloud location where your RN-SPNs, SC-CANs, and MU-SPNs are hosted.
- Several locations or onboarded remote networks may share one compute location.
- Many remote networks can share one bandwidth pool.
- This ability to share from one bandwidth pool gives you a more efficient way to allocate bandwidth to remote networks.
Allocation:
During the initial onboarding of a location, you will be prompted for the compute location bandwidth allocation. This bandwidth pool will then be available for all RN-SPNs associated with that compute location.
Cloud Secure Web Gateway (SWG)
Available with Prisma Access version 2.0 and later, the Prisma Access secure web gateway (SWG) is an explicit proxy connection method within Prisma Access. It auto-scales.
It accepts proxy connections via a PAC file; SAML authentication is currently supported.
SWG uses cookies to maintain the user's authenticated state.
SSL decryption is required to validate that the user is authenticated.
This method could be used to migrate a legacy proxy-based server (e.g., IronPort) so that it forwards to Prisma SWG.
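As an added example (not from these notes and not Palo Alto Networks' code), a PAC file of the kind the explicit-proxy method accepts: internet-bound requests go to the SWG, while internal destinations already inside the trusted zone stay direct. The proxy address and the internal domain are assumed placeholders.

```javascript
// Added example, not Palo Alto Networks' code: a PAC file for the Prisma Access
// explicit-proxy (Cloud SWG) connection method. PRISMA_SWG and the internal
// domain are placeholders; take the real values from the tenant's proxy settings.
var PRISMA_SWG = "PROXY explicit-proxy.tenant.example:8080";

// Minimal versions of the standard PAC helpers so this file can be unit-tested
// in Node. Browsers and other PAC runtimes supply their own; the typeof guards
// leave those untouched when the file is loaded as a real PAC.
if (typeof isPlainHostName !== "function") {
  globalThis.isPlainHostName = function (host) { return host.indexOf(".") === -1; };
}
if (typeof dnsDomainIs !== "function") {
  globalThis.dnsDomainIs = function (host, domain) {
    return host.length >= domain.length && host.slice(-domain.length) === domain;
  };
}
if (typeof isInNet !== "function") {
  globalThis.isInNet = function (ip, pattern, mask) {
    var toInt = function (a) {
      if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(a)) return null; // not a literal IPv4
      var p = a.split(".");
      return ((+p[0] << 24) | (+p[1] << 16) | (+p[2] << 8) | +p[3]) >>> 0;
    };
    var i = toInt(ip), n = toInt(pattern), m = toInt(mask);
    return i !== null && n !== null && m !== null && ((i & m) >>> 0) === ((n & m) >>> 0);
  };
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Loopback and single-label hosts never leave the machine or the local site.
  if (host === "localhost" || host === "127.0.0.1" || isPlainHostName(host)) {
    return "DIRECT";
  }
  // Internal apps reached over the service connection or remote network tunnel
  // are already in the Prisma Access trusted zone, so no proxy hop is needed.
  if (dnsDomainIs(host, ".corp.example.internal")) {
    return "DIRECT";
  }
  // Literal RFC 1918 addresses are also on-net. No dnsResolve() here: a DNS
  // lookup inside a PAC stalls the browser on every request.
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything internet-bound goes through the SWG, where SSL decryption and
  // the authentication-cookie check happen. Deliberately no "; DIRECT" fallback:
  // a proxy outage must fail closed rather than silently bypass inspection.
  return PRISMA_SWG;
}
```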
Palo Alto Networks Hub
The Palo Alto Networks Hub provides access to all cloud applications, including the Prisma Access management tools and add-ons needed for deployment. It also allows you to view forensics to troubleshoot your Prisma Access environment.
The Hub includes the following management tools and add-ons:
- Cloud Identity Engine
- Directory Sync Service
- Prisma Access app (cloud-based management)
- Prisma Access Insights
- ADEM
- Alerts Management
- Log Viewer
- Cortex Data Lake
- Enterprise DLP
- Lifecycle Security Review
- Prisma SaaS
- Prisma SD-WAN
The SASE Portal Page
The SASE portal provides direct access to the console in which Prisma SASE (Cloud Managed) functions are managed.
How to get there:
Trusted and Untrusted Zones
Prisma Access classifies traffic as trusted or untrusted.
Internal traffic that does not reach the public internet is in the trusted zone for both the source and destination.
Traffic coming from or going to the internet references the untrusted zone.
Prisma Access Components
Cortex Data Lake (CDL) is a scalable logging infrastructure that alleviates the need to plan and deploy log collectors to meet log retention needs.
Prisma Access must be configured to forward logs to the Cortex Data Lake. Other Palo Alto Networks products and services, such as the NGFW and Cortex XDR, can also send logs to the CDL.
Cortex XDR combines endpoint, network, and cloud data to prevent and respond to advanced cyber threats.
PA Cloud-Based management tool
The Prisma Access cloud-based management tool supports customers that require management that is specific to Prisma Access.
- The Prisma SASE (cloud-based management tool) allows configuration of all main Prisma Access components (service connections, remote networks, explicit proxy, and mobile users).
- It does not port objects or rules that may be in an existing Panorama into Prisma Access.
- You cannot switch back and forth between Prisma Access (Panorama Managed) and Prisma SASE to manage a Prisma Access environment.
Are you already a Palo Alto customer? Do you already have policies set up on on-premises devices? Then you should use Prisma Access (Panorama Managed) to manage your access.
Are you a new customer that has no Palo Alto on-premise firewalls? You should be able to use Prisma Access Cloud Managed.
Deployment of Panorama appliances in a high availability (HA) configuration provides redundancy if a system or network fails.
Configure the Panorama appliances in HA after you purchase the Prisma Access and Cortex Data Lake auth codes and components.
Before you activate and install Prisma Access, associate the serial number of the primary Panorama appliance on which you plan to install the Cloud Services plugin with the auth codes.
*Panorama appliance can be deployed both physically on-premises as a hardware appliance or virtually in the cloud as a virtual machine*
Mobile Users Licenses
Prisma Access for mobile users requires the GlobalProtect application on each supported endpoint.
Tiers range from 200 users to more than 50,000 users.
Mobile user count is not strictly enforced.
Unique users over 90 days are tracked.
Remote Networks License
Bandwidth is divided among remote network locations.
Packaging Overview
Note: You receive up to five locations for Prisma Access Local Edition, 100+ locations for Prisma Access Worldwide Edition.
Features / Tiers:
Customer Success options:
Shared Ownership:
A Completed Implementation
- A service connection is built to the data centre to service requests such as authentication to a domain controller.
- Remote networks are connected to Prisma Access via an industry-standard IPsec VPN-capable device.
- Mobile users connect to Prisma Access using the GlobalProtect application that is installed on their devices.
- A service connection is onboarded, which will provision a corporate access node (SC-CAN) and provide connectivity to the data centre.
- When mobile users are onboarded, one or more security processing nodes (MU-SPN) will be provisioned, depending on the number of mobile users.
- When remote networks are onboarded, they will provision multiple remote network security processing nodes (RN-SPNs).
Q: Which option lists the three prerequisites that are required for deploying Prisma Access?
A: Remote Networks license, Mobile Users license, service connections
Q: What is the maximum number of service connections that are included?
A: 5
This document provides an overview of Prisma Access, a cloud-based security service that offers firewall-as-a-service, VPN connectivity, and zero-trust network access. The document explains the different components of Prisma Access, including service connections, corporate access nodes, remote networks, and security processing nodes, and describes how they work together to provide a comprehensive security solution for remote users and branch offices. The document also discusses the differences between Panorama managed and cloud-managed Prisma Access, and provides information on licensing, bandwidth allocation, and deployment options.