Prisma Access Panorama Admin (Panorama Managed)
© 2017-2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Last Revised: November 18, 2020
Prisma Access Overview
Read the following section for an overview of what Prisma Access is, how it can secure your
organization’s resources, and who owns and manages the infrastructure and network components.
Prisma Access
As your business expands globally with new remote network locations popping up around the globe and
mobile users roaming the world, it can be challenging to ensure that your business remains connected and
always secure. Prisma Access (formerly GlobalProtect Cloud Service) uses a cloud-based infrastructure,
allowing you to avoid the challenges of sizing firewalls and compute resource allocation, minimizing
coverage gaps or inconsistencies associated with your distributed organization. The elasticity of the
cloud scales as demand shifts and traffic patterns change. The cloud service operationalizes next-
generation security deployment to remote networks and mobile users by leveraging a cloud-based security
infrastructure managed by Palo Alto Networks. The security processing nodes deployed within the service
natively inspect all traffic in order to identify applications, threats, and content. Prisma Access provides
visibility into the use of SaaS applications and the ability to control which SaaS applications are available to
your users.
With Prisma Access, Palo Alto Networks deploys and manages the security infrastructure globally to secure
your remote networks and mobile users. Prisma Access is comprised of the following components:
• Cloud Services Plugin—Panorama plugin that enables both Prisma Access and Cortex Data Lake.
This plugin provides a simple and familiar interface for configuring and viewing the status of Prisma
Access. You can also create Panorama templates and device groups, or leverage the templates and
device groups you may have already created, to push configurations and quickly enforce consistent
security policy across all locations.
• Service Infrastructure—Prisma Access uses an internal service infrastructure to secure your
organization’s network. You supply a subnet for the infrastructure, and Prisma Access uses the IP
addresses within this subnet to establish a network infrastructure between your remote network
To see the features that Prisma Access supports, see What features does Prisma Access
support?
Prisma Access uses a shared ownership model. Palo Alto Networks manages the underlying security
infrastructure, ensuring it is secure, resilient, up-to-date and available to you when you need it. Your
organization’s responsibility is to onboard locations and users, push policies, update them, query logs, and
generate reports.
Your organization manages the following components of the security infrastructure:
• Users—You manage the onboarding of mobile users.
• Authentication—You manage the authentication of those users.
• Mobile device management (MDM)—You can control your organization's mobile devices that are
protected with Prisma Access using your own MDM software.
• Panorama and Cloud Services plugin—You make sure that the Panorama on which the Cloud Services
plugin is installed is running a Panorama version that supports the Cloud Services plugin. In addition, you
upgrade the Cloud Services plugin in Panorama after we inform you that a new plugin is available.
• Policy creation and management—You plan for and create the policies in Panorama to use with Prisma
Access.
• Log analysis and forensics—Prisma Access provides the logs, you provide the analysis and reporting,
using integrated tools provided by us or by another vendor.
• On-premises security—You provide the on-premises security between micro-segmentations of your on-premises
network. In some deployments, you can also direct all traffic to be secured with Prisma Access.
• Networking—You provide the network connectivity to Prisma Access.
• Monitoring—You monitor the on-premise network’s status.
• Service Connectivity—You provide the connectivity to the Prisma Access gateway for mobile users (for
example, provide an ISP), and you also provide the on-premise devices used as the termination points for
the IPSec tunnels used by service connections and remote network connections.
• Onboarding—You onboard the mobile users, HQ/Data center sites, and branch sites.
Palo Alto Networks manages the following parts of the security infrastructure:
• Prisma Access
• Cortex Data Lake—We manage the delivery mechanism for logs.
• Content updates—We manage the updating of the Prisma Access infrastructure, including PAN-OS
updates. For your mobile users, Prisma Access hosts several versions of the GlobalProtect app and you
can select the active GlobalProtect app version from that list.
• Fault tolerance—We manage the availability of the service.
• Auto scaling—We automatically scale the service when you add service connections or remote
networks, or when additional mobile users log in to one or more gateways in a single region.
• Provisioning—We provision the infrastructure with everything that is required.
• Service monitoring—We monitor the service status and keep it functioning.
You can retrieve the status of all cloud services, including Prisma Access and Cortex Data
Lake, along with a historical record of the uptime of each service, by accessing the
https://status.paloaltonetworks.com/ website. You can also sign up for email or text message
updates at this site to be notified in advance when infrastructure updates are planned, and
for real-time notifications when updates occur and when Palo Alto Networks creates, updates,
or resolves an incident.
Release Definitions
The following list defines scheduled and unscheduled releases, along with the advance notification we
provide you for each release. To make sure that you receive notifications for all releases, register for email
or text notifications for Prisma Access at the https://status.paloaltonetworks.com/ website.
• Scheduled Release—Prisma Access divides scheduled releases into major and minor releases.
• Major Release—A major release typically includes significant new features and optimizations that
require a maintenance window.
Notification—Palo Alto Networks provides you with a notification 21 days before a major release,
including a feature preview document that lists features that are available with the release and any
changes to default behavior.
• Minor Release—A minor release includes incremental features and optimizations. In some cases, Palo
Alto Networks may combine a hotfix with a minor release.
Upgrade Types
Palo Alto Networks upgrades its cloud-based infrastructure without any intervention required from you.
Some upgrades require that you perform an action, such as install a new plugin.
The following list includes the different types of scheduled and unscheduled upgrades for Prisma Access:
• Infrastructure Upgrade—Palo Alto Networks upgrades the Prisma Access infrastructure, which includes
the underlying service backend, orchestration, and monitoring infrastructure.
• Dataplane Upgrade—Palo Alto Networks upgrades the Prisma Access dataplane that enables traffic
inspection and security policy enforcement on your network and user traffic.
• Cloud Services Plugin Upgrade—Your network administrator will need to upgrade the Cloud Services
plugin on the Panorama appliance that manages Prisma Access.
• Panorama Software Upgrade—A Panorama software upgrade might be required to ensure compatibility
with Prisma Access; see Prisma Access and Panorama Version Compatibility.
The following table shows you what is included with each release, including the maintenance window we
provide and any impact to your Prisma Access service.
Infrastructure Upgrade
Maintenance Window: 2-8 hours (always required) | 2-8 hours (always required) | 2-8 hours (if required)
Impact: Palo Alto Networks uses this window to upgrade the dataplane for all customers. You can make
configuration changes and commits during this window. Our goal is to minimize impact to network
traffic, but in some cases there may be a brief interruption. Palo Alto Networks schedules the
upgrades at a local time that is minimally disruptive to business functions.
The Panorama upgrade is required, regardless of the Cloud Services plugin version you are running at the
end-of-support date. You cannot continue using an earlier version of the Cloud Services plugin with an
earlier, unsupported Panorama version.
Cloud Services plugin version | Available after the plugin release. | No | You perform the tasks to
upgrade the plugin. See Prisma Access Scheduled and Unscheduled Upgrades for details about when
Prisma Access updates its plugin version. See Upgrade the Cloud Services Plugin to upgrade the
plugin in the Panorama appliance.
Antivirus protection | Every hour, 10 minutes after the hour | Yes | Prisma Access is always
up-to-date with the latest Antivirus release.
The System Status page also provides you information about your current Panorama
version, Cloud Services plugin version, and dataplane version. You can receive notifications
and alerts on this page when plugin or Panorama versions become end of support (EoS) for
use with Prisma Access. See Notifications and Alerts for Panorama, Cloud Services Plugin,
and PAN-OS Dataplane Versions for details.
If your currently-active version is end-of-life, Prisma Access notifies you and requests that you activate a
supported version.
You can select different GlobalProtect versions in a multi-tenant deployment. The GlobalProtect app
version settings you apply are per tenant and not global; you control the app version on a per-tenant basis.
You can replace the current active version with another hosted version from the Service Setup page by
completing the following steps.
STEP 1 | Select Panorama > Cloud Services > Configuration > Service Setup.
STEP 2 | Select Activate new GlobalProtect App version and compare it to the active GlobalProtect
version.
After the app has been activated, you receive a success message.
STEP 4 | Select the Agent tab and select the app configuration.
STEP 6 | In the App Configurations area, select a choice in Allow User to Upgrade GlobalProtect App to
specify whether mobile users can upgrade their GlobalProtect app version to the active version
that is hosted on Prisma Access and, if they can, whether they can choose when to upgrade:
• Allow with Prompt (default)—Prompt users when a new version is activated and allow users to
upgrade their software when it is convenient.
• Disallow—Prevent users from upgrading the app software.
• Allow Manually—Allow users to manually check for and initiate upgrades by selecting Check Version
in the GlobalProtect app.
• Allow Transparently—Automatically upgrade the app software whenever a new version becomes
available on the portal.
• Internal—Automatically upgrade the app software whenever a new version becomes available on the
portal, but wait until the endpoint is connected internally to the corporate network. This prevents
delays caused by upgrades over low-bandwidth connections.
STEP 1 | If you have not yet created it, create a user group for the first group of users to which you
want to roll out the GlobalProtect app update.
STEP 2 | Create a new GlobalProtect agent configuration to use for the first group of users.
1. In Panorama, select Network > GlobalProtect > Portals.
2. Select the Mobile_User_Template from the Template drop-down.
3. Select GlobalProtect_Portal to edit the Prisma Access portal configuration.
4. Select the Agent tab.
5. Select the DEFAULT configuration and Clone it.
You can also Add a new configuration, but cloning the existing configuration copies over the
required information for the new configuration.
6. Specify a Name for the configuration.
STEP 3 | Select Move Up to move your configuration above the default configuration.
When an app connects, the portal compares the source information in the packet against the agent
configurations you have defined. As with security rule evaluation, the portal looks for a match starting
from the top of the list. When it finds a match, it delivers the corresponding configuration to the app.
STEP 5 | When you want to let the rest of the users update their apps, change Allow User to Upgrade
GlobalProtect App in the DEFAULT configuration to a selection that allows it (either Allow
with Prompt or Allow Transparently).
The Service Setup page provides you with the following information:
Area | Description
Panorama Alert | Displays the current Panorama version that you are running. The Upgrade
requirements area provides you with information about Panorama versions, including dates when
currently compatible Panorama versions reach their end of support (EoS) dates for managing Prisma
Access. Use this information to plan your Panorama upgrade in advance of its EoS date.
Plugin Alert | Displays the current Cloud Services plugin that is installed on the Panorama that
manages Prisma Access. The Upgrade requirements area provides you with dates when the next plugin
version will be released, the deadline for upgrading to the next plugin, and the date when you will
GlobalProtect App Activation | Displays the currently running (active) version of the GlobalProtect
app that mobile users can download from the Prisma Access portal, and shows you the available
GlobalProtect app versions to which you can upgrade. See Select the Active GlobalProtect App Version
for details.
Dataplane PAN-OS version | Displays the current PAN-OS version that your dataplane is running. The
dataplane is the component of the Prisma Access infrastructure that enables traffic inspection and
security policy enforcement on your network and user traffic.
If Prisma Access has scheduled a dataplane upgrade, it displays in this area, along with the date
for which it is scheduled. If you want to cancel this upgrade, you can cancel the scheduled upgrade
from this area.
Share/Delete Contact Information | Allows you to share contact information (Company name, contact
name, email, and phone number) so that you can be contacted about Palo Alto Networks service
upgrades.
If you have previously entered contact information, you can delete the information you entered in
this area.
Do not use any of the following special characters in the contact information area:
• " (Double quotes)
• ' (Apostrophe)
• < (less than sign)
• > (greater than sign)
• & (ampersand)
This section describes the licenses that were available before November 17, 2020; for an
overview of the licenses that are available after November 17, 2020, see the Prisma Access
1.8 Administration Guide.
The 1000 Mbps bandwidth option is in preview mode. The throughput during preview is
delivered on a best-effort basis and the actual performance will vary depending upon the
traffic mix. The 500 Mbps option supports SSL decryption, but Palo Alto Networks does
not guarantee 500 Mbps of throughput if it is enabled.
To accommodate traffic peaks, the service allows you to go 10% over the allocated bandwidth for each site;
traffic overages above this peak limit are dropped. See How to Calculate Remote Network Bandwidth for
more details about the correct bandwidth to specify for your remote network.
A remote network’s bandwidth speed is enforced equally in both directions. If you assign a remote
network 50 Mbps of bandwidth, then 55 Mbps (50 Mbps plus the 10% overage allocation) is enforced
for both ingress and egress traffic. If you have an asymmetric internet connection (which is a common
deployment), you should specify the higher of the two values to fully utilize the circuit.
• Prisma Access for Users (formerly GlobalProtect Cloud Service for Mobile Users)—You license Prisma
Access for mobile users based on number of users, with tiers from 200 users to more than 50,000 users.
Prisma Access for mobile users requires the GlobalProtect app on each supported endpoint. Though
there is no strict policing of the mobile user count, the service does track the number of unique users
over the last 90 days to ensure that you have purchased the proper license tier for your user base, and
stricter policing of user count may be enforced if continued overages occur.
• Prisma Access for Clean Pipe—The Prisma Access for Clean Pipe service allows organizations that
manage the IT infrastructure of other organizations, such as service providers, MSSPs, or Telcos, to
quickly and easily protect outbound internet traffic for their tenants.
Prisma Access for Clean Pipe uses its own license and has its own requirements. However, it requires
the same Panorama and Cortex Data Lake licenses as the other Prisma Access products described in this
section.
When a Prisma Access license expires, you can still use the service and collect logs
for 15 days after license expiration. You cannot make changes to configuration. Prisma
To learn about events that cause Prisma Access IP addresses to change and to plan for
those changes, see Plan for IP Address Changes for Mobile Users, Remote Networks, and
Service Connections.
Mobile User | GlobalProtect gateway (gp_gateway) | Retrieves the gateway IP addresses. You must add
both gateway and portal IP addresses to allow lists for your mobile user deployments. Mobile users
connect to a Prisma Access gateway to access internal or internet resources, such as SaaS or public
applications, for which you have provided access.
Remote Network | Remote Network IP addresses (remote_network) | Includes Service IP Addresses that
Prisma Access assigns for the Prisma Access remote network connection, and egress IP addresses that
Prisma Access uses to make sure that remote network users get the correct default language for their
region. Add these addresses to allow lists in your network to give Prisma Access access to internet
resources.
Clean Pipe | Clean Pipe IP Addresses (clean_pipe) | If you have a Clean Pipe deployment, add these IP
addresses to an allow list to give
This command does not retrieve loopback addresses; to retrieve loopback IP addresses, use
the loopback API command.
If you have already generated an API key, the Current Key displays. If you haven’t yet generated
a key, or want to replace the existing key to satisfy an audit or compliance requirement for key
rotation, click Generate New API Key for a new key.
STEP 2 | Create a .txt file and put the API command options in the file.
{
"serviceType": "service-type",
"addrType": "address-type",
"location": "location"
}
Where option.txt is the .txt file you created in Step 2 and Current-API-Key is the Prisma Access API key.
For example, given a .txt file name of option.txt and an API key of 12345abcde, use the following
API command to retrieve the public IP address for all locations:
The API command returns the addresses in the following format:
{
  "result": [
    {
      "address_details": [
        { "address": "1.2.3.4", "addressType": "address-type", "serviceType": "service-type" }
      ],
      "addresses": [ "1.2.3.4" ],
      "zone": "zone-name",
      "zone_subnet": [ zone-subnet ]
    }
  ]
}
Where:
• address_details shows the details of the address for each location.
• address shows the IP address you need to add to your allow lists.
• addressType specifies the type of address requested with the addrType keyword (either active,
reserved, or pre-allocated if you are pre-allocating IP addresses for mobile user locations).
• serviceType shows the type of IP address: remote network (remote_network), GlobalProtect gateway
(gp_gateway), GlobalProtect portal (gp_portal), or Clean Pipe (clean_pipe).
• addresses lists all the IP addresses for the location that you need to add to your allow lists.
• zone is the Prisma Access location associated with the IP addresses.
• zone_subnet is the subnet for mobile user gateways and portals. Prisma Access provides this subnet
if you pre-allocate mobile user IP addresses.
If there are any problems with the options in the .txt file, the API returns an error similar to the
following:
{"status": "error","result": "Invalid json format in the request. trace_id:
xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx "}
STEP 4 | Update the allow lists on your on-premises servers or SaaS application policy rules with the IP
addresses you retrieved.
Palo Alto Networks recommends that you only pre-allocate IP addresses for locations that
you want to onboard later.
STEP 2 | Pre-allocate the mobile user egress IP addresses by creating a .txt file and specifying the
following options in the .txt file you create.
Enter the following text in the .txt file:
{
"actionType": "pre_allocated",
"serviceType": "gp_gateway",
"location": "location"
}
Where location is the Prisma Access location where you want to pre-allocate the IP addresses.
Enter a maximum of 12 locations. Entering more than 12 locations might cause timeout errors when
Prisma Access retrieves the pre-allocated IP addresses.
STEP 3 | Enter the CURL command as shown in Step 3 of the task in Run the API Script Used to
Retrieve IP Addresses.
STEP 4 | Retrieve the IP addresses and subnets you requested, including their validity period, by re-
opening the .txt file, removing the existing information, and editing it.
• To request Prisma Access to retrieve all pre-allocated IP addresses, enter the following text in the .txt
file.
{
  "serviceType": "all",
  "addrType": "pre_allocated",
  "location": "all"
}
While Prisma Access returns up to four addresses for each location (one active and one
reserved gateway IP address and, if required, one active and one reserved portal IP
address), the API command can return a large amount of information. To make the output
more readable, if you have Python installed, you can add | python -m json.tool at
the end of the CURL command.
STEP 5 | Re-enter the CURL command as shown in Step 3 in the task in Run the API Script Used to
Retrieve IP Addresses to retrieve the pre-allocated addresses.
Prisma Access returns the information in the following format:
{
  "status": "success",
  "result": [
    {
      "zone": "prisma-access-zone1",
      "addresses": ["ip-address1", "ip-address2"],
      "zone_subnet": ["subnet-and-mask1", "subnet-and-mask2"],
      "address_details": [
        {"address": "ip-address1",
         "service_type": "service-type",
         "addressType": "pre-allocated",
         "expiring_in": "validity-period"},
        {"address": "ip-address2",
         "service_type": "gp_gateway",
         "addressType": "pre-allocated",
         "validity_period_remaining": "90 days"}
      ]
    }
  ]
}
Variable | Explanation
ip-address1 and ip-address2 | The egress IP addresses that Prisma Access has pre-allocated for the
specified location. Prisma Access retrieves two IP addresses for each location; you must add both of
these IP addresses to your allow lists.
subnet-and-mask1 and subnet-and-mask2 | The subnets that Prisma Access has pre-allocated and reserved
for the egress IP addresses in your deployment.
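As an added example (not code from the guide or from Palo Alto Networks), the following Python handles the two response formats shown above, the standard address listing and the pre-allocation listing, distinguishes them from the error response, and computes which addresses a fresh pull adds to an allow list. It does not issue the API request itself; the sample responses, zone names and IP addresses in it are constructed, and the option-file validator only accepts the serviceType and addrType values the guide documents.

```python
"""Parse Prisma Access IP-address API responses into allow-list entries.

Added example, not from the Prisma Access guide or Palo Alto Networks. It works on
the JSON the API commands above return (saved to a file or piped in) and does not
issue the request itself. Sample responses and addresses are constructed from the
formats shown in the guide.
"""
import ipaddress
import json

# Values the guide documents for the option .txt file.
SERVICE_TYPES = {"gp_gateway", "gp_portal", "remote_network", "clean_pipe", "all"}
ADDR_TYPES = {"active", "reserved", "pre_allocated", "all"}

# Constructed sample: one location with active/reserved gateway addresses and one
# with a pre-allocated gateway address (fields from the pre-allocation response).
SAMPLE_OK = json.dumps({
    "status": "success",
    "result": [
        {"zone": "us-west", "addresses": ["203.0.113.10", "203.0.113.11"],
         "address_details": [
             {"address": "203.0.113.10", "addressType": "active", "serviceType": "gp_gateway"},
             {"address": "203.0.113.11", "addressType": "reserved", "serviceType": "gp_gateway"}]},
        {"zone": "seoul", "addresses": ["198.51.100.4"], "zone_subnet": ["198.51.100.0/28"],
         "address_details": [
             {"address": "198.51.100.4", "addressType": "pre-allocated",
              "service_type": "gp_gateway", "validity_period_remaining": "90 days"}]},
    ],
})
# Constructed sample: the error shape the guide shows for a malformed option file.
SAMPLE_ERR = ('{"status": "error","result": "Invalid json format in the request. '
              'trace_id: xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx "}')

def build_options(service_type, addr_type, location):
    """Build the option .txt body, rejecting values the API does not document."""
    if service_type not in SERVICE_TYPES:
        raise ValueError("unknown serviceType: %r" % service_type)
    if addr_type not in ADDR_TYPES:
        raise ValueError("unknown addrType: %r" % addr_type)
    return json.dumps({"serviceType": service_type, "addrType": addr_type,
                       "location": location}, indent=2)

def error_message(raw):
    """Return the API error text, or None when the response is a success."""
    data = json.loads(raw)
    if data.get("status") == "error" or isinstance(data.get("result"), str):
        return str(data.get("result", "unknown error")).strip()
    return None

def parse_response(raw):
    """Return {zone: {"addresses": set, "subnets": set, "details": list}}."""
    err = error_message(raw)
    if err is not None:
        raise ValueError("API error: " + err)
    zones = {}
    for entry in json.loads(raw)["result"]:
        addrs, details, subnets = set(), [], set()
        for d in entry.get("address_details", []):
            # Validate as an IP literal so a malformed payload cannot push a
            # hostname or wildcard into an allow list.
            ipaddress.ip_address(d["address"])
            details.append({
                "address": d["address"],
                "addr_type": d.get("addressType"),
                # The guide shows both spellings of the service-type key.
                "service_type": d.get("serviceType") or d.get("service_type"),
                # Pre-allocated entries carry their validity period under either key.
                "expiry": d.get("expiring_in") or d.get("validity_period_remaining"),
            })
            addrs.add(d["address"])
        for a in entry.get("addresses", []):
            ipaddress.ip_address(a)
            addrs.add(a)
        for s in entry.get("zone_subnet", []):
            subnets.add(str(ipaddress.ip_network(s, strict=False)))
        zones[entry["zone"]] = {"addresses": addrs, "subnets": subnets, "details": details}
    return zones

def allowlist_entries(zones, service_types=None):
    """Flatten to the IPs to allow-list, optionally only for given service types.

    Active and reserved addresses are both kept: an infrastructure upgrade swaps
    their roles, so allow-listing only the active address causes an outage."""
    out = set()
    for z in zones.values():
        if service_types is None:
            out |= z["addresses"]
        else:
            out |= {d["address"] for d in z["details"] if d["service_type"] in service_types}
    return out

def allowlist_delta(previous, current):
    """Addresses a new pull adds relative to the previous one, in address order.

    Only additions are automated: a reserved address missing from one pull can be
    active again after a scaling event, so removals are left for manual review."""
    return sorted(current - previous, key=ipaddress.ip_address)
```

Feed the saved output of the curl command to parse_response and keep the previous pull on disk, so that allowlist_delta gives the exact set of entries to push to your allow lists after each run.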
You could receive an error if you attempt to pre-allocate IP addresses for locations that meet one of the
following criteria:
• You have already onboarded the location.
• You onboarded, then deleted the location.
In this case, enter the following text in the .txt file to retrieve the IP addresses for the location:
{
"serviceType": "gp_gateway",
"addrType": "all",
"location": "all"
}
• You have reached the maximum number of mobile user locations allowed by your license and cannot
add any more locations.
• You entered the location name incorrectly.
• You entered a serviceType other than gp_gateway.
• You entered an actionType other than pre_allocated.
• You previously requested egress IP addresses for a location that is also a #unique_36 and have not
yet onboarded it.
Prisma Access sends this notification a few seconds before the new IP address becomes
active. We recommend that you use automation scripts to both retrieve and add the new IP
addresses to an allow list in your network.
STEP 1 | Select Panorama > Cloud Services > Configuration > Service Setup.
STEP 2 | Add an IP Change Event Notification URL where you can be notified of IP address changes in
your Prisma Access infrastructure.
You can specify an IP address or an FQDN to an HTTP or HTTPS web service that is listening for change
notifications. Prisma Access sends these notifications from the internet using a public IP address.
You do not need to commit your changes for the notification URL to take effect.
The following table shows the keywords and parameters that are available in the legacy API scripts used
with Prisma Access, and provides information and recommendations about which API to use for the type of
deployment you have.
These legacy commands retrieve two types of IP addresses, public IP and egress IP addresses. We provide
you with two different legacy API commands so that you can retrieve all the IP addresses you need to add
to an allow list.
• A public IP address is the source IP address that Prisma Access uses for requests made to an internet-
based source. Add the public IP address to an allow list in your network to give Prisma Access access to
internet resources such as SaaS applications or publicly accessible partner applications.
Mobile user, remote network, and clean pipe deployments use public IP addresses.
• An egress IP address is an IP address that Prisma Access uses for egress traffic to the internet, and you
must also add these addresses to an allow list to give Prisma Access access to internet resources.
Among other purposes, Prisma Access uses egress IP addresses so that users receive web pages in the
language they expect from a Prisma Access location. All locations have public IP addresses; however, not
all locations have egress IP addresses. The following locations do not use egress IP addresses:
• Any locations that you added before the release of Prisma Access 1.4.
• Bahrain
• Belgium
• France North
• France South
get_egress_ip_all=yes command

curl -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/getAddrList/latest?get_egress_ip_all=yes"

This command retrieves all the IP addresses that you add to an allow list to give Prisma Access
access to internet resources such as SaaS applications or publicly accessible partner applications.
This command has the following constraints:
• This command can retrieve a large number of addresses (more than 200). If your enterprise cannot
add this number of IP addresses to an allow list, you can use the gpcs_gp_gw and gpcs_gp_portal
keywords to retrieve only the IP addresses you are currently using; however, you will have to rerun
these commands every time you add a location. In addition, if a scaling event occurs, you will need
to add the new IP addresses to an allow list.
• Prisma Access does not list the locations that are associated with these IP addresses; therefore,
we recommend that you add all the IP addresses that are returned with this command to an allow list.
• This command does not give you loopback addresses.

gpcs_gp_gw and gpcs_gp_portal keywords

curl -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/getAddrList/latest?fwType=gpcs_gp_gw | gpcs_gp_portal&addrType=public_ip | egress_ip_list | loopback_ip"

Use this command if your deployment limits the number of IP addresses you can add to an allow list.
You must add all IP addresses returned with this command to an allow list in your network. You can
also retrieve the loopback IP addresses with this command.
This command has the following limitations:
• It doesn’t list any of the reserved IP addresses used for scaling events.
• It doesn’t list any of the reserved IP addresses used for locations that you haven’t yet added.

gpcs_remote_network keyword

curl -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/

Use this command to find the IP addresses that you need to add to an allow list for remote network
deployments.

gpcs_clean_pipe keyword

curl -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/getAddrList/latest?fwType=gpcs_clean_pipe&addrType=public_ip | egress_ip_list | loopback_ip"

Use this command to find the IP addresses that you need to add to an allow list for clean pipe
deployments.
STEP 1 | Get the API key by selecting Panorama > Cloud Services > Configuration > Service Setup,
then selecting Generate API Key.
You need this key to authenticate to Prisma Access and retrieve the list of IP addresses using the curl
command listed below. Only a Panorama administrator or Superuser can generate or access this API key.
STEP 2 | Enter the following command to retrieve the mobile user public IP addresses:
Every time Prisma Access uses the reserved set of public IP addresses, it allocates another set of
reserved IP addresses. If you think that Prisma Access has used the reserved set of public IP addresses
(for example, if a large number of mobile users have accessed a single location), you can run this API
command again to find the new set of reserved public IP addresses. All IP addresses persist after an
upgrade.
STEP 1 | Get the API key and add an IP Change Event Notification URL where you can be notified of IP
address changes in your Prisma Access infrastructure.
See Be Notified of Changes to IP Addresses for details.
STEP 2 | Retrieve the public IP addresses, loopback IP addresses, or both for Prisma Access.
Use the API key and the API endpoint URL either manually or in an automation script:
curl -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/getAddrList/latest?fwType=$fwType&addrType=$addrType"
where you need to replace Current-API-Key with your API key and use one or both of the following
keywords and arguments:
Keyword | Description
fwType keyword
gpcs_gp_portal | Retrieves Prisma Access portal IP addresses (for mobile user deployments).
gpcs_remote_network | Retrieves Prisma Access remote network IP addresses (for remote network
deployments).
addrType keyword
public_ip | Retrieves the source IP addresses that Prisma Access uses for requests made to an
internet-based source. For mobile user locations, Prisma Access lists the IP addresses by location.
For remote networks, Prisma Access lists the IP addresses by remote network name.
egress_ip_list | Retrieves the IP addresses that Prisma Access uses with public IP addresses for
additional egress traffic to the internet.
loopback_ip | Retrieves the source IP addresses used by Prisma Access for requests made to an
internal source (for example, a RADIUS or Active Directory server), and is assigned from the
infrastructure subnet.
curl -k -H header-api-key:1234y9ydxb__0UmxetVTbC8XTyFMaoT4RBZBKBjfX419YVufeFG7 "https://api.gpcloudservice.com/getAddrList/latest?fwType=gpcs_remote_network&addrType=public_ip"
or use a simple Python script to retrieve the list of all IP addresses, for example:
#!/usr/bin/env python3
import json
import subprocess

api_key = '1234y9ydxb__0UmxetVTbC8XTyFMaoT4RBZBKBjfX419YVufeFG7'  # Replace with your key
# This call retrieves IP addresses for all your Prisma Access firewalls
api_end_point = 'https://api.gpcloudservice.com/getAddrList/latest'

# -k disables TLS certificate verification, as in the curl example above;
# drop it once this host trusts the API endpoint's certificate chain.
args = ['curl', '-k', '-H', 'header-api-key:' + api_key, api_end_point]
p = subprocess.Popen(args, stdout=subprocess.PIPE)
output = p.communicate()
dout = json.loads(output[0])  # output[0] is curl's stdout, the JSON body
addrStrList = dout['result']['addrList']

addrList = []
for addr_str in addrStrList:
    # Each entry has the form "<location or remote network name>:<ip address>"
    addrList.append(addr_str.split(":")[1])
print(addrList)
STEP 3 | Update the allow lists on your on-premises servers or SaaS application policy rules with the IP
addresses you retrieved.
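The following script is an added example, not the guide's own code. It calls the same getAddrList endpoint with the fwType and addrType keywords described above, keeps TLS certificate verification enabled instead of using curl's -k, and parses the "name:ip" strings from result.addrList into a per-location map and a de-duplicated allow list. Entries that do not carry a valid IP address are reported rather than silently dropped, so a malformed response cannot quietly poison an allow list. SAMPLE_RESPONSE is constructed for offline use; the 51.1.1.x values are the guide's own example addresses.

```python
#!/usr/bin/env python3
"""Retrieve Prisma Access address lists and turn them into an allow list.

Added example; not the guide's script. SAMPLE_RESPONSE is constructed.
"""
import ipaddress
import json
import ssl
import urllib.parse
import urllib.request

API_END_POINT = "https://api.gpcloudservice.com/getAddrList/latest"


def build_url(fw_type, addr_type):
    """Build the documented query URL, e.g. fwType=gpcs_gp_portal&addrType=public_ip."""
    query = urllib.parse.urlencode({"fwType": fw_type, "addrType": addr_type})
    return f"{API_END_POINT}?{query}"


def fetch_addr_list(api_key, fw_type, addr_type, timeout=30):
    """Call the API with the header-api-key header and return the parsed JSON.

    TLS certificate verification stays enabled (no equivalent of curl -k),
    so this host must trust the endpoint's certificate chain.
    """
    req = urllib.request.Request(build_url(fw_type, addr_type),
                                 headers={"header-api-key": api_key})
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(req, context=ctx, timeout=timeout) as resp:
        return json.load(resp)


def parse_addr_list(payload):
    """Group result.addrList entries by location or remote network name.

    Entries have the form "<name>:<ip>". Partitioning on the first colon keeps
    the name separate from the address even if the address part contains
    colons. Entries without a valid IP address are returned in `rejected`
    instead of being dropped, so a malformed response is noticed before any
    allow list is updated from it.
    """
    by_name = {}
    rejected = []
    for entry in payload["result"]["addrList"]:
        name, sep, addr = entry.partition(":")
        if not sep:
            rejected.append(entry)
            continue
        try:
            ip = ipaddress.ip_address(addr.strip())
        except ValueError:
            rejected.append(entry)
            continue
        by_name.setdefault(name.strip(), []).append(str(ip))
    return by_name, rejected


def allow_list(by_name):
    """Flatten the grouped addresses into a sorted, de-duplicated list."""
    unique = {ip for ips in by_name.values() for ip in ips}
    return sorted(unique, key=lambda s: (ipaddress.ip_address(s).version,
                                         ipaddress.ip_address(s)))


# Constructed sample response in the shape the API returns (result.addrList).
SAMPLE_RESPONSE = {
    "result": {
        "addrList": [
            "Sydney:51.1.1.1",
            "Sydney:51.1.1.2",
            "Tokyo:51.1.1.3",
            "Seoul:51.1.1.4",
            "Seoul:51.1.1.4",        # duplicate, collapsed by allow_list()
            "malformed-entry",       # no colon: rejected
            "Seoul:not-an-address",  # not an IP address: rejected
        ]
    }
}

if __name__ == "__main__":
    # Live use: fetch_addr_list("<your API key>", "gpcs_gp_portal", "public_ip")
    grouped, bad = parse_addr_list(SAMPLE_RESPONSE)
    for name, ips in grouped.items():
        print(f"{name}: {', '.join(ips)}")
    print("allow list:", allow_list(grouped))
    print("rejected:", bad)
```

Run it once per fwType/addrType pair you need (portal public IPs, remote network public IPs, loopback IPs) and merge the resulting lists; the rejected entries should be empty on a healthy response, and anything else is worth investigating before the allow list on an on-premises server is changed.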
Then a large number of users log in to the Seoul location. To accommodate these extra users, Prisma Access
adds a second gateway for the Seoul location and takes the reserved address from the first Seoul gateway
(51.1.1.4) and makes this the active IP address for the second Seoul gateway. It then adds two additional
IP addresses (51.1.1.5 and 51.1.1.6 in this example) to use as reserved IP addresses for the two Seoul
gateways.
The following graphic shows a sample deployment with three Prisma Access portals, three locations
(Sydney, Tokyo, and Seoul), and an active and reserved public IP address for each portal and location.
After an infrastructure upgrade, Prisma Access reverses the public IP addresses for each portal and location.
In this example, the Sydney location’s active public IP address changes from 51.1.1.1 to 51.1.1.2 and its
reserved public IP address changes from 51.1.1.2 to 51.1.1.1. Adding both the active and reserved public IP
addresses to allow lists ensures that users can still access the Prisma Access portals and gateways after an
infrastructure upgrade.
In addition, egress IP addresses can change if Prisma Access creates a new compute region
and you decide to use this new compute region with locations you have already onboarded.
See Remote Network Egress IP Allocation Changes After a Compute Region Change for
details.
These bandwidth guidelines apply only when you upgrade an existing connection. A single remote network
connection, even a 500 Mbps (w/o SSL Decryption) or 1000 Mbps (Preview) connection, always receives a
single Service IP Address, regardless of its size.
The 1000 Mbps bandwidth option is in preview mode. The throughput during preview is
delivered on a best-effort basis and the actual performance will vary depending upon the
traffic mix. The 500 Mbps option supports SSL decryption, but Palo Alto Networks does not
guarantee 500 Mbps of throughput if it is enabled.
The following example shows three remote network connections in the same location, each with a
bandwidth of 100 Mbps. Since the total bandwidth is 300 Mbps, Prisma Access assigns a single IP address
for all connections in the location.
If you reduce the bandwidth of a remote network connection, the Service IP address does
not change.
To find the service IP addresses in Panorama, select Panorama > Cloud Services > Status > Network Details
tab and click the Remote Networks radio button to display the Service IP Address for the remote networks,
or use the API script.
Since the new compute region will have new egress IP addresses, Palo Alto Networks
recommends that you schedule a compute region change during a maintenance window or
during off-peak hours.
1. Delete the remote network location or locations associated with the new compute region.
Prisma Access allocates the loopback IP addresses from the infrastructure subnet that you specify when
you enable the Prisma Access infrastructure. You can add the entire infrastructure subnet to an allow
list and avoid planning for mobile user loopback IP changes during an infrastructure upgrade. To find
the infrastructure subnet, select Panorama > Cloud Services > Status > Network Details > Service
Infrastructure and view the Infrastructure Subnet.
Retrieve these addresses using the procedure in Retrieve Public, Loopback, and Egress IP Addresses, the
same procedure used to retrieve public IP and loopback IP addresses.
The following example shows a Prisma Access deployment that has an infrastructure subnet of
172.16.0.0/16. Prisma Access has assigned loopback IP addresses 172.16.0.1 and 172.16.0.3 for mobile
users from the infrastructure subnet.
After an infrastructure upgrade (for example, to prepare for a new release of the Cloud Services plugin),
Prisma Access assigns two different IP addresses for mobile users from the infrastructure subnet
(172.16.0.1 is changed to 172.16.0.2 and 172.16.0.3 is changed to 172.16.0.4).
However, Eastern Canada uses a different default language (French) than Central Canada (English). For this
reason, Prisma Access assigns them different egress IP addresses. If you run the API script for egress IP
addresses, you will receive two different IP addresses for these two locations.
• Site A has a 100 Mbps connection both upstream and downstream. For this site, specify a remote
network connection of 100 Mbps.
• Site B has an asymmetric connection, with 100 Mbps upstream and 25 Mbps downstream, and you want
to make sure that the remote network connection does not throttle the upstream traffic. In this case,
specify a remote network connection of 100 Mbps.
• Site C has an asymmetric connection, with 25 Mbps upstream and 100 Mbps downstream. For this
site, you want to make sure that the remote network connection does not throttle the upstream traffic,
but throttling the downstream traffic is acceptable. In this case, you can specify a remote network
connection of 25 Mbps, which ensures that Prisma Access delivers 25 Mbps reliably in both directions.
The Prisma Access APIs are located in the following XML Path Language (XPath) nodes in the XML tree:
• Configuration Commands: XML API > Configuration Commands > devices >
entry[@name='localhost.localdomain'] > plugins > cloud_services
• Operational Commands: XML API > Operational Commands > request > plugins > cloud_services >
prisma-access
You can also use the web interface to find Prisma Access APIs. See the PAN-OS and Panorama API Usage
Guide for details.
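As an added example (not from the guide or the PAN-OS API documentation), the script below shows how the two XPath nodes listed above translate into XML API calls: a type=config/action=get request against the cloud_services configuration node, and an operational command assembled from the request > plugins > cloud_services > prisma-access node path. It also checks the <response status="..."> envelope that every XML API reply is wrapped in before using the body, and passes the API key in the X-PAN-KEY request header rather than in the URL so the key does not land in proxy or web server logs. PANORAMA_HOST and both sample replies are placeholders constructed for this example; the API key is assumed to have been generated beforehand with the XML API keygen request.

```python
#!/usr/bin/env python3
"""Reach the Prisma Access plugin nodes through the Panorama XML API.

Added example, not from the guide. PANORAMA_HOST and the SAMPLE_* replies
are constructed placeholders.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

PANORAMA_HOST = "panorama.example.com"  # placeholder, not a real appliance
CLOUD_SERVICES_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
                        "/plugins/cloud_services")


def build_config_get_url(host, xpath):
    """URL for type=config&action=get on the given XPath (the key is not in the URL)."""
    params = urllib.parse.urlencode({"type": "config", "action": "get", "xpath": xpath})
    return f"https://{host}/api/?{params}"


def build_op_cmd(node_path):
    """Nest a node path such as request > plugins > cloud_services > prisma-access
    into the XML that the XML API expects in the cmd parameter. The caller adds
    the specific operational command under the innermost node."""
    root = ET.Element(node_path[0])
    parent = root
    for node in node_path[1:]:
        parent = ET.SubElement(parent, node)
    return ET.tostring(root, encoding="unicode")


def build_op_url(host, cmd_xml):
    """URL for type=op with the command XML in the cmd parameter."""
    params = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml})
    return f"https://{host}/api/?{params}"


def api_request(url, api_key, timeout=30):
    """Send the request with the key in the X-PAN-KEY header, not the query string."""
    req = urllib.request.Request(url, headers={"X-PAN-KEY": api_key})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def parse_api_response(xml_text):
    """Return the <result> element of a successful reply; raise on anything else.

    Every XML API reply is wrapped in <response status="...">; failures come
    back as status="error" with a message, so the status is checked before the
    body is used.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError(f"unexpected root element <{root.tag}>")
    status = root.get("status")
    if status != "success":
        msg = root.findtext(".//msg") or root.findtext(".//line") or "no message"
        raise RuntimeError(f"XML API returned status={status!r}: {msg}")
    return root.find("result")


# Constructed sample replies in the XML API envelope format.
SAMPLE_SUCCESS = ('<response status="success">'
                  '<result total-count="1" count="1"><cloud_services/></result>'
                  '</response>')
SAMPLE_ERROR = ('<response status="error" code="403">'
                '<result><msg>Invalid Credential</msg></result></response>')

if __name__ == "__main__":
    print(build_config_get_url(PANORAMA_HOST, CLOUD_SERVICES_XPATH))
    cmd = build_op_cmd(["request", "plugins", "cloud_services", "prisma-access"])
    print(build_op_url(PANORAMA_HOST, cmd))
    result = parse_api_response(SAMPLE_SUCCESS)
    print("config node returned:", [child.tag for child in result])
    try:
        parse_api_response(SAMPLE_ERROR)
    except RuntimeError as exc:
        print("error reply handled:", exc)
```

The live call would be api_request(build_config_get_url(PANORAMA_HOST, CLOUD_SERVICES_XPATH), api_key) followed by parse_api_response() on the returned text; the same envelope check applies to operational command replies.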
Activate and Install Prisma Access
Use the following workflow to activate your Prisma Access licenses and download and install the Cloud
Services plugin. If you are upgrading an existing Prisma Access deployment to a new version, use the
workflow in the Prisma Access Release Notes (Panorama Managed) to upgrade the Cloud Services plugin.
This section describes the installation procedure for licenses that were available before
November 17, 2020; for an overview of the installation procedure for the licenses that are
available after November 17, 2020, see the Prisma Access 1.8 Administration Guide.
STEP 1 | Before you begin, make sure that you have the following information and resources:
• Be sure that you have the order fulfillment email that contains the activation links that are required to
activate Prisma Access.
• If you are going to set up Prisma Access in High Availability (HA) mode with a primary and secondary
Panorama, Configure Panorama Appliances in High Availability for Prisma Access before you license
and activate Prisma Access.
STEP 2 | (Optional) If you will use an existing Panorama to manage Prisma Access, be sure that the
Panorama on which you will install the Cloud Services plugin (which activates Prisma Access) is
running the minimum Panorama version.
During product activation, you can select an existing Panorama to manage Prisma Access, if that
Panorama has a valid support license. Alternatively, if you have a licensed Panorama that you have
not yet installed, you can select that Panorama during product activation. In either case, the activation
process allows the Panorama appliance you select to manage Prisma Access, and you must make sure
that the Panorama appliance is running the minimum software version.
You can manage Prisma Access with a Panorama appliance running one of the following versions:
• PAN-OS 9.0.4 or a later PAN-OS 9.0 version
• PAN-OS 9.1.1 or a later PAN-OS 9.1 version
• PAN-OS 10.0.0 or a later PAN-OS 10.0 version
Note the upgrade path to use if you are upgrading from PAN-OS 9.0 to 10.0.
The Prisma Access infrastructure supports PAN-OS features up to release 9.1. You must upgrade your
Panorama to a version of 9.1.1 or later to take advantage of PAN-OS 9.1 features.
Make a note of the serial number of the Panorama appliance; you use that serial number
in a later step.
STEP 3 | When you receive the activation email from Palo Alto Networks, click Activate to activate your
products.
Select any of the links in the email to activate all of your licensed Prisma Access and Cortex Data Lake
products. You will be prompted to sign in to the Hub if you are not signed in already.
STEP 4 | Select the products you want to activate; then, click Start Activation.
In most cases, activate all products that display; however, if you want to associate Prisma Access with a
Cortex Data Lake you have already activated, deselect Cortex Data Lake.
STEP 5 | Assign the products you selected with a Customer Support Account; then, click Next.
If you have multiple support accounts associated with your email, select the account to which you want
to assign the products.
STEP 6 | Choose the Panorama appliance that will manage Prisma Access; then, click Next.
• To use an existing Panorama appliance, select Use existing Panorama and select the serial number of
the Panorama appliance that you want to use.
• If you want to register a new Panorama appliance, review the steps to register either a Panorama
virtual or hardware appliance.
Enter the serial number of the Panorama appliance in the Enter Serial # area.
STEP 7 | Choose the Cortex Data Lake options; then, click Confirm Selections.
• In the Cortex Data Lake Selection area, choose whether to activate a new Cortex Data Lake instance
(Activate New), or select an existing Cortex Data Lake instance.
• In the Region Selection area, select a region for Cortex Data Lake.
The progress bar can appear to pause during product activation. Wait until the progress bar reaches
100%. The activation process takes approximately 20 minutes.
STEP 8 | When setup is complete, copy the one-time password (OTP). You use this in a later step to
verify your account on Panorama.
STEP 9 | Download and install the Cloud Services plugin.
See the Palo Alto Networks Compatibility Matrix for the Panorama versions that are supported with the
Cloud Services plugin.
You can either download the plugin from the Customer Support Portal, or you can check for plugin
updates directly from Panorama.
• To download and install the Cloud Services plugin by downloading it from the Customer Support
Portal, complete the following steps.
1. Log in to the Customer Support Portal and select Software Updates.
2. Find the Cloud Services plugin in the Panorama Integration Plug In section and download it.
Do not rename the plugin file or you will not be able to install it on Panorama.
3. Log in to the Panorama web interface of the Panorama you licensed for use with Prisma Access,
select Panorama > Plugins > Upload, and Browse for the plugin file that you downloaded from the
CSP.
4. Install the plugin.
• To download and install the new version of the Cloud Services plugin directly from Panorama,
complete the following steps:
1. Select Panorama > Plugins and click Check Now to display the latest Cloud Services plugin
updates.
Installing a newer version of the Cloud Services plugin overwrites the previously installed version. If
you are installing the plugin for the first time, after you successfully install, Panorama refreshes and the
Cloud Services menu displays on the Panorama tab.
You also have to re-verify your account every 3 months; complete these steps to re-verify
the account.
1. In Panorama, select Panorama > Cloud Services > Configuration and click Verify.
If Verify is disabled, check that you have configured a DNS server and NTP server on Panorama >
Setup > Services.
2. Paste the One-time Password you copied from Step 8 and click OK.
4. Click OK.
Do not click Cancel, even if you did not make any changes to this page.
STEP 13 | Continue to configure your Prisma Access deployment by Enabling the Service Infrastructure.
Transfer or Update Prisma Access Licenses
If you need to transfer your Prisma Access license from one Panorama appliance to another, or if you have
an evaluation Prisma Access license and you purchase a production license, use this workflow to transfer or
update your license.
If you are upgrading from an evaluation to a paid license, do not proceed with this workflow
until the order process is complete, the order has been fulfilled, and the support portal is
showing the newly purchased cloud service licenses.
If you are upgrading your Prisma Access license from evaluation to production, make sure
that your Panorama appliance has active, paid licenses before starting this procedure. If your
Panorama has an evaluation license, you need to transfer the Prisma Access license to a
Panorama with a production license.
STEP 2 | Make a note or take a screenshot of the licenses you have, the quantity of licenses, and the
expiration date of each license.
STEP 4 | From the Panorama administration console, select Panorama > Licenses and click Retrieve
license keys from license server.
This step should refresh the licenses you already have, and the new licenses should reflect the new
quantity you purchased and the new expiration date.
STEP 5 | Delete any existing certificates using CLI from Panorama by entering the following command:
STEP 6 | Enter the debug plugins cloud_services reset-endpoint command to reset the
Panorama appliance.
STEP 7 | Create the new certificate with the new OTP by entering the following command, where value
is the new OTP:
STEP 8 | Complete the one-time password (OTP) verification procedure and verify the Panorama
appliance.
STEP 9 | In Panorama, verify that you can make configuration changes and can successfully push the
configuration to Prisma Access.
If the licenses do not update correctly, or if you are not able to make configuration changes after the
refresh, contact Palo Alto Networks support.
STEP 1 | (Optional) Export a snapshot of your Panorama configuration to a host external to Panorama or
to an on-premise firewall.
While Prisma Access saves all its infrastructure settings, including public and loopback IP addresses, you
need to transfer any Panorama-specific configuration to the new Panorama appliance. You can export
your configuration after the license transfer process is complete, but we recommend exporting it before
you transfer the licenses as a best practice.
STEP 4 | Find the production Panorama appliance to which you will be transferring the production
Prisma Access plugin and complete these steps:
1. Verify that it has an active support license.
2. Make a note of this serial number; you use it in a later step.
STEP 5 | Search for the current Panorama appliance you are using to run Prisma Access by using the
serial number.
The model name should be in the format PAN-PRA-25-Exx.
STEP 6 | Click the Actions icon for the current Panorama appliance.
STEP 7 | Select Transfer Licenses and choose the Panorama appliance to which you will be migrating.
STEP 8 | Review the EULA and click Agree, then click Submit.
STEP 9 | Wait for a confirmation message in the Support Portal for a successful transfer.
STEP 10 | After the successful transfer of licenses, log in to the administration console of your
production Panorama appliance.
STEP 11 | Select Panorama > Support and verify that the Panorama appliance has a valid support
license.
STEP 12 | Click Dashboard and verify that the running software version is a minimum of 9.0.4.
STEP 13 | Verify that the Panorama appliance is configured to use NTP by selecting Panorama >
Setup > Services > NTP and setting a value, such as pool.ntp.org, for the NTP Server.
STEP 15 | Select Panorama > Licenses and click Retrieve license keys from license server.
This should refresh the screen with recently transferred Prisma Access and Cortex Data Lake licenses
you purchased. If the cloud service licenses do not appear, contact Palo Alto Networks Support for
assistance.
STEP 16 | Complete the one-time password (OTP) verification procedure and verify the Panorama
appliance.
STEP 17 | Migrate the configuration from the previous Panorama appliance to the current Panorama
appliance.
• If the production Panorama appliance is completely new, export the configuration from the Panorama
appliance you used during the evaluation (if you have not done so already) and import it to this
Panorama appliance.
• If this is the Panorama appliance that you have been using to manage your existing VMs and devices,
load a partial configuration to this Panorama appliance.
You can now use this Panorama appliance to configure and manage Prisma Access.
Configure Panorama Appliances in High Availability for Prisma Access
Deploying Panorama appliances in a high availability (HA) configuration provides redundancy in case of a
system or network failure and ensures that you have continuous connectivity to Prisma Access. In an HA
configuration, one Panorama appliance peer is the active-primary and the other is the passive-secondary.
In the event of a failover, the secondary peer becomes active and takes over the role of managing Prisma
Access.
• HA Prerequisites
• Configure HA
HA Prerequisites
To simplify the HA setup, configure the Panorama appliances in HA after you purchase Prisma Access and
Cortex Data Lake auth codes and components and associate the serial number of the primary Panorama
appliance on which you plan to install the Cloud Services plugin with the auth codes, but before you
Activate and Install Prisma Access. However, you can also use this process to configure existing Panorama
appliances that already have the plugin installed.
Whether you are just getting started with a new pair of Panorama appliances, or you have already set up
your standalone Panorama appliance and completed the licensing and installation procedures, make sure to
check the prerequisites before you enable HA:
You must register the Panorama appliance HA peers to the same customer account on the Customer
Support Portal (CSP).
The Panorama appliance peers must be of the same form factor (hardware appliances of the same
model or identical virtual appliances) and same OS version and must have the same set of licenses. The
premium support license is required for Prisma Access and Cortex Data Lake.
The serial number of the primary Panorama appliance is tied to your Prisma Access and Cortex Data
Lake auth codes. If you have installed and set up the plugin on a standalone Panorama appliance, ensure
that you use that Panorama appliance as the primary peer. If you need to assign this standalone peer as
the secondary Panorama appliance, contact Palo Alto Networks support for assistance with transferring
the license to the primary Panorama appliance peer before you continue.
Configure HA
Set up your Panorama appliances in an HA configuration.
STEP 2 | Make sure that the primary (active) and secondary (passive) Panorama appliances are
synchronized and that the HA link state between them is up.
1. Access the Dashboard on the primary Panorama appliance and select Widgets > System > High
Availability to display the HA widget.
2. Click Sync to peer, click Yes, and wait for the Running Config to display Synchronized.
3. Make sure that the Local peer is active.
4. Access the Dashboard on the passive Panorama appliance and select Widgets > System > High
Availability to display the HA widget.
5. Verify that the Running Config displays Synchronized.
6. Make sure that the Local peer is passive.
STEP 3 | Install the Prisma Access components on the primary Panorama appliance.
1. Log in to the primary Panorama appliance and select Panorama > Licenses.
2. Click Retrieve the license keys from license server.
3. Activate and Install Prisma Access, including generating a one-time password (OTP) and verifying
your account.
STEP 4 | On the primary Panorama appliance, access the CLI and enter the following operational
command:
tail follow yes mp-log plugin_cloud_services.log
STEP 6 | Log in to the secondary Panorama appliance and Activate and Install Prisma Access.
When you log in to the Customer Support Portal (CSP) to generate the OTP, make sure that you specify
the serial number for the secondary Panorama appliance.
STEP 7 | Commit your changes on the primary and secondary Panorama appliance.
1. Commit > Commit and Push your changes.
2. Click OK and Push.
STEP 8 | Verify that the primary and secondary Panorama appliances are still in a synchronized state.
Prepare the Prisma Access Infrastructure and Service Connections
Use the sections in the following chapter to plan and begin configuration of your Prisma Access deployment.
Set Up Prisma Access
The following sections provide you with the summary steps that you take to install and configure Prisma
Access and information about proxy server support between Panorama, Prisma Access, and Cortex Data
Lake.
• Prisma Access Onboarding and Configuration Workflow
• Proxy Support for Prisma Access and Cortex Data Lake
If you are setting up a deployment that includes multiple instances of Prisma Access on
a single Panorama (multi-tenancy), see Manage Multiple Tenants in Prisma Access. Most
organizations do not have a need to create and manage multiple tenants.
STEP 1 | Add the following URLs and ports to an allow list on any security appliance that you use with
the Panorama appliance that manages Prisma Access.
In addition, if your Panorama appliance uses a proxy server (Panorama > Setup > Service > Proxy
Server), or if you use SSL forward proxy with Prisma Access, be sure to add the following URLs and ports
to an allow list on the proxy or proxy server.
• api.gpcloudservice.com (for Prisma Access)
• api.paloaltonetworks.com (for Prisma Access)
• apitrusted.paloaltonetworks.com (for Prisma Access)
• The FQDNs and ports required for Cortex Data Lake
STEP 2 | Add the ports used by Panorama to allow lists in your network.
STEP 3 | Identify your license requirements; then Activate and Install the Prisma Access Components.
After you install the Cloud Services plugin, the plugin creates a Panorama administrative user with
a username of __cloud_services. This user account is required to enable communication between
Enterprise DLP on Prisma Access and the Prisma Access management infrastructure. Palo Alto Networks
recommends that you change the password for this administrative user in accordance with your
organization’s password policy.
If you delete the __cloud_services user, you must re-add the user manually. The account is used to
register and activate Enterprise DLP on Prisma Access, and for continued DLP scanning using the data
patterns and data filtering profiles referenced in security policy rules.
STEP 4 | Import your existing Panorama configuration to Prisma Access, or create new templates and
device groups to begin configuration of Prisma Access.
In order to push configuration—such as security policy, authentication policy, server profiles, security
profiles, address objects, and application groups—to Prisma Access, you must either create new
templates and device groups with the configuration settings you want to push to Prisma Access, or
leverage your existing device groups and templates by adding them to the template stacks and device
group hierarchies that get created when you onboard the service.
Configuration is simplified in Prisma Access because you do not have to configure any of the
infrastructure settings, such as interfaces and routing protocols. This configuration is automated and
pushed from Panorama in the templates and device groups that the service creates automatically. You
can configure any infrastructure settings that are required by the service, such as settings required
to create IPSec VPN tunnels to the IPSec-capable devices at your remote network locations, directly
from the plugin. Optionally, you can add templates and device group hierarchies to the configuration to
simplify the service setup.
To simplify the service setup, create or import the templates and device groups you need before you
begin the setup tasks for using Prisma Access.
When creating templates and device groups for Prisma Access, you do not need to assign managed
devices to them. Instead, you add them to the template stacks and device group hierarchies created by
the service. Do not add any of the templates or device groups created by Prisma Access to any other
template stacks or device groups.
Also note that some settings that are available in a non-Prisma Access template or device
group may not be supported in Prisma Access. See What Features Does Prisma Access
Support? for a list of supported features.
STEP 5 | Enable the service infrastructure and service connections that allow communication between
Prisma Access elements.
1. Plan to enable the service infrastructure and service connections.
2. Enable the service infrastructure.
3. Create a service connection to allow access to your corporate resources.
If you don’t require access to your corporate resources, you should still create a service connection to
enable access between mobile users and remote networks.
STEP 6 | Plan To Deploy Prisma Access for Users and Configure Prisma Access for Users, if required for
your deployment.
We recommend using local authentication as a first step to verify that the service is set up and your
users have internet access. You can later switch to using your corporate authentication methods.
1. Configure Prisma Access for Users.
2. Configure zones for mobile users.
1. Create two zones in the Mobile User Template. For example, Mobile-Users and Internet.
2. Map the zones. You should map any zone that is not Prisma Access connected users or HQ or
branch offices to Untrust.
Under Panorama > Cloud Services > Configuration > Mobile Users, map Internet to Untrust;
Mobile-Users to Trust.
3. Configure Security policies for the device group.
To create a Security policy to allow traffic to the Internet, select the Mobile_User_Device_Group
Policies > Security > Prerules > Add a rule. For example: Mobile-Users to Internet.
4. Commit your changes to get started with the service.
1. Commit locally on Panorama.
2. Commit and Push to Prisma Access.
3. Select Panorama > Cloud Services > Status > Monitor > Mobile Users to view the Status and
verify that you can ping the Portal FQDN.
5. Validate that Prisma Access is securing Internet traffic for mobile users.
1. Download and install the GlobalProtect app.
2. Use the app to connect to the portal as a mobile user (local user).
3. Browse to a few websites on the internet and check the traffic logs on Panorama.
STEP 7 | Plan, create, and configure remote network connections.
1. Add one or more remote networks to Prisma Access.
You can onboard one location and then add additional locations using the bulk import capability.
2. Create a Security policy rule to allow traffic from the remote networks to HQ (For example: Trust to
Trust).
3. Validate the connectivity between the service connection, remote network connection, and mobile
users.
STEP 8 | Retrieve the IP Addresses for Prisma Access and Retrieve Public and Egress IP Addresses for
Mobile User Deployments.
You add these addresses to an allow list on your organization’s network to limit inbound access to your
enterprise network and applications.
STEP 9 | (Optional) Change the authentication method from local authentication to your organization’s
authentication method.
1. Create an authentication profile that meets your organization’s requirements (LDAP, RADIUS, etc).
2. If your organization uses an on-premise authentication server such as RADIUS or Active Directory,
add the IP addresses that Prisma Access uses as its source IP address for internal requests (Prisma
Access Infrastructure IP Addresses) to allow lists in your network, or allow the IP addresses of the
entire Infrastructure Subnet (Prisma Access takes the loopback IP address from this subnet).
3. Update the Authentication Profile for the Prisma Access portal and gateway to use this new
authentication profile.
STEP 10 | (Optional) Forward logs from Cortex Data Lake (formerly Logging Service) to an external
Syslog receiver by setting up the Log Forwarding app.
Panorama Queries to Cortex Data Lake for Reports and Logs: If the proxy server is the default route on
Panorama, you cannot view the data on the ACC and Monitor > Logs pages. You can view data on the ACC
and Monitor > Logs pages if Panorama has an alternate route to the Cortex Data Lake and you can bypass
the proxy server.
Plan the Service Infrastructure and Service Connections
Plan the Service Infrastructure
To Enable the Service Infrastructure in the cloud for your remote network locations and mobile users, you
must provide a subnet that Prisma Access uses to establish a network infrastructure between your remote
network locations, mobile users, and service connections to your headquarters/data center (if applicable).
The IP addresses in this subnet also enable Prisma Access to determine the service routes for services
such as LDAP, DNS, or SCEP, as well as enable other inter-service communication. Because a large number
of IP addresses will be required to set up the infrastructure, you must use a /24 subnet (for example,
172.16.55.0/24) at a minimum. This subnet is an extension of your existing network and is separate from the
IP address pools you assign to Prisma Access for mobile users. If you have a large number of mobile users, branch
offices, or both, provide a larger infrastructure subnet.
Use the following recommendations and requirements when adding an infrastructure subnet:
• You can assign Prisma Access an infrastructure subnet from an existing supernet in your organization’s IP
address pool, but do not assign any of the IP addresses from the infrastructure subnet for any other use
in your existing network.
The following example shows a Prisma Access infrastructure subnet, 10.10.1.0/24, that you assigned
from an existing supernet, 10.0.0.0/8. After you assign 10.10.1.0/24 as the infrastructure subnet, your
organization cannot use any IP addresses from that subnet. For example, you can assign 10.10.2.1 to an
endpoint, but 10.10.1.1 is not allowed because that IP address is part of the infrastructure subnet.
• If you create a new subnet for the infrastructure subnet, use a subnet that does not overlap with other
IP addresses you use internally.
• We recommend using an RFC 1918-compliant subnet. While the use of non-RFC 1918-compliant
(public) IP addresses is supported, we do not recommend it, because of possible conflicts with internet
public IP address space.
• Do not specify any subnets that overlap with the 100.64.0.0/15 subnet range because Prisma Access
reserves that subnet for its internal use.
• The subnet cannot overlap with the IP address pools you plan to use for the address pools you assign for
your mobile users deployment.
• Because the service infrastructure can be very large, you must designate a /24 subnet at a minimum.
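The following Python script is an added example (it is not part of this guide and not a Palo Alto Networks tool) that checks a candidate infrastructure subnet against the rules listed above before you commit it in Panorama. The mobile user pools and internal subnets in the sample run are constructed values; replace them with your own addressing plan.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Reserved by Prisma Access for internal use (value from the guide); must never overlap.
PRISMA_RESERVED = ipaddress.ip_network("100.64.0.0/15")
# RFC 1918 private ranges; the guide recommends, but does not require, choosing from these.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_infrastructure_subnet(subnet: str,
                                mobile_user_pools: Iterable[str] = (),
                                internal_subnets: Iterable[str] = ()) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for a candidate infrastructure subnet.

    internal_subnets lists prefixes already assigned to hosts or networks in your
    organization (not the supernet you carve the infrastructure subnet from); any
    overlap means an address in the subnet is in use elsewhere, which is not allowed.
    An empty list means the subnet satisfies every rule above.
    """
    try:
        net = ipaddress.ip_network(subnet, strict=True)   # reject host bits, e.g. 10.10.1.5/24
    except ValueError as exc:
        return [("error", f"{subnet!r} is not a valid network prefix: {exc}")]

    if net.version != 4:
        return [("error", "the infrastructure subnet must be an IPv4 prefix")]

    findings: List[Tuple[str, str]] = []
    if net.prefixlen > 24:                                 # /25 and smaller are too small
        findings.append(("error", f"{net} is smaller than /24; a /24 is the minimum"))
    if net.overlaps(PRISMA_RESERVED):
        findings.append(("error", f"{net} overlaps {PRISMA_RESERVED}, which Prisma Access reserves"))
    if not any(net.subnet_of(r) for r in RFC1918):
        findings.append(("warning", f"{net} is not RFC 1918 space; public addresses work but are not recommended"))
    for pool in mobile_user_pools:
        p = ipaddress.ip_network(pool, strict=False)
        if net.overlaps(p):
            findings.append(("error", f"{net} overlaps mobile user IP pool {p}"))
    for used in internal_subnets:
        u = ipaddress.ip_network(used, strict=False)
        if net.overlaps(u):
            findings.append(("error", f"{net} overlaps {u}, which is already in use internally"))
    return findings


if __name__ == "__main__":
    # Constructed sample plan: the guide's example subnet, one mobile user pool, one HQ subnet,
    # and one /25 already in use that collides with a tempting 10.10.1.0/24 candidate.
    for candidate in ("172.16.55.0/24", "10.10.1.0/24", "100.65.1.0/24", "172.16.55.0/25"):
        result = check_infrastructure_subnet(candidate,
                                             mobile_user_pools=["10.8.0.0/20"],
                                             internal_subnets=["10.1.1.0/24", "10.10.1.0/25"])
        print(candidate, "OK" if not result else result)
```

Run it against every subnet you are considering; a subnet with only warnings is usable, a subnet with any error will either fail to deploy or collide with addresses Prisma Access or your network already depends on.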
While each service connection provides approximately 1 Gbps of throughput, the actual
throughput is dependent on several factors, including:
• Traffic mix (for example, frame size)
• Latency and packet loss between the service connection and the headquarters location or
data center
• Service provider performance limits
• Customer termination device performance limits
• Other customer data center traffic
If you configure Prisma Access to manage multiple tenants, each tenant can use up
to 3 service connections with no cost to the license. You can add more than 3 service
connections to each tenant, however each additional service connection takes 300 Mbps
from your remote network license.
In order for Prisma Access to route users to the resources they need, you must provide the routes to the
resources. You can do this in one or more of the following ways:
• Define a static route to each subnetwork or specific resource that you want your users to be able to
access.
• Configure BGP between your service connection locations and Prisma Access.
• Use a combination of both methods.
If you configure both static routes and BGP, the static routes take precedence. While it might be convenient
to use static routes if you have just a few subnetworks or resources to which you want to allow access, in a
large data center/HQ environment where routes change dynamically, BGP lets you scale more easily. Dynamic
routing also provides redundancy for your service connections: if one service connection tunnel is down,
BGP can dynamically route mobile user and remote network traffic over the operational service connection
tunnel.
If you are creating a service connection to allow mobile users access to remote network
locations, you do not need this information.
If you have an existing template that contains IPSec tunnel, Tunnel Monitoring, and IPSec
Crypto Profile configurations, you can add that template to the template stack to simplify
the process of creating the IPSec tunnels. Or, you can edit the Service_Conn_Template
that gets created automatically and create the IPSec configurations required to create
the IPSec tunnel back to the corporate site. Prisma Access also provides you with a set
of predefined IPSec templates for some commonly-used network devices, and a generic
template for any device that is not included in the predefined templates.
• List of IP subnetworks at the site.
• List of internal domains that the cloud service will need to be able to resolve.
• IP address of a node at your network’s site to which Prisma Access can send ICMP ping requests for
IPSec tunnel monitoring. Make sure that this address is reachable by ICMP from the entire Prisma Access
infrastructure subnet.
• Service account for your authentication service, if required for access.
• Network reachability settings for the service infrastructure subnet. We recommend that you make the
entire service infrastructure subnet reachable from the HQ or data center site, because Prisma Access
sources all control plane traffic (tunnel monitoring, LDAP, User-ID, and so on) from IP addresses in this
subnet.
Traffic over the service connections does not count towards the remote network bandwidth pool that you
purchased.
Configure the Service Infrastructure
Before you can begin setting up Prisma Access to secure your remote networks and/or mobile users, you
must configure an infrastructure subnet, which Prisma Access will use to create the network backbone
for communication between your service connections, remote networks, and mobile users, as well as
with the corporate networks you plan to connect to Prisma Access over service connections. Because a
large number of IP addresses will be required to set up the infrastructure, you must use a /24 subnet (for
example, 172.16.55.0/24) at a minimum. See Plan the Service Infrastructure and Service Connections for
the requirements and guidelines to use when assigning an infrastructure subnet.
STEP 1 | Select Panorama > Cloud Services > Configuration > Service Setup and click the gear icon to
edit the Settings.
STEP 2 | On the General tab, specify an Infrastructure Subnet, for example, 172.16.55.0/24.
See Plan the Service Infrastructure and Service Connections for the requirements and guidelines to use
when assigning an infrastructure subnet.
STEP 3 | Enter the Infrastructure BGP AS you want to use within the Prisma Access infrastructure. If
you want to use dynamic routing to enable Prisma Access to dynamically discover routes to
resources on your remote networks and HQ/data center locations, specify the autonomous
system (AS) number. If you do not supply an AS number, the default AS number 65534 will be
used.
STEP 4 | (Optional) Add one or more templates to the predefined template stack,
Service_Conn_Template_Stack.
The templates you add here can help simplify the process of adding new service connections. For
example, if you add a template containing existing IPSec configuration settings, such as IPSec tunnel,
Tunnel Monitoring, and IPSec Crypto Profile configurations, you can select these configurations
when defining the tunnel settings for each service connection rather than having to create the tunnel
configuration from scratch. You can optionally edit the predefined Service_Conn_Template with tunnel
settings that you can leverage when creating the tunnels from Prisma Access to your corporate network
sites.
3. Configure the device groups you are using to push settings to Prisma Access with a Log Forwarding
profile that forwards the desired log types to Panorama/Logging Service.
The Cloud Services plugin automatically adds the following Log Settings (Device > Log Settings) after
a new installation or when removing non-Prisma Access templates from a Prisma Access template
stack:
• Log Settings for System logs (system-gpcs-default), User-ID logs (userid-gpcs-default), HIP Match
logs (hipmatch-gpcs-default), and GlobalProtect logs (gp-prismaaccess-default) are added to the
Mobile_User_Template.
• Log Settings for System logs (system-gpcs-default), User-ID logs (userid-gpcs-default), and
GlobalProtect logs (gp-prismaaccess-default) are added to the Remote_Network_Template.
• Log Settings for System logs (system-gpcs-default) and GlobalProtect logs (gp-prismaaccess-
default) are added to the Service_Conn_Template.
These Log Setting configurations automatically forward System, User-ID, HIP Match, and
GlobalProtect logs to Cortex Data Lake.
To apply log setting changes, perform the following steps, then commit and push your changes:
• To apply the log setting to the mobile user template, select Panorama > Cloud Services >
Configuration > Mobile Users, click the gear icon to edit the settings, and click OK.
• To apply the log setting to the remote network template, select Panorama > Cloud Services >
Configuration > Remote Networks, click the gear icon to edit the settings, and click OK.
• To apply the log setting to the service connection template, select Panorama > Cloud Services >
Configuration > Service Setup, click the gear icon to edit the settings, and click OK.
See Add Log Settings to Prisma Access (Panorama Managed) for a video that describes
the log settings process.
The way you enable log forwarding for other log types depends on the type. For logs that are
generated based on a policy match, use a log forwarding profile. See the Cortex Data Lake Getting
Started Guide for more information.
STEP 7 | (Optional) Change the routing preferences and enable HIP redistribution.
1. Specify the Routing Preference to use with service connections.
You can specify network preferences to use either your organization’s network, or the Prisma Access
network, to process the service connection traffic.
• Default—Prisma Access uses default routing in its internal network.
• Hot potato routing—Prisma Access hands off service connection traffic to your organization’s
WAN as quickly as possible.
Changing the Prisma Access service connection routing method requires a thorough
understanding of your organization’s topology and routing devices, along with an
understanding of how Prisma Access routing works. We recommend that you read the
Routing Preferences for Service Connection Traffic section carefully before changing
the routing method from the default setting.
2. Enable HIP Redistribution to have Prisma Access use service connections to redistribute HIP
information from mobile users and users at remote networks.
See Redistribute HIP Information with Prisma Access for more information about enabling HIP
redistribution.
STEP 8 | Click OK to save the Service Setup settings.
STEP 9 | Commit all your changes to Panorama and push the configuration changes to Prisma Access.
1. Click Commit > Commit to Panorama.
2. Click Commit > Push to Devices and click Edit Selections.
3. On the Prisma Access tab, make sure Service setup is selected and then click OK.
Prisma Access should automatically select the components that need to be committed.
4. Click Push.
that opening layer 4 ports instead of using Palo Alto Networks App-IDs is less secure
and not recommended.
STEP 10 | Verify that Prisma Access is successfully connected to Cortex Data Lake.
1. Select Panorama > Cloud Services > Status > Status > Cortex Data Lake and verify that the Status is
OK.
If the status is Error, click the details link to view any errors.
Create a Service Connection to Allow Access
to Your Corporate Resources
To create a service connection to allow access to your corporate resources, complete the following steps.
If you are creating a service connection to allow communication between mobile users
and remote networks, instead of enabling access to your corporate resources, follow the
instructions in Create a Service Connection to Enable Access between Mobile Users and
Remote Networks.
STEP 1 | Select Panorama > Cloud Services > Configuration > Service Connection.
STEP 2 | Add a new service connection to one of your corporate network sites.
STEP 5 | Select or add a new IPSec Tunnel configuration to access the firewall, router, or SD-WAN
device at the corporate location:
• If you have added a template to the Service_Conn_Template_Stack (or modified the predefined
Service_Conn_Template) that includes an IPSec Tunnel configuration, select that IPSec Tunnel
from the drop-down. Note that the tunnel you are creating for each service connection connects
Prisma Access to the IPSec-capable device at each corporate location. The peer addresses in the IKE
Gateway configuration must be unique for each tunnel. You can, however, re-use some of the other
common configuration elements, such as Crypto profiles.
The IPSec Tunnel you select from a template must use Auto Key exchange and IPv4
only.
• To create a new IPSec Tunnel configuration, click New IPSec Tunnel, give it a Name and configure
the IKE Gateway, IPSec Crypto Profile, and Tunnel Monitoring settings.
• If the IPSec-capable device at your HQ or data center location uses policy-based VPN, on the
Proxy IDs tab, Add a proxy ID that matches the settings configured on your local IPSec device to
ensure that Prisma Access can successfully establish an IPSec tunnel with your local device.
• Leave Enable Replay Protection selected to detect and neutralize replay attacks.
• Select Copy TOS Header to copy the Type of Service (TOS) header from the inner IP header to the
outer IP header of the encapsulated packets in order to preserve the original TOS information.
• To enable tunnel monitoring for the service connection, select Tunnel Monitor.
• Enter a Destination IP address.
Specify an IP address at your HQ or data center site to which Prisma Access can send ICMP ping
requests for IPSec tunnel monitoring. Make sure that this address is reachable by ICMP from the
entire Prisma Access infrastructure subnet.
• If you use tunnel monitoring with a peer device that uses multiple proxy IDs, specify a Proxy ID or
add a New Proxy ID that allows access from the infrastructure subnet to your HQ or data center
site.
The following figure shows a proxy ID with the service infrastructure subnet (172.16.55.0/24
in this example) as the Local IP subnet and the HQ or data center’s subnet (10.1.1.0/24 in this
example) as the Remote subnet.
The following figure shows the Proxy ID you created being applied to the tunnel monitor
configuration by specifying it in the Proxy ID field.
You must configure a static route on your CPE to the Tunnel Monitor IP Address for
tunnel monitoring to function. To find the destination IP address to use for tunnel
monitoring from your data center or HQ network to Prisma Access, select Panorama >
Cloud Services > Status > Network Details, click the Service Infrastructure radio
button, and find the Tunnel Monitor IP Address.
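Proxy ID mismatches are the usual reason a tunnel monitor never comes up against a policy-based peer: the Prisma Access proxy ID must match the peer’s selector exactly with the sides swapped, and the selector must cover the whole infrastructure subnet as the source and the tunnel monitor address as the destination. The following Python pre-flight check is an added example, not part of this guide or of any Palo Alto Networks tool; the proxy IDs and monitor address in it are constructed sample values that mirror the figure above (infrastructure subnet 172.16.55.0/24, HQ subnet 10.1.1.0/24).

```python
import ipaddress
from typing import List, Optional, Sequence, Tuple

# (local subnet, remote subnet) as configured on the side that owns the proxy ID
ProxyId = Tuple[str, str]


def _net(prefix: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(prefix, strict=False)


def unmirrored_proxy_ids(prisma_proxy_ids: Sequence[ProxyId],
                         cpe_proxy_ids: Sequence[ProxyId]) -> List[ProxyId]:
    """Return Prisma-side proxy IDs that have no exact mirror (remote, local) on the CPE.

    The guide requires the proxy ID to match the settings on the local IPSec device;
    a selector that is not mirrored exactly (same prefixes, sides swapped) prevents
    that SA from being established.
    """
    mirrored = {(_net(local), _net(remote)) for local, remote in cpe_proxy_ids}
    return [(local, remote) for local, remote in prisma_proxy_ids
            if (_net(remote), _net(local)) not in mirrored]


def covering_proxy_id(prisma_proxy_ids: Sequence[ProxyId],
                      source_subnet: str, destination_ip: str) -> Optional[ProxyId]:
    """Return the first Prisma-side proxy ID whose local subnet contains the whole
    source subnet and whose remote subnet contains destination_ip, or None."""
    src = _net(source_subnet)
    dst = ipaddress.ip_address(destination_ip)
    for local, remote in prisma_proxy_ids:
        if src.subnet_of(_net(local)) and dst in _net(remote):
            return (local, remote)
    return None


def check_tunnel_monitor(prisma_proxy_ids: Sequence[ProxyId], cpe_proxy_ids: Sequence[ProxyId],
                         infra_subnet: str, monitor_ip: str) -> List[str]:
    """Return a list of problems; an empty list means the selectors agree on both sides
    and ICMP from the entire infrastructure subnet to the monitor address is carried."""
    problems: List[str] = []
    for local, remote in unmirrored_proxy_ids(prisma_proxy_ids, cpe_proxy_ids):
        problems.append(f"CPE has no mirrored proxy ID for local {local} / remote {remote}")
    if covering_proxy_id(prisma_proxy_ids, infra_subnet, monitor_ip) is None:
        problems.append(f"no proxy ID carries ICMP from the whole {infra_subnet} "
                        f"to tunnel monitor {monitor_ip}")
    return problems


# Constructed sample values matching the figure: infra subnet 172.16.55.0/24, HQ subnet 10.1.1.0/24.
PRISMA_PROXY_IDS = [("172.16.55.0/24", "10.1.1.0/24")]
CPE_PROXY_IDS = [("10.1.1.0/24", "172.16.55.0/24")]   # the same selector, seen from the HQ side

if __name__ == "__main__":
    print(check_tunnel_monitor(PRISMA_PROXY_IDS, CPE_PROXY_IDS, "172.16.55.0/24", "10.1.1.10"))  # []
    print(check_tunnel_monitor(PRISMA_PROXY_IDS, CPE_PROXY_IDS, "172.16.55.0/24", "10.1.2.10"))  # monitor outside selector
    print(check_tunnel_monitor(PRISMA_PROXY_IDS, [("10.1.1.0/24", "172.16.55.0/25")],
                               "172.16.55.0/24", "10.1.1.10"))                                  # CPE narrowed the selector
```

The third call shows the subtle case the guide warns about: a CPE selector that covers only half of the infrastructure subnet looks almost right, but probes sourced from the other half are dropped and the monitor flaps.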
STEP 6 | BGP and hot potato routing deployments only—Select a service connection to use as the preferred
backup (Backup SC).
You can select any service connection that you have already added. Prisma Access uses the Backup
SC you select as the preferred service connection in the event of a link failure. Selecting a backup
service connection can prevent asymmetric routing issues if you have onboarded more than two service
connections. This choice is available in Hot potato routing mode only.
STEP 7 | If you have a secondary WAN link at this location, select Enable Secondary WAN and then
select or configure an IPSec Tunnel the same way you did to set up the primary IPSec tunnel.
If the primary WAN link goes down, Prisma Access detects the outage and establishes a tunnel to the
headquarters or data center location over the secondary WAN link. If the primary WAN link becomes
active, the link switches back to the primary link.
If you use static routes, tunnel failover time is less than 15 seconds from the time of detection,
depending on your WAN provider.
If you configure BGP routing and have enabled tunnel monitoring, the tunnel monitor provides the shortest
default hold time for determining that a security parameter index (SPI) has failed: it removes all routes
to a peer when it detects a tunnel failure for 15 consecutive seconds, so the tunnel monitor determines
when the BGP routes are withdrawn. If you do not configure tunnel monitoring, the BGP hold timer determines
how long the tunnel is down before the route is removed. Prisma Access uses the default BGP HoldTime value
of 90 seconds as defined by RFC 4271, which is the maximum wait time before Prisma Access removes a route
for an inactive SPI. If the peer BGP device has a shorter configured hold time, the BGP session uses the
lower value, because BGP negotiates the hold time down to the smaller of the two peers’ values.
When the secondary tunnel is successfully installed, the secondary route takes precedence until the
primary tunnel comes back up. If the primary and secondary are both up, the primary route takes
priority.
STEP 8 | Enable routing to the subnetworks or individual IP addresses at the corporate site that your
users will need access to.
Prisma Access uses this information to route requests to the appropriate site. The networks at each
site cannot overlap with each other or with IP address pools that you designated for the service
infrastructure or for the Prisma Access for users IP pools. You can configure Static Routes, BGP, or a
combination of both.
To configure Static Routes:
1. On the Static Routes tab, click Add and enter the subnetwork address (for example,
172.16.10.0/24) or the individual IP address of a resource, such as a DNS server (for example,
10.32.5.1/32), that your remote users will need access to.
2. Repeat for all subnets or IP addresses that Prisma Access will need access to at this location.
To configure BGP:
1. On the BGP tab, select Enable.
When you enable BGP, Prisma Access sets the time to live (TTL) value for external BGP (eBGP) to 8
to accommodate any extra hops that might occur between the Prisma Access infrastructure and the
customer premises equipment (CPE) that terminates the eBGP session.
Prisma Access does not accept BGP default route advertisements for either service
connections or remote network connections.
2. (Optional) Select from the following choices:
• Select Don’t Advertise Prisma Access Routes to prevent the Prisma Access BGP peer from advertising
routes into your organization’s network.
By default, Prisma Access advertises all BGP routing information, including local routes and all
prefixes it receives from other service connections, remote networks, and mobile user subnets.
With this check box selected, Prisma Access sends no BGP advertisements but still uses the BGP
information it receives to learn routes from other BGP neighbors.
Since Prisma Access does not send BGP advertisements if you select this option,
you must configure static routes on the on-premise equipment to establish routes
back to Prisma Access.
• Select Summarize Mobile User Routes before advertising to have Prisma Access summarize the mobile
user IP subnets before it advertises them over BGP, which reduces the number of advertisements sent
to your customer premises equipment (CPE).
By default, Prisma Access advertises the mobile user IP address pools in blocks of /24 subnets;
if you summarize them, Prisma Access advertises each pool using the prefix you specified.
For example, Prisma Access advertises a mobile user IP pool of 10.8.0.0/20 as a single /20
prefix, rather than dividing the pool into 10.8.0.0/24, 10.8.1.0/24, 10.8.2.0/24, and so on
through 10.8.15.0/24 before advertising them. Summarizing these advertisements reduces the number
of routes stored in CPE routing tables; for example, you can use IP pool summarization with cloud VPN
gateways (Virtual Private Gateways (VGWs) or Transit Gateways (TGWs)) that accept only a limited
number of routes.
If you have hot potato routing enabled and you enable route summarization, Prisma
Access no longer prepends AS-PATHs, which might cause asymmetric routing.
Be sure that your return traffic from the data center or headquarters location has
guaranteed symmetric return before you enable route summarization with hot
potato routing.
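The following Python script is an added example (not from this guide or any Palo Alto Networks tool) that works out which prefixes the CPE will receive for a set of mobile user pools with and without summarization, and picks summarization only when the per-/24 form would overflow the CPE’s route limit. It also surfaces the hot potato caveat above. The pools and the route limit of 20 in the sample run are constructed values, and the handling of pools already at /24 or smaller (advertised as-is) is an assumption of this example, not a statement from the guide.

```python
import ipaddress
from typing import List, Sequence, Tuple


def advertised_mobile_user_prefixes(pools: Sequence[str], summarize: bool = False) -> List[str]:
    """Prefixes Prisma Access advertises for the given mobile user IP pools.

    Default behaviour (per the guide): each pool is split into /24 blocks. With
    summarization: each pool is advertised as configured. Pools already at /24 or
    smaller cannot be split, so this example assumes they are advertised as-is.
    """
    out: List[str] = []
    for pool in pools:
        net = ipaddress.ip_network(pool, strict=False)
        if summarize or net.prefixlen >= 24:
            out.append(str(net))
        else:
            out.extend(str(s) for s in net.subnets(new_prefix=24))
    return out


def plan_advertisements(pools: Sequence[str], max_routes: int,
                        hot_potato: bool = False) -> Tuple[bool, List[str], List[str]]:
    """Choose the least aggressive advertisement that fits the CPE's route limit.

    Returns (summarize, prefixes, warnings). Summarization is selected only when the
    per-/24 form exceeds max_routes; with hot potato routing it adds a warning because
    AS-PATH prepending is then disabled and return traffic may become asymmetric.
    """
    warnings: List[str] = []
    prefixes = advertised_mobile_user_prefixes(pools, summarize=False)
    summarize = False
    if len(prefixes) > max_routes:
        summarize = True
        prefixes = advertised_mobile_user_prefixes(pools, summarize=True)
        if len(prefixes) > max_routes:
            raise ValueError(f"{len(prefixes)} prefixes exceed the CPE limit of {max_routes} "
                             "even when summarized")
        if hot_potato:
            warnings.append("summarization with hot potato routing disables AS-PATH prepending; "
                            "confirm symmetric return from the HQ/data center before enabling it")
    return summarize, prefixes, warnings


if __name__ == "__main__":
    # Constructed sample: two /20 mobile user pools and a cloud VPN gateway with a small
    # route limit (20 is an assumed value for illustration, not a figure from the guide).
    for limit in (100, 20):
        summarize, prefixes, warnings = plan_advertisements(
            ["10.8.0.0/20", "10.9.0.0/20"], limit, hot_potato=True)
        print(f"limit={limit}: summarize={summarize}, routes={len(prefixes)}, warnings={warnings}")
```

With a limit of 100 the two pools fit as 32 individual /24s and no summarization is needed; with a limit of 20 the script switches to the two /20 prefixes and, because hot potato routing is on, reminds you to verify symmetric return before committing the change.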
3. Enter the IP address assigned as the Router ID of the eBGP router on the data center/HQ network
for which you are configuring this service connection as the Peer Address.
4. Enter the Peer AS, which is the autonomous system (AS) to which the firewall virtual router or BGP
router at your data center/HQ network belongs.
5. (Optional) Enter an address that Prisma Access uses as its Local IP address for BGP.
Specifying a Local Address is useful where the device on the other side of the connection (such as
an Amazon Web Service (AWS) Virtual Private Gateway) requires a specific local IP address for BGP
peering to be successful. Make sure that the address you specify does not conflict or overlap with IP
addresses in the Infrastructure Subnet or subnets in the service connection.
You must configure a static route on your CPE to the BGP Local Address.
6. (Optional) Enter and confirm a Secret passphrase to authenticate BGP peer communications.
STEP 9 | (Optional) If you configured a Secondary WAN and you need to change the Peer Address or
Local Address for the secondary (backup) BGP peer, deselect Same as Primary WAN and enter
a unique Peer and, optionally, Local IP address for the secondary WAN.
In some deployments (for example, when using BGP to peer with an AWS VPN gateway), the BGP peer
for the primary and secondary WAN might be different. In those scenarios, you can choose to set a
different BGP peer for the secondary WAN.
For BGP deployments with secondary WANs, Prisma Access sets both the primary and
secondary tunnels in an UP state, but follows normal BGP active-backup behavior for
network traffic. Prisma Access sets the primary tunnel as active and sends and receives
traffic through that tunnel only; if the primary tunnel fails, Prisma Access detects the
failure using BGP rules, sets the secondary tunnel as active, and uses only the secondary
tunnel to send and receive traffic.
STEP 10 | If required, enable Quality of Service for the service connection and specify a QoS profile or
add a New QoS Profile.
You can create QoS profiles to shape QoS traffic for remote network and service connections and apply
those profiles to traffic that you marked with PAN-OS security policies, traffic that you marked with an
on-premise device, or both PAN-OS-marked and on-premise-marked traffic. See Configure Quality of
Service in Prisma Access for details.
STEP 11 | Commit all your changes to Panorama and push the configuration changes to Prisma Access.
1. Click Commit > Commit to Panorama.
2. Click Commit > Push to Devices and select Edit Selections. On the Prisma Access tab, make sure
Service setup is selected, then click OK and Push.
Prisma Access should automatically select the components that need to be committed.
STEP 12 | Add more service connections by repeating Step 2 through Step 11.
The first three service connections are included with no license cost; each connection after the third
uses 300 Mbps from your licensed remote networks bandwidth pool. After you Add your fourth and
subsequent network connection, Prisma Access displays a page informing you of your remaining licensed
remote networks bandwidth. To confirm your addition, Allocate 300 Mbps for an additional service
connection; then Allocate the bandwidth for the service connection.
STEP 13 | Configure the IPSec tunnel or tunnels from your IPSec-capable device on your corporate
network back to Prisma Access.
1. To determine the IP address of the tunnel within Prisma Access, select Panorama > Cloud Services >
Status > Network Details, click the Service Connection radio button, and note the Service IP Address
for the site.
The Service IP Address is the public-facing address that you will need to connect to when you create
the tunnel from your IPSec-capable device back to the service connection.
2. On your IPSec-capable device at the corporate location, configure an IPSec tunnel that connects to
the Service IP Address within Prisma Access and commit the change on that device so that the tunnel
can be established.
The Deployment Status area allows you to view the progress of onboarding and deployment jobs before
they complete, as well as see more information about the status of completed jobs. See Deployment
Progress and Status for details.
If the status is not OK, hover over the Status icon to view any errors.
To see a graphical representation of the service connection along with status details, select Service
Connection on the Monitor tab.
Click the tabs below the map to see additional information about the service connections.
Status tab:
• Location—The location where your service connection is deployed.
• Remote Peer—The corporate location to which this service connection is setting up an IPSec tunnel.
• Allocated Bandwidth—The number of service connections you have allocated multiplied by 300 Mbps.
This number does not reflect the available service connection bandwidth.
While each service connection provides approximately 1 Gbps of throughput, the actual
throughput is dependent on several factors, including:
• Traffic mix (for example, frame size)
• Latency and packet loss between the service connection and the headquarters location or
data center
• Service provider performance limits
• Customer termination device performance limits
• Other customer data center traffic
• ECMP—Whether equal cost multipath (ECMP) is configured for this service connection. Because ECMP is
not used for service connections, this status is always Disabled.
• Config Status—The status of your last configuration push to the service. If the local configuration and
the configuration in the cloud match, the Config Status is In sync. If you have made a change locally, and
not yet pushed the configuration to the cloud, this may display the status Out of sync. Hover over the
status indicator for more detailed information. After committing and pushing the configuration to Prisma
Access, the Config Status changes to In sync.
• BGP Status—Displays information about the BGP state between the firewall or router at your corporate/
headquarters location and Prisma Access where the service connection is established. Although you
might temporarily see the status pass through the various BGP states (Idle, Active, Open send, Open
pend, Open confirm), most commonly the BGP status shows:
• Connect—The router at your data center/headquarters is trying to establish the BGP peer
relationship with Prisma Access.
• Established—The BGP peer relationship has been established.
This field will also show if the BGP connection is in an error state:
• Warning—There has not been a BGP status update in more than eight minutes. This may indicate an
outage on the firewall.
• Error—The BGP status is unknown.
• Tunnel Status—The operational status of the connection between Prisma Access and your service
connection.
Statistics tab:
• Location—The location where your service connection is deployed.
• Remote Peer—The corporate location to which the service connection is setting up an IPSec tunnel.
• Ingress Bandwidth (Mbps)—The bandwidth from the HQ/data center location to Prisma Access.
• Ingress Peak Bandwidth (Mbps)—The peak load from the HQ/data center location into the cloud service.
• Egress Bandwidth (Mbps)—The bandwidth from Prisma Access into the HQ/data center location.
• Egress Peak Bandwidth (Mbps)—The peak load from Prisma Access into the HQ/data center location.
• QoS—Select this button to display a chart of real-time and historical QoS statistics, including
the number of dropped packets per class. This chart displays only for service connections or
remote network connections that have QoS enabled.
The BGP Status dialog displays. This table provides you with the following information:
• Peer—Routing information for the BGP peer, including status, total number of routes, configuration, and
runtime statistics and counters. The total number of routes displays in the bgpAfiIpv4-unicast Counters
area, in the Incoming Total and Outgoing Total fields.
• Local RIB—BGP routes that Prisma Access uses locally. Prisma Access selects this information from
the BGP RIB-In table, which stores the information sent by neighboring networking devices, applies
local BGP import policies and routing decisions, and stores the Local RIB information in the Routing
Information Base (RIB).
Note that only the first 256 entries are shown. To view additional entries, enter a subnet or IP address in
the Filter field and click Apply Filter to view a subset of the routing entries up to a maximum of 256.
• RIB Out—Routing information that Prisma Access advertises to its peers through BGP update messages.
See How BGP Advertises Mobile User IP Address Pools for an example of this table.
Create a Service Connection to Enable Access
between Mobile Users and Remote Networks
We recommend always creating a service connection, even if you don’t need to access resources at your
organization’s HQ or data center. You must configure a service connection to allow network communication
between mobile users and remote network locations and between mobile users in different geographical
locations.
We recommend creating this type of service connection for the following environments:
• Your deployment includes both remote networks and mobile users and you do not already have a
service connection configured.
• You have mobile users in different geographical areas who need direct access to each other’s endpoints.
• You have already configured a service connection, but the existing service connection is not in an ideal
location between the remote networks and mobile users.
All remote network locations communicate to each other in a mesh network. Mobile users connect to
remote networks using the service connection in a hub-and-spoke network. In some cases, it might
improve network efficiency to place another service connection closer to the remote network or
networks that the mobile users most frequently access.
To configure a service connection to connect mobile users and remote networks, Add a service connection
using the following values:
• Specify a Region that is close to your mobile users.
• Add an IPSec Tunnel and IKE Gateway, using placeholder values.
• Add placeholder Corporate Subnets.
Since Prisma Access doesn’t route any traffic through this tunnel, any value that does not conflict or
overlap with other configured subnets is valid.
The following example shows a Prisma Access deployment with mobile users in different geographical areas
and remote networks. The remote network connections are connected in a mesh network in the Prisma
Access infrastructure, but the mobile users cannot connect to the remote networks. In addition, the mobile
users in different geographic areas cannot connect to each other without a service connection.
After you add a service connection, the service connection connects the mobile users and the remote
networks in a hub-and-spoke network.
Another case where a service connection of this type is useful is when the service connection is far from
the mobile users. The following figure shows an example of this network deployment.
Adding a second service connection that is closer to the mobile users creates a more efficient network
between the mobile users and remote networks.
Deployment Progress and Status
When you configure, commit, and push your changes for a service connection, remote network
connection, mobile user deployment, or clean pipe instance, Prisma Access begins a series of events to
complete the deployment process. To let you view the progress of onboarding and deployment jobs
before they complete, and the status of completed jobs, Prisma Access provides deployment status
information on the Prisma Access status page.
Checking the progress of a job is useful if, for example, you need the Service IP Address of a service
connection or remote network connection to complete the IPSec tunnel connection to your customer
premises equipment (CPE). Since Prisma Access does not create the Service IP Address until onboarding
is complete, you can view the status of the onboarding job from the deployment status page, instead of
refreshing the Network Details page and waiting for the Service IP Address to display.
To view the status of deployment jobs, select Panorama > Cloud Services > Status > Status.
The Deployment Status area displays a graphic element (a bubble) showing the status of the deployment,
along with the following text:
Deployment Status Text Description
Click details to view the Job ID of the job, its status, and the percentage of its completion. The Job ID field
is the Job ID that is associated with the commit operation in Panorama.
To view more details of a specific deployment job, click the left arrow next to Job ID. The following
screenshot shows the deployment status of a commit that has the Panorama Job ID of 1555. The overall
status is Warning because two of the nodes failed during the commit stage.
The first line of the job status shows the following information:
• The type of deployment job (either Service Connections, Remote Networks, Clean Pipe), or the type of
mobile user onboarding operation (GlobalProtect Gateways, GlobalProtect Portals, or both gateways
and portals).
• The Number of Nodes in the job.
Nodes represent the number of cloud firewalls, gateways, or portals that Prisma Access is configuring
for a specific job. The number of nodes does not always correspond to the number of Service Connections,
Remote Networks, mobile user locations, or Clean Pipe instances that you deployed; for example,
onboarding a location might cause configuration changes to both Prisma Access firewalls and portals.
• The number of nodes that are still being provisioned (Provisioning in Progress).
• The number of nodes that failed (Provisioning Failed).
• The number of nodes that completed provisioning (Provisioning Complete).
The next line in the table provides more granular information about the deployment job. The following
screenshot shows three mobile user locations (Australia Southeast, South Africa West, and Brazil East)
being successfully onboarded.
The table lists the following fields:
• Name (Service Connection, Remote Network, and Clean Pipe deployments only): The name of the service
connection, remote network connection, or clean pipe instance.
• Location: The location where the service connection, remote network connection, mobile user, or clean
pipe node was onboarded.
• Action Needed: If a job failed, provides additional information about the steps you can perform to fix
the issue (either Commit and push your changes from Panorama again or Open a support case).
Prisma Access does not retain the details of jobs that you onboard and later delete. For example, job 42233
added the Australia Southeast, South Africa West, and Brazil East mobile user locations. If you delete those
locations later, clicking the left arrow next to Job ID for job 42233 does not provide any additional details
about the job.
How BGP Advertises Mobile User IP Address
Pools for Service Connections and Remote
Network Connections
If you enable BGP for service connections or remote network connections, after you Configure Prisma
Access for Users, Prisma Access allocates the mobile user IP address pools you specified using Class C
(/24) address blocks. BGP therefore advertises allocated mobile user subnets in blocks of /24, rather
than the entire pool(s) associated with that region. When Prisma Access adds a /24 subnet for a Prisma
Access gateway, it automatically sends a BGP advertisement. As subnets are added and removed, Prisma
Access automatically updates its BGP advertisements. This allocation method provides more flexibility
when advertising BGP routes, especially if you configured a Worldwide pool instead of allocating pools per
region. Dividing the IP address pool into smaller subnets allows the same subnet to be added, removed, or
deleted and then reused in different regions when allocated address space is exhausted.
The following screenshot, from Panorama > Cloud Services > Status > Network Details > Mobile Users,
shows three /20 IP pools for mobile users divided by region.
The RIB Out table, from Panorama > Cloud Services > Status > Network Details > Service Connection >
Show BGP Status (in the Branch AS and Router area), shows the mobile users address pool divided into
blocks of /24 subnets for BGP route advertisements. Note that the entire /20 subnets are not advertised.
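The following Python example is added here for illustration and is not part of this guide or of the Prisma Access product. It models the behavior just described: a regional or Worldwide mobile user pool is carved into /24 blocks, a block is assigned to a gateway when needed and returned when the gateway no longer needs it, and only the assigned /24s appear in RIB Out, never the parent pool prefix. The pool prefix and gateway names are constructed values, not taken from the screenshots.

```python
import ipaddress

# Added example, not from the Prisma Access guide: models how a mobile user
# IP pool is carved into /24 blocks and which prefixes a service connection
# would show in RIB Out. Pool address and gateway names are constructed.

class MobileUserPool:
    def __init__(self, pool_cidr):
        self.pool = ipaddress.ip_network(pool_cidr)
        # Blocks are handed out per gateway as /24s; a /20 yields 16 of them.
        self.free = list(self.pool.subnets(new_prefix=24))
        self.assigned = {}            # gateway name -> allocated /24

    def allocate(self, gateway):
        """Assign the next free /24 to a gateway (idempotent per gateway)."""
        if gateway in self.assigned:
            return self.assigned[gateway]
        if not self.free:
            raise RuntimeError(f"pool {self.pool} exhausted")
        block = self.free.pop(0)
        self.assigned[gateway] = block
        return block

    def release(self, gateway):
        """Return a gateway's /24 to the pool so another gateway (possibly in
        another region, when a Worldwide pool is used) can reuse it."""
        block = self.assigned.pop(gateway)
        self.free.append(block)
        return block

    def rib_out(self):
        """Prefixes advertised to BGP peers: only assigned /24s, never the
        parent pool prefix."""
        return sorted(self.assigned.values())


def advertises_parent_pool(pool):
    """Sanity check for a RIB Out dump: the parent /20 must not appear."""
    return pool.pool in pool.rib_out()


if __name__ == "__main__":
    worldwide = MobileUserPool("10.10.0.0/20")    # constructed pool
    for gw in ("us-east-gw1", "eu-west-gw1", "ap-south-gw1"):
        print(gw, "->", worldwide.allocate(gw))
    worldwide.release("eu-west-gw1")
    print("RIB Out:", [str(p) for p in worldwide.rib_out()])
```

When you compare the RIB Out table on the Show BGP Status page with the routes your CPE has learned, the check implemented by advertises_parent_pool is the one to run: your data center should be receiving a set of /24 prefixes that changes as gateways are added and removed, and a static /20 route on the CPE side would not track those changes.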
Use Traffic Steering to Forward Internet-
Bound Traffic to Service Connections
Prisma Access allows you to create traffic steering rules to specify targets for internet-bound traffic from
mobile users and remote network connections. You can specify the traffic to be redirected to a service
connection before sending to the internet, or you can specify the traffic to directly egress to the internet.
This functionality is known as Traffic Steering.
Alternatively, you can configure Prisma Access to accept a default route from your CPE to Prisma Access
so that Prisma Access forwards internet-bound mobile user traffic to the best service connection in your
deployment.
The following sections provide an overview of default routes and traffic steering, as well as the steps you
take to configure it.
• Default Routes
• Traffic Steering
• Traffic Steering Requirements
• Traffic Steering Examples
• Traffic Forwarding Rule Guidelines
• Zone Mapping and Security Policies for Dedicated Connections
• Configure Traffic Steering
Default Routes
Starting with Prisma Access 1.7, you can configure Prisma Access to accept default routes being advertised
from your CPE to service connections. You can use BGP or static routes to advertise the default route.
Prisma Access uses BGP to advertise these routes over multiple service connections, which allows Prisma
Access to route mobile user traffic through the best service connection for a given mobile user location.
To enable service connections to accept default routes, specify Accept Default Route over Service
Connections when you configure global settings for service connections.
After you enable default routes, your internet-bound traffic will be steered to service connections instead
of egressing from the mobile user locations. This functionality can be useful if you want to redirect internet-
bound traffic to the data center; for example, if you have a third-party security stack in your data center and
you want the stack to perform additional screening or inspection.
Use the following guidelines when implementing default routes:
• Default routes apply to mobile user deployments only; remote network connections operate normally
with no change when you enable default routes.
• You do not need to specify target service connections or traffic steering rules when you allow default
routes, although they are supported for use with default routes. See Traffic Steering Examples for
examples of using default routes with traffic steering.
• When you specify the Accept Default Route over Service Connections setting, all Prisma Access service
connections, with the exception of dedicated service connections, accept default routes and will use the
routes in traffic forwarding decisions.
• Before you enable this setting, make sure that your data centers are sending default routes; otherwise,
routing through service connections will fail.
• Palo Alto Networks recommends that all data centers advertise a default route; when Prisma Access
receives the routes, it can then select the best service connection to use for each mobile user
location.
• When you create service connections, use either static routes only or BGP only for the connections. Palo
Alto Networks does not recommend mixing service connections that use BGP and static routes when
using default routes.
• Using default routes is supported with multi-tenant deployments.
• Prisma Access does not forward Clientless VPN, portal, or gateway SAML authentication traffic to a
public identity provider (IdP) using the default route.
For more information and examples of implementing default routes with traffic steering, see Traffic Steering
Examples.
Traffic Steering
In standard Prisma Access deployments, a service connection provides access to internal network resources,
such as authentication services and private apps in your headquarters or data center. Service connections
process internal traffic, where no internet access is required. In some cases, you might want to redirect
internet-bound traffic to the data center. Traffic steering allows you to redirect mobile user or remote
network traffic to a service connection before being sent to the internet.
You can use traffic steering with mobile user deployments, remote network deployments, or a combination
of both. Use traffic steering to direct internet-bound network traffic based on many criteria including IP
addresses, URLs, Custom URL categories, service type (HTTP or HTTPS), User-ID, Dynamic Address Groups
(DAGs) and IP-based External Dynamic Lists (EDLs).
• The service connections apply source NAT to the forwarded traffic. The source IP address is the
EBGP Router address of the service connection (Panorama > Cloud Services > Status > Network Details >
Service Connection > EBGP Router), which is taken from the Infrastructure Subnet (Panorama > Cloud
Services > Status > Network Details > Service Infrastructure).
• The zone for all service connections associated with this target changes from Trust to Untrust. Check
your zone mapping and security policies to make sure that your network reflects this change.
• Service connections that are configured as dedicated service connections do not participate in BGP
routing, either internally or externally.
• If your dedicated service connection uses BGP, the BGP status shows as Not Enabled when you
open the status page (Panorama > Cloud Services > Status > Monitor > Service Connection), select a
region, then select the Status tab. To check the BGP settings of such a service connection, use the
service connection configuration page (Panorama > Cloud Services > Configuration > Service Connection).
• Traffic steering is not supported in a multi-tenant deployment.
• If you have primary and backup tunnels configured, traffic steering using policy-based forwarding rules
will not work after a failover from the primary (active) to the backup tunnel. Default routing works in a
failover scenario with primary and backup tunnels.
Use non-dedicated service connections with default routes; dedicated service connections
do not participate in BGP routing, so they cannot receive BGP advertisements from the HQ
or data center.
To enable default routes, select Accept Default Route over Service Connections when you configure traffic
steering settings. After you configure this setting and commit and push your changes, Prisma Access sends
internet-bound traffic over the service connections.
To allow Prisma Access to route Office 365 traffic directly to the internet, perform the following actions:
• Create an EDL (Objects > External Dynamic Lists) with IP addresses that match the Office 365 addresses.
• Create a Custom URL category (Objects > Custom Objects > URL Category) with URLs that match the
Office 365 URLs.
• Create traffic forwarding rules and specify the EDL and URL category you created as destination
match criteria, with an Action of Forward to the internet.
This configuration sends Office 365 traffic directly to the internet, while other internet-bound traffic is sent
to the data center for further processing before egressing to the internet.
To enable this deployment, you perform the following actions in the Traffic Steering tab:
• Create a Target Service Connection group that assigns one or more service connections to the target
and select Dedicated for PBF Only, which makes the target service connection or connections
dedicated.
If you create a target with more than one service connection, Prisma Access chooses the
best service connection to forward the internet-bound traffic.
• Create a policy-based-forwarding rule that forwards traffic to the URL. The following screenshot shows
the traffic destination being assigned a wildcard URL *.box.com.
• Create an Action in the forwarding rule of Forward to the target and specify the target group name you
created (dedicated in this case).
For example, you want to enforce the following rules for your network traffic:
• You have an internal HTTP server with an IP address of 10.1.1.1 in the data center, and you want to
direct internal HTTP and HTTPS traffic to this server.
Traffic to this server should not go to the internet and should be processed internally; therefore, choose
a non-dedicated target for this traffic, because this type of target processes both internal and internet-
bound traffic.
• You want office365.com traffic to be routed directly to the internet.
• You want traffic from *.example.com or any traffic defined in a custom URL category of custom-social-
networking to be routed to a dedicated connection.
• You want any other HTTP and HTTPS traffic to use the same non-dedicated service connection target as
that used for the internal HTTP server.
For this example, create the rules from the most specific to the least specific, as shown in the following
screenshot. Do not add the rule that allows all HTTP and HTTPS traffic first, or Prisma Access would direct
all HTTP and HTTPS traffic to the non-dedicated connection without evaluating any of the other rules.
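The following Python example is added here for illustration and is not part of this guide or of the Prisma Access product. It models the four rules of the example as a first-match list and evaluates constructed sample flows against them, then moves the catch-all rule to the top to show that every other rule becomes unreachable. Rule names, target group names, hosts, addresses, and the flow record format are assumptions made for the example; the URL matching follows the semantics this section describes (a domain matches itself and its subdomains).

```python
import ipaddress
from dataclasses import dataclass, field

# Added example, not part of the Prisma Access guide: a first-match evaluator
# for the four traffic forwarding rules described in this section, used to show
# why the catch-all rule must come last. Flow records and rule fields are
# constructed for illustration.

def url_matches(rule_url, host):
    # Guide semantics: 'example.com' and '*.example.com' both match the domain
    # itself and every subdomain.
    domain = rule_url[2:] if rule_url.startswith("*.") else rule_url
    return host == domain or host.endswith("." + domain)


@dataclass
class Rule:
    name: str
    action: str                                    # "internet" or "target:<group name>"
    dst_nets: list = field(default_factory=list)   # IP/prefix destination criteria
    urls: list = field(default_factory=list)       # URL destination criteria
    categories: list = field(default_factory=list) # custom URL categories
    services: tuple = ("http", "https")

    def matches(self, flow):
        if flow["service"] not in self.services:
            return False
        if self.dst_nets:
            dst = ipaddress.ip_address(flow["dst_ip"])
            if not any(dst in ipaddress.ip_network(n) for n in self.dst_nets):
                return False
        if self.urls or self.categories:
            host = flow.get("host", "")
            by_url = any(url_matches(u, host) for u in self.urls)
            by_cat = any(c in flow.get("categories", ()) for c in self.categories)
            if not (by_url or by_cat):
                return False
        return True


def steer(rules, flow):
    """Return (rule name, action) of the first matching rule; first match wins."""
    for rule in rules:
        if rule.matches(flow):
            return rule.name, rule.action
    return None, "default-routing"


def unreachable_rules(rules, flows):
    """Names of rules that never win first-match for any sample flow: a cheap
    shadowing check to run before committing a rule order."""
    hit = {steer(rules, f)[0] for f in flows}
    return [r.name for r in rules if r.name not in hit]


# Rule order from the example: most specific first, catch-all last.
RULES = [
    Rule("internal-http", "target:non-dedicated", dst_nets=["10.1.1.1/32"]),
    Rule("o365-direct", "internet", urls=["office365.com"]),
    Rule("social-dedicated", "target:dedicated",
         urls=["*.example.com"], categories=["custom-social-networking"]),
    Rule("all-web", "target:non-dedicated"),
]

# Constructed sample flows (hosts, addresses and categories are illustrative).
FLOWS = [
    {"service": "https", "dst_ip": "10.1.1.1", "host": "intranet"},
    {"service": "https", "dst_ip": "203.0.113.10", "host": "outlook.office365.com"},
    {"service": "http",  "dst_ip": "203.0.113.20", "host": "cdn.example.com"},
    {"service": "https", "dst_ip": "203.0.113.30", "host": "social.test",
     "categories": ("custom-social-networking",)},
    {"service": "https", "dst_ip": "203.0.113.40", "host": "news.test"},
    {"service": "ssh",   "dst_ip": "203.0.113.50"},   # not HTTP/HTTPS: no rule applies
]

if __name__ == "__main__":
    for f in FLOWS:
        print(f.get("host", f["dst_ip"]), "->", steer(RULES, f))
    # Same rules with the catch-all moved first: everything else is shadowed.
    print("shadowed:", unreachable_rules([RULES[3]] + RULES[:3], FLOWS))
```

The unreachable_rules check is the part worth keeping: a rule that is never the first match for any representative flow is either redundant or shadowed, and in the second case traffic you intended to send directly to the internet (or to a dedicated target) silently takes the catch-all path instead.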
These steps show a sample configuration; you can tailor this example to suit your
deployment.
STEP 2 | Select the correct Template from the drop-down list (either Mobile_User_Template for mobile
users or Remote_Network_Template for remote networks).
If you have a mobile user and a remote network deployment, you need to perform these steps twice;
once in the Mobile_User_Template and once in the Remote_Network_Template.
STEP 3 | Add two zones for your trusted and untrusted zones.
This example creates two zones called Trust and Untrust.
STEP 4 | Create default policies for the zones you created.
1. Select Policies > Security > Post Rules.
2. Select the correct Device Group from the drop-down list (either Mobile_User_Device_Group for
mobile users or Remote_Network_Device_Group for remote networks).
If you have a mobile user and remote network deployment, you need to perform these steps twice;
once in the Mobile_User_Device_Group and once in the Remote_Network_Device_Group.
3. Add a default policy to use for Trust zone-to-Trust zone traffic.
This policy allows Any traffic to pass for all Source, User, Destination, Application, and Service/URL
Category traffic.
4. Add a default policy to use for Trust zone-to-Untrust zone traffic, using the same parameters you
used for the Trust-to-Trust policy.
When complete, you have two security policies, one for Trust-to-Trust traffic and one for Trust-to-
Untrust traffic.
STEP 5 | Define Zone Mapping for the remote networks, mobile users, or both, as required for your
deployment.
1. Set the zone mapping for the remote networks, mobile users, or both.
• For mobile users, select Panorama > Cloud Services > Configuration > Mobile Users.
• For remote networks, select Panorama > Cloud Services > Configuration > Remote Networks.
2. Click the gear icon next to Zone Mapping to edit the settings.
3. Set the Zone Mapping for your deployment, moving the zone for trusted traffic to the Trusted Zones
and the zone for untrusted traffic to the Untrusted Zones; then, click OK.
STEP 1 | (Existing traffic forwarding deployments only) If you were using rules to forward traffic to service
connections before Cloud Services plugin 1.7 was released, make a note of the changes that
Prisma Access applies after you upgrade the plugin.
• For URLs in rules, including URLs in custom URL categories, Prisma Access makes the following
changes during the upgrade to 1.7:
• Prisma Access no longer supports URLs with wildcards using the format *example.com,
*fqdn.example.com, or fqdn.example.*. If you have any URLs in this format, Prisma Access notes
them after the upgrade and asks you to change them.
• Prisma Access prepends *. to existing URLs in rules. For example, Prisma Access rewrites a URL
of example.com as *.example.com, so that example.com, www.example.com, and fqdn.example.com
all match the rule.
• Prisma Access prepends an asterisk to URLs in custom URL categories, if you use this category
in a traffic steering forwarding rule. If you use the same URL category policies for both traffic
steering and other security policy rules, these changes apply to both the traffic steering rules and
other security policy rules.
If you have custom URL categories that are not used in traffic steering forwarding rules, Prisma
Access does not change the URLs in those categories.
• For existing URLs in rules with wildcards, Prisma Access adds a URL with no wildcards. For
example, for a URL of *.example.com, Prisma Access adds a URL of example.com so that URLs of
example.com match as well as www.example.com and fqdn.example.com.
• Prisma Access adds service-http and service-https in the Service tab to URLs. Prisma Access
continues to use only TCP ports 80 and 8080 for HTTP and TCP port 443 for HTTPS to process
URLs.
• Prisma Access moves custom URL categories from the URL area to the URL Category area.
• Service connections that are part of a traffic forwarding target group with configuration set to
Dedicated for PBF only no longer participate in static and BGP routing. You must ensure that there
are no routable networks behind the service connections that are included in this type of target
group.
STEP 2 | Onboard your service connections, mobile users and remote networks, as applicable to your
deployment.
STEP 3 | Select Panorama > Cloud Services > Configuration > Traffic Steering.
STEP 4 | (Optional, mobile user deployments only) Allow Prisma Access to accept and install the default
route advertised over one or more service connections from the CPE by clicking the gear icon
to open the Settings and selecting Accept Default Route over Service Connections.
Default routes have specific guidelines that you must follow when using them; for example, default
routes are supported for mobile user deployments only and have no effect on remote network
deployments. Be sure to review these guidelines before implementing default routes with traffic
steering.
STEP 5 | (Optional) Create a target group and assign a service connection to it.
1. In the Target Service Connections for Traffic Forwarding area, Add a group and give it a Group
Name.
2. Add a Target for the traffic, specifying the Service Connection to use with the target; then, click OK.
You can specify multiple service connections for a single target as long as they are in different
locations and Prisma Access will select the best service connection to use. However, a given service
connection can only exist in one target and you cannot add a single service connection to two
different targets.
3. Choose whether to make the service connections associated with this target a dedicated service
connection.
• You can use a dedicated service connection to steer traffic to a third-party security stack or
cloud that is not on your premises and does not need to participate in routing. To set a service
connection to be used as a dedicated service connection, select Dedicated for PBF Only.
Dedicated service connections change their zones; see Traffic Steering for details.
• Deselect Dedicated for PBF Only if you will send both normal service connection-related and
traffic steering traffic through the service connection; with this choice, the zone for the service
connection remains as Trust.
STEP 6 | Create rules for the target you created and apply them to the target.
1. In the Traffic Forwarding Rules area, Add a traffic forwarding rule.
2. In the General tab, Name the traffic forwarding rule.
3. In the Source tab, specify rules for source traffic.
• In the Source Address field, specify one or more of the following objects, or select Any to have
traffic from any source go to this target:
• An IP address
• An address object that you created in Panorama (Objects > Addresses)
• A Dynamic Address Group (DAG)
• An IP address-based External Dynamic List (EDL) (URLs are not supported in EDLs)
• In the Source User field, specify rules for source user traffic. You can specify the following user
information:
• Users
Enter users in either the domain/user or the user@domain format.
• User groups
Use full distinguished names (DNs) when entering user groups.
• Users configured on Panorama (Device > Local User Database > Users)
• User groups configured on Panorama (Device > Local User Database > User Groups)
If you use address objects, DAGs, EDLs, users, or user groups, specify them as Shared to share them
with all device groups in Prisma Access.
Prisma Access automatically populates users from the mobile users device group
only.
4. In the Destination tab, specify the following values:
• In the Destination area, specify one of the following criteria, or select Any to have traffic
processed by the rules in the URL and URL Category fields:
• An IP address or prefix
• An address object that you created in Panorama (Objects > Addresses)
• A Dynamic Address Group (DAG)
• An IP address-based External Dynamic List (EDL)
• fqdn.example.*
URLs entered in the URL area for traffic forwarding rules do not use the same URL pattern
matching that is used by next-generation firewalls. Instead, they use the pattern matching
described in the following table.
URL entered            Matches
example.com            example.com, www.example.com, *.example.com
*.example.com          example.com, www.example.com, *.example.com
fqdn.example.com       fqdn.example.com, www.fqdn.example.com, *.fqdn.example.com
*.fqdn.example.com     fqdn.example.com, www.fqdn.example.com, *.fqdn.example.com
• In the URL Category field, enter a custom URL category (Objects > Custom Objects > URL
Category) When you create a custom URL category, enter URLs in all lower case. Traffic steering
supports custom URL categories only.
Wildcards for URL categories follow next-generation firewall guidelines. If you create a URL
Category, make sure that you configure it as Shared.
Use the following guidelines when configuring destination options:
• Selecting Any in the URL area of the Destination tab overrides any selections you make in the
Destination area and changes those selections to Any.
• If you specify a URL or URL category, Prisma Access only matches HTTP and HTTPS traffic, even
when service is set to Any.
5. In the Service tab, specify service-http to forward HTTP traffic and service-https to forward HTTPS
traffic. Select Any to forward traffic of any service type.
6. In the Action tab, select the Target Group Name that you want to apply to the traffic forwarding rule.
7. Forward traffic to the specified service connection target, or send the traffic directly to the internet
without going through the service connection.
• To have Prisma Access forward traffic to a service connection target, select Forward to the target;
then select the Target Group Name.
• To have Prisma Access forward traffic directly to the internet without first sending it to a service
connection, select Forward to the internet.
STEP 9 | Commit and push your changes to make them active in Prisma Access.
1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
2. Select Prisma Access, then select Service Setup, Remote Networks, and Mobile Users.
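The following Python example is added here for illustration and is not part of this guide or of the Prisma Access product. It covers two things from this procedure: the URL formats that traffic forwarding rules accept after the 1.7 plugin upgrade (STEP 1), including the rewrite that adds a *. twin to a bare domain and a bare domain to a *. entry, and the matching table in the Destination tab (STEP 6). The regular expression used to validate a hostname and the sample URLs and hosts are assumptions made for the example; the product's own validation rules are not documented here beyond the formats the text lists as unsupported.

```python
import re

# Added example, not from the Prisma Access guide: validates the URL formats
# that traffic forwarding rules accept after the 1.7 plugin upgrade,
# reproduces the upgrade's rewrite of existing rule URLs, and applies the
# matching table from the Destination tab. Sample patterns and hosts are
# constructed; the hostname regex is this example's own assumption.

_LABEL = r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?"
_HOSTNAME = re.compile(rf"^{_LABEL}(?:\.{_LABEL})+$")


def is_supported_url_pattern(pattern):
    """Accept 'example.com' or '*.example.com' (a leading '*.' only). The
    forms the guide calls out as unsupported ('*example.com',
    '*fqdn.example.com', 'fqdn.example.*') are rejected."""
    p = pattern.strip().lower()
    if p.startswith("*."):
        p = p[2:]
    return "*" not in p and bool(_HOSTNAME.match(p))


def normalize_rule_urls(urls):
    """Mimic the 1.7 upgrade: a bare domain gains a '*.' twin, a '*.' entry
    gains its bare domain, and unsupported entries are reported for manual
    correction instead of being rewritten."""
    rewritten, unsupported = set(), []
    for u in urls:
        u = u.strip().lower()
        if not is_supported_url_pattern(u):
            unsupported.append(u)
            continue
        bare = u[2:] if u.startswith("*.") else u
        rewritten.update({bare, "*." + bare})
    return sorted(rewritten), unsupported


def url_matches(pattern, host):
    """Matching table semantics: the domain itself and every subdomain match;
    unrelated hosts that merely end in the same characters do not."""
    pattern = pattern.lower()
    domain = pattern[2:] if pattern.startswith("*.") else pattern
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


if __name__ == "__main__":
    urls, bad = normalize_rule_urls(
        ["example.com", "*.box.com", "*fqdn.example.com", "fqdn.example.*"])
    print("rewritten:", urls)
    print("needs manual change:", bad)
    for host in ("example.com", "www.example.com", "fqdn.example.com", "notexample.com"):
        print(host, url_matches("example.com", host))
```

Run normalize_rule_urls over an export of your pre-1.7 rule URLs before upgrading: the unsupported list is the set of entries Prisma Access will ask you to change, and the rewritten list shows the broadened match set (every subdomain of each domain) that your rules will have afterwards, which matters when a rule forwards traffic to the internet rather than to a target.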
Routing Preferences for Service Connection
Traffic
Prisma Access uses BGP for dynamic routing, and uses BGP path selection to install routes in the route
table. When Prisma Access routes traffic to your headquarters or data center using service connections, it
uses routing methods that direct that traffic effectively. Prisma Access uses a default routing model that
was designed to fit the majority of network deployments; however, not all organizations' networks are the
same. To fit a wider range of deployments, Prisma Access allows you to choose another mode for service
connection routing. The following sections describe the BGP routing methods that Prisma Access uses,
along with the factors you need to consider in your organization's network before changing the Prisma
Access default method of service connection routing.
Changing the Prisma Access service connection routing method requires a thorough
understanding of your organization’s topology and routing devices, along with an
understanding of how Prisma Access routing works as described in this section. We
recommend that you read this section carefully before changing the routing method from the
default setting.
Prisma Access supports static routing and dynamic routing using BGP for service and remote network
connections; this section assumes that you use BGP routing for your Prisma Access deployments. When
you select BGP routing, your organization’s network learns BGP information from Prisma Access.
• Routing Modes for Service Connections
• Mobile User and Remote Network Routing to Service Connections Overview
• Prisma Access Default Routing
• Hot Potato Routing
• Configure Routing Preferences
customer premises equipment at the data center. The following diagram shows mobile users in Regions
1 and 2 being routed to the respective service connections in that region. Mobile users in Region 1 are
accessing applications A and B located at Data Center 1. If your organization's network uses BGP routing
for its service connections and a service connection experiences an ISP failure at Data Center 1, Prisma
Access detects the failure and routes the traffic for applications A and B to Data Center 2 after BGP
convergence, providing redundancy to your network's data centers.
Prisma Access uses the following timing with BGP when it detects a failure: If you configure
BGP routing and have enabled tunnel monitoring, the tunnel monitor provides the shortest
default hold time for determining that a security parameter index (SPI) is failing; it removes all
routes to a peer when it detects a tunnel failure for 15 consecutive seconds. In this way, the
tunnel monitor determines the behavior of the BGP routes. If you do not configure tunnel
monitoring, the BGP hold timer determines how long the tunnel is down before the route is
removed. Prisma Access uses the default BGP HoldTime value of 90 seconds as defined by
RFC 4271, which is the maximum wait time before Prisma Access removes a route for an
inactive SPI. If the peer BGP device has a shorter configured hold time, the BGP hold timer
uses the lower value. When the secondary tunnel is successfully installed, the secondary
route takes precedence until the primary tunnel comes back up. If both the primary and
secondary tunnels are up, the primary route takes priority.
Remote Network-service connection routing—Prisma Access creates a full mesh network with other
remote networks and service connections. As with mobile users, Prisma Access uses iBGP for its internal
routing and eBGP to peer with customer premises equipment to exchange routes. If a user in Branch 1 is
accessing application A from Data Center 1 in your organization’s data center and the link between Branch
1 and Data Center 1 goes down, Prisma Access routes the traffic for application A to Data Center 2 after
BGP convergence.
Prisma Access Default Routing
The following figure shows an example of Prisma Access routing service connection traffic in default routing
mode. The organization’s network has three separate networks in three data centers and does not have a
backbone connecting the networks. In default routing mode, mobile user pools are advertised equally on
the three networks, as shown at the bottom of the figure.
Note that, when Prisma Access advertises mobile user routes, it divides the subnets into Class C /24
address blocks before advertising them; thus, it advertises the /20 mobile user subnets in chunks of /24 as
prefixes are consumed by the gateways.
Note how Prisma Access uses BGP route advertisements:
• Prisma Access does not adjust the default BGP attributes for mobile user advertised routes (Prisma
Access adds its AS number to the route advertisements).
• Prisma Access advertises mobile user routes in blocks of /24 subnets and adds BGP community values
to the routes it advertises through the service connection. The following figure shows a mobile user
deployment with three service connections and three different IP address blocks specified for the mobile
user IP address pool: 192.168.64.0/20 for the Asia, Australia & Japan region, 192.168.72.0/20
for the Africa, Europe & Middle East region, and 192.168.48.0/20 for the North America & South
America region. Prisma Access divides these routes into /24 blocks and advertises them with
Prisma Access' AS number of 65534, but also appends BGP community values to the advertisements
(Z for Asia, Y for EU, and X for US). Those routes are shown in the middle of the figure. In this way, you
can differentiate service connections in your network, even though Prisma Access assigns the same AS
number to them.
You can view the community string by selecting Panorama > Cloud Services > Status > Network Details >
Service Connection > Show BGP Status and find the Community field in the Peer tab.
The following figure shows a more common network with a full-mesh eBGP backbone. The figure shows
the routes that Prisma Access has learned from your organization’s network on the top right. Note the extra
routes that Prisma Access has learned through the Prisma Access backbone (iBGP) and your organization’s
backbone (eBGP).
For traffic between mobile users in the North America & South America region (US in the diagram) and the
data center in your organization’s Africa, Europe & Middle East region (EU in the diagram), Prisma Access
chooses the path through the EU service connection because it prefers routes with a shorter AS-PATH.
In deployments with a full-mesh eBGP backbone, asymmetry can arise when Prisma Access cannot reach a
particular data center due to an ISP/CPE failure at the customer's data center. The following figure shows
what could happen when the link to the EU service connection goes down. Your network detects the link
failure and builds a new route table for AS 200. Traffic from the US service connection to AS 200 uses the
path through AS 100 because the eBGP route for your backbone between AS 200 and AS 100 is preferred
to the iBGP route between service connections EU and US. However, return traffic is not guaranteed to
take the same path because the on-premises CPE can choose either path (shown in red) to return the
traffic.
The previous examples show a network whose routes have not been aggregated (that is, you have not
performed route summarization before you send the BGP route advertisements to Prisma Access). The
following example shows a network that summarizes its routes to 10.0.0.0/8 before sending them to Prisma
Access. If you select default routing, this configuration can lead to asymmetric routing issues, because
Prisma Access cannot determine the correct return path from the summarized routes.
If your Prisma Access deployment has Remote Networks, Palo Alto Networks does not
recommend the use of route summarization on Service Connections. Route summarization
on service connections is for Mobile Users deployments only.
If you use route aggregation for mobile users, we strongly recommend that you enable hot potato
routing instead of default routing, where Prisma Access hands off the traffic as quickly as possible to
your organization’s network; in addition, we recommend that you select a Backup SC as described in the
following section for each service connection to have a deterministic routing behavior.
(Table columns: Prefix Type | Service Connection Tunnel Type | Number of AS-Path Prepends | Total AS-PATHs Seen on the CPE)
In hot potato routing mode, Prisma Access allows you to specify a backup service connection (Backup SC)
during onboarding. Specifying a Backup SC informs Prisma Access to use that service connection as the
backup when a service connection link fails.
The following figure shows a hot potato routing configuration for traffic between the US service connection
and AS 200, with the EU service connection configured as the Backup SC of the US connection. Using hot
potato routing, Prisma Access sends the traffic from its closest exit path through the US service connection.
The return traffic takes the same path through AS 100 because this path has a shorter AS-PATH to the
mobile user pool in the US location. Prisma Access prepends the AS-PATH to its prefix advertisements
depending on whether the tunnel is a primary tunnel, a backup tunnel, or not used for either primary or
backup.
Because you have set up a backup service connection, if the link to the US service connection goes down,
hot potato routing sends the traffic out using its shortest route through the EU service connection. This
routing scenario also applies to networks that use route aggregation.
You can also use backup service connections for multiple service connections in a single region. The
following figure shows a Prisma Access deployment with two service connections in the North America
region. In this case, you specify a Backup SC of US-E for the US-W service connection, and vice versa, to
ensure symmetric routing.
List of Prisma Access Locations
The following tables list the available locations for Prisma Access.
The locations are listed alphabetically and by region. When you onboard service connections or
remote network connections, the locations appear alphabetically in the drop-down. When you onboard
mobile users, the locations are sorted by region. If you are in North America, we provide a map you can use
as a reference.
• List of Locations
• List of Locations by Region
• Map of North America Locations
List of Locations
The following table provides an overall list of locations.
Locations
Andorra
Argentina
Australia East
Australia South
Australia Southeast
Austria
Bahrain
Bangladesh
Belarus
Belgium
Bolivia
Brazil Central
Brazil East
Brazil South
Bulgaria
Cambodia
Canada Central
Canada East
Canada West
Chile
Colombia
Costa Rica
Croatia
Czech Republic
Denmark
Ecuador
Egypt
Finland
France North
France South
Germany Central
Germany North
Germany South
Greece
Hong Kong
Hungary
India North
India South
India West
Indonesia
Ireland
Israel
Italy
Japan Central
Japan South
Jordan
Kenya
Kuwait
Liechtenstein
Lithuania
Luxembourg
Malaysia
Mexico Central
Mexico West
Moldova
Monaco
Myanmar
Netherlands Central
Netherlands South
New Zealand
Nigeria
Norway
Pakistan South
Pakistan West
Panama
Paraguay
Peru
Philippines
Poland
Portugal
Romania
Russia Central
Russia Northwest
Saudi Arabia
Singapore
Slovakia
Slovenia
South Korea
Spain Central
Spain East
Sweden
Switzerland
Taiwan
Thailand
Turkey
UK
Ukraine
US Central
US East
US Northeast
US Northwest
US South
US Southeast
US Southwest
US West
Uzbekistan
Venezuela
Vietnam
List of Locations by Region
Locations
Africa Region
Kenya
Nigeria
Asia Region
Bangladesh
Cambodia
Hong Kong
India North
India South
India West
Indonesia
Malaysia
Myanmar
Pakistan South
Pakistan West
Philippines
Singapore
South Korea
Taiwan
Thailand
Vietnam
ANZ Region
Australia East
Australia South
Australia Southeast
New Zealand
Europe Region
Andorra
Austria
Belarus
Belgium
Bulgaria
Croatia
Czech Republic
Denmark
Finland
France North
France South
Germany Central
Germany North
Germany South
Greece
Hungary
Ireland
Italy
Liechtenstein
Lithuania
Luxembourg
Moldova
Monaco
Netherlands Central
Netherlands South
Norway
Poland
Portugal
Romania
Russia Central
Russia Northwest
Slovakia
Slovenia
Spain Central
Spain East
Sweden
Switzerland
UK
Ukraine
Uzbekistan
Japan Region
Japan Central
Japan South
Middle East Region
Bahrain
Egypt
Israel
Jordan
Kuwait
Saudi Arabia
Turkey
North America Region
Canada Central
Canada East
Canada West
Costa Rica
Mexico Central
Mexico West
Panama
US Central
US East
US Northeast
US Northwest
US South
US Southeast
US Southwest
US West
South America Region
Argentina
Bolivia
Brazil Central
Brazil East
Brazil South
Chile
Colombia
Ecuador
Paraguay
Peru
Venezuela
Secure Mobile Users with Prisma Access
Securing mobile users from threats and risky applications is often a complex mix of procuring
and setting up the security and IT infrastructure and then ensuring bandwidth and uptime
requirements in multiple locations around the globe while staying within your budget.
However, with Prisma Access for users (formerly GlobalProtect cloud service for mobile users),
the infrastructure is deployed for you and scales based on the number of active users and
their locations. Users then connect to Prisma Access for mobile users to receive their VPN
configuration, which routes them to the closest Prisma Access gateway for policy enforcement.
This enables you to enforce consistent security for your users even in locations where you do
not have a network infrastructure and IT presence.
To configure this service, you must supply an IP address pool that will be used to assign IP
addresses for the client VPN tunnels. The addresses in this pool must not overlap with other
address pools you use internally or the IP subnet you assign when you Enable the Service
Infrastructure.
Plan To Deploy Prisma Access for Users
To ensure that you will be able to successfully enable the service and enforce consistent policy for your
mobile users (protecting users with the GlobalProtect app installed on their endpoints and allowing users to
securely access applications using Clientless VPN), make sure you account for the following configuration
requirements before you begin to Configure Prisma Access for Users.
Use this checklist to make sure that you have everything ready to deploy your Prisma Access for users.
Pre-Installation checklist:
• IP address pool—To configure Prisma Access for users, you need to provide an IP address pool
that does not overlap with other IP addresses you use internally or with the IP address pool you
designated for the Infrastructure Subnet.
We recommend using an RFC 1918-compliant IP address pool. While the use of non-RFC 1918-compliant
(public) IP addresses is supported, we do not recommend it because of possible conflicts with internet
public IP address space. In addition, do not specify any subnets that overlap with the 100.64.0.0/15
subnet range because Prisma Access reserves that subnet for its own internal use.
Prisma Access uses this IP address pool to assign IP addresses to the virtual network adapters
of endpoints when they connect to Prisma Access using the GlobalProtect app. Each device that
connects to a Prisma Access mobile user gateway requires its own IP address. You specify the
IP address pools that Prisma Access uses for the IP address allocation during the mobile user
onboarding process. We recommend that the number of IP addresses in the pool is twice the
number of mobile user devices that will connect to Prisma Access. If your organization has a bring
your own device (BYOD) policy, or if a single user has multiple user accounts, make sure that you
take those extra devices and accounts into consideration when you allocate your IP pools. If the IP
address pool reaches its limit, additional mobile user devices will not be able to connect.
When mobile user devices connect to a gateway, Prisma Access takes IP addresses from the pools
you specified and allocates them to the gateway in /24 blocks. When a /24 block reaches its limit
as more user devices log in, Prisma Access allocates more /24 blocks from the pool to the gateway.
Prisma Access advertises these /24 subnets into its backbone as they are allocated based on their
gateway assignments.
• Template—Prisma Access for users automatically creates a template stack and a top-level template
for the cloud service. If you are already running GlobalProtect on premise and you want to
leverage your existing configuration, you can add additional templates to the stack to push existing
GlobalProtect portal, GlobalProtect gateway, User-ID, server profile (for example, for connecting
to your authentication service), certificate, and SSL/TLS service profile configurations to Prisma
Access for users. If you do not have templates with existing configuration settings, you can manually
enter the required configuration settings when you Configure Prisma Access for Users. Additionally,
any template(s) you add to the stack must contain the zone configuration for the zones you use to
enforce Security policy for your mobile users.
• Parent Device Group—When you configure Prisma Access for users, you must specify a parent
device group to use when you push your address groups and Security policy, Security profiles, other
policy objects (such as application groups and objects), HIP objects and profiles, and authentication
policy that the service requires to enforce consistent policy for your remote users.
• Locations to Onboard—Prisma Access provides you with worldwide locations where you can
Configure Prisma Access for Users. Before you onboard your locations, view this list to determine
which locations you should onboard for your mobile users deployment.
Choose locations that are closest to your users or in the same country as your users. If a location is
not available in the country where your mobile users reside, you can pick a location that uses the
same language as your mobile users.
You can also divide the locations by geographical region. Keeping all locations in a single region
allows you to specify an IP address pool for that region only, which can be useful if you have a limited
number of IP addresses that you can allocate to the pool. A single regional IP address pool also
provides more granular control over deployed regions and allows you to exclude regions as required
by your policy or industry regulations.
• Portal Hostname—Prisma Access for users enables you to quickly and easily set up the portal
hostname using a default domain name (.gpcloudservice.com). In this case, the cloud service
automatically publishes the hostname to public DNS servers and handles all certificate generation.
However, you can opt to use your own company domain name in the portal hostname. If you plan to
use your company domain name, you must obtain your own certificates for the portal and configure
an SSL/TLS service profile to point to the certificate before you configure the service. Additionally, if
you use your own domain name in the portal hostname, you also need to configure your DNS servers
to point to the portal DNS CNAME, which is provided during the configuration process.
• Service Connection—You must create and configure a service connection if you want to enable
your mobile users to access resources, such as authentication servers, on your internal network (for
example, an authentication server in your data center or HQ location) or enable your mobile users to
access your remote network locations.
Even if you don’t plan to use the connection to provide access to your internal resources, you must
configure at least one service connection with placeholder values if you want your mobile users
to be able to connect to your remote network locations or if you have mobile users in different
geographical areas who need direct access to each other’s endpoints.
• IPv6 Usage in Your Network—Determine whether you want to perform any mitigation for IPv6
traffic in your network to reduce the attack surface. In a dual stack endpoint that can process both
IPv4 and IPv6 traffic, mobile user IPv6 traffic is not sent to Prisma Access by default and is sent to
the local network adapter on the endpoint instead. For this reason, Palo Alto Networks recommends
that you configure Prisma Access to sinkhole IPv6 traffic.
Post-Installation checklist:
• Add the Public IP Addresses to an allow list in Your Network—After you onboard your locations, you
need to Retrieve Public and Egress IP Addresses for Mobile User Deployments used by each location
and add these locations’ IP addresses to an allow list in your network to allow mobile users access
to SaaS or public applications. If you add more locations, you will also need to retrieve the new IP
addresses that Prisma Access allocates for the newly-added location or locations.
Configure Prisma Access for Users
When you configure Prisma Access for users, you will need to define the settings to configure the portal
and gateways in the cloud. For example, you will define a portal hostname, set up the IP address pool for
your mobile users, and configure DNS settings for your internal domains. You may be able to reuse
existing configurations for some of the required settings, such as which authentication profile to use
to authenticate mobile users. If you already have a template with your authentication profiles, certificates,
certificate profiles, and server profiles, you can add that template to the predefined template stack during
onboarding to simplify the setup process.
While it is not necessary to push your Security policy settings and objects to the cloud during the
onboarding process, if you already have device groups and templates with the configuration objects you
need (for example, Security policy, zones, User-ID configuration, and other policy objects), go ahead and add
them when you onboard. This way you can complete the zone mapping that is required to enable Prisma
Access to map the zones in your policy to the appropriate interfaces and zones within the cloud. However,
if you don't have your policy set yet, you can go back later and push it to Prisma Access for users.
In addition, if you want your mobile users to be able to connect to your remote network locations, or if
you have mobile users in different geographical areas who need direct access to each other’s endpoints,
you must configure at least one service connection with placeholder values, even if you don’t plan to
use the connection to provide access to your data center or HQ locations. The reason this is required is
because, while all remote network locations are fully meshed, Prisma Access gateways (also known as
locations) connect to the service connection in a hub-and-spoke architecture to provide access to the
internal networks in your Prisma Access infrastructure.
STEP 1 | Select Panorama > Cloud Services > Configuration > Mobile Users.
STEP 2 | Configure the template stack and device group hierarchy that the cloud service will push to the
portal and gateway.
1. Edit the Settings.
2. In the Templates section of the Settings tab, Add the template that contains the configuration you
want to push to Prisma Access for users.
Although you can add existing templates to the stack from the plugin, you cannot
create a new template from the plugin. Instead, use the workflow to add a new
template.
You can Add more than one existing template to the stack and then order them appropriately using
Move Up and Move Down. This is important because Panorama evaluates the templates in the
stack from top to bottom and settings in templates that are higher in the stack take priority over
the same settings specified in templates that are lower in the stack. You cannot move the default
Mobile_User_Template from the top of the stack; this prevents you from overriding any settings that
Prisma Access requires to create the network infrastructure in the cloud.
If you want to customize the agent configuration that Prisma Access for users
pushes to clients from the portal, you must edit the GlobalProtect Portal configuration
in the Mobile_User_Template to add a new agent configuration. After configuring
the agent configuration, move it above the DEFAULT agent configuration that is
predefined in the template to ensure that your settings take precedence over the
default settings. When editing this template, do not remove or change the External
Gateway entry.
3. In the Device Group section, select the Parent Device Group that contains the configuration settings
you want to push to Prisma Access for users, or leave the parent device group as Shared to use the
Prisma Access device group shared hierarchy.
You will push all of the configuration—including the address groups, Security policy, Security profiles,
and other policy objects (such as application groups and objects), HIP objects and profiles and
authentication policy—that Prisma Access for users needs to enforce consistent policy to your mobile
users using the device group hierarchy you specify here. In addition, you must make sure that you
have configured a Log Forwarding profile that forwards the desired log types to Panorama/Logging
Service in a device group that gets pushed to Prisma Access for users; this is the only way that the
cloud service knows which logs to forward to Cortex Data Lake.
STEP 3 | (Optional) Configure Prisma Access to use the Directory Sync service to retrieve user and group
information.
You must configure Directory Sync to retrieve user and group information from your Active Directory
(AD) before you enable and configure Directory Sync integration in Prisma Access using the settings in
the Group Mapping Settings tab. See Get User and Group Information Using Directory Sync for details.
STEP 5 | Map the zones configured within the selected template stack as trusted or untrusted.
On a Palo Alto Networks next-generation firewall, Security policy is enforced between zones, which map
to physical or virtual interfaces on the firewall. However, with Prisma Access for users, the networking
infrastructure is automatically set up for you, which means you no longer need to configure interfaces
and associate them with zones. However, to enable consistent security policy enforcement, you must
map the zones you use within your organization as trust or untrust so that Prisma Access for users can
translate the policy rules you push to the cloud service to the internal zones within the networking
infrastructure.
1. Edit the Zone Mapping settings.
By default, all of the zones in the Mobile_User_Template_Stack are classified as Untrusted Zones.
2. For each zone you want to designate as trusted, select it and click Add to move it to the list of
Trusted Zones.
3. Click OK to save your changes.
domain. For example, if you specified a DNS hostname of acme-portal.acme.com, you would need
to create a DNS CNAME entry that maps that hostname to acme-portal.gpcloudservice.com on
your internal DNS servers.
3. Select an Authentication Profile that specifies how Prisma Access should authenticate mobile users
or create a new one.
If you added a parent device group that contains an authentication profile configuration, you should
see it on the list of available profiles. If you did not push the profile in the device group, you can
create an authentication profile now.
4. Select an Authentication Override Certificate to encrypt the secure cookies that mobile users use to
authenticate to the portal and gateway.
If you added a parent device group that contains the certificate you want to use to encrypt
authentication cookies, you should see it on the list of available certificates. If you did not push a
certificate in the device group, you can import or generate one now.
5. (Optional) If you do not require GlobalProtect endpoints to have tunnel connections when on the
internal network, enable Internal Host Detection.
1. Select the Internal Host Detection check box.
2. Enter the IP Address of a host that users can reach only from the internal network.
3. Enter the DNS Hostname for the IP address you entered. Clients that try to connect perform
a reverse DNS lookup on the specified address. If the lookup fails, the client determines that it
needs a tunnel connection to Prisma Access for users.
Prisma Access copies the internal host detection settings you specify here to the
settings in your GlobalProtect portal configuration (Network > GlobalProtect >
Portals > <portal-config> > Agent > <agent-config> > Internal). If you change your
portal configuration settings through Network > GlobalProtect > Portals at a later time,
those changes are not reflected in the settings you specify here. For this reason, Palo
Alto Networks recommends that you either enter the internal host detection settings
here or configure the same settings in both places.
STEP 7 | Select the Locations and the regions associated with those locations where you want to deploy
your mobile users.
The Locations tab displays a map. Highlighting the map shows the global regions (Americas, Europe,
and Asia Pacific) and the locations available inside each region. Select a region, then select the locations
you want to deploy in each region. Limiting your deployment to a single region provides more granular
control over deployed regions and allows you to exclude regions as required by your policy or industry
regulations. See List of Prisma Access Locations for the list of regions and locations. You can select a
location in a region that is closest to your mobile users, or select a location as required by your policy or
industry regulations.
Specify a single region to reduce the minimum IP address pool that you need in Step 8. See Specify IP
Address Pools for Mobile Users for more information.
Prisma Access uses the Hong Kong, Netherlands Central, and US Northwest locations
as fallback mobile user locations if other locations are not available. For this reason, Palo
Alto Networks strongly recommends that you enable at least one of these locations during
mobile user onboarding.
2. Select one or more Prisma Access gateways within your selected region using the map.
Hovering your cursor over a location highlights it. White circles indicate an available location; green
circles indicate that you have selected that location.
In addition to the map view, you can view a list of regions and locations. Choose between the map
and list view from the lower left corner. In the list view, the list displays regions sorted by columns,
with all locations sorted by region. You can select All sites within a region (top of the dialog).
STEP 8 | Set up the IP address pools that Prisma Access for users uses to assign IP addresses to
GlobalProtect endpoints by selecting the IP Pools tab and then Add an IP address pool.
• Region—Select Worldwide to use a single IP address pool for all GlobalProtect clients using the cloud
service or select an available region.
You can use a single IP address pool for all GlobalProtect endpoints Worldwide, you can set separate
pools for each region where you have mobile users, or you can specify both Worldwide and region-
specific IP pools. For example, you can add a pool for a specific region and then add a Worldwide
pool to use for all other regions. Prisma Access then uses the Worldwide IP addresses to scale as you
onboard additional gateways in other regions to accommodate more mobile users. If you specify a
pool for a region, and you exhaust the available IP addresses in that pool, Prisma Access takes IP
addresses from the Worldwide pool to use in that region.
• IP Pool—Enter an IP address pool to assign to the endpoints in the selected region. The addresses
in this pool must not overlap with other networks you use internally or with the pools you assigned
when you Enable the Service Infrastructure.
If you deploy locations in a single region, the minimum required subnet is /23 (512 IP addresses)
per location. Additional locations require a minimum /23 subnet. If you specify a Worldwide subnet,
the minimum required subnet is /23 but we recommend providing enough subnets to allocate a
number of IP addresses that is equal to or greater than the number of licensed mobile users so that
they can log in at the same time. Do not use the 100.64.0.0/15 subnet, because Prisma Access
reserves this subnet for its internal use. See how to Specify IP Address Pools for Mobile Users for
more information.
STEP 9 | To specify the DNS resolution settings that Prisma Access uses for mobile users, select the
Network Services tab and then click Add.
GlobalProtect endpoints with an active tunnel connection use their virtual network adapters rather than
their physical network adapters and therefore require separate DNS resolution settings. You can use one
set of DNS settings for all GlobalProtect endpoints Worldwide, you can set separate DNS settings for each
geographic region where your users are located, or you can specify both Worldwide and regional settings.
• For Internal Domains:
• Select a Region (North America & South America, Africa, Europe & Middle East, or Asia, Australia
& Japan), or specify Worldwide to apply the DNS settings globally.
You must specify at least one DNS proxy with a Region of Worldwide, or your commit will fail.
You can also specify a DNS proxy for one or more regions and specify another Worldwide DNS
proxy for the rest of the world. If you specify multiple proxy settings with a mix of regional and
worldwide regions, Prisma Access uses the regional settings for the Locations in the region you
specify; otherwise, Prisma Access uses the worldwide settings.
• Specify the IP addresses of the Primary DNS and Secondary DNS servers that your mobile users
should use to resolve internal domains.
• (Optional) If you want your internal DNS server to only resolve the domains you specify, enter the
domains to resolve in the Domain List.
You can use a wildcard (*) in front of the domains in the domain list, for example *.acme.local
or .acme.com. You can specify a maximum of 1,024 domain entries.
• For Public Domains:
• Enter a Primary DNS choice.
To use the default Prisma Access DNS server, select Use Cloud Default. To use the same server
that you use to resolve internal domains, select Same as Internal Domains. To use a third-party or
public DNS server, select Custom DNS Server, then specify the IP address of the DNS server.
• Enter a Secondary DNS choice, choosing from the same options you chose for the Primary DNS.
• (Optional) Add a Client DNS Suffix Search List to specify the suffix that the client should use
locally when an unqualified hostname is entered that it cannot resolve, for example, acme.local.
Do not enter a wildcard (*) character in front of the domain suffix. You can add multiple suffixes.
You can also create a .csv file that has the list of domain suffixes and Import them, rather
than manually adding them. Separate multiple entries with commas or semicolons such as
www.example1.com,www.example2.com,www.example3.com. There is no limit to the
number of DNS suffixes you can enter.
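The rules in Step 9 are easy to get wrong before a commit, so here is an added example (not Palo Alto Networks code) that models them: a configuration must contain a Worldwide entry, a regional entry overrides Worldwide for locations in that region, an internal Domain List holds at most 1,024 entries and may use a leading wildcard, and the Client DNS Suffix Search List must not. The functions check a planned configuration, pick the settings that apply to a region, decide whether a given query goes to the internal or the public servers, and expand an unqualified name with the suffix list. The server addresses and the acme.local / acme.com domains in the sample are constructed placeholders; how the wildcard forms are matched is this model's reading of the text ("*.acme.local" and ".acme.com" both match any name under the domain).

```python
from dataclasses import dataclass, field
from typing import List, Optional

MAX_DOMAIN_ENTRIES = 1024  # limit on the internal Domain List stated in the guide


@dataclass
class DnsProxy:
    region: str                        # "Worldwide" or a Prisma Access region name
    primary: str                       # primary internal DNS server
    secondary: Optional[str] = None    # secondary internal DNS server
    domain_list: List[str] = field(default_factory=list)    # internal domains, e.g. "*.acme.local"
    suffix_search: List[str] = field(default_factory=list)  # client DNS suffix search list


def validate(proxies: List[DnsProxy]) -> List[str]:
    """Return a list of problems; an empty list means the configuration would commit."""
    problems = []
    if not any(p.region == "Worldwide" for p in proxies):
        problems.append("no DNS proxy with Region=Worldwide (commit fails)")
    for p in proxies:
        if len(p.domain_list) > MAX_DOMAIN_ENTRIES:
            problems.append(f"{p.region}: domain list has {len(p.domain_list)} entries "
                            f"(max {MAX_DOMAIN_ENTRIES})")
        for suffix in p.suffix_search:
            if suffix.startswith("*"):
                problems.append(f"{p.region}: suffix {suffix!r} must not start with a wildcard")
    return problems


def select_proxy(proxies: List[DnsProxy], region: str) -> Optional[DnsProxy]:
    """Regional settings apply to locations in that region; otherwise Worldwide applies."""
    for p in proxies:
        if p.region == region:
            return p
    for p in proxies:
        if p.region == "Worldwide":
            return p
    return None


def _matches(name: str, pattern: str) -> bool:
    name = name.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        return name.endswith(pattern[1:])           # "*.acme.local": any host under acme.local
    if pattern.startswith("."):
        return name.endswith(pattern)               # ".acme.com": same effect
    return name == pattern or name.endswith("." + pattern)  # bare domain and its subdomains


def is_internal(name: str, proxy: DnsProxy) -> bool:
    """True if the query is sent to the internal servers, False if to the public DNS choice."""
    return any(_matches(name, d) for d in proxy.domain_list)


def qualify(name: str, proxy: DnsProxy) -> List[str]:
    """Names the client tries for an unqualified host name, using the suffix search list."""
    if "." in name or not proxy.suffix_search:
        return [name]
    return [f"{name}.{suffix}" for suffix in proxy.suffix_search]


# Constructed sample configuration (placeholder server addresses and domains)
SAMPLE = [
    DnsProxy("Worldwide", "10.0.0.53", "10.0.1.53",
             ["*.acme.local", ".acme.com"], ["acme.local"]),
    DnsProxy("Africa, Europe & Middle East", "10.20.0.53", None,
             ["*.acme.local", "*.eu.acme.com"], ["eu.acme.local", "acme.local"]),
]

if __name__ == "__main__":
    print("problems:", validate(SAMPLE))
    eu = select_proxy(SAMPLE, "Africa, Europe & Middle East")
    print("EU primary:", eu.primary, "| git -> ", qualify("git", eu))
    print("www.acme.com internal?", is_internal("www.acme.com", select_proxy(SAMPLE, "Worldwide")))
```

Note that a regional entry replaces the Worldwide one for its locations rather than merging with it, so any domain that must resolve internally everywhere has to be repeated in every regional Domain List, as the sample does with *.acme.local.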
STEP 10 | (Optional) If your deployment uses Windows Internet Name Service (WINS), you can specify
WINS servers to resolve NetBIOS name-to-IP address mappings. Select WINS Configuration,
select a region for the WINS server (or select Worldwide to apply the WINS configuration
worldwide), then specify a Primary WINS and, optionally, a Secondary WINS server address.
After you enable WINS, Prisma Access can push WINS configuration to mobile users’ endpoints over
GlobalProtect.
STEP 11 | (Optional) If you allow your mobile users to manually select gateways from the GlobalProtect
app, select the Manual Gateway Locations that the users can view from their GlobalProtect
app.
Choosing a subset of onboarded locations reduces the number of available gateways that mobile users
can view in their GlobalProtect app for manual gateway selection.
If you do not select manual gateways in this tab, Prisma Access selects the following list of gateways by
default.
• Australia Southeast
• Belgium
• Brazil South
• Canada East
• Finland
• France North
• Germany Central
• Hong Kong
• India West
• Ireland
• Israel
• Japan Central
• Netherlands Central
• Saudi Arabia
• Singapore
• South Africa Central
• South Korea
• Taiwan
• UK
• US East
• US West
Prisma Access lets you select only gateways that you have onboarded. For example, if you don’t choose
UK when you select locations, you cannot select UK as a manual gateway (the location is grayed out).
If you allow users to manually choose more than 25 gateways, we recommend using
version 5.0.3 or later of the GlobalProtect app for the best end user experience.
STEP 13 | To secure traffic for your mobile users, you must create security policy rules.
1. Select the Device Group in which to add policy rules. You can select the Mobile_User_Device_Group
or the parent device group that you selected when setting up Prisma Access for mobile users.
2. Create security policy rules. Make sure that you do not define security policy rules to allow traffic
from any zone to any zone. In the security policy rules, use the zones that you defined in the
template stack you are pushing to the cloud service.
STEP 15 | (Optional) Forward logs for other log types to Cortex Data Lake.
To do this, you must create and attach a log forwarding profile to each policy rule for which you want to
forward logs. See the Cortex Data Lake Getting Started Guide for more information.
1. Select the Device Group in which you added the policy rules.
2. Select Objects > Log Forwarding and Add a profile. In the Log Forwarding Profile Match List, Add
each log type that you want to forward.
The following example enables forwarding of Traffic, Threat Prevention, WildFire Submission, URL
Filtering, Data Filtering, and Authentication logs.
3. Select Panorama/Logging Service as the Forward Method. When you select Panorama, the logs
are forwarded to Cortex Data Lake. You will be able to monitor the logs and generate reports from
Panorama. Cortex Data Lake provides a seamless integration to store logs without backhauling them
to your Panorama at the corporate headquarters, and Panorama can query Cortex Data Lake as
needed.
4. Select Policies > Security and edit the policy rule. In Actions, select the Log Forwarding profile you
created.
STEP 16 | Commit all your changes to Panorama and push the configuration changes to Prisma Access.
1. Click Commit > Commit to Panorama.
2. Click Commit > Push to Devices and click Edit Selections.
3. On the Prisma Access tab, make sure Prisma Access for users is selected and then click OK.
4. Click Push.
STEP 17 | To verify that Prisma Access for users is deployed and active, select Panorama > Cloud
Services > Status > Status.
After the provisioning completes, the mobile users Status and Config Status should show OK.
The Deployment Status area allows you to view the progress of onboarding and deployment jobs before
they complete, as well as see more information about the status of completed jobs. See Deployment
Progress and Status for details.
To view the number of unique users who are currently logged in, or to log out a logged in user, click the
hyperlinked number next to Current Users. See View Logged In User Information and Log Out Current
Users for details.
To view historical information about users who logged in during the previous 90 days, click the number
next to Users (Last 90 days).
To export the list of users to a csv file, select Export to CSV. Note that a maximum of 45,000 users can
be exported to a CSV file.
To display a map that shows the locations of Prisma Access portals and gateways running in the regions
you have selected, select Monitor; then, select Mobile Users.
Select a region to get more detail about that region.
STEP 18 | If you chose to Use Company Domain for your portal hostname, you must add a DNS entry
on your internal DNS servers to map the portal hostname you defined to the Portal DNS
CNAME displayed on the Cloud Services > Configuration > Mobile Users > Onboarding >
General tab (for example, <portal_hostname>.gpcloudservice.com).
For Mac OS or Windows users, you can direct users to the Prisma Access portal address, where they can
download the GlobalProtect app from the portal.
Prisma Access manages the version of the GlobalProtect app on the portal and this is not
configurable; however, you can Manage Upgrade Options for the GlobalProtect App in
Panorama to control the availability of an app version and control the ability of users to
download it.
Alternatively, you can host GlobalProtect app software on a web server for your Mac OS and Windows
users. Prisma Access is compatible with any GlobalProtect app versions that are not listed as end of life.
Mobile app users can download and install the GlobalProtect mobile app from the appropriate app store
for their operating systems.
Zone Mapping
On a firewall, zones are associated with interfaces. But within Prisma Access, the networking infrastructure
is automatically set up for you. This means that you no longer need to worry about configuring interfaces
and associating them with the zones you create. However, to enable consistent security policy
enforcement, you must create zone mappings so that Prisma Access will know whether to associate a zone
with an internal (trust) interface or an external (untrust) interface. This will ensure that your security policy
rules are enforced properly. By default, all of the zones you push to Prisma Access are set to untrust. You
should leave any zones associated with internet-bound traffic, including your sanctioned SaaS applications,
set to untrust. However, for all zones that enable access to applications on your internal network or in your
data center, you must map them to trust. Notice in the example below, all sanctioned SaaS applications—
Office 365 and Salesforce in this case—are segmented into the sanctioned-saas zone to enable visibility
and policy enforcement over the use of these applications. To enable Prisma Access to associate the
sanctioned-saas zone with an external-facing interface, you must map this zone to untrust. Similarly, the
eng-tools and dc-apps zones provide access to applications in the corporate office and you must therefore
designate them as trusted zones.
Specify IP Address Pools for Mobile Users
You need to make sure that you have specified an IP address pool that allows enough coverage for the
mobile users in your organization. It is important to remember that each unique user can use multiple
devices to connect to Prisma Access at the same time, and each connected device requires a unique IP
address from the pool. We recommend that the number of IP addresses in the pool is 2 times the number
of mobile user devices that will connect to Prisma Access. If your organization has a bring your own device
(BYOD) policy, or if a single user has multiple user accounts, make sure that you take those extra devices
and accounts into consideration when you allocate your IP pools. If your pool space is limited, you can
specify a smaller address pool; however, if your IP address pool reaches its limit, additional mobile user
devices will not be able to connect.
In Panorama, the UI validates that you enter valid IP subnets (for example, if you enter a pool with a subnet
smaller than /23, it prompts you to change it). However, it does not check that you have allocated
sufficient IP addresses for your deployment.
This validation is not available if you configure locations using CLI. If you deploy all locations
using CLI, we recommend that you add a /18 address in the Worldwide pool for mobile
users.
Prisma Access checks your configuration to make sure that you have specified the following minimum IP
address pool:
• A minimum of /23 (512 IP addresses) is required for either a Worldwide or regional address pool.
• If you do not onboard any Prisma Access gateways in a region, an IP address pool for that region is
not required. For example, if you specify gateways in the US East, US Northwest, and US Northeast
locations, you only need to specify an IP address pool for the North America & South America region.
Conversely, if you enable mobile user locations in Europe without specifying either a Worldwide address
pool or an IP address pool in Africa, Europe & Middle East, your deployment will fail.
• If you specify a mix of Worldwide and regional pools, Prisma Access uses the IP pools in the region first.
If regional pools are exhausted, Prisma Access will take IP address blocks from the Worldwide pool,
which allows you to configure extra IP addresses in the Worldwide IP address pool to function as a
fallback pool.
If you specify more than one block of IP address pools, Prisma Access uses the pools in the order that
you entered them during mobile user setup.
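Because Panorama validates the subnet size but not whether the allocation is sufficient (and the CLI validates neither), the following added example (not Palo Alto Networks code) applies the rules from Step 8 and this section to a planned pool layout before you commit it: every pool at least a /23, no overlap with the reserved 100.64.0.0/15, with your internal networks, with the service infrastructure subnet or with another pool, a regional or Worldwide pool for every region in which you onboarded locations, and a warning when the total is below twice the expected number of devices. The region names come from the guide; the sample pools, internal networks and the infrastructure subnet are constructed placeholders.

```python
import ipaddress
from typing import Dict, List, Tuple

RESERVED = ipaddress.ip_network("100.64.0.0/15")  # reserved by Prisma Access for internal use
MIN_PREFIX = 23                                   # /23 = 512 addresses per pool


def check_pools(pools: Dict[str, List[str]], regions_with_gateways: List[str],
                internal_nets: List[str], infra_subnet: str,
                expected_devices: int) -> Tuple[List[str], List[str]]:
    """Validate a planned mobile-user IP pool layout.

    pools: region name (or "Worldwide") -> list of CIDR strings
    regions_with_gateways: regions in which at least one location is onboarded
    internal_nets: CIDRs already in use inside the organization
    infra_subnet: the subnet assigned when enabling the service infrastructure
    expected_devices: endpoints expected to be connected at the same time
    Returns (errors, warnings); errors mirror conditions the guide says will fail.
    """
    errors, warnings = [], []
    forbidden = [("internal network", ipaddress.ip_network(n)) for n in internal_nets]
    forbidden.append(("service infrastructure", ipaddress.ip_network(infra_subnet)))
    seen = []  # (region, network) for pools checked so far
    for region, cidrs in pools.items():
        for cidr in cidrs:
            try:
                net = ipaddress.ip_network(cidr, strict=True)  # reject host bits set
            except ValueError as exc:
                errors.append(f"{region} {cidr}: {exc}")
                continue
            if net.prefixlen > MIN_PREFIX:
                errors.append(f"{region} {cidr}: smaller than /{MIN_PREFIX}")
            if net.overlaps(RESERVED):
                errors.append(f"{region} {cidr}: overlaps reserved {RESERVED}")
            for label, other in forbidden:
                if net.overlaps(other):
                    errors.append(f"{region} {cidr}: overlaps {label} ({other})")
            for prev_region, prev in seen:
                if net.overlaps(prev):
                    errors.append(f"{region} {cidr}: overlaps pool {prev} in {prev_region}")
            seen.append((region, net))
    has_worldwide = bool(pools.get("Worldwide"))
    for region in regions_with_gateways:
        if not pools.get(region) and not has_worldwide:
            errors.append(f"{region}: locations onboarded but no regional or Worldwide pool")
    total = sum(net.num_addresses for _, net in seen)
    if total < 2 * expected_devices:
        warnings.append(f"{total} addresses for {expected_devices} devices; "
                        f"guide recommends at least {2 * expected_devices}")
    return errors, warnings


# Constructed sample layout (placeholder networks, not from the guide)
SAMPLE_POOLS = {
    "Worldwide": ["172.16.0.0/18"],
    "Africa, Europe & Middle East": ["172.20.0.0/23"],
}
SAMPLE_INTERNAL = ["10.0.0.0/8", "192.168.0.0/16"]
SAMPLE_INFRA = "172.31.0.0/24"  # placeholder for the service infrastructure subnet

if __name__ == "__main__":
    errs, warns = check_pools(SAMPLE_POOLS,
                              ["Africa, Europe & Middle East", "Asia, Australia & Japan"],
                              SAMPLE_INTERNAL, SAMPLE_INFRA, expected_devices=5000)
    print("errors:", errs)
    print("warnings:", warns)
```

The Worldwide /18 in the sample is deliberately larger than the /23 minimum: with the regional /23 in Europe, the remaining regions and any overflow from Europe draw from it, which is the fallback behaviour described above.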
How the GlobalProtect App Selects a Prisma Access Location for Mobile Users
When a mobile user connects to a Prisma Access location, the app uses the following selection process to
determine to which location it connects.
You enable the mobile user locations where you want Prisma Access to be present during
mobile user onboarding. If you do not select the location during onboarding, Prisma Access
does not use it in your deployment.
• If the mobile user connects in a country that has a Prisma Access location, the user connects to the
location in that country.
• If the mobile user cannot connect to an in-country location for any reason, Prisma Access selects from
one or more of the following mobile user locations to connect the user based on region:
• Asia, Australia & Japan: Taiwan, Singapore, Japan Central, India West
• Africa, Europe & Middle East: Finland, UK, Netherlands Central, Germany Central
• North America & South America: US Central, US Northeast, Brazil South, Canada East
Palo Alto Networks recommends that you add these locations in their respective regions during mobile
user onboarding to provide redundancy.
• Prisma Access has designated the following locations as alternative (fallback) locations. If mobile users
cannot access in-country or in-region locations, Prisma Access connects mobile users to one of the
following locations:
• Hong Kong
• Netherlands Central
• US Northwest
Palo Alto Networks strongly recommends that you enable at least one of these locations during
mobile user onboarding.
• If you use on-premise gateways with Prisma Access locations, you can specify priorities in Prisma Access
to let mobile users connect to either a specific on-premise GlobalProtect gateway or a Prisma Access
location. See Manage Priorities for Prisma Access and On-Premise Gateways for details.
• When mobile users connect, the GlobalProtect app does not use the following Prisma Access locations
in the automatic gateway selection process, even if you selected the Prisma Access locations in the
plugin during onboarding. However, mobile users can still manually select one of these locations and set
it as a preferred location (gateway) as long as you allow them to manually select those locations during
mobile user onboarding:
• Australia: Australia East and Australia South
• Brazil: Brazil East and Brazil Central
• Canada: Canada Central
• France: France South
• Germany: Germany North and Germany South
• India: India North and India South
• Japan: Japan South
• Mexico: Mexico West
• Netherlands: Netherlands South
• Pakistan: Pakistan West
• Russia: Russia Northwest
• South Africa: South Africa West
• Spain: Spain East
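The selection order above, as an added example rather than the GlobalProtect app's own code: in-country location first, then the regional candidates listed for the user's region, then the Hong Kong, Netherlands Central and US Northwest fallbacks, skipping anything not enabled during onboarding, anything unreachable, and the locations the guide lists as available for manual selection only. The regional candidate lists, fallback list and manual-only list are copied from this section; the mapping of countries to locations and regions is a constructed sample that covers only the countries used in the demonstration, and the order in which several in-country locations are tried is this model's assumption.

```python
from typing import Callable, Iterable, Optional, Tuple

# Regional candidates and fallbacks as listed in this section of the guide
REGIONAL_CANDIDATES = {
    "Asia, Australia & Japan": ["Taiwan", "Singapore", "Japan Central", "India West"],
    "Africa, Europe & Middle East": ["Finland", "UK", "Netherlands Central", "Germany Central"],
    "North America & South America": ["US Central", "US Northeast", "Brazil South", "Canada East"],
}
FALLBACK = ["Hong Kong", "Netherlands Central", "US Northwest"]

# Locations the app never picks automatically (users may still select them manually)
MANUAL_ONLY = {
    "Australia East", "Australia South", "Brazil East", "Brazil Central", "Canada Central",
    "France South", "Germany North", "Germany South", "India North", "India South",
    "Japan South", "Mexico West", "Netherlands South", "Pakistan West", "Russia Northwest",
    "South Africa West", "Spain East",
}

# Constructed sample mapping (country code -> locations / region); only a subset of
# the real list of Prisma Access locations, used here for the demonstration
COUNTRY_LOCATIONS = {
    "SE": [],  # no in-country location in this sample
    "DE": ["Germany Central", "Germany North", "Germany South"],
    "AU": ["Australia Southeast", "Australia East", "Australia South"],
    "US": ["US East", "US West", "US Central", "US Northeast", "US Northwest"],
}
COUNTRY_REGION = {
    "SE": "Africa, Europe & Middle East", "DE": "Africa, Europe & Middle East",
    "AU": "Asia, Australia & Japan", "US": "North America & South America",
}


def select_location(country: str, enabled: Iterable[str],
                    reachable: Callable[[str], bool] = lambda loc: True,
                    manual_choice: Optional[str] = None) -> Tuple[Optional[str], str]:
    """Return (location, reason) for a user in `country`, or (None, reason).

    enabled: locations selected during mobile user onboarding
    reachable: hook so a simulation can mark a location as unavailable
    manual_choice: a gateway the user picked in the app, if any
    """
    enabled = set(enabled)
    if manual_choice:
        if manual_choice in enabled:
            return manual_choice, "manual"
        return None, "manual choice not onboarded"

    def first_usable(candidates, reason):
        for loc in candidates:
            if loc in enabled and loc not in MANUAL_ONLY and reachable(loc):
                return loc, reason
        return None

    for candidates, reason in (
        (COUNTRY_LOCATIONS.get(country, []), "in-country"),
        (REGIONAL_CANDIDATES.get(COUNTRY_REGION.get(country, ""), []), "in-region"),
        (FALLBACK, "fallback"),
    ):
        hit = first_usable(candidates, reason)
        if hit:
            return hit
    return None, "no enabled location reachable"


if __name__ == "__main__":
    onboarded = {"Germany Central", "Finland", "Netherlands Central", "Australia East"}
    for cc in ("DE", "SE", "AU"):
        print(cc, "->", select_location(cc, onboarded))
    # Without any fallback location enabled, a user with no in-country or
    # in-region option is left with nothing, which is the case the note above warns about.
    print("SE, only Australia Southeast enabled ->", select_location("SE", {"Australia Southeast"}))
```

The last line of the demonstration is the reason the guide asks you to enable at least one of the three fallback locations: a user outside every enabled country and region otherwise has no automatic choice at all.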
View Logged In User Information and Log Out Current Users
There are several locations in Panorama where you can view the list of logged-in users. You can view
unique users, the location in which the users are logged in, and tables that provide additional information. It
is also important to understand how Prisma Access counts the number of users in each location.
You can get a detailed view of users from several locations:
• To see an overall view of users and to open a table that allows you to view and log out logged-in users,
select Panorama > Cloud Services > Status > Status.
• To see a graphic view of users in a map view, and to view users by region and location, select
Panorama > Cloud Services > Status > Service Stats > Mobile Users.
• To learn how Prisma Access counts users in each of these areas, see How Prisma Access Counts Users.
To view more details about the users who are currently logged in, click the hyperlinked number next to
Current Users to display the Current Users table.
The total number of users that display in the Status page, and the number that displays in
the pop-up table, might be different; the number that displays in the table might be larger.
See How Prisma Access Counts Users for details.
You can log out active users from the Current Users table; to do so, select the user and click Logout. Note
that you might have to close and then re-open the screen to have Prisma Access remove the logged-out
user from the Current Users page.
The following screen shows users who logged in with the GlobalProtect app and with Clientless VPN.
The screen shows the users’ username, public IP, and last login time. If the user is logged in with the
GlobalProtect app, it also shows their client OS, private IP address, and computer name.
View Mobile Users from the Monitor Tab
To view the number of unique users that are logged in per region, select Panorama > Cloud Services >
Status > Service Stats > Mobile Users.
The number of users that displays in the global map view page and the number that displays
in the table per region might be different; the number that displays in the table might be
larger. See How Prisma Access Counts Users for details.
How Prisma Access Counts Users
The number of total users that display in the status areas might be different than the number that displays
in the associated tables. The following section describes the differences.
• Status tab (Panorama > Cloud Services > Status > Status)—The number of users that displays in the main
page, in the Mobile Users area, might be different than the number that displays in the table when you
click the Current Users hyperlink. The number that displays in the Mobile Users area counts the number
of unique users; the list of users in the Current Users table counts all users per login or connection. If a
single user is logged in to more than one gateway or is connected with multiple devices, the number in
the table might be larger.
For example, a user user1 is logged into two gateways in the United Kingdom location; this condition
might have occurred because Prisma Access automatically added gateways when a large number of
users logged in to the same location. In this case, Prisma Access counts user1 once in the Mobile Users
area, but twice in the Current Users table.
• Monitor tab (Panorama > Cloud Services > Status > Service Stats > Mobile Users)—The number of
Users you see in the global map might be different than the number that displays in the table when you
select a region. A user that is logged in to more than one gateway or is connected with multiple devices
might show up multiple times in the table.
The following screenshots provide an example. There are 23 unique users logged into the Asia region, as
shown in the global map.
If you select the Asia region, Prisma Access gives the number of unique users (23) on the top left of the
region page. However, two users are connected via multiple devices in the South Korea location (for
example, a smart phone and a computer). Because the users have two separate connections, Prisma
Access counts them twice in the table, giving a total number count in the table of 25.
Quick Configs for Mobile User Deployments
The following topics show some common Prisma Access deployment scenarios for mobile users and
provide instructions for how to configure them.
For information about integrating Prisma Access with third-party authentication providers, refer to the
Prisma Access Integration Guide.
• Prisma Access with On-Premise Gateways
• Manage Priorities for Prisma Access and On-Premise Gateways
• DNS Resolution for Mobile Users and Remote Networks
• Sinkhole IPv6 Traffic From Mobile Users
• Collect User and Group Information Using the Directory Sync Service
• Configure Quality of Service in Prisma Access
You cannot use your own portal with Prisma Access. You can only use the portal that is
deployed when your Prisma Access for mobile users is provisioned.
To configure one of these hybrid Prisma Access deployments, you must edit the GlobalProtect_Portal
configuration within the Mobile_User_Template to add your on-premise gateways to the appropriate
regions:
STEP 2 | Add your on-premise gateway to the list of gateways in the agent configuration.
1. Select the Agent tab and select the DEFAULT agent configuration or Add a new one.
2. Select the External tab and Add your on-premise gateway.
If you add a new agent configuration and you want to add the Prisma Access
gateways to the list of external gateways in that configuration, you must set the Name
to GP cloud service and the Address to gpcloudservice.com. You must enter these
values exactly as shown, and you cannot use either of these values for non-Prisma
Access gateways.
3. Enter the Name of the gateway and specify either the FQDN or IP address of the gateway in the
Address field; this value must exactly match the common name (CN) in the gateway certificate.
4. (Optional) If you want mobile users to only connect to the gateway when they are in the
corresponding region, Add the Source Region to restrict the gateway to. For example, if you have a
gateway in France, you would select FR (France). If you have a gateway in Sweden, you would select
(SE) Sweden.
One benefit of this is that users will then be able to access a gateway that enables access to internet
resources in their own language.
5. Configure other agent settings as necessary to complete the agent configuration.
6. Click OK to save the portal configuration.
STEP 3 | Commit all your changes to Panorama and push the configuration changes to Prisma Access.
1. Click Commit > Commit to Panorama.
2. Click Commit > Push to Devices and click Edit Selections.
3. On the Prisma Access tab, make sure Prisma Access for users is selected and then click OK.
4. Click Push.
If you add on-premise gateways to your Prisma Access deployment, check to see if the
priority for the Prisma Access gateways is set to None and, if it is, change the priority. If
the priority is set to None, the service will not select a gateway. See Configure Priorities
for Prisma Access and On-Premise Gateways to change the priority of your Prisma Access
gateways.
If you require users to connect to a specific Prisma Access gateway, you can Allow Mobile Users to
Manually Select Specific Prisma Access Gateways. Mobile users choose one of the Prisma Access gateways
using the GlobalProtect app that is installed on their endpoint.
Complete the following workflow to configure gateway priorities in Prisma Access.
• Set Equal Gateway Priorities for On-Premise and Prisma Access Gateways
• Set a Higher Gateway Priority for an On-Premise Gateway
• Set Higher Priorities for Multiple On-Premise Gateways
• Configure Priorities for Prisma Access and On-Premise Gateways
• Allow Mobile Users to Manually Select Specific Prisma Access Gateways
This example also specifies a source region of Indonesia for the on-premise gateway. We recommend
specifying a source region for the following reasons:
• Specifying a source region for an on-premise gateway allows users in a region to access that gateway
and prevents users outside of that region from connecting to that gateway. In this example, only mobile
users in Indonesia can connect to the on-premise gateway with the source region of Indonesia, and the
higher priority means that the on-premise gateway has priority over the Prisma Access gateways.
• If you set a source region of Any for the on-premise gateway in Indonesia, every mobile user in your
organization would prefer the on-premise gateway in Indonesia, because of its higher priority and
worldwide accessibility. This configuration means that mobile users might never connect to the Prisma
Access gateways.
Medium. Specifying a source region for the on-premise gateways allows users in those regions to access
those gateways, and prevents users outside of those regions from connecting to those gateways.
In this example, the GlobalProtect app for mobile users in Sweden selects the on-premise gateway in
Sweden because of the source region and higher gateway priority.
STEP 2 | Select Network > GlobalProtect > Portals in the Mobile_User_Template template.
STEP 5 | Click the name of the agent to configure.
The default agent is named DEFAULT.
3. Be sure that the Manual check box is selected.
Checking the Manual check box ensures that mobile users can select a specific Prisma Access
gateway if it is required.
Do not add a source region for the Prisma Access gateways; any region you specify is
not applied to the configuration.
4. Click OK.
If you set the priority of on-premise external gateways higher than Prisma Access
gateways, we recommend that you specify source regions for the external gateways.
If you specify Any for the region, the GlobalProtect app might never select Prisma
Access gateways over on-premise gateways because of the higher priority for the on-
premise gateways.
4. Select the Manual check box to allow users to manually switch to the gateway.
5. Set the Priority of the on-premise gateway to Highest (the default).
6. Click OK.
STEP 9 | (Optional) Set the priority for additional gateways by repeating Step 8.
The following figure shows a sample configuration with multiple gateways that have source regions
in Norway, Sweden, and Denmark. Note that the Manual check box is selected, which indicates that a
mobile user can manually select any of these gateways.
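The interaction between gateway priority and source region described above is easy to get wrong, so the following added example (not code from the guide or from Palo Alto Networks) models the selection in Python. It assumes a simplified rule: among gateways whose source region is Any or includes the user's region, the highest priority wins; the real GlobalProtect app also weighs response time among equal-priority gateways, which the model ignores. The gateway names, region codes and priorities are constructed to mirror the Nordic example in the figure.

```python
from dataclasses import dataclass
from typing import List, Optional

# Priority levels offered in the portal agent configuration, ranked so that a
# higher number wins. "Manual only" gateways are never auto-selected.
PRIORITY_RANK = {
    "Highest": 5, "High": 4, "Medium": 3, "Low": 2, "Lowest": 1, "Manual only": 0,
}


@dataclass(frozen=True)
class ExternalGateway:
    name: str
    priority: str
    source_regions: List[str]  # ["Any"] or region codes such as "SE" for Sweden


def eligible(gw: ExternalGateway, user_region: str) -> bool:
    """A gateway is a candidate if its source region is Any or includes the user's region."""
    return "Any" in gw.source_regions or user_region in gw.source_regions


def select_gateway(gateways: List[ExternalGateway], user_region: str) -> Optional[str]:
    """Name of the gateway the app would auto-select for a user in user_region.

    Simplified model (assumption): the highest-priority eligible gateway wins.
    Response-time tie-breaking is not modelled, so keep sample priorities distinct.
    """
    candidates = [g for g in gateways if eligible(g, user_region) and PRIORITY_RANK[g.priority] > 0]
    if not candidates:
        return None
    return max(candidates, key=lambda g: PRIORITY_RANK[g.priority]).name


def find_shadowing_gateways(gateways: List[ExternalGateway], prisma_access_name: str) -> List[str]:
    """Configuration check: on-premise gateways with a source region of Any that outrank
    the Prisma Access gateways. Such a gateway is preferred by every user worldwide."""
    pa = next(g for g in gateways if g.name == prisma_access_name)
    return [
        g.name for g in gateways
        if g.name != prisma_access_name
        and "Any" in g.source_regions
        and PRIORITY_RANK[g.priority] > PRIORITY_RANK[pa.priority]
    ]


# Constructed sample: on-premise gateways restricted to their own country, and the
# Prisma Access gateways (which take no source region) at a lower priority.
RECOMMENDED = [
    ExternalGateway("onprem-sweden", "Highest", ["SE"]),
    ExternalGateway("onprem-norway", "Highest", ["NO"]),
    ExternalGateway("onprem-denmark", "Highest", ["DK"]),
    ExternalGateway("prisma-access", "Medium", ["Any"]),
]

# Same gateways, but the Swedish on-premise gateway was given a source region of Any.
MISCONFIGURED = [
    ExternalGateway("onprem-sweden", "Highest", ["Any"]),
    ExternalGateway("onprem-norway", "Highest", ["NO"]),
    ExternalGateway("onprem-denmark", "Highest", ["DK"]),
    ExternalGateway("prisma-access", "Medium", ["Any"]),
]


if __name__ == "__main__":
    for region in ("SE", "NO", "US"):
        print(region, "recommended:", select_gateway(RECOMMENDED, region),
              "| misconfigured:", select_gateway(MISCONFIGURED, region))
    print("shadowing gateways:", find_shadowing_gateways(MISCONFIGURED, "prisma-access"))
```

Run against the misconfigured list, a user in the US (or anywhere else) is steered to the Swedish on-premise gateway and never reaches Prisma Access, which is the failure mode the note above warns about; `find_shadowing_gateways` is the check to run on a portal configuration before committing it.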
Allow Mobile Users to Manually Select Specific Prisma Access Gateways
When system administrators specify priorities for gateways in Panorama, they can only specify priorities for
all Prisma Access gateways as a whole.
When configuring the Prisma Access gateways, do not specify a source region. Any region
you specify is not applied to the configuration.
To choose a specific Prisma Access gateway, mobile users can select the gateway on their endpoint from
the drop-down list in their GlobalProtect app.
This configuration requires that you configure Manual selection of the gateway when you
Configure Priorities for Prisma Access and On-Premise Gateways.
The following figure shows a user choosing a list of Prisma Access gateways from the endpoint’s
GlobalProtect app.
The tasks you perform to connect to a specific gateway are based on the operating system of your
endpoint. For details, see the following sections from the GlobalProtect App User Guide:
• Download and Install the GlobalProtect App for Windows
• Download and Install the GlobalProtect App for Mac
• Use the GlobalProtect App for Chrome OS
• Use the GlobalProtect App for Linux
[Table: Internal DNS Resolution Method | External DNS Resolution Method | Prisma Access Proxies the DNS Request (Yes/No)]
To disable the proxy, you must specify the same server to resolve external domains as
the one that you use to resolve internal domains by selecting Same as Internal Domains
during mobile user or remote network onboarding.
The source IP address of the DNS request depends on whether or not Prisma Access proxies the DNS
request.
• When Prisma Access does not proxy the DNS requests, the source IP address of the DNS request
changes to the IP address of the device that requested the DNS lookup. This source IP address allows
you to enforce source IP address-based DNS policies or identify endpoints that communicate with
malicious domains. This behavior applies for both mobile users and remote network deployments.
• When Prisma Access proxies the DNS requests, the source IP address of the DNS request changes to
the following addresses:
• Mobile User deployments—The source IP address of the DNS request is an IP address taken from the
mobile user IP address pool for internal requests and the mobile user location’s gateway IP address
for external requests.
• Remote Network deployments—The source IP address of the DNS request is the EBGP Router
Address for internal requests and the Service IP Address of the remote network connection for
external requests.
The following figure shows the DNS requests for internal domains being resolved by the DNS server in the
headquarters or data center location, while requests for external domains are resolved by Prisma Access’
Cloud Default DNS server. In this case, Prisma Access proxies the requests, and the source IP address
of the DNS request changes to an IP address from the mobile user IP address pool (172.16.55.0/24) for
internal requests and to the mobile user location’s gateway IP address (15.1.1.1 in this example) for external
requests.
The following figure shows the organization using a third-party or public DNS server accessible through
the internet for requests to external domains. Prisma Access proxies these requests as well, and the source
IP address changes to an IP address from the mobile user IP address pool (172.16.55.0/24) for internal
requests and to 15.1.1.1 for external requests.
If Prisma Access proxies the DNS request, the source IP address of the proxied DNS request changes
to the EBGP Router Address for internal requests and to the Service IP Address of the remote network
connection for external requests, as shown in the following figure.
When you configure the DNS address in your network to use for Prisma Access proxied
external requests, specify the Remote Network DNS Proxy IP Address (Panorama > Cloud
Services > Status > Service Infrastructure > Remote Network DNS Proxy IP Address). In the
following example, you would specify 172.1.255.254 in your network for the DNS server.
Sinkhole IPv6 Traffic From Mobile Users
In a dual stack endpoint that can process both IPv4 and IPv6 traffic, the GlobalProtect app sends mobile
user IPv4 traffic to be protected through the GlobalProtect VPN tunnel to Prisma Access. However, mobile
user IPv6 traffic is not sent to Prisma Access by default and is sent to the local network adapter on the
endpoint instead. To reduce the attack surface for IPv6-based threats, Palo Alto Networks recommends
that you configure Prisma Access to sinkhole IPv6 traffic. Because endpoints can automatically fall back to
an IPv4 address, you can enable a secure and uninterrupted user experience for mobile user traffic to the
internet.
In addition, Palo Alto Networks recommends that you configure GlobalProtect to completely disable
network traffic on the local network adapter. If you have a hybrid Prisma Access deployment with on-
premise next-generation firewalls configured as GlobalProtect gateways, you can configure IPv6 sinkhole
functionality on the on-premise GlobalProtect gateway.
• Configure Prisma Access to Sinkhole IPv6 Traffic
• Configure GlobalProtect to Disable Direct Access to the Local Network
• Set Up an IPv6 Sinkhole On the On-Premise Gateway
To configure Prisma Access so that it sinkholes all mobile user IPv6 traffic, complete the following steps.
STEP 1 | Open a secure CLI session with admin-level privileges, using the same IP address that you use
to log in to the Panorama that manages Prisma Access.
STEP 3 | Enter the set plugins cloud_services mobile-users ipv6 yes command.
If you need to disable this setting in the future, enter set plugins cloud_services mobile-users ipv6 no.
Disabling local network access prevents all traffic, including IPv4 and IPv6 traffic, from being
sent to the local adapter. In addition, you won't be able to access resources on your local
subnet, such as printers.
STEP 1 | Select Network > GlobalProtect > Gateways.
STEP 5 | Select Split Tunnel; then, select No direct access to local network.
STEP 6 | (Panorama and Prisma Access deployments only) Commit your changes locally to make them active
in Panorama.
1. Select Commit > Commit to Panorama.
2. Make sure that your change is part of the Commit Scope.
3. Click OK to save your changes to the push scope.
4. Commit your changes.
STEP 7 | Commit and Push your changes to make them active in Prisma Access.
5. Select IP Pools; then, Add an IPv6 pool to assign to the virtual network adapter on the endpoints that
connect to the GlobalProtect gateway for mobile network traffic, and click OK.
STEP 3 | Add a security policy to set a TCP reset action that will terminate sessions with IPv6 source
traffic that matches the IP pools you configured in Step 1.
1. Select Policies > Security and Add a new security policy.
2. Set the Source Address in the rule to match the IP pools you configured in Step 1.
3. Select Actions; then, select an Action Setting of Reset Client and click OK.
STEP 5 | (Optional) Perform this task on all the gateway firewalls in your deployment.
Report Website Access Issues
Some websites such as stubhub.com, ticketmaster.com, or dollartree.com, block traffic from the cloud IP
address range. When users who are secured by Prisma Access attempt to access these websites, they can
be denied access with the following message on the web browser:
Access Denied.
You don't have permission to access "http://www.dollartree.com/" on this server. Reference
#18.7f955b8.1509600370.44eb7c8
To report this problem, enter https://reportasite.gpcloudservice.com/ from a web browser
and provide the URL of the website that is inaccessible. After 24-48 hours, return to
https://reportasite.gpcloudservice.com/ and enter the same URL to see its status.
Palo Alto Networks reviews all reported sites. If an access issue is found, Palo Alto Networks
categorizes the site and adds an egress policy which changes the IP address of the
site. When users access a site using a different IP address, their first attempt might be
unsuccessful because the client is expected to receive a TCP RST packet, which causes
modern browsers to auto-retry the connection and successfully load the site.
If, after 48 hours, the website continues to be blocked even after a retry operation, verify that you have
configured security policy to allow the user to access the specific website/web category. After confirming
that your acceptable use policy allows the requested web content, open a Support Case with Palo Alto
Networks Technical Support for assistance with the impacted traffic flow, specifying the steps taken to
isolate the issue.
Use Remote Networks to Secure Branches
As your business scales and your office locations become geographically distributed, Prisma
Access for networks allows you to speedily onboard your remote network locations and
deliver best-in-breed security for your users. It offers a convenient option that removes the
complexity in configuring and managing devices at every remote location. The service provides
an efficient way to easily add new remote network locations and minimize the operational
challenges with ensuring that users at these locations are always connected and secure, and it
allows you to manage policy centrally from Panorama for consistent and streamlined security
for your remote network locations.
To connect your remote network locations to Prisma Access, you can use a Palo Alto
Networks next-generation firewall or a third-party, IPSec-compliant device (including SD-WAN
devices) that can establish an IPSec tunnel to the service.
Plan to Deploy Prisma Access for Networks
Prisma Access for networks allows you to pick the geographic locations where you want to deploy Prisma
Access to secure your remote network locations.
Before you begin to Configure Prisma Access for Networks, make sure you have the following configuration
items ready to ensure that you will be able to successfully enable the service and enforce policy for users in
your remote network locations:
Service Connection—If your remote network locations require access to infrastructure in your corporate
headquarters to authenticate users or to enable access to critical network assets, you must create a
service connection so that headquarters and the remote network locations are connected. If the remote
network location is autonomous and does not need access to infrastructure at other locations, you do
not need to set up the service connection (unless your mobile users need access).
Template—Prisma Access automatically creates a template stack (Remote_Network_Template_Stack)
and a top-level template (Remote_Network_Template) for Prisma Access for networks. To Configure
Prisma Access for Networks, you will either need to configure the top-level template from scratch
or leverage your existing configuration, if you are already running a Palo Alto Networks firewall on
premises. The template requires the settings to establish the IPSec tunnel and Internet Key Exchange
(IKE) configuration for protocol negotiation between your remote network location and Prisma Access
for networks, zones that you can reference in security policy, and a log forwarding profile so that you
can forward logs from the Prisma Access for remote networks to Cortex Data Lake.
Parent Device Group—Prisma Access for networks requires you to specify a parent device group that
will include your security policy, security profiles, and other policy objects (such as application groups
and objects, and address groups), as well as authentication policy so that Prisma Access for networks
can consistently enforce policy for traffic that is routed through the IPSec tunnel to Prisma Access for
networks. You will need to either define policy rules and objects on Panorama or use an existing device
group to secure users in the remote network location.
If you use an existing device group that references zones, make sure to add the
corresponding template that defines the zones to the Remote_Network_Template_Stack.
Doing so will allow you to complete the zone mapping when you Configure Prisma Access
for Networks.
IP Subnets—In order for Prisma Access to route traffic to your remote networks, you must provide
routing information for the subnetworks that you want to secure using Prisma Access. You can do this
in several ways. You can either define a static route to each subnetwork at the remote network location,
or configure BGP between your service connection locations and Prisma Access, or use a combination
of both methods. If you configure both static routes and enable BGP, the static routes take precedence.
While it might be convenient to use static routes if you have just a few subnetworks at your remote
network locations, in a large deployment with many remote networks with overlapping subnets, BGP will
enable you to scale more easily.
Configure Prisma Access for Networks
For each remote network that you want to secure using Prisma Access for networks, you must use the
following workflow to push the required policy configuration to the cloud service and onboard each remote
network so that you can start sending traffic from the remote site through the IPSec tunnel to Prisma
Access.
Before you begin onboarding your remote networks, be sure you go through the steps to Plan to Deploy
Prisma Access for Networks.
If you need to onboard many remote network locations, onboard a remote network using this workflow and
then import the remote network configuration.
STEP 1 | Select Panorama > Cloud Services > Configuration > Remote Networks and edit the settings
by clicking the gear icon in the Settings area.
1. In the Templates section, Add any templates that contain configuration you want to push to
Prisma Access for networks. For example, if you have existing templates that contain your zone
configurations, or IPSec tunnel, IKE Gateway, or crypto profile settings, you can add them to the
predefined Remote_Network_Template_Stack to simplify the onboarding process.
You can Add more than one template to the stack and then order them appropriately using Move
Up and Move Down. This is important because Panorama evaluates in the stack from top to bottom,
with settings in templates higher in the stack taking priority over the same settings specified in
templates lower in the stack. Note that you cannot move the default template from the top of the
stack.
Although you can add existing templates to the stack from the plugin, you cannot
create a new template from the plugin. Instead, use the workflow to add a new
template.
2. Select the Parent Device Group for Prisma Access for remote networks. You can select an existing
device group or use Shared.
You will push all of the configuration—including the security policy, security profiles, and other policy
objects (such as application groups and objects, and address groups), HIP objects and profiles and
authentication policy—that Prisma Access for networks needs to enforce consistent policy to your
remote network users using the device group hierarchy you specify here.
You don’t need to define all of the policy that you will push to the remote network
yet. Instead, configure the settings to onboard the remote site. You can then go back
and add the templates and device groups with the complete configurations to push
consistent policy out to your remote networks.
3. If you will be configuring remote networks that have overlapping subnets, select the Overlapped
Subnets check box to enable outbound internet access for those locations.
While configuring Remote Network Locations with Overlapping Subnets introduces some limitations,
it is acceptable in some cases (for example, if you want to add a guest network at a retail store
location).
STEP 2 | (Optional) Configure DNS Proxy settings for your remote network.
Prisma Access allows you to specify DNS servers to resolve both domains that are internal to your
organization and external domains. If you do not specify any settings, Prisma Access does not proxy DNS
requests for remote networks.
1. In the Remote_Network_Device_Group device group, select Policies > Security and Add a security
policy rule with an Application of DNS and an Action of Allow to allow DNS traffic.
Without a security policy rule to allow DNS traffic, DNS resolution does not occur.
2. If you configure Prisma Access to proxy the DNS requests from your remote networks, update the
DNS settings on all the endpoints in that network to use the Prisma Access Remote Network DNS
Proxy IP Address as the primary DNS server and use your DNS server as secondary DNS server. You
can get this DNS proxy IP from Panorama > Cloud Services > Status > Network Details > Service
Infrastructure.
3. Add one or more DNS proxy settings, entering the following values:
• For Internal Domains:
• Select a Region (North America & South America, Africa, Europe & Middle East, or Asia,
Australia & Japan), or specify Worldwide to apply the DNS settings globally.
You can add multiple region-specific DNS proxy settings, or specify a DNS proxy for one
or more regions and specify another worldwide DNS proxy for the rest of the world. If you
specify only a regional setting and onboard remote networks in that region only, Prisma Access
does not proxy the DNS requests, and the source IP address of the DNS request is the remote
network’s EBGP Router IP address. If you specify multiple proxy settings with a mix of regional
and worldwide regions, Prisma Access uses the regional settings for the Locations in the region
you specify; otherwise, Prisma Access uses the worldwide settings.
• Specify the IP addresses of the Primary DNS and Secondary DNS servers that your remote
network should use to resolve internal domains.
• (Optional) If you want your internal DNS server to only resolve the domains you specify, enter
the domains to resolve in the Domain List.
You can use a wildcard (*) in front of the domains in the domain list, for example *.acme.local
or .acme.com. You can specify a maximum of 1,024 domain entries.
• For External Domains:
• Enter a Primary DNS choice.
To use the default Prisma Access DNS server, select Use Cloud Default. To use the same
server that you use to resolve internal domains, select Same as Internal Domains. To use third-
party or public DNS server, select Custom DNS Server, then specify the IP address of the DNS
server.
• Enter a Secondary DNS choice, choosing from the same options you chose for the Primary
DNS.
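The DNS proxy settings in this step, together with the source-address behavior described earlier in this chapter (proxied requests carry a pool or gateway address for mobile users and the EBGP Router Address or Service IP Address for remote networks; Same as Internal Domains turns the proxy off), are modelled in the following added example. It is not code from the guide or from Palo Alto Networks. It assumes that a query is internal when it matches the Domain List (using the wildcard forms shown above) and that a setting with an empty Domain List sends every query to the internal servers; the server addresses, pool and gateway IP addresses are constructed, with the 172.16.55.0/24 pool and 15.1.1.1 gateway taken from the figures.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

USE_CLOUD_DEFAULT = "Use Cloud Default"
SAME_AS_INTERNAL = "Same as Internal Domains"
MAX_DOMAIN_ENTRIES = 1024  # limit stated in the guide


@dataclass
class DnsProxySetting:
    region: str                     # "Worldwide" or one of the four regions
    internal_primary: str
    internal_secondary: str
    domain_list: List[str] = field(default_factory=list)
    external_primary: str = USE_CLOUD_DEFAULT  # or SAME_AS_INTERNAL or a Custom DNS Server IP


def validate_setting(s: DnsProxySetting) -> None:
    """Reject configurations the guide says are invalid."""
    if len(s.domain_list) > MAX_DOMAIN_ENTRIES:
        raise ValueError(f"Domain List has {len(s.domain_list)} entries; maximum is {MAX_DOMAIN_ENTRIES}")
    if s.external_primary not in (USE_CLOUD_DEFAULT, SAME_AS_INTERNAL):
        ipaddress.ip_address(s.external_primary)  # Custom DNS Server must be an IP address


def pick_setting(settings: List[DnsProxySetting], location_region: str) -> Optional[DnsProxySetting]:
    """A regional setting for the location's region wins; otherwise Worldwide; otherwise none."""
    for s in settings:
        if s.region == location_region:
            return s
    for s in settings:
        if s.region == "Worldwide":
            return s
    return None


def domain_matches(query: str, entry: str) -> bool:
    """Match the wildcard forms from the guide (*.acme.local, .acme.com) or an exact name.
    Matching semantics beyond those forms are an assumption of this model."""
    q, e = query.lower().rstrip("."), entry.lower().rstrip(".")
    if e.startswith("*."):
        e = e[1:]
    if e.startswith("."):
        return q.endswith(e)
    return q == e


@dataclass
class DnsPlan:
    proxied: bool
    server: Optional[str]  # None: the resolver already configured on the client
    source_ip: str         # address the upstream DNS server sees


def plan_dns_query(settings: List[DnsProxySetting], location_region: str, query: str,
                   deployment: str, ctx: Dict[str, str]) -> DnsPlan:
    """ctx carries the addresses the guide names: device_ip, plus pool_ip/gateway_ip
    (mobile users) or ebgp_router_ip/service_ip (remote networks)."""
    s = pick_setting(settings, location_region)
    if s is None:  # no settings: Prisma Access does not proxy
        return DnsPlan(False, None, ctx["device_ip"])
    if s.external_primary == SAME_AS_INTERNAL:  # proxy disabled, one server for everything
        return DnsPlan(False, s.internal_primary, ctx["device_ip"])
    internal = any(domain_matches(query, d) for d in s.domain_list) if s.domain_list else True
    if deployment == "mobile-users":
        src = ctx["pool_ip"] if internal else ctx["gateway_ip"]
    elif deployment == "remote-network":
        src = ctx["ebgp_router_ip"] if internal else ctx["service_ip"]
    else:
        raise ValueError(f"unknown deployment type {deployment!r}")
    if internal:
        return DnsPlan(True, s.internal_primary, src)
    server = "cloud-default" if s.external_primary == USE_CLOUD_DEFAULT else s.external_primary
    return DnsPlan(True, server, src)


# Constructed sample: a regional setting with a custom external server, plus a worldwide fallback.
SETTINGS = [
    DnsProxySetting("Europe & Middle East", "10.0.0.53", "10.0.0.54", ["*.acme.local"], "203.0.113.53"),
    DnsProxySetting("Worldwide", "10.0.0.53", "10.0.0.54", ["*.acme.local"]),
]
MOBILE_CTX = {"device_ip": "192.0.2.10", "pool_ip": "172.16.55.20", "gateway_ip": "15.1.1.1"}
RN_CTX = {"device_ip": "10.1.1.25", "ebgp_router_ip": "10.200.0.1", "service_ip": "198.51.100.7"}

if __name__ == "__main__":
    for s in SETTINGS:
        validate_setting(s)
    for name in ("fileserver.acme.local", "www.example.com"):
        print(name, plan_dns_query(SETTINGS, "Europe & Middle East", name, "mobile-users", MOBILE_CTX))
```

The `source_ip` field is the value to expect in the logs of the DNS server that finally answers the query: when the proxy is on, a DNS-based policy or a malicious-domain alert keyed on source address will point at a pool or gateway address rather than the endpoint, which is why the guide highlights the non-proxied mode for endpoint attribution.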
STEP 3 | (Optional) Configure Prisma Access to use the Directory Sync service to retrieve user and group
information.
You must configure Directory Sync to retrieve user and group information from your Active Directory
(AD) before you enable and configure Directory Sync integration in Prisma Access using the settings in
the Group Mapping Settings tab. See Get User and Group Information Using Directory Sync for details.
STEP 4 | Create new zones in one of the templates in the stack (Network > Zones > Add) or map
the zones referenced in existing templates you added to the stack as trusted or untrusted.
On Panorama, policy rules are defined in device groups, and zones are defined in templates.
Therefore, you need to make sure that you add the templates that reference the zones
included in your policy rules to the template stack.
On a Palo Alto Networks® next-generation firewall, security policy is enforced between zones, which
map to physical or virtual interfaces on the firewall. But as Prisma Access for networks has only two
zones, trust and untrust, you need to map any zone with traffic bound to the Internet (including your
sanctioned SaaS applications) as untrust and all internal zones as trust.
1. (Optional) Edit the zone mapping settings.
By default, all of the zones in the Prisma Access for networks template stack are classified as Untrusted
Zones. If you have not yet defined zones or if the templates in the Remote_Network_Template_Stack
do not have zone configurations, you can come back and add them when you push policy to Prisma
Access for networks.
2. For each zone you want to designate as trusted, select it and click Add to move it to the list of
Trusted Zones.
3. Click OK to save the mappings.
STEP 5 | Click Add in the Onboarding settings, and specify a Name to identify the infrastructure that
will secure the remote network location you are onboarding.
You cannot change the name of the remote network location after you enter it. Make sure
you know your naming scheme for your remote networks before you begin onboarding.
STEP 6 | (BGP deployments only) Create a configuration so that your remote network connection can use
up to four IPSec tunnels for its traffic (ECMP Load Balancing).
Note that QoS is not supported with ECMP load balancing, and static routes are not supported (BGP is
required). If your deployment uses one IPSec tunnel for its remote network connection or uses static
routes, select None for ECMP Load Balancing and continue to Step 9.
Specify a minimum Bandwidth of 50 Mbps.
Prisma Access divides the bandwidth you select by the number of tunnels; for example, if you specify
300 Mbps and add four tunnels, each tunnel carries 75 Mbps. If one of the tunnels goes down, your
network connection will now carry 225 Mbps instead of 300 Mbps.
1. Select one of the choices to enable or disable ECMP load balancing.
• None—Do not use ECMP load balancing (use a single remote network tunnel for this remote
network connection). This is the only choice you can make for static routes; BGP is required for
ECMP load balancing.
• Enabled with Symmetric Return—Specify up to four IPSec tunnels for this remote network
connection and force Prisma Access to use the same link for the return traffic as it used to send
the traffic.
Select this option if you use one or more tunnels as a backup tunnel to be used only if one of the
primary tunnels goes down. If a link fails, Prisma Access uses one of the other tunnels to send and
receive traffic symmetrically.
2. Add an IPSec tunnel for the remote network connection and specify the following values:
• Enable—Enables BGP for the IPSec tunnel.
This selection is not configurable; you must enable BGP to configure ECMP.
• Summarize Mobile User Routes before advertising—Reduces the number of mobile user IP subnet
advertisements over BGP to your customer premises equipment (CPE) by summarizing them.
By default, Prisma Access advertises the mobile user IP address pools in blocks of /24 subnets;
if you summarize them, Prisma Access advertises the pool based on the subnet you specified.
For example, Prisma Access advertises a public user mobile IP pool of 10.8.0.0/20 using the /20
subnet, rather than dividing the pool into subnets of 10.8.1.0/24, 10.8.2.0/24, 10.8.3.0/24, and so
on before advertising them. Summarizing these advertisements can reduce the number of routes
stored in CPE routing tables. For example, you can use IP pool summarization with cloud VPN
gateways (Virtual Private Gateways (VGWs) or Transit Gateways (TGWs)) that can accept a limited
number of routes.
If you enable route summarization for a location that uses ECMP, you must enable
route summarization on all links to that location, or you will receive an error during
commit.
Prisma Access sets the community string for aggregated mobile user routes to 0xFFFE:0xFFF0.
• Advertise Default Route—Allows Prisma Access to advertise a default route for the remote
network using eBGP.
You must publish your default routes before you make this selection to advertise
them. In addition, be sure that your network does not have another default route
being advertised by BGP, or you could introduce routing issues in your network.
• Don’t Advertise Prisma Access Routes—Prevents the Prisma Access BGP peer from forwarding
routes into your organization’s network.
By default, Prisma Access advertises all BGP routing information, including local routes and all
prefixes it receives from other service connections, remote networks, and mobile user subnets.
Select this check box to prevent Prisma Access from sending any BGP advertisements, but still use
the BGP information it receives to learn routes from other BGP neighbors.
Since Prisma Access does not send BGP advertisements if you select this option, you must
configure static routes on the on-premise equipment to establish routes back to Prisma Access.
• Peer AS—Specify the autonomous system (AS) to which the firewall, virtual router, or BGP router
at your remote network belongs.
• Peer IP Address—Enter the IP address assigned as the Router ID of the eBGP router on the
remote network for which you are configuring this connection.
• Local IP Address (Optional)—Enter an address that Prisma Access uses as its Local IP address for
BGP. Specify the IP address to use on the Prisma Access side of the tunnel.
Specifying a Local Address is useful where the device on the other side of the connection (such
as an Amazon Web Service (AWS) Virtual Private Gateway) requires a specific local IP address for
BGP peering to be successful. Make sure that the address you specify does not conflict or overlap
with IP addresses in the Infrastructure Subnet or subnets in the remote network.
• Secret and Confirm Secret (Optional)—Enter and confirm a passphrase to authenticate BGP peer
communications.
3. Repeat the previous step to add up to four tunnels to use with the remote network connection.
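The ECMP step carries several constraints that only surface at commit time (BGP required, a 50 Mbps minimum, at most four tunnels, route summarization set the same way on every link) plus the route-summarization and bandwidth-sharing behavior described above. The following added example, which is not code from the guide or from Palo Alto Networks, checks a candidate remote network configuration against those constraints and shows what the summarization switch does to the advertised route count. The tunnel names, AS number and peer addresses are constructed; the 10.8.0.0/20 pool, the 300 Mbps figure and the 0xFFFE:0xFFF0 community string are the guide's own values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

MAX_ECMP_TUNNELS = 4
MIN_ECMP_BANDWIDTH_MBPS = 50
MU_AGGREGATE_COMMUNITY = "0xFFFE:0xFFF0"  # set by Prisma Access on summarized mobile user routes


@dataclass
class EcmpTunnel:
    name: str
    peer_as: int
    peer_ip: str
    summarize_mobile_user_routes: bool = False
    advertise_default_route: bool = False


def advertised_mobile_user_routes(pools: List[str], summarize: bool) -> List[str]:
    """Routes Prisma Access advertises for the given mobile user pools: /24 blocks by
    default, or the pools exactly as configured when summarization is enabled."""
    routes = []
    for pool in pools:
        net = ipaddress.ip_network(pool)
        if summarize or net.prefixlen >= 24:
            routes.append(net)
        else:
            routes.extend(net.subnets(new_prefix=24))
    return [str(r) for r in routes]


def per_tunnel_bandwidth(total_mbps: int, tunnels: int, failed: int = 0) -> Tuple[float, float]:
    """(bandwidth each tunnel carries, bandwidth the connection carries with `failed` tunnels down).
    Prisma Access divides the allocated bandwidth evenly across the tunnels."""
    share = total_mbps / tunnels
    return share, share * (tunnels - failed)


def validate_ecmp(mode: str, routing: str, bandwidth_mbps: int, tunnels: List[EcmpTunnel]) -> List[str]:
    """Return the constraints from the guide that this remote network configuration violates."""
    problems = []
    if mode == "None":
        if len(tunnels) > 1:
            problems.append("ECMP Load Balancing is None: only a single tunnel can be used")
        return problems
    if routing != "bgp":
        problems.append("ECMP load balancing requires BGP; static routes are not supported")
    if bandwidth_mbps < MIN_ECMP_BANDWIDTH_MBPS:
        problems.append(f"ECMP load balancing requires at least {MIN_ECMP_BANDWIDTH_MBPS} Mbps")
    if not 1 <= len(tunnels) <= MAX_ECMP_TUNNELS:
        problems.append(f"ECMP supports 1 to {MAX_ECMP_TUNNELS} tunnels, got {len(tunnels)}")
    if len({t.summarize_mobile_user_routes for t in tunnels}) > 1:
        problems.append("route summarization must be enabled on all links to the location or on none")
    return problems


if __name__ == "__main__":
    # Constructed configuration: four tunnels to a branch router in AS 65001.
    tunnels = [EcmpTunnel(f"branch-tunnel-{i}", 65001, f"203.0.113.{i}", True) for i in range(1, 5)]
    print("violations:", validate_ecmp("Enabled with Symmetric Return", "bgp", 300, tunnels))
    print("per tunnel / after one failure:", per_tunnel_bandwidth(300, 4), per_tunnel_bandwidth(300, 4, 1))
    print("unsummarized routes:", len(advertised_mobile_user_routes(["10.8.0.0/20"], False)))
    print("summarized routes:", advertised_mobile_user_routes(["10.8.0.0/20"], True), MU_AGGREGATE_COMMUNITY)
```

With summarization off, the single /20 pool appears as sixteen /24 routes at the CPE; with it on, a cloud VPN gateway with a tight route limit sees one route tagged with the community string above, and the validator flags the mixed case that the guide says will fail at commit.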
STEP 7 | Select the Location in which Prisma Access will deploy the infrastructure required to secure
your remote network location. This region should be geographically located close to your
remote network location.
See this table for a list of Prisma Access locations.
STEP 8 | Select the Bandwidth you want to allocate to this remote network location. The bandwidth
you select cannot exceed the total amount of bandwidth you have licensed. Use this setting to
define the amount of the total licensed bandwidth you want to allocate to this location.
To help you determine how much bandwidth a specific site needs, consider the bandwidth available
from your ISP at each location. See How to Calculate Remote Network Bandwidth for more details and
suggestions. If you enable ECMP Load Balancing, you must specify a minimum of 50 Mbps.
You can change the bandwidth of a remote network connection after you onboard it, with
the exception of the 500 Mbps (w/o SSL Decryption) or 1000 Mbps (Preview) bandwidth
choices. If you select either of these preview choices and then need to change the
bandwidth, you must first add an identical network with the only change being the lower,
non-Preview bandwidth choice, commit your changes, make a note of the Service IP
address and reconfigure your IPSec tunnel to use that address, then delete the existing
remote network with the preview bandwidth choice.
STEP 9 | (Static routing or single-tunnel deployments only) Select or add a new IPSec Tunnel configuration
to access the firewall, router, or SD-WAN device at the corporate location:
• If you have added a template to the Remote_Network_Template_Stack (or modified the predefined
Remote_Network_Template) that includes an IPSec Tunnel configuration, select that IPSec Tunnel
from the drop-down. Note that the tunnel you are creating for each remote network connection
connects Prisma Access to the IPSec-capable device at each branch location.
Use the following guidelines when configuring an IPSec tunnel:
• The peer addresses in the IKE Gateway configuration must be unique for each tunnel. You can,
however, re-use some of the other common configuration elements, such as crypto profiles.
• The IPSec Tunnel you select from a template must use Auto Key exchange and IPv4 only.
• If you onboard multiple remote networks to the same location with dynamic IKE peers, you must
use the same IKE crypto profile for all remote network configurations.
• To create a new IPSec Tunnel configuration, click New IPSec Tunnel, give it a Name and configure
the IKE Gateway, IPSec Crypto Profile, and Tunnel Monitoring settings.
• If the IPSec-capable device at your branch location uses policy-based VPN, on the Proxy IDs tab,
Add a proxy ID that matches the settings configured on your local IPSec device to ensure that
Prisma Access can successfully establish an IPSec tunnel with your local device.
• Leave Enable Replay Protection selected to detect and neutralize replay attacks.
• Select Copy TOS Header to copy the Type of Service (TOS) header from the inner IP header to the
outer IP header of the encapsulated packets in order to preserve the original TOS information.
• To enable tunnel monitoring for the service connection, select Tunnel Monitor.
• Enter a Destination IP address.
Specify an IP address at your branch location to which Prisma Access can send ICMP ping
requests for IPSec tunnel monitoring. Make sure that this address is reachable by ICMP from the
entire Prisma Access infrastructure subnet.
• If you use tunnel monitoring with a peer device that uses multiple proxy IDs, specify a Proxy ID or
add a New Proxy ID that allows access from the infrastructure subnet to your branch location.
The following figure shows a proxy ID with the service infrastructure subnet (172.16.55.0/24 in
this example) as the Local IP subnet and the branch location’s subnet (10.1.1.0/24 in this example)
as the Remote subnet.
The following figure shows the Proxy ID you created being applied to the tunnel monitor
configuration by specifying it in the Proxy ID field.
You must configure a static route on your CPE to the Tunnel Monitor IP Address for
tunnel monitoring to function. To find the destination IP address to use for tunnel
monitoring from your branch location to Prisma Access, select Panorama > Cloud
Services > Status > Network Details, click the Service Infrastructure radio button, and
find the Tunnel Monitor IP Address.
STEP 10 | If you have a secondary WAN link at this location, select Enable Secondary WAN.
Be sure to create a unique IPSec tunnel for each remote network’s secondary WAN;
Prisma Access does not support reusing the same IPSec tunnel for secondary WANs in
multiple remote networks.
If you use static routes, tunnel failover time is less than 15 seconds from the time of detection,
depending on your WAN provider.
If you configure BGP routing and have enabled tunnel monitoring, the shortest default hold time to
determine that a security parameter index (SPI) is failing is the tunnel monitor, which removes all routes
to a peer when it detects a tunnel failure for 15 consecutive seconds. In this way, the tunnel monitor
determines the behavior of the BGP routes. If you do not configure tunnel monitoring, the hold timer
determines the amount of time that the tunnel is down before removing the route. Prisma Access uses
the default BGP HoldTime value of 90 seconds as defined by RFC 4271, which is the maximum wait
time before Prisma Access removes a route for an inactive SPI. If the peer BGP device has a shorter
configured hold time, the BGP hold timer uses the lower value.
When the secondary tunnel is successfully installed, the secondary route takes precedence until the
primary tunnel comes back up. If the primary and secondary are both up, the primary route takes
priority.
STEP 11 | Enable routing to the subnetworks or individual IP addresses at the remote network site that
your users will need access to.
Prisma Access uses this information to route requests to the appropriate site. The networks at each
site cannot overlap with each other or with IP address pools that you designated for the service
infrastructure or for the Prisma Access for users IP pools. You can configure Static Routes, BGP, or a
combination of both.
• To configure Static Routes:
1. On the Static Routes tab, click Add and enter the subnetwork address (for example,
172.168.10.0/24) or individual IP address of a resource, such as a DNS server (for example,
10.32.5.1/32) that your remote users will need access to.
2. Repeat for all subnets or IP addresses that Prisma Access will need access to at this location.
• To configure BGP:
1. Select the BGP tab.
2. Select the ECMP Load Balancing choices. See Step 6.
3. If you select None for ECMP Load Balancing, enter the BGP choices.
4. To enable BGP for the remote network connection, select Enable.
When you enable BGP, Prisma Access sets the time to live (TTL) value for external BGP (eBGP) to
8 to accommodate any extra hops that might occur between the Prisma Access infrastructure and
your customer premises equipment (CPE) that terminates the eBGP connection.
5. To reduce the number of mobile user IP subnet advertisements over BGP to your customer
premises equipment (CPE) by summarizing them, select Summarize Mobile User Routes before
advertising.
By default, Prisma Access advertises the mobile users IP address pools in blocks of /24 subnets;
if you summarize them, Prisma Access advertises the pool based on the subnet you specified.
For example, Prisma Access advertises a public user mobile IP pool of 10.8.0.0/20 using the /20
subnet, rather than dividing the pool into subnets of 10.8.1.0/24, 10.8.2.0/24, 10.8.3.0/24, and so
on before advertising them. Summarizing these advertisements can reduce the number of routes
stored in CPE routing tables. For example, you can use IP pool summarization with cloud VPN
gateways (Virtual Private Gateways (VGWs) or Transit Gateways (TGWs)) that can accept a limited
number of routes.
Prisma Access sets the community string for aggregated mobile user routes to 0xFFFE:0xFFF0.
6. To allow Prisma Access to advertise a default route for the remote network using eBGP, select
Advertise Default Route.
If you select Advertise Default Route, be sure that your network does not have another default
route being advertised by BGP, or you could introduce routing issues in your network.
You must publish your default routes before you make this selection to advertise
them. In addition, be sure that your network does not have another default route
being advertised by BGP, or you could introduce routing issues in your network.
7. To prevent the BGP peer on the Prisma Access firewall from forwarding routes into your
organization’s network, select Don’t Advertise Prisma Access Routes.
By default, Prisma Access advertises all BGP routing information, including local routes and all
prefixes it receives from other service connections, remote networks, and mobile user subnets.
Select this check box to prevent Prisma Access from sending any BGP advertisements, but still use
the BGP information it receives to learn routes from other BGP neighbors.
Since Prisma Access does not send BGP advertisements if you select this option, you must
configure static routes on the on-premise equipment to establish routes back to Prisma Access.
8. Enter the Peer AS, which is the autonomous system (AS) to which the firewall, virtual router, or
BGP router at your remote network belongs.
9. Enter the IP address assigned as the Router ID of the eBGP router on the remote network for
which you are configuring this connection as the Peer Address.
10. (Optional) Enter an address that Prisma Access uses as its Local IP address for BGP.
Specifying a Local Address is useful where the device on the other side of the connection (such
as an Amazon Web Service (AWS) Virtual Private Gateway) requires a specific local IP address for
BGP peering to be successful. Make sure that the address you specify does not conflict or overlap
with IP addresses in the Infrastructure Subnet or subnets in the remote network.
You must configure a static route on your CPE to the BGP Local Address.
For BGP deployments with secondary WANs, Prisma Access sets both the primary
and secondary tunnels in an UP state, but follows normal BGP active-backup
behavior for network traffic. Prisma Access sets the primary tunnel as active and
sends and receives traffic through that tunnel only; if the primary tunnel fails,
Prisma Access detects the failure using BGP rules, sets the secondary tunnel as
active, and uses only the secondary tunnel to send and receive traffic.
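As an added example (not the guide's or Palo Alto Networks' own code), the Python script below turns two of the rules in this step into checks you can run before onboarding: the requirement that a site's subnets overlap neither other sites nor the infrastructure and mobile user pools, and the effect of Summarize Mobile User Routes on what is advertised to a CPE with a limited routing table. Site names, prefixes and the route limit are constructed; the 172.16.55.0/24 infrastructure subnet and the 10.8.0.0/20 mobile user pool are the values the guide uses in its own illustrations, and the treatment of pools that are already /24 or smaller is an assumption.

```python
"""Route planning checks for a remote network connection (Step 11).

Added example, not Palo Alto Networks code. Site names, prefixes and the
route limit are constructed; read the real values from Panorama and from
your CPE vendor's documentation.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample of the pools Prisma Access itself uses: the infrastructure
# subnet and mobile user pool values are the ones the guide uses in its figures.
RESERVED_POOLS: Dict[str, str] = {
    "infrastructure_subnet": "172.16.55.0/24",
    "mobile_user_pool": "10.8.0.0/20",
}

# Constructed sample of prefixes already routed to onboarded sites.
EXISTING_SITES: Dict[str, List[str]] = {
    "branch-london": ["10.1.1.0/24", "10.1.2.0/24", "10.32.5.1/32"],
    "branch-tokyo": ["10.2.0.0/16"],
}

Conflict = Tuple[str, str, str]  # (new prefix, owner of the clash, clashing prefix)


def find_conflicts(site_name: str, prefixes: Iterable[str],
                   existing_sites: Dict[str, List[str]] = EXISTING_SITES,
                   reserved: Dict[str, str] = RESERVED_POOLS) -> List[Conflict]:
    """Every overlap that would make the site's static routes invalid.

    strict=True makes ipaddress reject a prefix with host bits set (10.1.1.5/24)
    instead of widening it to the containing network.
    """
    new_nets = [ipaddress.ip_network(p, strict=True) for p in prefixes]
    conflicts: List[Conflict] = []
    # 1. The site's own prefixes must not overlap each other.
    for i, a in enumerate(new_nets):
        for b in new_nets[i + 1:]:
            if a.overlaps(b):
                conflicts.append((str(a), site_name, str(b)))
    # 2. They must not overlap anything routed to another site.
    for other, other_prefixes in existing_sites.items():
        if other == site_name:
            continue
        for o in map(ipaddress.ip_network, other_prefixes):
            conflicts.extend((str(n), other, str(o)) for n in new_nets if n.overlaps(o))
    # 3. They must not overlap the service infrastructure or mobile user pools.
    for label, pool in reserved.items():
        pool_net = ipaddress.ip_network(pool)
        conflicts.extend((str(n), label, str(pool_net)) for n in new_nets if n.overlaps(pool_net))
    return conflicts


def advertised_mobile_user_routes(pools: Iterable[str], summarize: bool) -> List[str]:
    """Prefixes advertised over BGP for the mobile user IP pools.

    summarize=False models the default: a pool larger than /24 is carved into
    /24 blocks. summarize=True advertises each pool exactly as configured.
    Pools already /24 or longer are advertised as-is either way (assumption:
    the guide describes the /24 split only for larger pools).
    """
    routes: List[str] = []
    for pool in pools:
        net = ipaddress.ip_network(pool, strict=True)
        if summarize or net.prefixlen >= 24:
            routes.append(str(net))
        else:
            routes.extend(str(block) for block in net.subnets(new_prefix=24))
    return routes


def route_budget_check(pools: Iterable[str], route_limit: int) -> Tuple[bool, bool]:
    """(fits without summarization, fits with summarization) for a CPE that
    accepts at most route_limit prefixes. route_limit is a placeholder."""
    pools = list(pools)
    plain = len(advertised_mobile_user_routes(pools, summarize=False))
    summarized = len(advertised_mobile_user_routes(pools, summarize=True))
    return plain <= route_limit, summarized <= route_limit


if __name__ == "__main__":
    proposal = ["10.3.0.0/24", "10.1.1.0/25", "172.16.55.128/25"]  # constructed
    for new, owner, clash in find_conflicts("branch-paris", proposal):
        print(f"{new} overlaps {clash} ({owner})")
    pool = RESERVED_POOLS["mobile_user_pool"]
    print(len(advertised_mobile_user_routes([pool], summarize=False)), "routes unsummarized")
    print(advertised_mobile_user_routes([pool], summarize=True), "summarized")
    print(route_budget_check([pool], route_limit=10))
```

Run with python3: the constructed proposal reports two collisions (one with branch-london, one with the infrastructure subnet), and the mobile user pool goes from sixteen /24 advertisements to a single /20 once summarization is on.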
STEP 12 | If required, enable Quality of Service for the remote network connection and specify a QoS
profile or add a New QoS Profile.
You can create QoS profiles to shape QoS traffic for remote network and service connections and apply
those profiles to traffic that you marked with PAN-OS security policies, traffic that you marked with an
on-premise device, or both PAN-OS-marked and on-premise-marked traffic. See Configure Quality of
Service in Prisma Access for details.
STEP 13 | Commit the configuration changes to Panorama and push the configuration out to Prisma
Access for networks.
1. Click Commit > Commit to Panorama.
2. Click Commit > Commit and Push. Click Edit Selections > Prisma Access, and select both Prisma
Access for networks and Prisma Access for service setup to push the configuration out to the service.
STEP 14 | Configure the IPSec-capable device at the remote network location to set up an IPSec
connection with Prisma Access for networks.
1. Find the Service IP Address for this remote network connection by selecting Panorama > Cloud
Services > Status > Network Details, clicking the Remote Networks radio button, and viewing the
Service IP Address field. Prisma Access for networks infrastructure has assigned this IP address for
the Prisma Access remote network connection, and you must configure this as the peer IP address to
set up the IPSec tunnel between the remote network location and Prisma Access for networks.
2. Check the Local IP address for the device at the remote network location on the Panorama > Cloud
Services > Status > Network Details > Remote Networks page. If you are performing NAT at the
remote network location, the Local IP address displays the IP address of the device after NAT.
STEP 15 | To secure traffic at the remote network location you must create security policy rules.
1. Select Policies.
2. Select the Device Group in which to add policy rules. You can select the
Remote_Network_Device_Group or the parent device group that you selected for defining policies to
secure the remote network location.
3. Create security policy rules. Make sure that you do not define security policy rules to allow traffic
from any zone to any zone. In the security policy rules, use the zones that you defined in your
template.
If a user on your network is denied access to a website, report website access issues before you open
a ticket with Palo Alto Networks.
STEP 16 | Enable logging to Cortex Data Lake. You must create and attach a log forwarding profile to
each policy rule for which you want to forward logs.
1. Select Objects > Log Forwarding.
2. Select the Device Group in which you added the policy rules, for example,
Remote_Network_Device_Group.
3. Add a Log Forwarding profile. In the log forwarding profile match list, Add each Log Type that you
want to forward.
4. Select Panorama/Logging Service as the Forward Method to enable Prisma Access to forward the
logs to Cortex Data Lake. You will be able to monitor the logs and generate reports from Panorama.
Cortex Data Lake provides a seamless integration to store logs without backhauling them to your
Panorama at the corporate headquarters, and Panorama can query Cortex Data Lake as needed.
The following example enables forwarding of Traffic, Threat Prevention, WildFire Submission, URL
Filtering, Data Filtering, and Authentication logs to Cortex Data Lake.
5. Select Policies > Security and edit the policy rule. In Actions, select the Log Forwarding profile you
created.
STEP 17 | Commit all your changes to Panorama and push the configuration changes to Prisma Access.
1. Click Commit > Commit to Panorama.
2. Click Commit > Push to Devices and click Edit Selections.
3. On the Prisma Access tab, make sure Prisma Access for networks is selected and then click OK.
4. Click Push.
To display a map that shows the locations of the remote networks in the regions you have selected, select
Panorama > Cloud Services > Status > Monitor and click the Remote Networks tab.
Click the tabs below the map to see additional remote network statistics.
Status tab:
• Location—The location where your remote network is deployed.
• Remote Peer—The peer to which the remote network has an IPSec tunnel connection.
• Allocated Bandwidth (Mbps)—The amount of bandwidth you allocated for the remote network location.
To enable traffic peaks, the service allows you to go 10% over the allocated bandwidth for
each site; traffic overages above this peak limit are dropped.
• ECMP—Whether you have enabled ECMP Load Balancing on this remote network connection.
• Config Status—The status of your last configuration push to the service. If you have made a change
locally, and not yet pushed the configuration to the cloud, the status shows Out of sync. Hover over the
status indicator for more detailed information. After committing and pushing the configuration to Prisma
Access, the Config Status changes to In sync.
• BGP Status—Displays information about the BGP state between the firewall or router at the remote
network location and Prisma Access. Although you might temporarily see the status pass through the
various BGP states (idle, active, open send, open pend, open confirm), the BGP status most commonly
shows:
• Connect—The router at the remote network location is trying to establish the BGP peer relationship
with Prisma Access.
• Established—The BGP peer relationship has been established.
This field will also show if the BGP connection is in an error state:
• Warning—There has not been a BGP status update in more than eight minutes. This may indicate an
outage on the firewall.
• Error—The BGP status is unknown.
• Tunnel Status—The operational status of the connection between Prisma Access and the remote
network.
• Inbound Access—Whether you have configured this remote network to provide secure inbound access
for internet-connected users.
Statistics tab:
• Location—The location where your remote network is deployed.
• Remote Peer—The corporate location to which this remote network is setting up an IPSec tunnel.
• Allocated Bandwidth (Mbps)—The amount of bandwidth you allocated for the remote network location.
• Ingress Bandwidth (Mbps)—The bandwidth from the remote network location to Prisma Access.
For the Ingress Bandwidth, Ingress Peak Bandwidth, Egress Bandwidth, and Egress
Peak Bandwidth fields, when the bandwidth consumption on a remote network goes
beyond 80% of the allocated bandwidth, the numbers display in a red color.
• Ingress Peak Bandwidth (Mbps)—The peak load from the remote network location into the cloud
service.
• Egress Bandwidth (Mbps)—The bandwidth from Prisma Access into the remote network location.
• Egress Peak Bandwidth (Mbps)—The peak load from Prisma Access into the remote network location.
• QoS—Select this button to display a chart that shows real-time and historical QoS statistics,
including the number of dropped packets per class. This chart displays only for service connections or
remote network connections that have QoS enabled.
The BGP Status dialog displays. This table provides you with the following information:
• Peer—Routing information for the BGP peer, including status, total number of routes, configuration, and
runtime statistics and counters. The total number of routes displays in the bgpAfiIpv4-unicast Counters
area, in the Incoming Total and Outgoing Total fields.
• RIB In—Routing information that has been received from different peers and is stored in the Routing
Information Base (RIB).
• RIB Out—Routing information that Prisma Access advertises to its peers through BGP update messages.
See How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote Network
Connections for an example of this table and for information about how BGP utilizes the IP address pool
you create for mobile users.
Quick Configs for Remote Network Deployments
The following topics show some common Prisma Access deployment scenarios for remote network
deployments and provide instructions for how to configure them:
• Remote Network Locations with Overlapping Subnets
• Remote Network Locations with WAN Link
• Use Predefined IPSec Templates to Onboard Service and Remote Network Connections
• Onboard Remote Networks with Configuration Import
• Configure Quality of Service in Prisma Access
• Create a High-Bandwidth Network for a Remote Site
• Provide Secure Inbound Access to Remote Network Locations
• Configure User-ID and User-Based Policies with Prisma Access
• DNS Resolution for Mobile Users and Remote Networks
• Collect User and Group Information Using the Directory Sync Service
Remote network connections with overlapped subnets support outbound internet only. Refer
to the table in the following figure for more details. You can bypass these limitations by
configuring source NAT on the on-premise Palo Alto Networks next-generation firewall (if
present) or networking device (router, switch, or SD-WAN device) that connects to the IPSec
tunnel used for the remote network connection with overlapped subnets.
If you add a location with overlapping subnets, it has no effect on locations that don’t use overlapping
subnets; those sites retain their existing functionality.
To set up this configuration, create a remote network connection and create a service connection
to onboard the remote network and HQ locations. The details below show how to set up the router
configuration at each location to ensure optimal routing:
STEP 1 | Add the static routes on your router or on-premises IPSec-capable device at the remote
network location.
If you have a Palo Alto Networks firewall at the edge of the WAN link, on Network > Virtual Routers >
Static Routes, Add the static routes:
STEP 2 | Configure the routes that you want to advertise to another directly connected location over
the WAN link.
In this example, you need to configure this at the HQ location. If you have an on-premises Palo Alto
Networks firewall at the edge of the WAN link, you can set up route redistribution and configure which
BGP routes to export on Network > Virtual Routers > BGP.
In addition to the following templates, we provide a Generic template that you can use with
any on-premise device that is not listed here.
• Cisco appliances:
• Cisco Integrated Services Routers (ISRs)
• Cisco Adaptive Security Appliances (ASAs)
• Citrix
• CloudGenix
• Riverbed
• Silver Peak
Use the following workflows to onboard service connections or remote network connections using the
predefined IPSec templates.
You can also complete this step if you delete these templates and need to retrieve them.
• For service connections, select Panorama > Cloud Services > Configuration > Service Setup, click the
gear icon in the Settings area to open the Settings, then click OK.
• For remote network connections, select Panorama > Cloud Services > Configuration > Remote
Networks, click the gear icon in the Settings area to open the Settings, then click OK.
STEP 2 | Select Network, then select the correct Template (either Remote_Network_Template if you
are creating a remote network connection or Service_Conn_Template if you are creating a
service connection).
STEP 3 | Determine the type of device that is used to terminate the service connection or remote
network connection, and find a template to use with that device.
If your SD-WAN or IPSec device is not on the list, use the generic profiles.
STEP 4 | Select Network > Network Profiles > IKE Gateways and make the following changes to the
IKE gateway profile for your device:
You can use the IPSec crypto and IKE crypto profiles with no changes; however, you must make specific
changes to the IKE gateway profile to match the network settings.
• (Optional) If you know the public IP address of the on-premise device that will be used to set up the
IPSec tunnel with Prisma Access, set a static IP address by specifying a Peer IP Address Type of IP
and enter the Peer Address for the IPSec tunnel.
• If using a pre-shared key for the IPSec tunnel, specify a Pre-shared Key.
• Specify a Peer Identification of either IP Address or User FQDN.
Be sure that you match the settings you specify here when you configure the device used to
terminate the other side of the IPSec tunnel.
STEP 5 | Onboard the service connection or remote network connection, specifying the IPSec tunnel
configuration that matches the device on the other side of the IPSec tunnel.
STEP 6 | (Optional) If you need to add a backup tunnel (Secondary WAN) for a service connection or
remote connection, perform the following additional configuration steps.
1. Create a new IKE Gateway for the backup tunnel, copying the settings from the predefined template
you want to duplicate.
The following example creates a backup tunnel configuration for generic networking devices.
2. Under Advanced Options, specify the IKE Crypto Profile for the predefined template you want to
use.
Palo Alto Networks recommends that you use GCM ciphers instead of CBC ciphers for
IPSec tunnels.
3. Create a new IPSec Tunnel, specifying the new IKE gateway you created, but copying all the other
settings from the default template.
4. When you onboard the service connection or remote network connection, Enable Secondary WAN
and specify the tunnel you created for the backup WAN.
STEP 7 | Complete the configuration of the service connection or remote network connection by
matching the cryptos, pre-shared key, and Peer identifiers on the device that is used to
terminate the other side of the IPSec tunnel.
STEP 8 | (Optional) If you need to onboard multiple remote network connections that use the same types
of networking devices, Export the configuration of the remote network, edit the settings, then
Import that configuration.
See Onboard Multiple Remote Network Connections of the Same Type for details.
For more information, including a description of all editable fields in the CSV table, see Onboard Remote
Networks with Configuration Import.
STEP 1 | Select Panorama > Cloud Services > Configuration > Remote Networks (in the Onboarding
section).
STEP 2 | Select a region, then Export the configuration of a remote network that you have previously
onboarded.
You must select a remote network and click Export. A CSV file that includes the settings is downloaded
to your computer.
STEP 3 | Modify the CSV file to add configuration for remote networks.
See Fields in the Remote Networks Table for a description of the fields and the possible values in this
file.
You must rename the network(s) listed in the exported file. If the file has duplicate names the import will
fail.
The configuration from the file is displayed on screen. The remote network you selected when importing
the file serves as a model configuration; the remote networks listed in the file inherit its keys and any
missing values that do not have to be unique.
Field (Required? Y/N): Description
• region (Required: Y): The remote network’s region. See the list of Prisma Access locations for the
values to enter. Enter the locations exactly as they are in this document (for example, US West, or
Japan South).
• bgp_peer_address (Required: N): The BGP peer address of the remote network peer device.
• local_id_type (Required: N): The type of IKE ID that Prisma Access presents to the peer device. If you
use certificates in the remote network to which you import this file, all imported types specified will
refer to the Configured Certificate values.
• local_id_value (Required: N): The value of the IKE ID that Prisma Access presents to the peer device.
If you use certificates in the remote network to which you import this file, all imported types specified
will refer to the Configured Certificate values.
• peer_id_type (Required: N): The type of IKE ID that the peer presents to Prisma Access. If you use
certificates in the remote network to which you import this file, all imported types specified will refer
to the Peer Certificate values.
• peer_id_value (Required: N): The value of the IKE ID that the peer presents to Prisma Access. If you
use certificates in the remote network to which you import this file, all imported types specified will
refer to the Peer Certificate values.
• proxy_ids (Required: N): The proxy IDs that are configured for the peer. For route-based VPNs, leave
this field blank. Specify the Proxy ID in the following CSV configuration format:
  [{"name":"proxyidname", "local":"1.2.3.4/32", "remote":"4.3.2.1/32", "protocol":{"udp": {"local-port":123, "remote-port":234}}},
  {"name":"proxyidname2", "local":"2.3.4.5/32", "remote":"3.4.5.6/32", "protocol":{"tcp": {"local-port":234, "remote-port":345}}}]
• sec_peer_ip_address (Required: N): The IP address of the Prisma Access peer device for the secondary
IPSec tunnel.
• sec_peer_id_type (Required: N): The type of IKE ID that the peer presents to Prisma Access for the
secondary IPSec tunnel. If you use certificates in the remote network to which you import this file, all
imported types specified will refer to the Peer Certificate values.
• sec_monitor_ip (Required: N): The tunnel monitoring IP address the cloud will use for the secondary
IPSec tunnel to determine that the IPSec tunnel is up and the peer network is reachable.
• sec_proxy_ids (Required: N): The proxy IDs that are configured for the peer for the secondary IPSec
tunnel. For route-based VPNs, leave this field blank. Specify the Proxy ID in the following CSV
configuration format:
  [{"name":"proxyidname", "local":"1.2.3.4/32", "remote":"4.3.2.1/32", "protocol":{"udp": {"local-port":123, "remote-port":234}}},
  {"name":"proxyidname2", "local":"2.3.4.5/32", "remote":"3.4.5.6/32", "protocol":{"tcp": {"local-port":234, "remote-port":345}}}]
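To catch the problems the guide calls out (duplicate names, malformed proxy ID JSON) before you click Import, here is an added Python dry-run validator; it is not Palo Alto Networks code and does not talk to Panorama. It parses a constructed export trimmed to the columns in the table plus an assumed name column, rejects duplicate names, fills blank inheritable fields from the model network the way the import is described to do, and decodes the proxy_ids and sec_proxy_ids JSON, checking that each subnet is a valid CIDR and each port is in range. Which fields are inheritable is an assumption (only region here).

```python
"""Dry-run validation of an edited remote network CSV before import.

Added example, not Palo Alto Networks code. The CSV content, the "name"
column, the model values and the inheritable field list are constructed
assumptions; the proxy_ids JSON shape follows the field table above.
"""
import csv
import io
import ipaddress
import json
from typing import Any, Dict, List

# Constructed sample export, trimmed to columns the field table names plus an
# assumed "name" column. branch-paris leaves region blank so it inherits it.
SAMPLE_CSV = '''name,region,bgp_peer_address,proxy_ids,sec_monitor_ip,sec_proxy_ids
branch-london,US West,10.1.1.1,"[{""name"":""proxyidname"",""local"":""1.2.3.4/32"",""remote"":""4.3.2.1/32"",""protocol"":{""udp"":{""local-port"":123,""remote-port"":234}}}]",,
branch-paris,,10.1.2.1,"[{""name"":""p1"",""local"":""172.16.55.0/24"",""remote"":""10.1.2.0/24""}]",10.1.2.10,
'''

# Constructed: values taken from the remote network selected as the model.
MODEL_NETWORK: Dict[str, str] = {"region": "US West"}

# Assumption: fields that need not be unique and may be filled from the model.
INHERITABLE_FIELDS = ("region",)


def parse_proxy_ids(raw: str) -> List[Dict[str, Any]]:
    """Decode and sanity-check a proxy_ids / sec_proxy_ids cell.

    A blank cell means a route-based VPN with no proxy IDs. Each entry needs a
    name and CIDR local/remote subnets; protocol ports, when present, must be
    valid port numbers.
    """
    if not raw.strip():
        return []
    entries = json.loads(raw)
    if not isinstance(entries, list):
        raise ValueError("proxy_ids must be a JSON list")
    for entry in entries:
        if not entry.get("name"):
            raise ValueError("proxy ID without a name")
        for side in ("local", "remote"):
            # strict=True refuses entries like 10.1.2.5/24 that have host bits set
            ipaddress.ip_network(entry[side], strict=True)
        for proto, ports in (entry.get("protocol") or {}).items():
            for key, port in ports.items():
                if not 1 <= int(port) <= 65535:
                    raise ValueError(f"{entry['name']}: bad {proto} {key} {port}")
    return entries


def load_remote_networks(csv_text: str, model: Dict[str, str]) -> List[Dict[str, Any]]:
    """Parse the CSV, reject duplicate names (the import would fail), fill
    inheritable blanks from the model network, and decode proxy IDs."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    names = [row["name"] for row in rows]
    duplicates = sorted({n for n in names if names.count(n) > 1})
    if duplicates:
        raise ValueError(f"duplicate remote network names: {duplicates}")
    networks: List[Dict[str, Any]] = []
    for row in rows:
        net: Dict[str, Any] = dict(row)
        for field in INHERITABLE_FIELDS:
            if not net.get(field):
                net[field] = model.get(field, "")
        net["proxy_ids"] = parse_proxy_ids(row.get("proxy_ids", ""))
        net["sec_proxy_ids"] = parse_proxy_ids(row.get("sec_proxy_ids", ""))
        networks.append(net)
    return networks


def import_errors(csv_text: str, model: Dict[str, str]) -> List[str]:
    """Problems that would make the import fail; an empty list means clean."""
    try:
        load_remote_networks(csv_text, model)
    except (ValueError, KeyError) as exc:
        return [str(exc)]
    return []


if __name__ == "__main__":
    for net in load_remote_networks(SAMPLE_CSV, MODEL_NETWORK):
        print(net["name"], net["region"], [p["name"] for p in net["proxy_ids"]])
```

json.JSONDecodeError is a subclass of ValueError, so a badly quoted proxy ID cell surfaces through import_errors as well; the doubled quotes in the sample are the standard CSV escaping that a spreadsheet or csv.writer produces for a cell containing JSON.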
Configure Quality of Service in Prisma Access
Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to
dependably run high-priority applications and traffic under limited network capacity. You can configure QoS
in Prisma Access to prioritize business-critical traffic or traffic that requires low latency, such as VoIP or
videoconferencing. You can also reserve a minimum amount of bandwidth for business-critical applications.
Prisma Access uses the same QoS profiles and supports the same Differentiated Services Code Point
(DSCP) markings as next-generation Palo Alto Networks firewalls. However, the configuration process is
different than configuring QoS on next-generation firewalls.
Prisma Access can either mark ingress traffic using a security policy or it can honor DSCP markings set by
your organization's on-premise device.
QoS Examples
The following examples show how Prisma Access marks and shapes traffic.
In the following example, the administrator created a security policy on the Mobile_User_Device_Group to
mark incoming mobile user traffic. These policies assign traffic an IP precedence value of AF11.
The administrator also created QoS profiles with QoS policy rules, enabled QoS on the service connection
and remote network connection, and applied the profiles to those connections to shape the traffic at the
traffic’s egress point based on the QoS markings.
Prisma Access marks traffic at its ingress point based on security policies or honors marking
set by your on-premise devices, and shapes the traffic on egress to your service connections
or remote network connections using QoS profiles.
The following example shows the QoS traffic flow from a branch office to an HQ/data center. The
administrator created a security policy on the Remote_Network_Device_Group to mark the incoming traffic
from the remote network connection, then enabled QoS and applied a QoS profile on the service connection
to shape the outgoing traffic.
The following example shows a hybrid deployment with an on-premise firewall at a branch that is
connected by Prisma Access with a remote network connection, and the on-premise firewall marks the
traffic. This deployment honors the marking set on the on-premise firewall. You must enable QoS and apply
a QoS profile on the service connection, so that Prisma Access can shape the traffic at egress.
Prisma Access honors all DSCP marking from the on-premise device as long as that traffic does not match
an overriding security policy on Prisma Access.
STEP 1 | Add one or more security policy rules for remote networks and mobile users to mark the
ingress traffic for QoS.
You use these policies to match a traffic flow and assign it a selected DSCP value.
1. Select Policies > Security > Pre Rules.
Alternatively, select Policies > Security > Post Rules to add a rule at the bottom of the rule order that
is evaluated after a pre-rule.
Be sure that you select the correct Device Group. To create a security rule for
a remote network, select the device group for the remote network (for example,
Remote_Network_Device_Group); for mobile users, select the device group for the
mobile users (for example, Mobile_User_Device_Group).
2. Add a security policy rule.
3. Enter a Name for the rule.
4. Define the matching criteria for the source or destination fields in the packet.
See Create a Security Policy Rule for details.
5. Click Actions, then select a QoS Marking of either IP DSCP or IP Precedence.
6. Enter the QoS value in binary form, or select the value from the drop-down.
The following screenshot shows a security policy rule that marks matching traffic with an IP DSCP
value of af11.
STEP 2 | Add one or more QoS policy rules.
You use QoS policies to bind DSCP marking to one of eight available classes. You use these classes later
when you create one or more QoS profiles.
1. Select Policies > QoS > Pre Rules.
Alternatively, select Policies > QoS > Post Rules to add a rule at the bottom of the rule order that is
evaluated after a pre-rule.
Be sure that you select the correct Device Group for the service connection (for
example, Service_Conn_Device_Group) or remote network connection (for example,
Remote_Network_Device_Group). If a rule in a Shared device group has defined
values other than the values in the General, DSCP/ToS, and Other settings areas,
Prisma Access does not apply the rule on the remote network and service connection.
2. Add a QoS policy rule.
3. Click General and enter a name for the policy rule.
4. Click the DSCP/ToS tab, then click Codepoints and Add one or more new codepoints.
5. Specify a Name for the DSCP/ToS rule, then select a Type and Codepoint.
Alternatively, keep the default value (Any) to allow the policy to match to traffic regardless of the
Differentiated Services Code Point (DSCP) value or the IP Precedence/Type of Service (ToS) defined
for the traffic.
6. Click the Other Settings tab, then Choose the QoS Class to assign to the rule.
You define class characteristics in the QoS profile.
7. Click OK.
STEP 3 | Create one or more QoS profiles to shape QoS traffic on egress for service connections and
remote network connections.
You use profiles to shape the traffic at egress point by defining QoS classes and assigning a bandwidth
to them. You must select either an existing QoS profile or create a new QoS profile when you enable
QoS for Prisma Access.
1. Select the template for the profile you want to create (Remote_Network_Template or
Service_Conn_Template); then select Network > Network Profiles > QoS Profile.
2. Add a profile.
3. Enter a profile Name.
4. Set the overall bandwidth limits for the QoS profile.
• Enter an Egress Max that represents the maximum throughput (in Mbps) for traffic leaving the
service connection or remote network connection.
• For service connections, specify a number of up to 1 Gbps (1,000 Mbps).
Do not enter a number greater than 1 Gbps; Prisma Access calculates service
connection bandwidth per service connection IPSec tunnel and not cumulatively
across multiple tunnels.
• For remote network connections, specify a number up to the maximum licensed bandwidth of
your remote network connection.
• Enter an Egress Guaranteed bandwidth that is the guaranteed bandwidth for this profile (in
Mbps).
Any traffic that exceeds the Egress Guaranteed value is best effort and not guaranteed.
Bandwidth that is guaranteed but is unused continues to remain available for all traffic.
5. In the Classes section, Add one or more classes (up to eight) and specify how each QoS class is
shaped.
• Select the Priority for the class (either real-time, high, medium, or low).
• Enter the Egress Max for traffic assigned to each QoS class you create.
The Egress Max for a QoS class must be less than or equal to the Egress Max for the QoS profile.
• Enter the Egress Guaranteed bandwidth in Mbps for each QoS class.
Guaranteed bandwidth assigned to a class is not reserved for that class—bandwidth that is unused
continues to remain available to all traffic. When a class of traffic exceeds the egress guaranteed
bandwidth, Prisma Access passes that traffic on a best-effort basis.
6. Click OK.
STEP 4 | Enable QoS for the service connection, remote network connection, or both, and apply the
QoS profile to the connection.
1. Enable QoS.
• For service connections, select Panorama > Cloud Services > Configuration > Service Setup,
select a Connection Name, click the QoS tab, and Enable QoS.
• For remote network connections, select Panorama > Cloud Services > Configuration > Remote
Networks, select the Name of a remote network connection, click the QoS tab, and
Enable QoS.
2. Select the QoS profile you created in Step 3 and click OK.
This page displays a chart with real-time and historical QoS statistics, including the number of
dropped packets per class. This chart displays only for service connections or remote network
connections that have QoS enabled, shows the last five minutes of the connection’s network activity,
and refreshes every 10 seconds.
The following figure shows traffic being passed for classes 1,2,3, and 4. The data below the figure
shows the number of packets dropped based on the QoS configuration for classes 2, 3, and 4.
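The marking, classification and shaping chain in Steps 1 through 4 can be checked before it is committed. The following Python is an added example, not code from the Prisma Access guide or from Palo Alto Networks. It computes the 6-bit DSCP value a security rule marks (the binary form the rule editor accepts), applies QoS policy rules in order to map a codepoint to one of the eight classes (class 4, the PAN-OS default, for traffic that matches no rule), and validates a QoS profile against the limits stated above: 1 Gbps per service connection tunnel, the licensed bandwidth for a remote network, at most eight classes, and a class Egress Max no larger than the profile's. The profile, class and rule names and all numbers are this example's own constructions.

```python
"""Added example, not from the Prisma Access guide: model the QoS chain of
Steps 1-4 (mark with a security rule, classify with a QoS rule, shape with a
QoS profile) and check a configuration against the limits the guide states.
All names and numbers are constructed."""
from dataclasses import dataclass, field

# DSCP codepoints per RFC 2474/2597/3246: CSx = 8x, AFxy = 8x + 2y, EF = 46.
def dscp_value(name):
    n = name.lower()
    if n == "ef":
        return 46
    if len(n) == 3 and n.startswith("cs") and n[2] in "01234567":
        return 8 * int(n[2])
    if len(n) == 4 and n.startswith("af") and n[2] in "1234" and n[3] in "123":
        return 8 * int(n[2]) + 2 * int(n[3])
    raise ValueError(f"unknown DSCP codepoint {name!r}")

def dscp_binary(name):
    """The 6-bit form accepted by the security rule's QoS Marking field."""
    return format(dscp_value(name), "06b")

@dataclass
class QosRule:
    name: str
    codepoints: object = "any"   # set of DSCP names, or "any"
    qos_class: int = 4

def classify(rules, dscp_name):
    """First matching QoS policy rule wins (pre rules are evaluated before post
    rules). Traffic that matches no rule lands in class 4, the PAN-OS default."""
    for r in rules:
        if r.codepoints == "any" or dscp_name.lower() in {c.lower() for c in r.codepoints}:
            return r.qos_class
    return 4

@dataclass
class QosClass:
    number: int               # 1..8
    priority: str             # real-time, high, medium or low
    egress_max: float         # Mbps
    egress_guaranteed: float  # Mbps

@dataclass
class QosProfile:
    name: str
    connection: str           # "service" or "remote-network"
    egress_max: float         # Mbps
    egress_guaranteed: float  # Mbps
    licensed_mbps: float = 0  # remote network license size; unused for service connections
    classes: list = field(default_factory=list)

PRIORITIES = {"real-time", "high", "medium", "low"}
SERVICE_CONN_MAX_MBPS = 1000  # per service connection IPSec tunnel, not cumulative

def validate_profile(p):
    """Return the list of violations (empty when the profile is acceptable)."""
    problems = []
    cap = SERVICE_CONN_MAX_MBPS if p.connection == "service" else p.licensed_mbps
    if p.egress_max > cap:
        problems.append(f"profile Egress Max {p.egress_max} exceeds limit {cap} Mbps")
    if p.egress_guaranteed > p.egress_max:
        problems.append("profile Egress Guaranteed exceeds profile Egress Max")
    if len(p.classes) > 8:
        problems.append(f"{len(p.classes)} classes; at most eight are allowed")
    seen = set()
    for c in p.classes:
        tag = f"class {c.number}"
        if not 1 <= c.number <= 8 or c.number in seen:
            problems.append(f"{tag}: invalid or duplicate class number")
        seen.add(c.number)
        if c.priority not in PRIORITIES:
            problems.append(f"{tag}: unknown priority {c.priority!r}")
        if c.egress_max > p.egress_max:
            problems.append(f"{tag}: Egress Max exceeds profile Egress Max")
        if c.egress_guaranteed > c.egress_max:
            problems.append(f"{tag}: Egress Guaranteed exceeds its Egress Max")
    return problems

if __name__ == "__main__":
    # A security rule on Mobile_User_Device_Group marking AF11 is entered as 001010.
    print("af11 ->", dscp_binary("af11"))
    rules = [QosRule("voice", {"ef"}, 1), QosRule("business-apps", {"af11", "af21"}, 2)]
    print("af11 classified as class", classify(rules, "af11"))
    profile = QosProfile("SC-QoS", "service", 1000, 600, classes=[
        QosClass(1, "real-time", 200, 100), QosClass(2, "high", 500, 300)])
    print("SC-QoS problems:", validate_profile(profile) or "none")
```

Run it against a proposed profile before committing; a remote network profile whose Egress Max exceeds the licensed bandwidth, or a class that is wider than its profile, is reported rather than silently shaped to something else.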
Topology for High-Bandwidth Remote Network
The following diagram shows a sample topology for a branch location using multiple IPSec remote network
tunnels between the site and Prisma Access. In this diagram, we use four 300 Mbps remote network
tunnels to create a 1.2 Gbps throughput to traffic egressing to the internet. The CPE devices can be Palo
Alto Networks next-generation firewalls or other devices that are capable of creating multiple IPSec tunnels
and performing load balancing between these tunnels. One of the methods to achieve this is by enabling
ECMP with session stickiness. The CPE must maintain session affinity per tunnel while applying ECMP over
multiple tunnels.
This example shows four tunnels. The maximum number of tunnels you can use for a high-
bandwidth connection in Prisma Access is based on the maximum number of IPSec tunnels
your CPE devices support with the load balancing protocol you use (ECMP in this example).
Consider the following restrictions and recommendations before you deploy this configuration:
• Use BGP routing for the IPSec tunnels; static routing is not supported.
• Use this configuration for outbound internet access only.
• Do not use tunnel monitoring on either Prisma Access or the CPE devices. Availability of the IPSec
tunnel is determined by BGP peering between the CPE and Prisma Access’ remote network. If an IPSec
tunnel goes down and BGP connection is interrupted, the routes learned over BGP on that tunnel are
automatically removed from ECMP.
• Because you use BGP to determine when a tunnel goes down, consider the HoldTime value you have
configured on your CPE devices. The hold timer determines how long a tunnel can be unreachable before
BGP withdraws the routes learned over it. Prisma Access uses the default BGP HoldTime value of 90 seconds
as defined by RFC 4271. If you configure a lower hold time on the BGP CPE devices in the remote network
site, BGP uses the lower value. Palo Alto Networks recommends a KeepAlive value of 10 seconds and a
HoldTime value of 30 seconds for your CPE devices with this deployment.
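Two of the requirements above, per-session affinity across the ECMP tunnels and failure detection through the BGP hold timer rather than tunnel monitoring, are easy to get wrong on the CPE. The following Python is an added example, not from the guide or from any CPE vendor. It models the negotiated hold time (RFC 4271 has each speaker use the smaller of its own configured value and the one in the peer's OPEN, which is why a 30-second CPE setting wins over the 90-second Prisma Access default), withdraws a tunnel from the ECMP set once its hold timer expires, and uses rendezvous hashing so that a session stays on one tunnel and only the sessions on a withdrawn tunnel move. Rendezvous hashing is this example's way of illustrating session affinity; it is not a description of how the PAN-OS Balanced Round Robin method or any other CPE implements it. Tunnel names, timers and session tuples are constructed.

```python
"""Added example, not from the guide or any CPE vendor: model the branch-side
behaviour the high-bandwidth topology depends on. Tunnel names, timers and
session tuples are constructed."""
import hashlib
from dataclasses import dataclass

@dataclass
class Tunnel:
    name: str
    hold_time: float        # negotiated BGP Hold Time, seconds
    last_keepalive: float   # time the last KEEPALIVE/UPDATE arrived from the peer
    up: bool = True

def negotiated_hold_time(local_hold, peer_hold):
    """RFC 4271: a BGP speaker uses the smaller of its configured Hold Time and
    the one in the peer's OPEN. With Prisma Access at its 90 s default and the
    CPE at the recommended 30 s, both sides run a 30 s hold timer."""
    return min(local_hold, peer_hold)

def expire_hold_timers(tunnels, now):
    """Tear down the BGP session on any tunnel whose hold timer has expired.
    Routes learned over that session are withdrawn, which is what removes the
    tunnel from ECMP; no tunnel monitoring is involved. Returns the tunnels
    still carrying routes."""
    for t in tunnels:
        if t.up and now - t.last_keepalive >= t.hold_time:
            t.up = False
    return [t for t in tunnels if t.up]

def _weight(session, tunnel_name):
    key = f"{session}|{tunnel_name}".encode()
    return int.from_bytes(hashlib.sha256(key).digest()[:8], "big")

def pick_tunnel(active, session):
    """Rendezvous (highest-random-weight) hashing over the active tunnels.
    A session keeps its tunnel for as long as that tunnel is up, and when a
    tunnel is withdrawn only the sessions that were on it are re-homed; the
    others never see a path change. This is the example's way of providing
    per-session affinity on top of ECMP, not how any particular CPE does it."""
    if not active:
        raise RuntimeError("no tunnel has an established BGP session")
    return max(active, key=lambda t: _weight(session, t.name))

def assign(tunnels, sessions):
    """Map each session 5-tuple to a tunnel name, using only tunnels whose BGP
    session is still up."""
    active = [t for t in tunnels if t.up]
    return {s: pick_tunnel(active, s).name for s in sessions}

if __name__ == "__main__":
    hold = negotiated_hold_time(90, 30)
    tunnels = [Tunnel(f"tunnel.{i}", hold, last_keepalive=30.0) for i in range(1, 5)]
    sessions = [("192.0.2.10", "203.0.113.5", 40000 + i, 443, "tcp") for i in range(20)]
    before = assign(tunnels, sessions)
    tunnels[1].last_keepalive = 0.0          # tunnel.2's peer has been silent since t=0
    active = expire_hold_timers(tunnels, now=35.0)
    after = assign(tunnels, sessions)
    moved = [s for s in sessions if before[s] != after[s]]
    print("active:", [t.name for t in active])
    print(f"{len(moved)} of {len(sessions)} sessions re-homed, all from tunnel.2:",
          all(before[s] == "tunnel.2" for s in moved))
```

The same silent peer left at the 90-second default would still be in the ECMP set at t=35, and traffic hashed to it would be black-holed for the remainder of the hold time; that is the cost the 10/30-second recommendation is trading against BGP churn.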
Create a High-Bandwidth Remote Network Connection
To create a high-bandwidth remote network connection, complete the following task.
When complete, you have four 300 Mbps remote network connections for the same location. If you
configured backup tunnels, you also have four secondary tunnels to be used for failover purposes.
3. Select Panorama > Cloud Services > Status > Network Details > Remote Networks and make a note
of the Service IP Address and EBGP Router addresses.
You use the Service IP Address as the peer IP address when you configure the IPSec tunnel on
the CPE devices in the remote network site, and you use these addresses and the EBGP Router
addresses when you create static routes on the CPE devices.
STEP 2 | On the CPE devices in the remote network site, configure the remote network tunnels.
The configuration in these steps uses Palo Alto Networks next-generation firewalls; you
can use any CPE device that supports IPSec tunnels and ECMP for this deployment.
1. Create four active tunnels from the active CPE to each of the four network connections. For the Peer
IP address, enter the Service IP Address of the remote network you received from Prisma Access in
Step 1.c.
2. (Optional) If you create backup tunnels, create them from the active CPE to each of the four network
connections. For the Peer IP address, enter the Service IP Address of the remote network you
received from Prisma Access in Step 1.c.
STEP 3 | Configure ECMP on the CPE devices in the remote network site.
1. Select Network > Virtual Routers.
2. Select the default virtual router, or Add a new virtual router.
3. Select Router Settings > Enable > ECMP, then Enable ECMP with a Max Path of 4 and a load balance
Method of Balanced Round Robin.
STEP 4 | On the CPE devices in the remote network site, create static routes to the Prisma Access
Service IP Address and EBGP Router IP addresses you retrieved in Step 1.c.
As previously stated, dynamic routing with BGP is required for this configuration. To facilitate BGP
connection between the CPE and Prisma Access’ eBGP router, you need to add a static route for the
eBGP router IP address on the CPE, and the next-hop must be the tunnel interface on the CPE. You
must repeat this step for all other Remote Network eBGP router IP addresses on remaining tunnels.
The following example shows the route on the active CPE. If you created backup tunnels on a standby
CPE, create the same routing on the standby CPE.
If you are configuring a Palo Alto Networks next-generation firewall, select Static Routes > IPv4 to add
the static routes.
STEP 5 | Enable route redistribution on the CPE devices by selecting Redistribution Profile > IPv4, then
Add an IPv4 route redistribution profile.
STEP 6 | Select BGP > Peer Group, Enable BGP on the virtual router instance, then Add Remote
Network BGP peers.
STEP 7 | Select BGP > Redist Rules, then attach the route redistribution profile you created in Step 5.
STEP 8 | Validate that the CPE is passing traffic on all four of its tunnels.
STEP 9 | Check the status of the ECMP-enabled connections from Prisma Access.
• Select Panorama > Cloud Services > Monitor > Remote Networks, select the region where you
deployed the ECMP connections, then select Status.
In this area, ECMP displays as No. This is expected because you are not configuring
the Prisma Access ECMP load balancing feature.
• Select Statistics to see that traffic is passing through each remote network tunnel.
When you have completed this workflow, you have created a high-bandwidth configuration for the
remote network. Keep in mind that this solution is supported for outbound traffic only.
While this solution can provide access for up to 50,000 concurrent inbound sessions per
remote network, Palo Alto Networks does not recommend using this solution to provide
access to a high-volume application or website.
To make internet-accessible applications available from a remote network site, you first make a list of
the applications to which you want to provide access, and assign a private IP, port number, and protocol
combination for each application. If you use the same IP address for multiple applications, the port/protocol
combination must be unique for each application; if you use the same port/protocol combination for
multiple applications, each IP address must be unique.
To begin configuration, you choose how many public IP addresses you want to associate with the
applications. You can specify either 5 or 10 public IP addresses per remote network site. Each public IP
allocation takes bandwidth from your Remote Networks license, in addition to the license cost for the
remote network: 5 IP addresses take 150 Mbps from your remote network license allocation, and 10 IP
addresses take 300 Mbps. The following table provides examples of bandwidth cost.
Use the following examples as a guide; you can use any remote network bandwidth to
implement secure inbound access.
After you choose the number of public IP addresses, you then enter the application, along with its
associated private IP/port number/protocol combination, for which you want secure inbound access.
You can decide how you want to map your application to the public IP addresses. By default, Prisma Access
assigns the public IP addresses to the applications you specify, and multiple applications can be assigned
to a single IP address. If you need to map a single application to a single public IP address, you can select
Dedicated IP during system configuration. You can configure up to 100 inbound applications for each group
of provisioned public IP addresses (either 5 or 10).
The following example shows a sample configuration to enable inbound access for an application
(www.example.com) at a remote network site. You assign an IP address of 10.10.10.2, a port of 443, and
a protocol of TCP to the application. You then enter these values in Prisma Access when you configure
inbound access. After you save and commit your changes, Prisma Access assigns a public IP address to the
application you defined, in this case 52.1.1.1.
Prisma Access performs source network address translation (source NAT) on the packets by default. If the
IPSec-capable device at your remote network site is capable of performing symmetric return (such as a Palo
Alto Networks next-generation firewall), you can disable source NAT.
The following figure shows the traffic flow from users to applications. Because source NAT is enabled, the
source IP address of the request is translated from the IP address of the user’s device (34.1.1.1) to the
remote network’s EBGP Router address (172.1.1.1), which you can find under Panorama > Cloud Services >
Status > Network Details > Remote Networks > EBGP Router.
The following figure shows the return path of traffic with source NAT enabled.
If you disable source NAT, Prisma Access still performs destination NAT, but the source IP address of the
request is unchanged.
With source NAT disabled, the destination address of the return traffic is the user’s IP address (34.1.1.1) at
every hop, so the device at the remote network site must return that traffic through the Prisma Access
tunnel (symmetric return) rather than by a different path.
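The mapping rules in the passages above (a unique private IP/port/protocol per application, 5 or 10 public IPs costing 150 or 300 Mbps of license, shared or Dedicated IP assignment, no port translation, destination NAT with optional source NAT to the EBGP Router address) can be modelled end to end. The following Python is an added example, not code from the guide or from Prisma Access. It validates an application list, assigns public IPs, reports the license cost, and walks the request and reply of the www.example.com example through the translations described. The packing order of shared applications onto public IPs and the source-port handling of the source NAT are this example's assumptions; the guide does not document how Prisma Access allocates internally. The pool of public addresses and the additional applications are constructed.

```python
"""Added example, not from the guide or from Prisma Access: validate an
inbound-access application list, assign the 5 or 10 public IPs, report the
license cost, and trace a request and its reply through the NAT described
above. The address pool, the extra applications, the packing order and the
source-port handling are this example's own constructions."""
from collections import defaultdict
from dataclasses import dataclass

LICENSE_COST_MBPS = {5: 150, 10: 300}   # bandwidth taken from the Remote Networks license
MAX_APPS_PER_POOL = 100

@dataclass(frozen=True)
class App:
    name: str
    private_ip: str
    protocol: str           # "tcp" or "udp"
    port: int
    dedicated_ip: bool = False

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

def validate_apps(apps):
    """Guide's rules: at most 100 applications per pool, TCP or UDP only, and
    the (private IP, protocol, port) triple unique across applications."""
    problems, seen = [], {}
    if len(apps) > MAX_APPS_PER_POOL:
        problems.append(f"{len(apps)} applications exceeds {MAX_APPS_PER_POOL} per pool")
    for a in apps:
        if a.protocol not in ("tcp", "udp") or not 1 <= a.port <= 65535:
            problems.append(f"{a.name}: invalid protocol/port {a.protocol}/{a.port}")
        key = (a.private_ip, a.protocol, a.port)
        if key in seen:
            problems.append(f"{a.name}: {key} already used by {seen[key]}")
        seen[key] = a.name
    return problems

def license_cost_mbps(pool):
    return LICENSE_COST_MBPS[len(pool)]

def allocate_public_ips(apps, pool):
    """Dedicated-IP applications each take a public IP exclusively (from the
    end of the pool here); the rest share the remaining addresses. Port
    translation is not supported, so two applications on one public IP must
    differ in (protocol, port). Returns {application name: public IP}."""
    if len(pool) not in LICENSE_COST_MBPS:
        raise ValueError("allocate either 5 or 10 public IPs")
    dedicated = [a for a in apps if a.dedicated_ip]
    shared = [a for a in apps if not a.dedicated_ip]
    if len(dedicated) + (1 if shared else 0) > len(pool):
        raise ValueError("not enough public IPs for the Dedicated IP applications")
    mapping = {a.name: ip for a, ip in zip(dedicated, reversed(pool))}
    shared_pool = list(pool)[:len(pool) - len(dedicated)]
    in_use = defaultdict(set)             # public IP -> {(protocol, port)}
    for a in shared:
        for ip in shared_pool:
            if (a.protocol, a.port) not in in_use[ip]:
                in_use[ip].add((a.protocol, a.port))
                mapping[a.name] = ip
                break
        else:
            raise ValueError(f"{a.name}: every shared public IP already serves {a.protocol}/{a.port}")
    return mapping

class InboundNat:
    """Destination NAT from public IP:port to the application's private IP:port,
    plus (by default) source NAT to the remote network's EBGP Router address.
    Without source NAT the reply only reaches this table if the CPE sends it
    back through Prisma Access (symmetric return)."""
    def __init__(self, apps, mapping, ebgp_router_ip, source_nat=True):
        self.by_public = {(mapping[a.name], a.protocol, a.port): a for a in apps}
        self.ebgp_router_ip, self.source_nat = ebgp_router_ip, source_nat
        self.sessions, self.next_port = {}, 20000   # SNAT port allocation is simplified

    def inbound(self, pkt):
        app = self.by_public.get((pkt.dst, pkt.proto, pkt.dport))
        if app is None:
            return None                   # nothing published on that IP/port: dropped
        src, sport = pkt.src, pkt.sport
        if self.source_nat:
            src, sport, self.next_port = self.ebgp_router_ip, self.next_port, self.next_port + 1
        out = Packet(src, sport, app.private_ip, app.port, pkt.proto)
        self.sessions[(out.dst, out.dport, out.src, out.sport, out.proto)] = pkt
        return out

    def reply(self, pkt):
        orig = self.sessions.get((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        return None if orig is None else Packet(orig.dst, orig.dport, orig.src, orig.sport, pkt.proto)

if __name__ == "__main__":
    apps = [App("www.example.com", "10.10.10.2", "tcp", 443),
            App("ssh-server", "10.10.10.3", "tcp", 22),
            App("rdp-server", "10.10.10.5", "tcp", 3389, dedicated_ip=True)]
    pool = [f"52.1.1.{i}" for i in range(1, 6)]          # constructed 5-address pool
    print("problems:", validate_apps(apps) or "none", "| license:", license_cost_mbps(pool), "Mbps")
    mapping = allocate_public_ips(apps, pool)
    nat = InboundNat(apps, mapping, "172.1.1.1")
    fwd = nat.inbound(Packet("34.1.1.1", 51515, mapping["www.example.com"], 443, "tcp"))
    print("forward:", fwd)
    print("reply:  ", nat.reply(Packet(fwd.dst, fwd.dport, fwd.src, fwd.sport, "tcp")))
```

The allocator makes one consequence of "no port translation" explicit: with shared IPs, the number of applications that listen on the same protocol and port cannot exceed the number of non-dedicated public addresses, so a second HTTPS application beyond what the pool can hold fails at planning time rather than after the 30-minute provisioning wait.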
Guidelines for Using Secure Inbound Access
Use the following guidelines and restrictions when you configure a remote network to use secure inbound
access:
• The following locations are supported:
• Australia Southeast
• Belgium
• Brazil South
• Canada East
• Finland
• Germany Central
• Hong Kong
• India West
• Japan Central
• Netherlands Central
• Singapore
• Switzerland
• Taiwan
• UK
• US Central
• US East
• US Northwest
• US Southeast
• US Southwest
• You cannot modify an existing remote network to provide secure inbound access; instead, create a new
remote network.
• The inbound access feature is not available on remote networks that use ECMP load balancing.
• Application port translation is not supported.
• The bulk import feature to onboard remote networks does not support inbound access. Use Panorama
to onboard new inbound access remote networks.
• Do not use remote network inbound access together with traffic forwarding rules for service connections.
• Outbound traffic originating at the branch is not allowed on the inbound remote network.
• User-ID and application authentication are not supported.
• Prisma Access enforces the following rate limiting thresholds to provide flood protection, and measures
the rate in connections per second (CPS):
ICMP Flood 20 20
• Remote networks that are configured for secure inbound access can only be used for that purpose.
If you require outbound access as well as inbound access for a remote network site, create two
remote network sites in the same location—one for inbound access and one for outbound access—as
shown in the following figure. In this example, User 1 uses Remote Network 1 for inbound access to
www.example.com, while User 2 uses Remote Network 2 for outbound internet access from the remote
network location.
• If you have a custom Prisma Access deployment where one of the cloud providers is excluded, inbound
access might not be supported because you cannot choose the locations during remote network
onboarding.
• Secure inbound access is not supported with evaluation licenses.
STEP 1 | Select Panorama > Cloud Services > Configuration > Remote Networks and Add a connection.
Any bandwidth is supported for secure inbound access.
STEP 2 | Select Inbound Access and Enable secure inbound access.
If Palo Alto Networks has created a custom Prisma Access deployment for your
organization where one of the cloud providers is excluded, inbound access features may
not be configurable due to non-availability of the supported locations; in this case, no
locations display in the Location area, as shown in the following screenshot.
STEP 3 | When prompted, click Close and select or re-select a supported location.
Prisma Access prompts you with a verification window when you enable secure inbound access, to make
sure that you select a supported location.
STEP 5 | Select the Number of Public IPs that you want to allocate for secure inbound access (5 or 10).
The IP addresses you use for secure inbound access take bandwidth from your remote network license.
5 public IP addresses use 150 Mbps from your remote networks license; 10 public IP addresses use 300
Mbps from your remote network license.
Provide the following values:
• Specify the name of the Application.
• Specify the Private IP address to use with this application.
• Specify the Protocol to use with the application (TCP or UDP).
• Specify the Port to use with the application.
• Choose whether you want to dedicate a single public IP address to a single application; to do so,
select Dedicated IP.
STEP 8 | (Optional) If you selected an unsupported location, a window prompts you to select a supported
location. If required, select a supported location, then click OK.
STEP 10 | Wait approximately 30 minutes for Prisma Access to generate the public IP addresses; then
select Panorama > Cloud Services > Status > Network Details > Remote Networks and
make a note of the Public Address that is associated with the App Name for application you
created.
If you selected Dedicated IP, find the single application that is associated with the Public Address.
STEP 11 | Create security policies to allow traffic from the inbound internet users.
Because Prisma Access’ default security policy only allows untrust-to-untrust traffic, you need to
configure security polices to allow untrust-to-trust (external-to-internal) traffic for your inbound access
applications. Palo Alto Networks recommends that you limit the type of access you permit to inbound
applications. The following examples provide access to SSH servers, web portals, and RDP servers.
1. Select Policies > Security and Add a policy.
Be sure to create this policy under the Remote_Network_Device_Group device group.
2. In the Source tab, select external as the Source Zone.
3. Create a policy to allow SSH server traffic by selecting the Destination Zone for destination traffic as
Internal and specifying a Destination Address of SSH-server-public.
4. Select an Application of ssh.
5. Select a Service/URL Category of application-default to allow or deny applications based only on their
default ports as defined by Palo Alto Networks.
6. In Actions, select Allow.
7. Click OK to save the policy.
8. Create a policy to allow web portal access by repeating the previous steps but substituting
the following settings in the Destination and Application tabs:
• Select a Destination Address of Web-Portal-Public.
• Select an Application of web-browsing.
9. Create a security policy for RDP server access, using the same settings as you did for the other
policies but substituting RDP-Server-Public as the Destination Address and webrdp as the
Application.
When complete, you have three different policies to allow SSH server access, web portal access, and
RDP server access.
STEP 12 | Save and Commit your changes.
STEP 13 | Check that the remote network connection is operational and correctly processing inbound
traffic.
1. Select Panorama > Cloud Services > Status > Status > Remote Networks and hover over the
Status and Config Status areas to see the tunnel’s status.
2. If you find issues, select Panorama > Cloud Services > Status > Monitor > Remote Networks,
select the location of the remote network tunnel in the map, and hover over the Tunnel Status area
to determine the cause of the error.
Configure User-ID and User-Based Policies
with Prisma Access
Prisma Access requires that you configure IP address-to-username mapping to consistently
enforce user-based policy for mobile users and users at remote network locations. In addition,
you need to configure username to user-group mapping if you want to enforce policy based on
group membership.
You can then configure your deployment to allow Panorama to get the list of user groups
retrieved from the group mapping, which allows you to easily select these groups from a drop-
down list when you create and configure policies in Panorama.
The following sections provide an overview and the steps you perform to configure and
implement User-ID in Prisma Access.
Configure User-ID in Prisma Access
This section provides the steps you perform to configure User-ID for Prisma Access.
STEP 1 | Configure IP address-to-username mapping for your mobile users and users at remote network
locations.
• For mobile users, the GlobalProtect agent in Prisma Access automatically performs User-ID mapping.
• For users at remote networks, configure User-ID for your remote network locations to map IP
addresses to User IDs.
STEP 2 | Configure username to user-group mapping for your mobile users and users at remote network
locations.
To configure username-to-user group mapping for all users, enable group mapping for mobile users and
for users at remote networks using an LDAP server profile.
We recommend using a Group Include List in the LDAP server profile, so that you can
specify which groups you want to retrieve, instead of retrieving all group information.
STEP 3 | Allow Panorama to use group mappings in security policies by configuring one or more next-
generation on-premise or VM-series firewalls as a Master Device.
If you don’t configure a Master Device with a Prisma Access User-ID deployment, use long-form
Distinguished Name (DN) entries instead.
Configure User-ID for Remote Network
Deployments
The process for retrieving User-ID information for Prisma Access is similar to configuring User-ID for on-
premise Palo Alto Networks next-generation firewalls. To configure User ID-to-IP address mapping for
Prisma Access, use the following workflow.
By default, the User-ID agent uses port 5007 to listen for User-ID information requests. Make sure
that you implement security policies that allow User-ID traffic on this port between Prisma Access
and the Active Directory server or User-ID Agent.
You can also use the paloalto-userid-agent App ID to retrieve the information from the
Windows domain controller; however, if you do this, you must decrypt the SSL traffic
for User-ID.
• To enable IP address-to-username mapping for users with client systems that aren’t logged in to your
domain servers—for example, users running Linux clients that don’t log in to the domain—you can
Map IP Addresses to Usernames Using Captive Portal.
To authenticate users using MFA, SAML, or Captive Portal, we recommend mapping a hostname to
the Captive Portal Redirect IP Address in Prisma Access and associating it with your internal DNS
servers. If you choose to use Kerberos single sign-on (SSO) with the captive portal, the hostname is
required. Alternatively, you can use the Captive Portal Redirect IP Address by itself to redirect users.
To find the Captive Portal Redirect IP Address, select Panorama > Cloud Services > Status >
Network Details > Service Infrastructure. Prisma Access assigns this IP address from the
infrastructure subnet IP address pool.
• To enable IP address-to-username mapping using syslog listening, Configure User-ID to Monitor
Syslog Senders for User Mapping.
• To enable IP address-to-username mapping for users on Windows-based terminal servers, Configure
User Mapping for Terminal Server Users.
• To enable IP address-to-username mapping using an XML API, Send User Mappings to User-ID Using
the XML API.
• To enable IP address-to-username mapping without using an agent, Configure User-ID for Prisma
Access Using the PAN-OS Integrated User-ID Agent.
STEP 1 | Create the User-ID service account in the Windows Active Directory (AD) server that is being
used by the authentication server.
Be sure that the user you create is part of the following groups:
• Distributed COM Users
• Event Log Readers
• Server Operators
We recommend only making these group associations. You do not have to configure
Domain Admin or Enterprise Admin privileges for the User-ID service account to work
correctly. Giving privileges to the account that aren’t required can give your network a
larger attack surface.
1. Select the CIMV2 folder.
2. Click Security.
3. Click Add
4. Select the service account you created in Step 1.
This example uses the UserID user with the email of [email protected].
5. Check Allow for the Enable Account and Remote Enable for the account you created.
6. Click Apply.
7. Click OK.
STEP 4 | In Panorama, select Device > User Identification > User Mapping and click the gear icon to
edit the settings.
Be sure that you have selected the Remote_Network_Template at the top of the page.
STEP 5 | Make the following changes to the Palo Alto Networks User-ID Agent Setup settings:
1. Select WMI Authentication and enter the domain and username (in the format domain\username)
for the User-ID service account, along with a valid password.
2. (Optional) Select Server Monitor and change the default settings, if required.
• To disable security log monitoring on Windows servers, deselect Enable Security Log.
• To enable monitoring of user sessions on the monitored servers, select Enable Session.
3. (Optional) Select Client Probing and select Enable Probing to enable WMI probing.
4. Click OK to exit from the Palo Alto Networks User-ID Agent Setup.
STEP 6 | If you have not done so already, click Add in the Server Monitoring area and add a Name,
Description, Type, and Network Address for the server you need to monitor.
Configure Your Prisma Access Deployment to
Retrieve Group Mapping
After you configure User-ID mapping in Prisma Access, you need to be able to retrieve the current IP
address-to-username and username-to-user group information for mobile users and users at remote
networks. To allow the Panorama that manages your deployment to retrieve group mapping information,
you must add one or more next-generation firewalls to your deployment and then designate the firewall as
a Master Device. You then create policies in Panorama and enforce the policies using the list of user groups
that Panorama retrieved from the Master Device.
Panorama cannot retrieve group mapping information in Prisma Access deployments without next-
generation firewalls, because Prisma Access does not have any devices in its device groups that you can
specify as a Master Device. If you have a standalone Prisma Access deployment, you can still implement
User-ID mapping in policies by using long-form Distinguished Name (DN) entries.
• Retrieve Group Mappings Using a Master Device
• Configure an On-Premise or VM-Series Firewall as a Master Device
• Implement User-ID in Security Policies For a Standalone Prisma Access Deployment
Auto-population of users and groups applies only to the parent device group that is
associated with the master device. It does not apply to the child device groups
(Mobile_User_Device_Group, Remote_Network_Device_Group, or Service_Conn_Device_Group).
See Configure an On-Premise or VM-Series Firewall as a Master Device for details.
A Master Device can also serve as the termination point of a remote network connection or service
connection, but that is not required for group mapping retrieval to work, as the following example
shows. The figure shows a User-ID deployment in which the administrator has configured an on-premise
device as a Master Device. Callouts in the figure show the process.
1. A next-generation on-premise or VM-series firewall that the administrator has configured as a Master
Device retrieves the latest User-ID information from the LDAP server and User-ID agent in the data
center.
2. Panorama gets the list of usernames, user group names, and group mapping information from the Master
Device.
We recommend using a Group Include List in the LDAP server profile, so that you can
specify which groups you want to retrieve, instead of retrieving all group information.
STEP 1 | Create device groups for mobile users, remote networks, and service connection device groups
as required, and specify the on-premise device as the Master Device.
1. Select Panorama > Managed Devices > Device Groups.
2. Add a new device group.
3. Enter a Name for the device group.
4. Leave the Parent Device Group as Shared.
5. In the Devices area, select the Name of the on-premise or VM-Series device that you want to set as
the Master Device.
6. Select Store user and groups from Master Device if Reporting and Filtering on Groups is enabled in
Panorama Settings.
This option allows Panorama to locally store usernames, user group names, and group mapping
information that it receives from the Master Device.
7. Click OK.
The following screenshot creates a Master Device to be used for the service connection.
STEP 2 | Associate the device groups you created for your Prisma Access mobile user, remote network,
or service connection deployment.
• To associate the device group with a mobile user deployment, select Panorama > Cloud Services >
Configuration > Mobile Users, click the gear icon in the Settings area to edit the settings, and
associate the device group you created for the mobile user deployment with the Parent Device Group.
• To associate the device group with a remote network connection, select Panorama > Cloud
Services > Configuration > Remote Networks and edit the settings by clicking the gear icon in the
Settings area and associate the device group you created for the remote network connection with
the Parent Device Group.
• To associate the device group with a service connection, select Panorama > Cloud Services >
Configuration > Service Setup and edit the settings by clicking the gear icon in the Settings area and
associate the device group you created for the service connection with the Parent Device Group.
After you create a parent device group, Prisma Access automatically populates
group mapping for the device group that is associated with the master device only.
For the previous examples, the auto-population would occur only in the User-
ID DG Mobile Users, User-ID DG Remote Connection, and User-ID DG Service
Connection device groups, and would not populate to the Mobile_User_Device_Group,
Remote_Network_Device_Group, or Service_Conn_Device_Group device groups,
respectively.
For example, given a User named Bob Alice who works in IT for Organization Hooli in the United States,
a matching security policy may have ou=IT Staff,O=Hooli,C=US if the policy is to be applied to all IT
staff, or CN=Bob Alice,ou=IT Staff,O=Hooli,C=US if the policy is only to be applied to Bob Alice.
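The following Python script is an added example, not part of this guide or of Palo Alto Networks software. It shows what a long-form DN entry in a security policy covers: the policy DN must equal the user's DN or be a suffix of it on RDN boundaries, with attribute types and values compared case-insensitively, so ou=IT Staff,O=Hooli,C=US covers every IT staff member while CN=Bob Alice,ou=IT Staff,O=Hooli,C=US covers only Bob Alice. The DN grammar it parses (comma-separated RDNs with backslash escapes), the rule tuples, the first-match evaluation and the sample users other than Bob Alice are this example's own assumptions.

```python
"""Match User-ID subjects against long-form DN policy entries.

Added example, not Palo Alto Networks code. It models the matching a
standalone Prisma Access deployment relies on when a security policy
names a user or container by Distinguished Name instead of a synced
group. The DN grammar handled here (RFC 4514 style, comma-separated RDNs
with backslash escapes) is an assumption about the directory, not
something the guide specifies.
"""
from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, value), both normalised


def _split_rdn(rdn: str) -> RDN:
    if "=" not in rdn:
        raise ValueError(f"malformed RDN: {rdn!r}")
    attr, value = rdn.split("=", 1)
    return attr.strip().lower(), value.strip().lower()


def parse_dn(dn: str) -> List[RDN]:
    """Split a DN into RDNs, honouring backslash-escaped commas.

    Attribute types are case-insensitive in LDAP, so they are lowered;
    values are lowered too because AD name matching is case-insensitive.
    """
    rdns: List[RDN] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # escaped char, keep literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            rdns.append(_split_rdn("".join(buf)))
            buf = []
        else:
            buf.append(ch)
        i += 1
    if buf:
        rdns.append(_split_rdn("".join(buf)))
    return rdns


def dn_matches_policy(user_dn: str, policy_dn: str) -> bool:
    """True if policy_dn names user_dn itself or a container above it.

    The policy entry must equal the user DN, or be an exact suffix of it
    on RDN boundaries (so ou=it staff,o=hooli,c=us covers everyone in that
    OU, while ou=it,o=hooli,c=us does not cover ou=it staff,...).
    """
    user = parse_dn(user_dn)
    policy = parse_dn(policy_dn)
    if len(policy) > len(user):
        return False
    return user[len(user) - len(policy):] == policy


def evaluate(user_dn: str, rules: List[Tuple[str, str, str]]) -> str:
    """First-match evaluation of (rule name, policy DN, action) tuples.

    Mirrors the top-down order of a rulebase: the first rule whose DN
    covers the user decides, and a trailing default deny applies
    otherwise. The rule shape is the example's own, not the product's.
    """
    for name, policy_dn, action in rules:
        if dn_matches_policy(user_dn, policy_dn):
            return f"{name}:{action}"
    return "default:deny"


# Constructed sample rulebase using the guide's example subjects.
RULES = [
    ("bob-only", "CN=Bob Alice,ou=IT Staff,O=Hooli,C=US", "allow"),
    ("all-it-staff", "ou=IT Staff,O=Hooli,C=US", "allow"),
]

if __name__ == "__main__":
    for dn in ("CN=Bob Alice,OU=IT Staff,O=Hooli,C=US",
               "CN=Carol Dan,OU=IT Staff,O=Hooli,C=US",
               "CN=Eve,OU=Finance,O=Hooli,C=US",
               "CN=Smith\\, John,OU=IT Staff,O=Hooli,C=US"):
        print(f"{dn} -> {evaluate(dn, RULES)}")
```

Rule order matters in the same way it does in a firewall rulebase: a user-specific DN entry placed below a broader OU entry would never be reached.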
Redistribute User-ID Information Between
Prisma Access and On-Premise Firewalls
After you configure User-ID, you can consistently enforce user-based policy for all mobile users and
users at remote network locations by configuring User-ID redistribution, which redistributes the User-ID
mapping from Prisma Access to all next-generation firewalls that secure access to network resources.
Use one of the following methods, depending on the direction in which you want to redistribute the
mappings (from Prisma Access to an on-premise next-generation firewall, or from an on-premise firewall
to Prisma Access):
• Redistribute User-ID Information From Prisma Access to an On-Premise Firewall
• Redistribute User-ID Information From an On-Premise Firewall to Prisma Access
To redistribute User-ID mappings from Prisma Access to an on-premise firewall, complete the following
steps.
Before you start this task, find the User-ID Agent Address in Prisma Access by selecting
Panorama > Cloud Services > Status > Network Details, selecting the Service Connection
radio button, and viewing the information in the User-ID Agent Address field.
STEP 1 | Configure Prisma Access as a User-ID agent that redistributes user mapping information.
1. In the Panorama that manages Prisma Access, select Device > User Identification > User Mapping >
Palo Alto Networks User-ID Agent Setup.
Make sure that you have selected the Service_Conn_Template in the Templates drop-down at the
top of the page. The User-ID agent in Prisma Access receives its User-ID mapping from the domain
controller in the data center by way of the service connection.
2. Click the gear icon to edit the settings.
3. Select Redistribution.
4. Provide a User-ID Collector Name and a User-ID Collector Pre-Shared Key to identify Prisma Access
as a User-ID agent. Use a unique, randomly generated pre-shared key; every firewall that collects
from this agent must present the same name and key.
5. Click OK to save your changes.
STEP 2 | Configure the on-premise firewall to collect the User-ID mapping from Prisma Access.
1. From the on-premise firewall, select Device > User Identification > User-ID Agents.
2. Add a User-ID Agent and give it a Name.
3. Select Host and Port.
4. Enter the User-ID Agent Address from Prisma Access in the Host field.
5. Enter the User-ID Collector Name and User-ID Collector Pre-Shared Key for the Prisma Access
collector you created in Step 1.
6. Click OK.
To redistribute User-ID mappings from an on-premise firewall to Prisma Access, complete the following
steps.
STEP 1 | Configure the on-premise firewall to redistribute User-ID information to Prisma Access.
1. From the on-premise firewall, select Device > User Identification > User Mapping > Palo Alto
Networks User-ID Agent Setup.
2. Click the gear icon to edit the settings.
3. Select Redistribution.
4. Provide a User-ID Collector Name and a User-ID Collector Pre-Shared Key to identify the on-
premise firewall as a User-ID agent.
5. Click OK to save your changes.
STEP 2 | Configure Prisma Access to collect the User-ID mapping from the on-premise firewall.
1. From the Panorama that manages Prisma Access, select Device > User Identification > User-ID
Agents.
Make sure that you have selected the Remote_Network_Template in the Templates drop-down at
the top of the page.
2. Add a User-ID Agent and give it a Name.
3. Select Host and Port.
4. Enter the IP address of the MGT interface or service route that the firewall uses to send user
mappings in the Host field.
For the MGT interface, you can enter a hostname instead of the IP address.
5. Enter the User-ID Collector Name and User-ID Collector Pre-Shared Key, using the values for the
collector you created for the on-premise firewall in Step 1.
6. Click OK.
Get User and Group Information Using
Directory Sync
Prisma Access retrieves user and group information from your organization’s Active Directory (AD) to
enforce user- and group-based policy. You can simplify the retrieval of user and group information by using
Palo Alto Networks’ Directory Sync service.
In addition to simplifying user and group information retrieval, integrating Directory Sync with Prisma
Access reduces the bandwidth and load on your AD. Without Directory Sync integration, every remote
network and mobile user node communicates individually with your AD over the service connection.
You can use Directory Sync to retrieve user and group information for Prisma Access for mobile users,
remote networks, or both, by completing the following steps.
The Directory Sync integration with Prisma Access has the following implementation restrictions:
• Azure AD Directory Sync integration is not supported with Prisma Access.
• Make sure that the groups you use with Directory Sync do not have any of the following special
characters, because Prisma Access does not support the use of following special characters in groups
and commit operations will fail:
• " (Double quotes)
• ' (Apostrophe)
• < (less than sign)
• > (greater than sign)
• & (ampersand)
• If you associate Directory Sync with Prisma Access, your user and group names must use the NetBIOS
format that includes the domain.
• The username format must use either the email format (username@domain) or be in NetBIOS
\sAMAccountName format.
• Group names must be in the distinguishedName format (for example,
CN=Users,CN=Builtin,DC=Example,DC=com).
• Directory Sync does not apply any settings you specify in the group include list (Device > User
Identification > Group Mapping Settings > Group Include List); instead, it retrieves user and group
information from your entire configuration, including groups used in all device groups and templates.
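As an added example (not Palo Alto Networks code), the following Python script checks a list of usernames and group names against the restrictions above before you commit, so that a forbidden character or a group that is not in distinguishedName format is caught before the commit fails. The regular expressions for the email, NetBIOS\sAMAccountName and DN formats are simplifications assumed for the example, and the sample entries are constructed.

```python
"""Pre-commit checks for Directory Sync names used with Prisma Access.

Added example, not Palo Alto Networks code. It encodes the naming
restrictions the guide lists for Directory Sync integration so that
offending entries are found before a commit fails. The exact DN and
NetBIOS grammars are simplifications (assumptions), not the product's
own parser.
"""
import re
from typing import Dict, List

FORBIDDEN_CHARS = set('"\'<>&')     # from the guide's restriction list

# username@domain  or  NETBIOSDOMAIN\sAMAccountName (assumed shapes)
_EMAIL_RE = re.compile(r"^[^@\s\\]+@[^@\s\\]+\.[^@\s\\]+$")
_NETBIOS_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9\-]{0,14}\\[^\\\s@]+$")
# distinguishedName: one or more attr=value RDNs separated by commas
_DN_RE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9\-]*=[^,=]+)(?:,[A-Za-z][A-Za-z0-9\-]*=[^,=]+)*$")


def forbidden_chars_in(name: str) -> str:
    """Return the forbidden characters present in name, in order seen."""
    seen: List[str] = []
    for ch in name:
        if ch in FORBIDDEN_CHARS and ch not in seen:
            seen.append(ch)
    return "".join(seen)


def check_username(name: str) -> List[str]:
    """Problems with a username, empty if it is acceptable."""
    problems = []
    bad = forbidden_chars_in(name)
    if bad:
        problems.append(f"forbidden characters {bad!r}")
    if not (_EMAIL_RE.match(name) or _NETBIOS_RE.match(name)):
        problems.append("not username@domain or NetBIOS\\sAMAccountName")
    return problems


def check_group(name: str) -> List[str]:
    """Problems with a group name, empty if it is acceptable."""
    problems = []
    bad = forbidden_chars_in(name)
    if bad:
        problems.append(f"forbidden characters {bad!r}")
    if not _DN_RE.match(name):
        problems.append("not in distinguishedName format")
    return problems


def preflight(users: List[str], groups: List[str]) -> Dict[str, List[str]]:
    """Map each failing entry to its problems; an empty dict means clean."""
    report: Dict[str, List[str]] = {}
    for u in users:
        p = check_username(u)
        if p:
            report[u] = p
    for g in groups:
        p = check_group(g)
        if p:
            report[g] = p
    return report


# Constructed sample input, not taken from any real directory.
SAMPLE_USERS = ["alice@example.com", r"EXAMPLE\bob", "carol",
                "d'angelo@example.com"]
SAMPLE_GROUPS = [
    "CN=Users,CN=Builtin,DC=Example,DC=com",
    "Domain Admins",
    "CN=R&D Staff,OU=Groups,DC=Example,DC=com",
]

if __name__ == "__main__":
    for entry, problems in preflight(SAMPLE_USERS, SAMPLE_GROUPS).items():
        print(f"{entry}: {'; '.join(problems)}")
```

Run it against an export of the groups you intend to reference in policy; because Directory Sync ignores the Group Include List, an offending group anywhere in the retrieved set, not only one you use, can break the commit.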
STEP 1 | Create a Directory Sync instance for Prisma Access, and make a note of the instance name.
When you activate Directory Sync, it creates an instance. You use the instance name when you
associate Directory Sync with Prisma Access in a later step. Optionally, if you need to create a separate
instance for Prisma Access, create it and make a note of the instance name.
STEP 3 | Associate the Panorama that manages Prisma Access with Directory Sync in the hub.
Directory Sync integration with Prisma Access is not supported in a multi-tenant environment.
1. Find the serial number of the Panorama that manages Prisma Access by selecting the Dashboard and
noting the Serial # that displays.
3. Find the serial number of the Panorama that manages Prisma Access, select it, then select Add
Directory Sync.
4. Enter the Directory Sync instance you retrieved in Step 1.
You do not need to select the Region; Directory Sync uses the same region that Prisma Access uses
for Cortex Data Lake.
STEP 4 | Enable Directory Sync on Prisma Access.
1. On the Panorama that manages Prisma Access, select one of the following tabs:
• To configure Directory Sync for Prisma Access for mobile users, select Panorama > Cloud
Services > Configuration > Mobile Users, select the gear icon to edit the settings, then select
Group Mapping Settings.
• To configure Directory Sync for Prisma Access for remote networks, select Panorama > Cloud
Services > Configuration > Remote Networks, select the gear icon to edit the settings, then select
Group Mapping Settings.
2. Select Enable Directory Sync Integration to enable Directory Sync with Prisma Access.
3. Enter the following information:
• Enter the Primary Username (the logon name attribute for the user, such as userPrincipalName or
sAMAccountName). This field is required.
• (Optional) Enter the E-Mail attribute (such as mail).
• (Optional) If you use alternate name attributes for the user, enter them. You can enter up to three
alternate user names (Alternate User Name 1, Alternate User Name 2, and Alternate User Name
3).
4. Click OK when complete.
STEP 5 | Commit and push (Commit > Commit and Push) your changes.
Redistribute HIP Information and View HIP
Reports
Use the topics in this section to understand how HIP redistribution works in Prisma Access,
including some example use cases, and learn how to configure HIP redistribution and view HIP
reports from Panorama.
Redistribute HIP Information with Prisma
Access
To ensure consistent Host Information Profile (HIP) policy enforcement and to simplify policy management,
you can redistribute HIP information received from mobile users and users at remote networks that use
the GlobalProtect app from Prisma Access to other gateways, firewalls, and Panorama appliances in your
enterprise, including the Panorama that manages Prisma Access. To do so, you enable and configure HIP
redistribution in Prisma Access.
• HIP Redistribution Overview
• Use Cases for HIP Redistribution
• Configure HIP Redistribution in Prisma Access
To use HIP redistribution, users must have the GlobalProtect app installed on their endpoint.
While Prisma Access supports Clientless VPN, you cannot redistribute HIP information for
Clientless VPN users.
HIP redistribution is applicable to both mobile users and users at remote networks. However, for users at
remote networks, an on-premise gateway must detect that the user is internal to the organization’s network
using internal host detection before the on-premise gateway can send HIP information to Prisma Access.
In Prisma Access, you configure internal host detection when you configure your mobile user
deployment.
To assure consistent policy enforcement, you can use HIP redistribution to allow Prisma Access to
distribute users’ HIP information to other Panorama appliances, gateways, firewalls, and virtual systems
in your deployment, as well as distribute HIP information from those devices to Prisma Access in some
cases. This ability allows you to consistently apply HIP-based policy enforcement for users’ traffic, including
policies for internet-bound traffic or for traffic that is accessing an internal application or resource in your
organization’s headquarters or data center. Redistributing HIP information to the Panorama appliance also
lets you view detailed HIP information for Prisma Access users from that appliance.
The following figure shows a mobile user whose endpoint is protected with the GlobalProtect app.
The user attempts to access an internal app at an HQ/data center whose access is controlled by a
next-generation firewall with HIP-based security policies. When the user logs in to the GlobalProtect
app, the app collects HIP information and sends it to Prisma Access; however, Prisma Access does not
redistribute this information to the on-premise firewall. Since the firewall does not have the user’s HIP
information, it blocks the user’s access to the app.
HIP redistribution allows you to distribute the mobile users’ HIP information to the on-premise firewall.
The firewall can then check the user’s HIP information against its configured security policies and grant
the user access to the app.
To redistribute HIP information from Prisma Access to the firewall, you allow Prisma Access to
redistribute HIP information, then Add a User-ID Agent (Device > User Identification > User-ID
Agents) on the firewall, and specify the Prisma Access User-ID Agent Address (Panorama > Cloud
Services > Status > Network Details > Service Connection > User-ID Agent Address) as the Host
(10.1.1.1 in the following example) and 5007 as the Port.
• HIP redistribution from Prisma Access to Panorama—If you have multiple firewalls or gateways in your
organization with HIP-based security policies, you can redistribute the HIP information from Prisma
Access to the Panorama that manages Prisma Access by creating a User-ID agent in Panorama and
specifying the Prisma Access User-ID Agent Address as the User-ID Host. You can then redistribute HIP
reports from that Panorama appliance to the other managed Panorama appliances, gateways, firewalls,
and virtual systems in your enterprise, using the same workflow that you use to redistribute User-
ID information to managed firewalls, and enforce consistent policy for internal apps and resources, as
shown in the following figure.
Alternatively, you can configure each internal firewall or gateway in your enterprise to directly collect
HIP information from Prisma Access, without using Panorama as a central location, by creating a User-
ID Agent in each device. Note, however, that Prisma Access uses service connections to send HIP
information, and service connection bandwidth consumption might increase if Prisma Access sends a
large number of HIP reports.
• HIP redistribution from a user at a remote network to Prisma Access—The previous use cases showed
Prisma Access collecting HIP information from mobile users. If you want to apply HIP-based policies in
Prisma Access for a user at a remote network location, you need a way to distribute the HIP information
from the remote network user’s GlobalProtect app to Prisma Access.
The following example shows a user at a remote network location whose internet access is located on
the remote network connection. In Prisma Access, you control the user’s internet access at the remote
network location with security policies created in the Remote_Network_Device_Group or in a shared
device group. To properly enforce the policies at the remote network location for the user, you need to
configure Prisma Access to retrieve the user’s HIP information from the internal gateway.
In this example, the GlobalProtect gateway at the HQ/data center that is configured as an internal
gateway using internal host detection checks the user’s HIP information from the user’s GlobalProtect
app. The internal gateway detects that the user is inside the remote network location and collects both
User-ID and HIP information from the user.
To distribute this HIP information from the internal gateway to Prisma Access, create a User-ID agent in
Panorama and specify the IP address of the internal gateway as the host.
• View detailed HIP logs from Panorama—When mobile users log in using the GlobalProtect app, the app
sends the HIP information to Prisma Access. Panorama retrieves the log results from Cortex Data Lake
to view the results of the HIP Match logs (Monitor > Logs > HIP Match); however, you cannot view
detailed HIP reports until you configure Panorama to redistribute HIP report details from Prisma Access
to Panorama.
To redistribute detailed HIP information from mobile users to Panorama, create a User-ID agent in
Panorama and specify the User-ID Agent Address (Panorama > Cloud Services > Status > Network
Details > Service Connection > User-ID Agent Address) as the User-ID host. See Configure HIP
Redistribution in Prisma Access for details.
If you have configured an on-premise gateway as an internal gateway at a remote user location, you can
also send the HIP information for users at remote networks to Panorama by creating a User-ID agent
in Panorama and specifying the remote network EBGP Router address (Panorama > Cloud Services >
Status > Network Details > Remote Networks > EBGP Router) as the User-ID host. See Configure HIP
Redistribution in Prisma Access for details.
Configure HIP Redistribution in Prisma Access
To allow Prisma Access to collect and redistribute HIP information, complete the following task.
2. Select the Management interface.
3. Select User-ID.
STEP 3 | Configure Panorama to collect the User-ID mapping from Prisma Access.
1. From the Panorama that manages Prisma Access, select Panorama > User Identification > User-ID
Agents.
2. Add a User-ID Agent and give it a Name.
3. Enter one of the following values in the Host field, depending on the types of HIP information you
want to collect.
• To collect HIP information for mobile users, enter the User-ID Agent Address (Panorama > Cloud
Services > Status > Network Details > Service Connection > User-ID Agent Address).
• To collect HIP information from users at remote network locations with an internal gateway,
enter the IP address of the internal gateway.
• To collect HIP information from users at a remote network connection, enter the EBGP Router
address (Panorama > Cloud Services > Status > Network Details > Remote Networks > EBGP
Router) as the User-ID host.
4. Enter 5007 in the port field.
By default, the User-ID agent listens on port 5007 for HIP information requests.
Make sure that your network does not block this port between Panorama (or whichever
device is collecting) and the address you entered in the Host field.
5. Select Enabled to enable Panorama to communicate with the User-ID agent.
6. Select HIP Report to enable Panorama to receive HIP reports from all mobile user locations.
7. Click OK.
STEP 4 | Repeat Step 3 for each service connection to which you want to configure HIP report
collection.
View HIP Reports from Panorama
After you configure Prisma Access to collect and redistribute HIP information to Panorama, use the
following workflow to view HIP information in Panorama.
STEP 1 | Select Monitor > Logs > HIP Match to view HIP information.
STEP 2 | Click the icon to the left of a record to view detailed HIP information.
To view detailed HIP information, the Panorama that manages Prisma Access must be
running a minimum PAN-OS version of 9.0.5.
Manage Multiple Tenants in Prisma Access
To allow you to create and manage multiple Prisma Access instances, Prisma Access offers
multitenancy, which enables you to create up to 200 instances (tenants) on a single Panorama
appliance (or two appliances in high availability (HA) mode), with each tenant having its own
separate templates and template stacks, device groups, and access domains.
Existing or future non-multitenant deployments are not affected by multitenancy and will
continue to function normally. We recommend that you enable multitenancy only if your
organization has a need to manage multiple tenants in Prisma Access.
Follow this workflow to create multiple tenants in Panorama for Prisma Access:
This section only provides the tasks you perform to configure tenants for remote networks,
mobile users, or a combination of remote network and mobile user deployments. To configure
the Clean Pipe service, see Create and Configure Prisma Access for Clean Pipe.
Multitenancy Overview
Enabling multitenancy allows you to host multiple instances of Prisma Access on a single Panorama
appliance. Each instance is known as a Tenant.
Prisma Access tenants get their own dedicated Prisma Access instances and they are not shared between
tenants.
Multitenancy Configuration Overview
Use the following workflow to enable and configure the ability to manage multiple tenants in a single
Panorama appliance.
STEP 1 | Enable multitenancy. If you have an existing Prisma Access instance, enabling multitenancy
automatically migrates your existing Prisma Access configuration to the first tenant.
You give the first (migrated) tenant a name and specify an access domain. Prisma Access migrates the
templates, template stacks, and device groups associated with the existing configuration and associates
them with the access domain you create.
After you migrate your initial configuration, the administrative user in Panorama becomes a superuser
with the ability to create and manage all Prisma Access tenants.
minimums) of either type. You can increase or decrease the bandwidth or mobile user allocation for
any tenants after onboarding, as long as you keep the minimum required allocation per tenant, and the
overall licensed capacity is not exceeded.
You can set up a multi-tenant configuration for only remote networks, only mobile users, or both. You
allocate licenses accordingly to each tenant when you enable multi-tenancy.
If you have a license for remote networks and mobile users, you can set up an individual tenant with
only mobile users or only remote networks. For example, if your Prisma Access deployment has a license
for mobile users and remote networks, you could set up a tenant for mobile users only, as long as you
specify a minimum of 200 mobile users for the tenant.
For each tenant you create after the first, Prisma Access automatically creates templates, template
stacks, and device groups for each tenant and associates them to the access domain you create. Prisma
Access creates this environment to allow you to create a tenant-level administrative user using an
administrative role based on the tenant’s device groups and templates, then creating an administrative
user based on that role. In this way, you create an administrative user that has access to a single tenant
without allowing that user access to the other tenants that are managed by the Panorama appliance.
Prisma Access creates template stacks, templates, and device group using the following naming
convention:
• A service connection template stack with the name of sc-stk-tenant, where tenant is the tenant’s
name.
• A service connection template with the name of sc-tpl-tenant.
• A service connection device group with the name of sc-dg-tenant.
• A mobile user template stack with the name of mu-stk-tenant.
• A mobile user template with the name of mu-tpl-tenant.
• A mobile user device group with the name of mu-dg-tenant.
• A remote network template stack with the name of rn-stk-tenant.
• A remote network template with the name of rn-tpl-tenant.
• A remote network device group with the name of rn-dg-tenant.
• A Clean Pipe template stack with the name of cp-stk-tenant.
• A Clean Pipe template with the name of cp-tpl-tenant.
• A Clean Pipe device group with the name of cp-dg-tenant.
Prisma Access creates template stacks, templates, and device groups for all Prisma Access types, even
those for which you might not be licensed. For example, if you purchase a license for remote networks,
Prisma Access automatically creates template stacks, templates, and device groups for remote networks,
mobile users, and Clean Pipe.
If you add custom templates, they cannot take precedence over the Prisma Access-created templates.
You allocate remote network and mobile user license resources for each tenant based on the license that
is associated with the Cloud Services plugin in Panorama.
The following figure shows a sample Prisma Access deployment using a license with a 20,000 Mbps
remote network bandwidth pool and 20,000 mobile users. The administrator allocated 5,000 Mbps
in remote network bandwidth and 5,000 mobile users for the existing configuration. After the
administrator enabled multitenancy, the license allocation migrated along with all other configuration to
the first tenant. The administrator then created additional tenants, each with a 5,000 Mbps bandwidth
pool for remote networks and 5,000 mobile users for each tenant. Prisma Access allocates the license
resources from the overall license allocation. After you complete this configuration, there is 5,000 Mbps
of remote network bandwidth and 5,000 mobile users available in the license.
Each tenant can use up to 3 service connections with no cost to the license. You can
add more than 3 service connections to each tenant, however each additional service
connection takes 300 Mbps from your remote network license.
Plan Your Multitenant Deployment
Before you enable multitenancy, migrate the first tenant, and create additional tenants, make sure that you
have all required information and resources to do so by completing the following tasks:
If you are migrating an existing single-tenant deployment to a multi-tenant deployment, make a note of
the following Prisma Access features that are not supported:
• DLP on Prisma Access
• Directory Sync integration
• Traffic steering (using traffic forwarding rules with service connections)
Make a note of your license allocation for remote networks and mobile users.
Open your license (Panorama > Licenses) and find the Prisma Access Total Mbps (remote networks
bandwidth pool) for remote networks and User Limit (total number of licensed users) for mobile users.
When you create tenants, you assign resources for remote networks and mobile users from this license
allocation. If the remaining licensed Mbps for remote networks or the remaining licensed mobile users falls
below the minimum required for a tenant, you cannot create additional tenants.
You should also make a note of the bandwidth and mobile users allocation for your
existing configuration. After you migrate your configuration to the first tenant, check these
values to verify that the first tenant migrated correctly.
Make a list of the names you will use to identify each tenant.
When you create tenant names, avoid using names like Tenant-1, Tenant-2, Tenant-3,
and so on. The system logs reserve a small number of characters for the tenant name in
the log output and, if tenants have similar names, it can be difficult to associate the tenant
with the logs. We recommend using a unique and short name for tenants (for example,
Acme or Hooli).
Make a list of the administrative users you will create and assign for each tenant, and note the maximum
number of administrative users that can be logged in concurrently.
When administrative users are performing normal multi-tenant operations such as configuration changes
and commit operations, we recommend having a maximum of 12 administrative users logged in to
Panorama concurrently.
An administrative user who can manage multiple tenants can provision up to 200 tenants at the same
time with a single commit operation.
Be sure that you have sufficient license resources to enable multiple tenants.
The minimum license allocation for each tenant is 200 Mbps for each remote network or 200 mobile
users. You can also create a tenant with only remote networks or mobile users, and can configure
tenants in differing configurations on the same Panorama. For example, you could create a tenant with
remote networks only, a tenant with mobile users only, or a tenant with both mobile users and remote
networks, as long as each tenant meets the minimum license allocation and the relevant licenses are
activated and associated with the Panorama where you configure the tenants.
When configuring a tenant in multitenancy mode, create a unique name for each IPSec tunnel and IKE
gateway for service connections and remote network connections, and try to use a name that will not be
duplicated by another tenant. While a duplicated name has no effect on functionality, you cannot delete an
IPSec tunnel or IKE gateway if another tenant is using a tunnel or gateway with the same name.
Note that single-tenant users cannot view system logs; only superusers can. You can, however, sort logs
by tenant.
Note that, when using the multitenancy feature and logged in as a tenant-level administrative user,
opening the Panorama Task Manager (clicking Tasks at the bottom of the Panorama web interface)
shows all tasks for all tenants, including any tasks done at the superuser (Admin) level.
Enable Multitenancy and Migrate the First
Tenant
Use the following workflow to enable multitenancy and migrate your existing configuration to the first
tenant you create.
When you enable multitenancy, Prisma Access automatically migrates the following components of your
configuration:
• The amount of licensed bandwidth for remote networks and mobile users.
• All service connection and remote network tunnel onboarding information, including tunnel
configuration.
• Existing mobile users onboarding information.
• Cortex Data Lake information.
• The templates, template stacks, and device groups for service connections, remote networks, and mobile
users.
Because of these device group changes, you create an access domain and add the migrated device groups,
templates, and template stacks, as shown in the following workflow.
If you don’t have an existing Prisma Access configuration, and you are creating an all-
new multi-tenant deployment, do not use this workflow; instead, complete the steps in Add
Tenants to Prisma Access to create the first tenant.
STEP 2 | Select Enable Multitenancy (located on the upper right of the page).
After you enable multitenancy, Panorama displays a notification informing you that the existing Prisma
Access configuration will be moved to the first tenant.
After you enable multitenancy, we recommend not disabling it. Clearing the Enable
Multitenancy option removes all the tenants that you have created except the first one,
including all configuration for those tenants, and reverts the first tenant’s configuration
back to a non-multitenant Prisma Access deployment.
STEP 4 | Choose the type of deployment you want to use for the tenant.
• For a remote network, mobile user deployment, or to configure both deployment types for a tenant,
select Remote Networks/Mobile Users.
• For a clean pipe deployment, select Clean Pipe.
This section only describes how to configure tenants for remote network, mobile user, or both
remote network and mobile user deployment types. To configure the clean pipe service, see Create
and Configure Prisma Access for Clean Pipe.
4. (Optional) Click Templates to verify that Prisma Access added the following templates and template
stacks:
• Mobile_User_Template
• Mobile_User_Template_Stack
• Remote_Network_Template
• Remote_Network_Template_Stack
• Service_Conn_Template
• Service_Conn_Template_Stack
These are the default template stacks and templates for a standard Prisma Access deployment; if
you added other templates, be sure that Prisma Access added them.
5. (Optional) If you have other templates associated with this configuration, select them.
6. Click OK to close the Access Domain page and return to the Tenants page.
STEP 6 | Make sure that the values in Bandwidth (Mbps) for remote networks and Users for mobile
users are correct.
These values automatically migrate from your existing configuration.
STEP 7 | Click OK.
The Panorama > Cloud Services > Configuration page shows the first tenant successfully migrated, and
a Tenants drop-down is added above the Tenants area.
STEP 8 | Select the tenant you just created in the Tenants drop-down to verify that all settings were
onboarded.
STEP 10 | Commit and push your changes to make them active in Prisma Access.
1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
2. Select Prisma Access, then select the tenant you created, Service Setup, Remote Networks, and
Mobile Users.
3. Click OK to save your changes to the Push Scope.
4. Commit and Push your changes.
Selecting a tenant from the drop-down list returns you to the Status page for that tenant.
Add Tenants to Prisma Access
After you migrate the existing information as a first tenant, you can create and configure additional tenants.
For each tenant you create after the first, Prisma Access creates a separate access domain with its own set
of template stacks and templates and its own domain groups.
Use this workflow to add more tenants to Prisma Access.
If you are creating an all-new multi-tenant deployment, use this workflow to add the first
tenant as well as additional tenants.
STEP 3 | Specify the amount of Bandwidth (Mbps) to allocate for the Remote Networks and the
number of Users to allocate for the Mobile Users.
STEP 4 | Make sure that Prisma Access applied the template stack, template, and device group service
settings to the service connection settings of the tenant you just created.
1. Select the tenant you created from the Tenant drop-down.
2. Select Panorama > Cloud Services > Configuration > Service Setup.
3. Click the gear icon to the right of the Settings area to edit the settings.
4. Make sure that Prisma Access has associated the template stack (sc-stk-tenant), template (sc-tpl-tenant),
and device group (sc-dg-tenant) to your service connection settings.
5. Make sure that the Parent Device Group is set to Shared and click OK.
STEP 5 | Make sure that Prisma Access applied the template stack, template, and device group to the
remote network settings.
1. Select Panorama > Cloud Services > Configuration > Remote Networks and click the gear icon to the
right of the Settings area to edit the settings.
2. Make sure that Prisma Access has associated the template stack (rn-stk-tenant), template (rn-tpl-tenant),
and device group (rn-dg-tenant) to your remote network settings.
3. Make sure that the Parent Device Group is set to Shared and click OK.
STEP 6 | Make sure that Prisma Access applied the template stack, template, and device group to the
mobile user settings.
1. Select Panorama > Cloud Services > Configuration > Mobile Users and click the gear icon to the right
of the Settings area to edit the settings.
2. Make sure that Prisma Access has associated the template stack (mu-stk-tenant), template (mu-tpl-tenant),
and device group (mu-dg-tenant) to your mobile user settings.
3. Make sure that the Parent Device Group is set to Shared and click OK.
STEP 7 | Mobile User deployments only—Commit your changes locally to make them active in Panorama.
A local commit is required for the mobile user changes to take effect.
1. Select Commit > Commit to Panorama.
2. Make sure that the device groups, templates, and template stacks are part of the Commit Scope.
3. Click OK to save your changes to the Push Scope.
4. Commit your changes.
Delete a Tenant
To delete a tenant, complete the following task.
STEP 1 | Select Panorama > Cloud Services > Configuration, select the tenant, then Delete it.
Deleting a tenant also deletes all configuration for the tenant, including permanently removing any IP
addresses Prisma Access has assigned for service connections, remote networks, and mobile users.
When you delete a tenant, Prisma Access deletes the template and device group set for
which you are licensed, but does not delete the unlicensed set. For example, if you have
a Prisma Access for Users license and delete a tenant, Prisma Access deletes the mobile
user-related template stacks, templates, and device groups but does not delete the set it
created for the unlicensed Prisma Access for Networks. You can manually delete these
unused template and device group sets after you delete the tenant.
STEP 2 | Select Commit > Commit to Panorama and Commit your changes.
Create a Tenant-Level Administrative User
You should create an administrative user for each tenant. In that way, a tenant-level administrator can
view and make changes to their tenant configuration but doesn’t have access to other tenants. To create
an administrative user for a specific tenant, complete the following task. For more information about role-
based access control (RBAC) for tenant-level administrative users, see Control Role-Based Access for
Tenant-Level Administrative Users.
Users who manage single tenants cannot see the system logs because the Monitor > Logs >
System choice is not available. This limitation applies to all Administrators who have an
administrative role of Device Group and Template. Only superusers can view system logs in
multitenancy mode.
STEP 1 | Create an administrative role with a type of Device Group and Template.
1. Select Panorama > Admin Roles.
2. Add an Admin Role Profile with a Role of Device Group and Template.
3. Click OK.
You can create a single Admin Role Profile and share it across multiple tenants; however, you must
create a separate administrator for each tenant.
While you tailor the administrative role for the needs of your organization, we
recommend deselecting Commit for Other Admins. Deselecting this choice allows a
tenant-level user to commit only the changes they have made, and prevents them
from unintentionally committing other changes that other tenant-level administrative
users have made that are not yet committed.
STEP 2 | Create and configure an Administrator for the tenant.
1. Select Panorama > Administrators.
2. Add an Administrator.
3. Enter and confirm a Password for the new Administrator.
4. Specify an Administrator Type of Device Group and Template Admin.
5. Specify the Access Domain that is associated with the device groups for that tenant.
6. Specify the Admin Role that you created in Step 1 for the tenant.
STEP 4 | Repeat Steps 2 and 3 to add additional users to manage your tenants as required.
STEP 5 | Select Commit > Commit to Panorama and Commit your changes.
Control Role-Based Access for Tenant-Level
Administrative Users
If you manage a multi-tenant deployment, you can use role-based access control (RBAC) to create tenant-
level administrative users.
To modify RBAC-level access for tenant-level administrative users in Panorama, you create a tenant-level
administrative user, use an Admin Role Profile with a Role of Device Group and Template, and Enable,
Disable, or give Read Only access to areas of the Panorama Web UI. Use this method to manage access to
all Panorama components for tenant-level users, with the exception of access to the Cloud Services plugin
where you manage Prisma Access.
If you want to restrict a tenant-level user from configuring the Prisma Access components in Panorama, you
cannot use Admin Roles. To disallow users from configuring Prisma Access-specific configuration tasks, you
must prevent the user from accessing the Cloud Services plugin, which also prevents them from viewing it.
Using this method, you can create an administrative user for a security professional who has permissions
to make changes to security policies and push those changes to Panorama, but cannot view or make any
changes to Prisma Access configuration.
You can either enable or disable access to the Cloud Services plugin for a user, but you
cannot give a user read-only access; if a user has access to view the Cloud Services plugin,
the user can also make configuration changes to its components, including Prisma Access.
The following table shows sample tenant-level administrative roles and the steps you perform to create
those roles.
Sample Tenant-Level Configuration: Create a networking-focused user who:
• Can edit plugin configurations
• Can commit to Panorama
• Can push configuration to Prisma Access
Configuration Task: Create a tenant-level administrative user, enabling Save and Commit permissions in the
Admin Role Profile, and disabling or making Read Only any permissions that you don’t want the tenant-level
administrative user to have.

Sample Tenant-Level Configuration: Create a security-focused user who:
• Can view and make changes to security policies
• Can commit to Panorama
• Cannot view, or make changes to, the Cloud Services plugin
• Cannot push configuration to Prisma Access (requires the superuser to push the configuration)
Configuration Task: To prevent a tenant-level administrative user from viewing or accessing the plugin,
remove plugin access for a tenant-level administrator. For all other Panorama-related permissions, change
the Admin Role permissions for the user.

Sample Tenant-Level Configuration: Create a hybrid user who:
• Has read-only access to the Cloud Services plugin
• Has read-write access to the security policy
• Cannot push the configuration to Prisma Access (requires the superuser to push the configuration)
Configuration Task: You cannot make the Cloud Services plugin read-only. You can either view it or
disable it.
This task assumes that you have already completed Add Tenants to Prisma Access, so that templates,
template stacks, and device groups exist for the tenant; you’ll be associating them to the tenant-level
administrative user.
STEP 1 | Create an administrative role with a type of Device Group and Template.
1. Select Panorama > Admin Roles.
2. Add an Admin Role Profile with a Role of Device Group and Template.
3. Click OK.
You can create a single Admin Role Profile and share it across multiple tenants.
STEP 2 | Select Panorama > Access Domain and Add an Access Domain.
STEP 3 | Specify the Device Groups and Templates associated with the tenant.
If you created any device groups that are children or grandchildren of other device
groups under the Shared parent device group, select only the device group at the lowest
hierarchical level (child or grandchild); do not select the parent or you will have errors on
commit.
STEP 4 | Create and configure an Administrator for the tenant-level administrative user, specifying the
Access Domain you just created.
1. Select Panorama > Administrators.
2. Add an Administrator.
3. Enter and confirm a Password for the new Administrator.
4. Specify an Administrator Type of Device Group and Template Admin.
5. Specify the Access Domain that is associated with the device groups for that tenant.
6. Specify the Admin Role that you created in Step 1 for the tenant.
When you complete this example, the abcd-tenant-no-plugin-access Administrative user will have
permissions based on what you defined in the Admin Role profile, but will not be able to view or
configure the Cloud Services plugin (including Prisma Access). Note, however, that they will not be
able to push any changes that they make to the cloud.
STEP 5 | Select Commit > Commit to Panorama and Commit your changes.
Sort Logs by Device Group ID for External
Logging
To sort the logs manually by tenant in Panorama, select Monitor > Logs and choose the Device Group
associated with that tenant to display the logs for that device group. However, if you are forwarding your
logs to an external device, you might have a need to sort those logs at the tenant level. To do so, find the
device group ID in the logs that is associated with the device group and use that group ID-to-device group
mapping to associate the logs with a tenant.
There are four fields associated with the device group in the logs: DG Hierarchy Level 1, DG Hierarchy
Level 2, DG Hierarchy Level 3, and DG Hierarchy Level 4. These fields show the device group IDs at each
level of the device group hierarchy. The shared device group (level 0) is not included in this structure.
DG Hierarchy Level 1 refers to the first device group level in the hierarchy. If you added children or
grandchildren device groups, the DG Hierarchy Level 2 through DG Hierarchy Level 4 fields show the
hierarchy from the child group to the great-grandchild group, respectively.
To find logs by tenant, complete the following task.
STEP 1 | Find the device group IDs associated with the device group.
• To find this information using a CLI command, log into Panorama as a superuser (admin-level user),
enter the show readonly command in configuration mode, and view the values under the device-group
heading. The IDs for the device groups display under the device group name. The following example
shows that the device group ID for the acme-sc device group is 20.
Note that these device groups are at the first level in the hierarchy (DG Hierarchy Level 1); you use
that information in the query in the next step.
/api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>
For more information about using APIs with logs, see Retrieve Logs (API).
STEP 2 | Use the device group ID-to-device group name mapping to associate the logs with a tenant.
The following example shows an administrator retrieving the logs for Acme using the Log Forwarding
App to create a Syslog Forwarding Profile. Since the mapping example in Step 1 shows that Acme’s device
group has the device group ID 20 and sits at hierarchy Level 1, you use those values in the query, along
with the following parameters:
• A descriptive Name for the profile.
• The Syslog Server IP address (you can also specify an FQDN).
• The Port on which the server is listening.
The default port for Syslog messages over TLS is 6514.
• The Facility selected from the drop-down.
STEP 3 | Add the Forwarding parameters that select the logs you want to forward.
The following example shows the administrator creating a Traffic log using a Custom filter with a Query
that selects the logs for Acme, based on the hierarchy level (DG Hierarchy Level 1) and the device group
(20) you retrieved in Step 1.
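The ID-to-tenant mapping this procedure describes can also be applied after the fact to logs that have already been forwarded. The following Python is an added example (not Palo Alto Networks code) that routes a constructed CSV export of forwarded logs to tenants using the DG Hierarchy Level 1 field; the column names, every device group ID other than acme-sc = 20, and the sample records are assumptions made for the illustration.

```python
"""Attribute forwarded Prisma Access logs to tenants by device group ID.

Added example, not Palo Alto Networks code. It assumes each forwarded log
record carries the four DG Hierarchy Level fields the guide describes,
exported as CSV columns; the column names (dg_hier_level_1..4), the device
group IDs other than acme-sc = 20, and the sample records are constructed.
"""
import csv
import io

# Device group ID -> device group name, as collected from `show readonly`
# on Panorama. The guide's example gives acme-sc = 20; the rest is constructed.
DG_ID_TO_NAME = {
    20: "acme-sc",
    21: "acme-rn",
    22: "acme-mu",
    30: "hooli-sc",
    31: "hooli-rn",
    32: "hooli-mu",
    33: "hooli-rn-branch",   # constructed child of hooli-rn (level 2)
}

# Device group name -> tenant. Tenant device groups sit directly under
# Shared, so the level-1 group alone identifies the tenant.
DG_NAME_TO_TENANT = {name: name.split("-", 1)[0].capitalize()
                     for name in DG_ID_TO_NAME.values()}

UNATTRIBUTED = "unattributed"


def dg_hierarchy(record):
    """Return the device group IDs from DG Hierarchy Level 1..4 as a list.

    Unused levels are exported as 0 (Shared, level 0, never appears), so the
    list stops at the first 0 or empty field.
    """
    ids = []
    for level in range(1, 5):
        raw = (record.get(f"dg_hier_level_{level}") or "0").strip()
        if not raw.isdigit() or raw == "0":
            break
        ids.append(int(raw))
    return ids


def tenant_for_record(record, id_to_name=DG_ID_TO_NAME,
                      name_to_tenant=DG_NAME_TO_TENANT):
    """Map a record to its tenant using only the level-1 device group.

    Child and grandchild groups (levels 2..4) belong to the same tenant as
    their level-1 ancestor, so they are not consulted. An ID that is not in
    the mapping (for example a group created after the mapping was taken)
    is reported as unattributed rather than guessed.
    """
    ids = dg_hierarchy(record)
    if not ids:
        return UNATTRIBUTED
    name = id_to_name.get(ids[0])
    return name_to_tenant.get(name, UNATTRIBUTED) if name else UNATTRIBUTED


def route_logs(csv_text):
    """Group CSV log records by tenant; returns {tenant: [record, ...]}."""
    routed = {}
    for record in csv.DictReader(io.StringIO(csv_text)):
        routed.setdefault(tenant_for_record(record), []).append(record)
    return routed


# Constructed sample export: one Acme record (level-1 group 20), one Hooli
# record from a level-2 child group, one Shared-only record, one unknown ID.
SAMPLE_LOG_CSV = """\
receive_time,type,dg_hier_level_1,dg_hier_level_2,dg_hier_level_3,dg_hier_level_4,src,dst,action
2020/11/18 10:00:01,TRAFFIC,20,0,0,0,10.1.1.5,198.51.100.7,allow
2020/11/18 10:00:02,TRAFFIC,31,33,0,0,10.2.7.9,203.0.113.20,deny
2020/11/18 10:00:03,TRAFFIC,0,0,0,0,10.9.9.9,192.0.2.1,allow
2020/11/18 10:00:04,TRAFFIC,99,0,0,0,10.3.3.3,192.0.2.2,allow
"""

if __name__ == "__main__":
    for tenant, records in sorted(route_logs(SAMPLE_LOG_CSV).items()):
        print(tenant, [r["src"] for r in records])
```

Records whose level-1 ID is unknown or absent are kept under a separate key rather than silently dropped, so a stale mapping shows up in the output instead of in a missing tenant's logs.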
Use DLP on Prisma Access
Enforce your organization’s data security standards to prevent accidental data misuse, loss, or
theft with Data Loss Prevention (DLP) on Prisma Access.
DLP on Prisma Access
Data loss prevention (DLP) is a set of tools and processes that allow you to protect sensitive information
against unauthorized access, misuse, extraction, or sharing. DLP on Prisma Access enables you to use
Prisma Access to enforce your organization’s data security standards and prevent the loss of sensitive data
across mobile users and remote networks.
DLP on Prisma Access, also known as Enterprise DLP, is a cloud-based service that uses supervised
machine learning algorithms to sort sensitive documents into Financial, Legal, Healthcare, and other
categories for document classification to guard against exposures, data loss, and data exfiltration. These
patterns can identify the sensitive information in your cloud apps and protect it from exposure.
While Enterprise DLP resembles the Data Filtering implementation that you use with next-generation
firewalls or with Panorama appliances, be sure to follow the steps in this document to implement DLP with
Prisma Access; the configuration tasks are different.
DLP is an add-on license on Prisma Access. You can either start with a 60-day trial or
purchase a license to use Enterprise DLP on Prisma Access.
What is Enterprise DLP?
DLP on Prisma Access allows you to protect sensitive file data in the following ways:
• Prevent file uploads from leaking to unsanctioned web applications—Discover and conditionally stop
sensitive data from being leaked to untrusted web applications.
• Monitor uploads to sanctioned web applications—Discover and monitor sensitive data when it is
uploaded to sanctioned corporate apps.
To help you inspect content and analyze the data in the correct context so that you can accurately identify
what is sensitive data and secure it to prevent incidents, Enterprise DLP is enabled through a cloud service.
Enterprise DLP offers over 380 data patterns and many predefined data filtering profiles, and it is designed
to automatically make new patterns and profiles available to you for use in Data Filtering policies, as soon as
they are added to the cloud service. Use the following tools to configure DLP on Prisma Access:
• Data Patterns—Help you detect sensitive content and how that content is being shared or accessed on
your network.
Predefined data patterns and built-in settings make it easy for you to protect files that contain certain
file properties (such as a document title or author), credit card numbers, regulated information from
different countries (such as driver’s license numbers), and third-party DLP labels. To improve detection
rates for the sensitive data in your organization, you can supplement the predefined data patterns by
defining custom data patterns that are specific to your content inspection and data protection
requirements. In a custom data pattern, you can also define regular expressions and file properties to
look for metadata or attributes in the file's custom or extended properties, and use the pattern in a data
filtering profile.
• Data Filtering Profiles—Power the data classification and monitoring capabilities available on Prisma
Access to prevent data loss and mitigate business risk.
Data filtering profiles are a collection of data patterns that are grouped together to scan for a specific
object or type of content. To perform content analysis, the predefined data profiles have data patterns
that include industry-standard data identifiers, keywords, and built-in logic in the form of machine
learning, regular expressions, and checksums for legal and financial data patterns. When you use the
data filtering profile in a Data Filtering policy rule, the firewall can inspect the content for a match and
take action.
After you utilize the data patterns (either predefined or custom), you manage data filtering profiles in
Panorama. You can use a predefined data filtering profile, or create a new profile and add data patterns
to it. You then create security policies and apply the profiles you added to the policies you create. If a
user uploads a file, and data in that file matches the criteria in the policies, Prisma Access either creates
an alert notification or blocks the file upload.
When you apply the profile to a policy, and a data pattern match causes an alert or block notification
for a file, Prisma Access extracts a snippet of the sensitive data that caused the alert or block
notification. Snippets enable forensics by allowing you to verify why an uploaded file generated an alert
notification or was blocked. You view the snippets in the Data Filtering logs. By default, Prisma Access
uses data masking to partially mask the snippets to prevent the sensitive data from being exposed. You
can configure Prisma Access to completely mask the sensitive information, unmask the snippets, or disable
snippet extraction and viewing.
The data patterns and data filtering profiles are designed to work across Prisma SaaS and Prisma Access to
provide consistent data security at all locations—either in the cloud or across various enforcement points
in the SaaS applications, remote networks, and mobile users. When you create a new data pattern or data
filtering profile on Prisma Access, it becomes available for enforcement on Prisma SaaS so that you can
identify and protect data uniformly across connected applications.
To improve detection accuracy and reduce false positives, you can also specify:
• Proximity keywords—An asset is assigned a higher accuracy probability when a keyword is within a
200-character distance of the expression. If a document has a 16-digit number immediately followed
by Visa, that's more likely to be a credit card number. But if Visa is the title of the text and the 16-digit
number is on the last page of the 22-page document, that's less likely to be a credit card number.
You can also use more than one keyword in a keyword group and include or exclude keywords to find
when occurrences of specific words appear or do not appear within 200 characters of the expression.
• Confidence levels—Along with proximity keywords, confidence levels let you control how much weight
a proximity keyword carries in a pattern match. At Low confidence, Prisma Access matches on the
regular expression alone and ignores proximity keywords; at High confidence, Prisma Access also
requires a proximity keyword within 200 characters of the regular expression match before it
considers the data pattern in a file to be a match.
• Basic and weighted regular expressions—A regular expression (regex for short) describes how to search
for a specific text pattern; when a pattern match is found, the match occurrences are displayed. There
are two types of regular expressions—basic and weighted.
• A basic regular expression searches for a specific text pattern. When a pattern match is found, the
service displays the match occurrences.
• A weighted regular expression assigns a score to each text entry it finds. When the total score
exceeds the threshold, the service returns a match for the pattern.
To reduce false positives and improve the search performance of your regular expressions, assign
scores with the weighted regular expression builder when you create data patterns. Scoring applies a
match threshold: when enough expressions from a pattern match an asset for the score to exceed the
threshold, the asset is reported as a match for the pattern.
For more information, including a use case and best practices, see Configure Regular Expressions in
the Prisma SaaS Administrator’s Guide.
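The proximity keyword, confidence level and weighted regular expression behaviour described above, as an added example in Python that is not part of this guide or of Prisma Access: a small matcher that applies a regular expression plus a Luhn check, looks for include and exclude keywords within the 200-character window, honours Low and High confidence, and scores a weighted expression set against a threshold. The patterns, keyword lists, weights, thresholds and the sample document are constructed for illustration and are not the predefined Prisma Access patterns.

```python
"""Added example (not Prisma Access code): a minimal data-pattern matcher that
behaves the way the guide describes. Regex + Luhn check, proximity keywords
within a 200-character window, Low/High confidence, and a weighted-expression
score compared to a threshold. Patterns, keywords, weights, thresholds and the
sample document are constructed assumptions."""
import re
from dataclasses import dataclass
from typing import Callable, Optional

PROXIMITY_WINDOW = 200  # characters on either side of the match, per the guide


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; rejects random 16-digit strings that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Pattern:
    name: str
    regex: str
    keywords: tuple = ()                               # include keywords
    exclude: tuple = ()                                # keywords that disqualify a nearby match
    validator: Optional[Callable[[str], bool]] = None  # run on the digits only


def _nearby(text: str, start: int, end: int, words: tuple) -> bool:
    """True if any word occurs within PROXIMITY_WINDOW characters of text[start:end]."""
    window = text[max(0, start - PROXIMITY_WINDOW): end + PROXIMITY_WINDOW].lower()
    return any(w.lower() in window for w in words)


def find_matches(text: str, pattern: Pattern, confidence: str = "low") -> list:
    """Return (snippet, keyword_nearby) for each match the pattern accepts.

    Low confidence: proximity keywords are ignored, the regex alone decides.
    High confidence: an include keyword must be nearby and no exclude keyword may be."""
    found = []
    for m in re.finditer(pattern.regex, text):
        snippet = m.group(0)
        if pattern.validator and not pattern.validator(re.sub(r"\D", "", snippet)):
            continue
        has_kw = _nearby(text, m.start(), m.end(), pattern.keywords)
        has_ex = _nearby(text, m.start(), m.end(), pattern.exclude)
        if confidence == "high" and (not has_kw or has_ex):
            continue
        found.append((snippet, has_kw))
    return found


def weighted_score(text: str, weighted_exprs: list) -> int:
    """Sum the weight of every expression that occurs at least once."""
    return sum(w for rx, w in weighted_exprs if re.search(rx, text))


def weighted_match(text: str, weighted_exprs: list, threshold: int) -> bool:
    """Weighted regex: the pattern matches once the score reaches the threshold."""
    return weighted_score(text, weighted_exprs) >= threshold


# Illustrative pattern definitions (assumptions, not the predefined ones).
CCN = Pattern(
    name="Credit Card Number",
    regex=r"\b(?:\d[ -]?){15}\d\b",
    keywords=("visa", "mastercard", "credit card", "card number"),
    exclude=("tracking",),
    validator=luhn_ok,
)
IBAN_WEIGHTED = [(r"\bIBAN\b", 3), (r"\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b", 5), (r"\bBIC\b", 2)]

# Constructed sample: one card number with "Visa" nearby, one Luhn-valid number
# more than 200 characters from any keyword, and one number that fails Luhn.
_FILLER = "lorem ipsum " * 25
SAMPLE_DOC = (
    "Card on file: Visa 4111 1111 1111 1111, exp 12/24. " + _FILLER
    + "Tracking number 5555 5555 5555 4444 left the warehouse. " + _FILLER
    + "Invalid checksum 1234 5678 9012 3456 appears here too."
)

if __name__ == "__main__":
    print("low :", find_matches(SAMPLE_DOC, CCN, "low"))    # both Luhn-valid numbers
    print("high:", find_matches(SAMPLE_DOC, CCN, "high"))   # only the one next to "Visa"
    print("iban:", weighted_match("IBAN DE89370400440532013000 BIC COBADEFF", IBAN_WEIGHTED, 7))
```

At Low confidence both Luhn-valid numbers are reported; at High confidence only the one with Visa within the window survives, and the third number is dropped by the checksum regardless of keywords, which is the kind of false positive validated and weighted patterns are meant to remove.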
Predefined Data Filtering Profile: Scans For
• Bulk CCN: Credit card numbers or Voyager credit card numbers (more than 100).
• Financial Information: Bank statements, bank routing numbers, credit card numbers (strict checking),
bankruptcy filings.
• GDPR: Driver's License numbers, Tax IDs, National IDs, Passport numbers.
• Gramm-Leach-Bliley Act (GLBA): Credit card numbers, Voyager credit card numbers, magnetic stripe
information, Tax ID-US (TIN), National ID-US, Social Security Number (SSN).
• Intellectual Property: Source code, AWS secret keys, access keys, company confidential. There are two
intellectual property profiles; the Intellectual Property - Basic data filtering profile contains a subset of
the data patterns that are included in the Intellectual Property data filtering profile.
• Malware: All Microsoft Office documents, PDF, and portable executable files, compared against known
WildFire threats. The verdict is based on a hash, which is a unique fingerprint of a file.
• Personally-Identifiable Information (PII): Tax IDs, National IDs, Passport numbers, and Driver's License
numbers.
• Sensitive content: National ID, bank information, AWS secret keys or access keys, company confidential,
CCN.
What’s Supported with DLP on Prisma Access?
Here are the supported applications and operational parameters that you can use with DLP on Prisma
Access.
[Table: supported web applications by file type (pdf, doc/docx, ppt/pptx, xls/xlsx, rtf, csv), multi-file
upload support, and file size; the same information is listed below.]
• Applications—You can enforce DLP for web-based (HTTP- or HTTPS-based) uploads for the following
applications:
• Box (App-ID is boxnet-uploading)
• Gmail (App-ID is gmail-uploading)
• Microsoft OneDrive (App-ID is sharepoint-online-uploading)
• Microsoft SharePoint (App-ID is sharepoint-online-uploading)
• Slack (App-ID is slack-uploading)
• Web browsing (App-ID is web-browsing)
• File operations—Prisma Access inspects file uploads over HTTP and HTTPS only (no FTP or SMTP), and
only over HTTP/1.1. Some applications, such as SharePoint and OneDrive, use HTTP/2 by default. To make
those uploads inspectable, create a decryption profile and decryption policy rule that strip the ALPN
extension from the TLS handshake, so that the client and server fall back to HTTP/1.1. See Enable DLP on
Prisma Access for instructions.
• Data flow—File uploads are supported (downloads are not supported).
• Concurrent file uploads—You can upload up to 25 files at a time.
• File size—Files of up to 20 MB are supported.
Enterprise DLP does not support machine learning pattern detection for files whose extracted file sizes
are larger than 1 MB.
• File types—Microsoft Office (.doc, .docx, .ppt, .pptx, .xls, .xlsx) .csv, .pdf, and .rtf.
• Response—Block and Alert actions are supported for HTTP and HTTPS files. The Block page does not
display the name of the file that Prisma Access blocked.
• Data Patterns and Data Filtering Profiles—Use predefined data patterns and data filtering profiles, or
create your own data patterns and data filtering profiles. You cannot clone data patterns; however, you
can clone predefined data filtering profiles if you want to add, remove, or modify data identifiers in the
existing profile.
For each data filtering profile, DLP on Prisma Access allows a maximum of 10 data patterns for a Block
rule and 50 data patterns for an Alert rule.
• Multi-tenancy—DLP on Prisma Access is not supported in a multi-tenant deployment.
Register and Activate DLP on Prisma Access
DLP on Prisma Access enables you to secure remote networks and users, and requires an add-on license.
You can either purchase a license or try the 60-day trial.
When you request a trial from the web interface, allow 24 hours for the request to be processed.
After the trial is approved, you can use the product for 60 days, followed by a 30-day grace period in
which to purchase the license. Palo Alto Networks deactivates DLP on Prisma Access 90 days after the
start of the trial if you do not purchase a license.
When you purchase a license, all you need to do is activate it in this workflow. The welcome email that
you receive when you purchase Enterprise DLP includes an auth code; disregard it. The auth code is
processed automatically, so all you need to do is follow the instructions in this workflow.
To register and activate DLP on Prisma Access, complete the following steps.
If you have existing data patterns and data filtering profiles in a Prisma Access-specific
device group (Service_Conn_Device_Group, Remote_Network_Device_Group, or
Mobile_User_Device_Group), the patterns and profiles will be removed after you register and
activate DLP on Prisma Access.
STEP 1 | Check the minimum Panorama and content version on the Panorama appliance on which you
will install DLP on Prisma Access, and upgrade your Panorama or content version if required.
The minimum required Panorama version is 9.0.4, and the minimum required content version is 8190.
If you have DLP on Prisma Access enabled for more than one Prisma Access instance
in a single Customer Service Portal (CSP) account, data filtering profiles are synchronized
across all instances. This behavior can result in unexpected consequences; for example,
the deletion of a custom data pattern or data filtering profile for one instance does not
delete that pattern or profile for other instances in the CSP account. For this reason, Palo
Alto Networks recommends that you move each Prisma Access instance to its own CSP
account.
STEP 2 | Activate and install Prisma Access and configure your settings for the Prisma Access service
infrastructure; then, configure your mobile users deployment, your remote networks
deployment, or both, depending on your Prisma Access license.
Skip this step if you’ve already configured Prisma Access.
STEP 3 | Perform the following pre-checks to make sure that your environment is ready to request
Enterprise DLP on Prisma Access:
• Be sure that Panorama can access the dss.paloaltonetworks.com URL.
Add this URL to the allow list on any security appliance that you use with the Panorama
appliance. In addition, if your Panorama appliance uses a proxy server (Panorama > Setup >
Service > Proxy Server), or if you use SSL forward proxy with Prisma Access, be sure to add
dss.paloaltonetworks.com to the allow list on the proxy server.
• If you use the same parent device group for on-premise firewalls and Prisma Access firewalls, and
want to use that parent device group to configure security policy rules, open a command-line interface
(CLI) session on the Panorama appliance that manages Prisma Access and enter the request plugins
cloud_services prisma-access dlp-enable-config-in-shared command. This command copies the data
filtering profiles into the Shared device group, where the on-premise firewalls can read them.
If you do not run this command, you cannot reference the Enterprise DLP data filtering profiles from
non-Prisma Access device groups, because those profiles are only available in the Prisma Access
device groups.
• Select Panorama > Administrators and verify that the __cloud_services user is present.
After you install the Cloud Services plugin, the plugin creates a Panorama administrative user with
a username of __cloud_services. This user account is required to enable communication between
Enterprise DLP on Prisma Access and the Prisma Access management infrastructure. Palo Alto
Networks recommends that you change the password for this administrative user in accordance with
your organization’s password policy.
If you delete the __cloud_services user, you must re-add the user manually. The account is used to
register and activate Enterprise DLP on Prisma Access, and for continued DLP scanning using the
data patterns and data filtering profiles referenced in security policy rules.
STEP 4 | Log in to Panorama and select Panorama > Cloud Services > Configuration > Service
Setup.
STEP 5 | In the Service Operations area, select Activate Enterprise DLP or Request a Trial.
If you have purchased an add-on Enterprise DLP license, the Enterprise DLP capabilities are ready for
use as soon as you click the link. Disregard the auth code in the welcome email you received with
your purchase; it is processed automatically.
A page displays indicating that your existing data filtering settings will be removed after your DLP on
Prisma Access request is approved.
After you register and activate DLP on Prisma Access, the Cloud Services plugin enables DLP-specific
features in the following areas in Panorama.
If you have any existing data patterns, they will be removed when you register and
activate the DLP on Prisma Access.
• Device > Data Filtering Settings—Allows you to specify global settings for data filtering based on
latency, file size, and logging for files that are not scanned.
• Objects > Custom Objects > Data Patterns—Specifies patterns that you use with the data filtering
profile.
• Objects > Security Profiles > Data Filtering—Lets you add data patterns to a data filtering profile and
specify additional parameters that trigger an alert or block action for files that match those patterns.
• Device > Response Pages > Data Filtering Block Page—Adds a customizable page that displays to
users when Prisma Access blocks a file using a DLP-based security policy.
STEP 7 | Wait 24-48 hours; then select Panorama > Cloud Services > Configuration > Service Setup
and reselect Activate Enterprise DLP or Request a Trial to see the results of your request.
• If the DLP on Prisma Access request was approved, a pop-up window displays indicating that
Enterprise DLP has been activated and the Panorama appliance displays a banner indicating that DLP
configuration has changed and a push is required. If you see this page and banner, Commit and Push
your changes, then enable DLP on Prisma Access.
• If you receive a page that indicates that your request was received and is being evaluated, either your
request is still being processed or it wasn’t approved; you can retry the request in 24 hours to see its
status. Do not open a case when this request is being evaluated.
• If you receive a message that Enterprise DLP activation was unsuccessful, the request is approved,
but Prisma Access has not yet provisioned the infrastructure. If you see this message, open a support
case on the Customer Service Portal (CSP).
Enable DLP on Prisma Access
Complete these steps to use DLP on Prisma Access successfully.
STEP 1 | Create a decryption profile and a decryption policy rule to remove ALPN headers from
uploaded files.
DLP on Prisma Access supports HTTP/1.1. Some applications, such as SharePoint and OneDrive,
support HTTP/2 for uploads by default. To make uploaded files from applications that use HTTP/2
compatible with DLP on Prisma Access, complete these steps.
1. Select Objects > Decryption > Decryption Profile.
Choose any device group in the Device Group drop-down at the top of the page; decryption profiles
are shared across device groups.
2. Add a new profile and give it a Name.
3. Select SSL Forward Proxy, then select Strip ALPN in the Client Extension area.
STEP 2 | Disable the QUIC protocol by adding services and security policies.
Many supported web applications, such as Gmail, require that you disable the QUIC protocol for DLP on
Prisma Access to function correctly.
1. Select Policies > Security and Add a security policy that denies traffic using the quic application.
2. Select Objects > Services and Add two services: One for UDP on port 80 and one for UDP on port
443.
Newer versions of QUIC might be misidentified as unknown-udp. For this reason, Palo Alto
Networks recommends adding services for UDP port 80 and UDP port 443 and creating an additional
security policy to block UDP traffic on those ports.
3. Select Policies > Security and Add a security policy that includes the services you created to deny
traffic to UDP ports 80 and 443.
When complete, you will have two security policies: One that blocks the QUIC protocol and one that
blocks traffic on UDP ports 80 and 443.
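The two service objects and two security policies from this step, written out as an added illustration in PAN-OS configuration-mode set syntax. This is not from the original guide: the object and rule names are placeholders, Mobile_User_Device_Group is one of the Prisma Access device groups named under Register and Activate DLP on Prisma Access, the lines beginning with # are annotations rather than CLI input, and you should verify the syntax against your Panorama release before use.

```panos
# Service objects for the UDP ports newer QUIC versions fall back to
set shared service udp-80 protocol udp port 80
set shared service udp-443 protocol udp port 443

# Rule 1: deny traffic that App-ID identifies as quic
set device-group Mobile_User_Device_Group pre-rulebase security rules Deny-QUIC from any to any source any destination any application quic service any action deny log-end yes

# Rule 2: deny anything else on UDP 80/443, which catches QUIC versions
# that App-ID reports as unknown-udp
set device-group Mobile_User_Device_Group pre-rulebase security rules Deny-UDP-80-443 from any to any source any destination any application any service [ udp-80 udp-443 ] action deny log-end yes
```

Security rules are evaluated top-down, so keep both deny rules above any rule that allows web-browsing or ssl; a browser whose QUIC attempt is denied retries over TCP 443, where DLP can inspect the upload. Then Commit and Push as described in the steps that follow.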
STEP 3 | (Optional) Review the default values for snippets and data masking, and change the default
settings if required by your organization’s compliance or policy rules, by opening a command-
line interface (CLI) session with admin-level privileges on the Panorama that is running DLP on
Prisma Access and entering the following commands.
By default, Prisma Access retrieves snippets and puts them in the Data Filtering logs (Monitor > Logs >
Data Filtering). Prisma Access stores these snippets in the logs for 90 days. The default data masking
level is partial, which means that Prisma Access displays only the last four digits of the value in clear text.
• Check the current configuration of snippets and data masking by entering the following command:
The command output shows the current setting for snippets and data masking. The data masking
keyword takes one of three values:
• partial_mask displays only the last four digits in clear text.
• no_mask displays all the values in clear text.
• full_mask does not display any values.
When a file is scanned, DLP on Prisma Access stores snippets of data for every data
pattern match. These snippets are masked (full mask, partial mask, or no mask) based
on the settings you configured. If DLP detects that a file was previously scanned and the
file's contents were unchanged, scanning is skipped, and the verdict and snippets are
returned based on the earlier scan.
STEP 4 | Identify what content is sensitive in your environment and determine the types of data
patterns or data filtering profiles you require.
1. Determine the type of data pattern you need.
Prisma Access includes more than 380 predefined data patterns that cover commonly used types of
sensitive data. If your data requirements call for a custom data pattern, create a data pattern and
specify its detection techniques; otherwise, use one of the predefined data patterns for your
sensitive content.
2. Determine the type of data filtering profile you need.
Prisma Access includes many predefined data filtering profiles for specific types, such as financial
and healthcare-specific profiles. If your data requirements need a custom data filtering profile, create
a data filtering profile, add a data pattern to it, and specify matching criteria and confidence levels;
otherwise, use one of the existing data filtering profiles in the security policy you create.
STEP 6 | Commit and Push your changes to make them active in Prisma Access.
After you configure DLP, you can view the DLP logs, including the snippets that Prisma Access retrieved
as the result of an Alert or Block action.
You can upload multiple files; however, if you use Box to upload multiple files, and one
or more of the files are larger than 5 MB, the upload of all the files does not complete. To
continue, find the files in Box that are larger than 5 MB and click X to stop the upload
of those files.
4. View the DLP logs to verify that DLP on Prisma Access correctly applied the action you specified in
the security policy.
Create a Data Pattern
Data patterns enable you to specify the match criteria and identify patterns using regular expressions, file
properties, or keywords that represent sensitive information on your network.
STEP 3 | Specify a Type and criteria for the data pattern and give it a Name.
Use one of the following data pattern types:
• Regular Expression—Create regular expressions to use in the data pattern.
You can choose Basic or Advanced data patterns. Use the Advanced data pattern to create a basic
or weighted regular expression. With weighted regular expressions, each text entry is assigned a
score, and when the score threshold is exceeded, such as enough expressions from a pattern match
an asset, the asset will be indicated as a match for the pattern.
You then use the query builder in the Regular Expressions area to add expressions, either regular
(Basic) or weighted (Advanced).
You can enter one or more Proximity Keywords to use with the Data Filtering pattern. Use proximity
keywords in a data filtering profile with a High Confidence. When you upload a file, Prisma Access
looks for the proximity keywords you specify within 200 characters of the regular expressions before
it considers the specified data pattern to be a match in the file.
• File Property—Add a file property pattern to match.
For data governance and protection of information, if you use classification labels or embed tags in
MS Office and PDF documents to include more information for audit and tracking purposes, you
can create a file property data pattern to match on the metadata or attributes that are a part of the
custom or extended properties in the file. Regardless of whether you use an automated classification
mechanism such as Titus or require users to add a tag, you can specify a name-value pair to match on
a custom or extended property embedded in the file.
DLP on Prisma Access supports file property data patterns in MS Office and PDF documents. Both
the OLE (.doc/.ppt) and XML (.docx/.pptx) formats of MS Office are supported.
You then add a Tag Name and Tag Value.
A Tag Name and Tag Value are an associated pair that specifies the property that you want to look
for (for example, you can specify a Tag Name of Label and a Tag Value of Confidential). You can add
as many file properties as you’d like. When you later reference the file property data pattern in a data
filtering profile, a boolean OR match is used in the match criteria.
Create a Data Filtering Profile
Use a data filtering profile to add data patterns and specify matches and confidence levels.
• If you select Advanced options, create expressions by dragging and dropping data patterns,
Confidence levels, Operators, and Occurrence values into the field in the center of the page.
Specify the values in the order that they are shown in the following screenshot (data pattern,
Confidence, and Operator or Occurrence values).
You can create a profile with both Alert and Block actions; to do so, create the primary
pattern with an Alert action and a secondary pattern with a Block action as shown in Step
8.
STEP 7 | (Optional) Set the Log Severity recorded for files that match this rule.
The default severity is Informational.
STEP 8 | (Optional) Create a secondary pattern for this data filtering profile with a different action (alert
and block mode).
You can attach one data filtering profile per security policy rule. To get both Alert and Block actions
from a single security policy rule, create a primary pattern with an Alert action and a secondary pattern
with a Block action.
You must specify a Primary Pattern with an Action of Alert and a Secondary Pattern with
an Action of Block to use alert and block mode.
3. Specify an Action of Block for the secondary pattern and Add more data patterns and match criteria.
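The primary Alert / secondary Block structure of Step 8, the per-rule pattern limits given under What's Supported with DLP on Prisma Access, and the snippet masking levels from Step 3 of Enable DLP on Prisma Access, as one added Python example that is not part of this guide or of Prisma Access. It models a profile as rules made of (pattern, confidence, occurrences) terms joined by an operator, decides the action for an upload from per-pattern match counts, and shows the masked snippet that ends up in the log record; the rule layout, the profile ID and the match counts are constructed assumptions, not the product's internal format.

```python
"""Added example (not Prisma Access code): how a data filtering profile turns
per-pattern match counts into an action and a masked log snippet. Models the
primary Alert and secondary Block rules, the 10-pattern Block / 50-pattern
Alert limits, and the partial_mask / full_mask / no_mask levels from the guide.
Rule structure, profile ID and match counts are constructed for illustration."""
import re
from dataclasses import dataclass

MAX_PATTERNS = {"alert": 50, "block": 10}   # per data filtering profile, per the guide


@dataclass(frozen=True)
class Term:
    pattern: str       # data pattern name
    confidence: str    # "low" (regex only) or "high" (proximity keyword required)
    occurrences: int   # minimum number of matches for this term to be true


@dataclass(frozen=True)
class Rule:
    action: str        # "alert" (primary) or "block" (secondary)
    operator: str      # "and" or "or" across the terms
    terms: tuple


def rule_is_valid(rule: Rule) -> bool:
    """Enforce the per-action limit on distinct data patterns."""
    return len({t.pattern for t in rule.terms}) <= MAX_PATTERNS[rule.action]


def term_hits(term: Term, matches: dict) -> bool:
    """matches maps pattern name -> {"low": n, "high": n}; the high count is the
    subset of low-confidence matches that also had a proximity keyword nearby."""
    return matches.get(term.pattern, {}).get(term.confidence, 0) >= term.occurrences


def rule_hits(rule: Rule, matches: dict) -> bool:
    results = [term_hits(t, matches) for t in rule.terms]
    return all(results) if rule.operator == "and" else any(results)


def evaluate(profile: tuple, matches: dict) -> str:
    """Block takes precedence over Alert; a file that matches neither is allowed."""
    for rule in sorted(profile, key=lambda r: r.action != "block"):
        if not rule_is_valid(rule):
            raise ValueError(f"{rule.action} rule exceeds {MAX_PATTERNS[rule.action]} data patterns")
        if rule_hits(rule, matches):
            return rule.action
    return "allow"


def mask_snippet(value: str, level: str = "partial_mask") -> str:
    """partial_mask keeps the last four digits and the separators; full_mask hides
    every letter and digit; no_mask returns the value in clear text."""
    if level == "no_mask":
        return value
    if level == "full_mask":
        return re.sub(r"[0-9A-Za-z]", "X", value)
    total = sum(ch.isdigit() for ch in value)
    seen, out = 0, []
    for ch in value:
        if ch.isdigit():
            seen += 1
            out.append(ch if seen > total - 4 else "X")
        else:
            out.append(ch)
    return "".join(out)


def log_record(profile_id: int, action: str, pattern: str, snippet: str,
               level: str = "partial_mask") -> dict:
    """Shape of a Data Filtering log entry; the logs carry the profile ID rather
    than the profile name, so the ID is what you filter on later."""
    return {"subtype": "data", "profile_id": profile_id, "action": action,
            "pattern": pattern, "snippet": mask_snippet(snippet, level)}


# Constructed profile: alert on any card number or SSN; block when the file holds
# at least five keyword-confirmed card numbers together with an SSN.
PROFILE = (
    Rule("alert", "or", (Term("Credit Card Number", "low", 1), Term("US SSN", "low", 1))),
    Rule("block", "and", (Term("Credit Card Number", "high", 5), Term("US SSN", "high", 1))),
)
# Constructed match counts, as a matcher would report them for two uploads.
MATCHES_ALERT = {"Credit Card Number": {"low": 2, "high": 1}}
MATCHES_BLOCK = {"Credit Card Number": {"low": 9, "high": 6}, "US SSN": {"low": 1, "high": 1}}

if __name__ == "__main__":
    for name, m in (("invoice", MATCHES_ALERT), ("export", MATCHES_BLOCK), ("memo", {})):
        print(name, "->", evaluate(PROFILE, m))
    print(log_record(12345, "block", "Credit Card Number", "4111-1111-1111-1234"))
```

The invoice with two card numbers only alerts; the export with six keyword-confirmed card numbers and an SSN is blocked; a file with no matches is allowed. The masking level changes only what is written to the log, never the verdict, which is why a no_mask setting should be weighed against who can read the Data Filtering logs.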
STEP 10 | (Optional) Modify the response page that displays when Prisma Access blocks a file.
When Prisma Access blocks a file, it sends text to the browser of the user who requested the file,
informing them that the file has been blocked. You can change the text of this page by completing the
following steps.
1. Select Device > Response Pages > Data Filtering Block Page.
2. Select Shared, then select Export to download the data-filter-block-page.txt file.
Leave the Data Filtering Block Page open; you upload the file after you edit it.
3. Open the .txt file in a text editor and edit the text that displays in the Block page.
4. In Panorama, Import the data-filter-block-page.txt file you just edited.
View DLP Logs and File Snippets
When DLP on Prisma Access detects sensitive content during a file upload, and you have created an Alert
or Block action, it generates a log. You can then view the sensitive content, called a snippet, from the
Data Filtering logs. A snippet is the evidence or identifiable information associated with a pattern match. For
example, if you specified a data pattern of Credit Card Number, Prisma Access returns the credit card
number that matched as the snippet. By default, Prisma Access returns snippets.
Prisma Access uses data masking to mask the data in the snippets. By default, Prisma Access displays the
last four digits of the value in clear text (partial masking). For example, Prisma Access displays a snippet of a
credit card number as XXXX-XXXX-XXXX-1234. You can also specify the data to be completely displayed
in clear text, or fully mask the data to hide all the values. You enable or disable snippet retrieval and specify
data masking levels when you enable DLP.
To view the DLP-specific logs, including file snippets, complete the following steps.
STEP 2 | View the DLP-specific Data Filtering logs by selecting Monitor > Logs > Data Filtering and, in
the Filter area, entering ( subtype eq data ).
You cannot search the logs by profile name. To search by profile, find the profile ID in the data filtering
logs. The profile ID is listed in the ID column in the logs.
STEP 3 | (Optional) View more details about the file, including file snippets.
1. Click the magnifying glass next to the file to view its details.
2. Click the DLP tab; then, select a Pattern to view the pattern details.
Create and Configure Prisma Access for Clean Pipe
Use Prisma Access for Clean Pipe to quickly and easily configure multiple instances of clean
outbound internet connections.
Prisma Access for Clean Pipe Overview
To allow organizations that manage the IT infrastructure of other organizations, such as service providers,
MSSPs, or Telcos, to quickly and easily protect outbound internet traffic for their tenants, Palo Alto
Networks provides Prisma Access for Clean Pipe. A service provider, MSSP, or Telco can route their
customers (configured as tenants) to Prisma Access for Clean Pipe using a Partner Interconnect. After the
traffic crosses the Partner Interconnect, it will be sent to a tenant-dedicated instance of the Clean Pipe for
security, and then routed to the Internet.
Prisma Access for Clean Pipe also provides an API that you can use to quickly and easily create Clean Pipes
for your tenants.
• Clean Pipe Use Cases
• Clean Pipe Examples
• Clean Pipe and Partner Interconnect Requirements
The following figure shows a single Clean Pipe in more detail for a tenant who wants a clean connection
to the internet. The Customer Edge (CE) router provides WAN connectivity for the tenant. The CE router
connects to a cloud router, and the cloud router provides connectivity for the Partner Interconnect. The
service provider creates a VLAN attachment for the tenant, and configures Prisma Access for Clean Pipe in
Panorama to provide security for the VLAN attachment, which protects the tenant’s internet-based traffic.
After you create a tenant, you can create clean pipes in that tenant. Each clean pipe must be a minimum
of 100 Mbps. Each Clean Pipe shares the tenant’s access domain, templates and template stack, and
device group.
• If you configure multiple Clean Pipes for a single tenant, each Clean Pipe must be in a different
location. If you want to configure two VLAN attachments for a single Clean Pipe location in an active/
backup configuration for intra-zone redundancy, specify the REDUNDANT choice when you add a new
Clean Pipe instance.
• When creating a connection within a Clean Pipe tenant, match the bandwidth allocation to that of the
VLAN attachment. Do not create a VLAN attachment that has a bandwidth that is higher or lower than
the connection's bandwidth.
• After you enable multi-tenancy, do not configure your Clean Pipe deployment with any of the other
tabs in the Configuration area, with the exception of the Generate API key link in the Service Setup
tab, which lets you generate an API key to retrieve Clean Pipe IP addresses. All configuration is unique
to Prisma Access for Clean Pipe and separate from other Prisma Access deployments, such as Prisma
Access for Networks or Prisma Access for Users.
• Do not make changes to a Clean Pipe configuration after you commit it. If you change a Clean Pipe
after it’s been committed, you will receive a commit error when you re-commit it. Instead, delete the
existing Clean Pipe and add a new one. Schedule this change during a system downtime window. If you
already made changes and have not yet committed, you can revert the changes by editing the Clean Pipe
configuration back to their previous values.
• Note that the locations used by Clean Pipe differ from other Prisma Access deployments. Prisma Access
for Clean Pipe supports the following locations:
• asia-east1
• asia-east2
• asia-northeast1
• asia-south1
• asia-southeast1
• australia-southeast1
• europe-north1
• europe-west2
• europe-west3
• europe-west4
• northamerica-northeast1
• southamerica-east1
• us-central1
• us-east1
• us-east4
• us-west1
• us-west2
• Note the following networking restrictions for Clean Pipe:
• ICMP is not supported.
• QoS is supported on ingress (from internet to Clean Pipe direction) only.
• User-ID is not supported.
• Clean Pipe supports session affinity based on source and destination IP addresses and is not
configurable.
• Trust-to-Trust policies are invalid for Clean Pipe, because the traffic is always internet-bound. Only
use Trust-to-Untrust policies.
Configure Prisma Access for Clean Pipe
To set up Prisma Access for Clean Pipe for your tenants, complete the following steps.
• Enable Multitenancy and Create a Tenant
• Complete the Clean Pipe Configuration
7. In the Clean Pipe area, enter a Bandwidth (Mbps) for This Tenant.
Enter a minimum of 100 Mbps for each tenant you create.
8. Click OK.
STEP 3 | Create zones for the tenant and map those zones for the tenant.
1. Select Network > Zones.
Make sure that you have selected the Clean Pipe Template for the tenant you created (cp-tpl-tenant).
2. Create zones for the tenant (for example, Trust and Untrust).
3. Select Panorama > Cloud Services > Configuration and select the Tenant from the drop-down list.
4. Select the Clean Pipe tab.
5. Click the gear icon next to Zone Mapping to edit the settings.
6. Add and Remove the zones you created to map them to trusted and untrusted zones.
STEP 4 | Onboard a new Clean Pipe for the tenant you created.
1. Select Panorama > Cloud Services > Configuration > Clean Pipe.
2. Add a new Clean Pipe instance for the tenant, entering the following information:
• Name—Specify a name for the clean pipe.
• Bandwidth—Select the Bandwidth to allocate for the clean pipe.
You can onboard Clean Pipe instances in increments of 100 Mbps, 200 Mbps, 300 Mbps, 400
Mbps, 500 Mbps, 1000 Mbps, 2000 Mbps, 5000 Mbps, and 10000 Mbps. The amount of
bandwidth you specify must be within the licensed bandwidth allocation, and it must match the
bandwidth of the VLAN attachment you create in the Partner Interconnect.
• Edge Availability Domain—Select the availability domain you want for the clean pipe. You can
choose 1, 2, ANY, or REDUNDANT.
• Specify ANY for a non-redundant Clean Pipe deployment.
Make sure that your cloud provider supports this choice; you must also select ANY on the
cloud provider side of the partner interconnect. If that choice is not available for your cloud
provider, make another choice.
• To specify two VLAN attachments in the same location in an active/backup configuration, select
REDUNDANT.
Prisma Access creates two pairing keys for a REDUNDANT configuration (one for each
availability zone), and appends the clean pipe name with zone1 for the first availability
zone and zone2 for the second availability zone. For example, if you specify a Name of San
Francisco, Prisma Access creates two zones named San Francisco-zone1 and San Francisco-
zone2.
Prisma Access assigns a BGP Multi-Exit Discriminator (MED) value of 100 for
zone1 and 200 for zone2. You must configure the same MED values for these
zones on your network’s customer premises equipment (CPE).
You can also build a redundant pair of clean pipes for a single tenant in different locations; to do
so, specify 1 for the first clean pipe in one location and 2 for the second clean pipe in a different
location.
• BGP Peer ASN—Enter the BGP Autonomous System Number (ASN).
You can specify either a private or public BGP ASN.
Make a note of this value; you configure it on the customer edge (CE) router when you complete
the Clean Pipe configuration.
• Location—Select the location.
We recommend that you use the same location that you use when you create the VLAN
attachment for the partner interconnect.
• To enable QoS, select QoS, then select the QoS Profile to use with the clean pipe. Clean Pipe QoS
shapes on ingress.
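The active/backup behaviour of a REDUNDANT clean pipe follows from the MED values above: each BGP speaker prefers the path with the lower MED it receives, so zone1 (MED 100) carries traffic while its session is Established and zone2 (MED 200) takes over when it is not. The following model, added here as an illustration and not code from Prisma Access or Panorama, shows the zone naming, the MED check against the CPE configuration, failover, and why mismatched CPE MEDs give asymmetric paths. The dataclass, its field names and the sample sessions are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# MED values Prisma Access assigns to the two zones of a REDUNDANT clean pipe (from the guide).
PRISMA_MED = {"zone1": 100, "zone2": 200}


@dataclass
class ZonePeer:
    """One BGP session of a REDUNDANT clean pipe (constructed for this example)."""
    name: str        # e.g. "SanFrancisco-zone1"
    zone: str        # "zone1" or "zone2"
    bgp_state: str   # BGP Status as shown on the Clean Pipe Status tab
    cpe_med: int     # MED the CPE advertises toward Prisma Access on this session


def redundant_zone_names(clean_pipe_name: str) -> tuple:
    """Zone names Prisma Access derives from the clean pipe Name for a REDUNDANT deployment."""
    return (f"{clean_pipe_name}-zone1", f"{clean_pipe_name}-zone2")


def med_mismatches(peers) -> list:
    """Peers whose CPE-side MED does not equal the value Prisma Access assigns to that zone."""
    return [p.name for p in peers if p.cpe_med != PRISMA_MED[p.zone]]


def _best_by_med(peers, med_of) -> Optional[str]:
    """Lowest MED among Established sessions wins; None when no session is Established."""
    up = [p for p in peers if p.bgp_state == "Established"]
    if not up:
        return None
    return min(up, key=med_of).name


def cpe_egress_zone(peers) -> Optional[str]:
    """Zone the CPE sends traffic to: it prefers the lower MED received from Prisma Access."""
    return _best_by_med(peers, lambda p: PRISMA_MED[p.zone])


def prisma_return_zone(peers) -> Optional[str]:
    """Zone Prisma Access returns traffic through: it prefers the lower MED received from the CPE."""
    return _best_by_med(peers, lambda p: p.cpe_med)


def path_is_symmetric(peers) -> bool:
    """True when both directions use the same zone (or neither side has an Established path)."""
    return cpe_egress_zone(peers) == prisma_return_zone(peers)


if __name__ == "__main__":
    z1, z2 = redundant_zone_names("SanFrancisco")
    # Correct CPE configuration: MEDs match, zone1 is active in both directions.
    ok = [ZonePeer(z1, "zone1", "Established", 100), ZonePeer(z2, "zone2", "Established", 200)]
    print(med_mismatches(ok), cpe_egress_zone(ok), prisma_return_zone(ok))
    # Failover: the zone1 session drops, both sides move to zone2.
    ok[0].bgp_state = "Connect"
    print(cpe_egress_zone(ok), prisma_return_zone(ok))
    # Misconfigured CPE (MEDs swapped): forward traffic uses zone1, return traffic uses zone2.
    bad = [ZonePeer(z1, "zone1", "Established", 200), ZonePeer(z2, "zone2", "Established", 100)]
    print(med_mismatches(bad), path_is_symmetric(bad))
```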
STEP 6 | Commit your changes locally to make them active in Panorama.
Do not make changes to a Clean Pipe configuration after you commit it. If you change a
Clean Pipe after it’s been committed, you will receive a commit error when you re-commit
it. Instead, delete the existing Clean Pipe and add a new one. Since it takes some time
(up to 30 minutes) to create a new Clean Pipe, schedule this change during a system
downtime window. If you already made changes and have not yet committed, you can
revert the changes by editing the Clean Pipe configuration back to its previous values.
STEP 7 | Commit and push your changes to make them active in Prisma Access.
1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
2. Select Prisma Access, then select Clean Pipe.
STEP 9 | Click the Network Details tab, click the Clean Pipe radio button, and make a note of the
Pairing Key.
The MSSP CE and Cloud Router IP fields are blank when you start to configure the Clean Pipe. These
fields populate after you create the VLAN Attachment when you complete the Clean Pipe configuration.
If you specified a REDUNDANT connection, Prisma Access creates two pairing keys, one for each
availability zone, and appends the clean pipe name with zone1 for the first availability zone and zone2
for the second availability zone. The following screenshot shows the SanFrancisco clean pipe with a
redundant configuration; Prisma Access has created two pairing keys, one for SanFrancisco-zone1 and
one for SanFrancisco-zone2. In addition, Prisma Access assigns a BGP MED value of 100 for zone1 and
200 for zone2; make sure that you use those same values in your network’s CPE.
Make sure that you can access and configure the CE and cloud routers on the non-Prisma Access
side of the Partner Interconnect.
STEP 1 | In the Partner Interconnect side of the configuration, create a VLAN attachment, using the
Pairing Key that you retrieved from Panorama.
For more information about creating VLAN attachments with Partner Interconnects and configuring
customer edge (CE) routers to communicate with cloud routers, refer to the Google Cloud
documentation at https://cloud.google.com/interconnect/docs/
Make sure that the location and bandwidth you select match the Location and bandwidth you specified in
Panorama.
The service provider you use for the Partner Interconnect uses the pairing key, along with your
requested connection location and capacity, to complete the configuration of your VLAN attachment.
STEP 2 | After the connection comes up, return to Panorama, select Panorama > Cloud Services >
Status > Network Details > Clean Pipe and make a note of the MSSP CE and Cloud Router IP
addresses.
These values populate after you enter the Pairing Key on the other side of the VLAN attachment.
2. Select Panorama > Cloud Services > Status > Clean Pipe, and click the Monitor tab to see a map with
the status of the deployed Clean Pipes.
Click the tabs below the map to see additional statistics for the Clean Pipes.
Status tab:
• Compute Region—The compute region where your cloud service infrastructure is deployed for the
clean pipe instance.
• Name—The name of the clean pipe instance.
• Allocated Bandwidth (Mbps)—The amount of bandwidth you allocated for the clean pipe instance.
• Config Status—The status of your last configuration push to the service. If you have made a
change locally, and not yet pushed the configuration to the cloud, the status shows Out of sync.
Hover over the status indicator for more detailed information. After committing and pushing the
configuration to Prisma Access, the Config Status changes to In sync.
• BGP Status—Displays information about the BGP state between the firewall or router at the clean
pipe instance and Prisma Access. Although you might temporarily see the status pass through the
various BGP states (idle, active, open send, open pend, open confirm), most commonly the BGP
status shows:
• Connect—The router at the clean pipe instance is trying to establish the BGP peer relationship
with the cloud firewall.
• Established—The BGP peer relationship has been established.
This field will also show if the BGP connection is in an error state:
• Warning—There has not been a BGP status update in more than eight minutes. This may
indicate an outage on the firewall.
• Error—The BGP status is unknown.
• Status—The operational status of the connection between Prisma Access and the clean pipe
instance.
Statistics tab:
• Region—The region where your cloud service infrastructure is deployed for the clean pipe
instance.
• Name—The name of the clean pipe instance.
• Allocated Bandwidth (Mbps)—The amount of bandwidth you allocated for the remote network
location.
• QoS—Select QoS to display a page that contains graphical QoS statistics.
• Avg Egress Bandwidth 5 Min (Mbps)—The average amount of clean pipe egress bandwidth
averaged over 5 minutes.
• Avg Egress Bandwidth 60 Min (Mbps)—The average amount of clean pipe egress bandwidth
averaged over 60 minutes.
• Avg Ingress Bandwidth 5 Min (Mbps)—The average amount of clean pipe ingress bandwidth
averaged over 5 minutes.
• Avg Ingress Bandwidth 60 Min (Mbps)—The average amount of clean pipe ingress bandwidth
averaged over 60 minutes.
• Egress Peak Bandwidth 1 Hour (Mbps)—The amount of peak egress bandwidth for the clean pipe
instance for the last 1 hour.
• Egress Peak Bandwidth 24 Hour (Mbps)—The amount of peak egress bandwidth for the clean
pipe instance for the last 24 hours.
• Egress Peak Bandwidth 7 Days (Mbps)—The amount of peak egress bandwidth for the clean pipe
instance for the last 7 days.
• Egress Peak Bandwidth 30 Days (Mbps)—The amount of peak egress bandwidth for the clean
pipe instance for the last 30 days.
• Ingress Peak Bandwidth 1 Hour (Mbps)—The amount of peak ingress bandwidth for the clean
pipe instance for the last 1 hour.
• Ingress Peak Bandwidth 24 Hour (Mbps)—The amount of peak ingress bandwidth for the clean
pipe instance for the last 24 hours.
• Ingress Peak Bandwidth 7 Days (Mbps)—The amount of peak ingress bandwidth for the clean
pipe instance for the last 7 days.
• Ingress Peak Bandwidth 30 Days (Mbps)—The amount of peak ingress bandwidth for the clean
pipe instance for the last 30 days.
Prisma Access Insights
Continuously monitor the health and performance of your Prisma Access environment with the
new Insights app. All Prisma Access users can access and explore Insights—just visit the hub to
get started.
First Look at Prisma Access Insights
The Prisma Access Insights app gives you a way to continuously monitor your Prisma Access environment.
When an event or status requires your attention, Insights sends you alert notifications so you can quickly
pinpoint issues that you can fix and so that you have visibility into the fixes the Prisma Access team is
working on.
Insights is available to all Prisma Access users. You can find it on the hub—no need to activate or set it up.
For every Prisma Access instance your organization owns, a corresponding Insights instance is available.
When you first log in to Insights, you’ll see a bird’s-eye view of your entire environment:
Multiple dashboards give you focused views of your different deployments, your alerts, and the Prisma
Access infrastructure. You can adjust and toggle your view to evaluate trends over time or examine
data from a different angle. Drill down for details on specific users, sites, connections, or Prisma Access
infrastructure components.
Go to the Insights App to start exploring Prisma Access Insights.
Go to the Insights App
The hub is a single place where you can access the Palo Alto Networks cloud services and apps for your
organization. The Insights app is available to all Prisma Access users. You can find the app on the hub—no
need to activate the app or set it up. When you log in to the hub, even if you’re logging in for the first time,
you’ll see the Prisma Access Insights app tile displayed on the hub homepage:
Give the Right People Access to Insights
The hub is a single place where you can access the Palo Alto Networks cloud services and apps for your
organization. The Insights app is available to Prisma Access users, and you can find it on the hub. To access
the Insights app, you—and any others you’d like to use the app—must be assigned the required hub role.
Additionally, users to whom you want to send Prisma Access alert notifications must also have a hub role
that grants them access to Insights.
Only one of these roles is needed to use Insights and to receive Prisma Access alerts. The role you assign
depends on the level of access the user requires and the management interface you’re using for Prisma
Access (Panorama or the Prisma Access app).
Account Administrator—The account administrator role on the hub is automatically assigned to the first
user from your organization to register on the Palo Alto Networks customer support portal. However,
other users can also have this role; there’s no limit to the number of users to which you can assign this
or any other role. Account administrators can access any of your organization’s apps (including Insights),
and you must be an account administrator to assign roles to other users.
(Panorama Managed Prisma Access) A Panorama role—A Panorama app administrator and instance
administrator can access and use the Insights app.
Granting a user a Panorama role on the hub does not affect or impact Panorama access permissions.
Right now, the Panorama hub role only controls access to the Insights app.
(Cloud Managed Prisma Access only) A Prisma Access role—A Prisma Access app administrator and
instance administrator can access and use the Insights app. If you can log in to the Prisma Access app,
you already have one of these roles; they’re the same roles required to use the Prisma Access app for
cloud management.
Here’s how to view your hub role assignments and assign hub roles for Insights to other members of your
support account:
3. The Access Management page lists all the users in your organization and the roles to which they’re
assigned.
Account administrators have access to all of your organization’s apps. Other roles are specific to apps
or even app instances.
1. On the hub Access Management page, search for and select the user to whom you want to assign a
role.
• Account—Assign the Account Administrator role to the user. Account administrators can access
all apps associated with this account.
• Panorama—Assign the Panorama App Administrator or Instance Administrator roles to the
user. Depending on the access level you choose, the user will be able to access Insights data
and receive alerts for all your Panorama Managed Prisma Access instances or only specific
instances. Granting a user a Panorama role on the hub does not affect or impact Panorama access
permissions. Right now, the Panorama hub role only controls access to the Insights app.
This role is for Panorama Managed Prisma Access users only. Do not use this role
if you’re using the Prisma Access app for Cloud Managed Prisma Access.
• Prisma Access—Assign the Prisma Access App Administrator or Instance Administrator roles to
the user. Depending on the access level you choose, the user will be able to access Insights data
and receive alerts for all your Cloud Managed Prisma Access instances or only specific instances.
This is the same role required to access the Prisma Access app for Cloud Managed Prisma Access.
Granting users this role will mean they can also access the Prisma Access app.
This role is for Cloud Managed Prisma Access users only. Do not use this role if
you’re using Panorama to manage Prisma Access.
Learn About Insights Alerts
Insights alerts you when something is not right in your Prisma Access environment. Alert details describe
the issue, give you context, and guide you to a resolution. Alerts also let you know if there’s an issue
impacting the Prisma Access cloud infrastructure, so that you’re aware as the Prisma Access team works on
a fix.
Insights enables you to set up alert notifications, so that you can receive alerts directly in your email inbox.
Alerts are resolved only when the issue that triggered the alert is fixed; you cannot manually resolve alerts.
Users subscribed to alert notifications receive a notification both when Insights first detects an issue and
when it is resolved.
• All Insights Alerts
• Investigate Alerts in the Insights App
• Turn on Alert Notifications
Also subscribe to status updates for Palo Alto Networks cloud services.
Environment Alerts
Alert: A Prisma Access location is down
Scope: Remote Networks
What does this mean? A Prisma Access location has been down for more than two minutes, and we’re
working on a fix. Check the status of remote network sites in this location to see how they are impacted.
What action can you take? Check the status of remote network sites in this location to see how they are
impacted, and hang in there while the Prisma Access team works to fix this. We’ll send you a notification
to let you know when we’ve resolved this.

Alert: A Prisma Access location is down
Scope: Mobile Users
What does this mean? This Prisma Access location has been down for more than two minutes, and we’re
working on a fix. In the meantime, mobile users in this location automatically connect to another of your
Prisma Access locations.
What action can you take? Hang in there while the Prisma Access team works to fix this. We’ll send you a
notification to let you know when we’ve resolved this.

Alert: A Prisma Access login portal is down
Scope: Mobile Users
What does this mean? The impact to your users is minimal when a single Prisma Access login portal is
down. If all Prisma Access login portals are down, only Prisma Access users who are connecting for the
first time are impacted. These users must wait for the portal to be up before they can successfully log in.
What action can you take? Hang in there while the Prisma Access team works on a fix. We’ll send you a
notification to let you know when we’ve resolved this.

Alert: A service connection is down
Scope: Service Connection
What does this mean? All Prisma Access nodes that process traffic for this service connection are down.
We’re aware of this issue and working on a fix.
What action can you take? Hang in there while the Prisma Access team works on a fix. We’ll send you a
notification to let you know when we’ve resolved this.

Alert: A remote network site is not connected to Prisma Access
Scope: Remote Networks
What does this mean? All tunnels connecting a remote network site to Prisma Access are down.
What action can you take? Check the IPSec tunnel configuration for this remote network site.

Alert: A tunnel is down (and tunnel monitoring is not enabled)
Scope: Remote Networks
What does this mean? The tunnel has been down for more than five minutes. Note that you do not have
tunnel monitoring configured.
What action can you take? Check the configuration for the remote network site and the IPSec tunnel that
is down. Also consider turning on tunnel monitoring to proactively detect tunnel connectivity issues.

Alert: A tunnel is down (and tunnel monitoring is enabled)
Scope: Remote Networks
What does this mean? Tunnel monitoring detects that a tunnel has been down for more than five minutes.
What action can you take? Check the configuration for the remote network site and the IPSec tunnel that
is down.

Alert: A Prisma Access location has lost connectivity to some SaaS applications
Scope: Prisma Access Location
What does this mean? A Prisma Access location has not been able to connect to some SaaS applications
for more than five minutes. This impacts mobile users and remote network sites connecting to this
location.
What action can you take? Hang in there while the Prisma Access team works on a fix. We’ll send you a
notification to let you know when we’ve resolved this.

Alert: A Prisma Access location has lost internet connectivity
Scope: Prisma Access Location
What does this mean? A Prisma Access location has not been able to reach the internet for more than
five minutes. This impacts mobile users and remote network sites connecting to this location.
What action can you take? Hang in there while the Prisma Access team works on a fix. We’ll send you a
notification to let you know when we’ve resolved this.
Upgrade Notifications
Alert: Planned Software Upgrade
What does this mean? Informs you of the scheduled date for an upcoming software upgrade.
What action can you take? Go to Prisma Access Insights, click the help icon, and choose your upgrade
window preference. If you don’t choose an upgrade window, the upgrade takes place on the scheduled
date, between 12 and 4 AM local time for the Prisma Access location.

Alert: Upgrade Window Confirmation
What does this mean? Confirms that you’ve chosen a time window for a software upgrade to take place,
and the Prisma Access locations that’ll be upgraded.
What action can you take? Double-check the upgrade window and the Prisma Access locations you’ve
chosen for upgrade.

Alert: Three Day Notice for a Software Upgrade
What does this mean? Lets you know that a software upgrade is scheduled for three days from now, and
the Prisma Access locations that will be upgraded.
What action can you take? Plan for the upgrade window. During the upgrade window, you cannot save
configurations for the deployments you have in the Prisma Access location that is being upgraded.

Alert: A Software Upgrade for a Prisma Access Location is Complete
What does this mean? A Prisma Access location has been successfully upgraded. The Prisma Access team
now has this location under advanced performance monitoring for the next seven days to ensure a
seamless transition.
What action can you take? Wait for all of your Prisma Access locations to be successfully upgraded before
trying out new features.

Alert: Software Upgrades for all Prisma Access Locations are Completed Successfully
What does this mean? All your Prisma Access locations are successfully upgraded.
What action can you take? A Prisma Access software upgrade can include transparent updates
(infrastructure updates or performance enhancements) or new capabilities and management features for
you to try out. To see what’s new with Prisma Access, visit the release notes for the Prisma Access
management interface you’re using (Panorama Managed or Cloud Managed).

Alert: Software Upgrade Roll-Back
What does this mean? The Prisma Access team closely monitors Prisma Access locations following a
software upgrade. We’ve found something unexpected, and are rolling back to the last software version
running in your Prisma Access environment.
What action can you take? Hang in there while we roll back Prisma Access. During the roll-back, you
cannot save configuration changes to Prisma Access. You’ll receive a notification when the roll-back is
complete.

Alert: Cancelled Software Upgrade
What does this mean? A scheduled software upgrade is canceled.
What action can you take? There’s no impact to you. The Prisma Access team will let you know when the
next upgrade is scheduled.
Click on an alert to learn more about what’s happening and the impact to your mobile users and remote
sites.
Turn on Alert Notifications
Enable Insights to send email alerts when it initially detects an issue and when the issue is resolved. These
alert notifications describe the issue and impact, and include a link to Insights where you can investigate
further.
The Palo Alto Networks email address from which you receive alert notifications is
[email protected].
To send alert notifications to an email destination:
STEP 1 | Grant access to the Insights app for the people who you want to receive alert notifications.
To receive Insights alerts, you must be an Insights admin. There are three types of admin roles that can
access Insights, but only account administrators can grant users access to an app. Go to the hub to check
role assignments and assign roles.
STEP 3 | Go to Settings and add the email address to which Insights should send alert notifications.
The email accounts to which Insights sends alerts must be the same email accounts associated with
users in your Palo Alto Networks support account.
Choose a Preferred Window for Certain Prisma
Access Upgrades
For certain Prisma Access upgrades—learn about the different types of Cloud Managed and Panorama
Managed updates—Prisma Access Insights gives you the option to choose a preferred upgrade window.
Because you cannot make configuration changes during a Prisma Access infrastructure upgrade, this gives
you a way to choose the window that works best for your organization. You can also choose the Prisma
Access locations to upgrade first—the Prisma Access team closely monitors the locations you choose for
seven days, and then continues to update remaining locations.
The option to choose a preferred upgrade window is available only for certain types of releases. To know
when a preferred upgrade window is available and to choose your window:
STEP 2 | After you are notified that an upgrade window preference is available, go to the Prisma Access
Insights app to choose your preferred upgrade window.
1. Go to the Insights App.
2. You’ll see a banner in the app, letting you know that you can choose your upgrade window
preferences.
Choose your preferred upgrade window from the selections available, along with the Prisma Access
locations you want upgraded during this window.
After you’ve submitted your preferred upgrade window, you’ll receive a Prisma Access Insights
notification confirming your window choice. You cannot change your upgrade window after
submitting your preference.
Release Updates
Here’s where you can learn about the latest Prisma Access Insights features and the known issues the team
is working on to improve your Insights experience:
• Insights Release Notes (Panorama Managed)
• Insights Release Notes (Cloud Managed)