
Prisma Access Administrator’s Guide

(Panorama Managed)

paloaltonetworks.com/documentation
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical Documentation portal www.paloaltonetworks.com/documentation.
• To search for a specific topic, go to our search page www.paloaltonetworks.com/documentation/document-search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at [email protected].

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2017-2020 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
November 18, 2020

2 PRISMA ACCESS ADMINISTRATOR’S GUIDE (PANORAMA MANAGED) |


Table of Contents
Prisma Access Overview................................................................................... 7
Prisma Access...............................................................................................................................................9
Prisma Access Infrastructure Management........................................................................................11
Prisma Access Release and Infrastructure Updates......................................................................... 12
Prisma Access Scheduled and Unscheduled Upgrades.......................................................12
Prisma Access and Panorama Version Compatibility.......................................................... 14
Cadence for Software and Content Updates for Prisma Access...................................... 15
Manage Upgrade Options for the GlobalProtect App.....................................................................18
Select the Active GlobalProtect App Version....................................................................... 18
Manage Users’ Access to GlobalProtect App Updates....................................................... 20
Perform Staged Updates of the GlobalProtect App............................................................ 20
Notifications and Alerts for Panorama, Cloud Services Plugin, and PAN-OS Dataplane Versions.......... 25
Prisma Access Licensing..........................................................................................................................27
Retrieve the IP Addresses for Prisma Access....................................................................................29
Prisma Access Infrastructure IP Addresses........................................................................... 29
Run the API Script Used to Retrieve IP Addresses............................................................. 31
API Command Examples............................................................................................................ 34
Pre-Allocate IP Addresses for Mobile User Locations........................................................ 36
Be Notified of Changes to IP Addresses................................................................................38
Legacy Scripts Used to Retrieve IP and Loopback Addresses...........................................39
Plan for IP Address Changes for Mobile Users, Remote Networks, and Service Connections.......... 44
Service IP and Egress IP Address Allocation for Remote Networks............................................ 53
How to Calculate Remote Network Bandwidth............................................................................... 54
Prisma Access APIs...................................................................................................................................55

Activate and Install the Prisma Access Components............................... 57


Activate and Install Prisma Access....................................................................................................... 59
Transfer or Update Prisma Access Licenses...................................................................................... 66
Supported Update Paths............................................................................................................ 66
Reset Your Prisma Access License.......................................................................................... 66
Transfer or Update Prisma Access Licenses Between Panorama Appliances................68
Configure Panorama Appliances in High Availability for Prisma Access..................................... 71
HA Prerequisites...........................................................................................................................71
Configure HA.................................................................................................................................71

Prepare the Prisma Access Infrastructure and Service Connections.......................................75

Set Up Prisma Access.............................................................................................................................. 77
Prisma Access Onboarding and Configuration Workflow..................................................77
Proxy Support for Prisma Access and Cortex Data Lake................................................... 79
Plan the Service Infrastructure and Service Connections...............................................................80
Configure the Service Infrastructure................................................................................................... 83
Create a Service Connection to Allow Access to Your Corporate Resources............................88
Verify Service Connection Status............................................................................................ 96
Verify Service Connection BGP Status...................................................................................99



Create a Service Connection to Enable Access between Mobile Users and Remote Networks..........101
Deployment Progress and Status....................................................................................................... 104
How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote Network Connections..........109
Use Traffic Steering to Forward Internet-Bound Traffic to Service Connections...................111
Default Routes............................................................................................................................111
Traffic Steering........................................................................................................................... 112
Traffic Steering Requirements................................................................................................113
Traffic Steering Examples........................................................................................................ 114
Zone Mapping and Security Policies for Dedicated Connections..................................119
Configure Traffic Steering....................................................................................................... 122
Routing Preferences for Service Connection Traffic..................................................................... 127
Routing Modes for Service Connections............................................................................. 127
Mobile User and Remote Network Routing to Service Connections Overview......... 127
Prisma Access Default Routing.............................................................................................. 129
Hot Potato Routing................................................................................................................... 132
Configure Routing Preferences.............................................................................................. 134
List of Prisma Access Locations..........................................................................................................135
List of Locations.........................................................................................................................135
List of Locations by Region.....................................................................................................139
Map of North America Locations.......................................................................................... 143

Secure Mobile Users with Prisma Access................................................ 145


Plan To Deploy Prisma Access for Users......................................................................................... 147
Configure Prisma Access for Users....................................................................................................149
Zone Mapping......................................................................................................................................... 165
Specify IP Address Pools for Mobile Users..................................................................................... 166
How the GlobalProtect App Selects a Prisma Access Location for Mobile Users.................. 167
View Logged In User Information and Log Out Current Users...................................................169
View Mobile Users from the Status Tab............................................................................. 169
View Mobile Users from the Monitor Tab.......................................................................... 170
How Prisma Access Counts Users........................................................................................ 171
Quick Configs for Mobile User Deployments................................................................................. 173
Prisma Access with On-Premise Gateways.........................................................................173
Manage Priorities for Prisma Access and On-Premise Gateways.................................. 175
DNS Resolution for Mobile Users and Remote Networks.............................................. 184
Sinkhole IPv6 Traffic From Mobile Users............................................................................189
Report Website Access Issues............................................................................................................ 194

Use Remote Networks to Secure Branches............................................ 195


Plan to Deploy Prisma Access for Networks.................................................................................. 197
Configure Prisma Access for Networks............................................................................................199
Verify Remote Network Connection Status....................................................................... 214
Verify Remote Connection BGP Status............................................................................... 216
Quick Configs for Remote Network Deployments........................................................................ 218
Remote Network Locations with Overlapping Subnets................................................... 218
Remote Network Locations with WAN Link...................................................................... 219
Use Predefined IPSec Templates to Onboard Service and Remote Network Connections..........221
Onboard Remote Networks with Configuration Import.................................................. 227
Configure Quality of Service in Prisma Access.................................................................. 231
Create a High-Bandwidth Network for a Remote Site.....................................................239

Provide Secure Inbound Access to Remote Network Locations....................................247

Configure User-ID and User-Based Policies with Prisma Access........261


Configure User-ID in Prisma Access................................................................................................. 263
Configure User-ID for Remote Network Deployments................................................................ 264
Configure User-ID for Prisma Access Using the PAN-OS Integrated User-ID Agent.......... 265
Configure Your Prisma Access Deployment to Retrieve Group Mapping................................ 269
Retrieve Group Mappings Using a Master Device............................................................ 269
Implement User-ID in Security Policies For a Standalone Prisma Access Deployment.......... 274
Redistribute User-ID Information Between Prisma Access and On-Premise Firewalls......... 276
Redistribute User-ID Information From Prisma Access to an On-Premise Firewall..........276
Redistribute User-ID Information From an On-Premise Firewall to Prisma Access.......... 278
Get User and Group Information Using Directory Sync...............................................................281

Redistribute HIP Information and View HIP Reports............................ 287


Redistribute HIP Information with Prisma Access......................................................................... 289
HIP Redistribution Overview.................................................................................................. 289
Use Cases for HIP Redistribution.......................................................................................... 289
Configure HIP Redistribution in Prisma Access................................................................. 295
View HIP Reports from Panorama.....................................................................................................298

Manage Multiple Tenants in Prisma Access............................................ 301


Multitenancy Overview.........................................................................................................................303
Multitenancy Configuration Overview..............................................................................................304
Plan Your Multitenant Deployment...................................................................................................307
Enable Multitenancy and Migrate the First Tenant....................................................................... 309
Add Tenants to Prisma Access........................................................................................................... 315
Delete a Tenant...................................................................................................................................... 319
Create a Tenant-Level Administrative User.....................................................................................320
Control Role-Based Access for Tenant-Level Administrative Users.......................................... 322
Remove Plugin Access for a Tenant-Level Administrative User.................................... 323
Sort Logs by Device Group ID for External Logging..................................................................... 327

Use DLP on Prisma Access..........................................................................331


DLP on Prisma Access.......................................................................................................................... 333
What is Enterprise DLP?...................................................................................................................... 334
List of Predefined Data Filtering Profiles............................................................................ 335
What’s Supported with DLP on Prisma Access?............................................................................ 337
Register and Activate DLP on Prisma Access................................................................................. 339
Enable DLP on Prisma Access.............................................................................................................343
Create a Data Pattern........................................................................................................................... 348
Create a Data Filtering Profile............................................................................................................ 349
View DLP Logs and File Snippets...................................................................................................... 353

Create and Configure Prisma Access for Clean Pipe............................. 357


Prisma Access for Clean Pipe Overview.......................................................................................... 359

Clean Pipe Use Cases............................................................................................................... 359
Clean Pipe Examples.................................................................................................................359
Clean Pipe and Partner Interconnect Requirements.........................................................360
Configure Prisma Access for Clean Pipe.......................................................................................... 362
Enable Multitenancy and Create a Tenant..........................................................................362
Complete the Clean Pipe Configuration.............................................................................. 366

Prisma Access Insights.................................................................................. 371


First Look at Prisma Access Insights................................................................................................. 373
Go to the Insights App..........................................................................................................................375
Give the Right People Access to Insights........................................................................................ 376
Learn About Insights Alerts................................................................................................................. 378
All Insights Alerts....................................................................................................................... 378
Investigate Alerts in the Insights App...................................................................................381
Turn on Alert Notifications..................................................................................................... 383
Choose a Preferred Window for Certain Prisma Access Upgrades........................................... 385
Release Updates..................................................................................................................................... 386

Prisma Access Overview
Read the following section for an overview of what Prisma Access is, how it can secure your organization’s resources, and who owns and manages the infrastructure and network components.

> Prisma Access


> Prisma Access Infrastructure Management
> Prisma Access Release and Infrastructure Updates
> Manage Upgrade Options for the GlobalProtect App
> Notifications and Alerts for Panorama, Cloud Services Plugin, and PAN-OS Dataplane Versions
> Prisma Access Licensing
> Retrieve the IP Addresses for Prisma Access
> Plan for IP Address Changes for Mobile Users, Remote Networks, and Service Connections
> Service IP and Egress IP Address Allocation for Remote Networks
> How to Calculate Remote Network Bandwidth
> Prisma Access APIs

Prisma Access
As your business expands globally with new remote network locations popping up around the globe and mobile users roaming the world, it can be challenging to ensure that your business remains connected and always secure. Prisma Access (formerly GlobalProtect Cloud Service) uses a cloud-based infrastructure, allowing you to avoid the challenges of sizing firewalls and compute resource allocation and minimizing the coverage gaps or inconsistencies associated with a distributed organization. The elasticity of the cloud scales as demand shifts and traffic patterns change. The cloud service operationalizes next-generation security deployment to remote networks and mobile users by leveraging a cloud-based security infrastructure managed by Palo Alto Networks. The security processing nodes deployed within the service natively inspect all traffic in order to identify applications, threats, and content. Prisma Access provides visibility into the use of SaaS applications and the ability to control which SaaS applications are available to your users.

With Prisma Access, Palo Alto Networks deploys and manages the security infrastructure globally to secure your remote networks and mobile users. Prisma Access comprises the following components:
• Cloud Services Plugin—Panorama plugin that enables both Prisma Access and Cortex Data Lake. This plugin provides a simple and familiar interface for configuring and viewing the status of Prisma Access. You can also create Panorama templates and device groups, or leverage the templates and device groups you may have already created, to push configurations and quickly enforce consistent security policy across all locations.
• Service Infrastructure—Prisma Access uses an internal service infrastructure to secure your organization’s network. You supply a subnet for the infrastructure, and Prisma Access uses the IP addresses within this subnet to establish a network infrastructure between your remote network locations and mobile users, and service connections to your internal network resources (if applicable). Internal communication within the cloud is established using dynamic routing.
• Service Connections—Your Prisma Access license includes the option to establish IPSec tunnels to allow communication between internal resources in your network and mobile users and users in your remote network locations. You could, for example, create a service connection to an authentication server in your organization’s HQ or data center.
  Even if you don’t require a service connection, we recommend that you create one with placeholder values to allow network communication between mobile users and remote network locations and between mobile users in different geographical locations.
• Mobile Users—You select locations in Prisma Access that function as cloud-based GlobalProtect gateways to secure your mobile users. To configure this service, you designate one or more IP address pools to allow the service to assign IP addresses for the client VPN tunnels.
• Remote Networks—Use remote networks to secure remote network locations, such as branches, and users in those branches with cloud-based next-generation firewalls. You can enable access to the subnetworks at each remote network location using either static routes, dynamic routing using BGP, or a combination of static and dynamic routes. All remote network locations that you onboard are fully meshed.
• Prisma Access for Clean Pipe—The Prisma Access for Clean Pipe service allows organizations that manage the IT infrastructure of other organizations, such as service providers, MSSPs, or Telcos, to quickly and easily protect outbound internet traffic for their tenants.
  Prisma Access for Clean Pipe uses its own license and has its own requirements. However, it requires the same Panorama and Cortex Data Lake licenses as the other Prisma Access products described in this section.
Prisma Access forwards all logs to Cortex Data Lake. You can view the logs, ACC, and reports from Panorama for an aggregated view into your remote network and mobile user traffic. To enable logging for Prisma Access, you must purchase a Cortex Data Lake license. Log traffic does not use the licensed bandwidth you purchased for Prisma Access.

Prisma Access Infrastructure Management
It is important to understand who owns and manages the components in the Prisma Access infrastructure. To see when Prisma Access updates the components of the cloud infrastructure, see Prisma Access Release and Infrastructure Updates.

To see the features that Prisma Access supports, see What features does Prisma Access support?

Prisma Access uses a shared ownership model. Palo Alto Networks manages the underlying security infrastructure, ensuring it is secure, resilient, up-to-date and available to you when you need it. Your organization’s responsibility is to onboard locations and users, push policies, update them, query logs, and generate reports.
Your organization manages the following components of the security infrastructure:
• Users—You manage the onboarding of mobile users.
• Authentication—You manage the authentication of those users.
• Mobile device management (MDM)—You can control your organization's mobile devices that are protected with Prisma Access using your own MDM software.
• Panorama and Cloud Services plugin—You make sure that the Panorama on which the Cloud Services plugin is installed is running a Panorama version that supports the Cloud Services plugin. In addition, you upgrade the Cloud Services plugin in Panorama after we inform you that a new plugin is available.
• Policy creation and management—You plan for and create the policies in Panorama to use with Prisma Access.
• Log analysis and forensics—Prisma Access provides the logs; you provide the analysis and reporting, using integrated tools provided by us or by another vendor.
• On-premise security—You provide the on-premise security between micro-segmentations of your on-premise network. In some deployments, you can also direct all traffic to be secured with Prisma Access.
• Networking—You provide the network connectivity to Prisma Access.
• Monitoring—You monitor the on-premise network’s status.
• Service Connectivity—You provide the connectivity to the Prisma Access gateway for mobile users (for example, provide an ISP), and you also provide the on-premise devices used as the termination points for the IPSec tunnels used by service connections and remote network connections.
• Onboarding—You onboard the mobile users, HQ/Data center sites, and branch sites.
Palo Alto Networks manages the following parts of the security infrastructure:
• Prisma Access
• Cortex Data Lake—We manage the delivery mechanism for logs.
• Content updates—We manage the updating of the Prisma Access infrastructure, including PAN-OS updates. For your mobile users, Prisma Access hosts several versions of the GlobalProtect app and you can select the active GlobalProtect app version from that list.
• Fault tolerance—We manage the availability of the service.
• Auto scaling—We automatically scale the service when you add service connections or remote networks, or when additional mobile users log in to one or more gateways in a single region.
• Provisioning—We provision the infrastructure with everything that is required.
• Service monitoring—We monitor the service status and keep it functioning.

Prisma Access Release and Infrastructure Updates
Learn about the different types of Prisma Access releases and updates that you need to stay up-to-date and secure your users. Some of the updates, such as Prisma Access infrastructure updates, are managed by Palo Alto Networks, and you will receive advance notification so you can plan around them. Other updates are your responsibility, and you must schedule the specified version of the content update, software update, and plugin version (as required) at your earliest convenience.

You can retrieve the status of all cloud services, including Prisma Access and Cortex Data Lake, along with a historical record of the uptime of each service, at the https://status.paloaltonetworks.com/ website. You can also sign up at this site for email or text message updates, to be notified in advance when infrastructure updates are planned, to receive real-time notifications when updates occur, and to be told when Palo Alto Networks creates, updates, or resolves an incident.

• Prisma Access Scheduled and Unscheduled Upgrades
• Prisma Access and Panorama Version Compatibility
• Cadence for Software and Content Updates for Prisma Access

Prisma Access Scheduled and Unscheduled Upgrades


Prisma Access has scheduled upgrades, including major (x.0 and 1.x) and minor (1.7.x) releases, that
include new features and optimizations to deliver best-of-breed security for your remote networks and
mobile users. Prisma Access might also need to occasionally make unscheduled upgrades for hotfixes and
emergency bug fixes. The following sections define the releases, list the types of upgrades that Palo Alto
Networks include for each release, and show you the advance notification and maintenance windows for
each release type.
• Release Definitions
• Upgrade Types

Release Definitions
The following list defines scheduled and unscheduled releases, along with the advance notification we
provide you for each release. To make sure that you receive notifications for all releases, register for email
or text notifications for Prisma Access at the https://status.paloaltonetworks.com/ website.
• Scheduled Release—Prisma Access divides scheduled releases into major and minor releases.
• Major Release—A major release typically includes significant new features and optimizations that
require a maintenance window.
Notification—Palo Alto Networks provides you with a notification 21 days before a major release,
including a feature preview document that lists features that are available with the release and any
changes to default behavior.
• Minor Release—A minor release includes incremental features and optimizations. In some cases, Palo
Alto Networks may combine a hotfix with a minor release.
Notification—Palo Alto Networks provides you with a notification 10 days before a scheduled minor
release upgrade, including a feature preview document that lists the new features that are available
with the release.
• Unscheduled Release—Unscheduled Prisma Access upgrades include hotfixes or emergency bug fixes
(for example, fixes for zero-day threats or plugin changes).
Notification—Palo Alto Networks will make every effort to give you 48 hours’ notice before an
unscheduled upgrade. On occasion, you may receive a shorter notice for an unscheduled upgrade.

Upgrade Types
Palo Alto Networks upgrades its cloud-based infrastructure without any intervention from you; some
upgrades, however, require that you perform an action, such as installing a new plugin.
The following list includes the different types of scheduled and unscheduled upgrades for Prisma Access:
• Infrastructure Upgrade—Palo Alto Networks upgrades the Prisma Access infrastructure, which includes
the underlying service backend, orchestration, and monitoring infrastructure.
• Dataplane Upgrade—Palo Alto Networks upgrades the Prisma Access dataplane that enables traffic
inspection and security policy enforcement on your network and user traffic.
• Cloud Services Plugin Upgrade—Your network administrator will need to upgrade the Cloud Services
plugin on the Panorama appliance that manages Prisma Access.
• Panorama Software Upgrade—A Panorama software upgrade might be required to ensure compatibility
with Prisma Access; see Prisma Access and Panorama Version Compatibility.
The following table shows you what is included with each release, including the maintenance window we
provide and any impact to your Prisma Access service.

Upgrade Type: Infrastructure Upgrade
  Maintenance Window: Major: 2-8 hours (always required); Minor: 2-8 hours (always required);
  Unscheduled: 2-8 hours (if required)
  Impact: No impact to network traffic; however, you cannot perform commits during the maintenance
  window. Palo Alto Networks schedules the upgrades at a local time that is minimally disruptive to
  business functions.

Upgrade Type: Dataplane Upgrade
  Maintenance Window: Major: 72 hours (always required); Minor: not required; Unscheduled: 72 hours
  (if required)
  Impact: Palo Alto Networks uses this window to upgrade the dataplane for all customers. You can make
  configuration changes and commits during this window. Our goal is to minimize impact to network
  traffic, but in some cases there may be a brief interruption. Palo Alto Networks schedules the upgrades
  at a local time that is minimally disruptive to business functions.

Upgrade Type: Cloud Services Plugin Upgrade
  Maintenance Window: Major: always required; Minor: if required; Unscheduled: if required
  Impact: Palo Alto Networks notifies you in advance if an upgrade to the Cloud Services plugin is
  required, and when the plugin will be available, using the notification schedule as defined in Release
  Definitions. During the plugin upgrade, you cannot make configuration changes and commits in
  Panorama.
  After Palo Alto Networks provides you with the advance notification, you must plan to schedule a
  maintenance window to upgrade the plugin and complete the plugin upgrade within five days of its
  availability. You cannot use the previous version of the plugin to perform changes to configuration and
  commits in Panorama after the three-day upgrade window.

Prisma Access and Panorama Version Compatibility


When Prisma Access upgrades its infrastructure and dataplane after a major release, the upgrades can be
incompatible with earlier Panorama versions. Because of the fast-paced release of Prisma Access and the
Cloud Services plugin, the software compatibility (end-of-support) dates for Panorama are shorter than the
software end-of-life dates for Panorama releases and apply to Panorama version compatibility with Prisma
Access only.
If the Panorama appliance that manages Prisma Access is running a software version that is incompatible
(not supported) with the upgrades, you must upgrade Panorama to a compatible version to take full
advantage of the capabilities of the infrastructure and dataplane upgrades. It is Palo Alto Networks’ goal
to make this process as seamless as possible; for this reason, we make every effort to provide you with
adequate notice of Panorama and Prisma Access version compatibility requirements.
Use the dates in the following table to learn when the software version of the Panorama that manages
Prisma Access is no longer compatible with Prisma Access. Before the end-of-support date, you should plan
to perform an upgrade to a supported Panorama version.

Panorama Software Version: 9.0
  End-of-Support Date for Prisma Access Deployments: February 1, 2021
  Before this date, you must upgrade your Panorama version to 9.1.2 or later.
  While the Cloud Services plugin 1.7 supports Panorama 9.0 versions until February 1, 2021, any version
  of the Cloud Services plugin after 1.7 requires a minimum version of 9.1.2 before installation.
  A Panorama version that is incompatible with Prisma Access includes all versions of that release; for
  example, when a 9.0 release is incompatible, all current 9.0.x versions of that release, including 9.0.4
  and 9.0.7, are incompatible.

Panorama Software Version: 9.1
  End-of-Support Date for Prisma Access Deployments: August 20, 2021
  Before this date, you must upgrade your Panorama to a version that is later than 9.1.x. Palo Alto
  Networks will update this document with more specific upgrade guidelines as newer Panorama software
  releases become generally available.

The Panorama upgrade is required, regardless of the Cloud Services plugin version you are running at the
end-of-support date. You cannot continue using an earlier version of the Cloud Services plugin with an
earlier, unsupported Panorama version.
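As an added example that is not part of this guide, the following Python check encodes the end-of-support dates from the table above together with the rule that plugin versions after 1.7 need Panorama 9.1.2 or later, so an administrator can test the Panorama and plugin versions shown on the Service Setup page ahead of a maintenance window. The version strings and dates passed in are constructed sample values, not figures from any real deployment.

```python
from datetime import date

# End-of-support dates for Panorama releases that manage Prisma Access, taken from
# the table above. A (major, minor) key covers every maintenance release of that
# train, because the guide states that an incompatible release includes all of its
# x.y.z versions (for example 9.0.4 and 9.0.7 when 9.0 is incompatible).
PANORAMA_EOS_FOR_PRISMA_ACCESS = {
    (9, 0): date(2021, 2, 1),
    (9, 1): date(2021, 8, 20),
}

# Any Cloud Services plugin version after 1.7 requires Panorama 9.1.2 or later
# before it can be installed (stated in the 9.0 row of the table above).
LAST_PLUGIN_FOR_PANORAMA_9_0 = (1, 7)
MIN_PANORAMA_FOR_NEWER_PLUGIN = (9, 1, 2)


def parse_version(text):
    """Parse 'x.y' or 'x.y.z' into a comparable tuple; 'x.y' is treated as x.y.0."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = tuple(int(p) for p in parts)
    return nums if len(nums) == 3 else nums + (0,)


def check_panorama_compatibility(panorama_version, plugin_version, today):
    """Return (ok, findings) for a Panorama/plugin pair on a given date.

    today may be a datetime.date or an ISO 'YYYY-MM-DD' string. findings is a
    list of (severity, message) tuples: "error" for a combination the guide says
    will not work, "warning" for an upgrade that should be planned. ok is False
    when any error is present.
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    pano = parse_version(panorama_version)
    plugin = parse_version(plugin_version)
    findings = []

    # Rule 1: the Panorama train must not have passed its EoS date for Prisma Access.
    # The guide says this upgrade is required regardless of the plugin version you run.
    eos = PANORAMA_EOS_FOR_PRISMA_ACCESS.get(pano[:2])
    if eos is not None:
        train = f"{pano[0]}.{pano[1]}.x"
        if today >= eos:
            findings.append(("error",
                f"Panorama {train} reached end of support for Prisma Access on {eos}; "
                "upgrade Panorama before making further changes"))
        else:
            days_left = (eos - today).days
            findings.append(("warning",
                f"Panorama {train} is supported with Prisma Access until {eos} "
                f"({days_left} days left); schedule the upgrade before that date"))

    # Rule 2: plugin versions newer than 1.7 need Panorama 9.1.2 or later.
    if plugin[:2] > LAST_PLUGIN_FOR_PANORAMA_9_0 and pano < MIN_PANORAMA_FOR_NEWER_PLUGIN:
        needed = ".".join(str(n) for n in MIN_PANORAMA_FOR_NEWER_PLUGIN)
        findings.append(("error",
            f"Cloud Services plugin {plugin_version} requires Panorama {needed} or "
            f"later, but Panorama is {panorama_version}"))

    ok = not any(severity == "error" for severity, _ in findings)
    return ok, findings


if __name__ == "__main__":
    # Constructed sample inputs, not values from any real deployment.
    checks = [
        ("9.0.7", "1.7.0", "2020-11-18"),  # supported, but EoS approaching
        ("9.0.7", "1.8.0", "2020-11-18"),  # plugin newer than 1.7 on a 9.0 Panorama
        ("9.0.7", "1.7.0", "2021-02-01"),  # past EoS regardless of plugin version
        ("9.1.2", "1.8.0", "2021-03-01"),  # fine until August 20, 2021
    ]
    for pano_v, plugin_v, on in checks:
        ok, findings = check_panorama_compatibility(pano_v, plugin_v, on)
        state = "OK" if ok else "ACTION REQUIRED"
        print(f"Panorama {pano_v}, plugin {plugin_v}, on {on}: {state}")
        for severity, message in findings:
            print(f"  [{severity}] {message}")
```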

Cadence for Software and Content Updates for Prisma Access


The following table informs you of the software and content updates that you must install to get the latest
applications and threat signatures and leverage the threat prevention capabilities provided by Palo Alto
Networks.

Component: Upgrades to Panorama software for compatibility with Prisma Access
  Update Schedule: For major Prisma Access releases, you might need to upgrade your Panorama version
  for the following use cases:
  • Required Upgrade—On occasion, you will be required to upgrade the software version on Panorama for
    compatibility with Prisma Access (see Prisma Access and Panorama Version Compatibility).
    • Maintenance Window—Your organization will need to schedule a maintenance window to upgrade
      the Panorama software version.
    • Impact—You cannot use the new plugin version until you upgrade your Panorama version.
    • Notification—Palo Alto Networks will provide you with a notification 100 days before the scheduled
      major release upgrade.
  • Optional Upgrade—In other cases, you might need to upgrade the Panorama software version to use
    the new features that Prisma Access supports in the major release.
    • Maintenance Window—Your organization will need to schedule a maintenance window to upgrade
      the Panorama software version.
    • Impact—You cannot use the new features that Prisma Access supports until you upgrade your
      Panorama.
    • Notification—Palo Alto Networks will notify you of any Panorama requirements 21 days before a
      scheduled major release upgrade as defined in Release Definitions.
  Cloud Controlled? No
  Comments: See Prisma Access and Panorama Version Compatibility to learn when a Panorama version
  becomes incompatible with Prisma Access. See Upgrade the Cloud Services Plugin for the currently
  supported Panorama versions to use with Prisma Access. To upgrade your Panorama to a new version,
  see Install Content and Software Updates for Panorama.

Component: Cloud Services plugin version
  Update Schedule: Available after the plugin release.
  Cloud Controlled? No
  Comments: You perform the tasks to upgrade the plugin. See Prisma Access Scheduled and Unscheduled
  Upgrades for details about when Prisma Access updates its plugin version. See Upgrade the Cloud
  Services Plugin to upgrade the plugin in the Panorama appliance.

Component: GlobalProtect app
  Update Schedule:
  • Major GlobalProtect App Releases (for example, x.0 or 5.x)—Prisma Access updates the agent on the
    portal with the latest major release 7-10 days after the general availability of the x.0.1 version of
    that release. For example, given an agent release of 5.1, Prisma Access updates the agent on the
    portal 7-10 days after the release of 5.1.1.
  • Minor GlobalProtect App Releases (for example, 5.1.x)—Prisma Access updates the agent on the portal
    with the latest minor release 7-10 days after the general availability of that release.
  Cloud Controlled? Yes
  Comments: The cloud controls the versions of the app that are available for upgrade; however, you can
  choose between several different hosted versions of the app and can control how and when to roll out
  GlobalProtect app updates to the end users. See Manage Upgrade Options for the GlobalProtect App for
  details.

Component: Applications and threat updates
  Update Schedule: Daily with a threshold of 24 hours. We release New App-IDs on the third Tuesday of
  every month. Plan to review and incorporate these new App-IDs within the 24-hour threshold. Use the
  New App-ID filter to minimize this possible traffic impact.
  Cloud Controlled? Yes
  Comments: We will provide an update via the status.paloaltonetworks.com page 48 hours prior to a
  cloud upgrade, and 24 hours prior to the release of a new App-ID version.

Component: Antivirus protection
  Update Schedule: Every hour, 10 minutes after the hour
  Cloud Controlled? Yes
  Comments: Prisma Access is always up-to-date with the latest Antivirus release.

Component: WildFire
  Update Schedule: Every 5 minutes
  Cloud Controlled? Yes
  Comments: Prisma Access is always up-to-date with the latest WildFire release.

Component: GlobalProtect Data File
  Update Schedule: Every hour
  Cloud Controlled? Yes
  Comments: Prisma Access is always up-to-date with the latest GlobalProtect data file release.

Component: Clientless VPN application signatures
  Update Schedule: Every hour
  Cloud Controlled? Yes
  Comments: Prisma Access is always up-to-date with the latest Clientless VPN application signature
  release.

Manage Upgrade Options for the
GlobalProtect App
Prisma Access hosts the GlobalProtect app version that macOS and Windows users in your organization can
download from the Prisma Access portal. Prisma Access offers several versions of the GlobalProtect app,
and you can choose to make one of those versions the active version. You can also manage mobile users'
access to the GlobalProtect app, or perform staged upgrades.
• Select the Active GlobalProtect App Version
• Manage Users’ Access to GlobalProtect App Updates
• Perform Staged Updates of the GlobalProtect App

Select the Active GlobalProtect App Version


Prisma Access manages the GlobalProtect app version for Windows and macOS users in your organization.
While Prisma Access hosts several GlobalProtect app versions, only one of the hosted versions is active.
When mobile users log in to the Prisma Access portal, the active version is the one they download and use
on their Windows and macOS devices.

The System Status page also provides you information about your current Panorama
version, Cloud Services plugin version, and dataplane version. You can receive notifications
and alerts on this page when plugin or Panorama versions become end of support (EoS) for
use with Prisma Access. See Notifications and Alerts for Panorama, Cloud Services Plugin,
and PAN-OS Dataplane Versions for details.

If your currently-active version is end-of-life, Prisma Access notifies you and requests that you activate a
supported version.
You can select different GlobalProtect versions in a multi-tenant deployment. The GlobalProtect app
version settings you apply are per tenant and not global; you control the app version on a per-tenant basis.
You can replace the current active version with another hosted version from the Service Setup page by
completing the following steps.

STEP 1 | Select Panorama > Cloud Services > Configuration > Service Setup.

STEP 2 | Select Activate new GlobalProtect App version and compare it to the active GlobalProtect
version.

If your current GlobalProtect version is end-of-life (EoL), a message displays in this area
on the Service Setup page; if you receive this message, upgrade your GlobalProtect app
version by continuing to the next step.

STEP 3 | Select the version to which you want to upgrade.
A window displays to verify your choice. After the app has been activated, you receive a success message.

STEP 4 | View the System Status page to verify that the GlobalProtect app version you selected as
active is the Active GlobalProtect App version.

Manage Users’ Access to GlobalProtect App Updates


To manage mobile users' access to the active GlobalProtect app version that is hosted by Prisma Access,
complete the following steps.

STEP 1 | In Panorama, select Network > GlobalProtect > Portals.

STEP 2 | Select the Mobile_User_Template from the Template drop-down.

STEP 3 | Select GlobalProtect_Portal to edit the Prisma Access portal configuration.

STEP 4 | Select the Agent tab and select the app configuration.

STEP 5 | Select the App tab.

STEP 6 | In the App Configurations area, select a choice in Allow User to Upgrade GlobalProtect App to
specify whether mobile users can upgrade their GlobalProtect app version to the active version
that is hosted on Prisma Access and, if they can, whether they can choose when to upgrade:
• Allow with Prompt (default)—Prompt users when a new version is activated and allow users to
upgrade their software when it is convenient.
• Disallow—Prevent users from upgrading the app software.
• Allow Manually—Allow users to manually check for and initiate upgrades by selecting Check Version
in the GlobalProtect app.
• Allow Transparently—Automatically upgrade the app software whenever a new version becomes
available on the portal.
• Internal—Automatically upgrade the app software whenever a new version becomes available on the
portal, but wait until the endpoint is connected internally to the corporate network. This prevents
delays caused by upgrades over low-bandwidth connections.

Perform Staged Updates of the GlobalProtect App


If you manage a large organization, you might want to update mobile users to the latest version of the
GlobalProtect app in stages. For example, you could assign a smaller group to update their GlobalProtect
app before rolling out the update to everybody in your organization. To do so, complete the following task.

STEP 1 | If you have not yet created it, create a user group for the first group of users to which you
want to roll out the GlobalProtect app update.

You can use User-ID to map users to groups, or select Device > Local User Database > User Groups to
manually create a group.

STEP 2 | Create a new GlobalProtect agent configuration to use for the first group of users.
1. In Panorama, select Network > GlobalProtect > Portals.
2. Select the Mobile_User_Template from the Template drop-down.
3. Select GlobalProtect_Portal to edit the Prisma Access portal configuration.
4. Select the Agent tab.
5. Select the DEFAULT configuration and Clone it.
You can also Add a new configuration; but cloning the existing configuration copies over required
information for the new configuration.
6. Specify a Name for the configuration.
7. Select the Config Selection Criteria tab.
8. In the User/User Group area, select the user group you created in Step 1.
9. Select the App tab.
10. Change Allow User to Upgrade GlobalProtect App to either Allow with Prompt or Allow
Transparently.
Allow with Prompt prompts users when a new version is activated and allows them to upgrade
their software when it is convenient; Allow Transparently automatically upgrades the app software
whenever a new version becomes available on the portal.
11. Click OK to save your changes.

STEP 3 | Select Move Up to move your configuration above the default configuration.
When an app connects, the portal compares the source information in the packet against the agent
configurations you have defined. As with security rule evaluation, the portal looks for a match starting
from the top of the list. When it finds a match, it delivers the corresponding configuration to the app.

STEP 4 | Repeat these steps for the DEFAULT configuration, but change Allow User to Upgrade
GlobalProtect App to Disallow to prevent users from updating to the latest GlobalProtect app
software.

STEP 5 | When you want to let the rest of the users update their apps, change Allow User to Upgrade
GlobalProtect App in the DEFAULT configuration to a selection that allows it (either Allow
with Prompt or Allow Transparently).

Notifications and Alerts for Panorama, Cloud
Services Plugin, and PAN-OS Dataplane
Versions
Prisma Access consists of components you manage, such as Panorama and the Cloud Services plugin;
components that Prisma Access manages, such as the dataplane version; and components that Prisma
Access manages but whose version you can control (the GlobalProtect app version hosted on the Prisma
Access portal). The Service Setup page (Panorama > Cloud Services > Configuration > Service Setup) shows
you the status of these components in a single page. This page also contains notifications that show you
when your current running Panorama version and plugin versions will be end of support (EoS) for use with
Prisma Access. Palo Alto Networks provides you with advance notice of EoS dates to give your organization
sufficient time to plan the upgrade.

All dates are in Coordinated Universal Time (UTC).

The Service Setup page provides you with the following information:

Area: Panorama Alert
  Displays the current Panorama version that you are running. The Upgrade requirements area provides
  you with information about Panorama versions, including dates when currently compatible Panorama
  versions reach their end of support (EoS) dates for managing Prisma Access. Use this information to
  plan your Panorama upgrade in advance of its EoS date.

Area: Plugin Alert
  Displays the current Cloud Services plugin that is installed on the Panorama that manages Prisma
  Access. The Upgrade requirements area provides you with dates when the next plugin version will be
  released, the deadline for upgrading to the next plugin, and the date when you will not be able to make
  changes and commits using the earlier plugin version. Use this information to plan for the next Cloud
  Services plugin upgrade.

Area: GlobalProtect App Activation
  Displays the currently-running (active) version of the GlobalProtect app that mobile users can
  download from the Prisma Access portal, and shows you the available GlobalProtect app versions to
  which you can upgrade. See Select the Active GlobalProtect App Version for details.

Area: Dataplane PAN-OS version
  Displays the current PAN-OS version that your dataplane is running. The dataplane is the component of
  the Prisma Access infrastructure that enables traffic inspection and security policy enforcement on your
  network and user traffic.
  If Prisma Access has scheduled a dataplane upgrade, it displays in this area, along with the date for
  which it is scheduled. If you want to cancel this upgrade, you can cancel the scheduled upgrade from
  this area.

Area: Share/Delete Contact Information
  Allows you to share contact information (Company name, contact name, email, and phone number) so
  that you can be contacted about Palo Alto Networks service upgrades.
  If you have previously entered contact information, you can delete the information you entered in this
  area.
  Do not use any of the following special characters in the contact information area:
  • " (Double quotes)
  • ' (Apostrophe)
  • < (less than sign)
  • > (greater than sign)
  • & (ampersand)

Prisma Access Licensing
The following sections describe the licensing options for Prisma Access, as well as components that are
required to use the service.

This section describes the licenses that were available before November 17, 2020; for an
overview of the licenses that are available after November 17, 2020, see the Prisma Access
1.8 Administration Guide.

• Prisma Access Licenses
• Other Required Licenses

Prisma Access Licenses


The licenses you need for Prisma Access depend on whether you want to use the service to secure your
remote networks, your mobile users, or both:
• Prisma Access for Networks (formerly GlobalProtect Cloud Service for Remote Networks)—To license
Prisma Access for networks you purchase a bandwidth pool, which you can divide among each remote
network location that you onboard in increments of 2 Mbps, 5 Mbps, 10 Mbps, 20 Mbps, 25 Mbps, 50
Mbps, 100 Mbps, 150 Mbps, 300 Mbps, 500 Mbps, or 1000 Mbps.

The 1000 Mbps bandwidth option is in preview mode. The throughput during preview is
delivered on a best-effort basis and the actual performance will vary depending upon the
traffic mix. The 500 Mbps option supports SSL decryption, but Palo Alto Networks does
not guarantee 500 Mbps of throughput if it is enabled.

To enable traffic peaks, the service allows you to go 10% over the allocated bandwidth for each site;
traffic overages above this peak limit are dropped. See How to Calculate Remote Network Bandwidth for
more details about the correct bandwidth to specify for your remote network.
A remote network’s bandwidth speed is enforced equally in both directions. If you assign a remote
network with 50 Mbps bandwidth, then 55 Mbps (50 Mbps plus 10% overage allocation) is enforced
for both ingress and egress traffic. If you have an asymmetric internet connection (which is a common
deployment), you should specify the higher of the two values to fully utilize the circuit.
• Prisma Access for Users (formerly GlobalProtect Cloud Service for Mobile Users)—You license Prisma
Access for mobile users based on the number of users, with tiers from 200 users to more than 50,000 users.
Prisma Access for mobile users requires the GlobalProtect app on each supported endpoint. Though
there is no strict policing of the mobile user count, the service does track the number of unique users
over the last 90 days to ensure that you have purchased the proper license tier for your user base, and
stricter policing of the user count may be enforced if continued overages occur.
• Prisma Access for Clean Pipe—The Prisma Access for Clean Pipe service allows organizations that
manage the IT infrastructure of other organizations, such as service providers, MSSPs, or Telcos, to
quickly and easily protect outbound internet traffic for their tenants.
Prisma Access for Clean Pipe uses its own license and has its own requirements. However, it requires
the same Panorama and Cortex Data Lake licenses as the other Prisma Access products described in this
section.

When a Prisma Access license expires, you can still use the service and collect logs
for 15 days after license expiration. You cannot make changes to configuration. Prisma
Access shuts down its instances 15 days after license expiration and completely deletes the
instances and tenants 30 days after license expiration.

Other Required Licenses


In addition to the Prisma Access licenses, in order to run the service you must also have the following
licensed components:
• Panorama—You deploy and manage Prisma Access using the Cloud Services plugin for Panorama.
In order to use this plugin, you must have Panorama with a valid support license. See the Palo Alto
Networks Compatibility Matrix for the Panorama versions that are supported with the Cloud Services
plugin. When you license the Prisma Access components, you must tie the auth code to a licensed
Panorama serial number.
• Cortex Data Lake—The Prisma Access infrastructure forwards all logs to Cortex Data Lake. You can
view the Prisma Access logs, ACC, and reports directly from Panorama for an aggregated view into
your remote network and mobile user traffic. To enable logging for Prisma Access, you must purchase a
Cortex Data Lake license.

Retrieve the IP Addresses for Prisma Access
If you are manually adding IP addresses of your Prisma Access infrastructure to an allow list in your
network, or if you are using an automation script to enforce IP-based restrictions to limit inbound access to
enterprise applications, you should understand what these addresses do and why you need to allow them,
as well as the tasks you perform to retrieve them.
While you do not perform these tasks until after you complete your Prisma Access configuration, it is useful
to understand these concepts in advance, so you understand what to do after your deployment is complete.

To learn about events that cause Prisma Access IP addresses to change and to plan for
those changes, see Plan for IP Address Changes for Mobile Users, Remote Networks, and
Service Connections.

• Prisma Access Infrastructure IP Addresses
• Run the API Script Used to Retrieve IP Addresses
• API Command Examples
• Pre-Allocate IP Addresses for Mobile User Locations
• Be Notified of Changes to IP Addresses
• Legacy Scripts Used to Retrieve IP and Loopback Addresses

Prisma Access Infrastructure IP Addresses


The following table provides you with a list of the IP addresses that Prisma Access uses for each
deployment type, along with the keyword you use when you run the API script to retrieve the IP addresses,
and whether or not you need to add them to an allow list.
For mobile users, during initial deployment, Prisma Access assigns two sets of IP addresses for each location
you deploy: one set that is assigned to Prisma Access locations and portals that are currently active, and
another set to reserve in case of a scaling event, infrastructure upgrade, or other event that causes Prisma
Access to add locations, portals, or both. The API script allows you to retrieve the reserved set of IP
addresses before they are used, preventing any issues with mobile users being able to access SaaS or public
applications during a scaling event.

Deployment Type: Mobile User
  GlobalProtect gateway (gp_gateway): Retrieves the gateway IP addresses. You must add both gateway
  and portal IP addresses to allow lists for your mobile user deployments. Mobile users connect to a
  Prisma Access gateway to access internal or internet resources, such as SaaS or public applications, for
  which you have provided access.
  GlobalProtect portal (gp_portal): Retrieves the portal IP addresses. You must add both gateway and
  portal IP addresses to allow lists for your mobile user deployments. As with gateways, you can retrieve
  both the active IP addresses and ones that are reserved for a scaling event. See Run the API Script
  Used to Retrieve IP Addresses for examples. Mobile users log in to the Prisma Access portal to receive
  their initial configuration and gateway location.
  Loopback IP addresses: This address is the source IP address used by Prisma Access for requests made
  to an internal source, and is assigned from the infrastructure subnet. Add the loopback IP address to an
  allow list in your network to give Prisma Access access to internal resources such as RADIUS or Active
  Directory authentication servers. Palo Alto Networks recommends that you allow all the IP addresses of
  the entire infrastructure subnet in your network, because loopback IP addresses for mobile users can
  change. To find the infrastructure subnet, select Panorama > Cloud Services > Status > Network Details
  > Service Infrastructure. The subnet displays in the Infrastructure Subnet area. To retrieve loopback IP
  addresses, use the legacy API command.

Deployment Type: Remote Network
  Remote Network IP addresses (remote_network): Includes Service IP Addresses that Prisma Access
  assigns for the Prisma Access remote network connection, and egress IP addresses that Prisma Access
  uses to make sure that remote network users get the correct default language for their region. Add
  these addresses to allow lists in your network to give Prisma Access access to internet resources.
  Loopback IP addresses: This is the source IP address used by Prisma Access for requests made to an
  internal source, and is assigned from the infrastructure subnet. Add the loopback IP address to an allow
  list to give Prisma Access access to internal resources such as RADIUS or Active Directory
  authentication servers. To retrieve loopback IP addresses, use the legacy API command.

Deployment Type: Clean Pipe
  Clean Pipe IP Addresses (clean_pipe): If you have a Clean Pipe deployment, add these IP addresses to
  an allow list to give the Clean Pipe service access to internet resources.
  Loopback IP addresses: This is the source IP address used by Prisma Access for requests made to an
  internal source, and is assigned from the infrastructure subnet. Add the loopback IP address to an allow
  list to give Prisma Access access to internal resources such as RADIUS or Active Directory
  authentication servers. To retrieve loopback IP addresses, use the legacy API command.

Run the API Script Used to Retrieve IP Addresses


Use the following steps to retrieve the IP addresses that Prisma Access uses in its infrastructure.

This command does not retrieve loopback addresses; to retrieve loopback IP addresses, use
the loopback API command.

STEP 1 | Get the API key.


You need this key to authenticate to Prisma Access and retrieve the list of IP addresses using the API
command. Only a Panorama administrator or Superuser can generate or access this API key.
1. Select Panorama > Cloud Services > Configuration > Service Setup.
2. Select Generate API Key.

If you have already generated an API key, the Current Key displays. If you haven’t yet generated
a key or want to replace the existing key to meet audit or compliance checks for key rotation, click
Generate New API Key for a new key.

STEP 2 | Create a .txt file and put the API command options in the file.

Using the API command is a two-step process. First, you create a .txt file specifying the
parameters for the IP addresses to retrieve, and save the file in a folder that is reachable from the
location where you run the command. Then, you run the API command and specify the name and location of
the .txt file you created.
Specify the following keywords and arguments in the .txt file. See API Command Examples for examples.
The examples in this document use a file name of options.txt but you can specify any file name, as long
as you reference it in the command.

Argument     Possible choices (keywords)     Comments

serviceType     all, remote_network, gp_gateway, gp_portal, clean_pipe
    all: Retrieves IP addresses you need to add to an allow list for all service types (Remote Networks, Mobile Users (both gateways and portals), and Clean Pipe, as applicable to your deployment).
    remote_network: Retrieves IP addresses you need to add to an allow list for remote network deployments.
    gp_gateway: Retrieves the gateway IP addresses you need to add to an allow list for mobile user deployments.
    gp_portal: Retrieves the portal IP addresses you need to add to an allow list for mobile user deployments.
    clean_pipe: Retrieves the IP addresses you need to add to an allow list for clean pipe deployments.

addrType     all, active, reserved
    all: Retrieves all the IP addresses you need to add to an allow list.
    active: Retrieves the active IP addresses. This keyword is applicable to mobile user deployments only.
    reserved: Retrieves the reserved IP addresses. This keyword is applicable to mobile user deployments only.
    This API does not retrieve loopback IP addresses. To retrieve loopback IP addresses, use the legacy API command.

actionType     pre_allocate
    Mobile User deployments only. An actionType of pre_allocate allows you to retrieve IP addresses or subnets for Prisma Access gateways and portals for mobile user deployments. Use this with a serviceType of gp_gateway to retrieve pre-allocated gateway IP addresses and a serviceType of gp_portal to retrieve pre-allocated portal IP addresses.
    Retrieving the pre-allocated IP addresses lets you add the gateway and portal IP addresses to your organization’s allow lists before you onboard mobile user locations, which in turn gives mobile users access to external SaaS apps immediately after you onboard the locations. See Pre-Allocate IP Addresses for Mobile User Locations for details.

location     all, deployed
    all: Retrieves the IP addresses from all locations. For mobile user deployments, this keyword retrieves the IP addresses for both locations you added during onboarding, and locations you did not add.
    deployed: Retrieves IP addresses in all locations that you added during mobile user onboarding. This keyword is applicable to mobile user deployments only. Prisma Access associates IP addresses for every mobile user location during provisioning, even if you didn’t select that location during mobile user onboarding. If you specify all, the API command retrieves the IP addresses for all mobile user locations, including ones you didn’t select for the deployment. If you specify deployed, the API command retrieves only the IP addresses for the locations you selected during onboarding.

Specify the options in the .txt file in the following format:

{
"serviceType": "service-type",
"addrType": "address-type",
"location": "location"
}

STEP 3 | Enter the following command to retrieve the IP addresses:

curl -X POST --data @option.txt -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/getPrismaAccessIP/v2"

Where option.txt is the .txt file you created in Step 2 and Current-API-Key is the Prisma Access API key.
For example, given a .txt file name of option.txt and an API key of 12345abcde, use the following
API command to retrieve the public IP address for all locations:

curl -X POST --data @option.txt -k -H header-api-key:12345abcde "https://api.gpcloudservice.com/getPrismaAccessIP/v2"

The API command can return a large amount of information. To make the output more
readable, if you have Python installed, you can add | python -m json.tool at the
end of the CURL command.

The API command returns the addresses in the following format:

{
  "result": [
    {
      "address_details": [
        {
          "address": "1.2.3.4",
          "addressType": "address-type",
          "serviceType": "service-type"
        }
      ],
      "addresses": [ "1.2.3.4" ],
      "zone": "zone-name",
      "zone_subnet": [ zone-subnet ]
    }
  ]
}

Where:
• address_details shows the details of the address for each location.
• address shows the IP address you need to add to your allow lists.
• addressType specifies the type of address specified with the addrType keyword (either active,
reserved, or pre-allocated if you are pre-allocating IP addresses for mobile user locations).
• serviceType shows the type of IP address (either remote network (remote_network),
GlobalProtect gateway (gp_gateway), GlobalProtect portal (gp_portal), or Clean Pipe (clean_pipe)).
• addresses lists all the IP addresses for the location that you need to add to your allow lists.
• zone is the Prisma Access location associated with the IP addresses.
• zone_subnet is the subnet for mobile user gateways and portals. Prisma Access provides this subnet
if you pre-allocate mobile user IP addresses.
If there are any problems with the options in the .txt file, the API returns an error similar to the
following:
{"status": "error","result": "Invalid json format in the request. trace_id:
xxxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx "}

STEP 4 | Update the allow lists on your on-premises servers or SaaS application policy rules with the IP
addresses you retrieved.
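The following script is an added example, not code from the guide or from Palo Alto Networks: it builds the options .txt content with the keyword checks from the table in Step 2, assembles the Step 3 curl invocation, and turns a response in the format documented above into allow-list entries. The sample response is constructed, and the function names are this example's own.

```python
import ipaddress
import json

# Keyword sets from the argument table in Step 2.
SERVICE_TYPES = {"all", "remote_network", "gp_gateway", "gp_portal", "clean_pipe"}
ADDR_TYPES = {"all", "active", "reserved"}
LOCATIONS = {"all", "deployed"}
API_URL = "https://api.gpcloudservice.com/getPrismaAccessIP/v2"


def validate_options(service_type, addr_type="all", location="all"):
    """Problems with an options combination (empty list when the guide allows it):
    reserved/deployed are mobile-user keywords, and reserved must not go with location all."""
    problems = []
    if service_type not in SERVICE_TYPES:
        problems.append("unknown serviceType %r" % service_type)
    if addr_type not in ADDR_TYPES:
        problems.append("unknown addrType %r" % addr_type)
    if location not in LOCATIONS:
        problems.append("unknown location %r" % location)
    if service_type in ("remote_network", "clean_pipe"):
        if addr_type == "reserved" or location == "deployed":
            problems.append("%s: do not use reserved or deployed" % service_type)
    if addr_type == "reserved" and location == "all":
        problems.append("reserved addresses exist only for onboarded locations")
    return problems


def build_options(service_type, addr_type="all", location="all"):
    """JSON text for the options .txt file; refuses combinations the guide says
    not to use instead of waiting for the API to return an error."""
    problems = validate_options(service_type, addr_type, location)
    if problems:
        raise ValueError("; ".join(problems))
    return json.dumps({"serviceType": service_type, "addrType": addr_type,
                       "location": location})


def curl_argv(options_path, api_key):
    """argv for the Step 3 curl call.  The key travels only in the header-api-key
    header; the guide's -k (skip certificate verification) is left out so a
    spoofed endpoint cannot feed addresses into the allow list."""
    return ["curl", "-X", "POST", "--data", "@" + options_path,
            "-H", "header-api-key:" + api_key, API_URL]


def api_error(text):
    """Message from the documented error shape {"status": "error", "result": "..."},
    or None when the call succeeded."""
    body = json.loads(text)
    return str(body["result"]) if body.get("status") == "error" else None


def parse_response(text):
    """Parse a successful v2 response into (entries, subnets); each entry is
    (zone, address, serviceType, addressType).  Every value goes through
    ipaddress so a malformed one raises instead of reaching an allow list.
    Pre-allocation output spells the service key service_type; both are accepted."""
    error = api_error(text)
    if error is not None:
        raise RuntimeError("API error: " + error)
    entries, subnets = [], []
    for zone in json.loads(text)["result"]:
        name = zone["zone"]
        for detail in zone.get("address_details", []):
            addr = str(ipaddress.ip_address(detail["address"]))
            svc = detail.get("serviceType", detail.get("service_type"))
            entries.append((name, addr, svc, detail["addressType"]))
        for subnet in zone.get("zone_subnet") or []:
            subnets.append((name, str(ipaddress.ip_network(subnet, strict=False))))
    return entries, subnets


def _sort_key(value):
    net = ipaddress.ip_network(value, strict=False)
    return net.version, net   # keeps IPv4 and IPv6 entries comparable


def allow_list(entries, subnets, service_type=None):
    """Sorted, de-duplicated allow-list entries (addresses plus any pre-allocated
    subnets), optionally limited to one serviceType."""
    wanted = {e[1] for e in entries if service_type in (None, e[2])}
    wanted |= {s[1] for s in subnets}
    return sorted(wanted, key=_sort_key)


# Constructed sample response in the format the guide documents (not live data).
SAMPLE_RESPONSE = json.dumps({"status": "success", "result": [
    {"zone": "sample-zone-1", "addresses": ["198.51.100.10", "198.51.100.11"], "zone_subnet": [],
     "address_details": [
         {"address": "198.51.100.10", "addressType": "active", "serviceType": "gp_gateway"},
         {"address": "198.51.100.11", "addressType": "reserved", "serviceType": "gp_gateway"}]},
    {"zone": "sample-zone-2", "addresses": ["203.0.113.5"], "zone_subnet": ["203.0.113.0/28"],
     "address_details": [
         {"address": "203.0.113.5", "addressType": "pre-allocated", "serviceType": "gp_portal"}]}]})
ERROR_RESPONSE = '{"status": "error","result": "Invalid json format in the request. trace_id: x"}'
```

Feed the text returned by the curl call to `parse_response` and pass the result to `allow_list` to get the entries for one service type or for the whole deployment.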

API Command Examples


Use the following examples when entering keywords and arguments in the .txt file for the API command. To
change the output of the command, change the options in the .txt file; the command itself does not change.

Retrieve These IP Addresses     Specify These Parameters in the .txt File     Comments

Mobile User IP Addresses

All active and reserved mobile user IP Addresses
    {
    "serviceType": "gp_gateway",
    "addrType": "all",
    "location": "all"
    }
    An addrType of all means that Prisma Access retrieves both active and reserved IP addresses for the locations you selected during mobile user onboarding.
    A location of all means that Prisma Access retrieves IP addresses for all available locations, including ones that you have not onboarded. Prisma Access reserves non-onboarded location IP addresses so that you can add these IP addresses to your allow lists before you onboard them.

Active and reserved IP addresses for onboarded mobile user locations
    {
    "serviceType": "gp_gateway",
    "addrType": "all",
    "location": "deployed"
    }
    A location type of deployed means that Prisma Access retrieves only the IP addresses for the locations that you selected during mobile user onboarding.

All active IP Addresses for onboarded mobile user locations
    {
    "serviceType": "gp_gateway",
    "addrType": "active",
    "location": "deployed"
    }
    An addrType of active means that Prisma Access retrieves only the active IP addresses, and does not retrieve reserved IP addresses, for the locations you onboarded.

All reserved IP Addresses for onboarded mobile user locations
    {
    "serviceType": "gp_gateway",
    "addrType": "reserved",
    "location": "deployed"
    }
    An addrType of reserved means that Prisma Access retrieves only the reserved IP addresses for the locations you onboarded.
    Do not use an addrType of reserved with a location of all; Prisma Access does not allocate active and reserved IP addresses to locations that you have not onboarded.

Remote Network IP Addresses

Retrieve all remote network IP addresses
    {
    "serviceType": "remote_network",
    "addrType": "all",
    "location": "all"
    }
    This command retrieves the public and egress IP addresses of remote networks you have onboarded. Do not use a location of deployed or an addrType of reserved. You can use an addrType of active but it retrieves the same addresses as if you specified an addrType of all.

Clean Pipe IP Addresses

Retrieve all clean pipe IP addresses
    {
    "serviceType": "clean_pipe",
    "addrType": "all",
    "location": "all"
    }
    This command retrieves the public and egress IP addresses of clean pipes you have onboarded. Do not use a location of deployed or an addrType of reserved. You can use an addrType of active but it retrieves the same addresses as if you specified an addrType of all.

Pre-Allocate IP Addresses for Mobile User Locations
Prisma Access uses gateway and portal IP addresses in mobile user deployments. These IP addresses are
known collectively as egress IP addresses. If you require these egress IP addresses before you onboard the
location (for example, if your organization needs to add the egress IP addresses to allow lists to give mobile
users access to external SaaS applications), you can run an API script to have Prisma Access pre-allocate
these IP addresses for a location ahead of time, before you onboard it. You can then add the location’s
egress IP addresses to your organization’s allow lists before onboarding the location.
The API response also includes the public IP pool subnets for the egress IP addresses for the requested
location. The egress IP addresses of any locations you add are a part of this subnet. Adding the subnets to
your allow lists provides for future location additions without further allow list modification.
Prisma Access does not pre-allocate your IP addresses and subnets unless you request them using the API
script. After you run the pre-allocation script, they have a validity period of 90 days. These IP addresses
and subnets are unique, not shared, and dedicated to your Prisma Access deployment during the validity
period. You must onboard your locations before the validity period ends or you lose the addresses; to find
the validity period at any time, run the API script.

Palo Alto Networks recommends that you only pre-allocate IP addresses for locations that
you want to onboard later.

To pre-allocate IP addresses, complete the following task.

STEP 1 | Retrieve the Prisma Access API key.

STEP 2 | Pre-allocate the mobile user egress IP addresses by creating a .txt file and specifying the
following options in it.
Enter the following text in the .txt file:

{
"actionType": "pre_allocated",
"serviceType": "gp_gateway",
"location": "location"
}

Where location is the Prisma Access location where you want to pre-allocate the IP addresses.
Enter a maximum of 12 locations. Entering more than 12 locations might cause timeout errors when
Prisma Access retrieves the pre-allocated IP addresses.

STEP 3 | Enter the CURL command as shown in Step 3 of the task in Run the API Script Used to
Retrieve IP Addresses.

STEP 4 | Retrieve the IP addresses and subnets you requested, including their validity period, by re-
opening the .txt file, removing the existing information, and editing it.
• To request Prisma Access to retrieve all pre-allocated IP addresses, enter the following text in the .txt
file.

{
"serviceType": "all",
"addrType": "pre_allocated",
"location": "all"
}
• To request Prisma Access to retrieve all pre-allocated IP addresses for Prisma Access gateways for
a given location, enter the same information in the .txt file but substitute all with gp_gateway in
the .txt file.
• To request Prisma Access to retrieve all pre-allocated IP addresses for Prisma Access portals for a
given location, enter the same information in the .txt file but substitute all with gp_portal in
the .txt file.
Palo Alto Networks recommends that you enter all so you can retrieve all required pre-allocated egress
IP addresses to add to your allow lists.

While Prisma Access returns up to four addresses for each location (one active and one
reserved gateway IP address and, if required, one active and one reserved portal IP
address), the API command can return a large amount of information. To make the output
more readable, if you have Python installed, you can add | python -m json.tool at
the end of the CURL command.

STEP 5 | Re-enter the CURL command as shown in Step 3 in the task in Run the API Script Used to
Retrieve IP Addresses to retrieve the pre-allocated addresses.
Prisma Access returns the information in the following format:

{
  "status": "success",
  "result": [
    {
      "zone": "prisma-access-zone1",
      "addresses": ["ip-address1", "ip-address2"],
      "zone_subnet": ["subnet-and-mask1", "subnet-and-mask2"],
      "address_details": [
        {
          "address": "ip-address1",
          "service_type": "service-type",
          "addressType": "pre-allocated",
          "expiring_in": "validity-period"
        },
        {
          "address": "ip-address2",
          "service_type": "gp_gateway",
          "addressType": "pre-allocated",
          "validity_period_remaining": "90 days"
        }
      ]
    }
  ]
}

Where the variables represent the following API command output:

Variable     Explanation

prisma-access-zone1     The Prisma Access location for which pre-allocated IP addresses were retrieved.

ip-address1 and ip-address2     The egress IP addresses that Prisma Access has pre-allocated for the specified location. Prisma Access retrieves two IP addresses for each location; you must add both of these IP addresses to your allow lists.

subnet-and-mask1 and subnet-and-mask2     The subnets that Prisma Access has pre-allocated and reserved for the egress IP addresses in your deployment.

service-type     The type of the pre-allocated egress IP address (either gp_portal for a Prisma Access portal or gp_gateway for a Prisma Access gateway).

validity-period     The remaining time, in days, for which the pre-allocated IP address is valid. You must onboard your mobile user location before the IP addresses’ validity period ends. If the pre-allocated IP addresses expire, you can rerun the API script to retrieve another set of pre-allocated IP addresses.

You could receive an error if you attempt to pre-allocate IP addresses for locations that meet one of the
following criteria:
• You have already onboarded the location.
• You onboarded, then deleted the location.
In this case, enter the following text in the .txt file to retrieve the IP addresses for the location:

{
"serviceType": "gp_gateway",
"addrType": "all",
"location": "all"
}
• You have reached the maximum number of mobile user locations allowed by your license and cannot
add any more locations.
• You entered the location name incorrectly.
• You entered a serviceType other than gp_gateway.
• You entered an actionType other than pre_allocated.
• You previously requested egress IP addresses for a location that is also a #unique_36 and have not
yet onboarded it.

Be Notified of Changes to IP Addresses


To be notified of public IP address changes for remote networks and loopback IP address changes for
service connections, remote network connections, and mobile users, you can specify a URL at which you
can be alerted of a change. Prisma Access uses an HTTP POST request to send the notification. This POST
request includes the following notification data in JSON format:

{"addrType": "public_ip", "addrChangeType": "add", "utc_timestamp": "2019-01-31 23:08:19.383894", "text": "Address List Change Notification"}

{"addrType": "public_ip", "addrChangeType": "delete", "utc_timestamp": "2019-01-31 23:13:35.882151", "text": "Address List Change Notification"}

{"addrType": "loopback_ip", "addrChangeType": "update", "utc_timestamp": "2019-01-31 23:29:27.100329", "text": "2018-05-11 23:29:27.100329"}

When you receive a notification, you must follow a two-step process. First, you must manually or
programmatically retrieve the IP or loopback addresses. Then, you must update the IP addresses in your
organization’s appropriate allow list to ensure that users do not experience any disruption in service.

Prisma Access sends this notification a few seconds before the new IP address becomes
active. We recommend that you use automation scripts to both retrieve and add the new IP
addresses to an allow list in your network.

To add an IP notification URL, complete the following task.

STEP 1 | Select Panorama > Cloud Services > Configuration > Service Setup.

STEP 2 | Add an IP Change Event Notification URL where you can be notified of IP address changes in
your Prisma Access infrastructure.

You can specify an IP address or an FQDN to an HTTP or HTTPS web service that is listening for change
notifications. Prisma Access sends these notifications from the internet using a public IP address.
You do not need to commit your changes for the notification URL to take effect.
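A receiver for the notification POST described in this section, added here as an example and not part of the guide or of Prisma Access. The sample bodies follow the format shown above; the mapping from addrType to the follow-up API call, the listening port, and the assumption that TLS is terminated by a reverse proxy in front of it are this example's own.

```python
import json
from datetime import datetime
from http.server import BaseHTTPRequestHandler, HTTPServer

# Field values the guide shows in the notification body.
ADDR_TYPES = {"public_ip", "loopback_ip"}
CHANGE_TYPES = {"add", "delete", "update"}
TIMESTAMP_FORMAT = "%Y-%m-%d %H:%M:%S.%f"   # e.g. 2019-01-31 23:08:19.383894

# The notification carries no addresses, only the fact that something changed,
# so each one has to be followed by a retrieval.  Mapping assumed from the guide:
# public IP changes are retrieved with the v2 API, loopback changes with the
# legacy getAddrList API (the v2 API does not return loopback addresses).
NEXT_STEP = {
    "public_ip": "POST getPrismaAccessIP/v2 with serviceType remote_network, then update external allow lists",
    "loopback_ip": "GET getAddrList/latest?addrType=loopback_ip, then update internal (RADIUS/AD) allow lists",
}


def parse_change_notification(body):
    """Return the validated notification as a dict, or None when the body is not
    a notification in the documented shape.  Unknown addrType or addrChangeType
    values are rejected rather than acted on, and the timestamp is parsed so
    stale or repeated deliveries can be told apart from new ones."""
    try:
        data = json.loads(body)
    except ValueError:
        return None
    if not isinstance(data, dict):
        return None
    if data.get("addrType") not in ADDR_TYPES:
        return None
    if data.get("addrChangeType") not in CHANGE_TYPES:
        return None
    try:
        when = datetime.strptime(str(data.get("utc_timestamp")), TIMESTAMP_FORMAT)
    except ValueError:
        return None
    return {
        "addrType": data["addrType"],
        "addrChangeType": data["addrChangeType"],
        "utc_timestamp": when,
        "next_step": NEXT_STEP[data["addrType"]],
    }


def is_newer(note, last_seen):
    """True when note is newer than the last accepted notice of the same addrType,
    so an out-of-order or duplicated delivery does not trigger a second retrieval."""
    previous = last_seen.get(note["addrType"])
    return previous is None or note["utc_timestamp"] > previous


class NotificationHandler(BaseHTTPRequestHandler):
    last_seen = {}   # addrType -> utc_timestamp of the newest accepted notice

    def do_POST(self):
        # Notifications are small; cap the read so a large body cannot tie up the listener.
        length = min(int(self.headers.get("Content-Length", 0)), 4096)
        note = parse_change_notification(self.rfile.read(length))
        if note is None:
            self.send_response(400)
            self.end_headers()
            return
        self.send_response(200)   # acknowledge first; the change follows within seconds
        self.end_headers()
        if is_newer(note, self.last_seen):
            self.last_seen[note["addrType"]] = note["utc_timestamp"]
            self.log_message("%s %s at %s: %s", note["addrChangeType"], note["addrType"],
                             note["utc_timestamp"], note["next_step"])
            # In real use, start the retrieval here (for example, run the v2 API script).


if __name__ == "__main__":
    # Port is an assumption; expose it through your HTTPS reverse proxy.
    HTTPServer(("0.0.0.0", 8080), NotificationHandler).serve_forever()
```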

Legacy Scripts Used to Retrieve IP and Loopback Addresses


The commands described in this section are superseded as of Prisma Access 1.5;
however, they are still supported for when you need to obtain the loopback address, or for
deployments that use them in scripts or other automated tools.

The following table shows the keywords and parameters that are available in the legacy API scripts used
with Prisma Access, and provides information and recommendations about which API to use for the type of
deployment you have.
These legacy commands retrieve two types of IP addresses, public IP and egress IP addresses. We provide
you with two different legacy API commands so that you can retrieve all the IP addresses you need to add
to an allow list.
• A public IP address is the source IP address that Prisma Access uses for requests made to an internet-
based source. Add the public IP address to an allow list in your network to give Prisma Access access to
internet resources such as SaaS applications or publicly accessible partner applications.
Mobile user, remote network, and clean pipe deployments use public IP addresses.
• An egress IP address is an IP address that Prisma Access uses for egress traffic to the internet, and you
must also add these addresses to an allow list to give Prisma Access access to internet resources.
Among other purposes, Prisma Access uses egress IP addresses so that users receive web pages in the
language they expect from a Prisma Access location. All locations have public IP addresses; however, not
all locations have egress IP addresses. The following locations do not use egress IP addresses:
• Any locations that you added before the release of Prisma Access 1.4.
• Bahrain
• Belgium
• France North
• France South

• Hong Kong
• Ireland
• South Korea
• Taiwan
• United Kingdom
Mobile user, remote network, and clean pipe deployments use egress IP addresses.

Commands Used in Mobile User Deployments

Command Name     Comments

get_egress_ip_all=yes command
    curl -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/getAddrList/latest?get_egress_ip_all=yes"
    This command retrieves all the IP addresses that you add to an allow list to give Prisma Access access to internet resources such as SaaS applications or publicly accessible partner applications.
    This command has the following constraints:
    • This command can retrieve a large number of addresses (more than 200). If your enterprise cannot add this number of IP addresses to an allow list, you can use the gpcs_gp_gw and gpcs_gp_portal keywords to retrieve only the IP addresses you are currently using; however, you will have to rerun these commands every time you add a location. In addition, if a scaling event occurs, you will need to add the new IP addresses to an allow list.
    • Prisma Access does not list the locations that are associated with these IP addresses; therefore, we recommend that you add all the IP addresses that are returned with this command to an allow list.
    • This command does not give you loopback addresses.

gpcs_gp_gw and gpcs_gp_portal keywords
    curl -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/getAddrList/latest?fwType=gpcs_gp_gw | gpcs_gp_portal&addrType=public_ip | egress_ip_list | loopback_ip"
    Use this command if your deployment limits the number of IP addresses you can add to an allow list. You must add all IP addresses returned with this command to an allow list in your network. You can also retrieve the loopback IP addresses with this command.
    This command has the following limitations:
    • It doesn’t list any of the reserved IP addresses used for scaling events.
    • It doesn’t list any of the reserved IP addresses used for locations that you haven’t yet added.

Commands Used In Remote Network Deployments

Command Name     Comments

gpcs_remote_network keyword
    curl -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/getAddrList/latest?fwType=gpcs_remote_network&addrType=public_ip | egress_ip_list | loopback_ip"
    Use this command to find the IP addresses that you need to add to an allow list for remote network deployments. You can also use this command to find the egress IP addresses for remote network deployments; the egress and public IP addresses can be different in some situations.

Commands Used in Clean Pipe Deployments

Command Name     Comments

gpcs_clean_pipe keyword
    curl -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/getAddrList/latest?fwType=gpcs_clean_pipe&addrType=public_ip | egress_ip_list | loopback_ip"
    Use this command to find the IP addresses that you need to add to an allow list for clean pipe deployments.

Retrieve Public and Egress IP Addresses for Mobile User Deployments


If you are adding public IP addresses to allow lists to give mobile users access to SaaS or public applications,
Prisma Access provides two sets of public IP and egress IP addresses so that it can automatically add
locations during a scaling or other event (for example, when a large number of mobile users join a single
gateway):
• One set that is assigned to Prisma Access locations and portals that are currently active.
• Another set to reserve in case of a scaling event, infrastructure upgrade, or other event that causes
Prisma Access to add locations, portals, or both.
You can then add this reserved set of IP addresses to an allow list before they are used, preventing any
issues with mobile users being able to access SaaS or public applications during a scaling event. See IP
Address Allocation For Mobile Users for more information about the IP allocation process.
Retrieve these new addresses by completing the following task:

STEP 1 | Get the API key by selecting Panorama > Cloud Services > Configuration > Service Setup;
then, selecting Generate API Key.
You need this key to authenticate to Prisma Access and retrieve the list of IP addresses using the curl
command listed below. Only a Panorama administrator or Superuser can generate or access this API key.

STEP 2 | Enter the following command to retrieve the mobile user public IP addresses:

curl -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/getAddrList/latest?get_egress_ip_all=yes"

Where Current-API-Key is the Prisma Access API key.

For example, given an API key of 12345abcde, use the following API command to retrieve the public IP
address for all locations:

curl -k -H header-api-key:12345abcde "https://api.gpcloudservice.com/getAddrList/latest?get_egress_ip_all=yes"

Every time Prisma Access uses the reserved set of public IP addresses, it allocates another set of
reserved IP addresses. If you think that Prisma Access has used the reserved set of public IP addresses
(for example, if a large number of mobile users have accessed a single location), you can run this API
command again to find the new set of reserved public IP addresses. All IP addresses persist after an
upgrade.

Retrieve Public, Loopback, and Egress IP Addresses


To retrieve public, loopback, and egress IP addresses, complete the following steps.

STEP 1 | Get the API key and add an IP Change Event Notification URL where you can be notified of IP
address changes in your Prisma Access infrastructure.
See Be Notified of Changes to IP Addresses for details.

STEP 2 | Retrieve the public IP addresses, loopback IP addresses, or both for Prisma Access.
Use the API key and the API endpoint URL either manually or in an automation script:

curl -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/getAddrList/latest?fwType=$fwType&addrType=$addrType"

where you need to replace Current-API-Key with your API key and use one or both of the following
keywords and arguments:

Keyword     Description

fwType keyword

gpcs_gp_gw     Retrieves Prisma Access gateway IP addresses (for mobile user deployments).

gpcs_gp_portal     Retrieves Prisma Access portal IP addresses (for mobile user deployments).

gpcs_remote_network     Retrieves Prisma Access remote network IP addresses (for remote network deployments).

gpcs_clean_pipe     Retrieves Prisma Access Clean Pipe IP addresses.

addrType keyword

public_ip     Retrieves the source IP addresses that Prisma Access uses for requests made to an internet-based source. For mobile user locations, Prisma Access lists the IP addresses by location. For remote networks, Prisma Access lists the IP addresses by remote network name.

egress_ip_list     Retrieves the IP addresses that Prisma Access uses with public IP addresses for additional egress traffic to the internet. For mobile user locations, Prisma Access lists the IP addresses by location. For remote networks, Prisma Access lists the IP addresses by remote network name.

loopback_ip     Retrieves the source IP addresses used by Prisma Access for requests made to an internal source (for example, a RADIUS or Active Directory server), and is assigned from the infrastructure subnet.

If you don’t specify a keyword, Prisma Access retrieves all IP addresses.


For example, you can try the following Curl command to manually retrieve the list of public IP addresses
for all remote networks:

curl -k -H header-api-key:1234y9ydxb__0UmxetVTbC8XTyFMaoT4RBZBKBjfX419YVufeFG7 "https://api.gpcloudservice.com/getAddrList/latest?fwType=gpcs_remote_network&addrType=public_ip"

or use a simple python script to retrieve the list of all IP addresses, for example:

#!/usr/bin/env python3
import json
import subprocess

api_key = '1234y9ydxb__0UmxetVTbC8XTyFMaoT4RBZBKBjfX419YVufeFG7'  # Replace with your key
# With no fwType or addrType keyword, this call retrieves IP addresses for all your Prisma Access firewalls
api_end_point = 'https://api.gpcloudservice.com/getAddrList/latest'
# -k skips certificate verification, as in the curl examples above
args = ['curl', '-k', '-H', 'header-api-key:' + api_key, api_end_point]
p = subprocess.Popen(args, stdout=subprocess.PIPE)
output = p.communicate()
dout = json.loads(output[0])
# Each addrList entry is a "label:address" string; the split below keeps only the address part
addrStrList = dout['result']['addrList']
addrList = []
for addr_str in addrStrList:
    addrList.append(addr_str.split(":")[1])
print(addrList)

STEP 3 | Update the allow lists on your on-premises servers or SaaS application policy rules with the IP
addresses you retrieved.

Plan for IP Address Changes for Mobile Users, Remote Networks, and Service Connections
After you set up your Prisma Access deployment, it is useful to know when IP addresses change so that
you can proactively plan your infrastructure and add required IP addresses to allow lists accordingly.
The IP address changes can be the result of changes you made (for example, adding another mobile user
location) or changes that Prisma Access performs automatically (for example, when a large number of mobile
users access a single Prisma Access gateway).
The following sections describe how IP addresses can change:
• IP Address Allocation For Mobile Users
• IP Address Changes For Remote Network Connections
• Remote Network Egress IP Allocation Changes After a Compute Region Change
• Loopback IP Address Allocation for Mobile Users

IP Address Allocation For Mobile Users


After you deploy Prisma Access for users for the first time, Prisma Access adds two sets of public and (if
applicable) egress IP addresses for each portal and gateway: one set that is in active use and another set
that is reserved for future use. These IP addresses are unique, not shared, and dedicated to your Prisma
Access deployment. If you have a multi-tenant setup, Prisma Access adds dedicated IP addresses for each
tenant.
Since the public IP address is the source IP address used by Prisma Access for requests made to an internet-
based source, you need to know what the public IP addresses are and add them to an allow list in your
network to provide your users access to resources such as SaaS applications or publicly-accessible partner
applications.
The public IP addresses can change, and Prisma Access can put the reserved public IP address sets into
active use, if the following events occur:
• A large number of mobile users access the same location.
When a scaling event occurs, Prisma Access adds one or more gateways to accommodate the increased
number of users, assigns one or more of the reserved public IP addresses to the new gateways and
makes them active, and adds a new set of reserved IP addresses to the mobile user locations to replace
the ones that were used.
• You add one or more locations to your deployment.
When you add more locations, Prisma Access adds another gateway and a new set of active and
reserved IP addresses for each new location you add.
• Prisma Access upgrades its infrastructure, usually in conjunction with a new software release and an
upgrade to the Cloud Services plugin.
Prisma Access makes the reserved public IP addresses active, and makes the active public IP addresses
reserved.
Because Prisma Access adds more public IP addresses when you add a gateway, and can add more public
IP addresses after a scaling event, you should add an IP Change Event Notification URL, or use the API to
retrieve mobile user addresses, to be notified of IP address changes in your Prisma Access infrastructure.
You can then add any added or changed addresses to an allow list.

Public IP Address Scaling Examples for Mobile Users
The following examples illustrate the mobile user public IP address allocation process that Prisma Access
uses during a scaling event or when you add a new location.
In the following example, you specified two locations in the Asia Pacific region for a new mobile user
deployment: Sydney and Seoul. Each location has an active and a reserved public IP address, so Prisma
Access allocates four public IP addresses for the gateways: two active and two reserved.

Then a large number of users log in to the Seoul location. To accommodate these extra users, Prisma Access
adds a second gateway for the Seoul location and takes the reserved address from the first Seoul gateway
(51.1.1.4) and makes this the active IP address for the second Seoul gateway. It then adds two additional
IP addresses (51.1.1.5 and 51.1.1.6 in this example) to use as reserved IP addresses for the two Seoul
gateways.

Then you add another location, Tokyo, in the Asia Pacific region. Prisma Access creates two new IP
addresses for the new gateway (51.1.1.7 and 51.1.1.8).

Each time you add a location or have a scaling event, you should Retrieve Public and Egress IP Addresses
for Mobile User Deployments that Prisma Access assigned and add them to an allow list in your network.
Prisma Access keeps two sets of IP addresses at all times for all active gateways in each location.

Mobile User Public IP Address Reassignment Example After an Infrastructure Upgrade


When Prisma Access upgrades its infrastructure, usually to prepare for a software upgrade for the Cloud
Services plugin, it changes the public IP addresses from active to reserved and vice versa. The following
example illustrates the process.

Subscribe to text or email notices for upcoming scheduled infrastructure upgrades at status.paloaltonetworks.com.

The following graphic shows a sample deployment with three Prisma Access portals, three locations
(Sydney, Tokyo, and Seoul), and an active and reserved public IP address for each portal and location.

After an infrastructure upgrade, Prisma Access reverses the public IP addresses for each portal and location.
In this example, the Sydney location’s active public IP address changes from 51.1.1.1 to 51.1.1.2 and its
reserved public IP address changes from 51.1.1.2 to 51.1.1.1. Adding both the active and reserved public IP
addresses to allow lists ensures that users can still access the Prisma Access portals and gateways after an
infrastructure upgrade.

IP Address Changes For Remote Network Connections
IP addresses for remote network connections are unique, not shared, and dedicated to your Prisma
Access deployment. These IP addresses do not change after Prisma Access creates them as part of remote
network onboarding, and the IP addresses persist after an upgrade. However, take care when increasing
the bandwidth of an existing connection, because the IP address of a remote network can change if that
increase causes the bandwidth in a location to exceed 300 Mbps.

In addition, egress IP addresses can change if Prisma Access creates a new compute region
and you decide to use this new compute region with locations you have already onboarded.
See Remote Network Egress IP Allocation Changes After a Compute Region Change for
details.

These bandwidth guidelines apply only when you upgrade an existing connection. A single remote network
connection, even a 500 Mbps (w/o SSL Decryption) or 1000 Mbps (Preview) connection, always receives a
single Service IP Address, regardless of its size.

The 1000 Mbps bandwidth option is in preview mode. The throughput during preview is
delivered on a best-effort basis and the actual performance will vary depending upon the
traffic mix. The 500 Mbps option supports SSL decryption, but Palo Alto Networks does not
guarantee 500 Mbps of throughput if it is enabled.

The following example shows three remote network connections in the same location, each with a
bandwidth of 100 Mbps. Since the total bandwidth is 300 Mbps, Prisma Access assigns a single IP address
for all connections in the location.

The following example shows the bandwidth of remote network connection A being increased from 100
Mbps to 150 Mbps. Since the total bandwidth of all connections is now more than 300 Mbps, Prisma
Access assigns a new service IP address for the connection with the additional bandwidth. The other service
IP addresses remain unchanged.

Conversely, given five remote networks with a bandwidth of 50 Mbps each, if you increase the bandwidth of
one of the remote networks to 100 Mbps, the Service IP address of that remote network does not change,
because the total bandwidth is now exactly 300 Mbps and does not exceed the 300 Mbps threshold.

If you reduce the bandwidth of a remote network connection, the Service IP address does
not change.

To find the service IP addresses in Panorama, select Panorama > Cloud Services > Status > Network Details
tab and click the Remote Networks radio button to display the Service IP Address for the remote networks,
or use the API script.
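The following Python script is added here as a worked example; it is not code from the guide or from Palo Alto Networks. It encodes the Service IP rule described above so that you can check a planned bandwidth change before you make it: it reports whether the change will give the connection a new Service IP (and therefore a new IPSec peer address for that tunnel) and how much headroom a location has before it crosses 300 Mbps. The connection names and bandwidths are constructed sample data that follow the examples above.

```python
"""Predict whether a bandwidth change re-assigns a remote network's Service IP.

Added example; it is not from the Prisma Access guide or from Palo Alto Networks.
It encodes the rule the guide states for existing remote network connections: the
Service IP address (the IPSec peer you configured) changes only when you INCREASE
a connection's bandwidth and the new total for all connections in that location
exceeds 300 Mbps. Reductions never change it. Connection names and bandwidths in
the sample data are constructed to match the guide's examples.
"""
from typing import Dict, List, Tuple

LOCATION_THRESHOLD_MBPS = 300  # per-location total above which a new Service IP is assigned


def headroom_mbps(connections: Dict[str, int]) -> int:
    """How much bandwidth can still be added in this location without exceeding 300 Mbps."""
    return max(0, LOCATION_THRESHOLD_MBPS - sum(connections.values()))


def service_ip_changes(connections: Dict[str, int], name: str, new_bandwidth: int) -> bool:
    """True if changing `name` to `new_bandwidth` Mbps gives it a new Service IP.

    `connections` maps connection name -> current bandwidth (Mbps) for ONE location.
    """
    if name not in connections:
        raise KeyError(f"unknown remote network connection {name!r}")
    current = connections[name]
    if new_bandwidth <= current:
        return False  # lowering (or keeping) bandwidth never changes the Service IP
    total_after = sum(connections.values()) - current + new_bandwidth
    return total_after > LOCATION_THRESHOLD_MBPS


def plan_changes(connections: Dict[str, int], changes: Dict[str, int]) -> List[Tuple[str, int, bool]]:
    """Apply a batch of bandwidth changes one at a time, in the order given.

    Returns (name, new_bandwidth, needs_new_peer_ip) per change so you can schedule
    the IPSec peer update and allow-list refresh for exactly the affected tunnels.
    The order matters: each applied increase raises the location total for the next.
    """
    state = dict(connections)
    plan = []
    for name, new_bw in changes.items():
        changed = service_ip_changes(state, name, new_bw)
        state[name] = new_bw
        plan.append((name, new_bw, changed))
    return plan


if __name__ == "__main__":
    # Constructed sample data following the guide's two examples.
    three_at_100 = {"A": 100, "B": 100, "C": 100}
    five_at_50 = {f"RN{i}": 50 for i in range(1, 6)}
    print("A 100->150 in 3x100 location:", service_ip_changes(three_at_100, "A", 150))  # True
    print("RN1 50->100 in 5x50 location:", service_ip_changes(five_at_50, "RN1", 100))  # False
    print("headroom in 5x50 location:", headroom_mbps(five_at_50), "Mbps")  # 50
    for step in plan_changes(five_at_50, {"RN1": 100, "RN2": 60}):
        print(step)
```

Run it against the bandwidths you actually have configured, one location at a time, since the rule is evaluated per location. Applying several increases in sequence can cross the threshold on a later change even when the first one does not, so plan the IPSec peer update for the connection that actually crosses it.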

Remote Network Egress IP Allocation Changes After a Compute Region Change


To optimize performance and improve latency, Prisma Access can introduce new compute regions
for existing remote network locations as part of a plugin upgrade. When you upgrade the plugin, you
can choose to take advantage of the new compute region. If you change the compute region, Prisma
Access changes the egress IP addresses for the location or locations to which the new compute region is
associated. If you use allow lists in your network to provide users at remote network locations access to
internet resources such as SaaS applications or publicly accessible partner applications, you need to add
these new egress IP addresses to your allow lists.
To upgrade to a new compute region after it becomes available, complete the following task.

Since the new compute region will have new egress IP addresses, Palo Alto Networks
recommends that you schedule a compute region change during a maintenance window or
during off-peak hours.

1. Delete the remote network location or locations associated with the new compute region.

2. Commit and push your changes.
3. Re-add the locations you just deleted.
4. Commit and push your changes.
5. Retrieve the new egress IP addresses for the remote network locations using the API script.
6. Make a note of the new egress IP addresses and add them to your allow lists.

Loopback IP Address Allocation for Mobile Users


Loopback IP addresses for mobile users can change during an infrastructure upgrade.

Loopback IP addresses do not change for service connections or remote network
connections during an infrastructure upgrade; only mobile user loopback IP addresses can
change.

Prisma Access allocates the loopback IP addresses from the infrastructure subnet that you specify when
you enable the Prisma Access infrastructure. You can add the entire infrastructure subnet to an allow
list and avoid planning for mobile user loopback IP changes during an infrastructure upgrade. To find
the infrastructure subnet, select Panorama > Cloud Services > Status > Network Details > Service
Infrastructure and view the Infrastructure Subnet.
Retrieve these addresses using the same API script you use for public IP addresses (see Retrieve Public,
Loopback, and Egress IP Addresses).
The following example shows a Prisma Access deployment that has an infrastructure subnet of
172.16.0.0/16. Prisma Access has assigned loopback IP addresses 172.16.0.1 and 172.16.0.3 for mobile
users from the infrastructure subnet.

After an infrastructure upgrade (for example, to prepare for a new release of the Cloud Services plugin),
Prisma Access assigns two different IP addresses for mobile users from the infrastructure subnet
(172.16.0.1 changes to 172.16.0.2 and 172.16.0.3 changes to 172.16.0.4).
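Because mobile user public IP addresses swap roles after an infrastructure upgrade and gain new reserved addresses after a scaling event, and because mobile user loopback addresses move within the infrastructure subnet, the practical question after any address retrieval is what your allow list is still missing. The following Python script is an added example, not code from the guide or from Palo Alto Networks. It takes address sets you have already retrieved (for example with the API script the guide refers to) and compares them with an allow list of host entries and prefixes, reporting the addresses you must add and the single-host entries that are now stale. The allocation snapshot, the 172.16.0.0/16 infrastructure subnet and the allow-list entries are constructed sample data following the examples above.

```python
"""Find what to add to (or prune from) an allow list after a Prisma Access IP change.

Added example; it is not from the Prisma Access guide or from Palo Alto Networks.
It works on address sets you have already retrieved, for example with the IP
retrieval API script the guide refers to, and makes no API calls itself. The
allow-list entries, address values and location names below are constructed
sample data that follow the guide's Asia Pacific and infrastructure-subnet examples.
"""
import ipaddress
from typing import Dict, Iterable, List, Set

# Constructed snapshot: active/reserved public IPs per mobile user location, before an upgrade.
MOBILE_USER_ALLOCATION: Dict[str, Dict[str, str]] = {
    "Sydney": {"active": "51.1.1.1", "reserved": "51.1.1.2"},
    "Seoul": {"active": "51.1.1.3", "reserved": "51.1.1.4"},
}
INFRASTRUCTURE_SUBNET = "172.16.0.0/16"  # the subnet chosen when enabling the service infrastructure
LOOPBACKS_BEFORE_UPGRADE = ["172.16.0.1", "172.16.0.3"]
LOOPBACKS_AFTER_UPGRADE = ["172.16.0.2", "172.16.0.4"]


def all_addresses(allocation: Dict[str, Dict[str, str]]) -> List[str]:
    """Flatten a per-location allocation into the full list of active and reserved IPs."""
    return [ip for entry in allocation.values() for ip in (entry["active"], entry["reserved"])]


def swap_after_upgrade(allocation: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, str]]:
    """Model an infrastructure upgrade: each location's active and reserved IP swap roles."""
    return {loc: {"active": e["reserved"], "reserved": e["active"]} for loc, e in allocation.items()}


def uncovered(allow_list: Iterable[str], addresses: Iterable[str]) -> Set[str]:
    """Return the addresses that no allow-list entry (single host or CIDR prefix) covers.

    These are the entries you must add before traffic from them is expected.
    """
    networks = [ipaddress.ip_network(entry, strict=False) for entry in allow_list]
    return {a for a in addresses if not any(ipaddress.ip_address(a) in n for n in networks)}


def stale_hosts(allow_list: Iterable[str], addresses: Iterable[str]) -> Set[str]:
    """Return single-host allow-list entries that are no longer in the retrieved address set.

    Prefix entries (such as the infrastructure subnet) are left alone on purpose: they
    are meant to cover addresses that have not been allocated yet.
    """
    current = {str(ipaddress.ip_address(a)) for a in addresses}
    stale = set()
    for entry in allow_list:
        net = ipaddress.ip_network(entry, strict=False)
        if net.num_addresses == 1 and str(net.network_address) not in current:
            stale.add(entry)
    return stale


if __name__ == "__main__":
    active_only = [e["active"] for e in MOBILE_USER_ALLOCATION.values()]
    both = all_addresses(MOBILE_USER_ALLOCATION)
    after = swap_after_upgrade(MOBILE_USER_ALLOCATION)
    print("active-only allow list, after upgrade, missing:",
          sorted(uncovered(active_only, [e["active"] for e in after.values()])))
    print("active+reserved allow list, after upgrade, missing:",
          sorted(uncovered(both, all_addresses(after))))
    # Scaling event: Seoul gains a second gateway and two new reserved IPs (51.1.1.5, 51.1.1.6).
    seoul_after_scaling = ["51.1.1.3", "51.1.1.4", "51.1.1.5", "51.1.1.6"]
    print("after Seoul scale-out, add:", sorted(uncovered(both, seoul_after_scaling)))
    print("infrastructure subnet covers loopbacks before and after upgrade:",
          uncovered([INFRASTRUCTURE_SUBNET], LOOPBACKS_BEFORE_UPGRADE + LOOPBACKS_AFTER_UPGRADE) == set())
    print("stale host entries:", sorted(stale_hosts(["51.1.1.1", "51.1.1.9", INFRASTRUCTURE_SUBNET], both)))
```

Feed the script the full set of active and reserved public IPs plus the loopback addresses from each retrieval; an empty result from uncovered confirms that the allow list already tolerates the next upgrade swap, and the stale list keeps host entries that no longer belong to your deployment from lingering in the allow list.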

Service IP and Egress IP Address Allocation for Remote Networks
Prisma Access has more than 100 locations available to accommodate worldwide deployments and provide
a localized experience. Two locations might map to the same Service IP address, which you use as the peer
IP address when you set up the IPSec tunnel for the remote network connection. However, the locations
might use different egress IP addresses to make sure that the user gets the correct default language for the
region.
The following example shows a customer deployment with two remote network locations deployed in
Canada: Central Canada and Eastern Canada. Prisma Access assigned the same Service IP Address to both
locations. When you configure the remote network tunnel, use this IP address as the peer IP address when
you create the IPSec tunnel for the remote network connection.

However, Eastern Canada uses a different default language (French) than Central Canada (English). For this
reason, Prisma Access assigns them different egress IP addresses. If you run the API script for egress IP
addresses, you will receive two different IP addresses for these two locations.

How to Calculate Remote Network Bandwidth
When you onboard a remote network, it is important to specify the correct remote network connection
bandwidth that meets the needs of your organization.
The number you specify for the bandwidth applies to both the egress and ingress traffic for the remote
network connection. If you specify a bandwidth of 50 Mbps, Prisma Access provides you with a remote
network connection with 50 Mbps of bandwidth on ingress and 50 Mbps on egress. Your bandwidth speeds
can go up to 10% over the specified amount without traffic being dropped; for a 50 Mbps connection, the
maximum bandwidth allocation is 55 Mbps on ingress and 55 Mbps on egress (50 Mbps plus 10% overage
allocation).
If you have an asymmetric internet connection, you should consider your organization’s requirements to
determine the bandwidth to specify. Use the following graphic and examples to size your remote network
connection.

• Site A has a 100 Mbps connection both upstream and downstream. For this site, specify a remote
network connection of 100 Mbps.
• Site B has an asymmetric connection, with 100 Mbps upstream and 25 Mbps downstream, and you want
to make sure that the remote network connection does not throttle the upstream traffic. In this case,
specify a remote network connection of 100 Mbps.
• Site C has an asymmetric connection, with 25 Mbps upstream and 100 Mbps downstream. For this
site, you want to make sure that the remote network connection does not throttle the upstream traffic,
but throttling the downstream traffic is acceptable. In this case, you can specify a remote network
connection of 25 Mbps, which ensures that Prisma Access delivers 25 Mbps reliably in both directions.

Prisma Access APIs
In addition to the XML APIs that are available for configuration and management in Panorama, there are
XML APIs for the Cloud Services plugin that you can use to perform tasks specific to Prisma Access. Use
these APIs through a third-party service, application, or script to automate configuration and reporting tasks
for Prisma Access.
To access the API using the browser, log in to the Panorama that manages Prisma Access with administrator
privileges, then enter /api at the end of the URL.

The Prisma Access APIs are located in the following XML Path Language (XPath) nodes in the XML tree:
• Configuration Commands: XML API > Configuration Commands > devices >
entry[@name='localhost.localdomain'] > plugins > cloud_services
• Operational Commands: XML API > Operational Commands > request > plugins > cloud_services >
prisma-access
You can also use the web interface to find Prisma Access APIs. See the PAN-OS and Panorama API Usage
Guide for details.
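As an added example that is not part of the guide or of Palo Alto Networks' own tooling, the following Python code builds the two kinds of request these XPath nodes imply (a configuration get against the cloud_services node, and an operational command nested under request > plugins > cloud_services > prisma-access) using the standard PAN-OS XML API parameters, and checks the status attribute of the response envelope. It does not contact any Panorama; the hostname, API key and the sample response bodies are constructed placeholders. Sending the API key in the X-PAN-KEY request header rather than in the URL keeps it out of web server and proxy logs.

```python
"""Build Prisma Access XML API requests for the Panorama that manages it.

Added example; it is not from the Prisma Access guide or from Palo Alto Networks.
It only constructs request URLs and parses a constructed sample response; nothing
here contacts a Panorama. The XPath and the operational-command node names come
from the guide; the hostname, API key and response bodies are placeholders.
"""
import urllib.parse
import xml.etree.ElementTree as ET
from typing import Dict

# Configuration-command root of the Cloud Services plugin, as listed in the guide.
CLOUD_SERVICES_XPATH = (
    "/config/devices/entry[@name='localhost.localdomain']/plugins/cloud_services"
)


def api_headers(api_key: str) -> Dict[str, str]:
    """Send the key in the X-PAN-KEY header so it never appears in URLs or access logs."""
    return {"X-PAN-KEY": api_key}


def config_get_url(host: str, xpath: str = CLOUD_SERVICES_XPATH) -> str:
    """URL for a type=config action=get request against the given XPath (candidate config)."""
    query = urllib.parse.urlencode({"type": "config", "action": "get", "xpath": xpath})
    return f"https://{host}/api/?{query}"


def op_cmd_xml(*keywords: str) -> str:
    """Nest CLI-style keywords into the XML body that type=op requests expect."""
    if not keywords:
        raise ValueError("at least one keyword is required")
    root = ET.Element(keywords[0])
    node = root
    for keyword in keywords[1:]:
        node = ET.SubElement(node, keyword)
    return ET.tostring(root, encoding="unicode")


def op_url(host: str, cmd_xml: str) -> str:
    """URL for a type=op request carrying the given XML command."""
    query = urllib.parse.urlencode({"type": "op", "cmd": cmd_xml})
    return f"https://{host}/api/?{query}"


def parse_response(xml_text: str) -> ET.Element:
    """Return the <result> element of a PAN-OS API response, or raise if status is not success."""
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError("not a PAN-OS API response envelope")
    if root.get("status") != "success":
        message = root.findtext(".//msg/line") or root.findtext(".//msg") or "unknown error"
        raise RuntimeError(f"API call failed (code {root.get('code')}): {message}")
    result = root.find("result")
    if result is None:
        raise ValueError("success response without a <result> element")
    return result


# Constructed sample responses: the envelope follows the PAN-OS API, the payload is a placeholder.
SAMPLE_SUCCESS = (
    '<response status="success" code="19">'
    '<result total-count="1" count="1"><cloud_services/></result>'
    "</response>"
)
SAMPLE_ERROR = (
    '<response status="error" code="403"><result><msg>Invalid credential</msg></result></response>'
)


if __name__ == "__main__":
    host = "panorama.example.net"  # placeholder hostname
    print(config_get_url(host))
    cmd = op_cmd_xml("request", "plugins", "cloud_services", "prisma-access")
    print(cmd)
    print(op_url(host, cmd))
    print("headers:", api_headers("REPLACE-WITH-API-KEY"))
    print("result element:", parse_response(SAMPLE_SUCCESS).tag)
    try:
        parse_response(SAMPLE_ERROR)
    except RuntimeError as exc:
        print("error handled:", exc)
```

When you wire this to a real Panorama, verify the TLS certificate of the management interface, scope the API key to an administrator role that has only the XML API privileges the automation needs, and treat the response status check as mandatory: a PAN-OS API error comes back as an HTTP response with status="error" rather than as a transport failure.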

Activate and Install the Prisma Access Components
After you determine what licenses you need and the bandwidth and mobile user quantity
that is required for your deployment, you activate and install the components as shown in the
following sections.
These sections describe the installation procedure for licenses that were available before
November 17, 2020; for an overview of the installation procedure for the licenses that are
available after November 17, 2020, see the Prisma Access 1.8 Administration Guide.

> Activate and Install Prisma Access
> Transfer or Update Prisma Access Licenses
> Configure Panorama Appliances in High Availability for Prisma Access

Activate and Install Prisma Access
Use the following workflow to activate your Prisma Access licenses and download and install the Cloud
Services plugin. If you are upgrading an existing Prisma Access deployment to a new version, use the
workflow in the Prisma Access Release Notes (Panorama Managed) to upgrade the Cloud Services plugin.

This section describes the installation procedure for licenses that were available before
November 17, 2020; for an overview of the installation procedure for the licenses that are
available after November 17, 2020, see the Prisma Access 1.8 Administration Guide.

Prisma Access does not support FIPS-CC mode.

STEP 1 | Before you begin, make sure that you have the following information and resources:
• Be sure that you have the order fulfillment email that contains the activation links that are required to
activate Prisma Access.
• If you are going to set up Prisma Access in High Availability (HA) mode with a primary and secondary
Panorama, Configure Panorama Appliances in High Availability for Prisma Access before you license
and activate Prisma Access.

STEP 2 | (Optional) If you will use an existing Panorama to manage Prisma Access, be sure that the
Panorama on which you will install the Cloud Services plugin (which activates Prisma Access) is
running the minimum Panorama version.
During product activation, you can select an existing Panorama to manage Prisma Access, if that
Panorama has a valid support license. Alternatively, if you have a licensed Panorama that you have
not yet installed, you can select that Panorama during product activation. In either case, the activation
process allows the Panorama appliance you select to manage Prisma Access, and you must make sure
that the Panorama appliance is running the minimum software version.
You can manage Prisma Access with a Panorama appliance running one of the following versions:
• PAN-OS 9.0.4 or a later PAN-OS 9.0 version
• PAN-OS 9.1.1 or a later PAN-OS 9.1 version
• PAN-OS 10.0.0 or a later PAN-OS 10.0 version

Note the upgrade path to use if you are upgrading from PAN-OS 9.0 to 10.0.

The Prisma Access infrastructure supports PAN-OS features up to release 9.1. You must upgrade your
Panorama to a version of 9.1.1 or later to take advantage of PAN-OS 9.1 features.

Make a note of the serial number of the Panorama appliance; you use that serial number
in a later step.

STEP 3 | When you receive the activation email from Palo Alto Networks, click Activate to activate your
products.
Select any of the links in the email to activate all of your licensed Prisma Access and Cortex Data Lake
products. You will be prompted to sign in to the Hub if you are not signed in already.

STEP 4 | Select the products you want to activate; then, click Start Activation.
In most cases, activate all products that display; however, if you want to associate Prisma Access with a
Cortex Data Lake you have already activated, deselect Cortex Data Lake.

STEP 5 | Assign the products you selected with a Customer Support Account; then, click Next.
If you have multiple support accounts associated with your email, select the account to which you want
to assign the products.

STEP 6 | Choose the Panorama appliance that will manage Prisma Access; then, click Next.
• To use an existing Panorama appliance, select Use existing Panorama and select the serial number of
the Panorama appliance that you want to use.

• If you want to register a new Panorama appliance, review the steps to register either a Panorama
virtual or hardware appliance.
Enter the serial number of the Panorama appliance in the Enter Serial # area.

STEP 7 | Choose the Cortex Data Lake options; then, click Confirm Selections.
• In the Cortex Data Lake Selection area, choose whether to activate a new Cortex Data Lake instance
(Activate New), or select an existing Cortex Data Lake instance.
• In the Region Selection area, select a region for Cortex Data Lake.

The progress bar can appear to pause during product activation. Wait until the progress bar reaches
100%. The activation process takes approximately 20 minutes.

STEP 8 | When setup is complete, copy the one-time password (OTP). You use this in a later step to
verify your account on Panorama.

STEP 9 | Download and install the Cloud Services plugin.
See the Palo Alto Networks Compatibility Matrix for the Panorama versions that are supported with the
Cloud Services plugin.
You can either download the plugin from the Customer Support Portal, or you can check for plugin
updates directly from Panorama.
• To download and install the Cloud Services plugin by downloading it from the Customer Support
Portal, complete the following steps.
1. Log in to the Customer Support Portal and select Software Updates.
2. Find the Cloud Services plugin in the Panorama Integration Plug In section and download it.

Do not rename the plugin file or you will not be able to install it on Panorama.

3. Log in to the Panorama web interface of the Panorama you licensed for use with Prisma
Access, select Panorama > Plugins > Upload and Browse for the plugin File that you downloaded
from the CSP.
4. Install the plugin.
• To download and install the new version of the Cloud Services plugin directly from Panorama,
complete the following steps:
1. Select Panorama > Plugins and click Check Now to display the latest Cloud Services plugin
updates.

2. Download the plugin version you want to install.


3. After downloading the plugin, Install it.
After you install the Cloud Services plugin, the plugin creates a Panorama administrative user with
a username of __cloud_services. This user account is required to enable communication between
Enterprise DLP on Prisma Access and the Prisma Access management infrastructure. Palo Alto Networks
recommends that you change the password for this administrative user in accordance with your
organization’s password policy.
If you delete the __cloud_services user, you must re-add the user manually. The account is used to
register and activate Enterprise DLP on Prisma Access, and for continued DLP scanning using the data
patterns and data filtering profiles referenced in security policy rules.

Installing a newer version of the Cloud Services plugin overwrites the previously installed version. If
you are installing the plugin for the first time, after you successfully install, Panorama refreshes and the
Cloud Services menu displays on the Panorama tab.

STEP 10 | Retrieve the Prisma Access license(s).


1. Select Panorama > Licenses and click Retrieve license keys from license server.
2. Verify that you have the licenses for the Prisma Access components you plan to use.

STEP 11 | Verify your account.


When you try to use the Cloud Services plugin for the first time after installing it, you will be prompted
to verify your account. This step ensures that the Panorama serial number is registered to use Prisma
Access and enables a secure communication path between the Prisma Access components and
Panorama.

You also have to re-verify your account every 3 months; complete these steps to re-verify
the account.

1. In Panorama, select Panorama > Cloud Services > Configuration and click Verify.
If Verify is disabled, check that you have configured a DNS server and NTP server on Panorama >
Setup > Services.

2. Paste the One-time Password you copied from Step 8 and click OK.

You have ten minutes to enter the OTP before it expires.

STEP 12 | Apply device group changes in the Prisma Access infrastructure.


Prisma Access moves all device groups under the Shared hierarchy. This step applies the device group
changes to your configuration.
1. Select Panorama > Cloud Services > Configuration > Service Setup.
2. Click the gear icon to edit the Settings.
3. Make sure that Service_Conn_Device_Group is selected as the Device Group Name and Shared is
selected as the Parent Device Group.

4. Click OK.
Do not click Cancel, even if you did not make any changes to this page.

STEP 13 | Continue to configure your Prisma Access deployment by Enabling the Service Infrastructure.

Transfer or Update Prisma Access Licenses
If you need to transfer your Prisma Access license from one Panorama appliance to another, or if you have
an evaluation Prisma Access license and you purchase a production license, use this workflow to transfer or
update your license.

If you are upgrading from an evaluation to a paid license, do not proceed with this workflow
until the order process is complete, the order has been fulfilled, and the support portal is
showing the newly purchased cloud service licenses.

Supported Update Paths


The procedure you use depends on the type of Prisma Access license you have. If you are upgrading from
an evaluation to a paid Prisma Access license, the update path differs depending on the type of license your
Panorama appliance has.
• If you are transferring a production (paid) Prisma Access license from one Panorama appliance to
another, use the workflow in Transfer or Update Prisma Access Licenses Between Panorama Appliances
to transfer the Prisma Access license.
• If you are upgrading from an evaluation Prisma Access license to a production Prisma Access license, use
one of the following workflows to transfer the license:
• If your Panorama is a production appliance with active, paid licenses, use the workflow in Reset Your
Prisma Access License to update your licenses to the production service. We recommend using this
update path because you do not have to migrate your existing configuration.
• If your Panorama is an evaluation appliance, you need to transfer your Prisma Access license to a
production appliance. Use the workflow in Transfer or Update Prisma Access Licenses Between
Panorama Appliances to update your license to the production service.
The following table shows the supported license update methods based on the type of Panorama
appliance used with the evaluation.

Reset Your Prisma Access License


Use this workflow if you need to modify one or more of your licenses; for example, if you update your
Prisma Access license from an evaluation to a production version.

If you are upgrading your Prisma Access license from evaluation to production, make sure
that your Panorama appliance has active, paid licenses before starting this procedure. If your
Panorama has an evaluation license, you need to transfer the Prisma Access license to a
Panorama with a production license.

STEP 1 | In the Panorama appliance, select Panorama > Licenses.

STEP 2 | Make a note or take a screenshot of the licenses you have, the quantity of licenses, and the
expiration date of each license.

STEP 3 | Remove the license that you need to modify.


For example, if you are upgrading from an evaluation to a production license, remove the evaluation
cloud service licenses you have installed.
1. Open a SSH console session to the Panorama appliance.
2. Enter the delete license key command, then press the Tab key to view all installed license
keys.
3. Delete all Prisma Access license keys, including the license keys for Cortex Data Lake (formerly
Logging Service), Prisma Access for Users, Prisma Access for Networks, and Prisma Access for Clean
Pipe, as applicable to your deployment.
The following is an example of the process:

admin-Panorama> delete license key [press Tab to list the installed keys]
GlobalProtect_Cloud_Service_f_2017_11_07.key                    2017/11/07 12:32:51  0.3K
GlobalProtect_Cloud_Service_for_Mobile_Users_2017_11_07.key     2018/01/10 13:52:18  0.3K
GlobalProtect_Cloud_Service_for_Remote_Networks_2017_11_07.key  2018/01/10 13:52:18  0.3K
Logging_Service_2017_11_07.key                                  2018/01/10 13:52:18  0.3K

admin-Panorama> delete license key Logging_Service_2017_11_07.key
successfully removed Logging_Service_2017_11_07.key

admin-Panorama> delete license key GlobalProtect_Cloud_Service_f_2017_11_07.key
successfully removed GlobalProtect_Cloud_Service_f_2017_11_07.key

admin-Panorama> delete license key GlobalProtect_Cloud_Service_for_Remote_Networks_2017_11_07.key
successfully removed GlobalProtect_Cloud_Service_for_Remote_Networks_2017_11_07.key

admin-Panorama> delete license key GlobalProtect_Cloud_Service_for_Mobile_Users_2017_11_07.key
successfully removed GlobalProtect_Cloud_Service_for_Mobile_Users_2017_11_07.key

STEP 4 | From the Panorama administration console, select Panorama > Licenses and click Retrieve
license keys from license server.
This step should refresh the licenses you already have, and the new licenses should reflect the new
quantity you purchased and the new expiration date.

STEP 5 | Delete any existing certificates using CLI from Panorama by entering the following command:

admin-Panorama> request plugins cloud_services panorama-certificate delete

STEP 6 | Enter the debug plugins cloud_services reset-endpoint command to reset the
Panorama appliance.

STEP 7 | Create the new certificate with the new OTP by entering the following command, where value
is the new OTP:

admin-Panorama> request plugins cloud_services panorama-certificate fetch debug yes otp value

STEP 8 | Complete the one-time password (OTP) verification procedure and verify the Panorama
appliance.

STEP 9 | In Panorama, verify that you can make configuration changes and can successfully push the
configuration to Prisma Access.
If the licenses do not update correctly, or if you are not able to make configuration changes after the
refresh, contact Palo Alto Networks support.

Transfer or Update Prisma Access Licenses Between Panorama Appliances
Use the following workflow if you need to transfer Prisma Access licenses from one Panorama appliance to
another, for example:
• If you need to transfer production (paid) licenses from one Panorama appliance to another.
• If you have been running an evaluation Prisma Access license on a Panorama appliance that also has an
evaluation license and you have purchased a production license. In this case, you must transfer the
Prisma Access license from the evaluation Panorama appliance to a production Panorama appliance.
Prisma Access automatically preserves all instances and public and loopback IP addresses during the license
transfer.

STEP 1 | (Optional) Export a snapshot of your Panorama configuration to a host external to Panorama or
to an on-premise firewall.
While Prisma Access saves all its infrastructure settings, including public and loopback IP addresses, you
need to transfer any Panorama-specific configuration to the new Panorama appliance. You can export
your configuration after the license transfer process is complete, but we recommend exporting it before
you transfer the licenses as a best practice.

STEP 2 | Log in to the Palo Alto Networks Customer Support Portal.

STEP 3 | Select Assets > Devices.

STEP 4 | Find the production Panorama appliance to which you will be transferring the production
Prisma Access plugin and complete these steps:
1. Verify that it has an active support license.
2. Make a note of this serial number; you use it in a later step.

STEP 5 | Search for the current Panorama appliance you are using to run Prisma Access by using the
serial number.
The model name should be in the format PAN-PRA-25-Exx.

STEP 6 | Click the Actions icon for the current Panorama appliance.

STEP 7 | Select Transfer Licenses and choose the Panorama appliance to which you will be migrating.

STEP 8 | Review the EULA and click Agree, then click Submit.

STEP 9 | Wait for a confirmation message in the Support Portal for a successful transfer.

STEP 10 | After the successful transfer of licenses, login to the administration console of your
production Panorama appliance.

STEP 11 | Select Panorama > Support and verify that the Panorama appliance has a valid support
license.

STEP 12 | Click Dashboard and verify that the running software version is a minimum of 9.0.4.

STEP 13 | Verify that the Panorama appliance is configured to use NTP by selecting Panorama >
Setup > Services > NTP and setting a value, such as pool.ntp.org, for the NTP Server.

STEP 14 | Install the Cloud Services plugin.

STEP 15 | Select Panorama > Licenses and click Retrieve license keys from license server.
This should refresh the screen with recently transferred Prisma Access and Cortex Data Lake licenses
you purchased. If the cloud service licenses do not appear, contact Palo Alto Networks Support for
assistance.

STEP 16 | Complete the one-time password (OTP) verification procedure and verify the Panorama
appliance.

STEP 17 | Migrate the configuration from the previous Panorama appliance to the current Panorama
appliance.
• If the production Panorama appliance is completely new, export the configuration from the Panorama
appliance you used during the evaluation (if you have not done so already) and import it to this
Panorama appliance.
• If this is the Panorama appliance that you have been using to manage your existing VMs and devices,
load a partial configuration to this Panorama appliance.
You can now use this Panorama appliance to configure and manage Prisma Access.

Configure Panorama Appliances in High Availability for Prisma Access
Deploying Panorama appliances in a high availability (HA) configuration provides redundancy in case of a
system or network failure and ensures that you have continuous connectivity to Prisma Access. In an HA
configuration, one Panorama appliance peer is the active-primary and the other is the passive-secondary.
In the event of a failover, the secondary peer becomes active and takes over the role of managing Prisma
Access.
• HA Prerequisites
• Configure HA

HA Prerequisites
To simplify the HA setup, configure the Panorama appliances in HA after you purchase Prisma Access and
Cortex Data Lake auth codes and components and associate the serial number of the primary Panorama
appliance on which you plan to install the Cloud Services plugin with the auth codes, but before you
Activate and Install Prisma Access. However, you can also use this process to configure existing Panorama
appliances that already have the plugin installed.
Whether you are just getting started with a new pair of Panorama appliances, or you have already set up
your standalone Panorama appliance and completed the licensing and installation procedures, make sure to
check the prerequisites before you enable HA:
You must register the Panorama appliance HA peers to the same customer account on the Customer
Support Portal (CSP).
The Panorama appliance peers must be of the same form factor (hardware appliances of the same
model or identical virtual appliances) and same OS version and must have the same set of licenses. The
premium support license is required for Prisma Access and Cortex Data Lake.
The serial number of the primary Panorama appliance is tied to your Prisma Access and Cortex Data
Lake auth codes. If you have installed and set up the plugin on a standalone Panorama appliance, ensure
that you use that Panorama appliance as the primary peer. If you need to assign this standalone peer as
the secondary Panorama appliance, contact Palo Alto Networks support for assistance with transferring
the license to the primary Panorama appliance peer before you continue.

Configure HA
Set up your Panorama appliances in an HA configuration.

STEP 1 | Set Up HA on Panorama.


Set the primary Panorama appliance as Primary and the secondary Panorama appliance as Secondary
and be sure that the serial number of your primary Panorama appliance is tied to your Prisma Access and
Cortex Data Lake auth codes.

STEP 2 | Make sure that the primary (active) and secondary (passive) Panorama appliances are
synchronized and that the HA link state between them is up.
1. Access the Dashboard on the primary Panorama appliance and select Widgets > System > High
Availability to display the HA widget.
2. Sync to peer, click Yes, and wait for the Running Config to display Synchronized.

3. Make sure that the Local peer is active.
4. Access the Dashboard on the passive Panorama appliance and select Widgets > System > High
Availability to display the HA widget.
5. Verify that the Running Config displays Synchronized.
6. Make sure that the Local peer is passive.

STEP 3 | Install the Prisma Access components on the primary Panorama appliance.
1. Log in to the primary Panorama appliance and select Panorama > Licenses.
2. Click Retrieve the license keys from license server.
3. Activate and Install Prisma Access, including generating a one-time password (OTP) and verifying
your account.

STEP 4 | On the primary Panorama appliance, access the CLI and enter the following operational
command:
tail follow yes mp-log plugin_cloud_services.log

STEP 5 | Check that HA is enabled.


1. Find the following text in the log output, where X is the serial number of the primary Panorama
appliance and Y is the serial number of the secondary Panorama appliance:

2017-11-06 15:14:07.790 -0800 INFO: [hainfo] Sending update to CSP for HA peer serial information to https://updates.paloaltonetworks.com/licensesvc/licenseservice.asmx/PanoramaHAInfo
2017-11-06 15:14:07.791 -0800 INFO: [hainfo] Data string is primarypanoramasn=X&secondarypanoramasn=Y
2017-11-06 15:14:17.595 -0800 INFO: [hainfo] HTTP_CODE 200, RESPONSE: <?xml version="1.0" encoding="utf-8"?> <PanoramaHA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.paloaltonetworks.com/"> <success>true</success> </PanoramaHA>
2017-11-06 15:14:17.596 -0800 INFO: [hainfo] Cached HA Peer's serial number Y
2. Log in to the Customer Support Portal (CSP) and select Assets > Cloud Services to verify that both
Panorama peers are tied to your Prisma Access and Cortex Data Lake licenses.
3. Check the fields for the primary and secondary Panorama appliance.
The Auth Code, Model Name, License Description, and Expiration Date fields should be the same
for the primary and secondary Panorama appliance, because Palo Alto Networks has associated the
Prisma Access license automatically to the secondary Panorama appliance.
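To make the log check in this step repeatable, here is an added Python example (not part of the guide) that parses the [hainfo] lines of plugin_cloud_services.log and confirms the serials sent to the CSP, the HTTP 200 reply with <success>true</success>, and the cached peer serial; the sample log lines and the serial numbers in them are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Patterns for the [hainfo] lines the step above tells you to look for.
DATA_RE = re.compile(r"primarypanoramasn=([^&\s]+)&secondarypanoramasn=(\S+)")
HTTP_RE = re.compile(r"HTTP_CODE (\d+), RESPONSE: (.*)$")
CACHED_RE = re.compile(r"Cached HA Peer's serial number (\S+)")
PAN_NS = "{http://www.paloaltonetworks.com/}"  # default namespace of the PanoramaHA reply

# Constructed sample of plugin_cloud_services.log output; serial numbers are placeholders.
SAMPLE_LOG = """\
2017-11-06 15:14:07.790 -0800 INFO: [hainfo] Sending update to CSP for HA peer serial information to https://updates.paloaltonetworks.com/licensesvc/licenseservice.asmx/PanoramaHAInfo
2017-11-06 15:14:07.791 -0800 INFO: [hainfo] Data string is primarypanoramasn=PRIMARY-SN-PLACEHOLDER&secondarypanoramasn=SECONDARY-SN-PLACEHOLDER
2017-11-06 15:14:17.595 -0800 INFO: [hainfo] HTTP_CODE 200, RESPONSE: <?xml version="1.0" encoding="utf-8"?> <PanoramaHA xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://www.paloaltonetworks.com/"> <success>true</success> </PanoramaHA>
2017-11-06 15:14:17.596 -0800 INFO: [hainfo] Cached HA Peer's serial number SECONDARY-SN-PLACEHOLDER
"""

# Constructed failure case: the CSP answered but did not accept the pairing, so no peer is cached.
FAILED_LOG = """\
2017-11-06 16:02:11.120 -0800 INFO: [hainfo] Data string is primarypanoramasn=PRIMARY-SN-PLACEHOLDER&secondarypanoramasn=SECONDARY-SN-PLACEHOLDER
2017-11-06 16:02:20.004 -0800 INFO: [hainfo] HTTP_CODE 200, RESPONSE: <?xml version="1.0" encoding="utf-8"?> <PanoramaHA xmlns="http://www.paloaltonetworks.com/"> <success>false</success> </PanoramaHA>
"""


@dataclass
class HaRegistration:
    primary_sn: Optional[str] = None       # serial the plugin reported as primary
    secondary_sn: Optional[str] = None     # serial the plugin reported as secondary
    http_code: Optional[int] = None        # CSP HTTP status for the PanoramaHAInfo call
    csp_success: Optional[bool] = None     # value of <success> in the CSP reply
    cached_peer_sn: Optional[str] = None   # peer serial the plugin cached afterwards
    problems: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.problems


def _parse_success(xml_text: str) -> Optional[bool]:
    """Return the <success> value from a PanoramaHA reply, or None if it cannot be parsed."""
    try:
        root = ET.fromstring(xml_text.strip())
    except ET.ParseError:
        return None
    node = root.find(PAN_NS + "success")
    if node is None or node.text is None:
        return None
    return node.text.strip().lower() == "true"


def check_ha_registration(log_text: str, expected_primary: str, expected_secondary: str) -> HaRegistration:
    """Extract the HA registration evidence from the log and compare it with the serials
    you expect; the primary must be the appliance tied to the Prisma Access auth codes."""
    reg = HaRegistration()
    for line in log_text.splitlines():
        if "[hainfo]" not in line:
            continue
        m = DATA_RE.search(line)
        if m:
            reg.primary_sn, reg.secondary_sn = m.group(1), m.group(2)
            continue
        m = HTTP_RE.search(line)
        if m:
            reg.http_code = int(m.group(1))
            reg.csp_success = _parse_success(m.group(2))
            continue
        m = CACHED_RE.search(line)
        if m:
            reg.cached_peer_sn = m.group(1)

    if reg.primary_sn is None:
        reg.problems.append("no 'Data string' line: the plugin has not sent HA serials to the CSP")
    else:
        if reg.primary_sn != expected_primary:
            reg.problems.append(f"primary serial {reg.primary_sn} sent to CSP != expected {expected_primary}")
        if reg.secondary_sn != expected_secondary:
            reg.problems.append(f"secondary serial {reg.secondary_sn} sent to CSP != expected {expected_secondary}")
    if reg.http_code != 200:
        reg.problems.append(f"CSP returned HTTP {reg.http_code}, expected 200")
    if reg.csp_success is not True:
        reg.problems.append("CSP reply did not contain <success>true</success>")
    if reg.cached_peer_sn != expected_secondary:
        reg.problems.append(f"cached HA peer serial {reg.cached_peer_sn} != expected secondary {expected_secondary}")
    return reg
```

Feed it the real log text (for example the output of the tail command above) together with the two serial numbers from the CSP; an empty problems list means the pairing matches what the CSP was told.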

STEP 6 | Log in to the secondary Panorama appliance and Activate and Install Prisma Access.
When you log in to the Customer Support Portal (CSP) to generate the OTP, make sure that you specify
the serial number for the secondary Panorama appliance.

STEP 7 | Commit your changes on the primary and secondary Panorama appliance.
1. Commit > Commit and Push your changes.

2. Click OK and Push.

STEP 8 | Verify that the primary and secondary Panorama appliances are still in a synchronized state.

Prepare the Prisma Access Infrastructure and Service Connections
Use the sections in the following chapter to plan and begin configuration of your Prisma
Access deployment.

> Set Up Prisma Access
> Plan the Service Infrastructure and Service Connections
> Configure the Service Infrastructure
> Create a Service Connection to Allow Access to Your Corporate Resources
> Create a Service Connection to Enable Access between Mobile Users and Remote
Networks
> Deployment Progress and Status
> Use Traffic Steering to Forward Internet-Bound Traffic to Service Connections
> How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote
Network Connections
> Routing Preferences for Service Connection Traffic
> List of Prisma Access Locations
Set Up Prisma Access
The following sections provide you with the summary steps that you take to install and configure Prisma
Access and information about proxy server support between Panorama, Prisma Access, and Cortex Data
Lake.
• Prisma Access Onboarding and Configuration Workflow
• Proxy Support for Prisma Access and Cortex Data Lake

Prisma Access Onboarding and Configuration Workflow


The following workflow provides you with the summary steps that you take to install and configure Prisma
Access.

If you are setting up a deployment that includes multiple instances of Prisma Access on
a single Panorama (multi-tenancy), see Manage Multiple Tenants in Prisma Access. Most
organizations do not have a need to create and manage multiple tenants.

STEP 1 | Add the following URLs and ports to an allow list on any security appliance that you use with
the Panorama appliance that manages Prisma Access.
In addition, if your Panorama appliance uses a proxy server (Panorama > Setup > Service > Proxy
Server), or if you use SSL forward proxy with Prisma Access, be sure to add the following URLs and ports
to an allow list on the proxy or proxy server.
• api.gpcloudservice.com (for Prisma Access)
• api.paloaltonetworks.com (for Prisma Access)
• apitrusted.paloaltonetworks.com (for Prisma Access)
• The FQDNs and ports required for Cortex Data Lake

STEP 2 | Add the ports used by Panorama to allow lists in your network.

STEP 3 | Identify your license requirements; then Activate and Install the Prisma Access Components.
After you install the Cloud Services plugin, the plugin creates a Panorama administrative user with
a username of __cloud_services. This user account is required to enable communication between
Enterprise DLP on Prisma Access and the Prisma Access management infrastructure. Palo Alto Networks
recommends that you change the password for this administrative user in accordance with your
organization’s password policy.
If you delete the __cloud_services user, you must re-add the user manually. The account is used to
register and activate Enterprise DLP on Prisma Access, and for continued DLP scanning using the data
patterns and data filtering profiles referenced in security policy rules.

STEP 4 | Import your existing Panorama configuration to Prisma Access, or create new templates and
device groups to begin configuration of Prisma Access.
In order to push configuration—such as security policy, authentication policy, server profiles, security
profiles, address objects, and application groups—to Prisma Access, you must either create new
templates and device groups with the configuration settings you want to push to Prisma Access, or
leverage your existing device groups and templates by adding them to the template stacks and device
group hierarchies that get created when you onboard the service.
Configuration is simplified in Prisma Access because you do not have to configure any of the
infrastructure settings, such as interfaces and routing protocols. This configuration is automated and

pushed from Panorama in the templates and device groups that the service creates automatically. You
can configure any infrastructure settings that are required by the service, such as settings required
to create IPSec VPN tunnels to the IPSec-capable devices at your remote network locations, directly
from the plugin. Optionally, you can add templates and device group hierarchies to the configuration to
simplify the service setup.
To simplify the service setup, create or import the templates and device groups you need before you
begin the setup tasks for using Prisma Access.
When creating templates and device groups for Prisma Access, you do not need to assign managed
devices to it. Instead, you will add them to the template stacks and device group hierarchies created by
the service. Do not add any of the templates or device groups created by Prisma Access to any other
template stacks or device groups.

Also note that some settings that are available in a non-Prisma Access template or device
group may not be supported in Prisma Access. See What Features Does Prisma Access
Support? for a list of supported features.

STEP 5 | Enable the service infrastructure and service connections that allow communication between
Prisma Access elements.
1. Plan to enable the service infrastructure and service connections.
2. Enable the service infrastructure.
3. Create a service connection to allow access to your corporate resources.
If you don’t require access to your corporate resources, you should still create a service connection to
enable access between mobile users and remote networks.

STEP 6 | Plan To Deploy Prisma Access for Users and Configure Prisma Access for Users, if required for
your deployment.
We recommend using local authentication as a first step to verify that the service is set up and your
users have internet access. You can later switch to using your corporate authentication methods.
1. Configure Prisma Access for Users.
2. Configure zones for mobile users.
   1. Create two zones in the Mobile User Template. For example, Mobile-Users and Internet.
   2. Map the zones. You should map any zone that is not Prisma Access connected users or HQ or
      branch offices to Untrust.
      Under Panorama > Cloud Services > Configuration > Mobile Users, map Internet to Untrust and
      Mobile-Users to Trust.
3. Configure Security policies for the device group.
   To create a Security policy to allow traffic to the Internet, select the Mobile_User_Device_Group
   Policies > Security > Prerules > Add a rule. For example: Mobile-Users to Internet.
4. Commit your changes to get started with the service.
   1. Commit locally on Panorama.
   2. Commit and Push to Prisma Access.
   3. Select Panorama > Cloud Services > Status > Monitor > Mobile Users to view the Status and
      verify that you can ping the Portal FQDN.
5. Validate that Prisma Access is securing Internet traffic for mobile users.
   1. Download and install the GlobalProtect app.
   2. Use the app to connect to the portal as a mobile user (local user).
   3. Browse to a few websites on the internet and check the traffic logs on Panorama.

STEP 7 | Plan, create, and configure remote network connections.
1. Add one or more remote networks to Prisma Access.
You can onboard one location and then add additional locations using the bulk import capability.
2. Create a Security policy rule to allow traffic from the remote networks to HQ (For example: Trust to
Trust).
3. Validate the connectivity between the service connection, remote network connection, and mobile
users.

STEP 8 | Retrieve the IP Addresses for Prisma Access and Retrieve Public and Egress IP Addresses for
Mobile User Deployments.
You add these addresses to an allow list on your organization’s network to limit inbound access to your
enterprise network and applications.

STEP 9 | (Optional) Change the authentication method from local authentication to your organization’s
authentication method.
1. Create an authentication profile that meets your organization’s requirements (LDAP, RADIUS, etc.).
2. If your organization uses an on-premises authentication server such as RADIUS or Active Directory,
add the IP addresses that Prisma Access uses as its source IP address for internal requests (Prisma
Access Infrastructure IP Addresses) to allow lists in your network, or allow the IP addresses of the
entire Infrastructure Subnet (Prisma Access takes the loopback IP address from this subnet).
3. Update the Authentication Profile for the Prisma Access portal and gateway to use this new
authentication profile.

STEP 10 | (Optional) Forward logs from Cortex Data Lake (formerly Logging Service) to an external
Syslog receiver by setting up the Log Forwarding app.

Proxy Support for Prisma Access and Cortex Data Lake


If you have deployed a proxy server between Panorama, the Prisma Access infrastructure, and Cortex Data
Lake, refer to the following table for details on the expected behavior:

Functionality: Initial onboarding to Cortex Data Lake with Certificate Revocation Status checks using OCSP
  Support through a proxy server that does not perform SSL decryption: Supported
  Support through a proxy server that performs SSL decryption: Only pass-through proxies are
  supported; any proxy using SSL decryption is not supported.

Functionality: Panorama queries to Cortex Data Lake for reports and logs
  Support through either type of proxy server: If the proxy server is the default route on Panorama,
  you cannot view the data on the ACC and Monitor > Logs pages. You can view data on the ACC and
  Monitor > Logs pages if Panorama has an alternate route to Cortex Data Lake and you can bypass the
  proxy server.

Plan the Service Infrastructure and Service Connections
Plan the Service Infrastructure
To Enable the Service Infrastructure in the cloud for your remote network locations and mobile users, you
must provide a subnet that Prisma Access uses to establish a network infrastructure between your remote
network locations, mobile users, and service connections to your headquarters/data center (if applicable).
The IP addresses in this subnet also enable Prisma Access to determine the service routes for services
such as LDAP, DNS, or SCEP, as well as enable other inter-service communication. Because a large number
of IP addresses will be required to set up the infrastructure, you must use a /24 subnet (for example,
172.16.55.0/24) at a minimum. This subnetwork will be an extension to your existing network or with the
IP address pools you assign for Prisma Access for users. If you have a large number of mobile users, branch
offices, or both, provide a larger infrastructure subnet.
Use the following recommendations and requirements when adding an infrastructure subnet:
• You can assign Prisma Access an infrastructure subnet from an existing supernet in your organization’s IP
address pool, but do not assign any of the IP addresses from the infrastructure subnet for any other use
in your existing network.
The following example shows a Prisma Access infrastructure subnet, 10.10.1.0/24, that you assigned
from an existing supernet, 10.0.0.0/8. After you assign 10.10.1.0/24 as the infrastructure subnet, your
organization cannot use any IP addresses from that subnet. For example, you can assign 10.10.2.1 to an
endpoint, but 10.10.1.1 is not allowed because that IP address is part of the infrastructure subnet.

• If you create a new subnet for the infrastructure subnet, use a subnet that does not overlap with other
IP addresses you use internally.
• We recommend using an RFC 1918-compliant subnet. While the use of non-RFC 1918-compliant
(public) IP addresses is supported, we do not recommend it, because of possible conflicts with internet
public IP address space.
• Do not specify any subnets that overlap with the 100.64.0.0/15 subnet range because Prisma Access
reserves that subnet for its internal use.

• The subnet cannot overlap with the IP address pools you plan to use for the address pools you assign for
your mobile users deployment.
• Because the service infrastructure can be very large, you must designate a /24 subnet at a minimum.
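As an added example that is not from the guide, the following Python function checks a proposed infrastructure subnet against the requirements above (a /24 at minimum, no overlap with 100.64.0.0/15, with mobile user IP pools, or with addresses already allocated elsewhere in your network) and flags a non-RFC 1918 subnet as a breach of the recommendation; the supernet, pool and endpoint values in the demonstration are constructed around the guide's 10.10.1.0/24 example.

```python
import ipaddress
from typing import Iterable, List, Optional

# Range the guide says Prisma Access reserves for its internal use.
PRISMA_RESERVED = ipaddress.IPv4Network("100.64.0.0/15")
# RFC 1918 private ranges; the guide recommends the infrastructure subnet come from one of these.
RFC1918 = [
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
]
MIN_BLOCK_PREFIXLEN = 24  # a /24 is the minimum size; /25 or longer prefixes are too small


def _nets(items: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Accept host addresses ("10.10.2.1") and prefixes ("10.10.3.0/24") alike."""
    return [ipaddress.IPv4Network(item, strict=False) for item in items]


def check_infrastructure_subnet(
    candidate: str,
    supernet: Optional[str] = None,
    allocated: Iterable[str] = (),
    mobile_user_pools: Iterable[str] = (),
) -> List[str]:
    """Return findings for a proposed infrastructure subnet.

    An empty list means the subnet meets the guide's requirements. Entries starting with
    "ERROR" break a requirement; entries starting with "WARN" break a recommendation.
    """
    findings: List[str] = []
    try:
        net = ipaddress.IPv4Network(candidate, strict=True)
    except ValueError as exc:
        return [f"ERROR: {candidate!r} is not a valid IPv4 prefix ({exc})"]

    # Requirement: /24 at minimum, because the service infrastructure needs many addresses.
    if net.prefixlen > MIN_BLOCK_PREFIXLEN:
        findings.append(f"ERROR: {net} is smaller than the required /24 minimum")

    # Requirement: never overlap the range Prisma Access reserves internally.
    if net.overlaps(PRISMA_RESERVED):
        findings.append(f"ERROR: {net} overlaps the Prisma Access reserved range {PRISMA_RESERVED}")

    # Requirement: no overlap with the IP pools assigned to mobile users.
    for pool in _nets(mobile_user_pools):
        if net.overlaps(pool):
            findings.append(f"ERROR: {net} overlaps mobile user IP pool {pool}")

    # Requirement: the subnet may be carved from an existing supernet, but once assigned,
    # nothing else in the network may use addresses from it.
    if supernet is not None and not net.subnet_of(ipaddress.IPv4Network(supernet)):
        findings.append(f"ERROR: {net} is not inside the organization's supernet {supernet}")
    for used in _nets(allocated):
        if net.overlaps(used):
            findings.append(f"ERROR: {used} is already allocated elsewhere but falls inside {net}")

    # Recommendation: use RFC 1918 space to avoid conflicts with public internet addresses.
    if not any(net.subnet_of(private) for private in RFC1918):
        findings.append(f"WARN: {net} is not RFC 1918 space; public addresses are supported but not recommended")

    return findings


if __name__ == "__main__":
    # The guide's example: 10.10.1.0/24 carved from 10.0.0.0/8; 10.10.2.1 may be assigned to an
    # endpoint, 10.10.1.1 may not (mobile user pool value is constructed for illustration).
    for endpoint in ("10.10.2.1", "10.10.1.1"):
        result = check_infrastructure_subnet(
            "10.10.1.0/24", supernet="10.0.0.0/8", allocated=[endpoint],
            mobile_user_pools=["192.168.100.0/22"],
        )
        print(endpoint, "->", result or "OK")
```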

Service Connection Overview


We recommend always creating a service connection, because it allows Prisma Access to perform the
following tasks:
• A service connection allows access to the resources in your HQ or data center.
For example, if your security policy requires user authentication using an on-premise authentication
service, such as your Active Directory, you will need to enable Prisma Access to access the corporate
location where the service resides (and set up a service account that the service can use to access it).
Similarly, if you have corporate resources that your remote networks and mobile users will need to
access, you must enable Prisma Access to access the corresponding corporate network.
If you create service connections for this reason, you should plan for the service connections before
implementing them.
• A service connection allows remote networks and mobile users to communicate with each other.
Even if you don’t need access to your HQ or data center, you might have a need to allow your mobile
users to access your remote network locations. In this case, you can create a service connection with
placeholder values. This is required because, while all remote network connections are fully meshed,
mobile users connect to remote networks using the service connection in a hub-and-spoke network. For
this reason, you might also create a service connection with placeholder values if your existing service
connection is not in an ideal geographical location.
Your Prisma Access license includes the option to establish service connections to up to 100 of your
headquarters and/or data center sites. The first three service connections are included with no license cost;
each connection after the third uses 300 Mbps from your licensed remote networks bandwidth pool.

While each service connection provides approximately 1 Gbps of throughput, the actual
throughput is dependent on several factors, including:
• Traffic mix (for example, frame size)
• Latency and packet loss between the service connection and the headquarters location or
data center
• Service provider performance limits
• Customer termination device performance limits
• Other customer data center traffic

If you configure Prisma Access to manage multiple tenants, each tenant can use up
to 3 service connections at no cost to the license. You can add more than 3 service
connections to each tenant; however, each additional service connection takes 300 Mbps
from your remote network license.

In order for Prisma Access to route users to the resources they need, you must provide the routes to the
resources. You can do this in one or more of the following ways:
• Define a static route to each subnetwork or specific resource that you want your users to be able to
access.
• Configure BGP between your service connection locations and Prisma Access.
• Use a combination of both methods.

If you configure both static routes and enable BGP, the static routes take precedence. While it might
be convenient to use static routes if you have just a few subnetworks or resources you want to allow
access to, in a large data center/HQ environment where routes change dynamically, BGP lets you
scale more easily. Dynamic routing also provides redundancy for your service connections.
If one service connection tunnel is down, BGP can dynamically route mobile user and remote network
traffic over the operational service connection tunnel.

Plan the Service Connections


If you use the service connection to access information from your headquarters or data center, gather the
following information for each of your HQ/data center sites that you want the cloud service to be able to
connect to:

If you are creating a service connection to allow mobile users access to remote network
locations, you do not need this information.

IPSec-capable firewall, router, or SD-WAN device connection.


IPSec settings for terminating the primary VPN tunnel from Prisma Access to the IPSec-capable device
on your corporate network.
IPSec settings for terminating the secondary VPN tunnel from Prisma Access to the IPSec-capable
device on your corporate network.

If you have an existing template that contains IPSec tunnel, Tunnel Monitoring, and IPSec
Crypto Profile configurations, you can add that template to the template stack to simplify
the process of creating the IPSec tunnels. Or, you can edit the Service_Conn_Template
that gets created automatically and create the IPSec configurations required to create
the IPSec tunnel back to the corporate site. Prisma Access also provides you with a set
of predefined IPSec templates for some commonly-used network devices, and a generic
template for any device that is not included in the predefined templates.
List of IP subnetworks at the site.
List of internal domains that the cloud service will need to be able to resolve.
IP address of a node at your network’s site to which Prisma Access can send ICMP ping requests for
IPSec tunnel monitoring.
Make sure that this address is reachable by ICMP from the entire Prisma Access infrastructure subnet.
Service account for your authentication service, if required for access.
Network reachability settings for the service infrastructure subnet.
We recommend that you make the entire service infrastructure subnet reachable from the HQ or Data
Center site. Prisma Access uses IP addresses for all control plane traffic, including tunnel monitoring,
LDAP, User-ID, and so on from this subnet.
Traffic over the service connections does not count towards the remote network bandwidth pool that you
purchased.

Configure the Service Infrastructure
Before you can begin setting up Prisma Access to secure your remote networks and/or mobile users, you
must configure an infrastructure subnet, which Prisma Access will use to create the network backbone
for communication between your service connections, remote networks, and mobile users, as well as
with the corporate networks you plan to connect to Prisma Access over service connections. Because a
large number of IP addresses will be required to set up the infrastructure, you must use a /24 subnet (for
example, 172.16.55.0/24) at a minimum. See Plan the Service Infrastructure and Service Connections for
the requirements and guidelines to use when assigning an infrastructure subnet.

STEP 1 | Select Panorama > Cloud Services > Configuration > Service Setup and click the gear icon to
edit the Settings.

STEP 2 | On the General tab, specify an Infrastructure Subnet, for example, 172.16.55.0/24.
See Plan the Service Infrastructure and Service Connections for the requirements and guidelines to use
when assigning an infrastructure subnet.

STEP 3 | Enter the Infrastructure BGP AS you want to use within the Prisma Access infrastructure. If
you want to use dynamic routing to enable Prisma Access to dynamically discover routes to
resources on your remote networks and HQ/data center locations, specify the autonomous
system (AS) number. If you do not supply an AS number, the default AS number 65534 will be
used.

STEP 4 | (Optional) Add one or more templates to the predefined template stack,
Service_Conn_Template_Stack.
The templates you add here can help simplify the process of adding new service connections. For
example, if you add a template containing existing IPSec configuration settings, such as IPSec tunnel,
Tunnel Monitoring, and IPSec Crypto Profile configurations, you can select these configurations
when defining the tunnel settings for each service connection rather than having to create the tunnel
configuration from scratch. You can optionally edit the predefined Service_Conn_Template with tunnel
settings that you can leverage when creating the tunnels from Prisma Access to your corporate network
sites.

STEP 5 | Enable Prisma Access to resolve your internal domains.


Use this step if you need Prisma Access to be able to resolve your internal domains to access services,
such as LDAP servers, on your corporate network via service connections. For example, if you want
a DNS lookup for your corporate domain to go exclusively to the corporate DNS server, specify the
corporate domain and the corporate DNS servers here.
1. Select the Internal Domain List tab.
2. Add the Domain Names, Primary DNS, and Secondary DNS servers that the cloud service can use to
resolve your internal domain names.
You can use a wildcard (*) in front of the domains in the domain list, for example *.acme.local or
*.acme.com.

STEP 6 | Enable Cortex Data Lake (formerly Logging Service).


1. Select the Cortex Data Lake tab.
2. Select a Cortex Data Lake Theater and click OK.

3. Configure the device groups you are using to push settings to Prisma Access with a Log Forwarding
profile that forwards the desired log types to Panorama/Logging Service.
The Cloud Services plugin automatically adds the following Log Settings (Device > Log Settings) after
a new installation or when removing non-Prisma Access templates from a Prisma Access template
stack:
• Log Settings for System logs (system-gpcs-default), User-ID logs (userid-gpcs-default), HIP Match
logs (hipmatch-gpcs-default), and GlobalProtect logs (gp-prismaaccess-default) are added to the
Mobile_User_Template.
• Log Settings for System logs (system-gpcs-default), User-ID logs (userid-gpcs-default), and
GlobalProtect logs (gp-prismaaccess-default) are added to the Remote_Network_Template.
• Log Settings for System logs (system-gpcs-default) and GlobalProtect logs (gp-prismaaccess-
default) are added to the Service_Conn_Template.
These Log Setting configurations automatically forward System, User-ID, HIP Match, and
GlobalProtect logs to Cortex Data Lake.
To apply log setting changes, perform the following steps, then commit and push your changes:
• To apply the log setting to the mobile user template, select Panorama > Cloud Services >
Configuration > Mobile Users, click the gear icon to edit the settings, and click OK.
• To apply the log setting to the remote network template, select Panorama > Cloud Services >
Configuration > Remote Networks, click the gear icon to edit the settings, and click OK.
• To apply the log setting to the service connection template, select Panorama > Cloud Services >
Configuration > Service Setup, click the gear icon to edit the settings, and click OK.

See Add Log Settings to Prisma Access (Panorama Managed) for a video that describes
the log settings process.

The way you enable log forwarding for other log types depends on the type. For logs that are
generated based on a policy match, use a log forwarding profile. See the Cortex Data Lake Getting
Started Guide for more information.

STEP 7 | (Optional) Change the routing preferences and enable HIP redistribution.
1. Specify the Routing Preference to use with service connections.
You can specify network preferences to use either your organization’s network, or the Prisma Access
network, to process the service connection traffic.
• Default—Prisma Access uses default routing in its internal network.
• Hot potato routing—Prisma Access hands off service connection traffic to your organization’s
WAN as quickly as possible.

Changing the Prisma Access service connection routing method requires a thorough
understanding of your organization’s topology and routing devices, along with an
understanding of how Prisma Access routing works. We recommend that you read the
Routing Preferences for Service Connection Traffic section carefully before changing
the routing method from the default setting.
2. Enable HIP Redistribution to have Prisma Access use service connections to redistribute HIP
information from mobile users and users at remote networks.
See Redistribute HIP Information with Prisma Access for more information about enabling HIP
redistribution.

STEP 8 | Click OK to save the Service Setup settings.

STEP 9 | Commit all your changes to Panorama and push the configuration changes to Prisma Access.
1. Click Commit > Commit to Panorama.
2. Click Commit > Push to Devices and click Edit Selections.
3. On the Prisma Access tab, make sure Service setup is selected and then click OK.
Prisma Access should automatically select the components that need to be committed.

4. Click Push.

If there is a Palo Alto Networks next-generation firewall between the Panorama
appliance and the internet, you must add a security policy rule on the firewall to allow
the paloalto-logging-service and paloalto-shared-services App-IDs from the Panorama
appliance to the internet. These applications allow SSL-secured communication to
Prisma Access and to Cortex Data Lake that the Panorama appliance uses to query
logs. If the Panorama appliance is behind a legacy Layer 4 firewall, permit ports 443
and 444 outbound from the Panorama to allow this traffic from the Panorama. Note
that opening Layer 4 ports instead of using Palo Alto Networks App-IDs is less secure
and not recommended.

STEP 10 | Verify that Prisma Access is successfully connected to Cortex Data Lake.
1. Select Panorama > Cloud Services > Status > Status > Cortex Data Lake and verify that the Status is
OK.

If the status is Error, click the details link to view any errors.

STEP 11 | Continue setting up Prisma Access:


• Create a Service Connection to Allow Access to Your Corporate Resources
• Configure Prisma Access for Networks
• Configure Prisma Access for Users

Create a Service Connection to Allow Access
to Your Corporate Resources
To create a service connection to allow access to your corporate resources, complete the following steps.

If you are creating a service connection to allow communication between mobile users
and remote networks, instead of enabling access to your corporate resources, follow the
instructions in Create a Service Connection to Enable Access between Mobile Users and
Remote Networks.

STEP 1 | Select Panorama > Cloud Services > Configuration > Service Connection.

STEP 2 | Add a new service connection to one of your corporate network sites.

STEP 3 | Specify a Name for the corporate site.

STEP 4 | Select the Location closest to where the site is located.


See this section for a list of Prisma Access locations.

STEP 5 | Select or add a new IPSec Tunnel configuration to access the firewall, router, or SD-WAN
device at the corporate location:
• If you have added a template to the Service_Conn_Template_Stack (or modified the predefined
Service_Conn_Template) that includes an IPSec Tunnel configuration, select that IPSec Tunnel
from the drop-down. Note that the tunnel you are creating for each service connection connects
Prisma Access to the IPSec-capable device at each corporate location. The peer addresses in the IKE
Gateway configuration must be unique for each tunnel. You can, however, re-use some of the other
common configuration elements, such as Crypto profiles.

The IPSec Tunnel you select from a template must use Auto Key exchange and IPv4
only.
• To create a new IPSec Tunnel configuration, click New IPSec Tunnel, give it a Name and configure
the IKE Gateway, IPSec Crypto Profile, and Tunnel Monitoring settings.
• If the IPSec-capable device at your HQ or data center location uses policy-based VPN, on the
Proxy IDs tab, Add a proxy ID that matches the settings configured on your local IPSec device to
ensure that Prisma Access can successfully establish an IPSec tunnel with your local device.
• Leave Enable Replay Protection selected to detect and neutralize against replay attacks.
• Select Copy TOS Header to copy the Type of Service (TOS) header from the inner IP header to the
outer IP header of the encapsulated packets in order to preserve the original TOS information.
• To enable tunnel monitoring for the service connection, select Tunnel Monitor.
• Enter a Destination IP address.
Specify an IP address at your HQ or data center site to which Prisma Access can send ICMP ping
requests for IPSec tunnel monitoring. Make sure that this address is reachable by ICMP from the
entire Prisma Access infrastructure subnet.
• If you use tunnel monitoring with a peer device that uses multiple proxy IDs, specify a Proxy ID or
add a New Proxy ID that allows access from the infrastructure subnet to your HQ or data center
site.

The following figure shows a proxy ID with the service infrastructure subnet (172.16.55.0/24
in this example) as the Local IP subnet and the HQ or data center’s subnet (10.1.1.0/24 in this
example) as the Remote subnet.

The following figure shows the Proxy ID you created being applied to the tunnel monitor
configuration by specifying it in the Proxy ID field.

You must configure a static route on your CPE to the Tunnel Monitor IP Address for
tunnel monitoring to function. To find the destination IP address to use for tunnel
monitoring from your data center or HQ network to Prisma Access, select Panorama >
Cloud Services > Status > Network Details, click the Service Infrastructure radio
button, and find the Tunnel Monitor IP Address.

STEP 6 | BGP and hot potato routing deployments only—Select a service connection to use as the preferred
backup (Backup SC).
You can select any service connection that you have already added. Prisma Access uses the Backup
SC you select as the preferred service connection in the event of a link failure. Selecting a backup
service connection can prevent asymmetric routing issues if you have onboarded more than two service
connections. This choice is available in Hot potato routing mode only.

STEP 7 | If you have a secondary WAN link at this location, select Enable Secondary WAN and then
select or configure an IPSec Tunnel the same way you did to set up the primary IPSec tunnel.

If the primary WAN link goes down, Prisma Access detects the outage and establishes a tunnel to the
headquarters or data center location over the secondary WAN link. If the primary WAN link becomes
active, the link switches back to the primary link.
If you use static routes, tunnel failover time is less than 15 seconds from the time of detection,
depending on your WAN provider.
If you configure BGP routing and have enabled tunnel monitoring, the shortest default hold time to
determine that a security parameter index (SPI) is failing is the tunnel monitor, which removes all routes
to a peer when it detects a tunnel failure for 15 consecutive seconds. In this way, the tunnel monitor
determines the behavior of the BGP routes. If you do not configure tunnel monitoring, the hold timer
determines the amount of time that the tunnel is down before removing the route. Prisma Access uses
the default BGP HoldTime value of 90 seconds as defined by RFC 4271, which is the maximum wait
time before Prisma Access removes a route for an inactive SPI. If the peer BGP device has a shorter
configured hold time, the BGP hold timer uses the lower value.
When the secondary tunnel is successfully installed, the secondary route takes precedence until the
primary tunnel comes back up. If the primary and secondary are both up, the primary route takes
priority.

STEP 8 | Enable routing to the subnetworks or individual IP addresses at the corporate site that your
users will need access to.
Prisma Access uses this information to route requests to the appropriate site. The networks at each
site cannot overlap with each other or with IP address pools that you designated for the service
infrastructure or for the Prisma Access for users IP pools. You can configure Static Routes, BGP, or a
combination of both.
To configure Static Routes:
1. On the Static Routes tab, click Add and enter the subnetwork address (for example,
172.168.10.0/24) or individual IP address of a resource, such as a DNS server (for example,
10.32.5.1/32) that your remote users will need access to.
2. Repeat for all subnets or IP addresses that Prisma Access will need access to at this location.

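As an added example (not code from the guide or from Palo Alto Networks), the following Python script models two pre-commit checks from the steps above: whether a tunnel monitor destination is covered by a proxy ID whose local side is the service infrastructure subnet (the proxy ID note under Step 5), and whether the static routes overlap each other or the reserved infrastructure and mobile user ranges (Step 8). The proxy ID names, the mobile user pool, and the route lists are constructed sample values; the infrastructure subnet 172.16.55.0/24 and HQ subnet 10.1.1.0/24 are the guide's own figures.

```python
"""Pre-commit sanity checks for a Prisma Access service connection.

Added example, not Palo Alto Networks code. It models two checks the guide
describes for the Panorama UI:
  1. a tunnel monitor destination must be covered by a proxy ID whose local
     side is the service infrastructure subnet (policy-based VPN peers), and
  2. the subnets routed over a service connection must not overlap each
     other, the infrastructure subnet, or the mobile user IP pools.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from itertools import combinations
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class ProxyID:
    name: str
    local: IPv4Network   # Prisma Access side of the IPSec SA
    remote: IPv4Network  # HQ / data center side of the IPSec SA


def proxy_id_for_tunnel_monitor(proxy_ids: Sequence[ProxyID],
                                infra_subnet: IPv4Network,
                                monitor_dst: str) -> Optional[str]:
    """Name of the first proxy ID that would carry an ICMP probe from the
    service infrastructure subnet to the tunnel monitor destination, or None.
    With a policy-based peer, a probe that matches no proxy ID never gets an
    SA, so None means tunnel monitoring would report the tunnel as down."""
    dst = ip_address(monitor_dst)
    for p in proxy_ids:
        if infra_subnet.subnet_of(p.local) and dst in p.remote:
            return p.name
    return None


def find_overlaps(routes: Sequence[IPv4Network],
                  reserved: Dict[str, IPv4Network]) -> List[Tuple[str, str]]:
    """Overlapping pairs among the corporate subnets to be routed over the
    service connection, plus overlaps between those subnets and reserved
    ranges (infrastructure subnet, mobile user pools). Empty means clean."""
    problems: List[Tuple[str, str]] = []
    for a, b in combinations(routes, 2):
        if a.overlaps(b):
            problems.append((str(a), str(b)))
    for r in routes:
        for label, net in reserved.items():
            if r.overlaps(net):
                problems.append((str(r), label))
    return problems


# Constructed sample values (172.16.55.0/24 and 10.1.1.0/24 are the guide's
# own figures; the proxy ID names and the mobile user pool are assumptions).
INFRA = ip_network("172.16.55.0/24")          # service infrastructure subnet
RESERVED = {
    "infrastructure subnet": INFRA,
    "mobile user pool (americas)": ip_network("10.8.0.0/20"),
}
PROXY_IDS = [
    ProxyID("hq-lan", INFRA, ip_network("10.1.1.0/24")),
    ProxyID("hq-dmz", INFRA, ip_network("10.1.2.0/24")),
]
GOOD_ROUTES = [ip_network(c) for c in ("10.1.1.0/24", "10.1.2.0/24", "10.32.5.1/32")]
# Two deliberate mistakes: a /25 inside an existing route and a /24 taken
# from the mobile user pool.
BAD_ROUTES = GOOD_ROUTES + [ip_network("10.8.3.0/24"), ip_network("10.1.1.128/25")]


def check_service_connection(routes: Sequence[IPv4Network],
                             proxy_ids: Sequence[ProxyID],
                             monitor_dst: str) -> Dict[str, object]:
    """Run both checks and return a report to review before the commit/push."""
    matched = proxy_id_for_tunnel_monitor(proxy_ids, INFRA, monitor_dst)
    overlaps = find_overlaps(routes, RESERVED)
    return {
        "tunnel_monitor_proxy_id": matched,
        "overlaps": overlaps,
        "ok": matched is not None and not overlaps,
    }


if __name__ == "__main__":
    print(check_service_connection(GOOD_ROUTES, PROXY_IDS, "10.1.1.10"))
    print(check_service_connection(BAD_ROUTES, PROXY_IDS, "10.2.0.10"))
```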
To configure BGP:
1. On the BGP tab, select Enable.
When you enable BGP, Prisma Access sets the time to live (TTL) value for external BGP (eBGP) to 8
to accommodate any extra hops that might occur between the Prisma Access infrastructure and your
customer premises equipment (CPE) that terminates the eBGP connection.

Prisma Access does not accept BGP default route advertisements for either service
connections or remote network connections.
2. (Optional) Select from the following choices:
• To prevent the Prisma Access BGP peer from forwarding routes into your organization’s network,
select Don’t Advertise Prisma Access Routes.
By default, Prisma Access advertises all BGP routing information, including local routes and all
prefixes it receives from other service connections, remote networks, and mobile user subnets.
Select this check box to prevent Prisma Access from sending any BGP advertisements, but still use
the BGP information it receives to learn routes from other BGP neighbors.

Since Prisma Access does not send BGP advertisements if you select this option,
you must configure static routes on the on-premise equipment to establish routes
back to Prisma Access.
• To reduce the number of mobile user IP subnet advertisements over BGP to your customer
premises equipment (CPE), specify Prisma Access to summarize the subnets before it advertises
them by selecting Summarize Mobile User Routes before advertising.

By default, Prisma Access advertises the mobile users IP address pools in blocks of /24 subnets;
if you summarize them, Prisma Access advertises the pool based on the subnet you specified.
For example, Prisma Access advertises a public user mobile IP pool of 10.8.0.0/20 using the /20
subnet, rather than dividing the pool into subnets of 10.8.1.0/24, 10.8.2.0/24, 10.8.3.0/24, and so
on before advertising them. Summarizing these advertisements can reduce the number of routes
stored in CPE routing tables. For example, you can use IP pool summarization with cloud VPN
gateways (Virtual Private Gateways (VGWs) or Transit Gateways (TGWs)) that can accept a limited
number of routes.

If you have hot potato routing enabled and you enable route summarization, Prisma
Access no longer prepends AS-PATHs, which might cause asymmetric routing.
Be sure that your return traffic from the data center or headquarters location has
guaranteed symmetric return before you enable route summarization with hot
potato routing.
3. Enter the IP address assigned as the Router ID of the eBGP router on the data center/HQ network
for which you are configuring this service connection as the Peer Address.
4. Enter the Peer AS, which is the autonomous system (AS) to which the firewall virtual router or BGP
router at your data center/HQ network belongs.
5. (Optional) Enter an address that Prisma Access uses as its Local IP address for BGP.
Specifying a Local Address is useful where the device on the other side of the connection (such as
an Amazon Web Service (AWS) Virtual Private Gateway) requires a specific local IP address for BGP
peering to be successful. Make sure that the address you specify does not conflict or overlap with IP
addresses in the Infrastructure Subnet or subnets in the service connection.

You must configure a static route on your CPE to the BGP Local Address.

6. (Optional) Enter and confirm a Secret passphrase to authenticate BGP peer communications.

STEP 9 | (Optional) If you configured a Secondary WAN and you need to change the Peer Address or
Local Address for the secondary (backup) BGP peer, deselect Same as Primary WAN and enter
a unique Peer and, optionally, Local IP address for the secondary WAN.
In some deployments (for example, when using BGP to peer with an AWS VPN gateway), the BGP peer
for the primary and secondary WAN might be different. In those scenarios, you can choose to set a
different BGP peer for the secondary WAN.

For BGP deployments with secondary WANs, Prisma Access sets both the primary and
secondary tunnels in an UP state, but follows normal BGP active-backup behavior for
network traffic. Prisma Access sets the primary tunnel as active and sends and receives
traffic through that tunnel only; if the primary tunnel fails, Prisma Access detects the
failure using BGP rules, sets the secondary tunnel as active, and uses only the secondary
tunnel to send and receive traffic.

STEP 10 | If required, enable Quality of Service for the service connection and specify a QoS profile or
add a New QoS Profile.
You can create QoS profiles to shape QoS traffic for remote network and service connections and apply
those profiles to traffic that you marked with PAN-OS security policies, traffic that you marked with an
on-premise device, or both PAN-OS-marked and on-premise-marked traffic. See Configure Quality of
Service in Prisma Access for details.

STEP 11 | Commit all your changes to Panorama and push the configuration changes to Prisma Access.
1. Click Commit > Commit to Panorama.
2. Click Commit > Push to Devices and select Edit Selections. On the Prisma Access tab, make sure
Service setup is selected, then click OK and Push.
Prisma Access should automatically select the components that need to be committed.

STEP 12 | Add more service connections by repeating Step 2 through Step 11.
The first three service connections are included with no license cost; each connection after the third
uses 300 Mbps from your licensed remote networks bandwidth pool. After you Add your fourth and
subsequent network connection, Prisma Access displays a page informing you of your remaining licensed
remote networks bandwidth. To confirm your addition, Allocate 300 Mbps for an additional service
connection; then Allocate the bandwidth for the service connection.

STEP 13 | Configure the IPSec tunnel or tunnels from your IPSec-capable device on your corporate
network back to Prisma Access.
1. To determine the IP address of the tunnel within Prisma Access, select Panorama > Cloud Services >
Status > Network Details, click the Service Connection radio button, and note the Service IP Address
for the site.
The Service IP Address is the public-facing address that you will need to connect to when you create
the tunnel from your IPSec-capable device back to the service connection.

2. On your IPSec-capable device at the corporate location, configure an IPSec tunnel that connects to
the Service IP Address within Prisma Access and commit the change on that device so that the tunnel
can be established.

Verify Service Connection Status


To verify that the service connection has been successfully set up, select Panorama > Cloud Services >
Status > Status and check that the Status is OK.

The Deployment Status area allows you to view the progress of onboarding and deployment jobs before
they complete, as well as see more information about the status of completed jobs. See Deployment
Progress and Status for details.

If the status is not OK, hover over the Status icon to view any errors.
To see a graphical representation of the service connection along with status details, select Service
Connection on the Monitor tab.

Select a region to get more detail about that region.

Click the tabs below the map to see additional information about the service connections.
Status tab:
• Location—The location where your service connection is deployed.
• Remote Peer—The corporate location to which this service connection is setting up an IPSec tunnel.
• Allocated Bandwidth—The number of service connections you have allocated multiplied by 300 Mbps.
This number does not reflect the available service connection bandwidth.

While each service connection provides approximately 1 Gbps of throughput, the actual
throughput is dependent on several factors, including:
• Traffic mix (for example, frame size)
• Latency and packet loss between the service connection and the headquarters location or data center
• Service provider performance limits
• Customer termination device performance limits
• Other customer data center traffic
• ECMP—Whether equal cost multipath (ECMP) is configured for this service connection. Since ECMP is
not used for service connections, this status is Disabled.
• Config Status—The status of your last configuration push to the service. If the local configuration and
the configuration in the cloud match, the Config Status is In sync. If you have made a change locally, and
not yet pushed the configuration to the cloud, this may display the status Out of sync. Hover over the
status indicator for more detailed information. After committing and pushing the configuration to Prisma
Access, the Config Status changes to In sync.
• BGP Status—Displays information about the BGP state between the firewall or router at your corporate/
headquarters location and Prisma Access where the service connection is established. Although you
might temporarily see the status pass through the various BGP states (Idle, Active, Open send, Open
pend, Open confirm), most commonly, the BGP status shows:
• Connect—The router at your data center/headquarters is trying to establish the BGP peer
relationship with Prisma Access.
• Established—The BGP peer relationship has been established.
This field will also show if the BGP connection is in an error state:
• Warning—There has not been a BGP status update in more than eight minutes. This may indicate an
outage on the firewall.
• Error—The BGP status is unknown.
• Tunnel Status—The operational status of the connection between Prisma Access and your service
connection.
Statistics tab:
• Location—The location where your service connection is deployed.
• Remote Peer—The corporate location to which the service connection is setting up an IPSec tunnel.
• Ingress Bandwidth (Mbps)—The bandwidth from the HQ/data center location to Prisma Access.
• Ingress Peak Bandwidth (Mbps)—The peak load from the HQ/data center location into the cloud service.
• Egress Bandwidth (Mbps)—The bandwidth from Prisma Access into the HQ/data center location.
• Egress Peak Bandwidth (Mbps)—The peak load from Prisma Access into the HQ/data center location.
• QoS—Select this button to display a graphic chart that shows real-time and historical QoS statistics,
including the number of dropped packets per class. This chart displays only for service connections or
remote network connections that have QoS enabled.

Verify Service Connection BGP Status


If you configured BGP, you can check its status by selecting Panorama > Cloud Services > Status >
Network Details > Service Connection > Show BGP Status.

The BGP Status dialog displays. This table provides you with the following information:
• Peer—Routing information for the BGP peer, including status, total number of routes, configuration, and
runtime statistics and counters. The total number of routes displays in the bgpAfiIpv4-unicast Counters
area, in the Incoming Total and Outgoing Total fields.

• Local RIB—BGP routes that Prisma Access uses locally. Prisma Access selects this information from
the BGP RIB-In table, which stores the information sent by neighboring networking devices, applies
local BGP import policies and routing decisions, and stores the Local RIB information in the Routing
Information Base (RIB).
Note that only the first 256 entries are shown. To view additional entries, enter a subnet or IP address in
the Filter field and click Apply Filter to view a subset of the routing entries up to a maximum of 256.

• RIB Out—Routing information that Prisma Access advertises to its peers through BGP update messages.
See How BGP Advertises Mobile User IP Address Pools for an example of this table.

Create a Service Connection to Enable Access
between Mobile Users and Remote Networks
We recommend always creating a service connection, even if you don’t need to access resources at your
organization’s HQ or data center. You must configure a service connection to allow network communication
between mobile users and remote network locations and between mobile users in different geographical
locations.
We recommend creating this type of service connection for the following environments:
• Your deployment includes both remote networks and mobile users and you do not already have a
service connection configured.
• You have mobile users in different geographical areas who need direct access to each other’s endpoints.
• You have already configured a service connection, but the existing service connection is not in an ideal
location between the remote networks and mobile users.
All remote network locations communicate to each other in a mesh network. Mobile users connect to
remote networks using the service connection in a hub-and-spoke network. In some cases, it might
improve network efficiency to place another service connection closer to the remote network or
networks that the mobile users most frequently access.
To configure a service connection to connect mobile users and remote networks, Add a service connection
using the following values:
• Specify a Region that is close to your mobile users.
• Add an IPSec Tunnel and IKE Gateway, using placeholder values.
• Add placeholder Corporate Subnets.
Since Prisma Access doesn’t route any traffic through this tunnel, any value that does not conflict or
overlap with other configured subnets is valid.
The following example shows a Prisma Access deployment with mobile users in different geographical areas
and remote networks. The remote network connections are connected in a mesh network in the Prisma
Access infrastructure, but the mobile users cannot connect to the remote networks. In addition, the mobile
users in different geographic areas cannot connect to each other without a service connection.

After you add a service connection, the service connection connects the mobile users and the remote
networks in a hub-and-spoke network.

Another case where a service connection of this type is useful is when the service connection is far from
the mobile users. The following figure shows an example of this network deployment.

Adding a second service connection that is closer to the mobile users creates a more efficient network
between the mobile users and remote networks.

Deployment Progress and Status
When you configure, commit, and push your changes for a service connection, remote network
connection, mobile user deployment, or clean pipe instance, Prisma Access begins a series of events to
complete the deployment process. To allow you to view the progress of onboarding and deployment
jobs before they complete, and to view the status of completed jobs, Prisma Access provides you with
deployment status information that is available on the Prisma Access status page.
Checking the progress of a job is useful if, for example, you need the Service IP Address of a service
connection or remote network connection to complete the IPSec tunnel connection to your customer
premises equipment (CPE). Since Prisma Access does not create the Service IP Address until onboarding
is complete, you can view the status of the onboarding job from the deployment status page, instead of
refreshing the Network Details page and waiting for the Service IP Address to display.
To view the status of deployment jobs, select Panorama > Cloud Services > Status > Status.

The Deployment Status area displays a graphic element (a bubble) showing the status of the deployment,
along with the following text:

Deployment Status Text Description

Started The deployment job has started.

In-Progress The deployment job is in progress.

Success The deployment job succeeded.

Failed The deployment job failed.

Timeout The deployment job timed out.

Warning The deployment job was partially successful; some commit
operations succeeded and some commit operations failed.

Click details to view the Job ID of the job, its status, and the percentage of its completion. The Job ID field
is the Job ID that is associated with the commit operation in Panorama.

To view more details of a specific deployment job, click the left arrow next to Job ID. The following
screenshot shows the deployment status of a commit that has the Panorama Job ID of 1555. The overall
status is Warning because two of the nodes failed during the commit stage.

The first line of the job status shows the following information:
• The type of deployment job (Service Connections, Remote Networks, or Clean Pipe), or the type of
mobile user onboarding operation (GlobalProtect Gateways, GlobalProtect Portals, or both gateways
and portals).
• The Number of Nodes that are in the job.
Nodes represent the number of cloud firewalls, gateways, or portals that Prisma Access is configuring
for a specific job. The number of nodes does not always correspond to the number of Service Connections,
Remote Networks, mobile user locations, or Clean Pipe instances that you deployed; for example,
onboarding a location might cause configuration changes to both Prisma Access firewalls and portals.
• The number of nodes that are still being provisioned (Provisioning in Progress).
• The number of nodes that failed (Provisioning Failed).
• The number of nodes that completed provisioning (Provisioning Complete).
The next line in the table provides more granular information about the deployment job. The following
screenshot shows three mobile user locations (Australia Southeast, South Africa West, and Brazil East)
being successfully onboarded.

Field Description

Name (Service Connection, Remote Network, and Clean Pipe deployments only)
The name of the service connection, remote network connection, or clean pipe instance.

Location
The location where the service connection, remote network connection, mobile user, or clean pipe
node was onboarded.

Node Status
The status of the deployment operation.
• Validation Checks In Progress—The deployment job has started, and preliminary checks are in
progress.
• Validation Checks Succeeded—The deployment job has started, and preliminary checks have
succeeded.
• Validation Checks Failed—The job failed during validation. More information about the failure is
available in the Error Details area.
• Commit In Progress—Validation checks have completed, and the commit job is in progress.
• Commit Succeeded—Validation checks have completed, and the commit job succeeded.
• Commit Failed—The job failed during the commit stage. More information about the failure is
available in the Error Details area.
• Deployment In Progress—Preliminary checks and commit operations have completed for the job, and
deployment is in progress.
• Deployment Succeeded—The job completed all stages and was successful.
• Deployment Failed—Preliminary checks and commit operations completed, but the job failed during
the deployment stage. More information about the failure is available in the Error Details area.

Action Needed
If a job failed, provides additional information about the steps you can perform to fix the issue (either
Commit and push your changes from Panorama again or Open a support case).

Prisma Access does not retain the details of jobs that you onboard and later delete. For example, job 42233
added the Australia Southeast, South Africa West, and Brazil East mobile user locations. If you delete those
locations later, clicking the left arrow next to Job ID for job 42233 does not provide any additional details
about the job.

How BGP Advertises Mobile User IP Address
Pools for Service Connections and Remote
Network Connections
If you enable BGP for service connections or remote network connections, after you Configure Prisma
Access for Users, Prisma Access allocates the mobile user IP address pools you specified using Class C
(/24) address blocks. BGP therefore advertises allocated mobile user subnets in blocks of /24, rather
than the entire pool(s) associated with that region. When Prisma Access adds a /24 subnet for a Prisma
Access gateway, it automatically sends a BGP advertisement. As subnets are added and removed, Prisma
Access automatically updates its BGP advertisements. This allocation method provides more flexibility
when advertising BGP routes, especially if you configured a Worldwide pool instead of allocating pools per
region. Dividing the IP address pool into smaller subnets allows the same subnet to be added, removed, or
deleted and then reused in different regions when allocated address space is exhausted.
The following screenshot, from Panorama > Cloud Services > Status > Network Details > Mobile Users,
shows three /20 IP pools for mobile users divided by region.

The RIB Out table, from Panorama > Cloud Services > Status > Network Details > Service Connection >
Show BGP Status (in the Branch AS and Router area), shows the mobile users address pool divided into
blocks of /24 subnets for BGP route advertisements. Note that the entire /20 subnets are not advertised.
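To make the /24 carving concrete, the following added model (not Palo Alto Networks code; the pool sizes, region names and the fall-back to a Worldwide pool are assumptions) splits per-region pools into /24 blocks and shows what a BGP peer sees in RIB Out as gateway subnets are added, withdrawn and reused:

```python
"""Model of how Prisma Access carves mobile user IP pools into /24 blocks for
BGP advertisement. Constructed illustration, not Palo Alto Networks code."""
import ipaddress
from typing import Dict, List, Optional, Tuple


class MobileUserPoolAllocator:
    """Hands out /24 subnets to gateways region by region, falling back to the
    Worldwide pool, and records every BGP advertisement and withdrawal."""

    def __init__(self, pools: Dict[str, str]) -> None:
        # pools: region name -> pool CIDR; the key "Worldwide" is the fallback
        # pool (assumed name). Each pool is split into /24 blocks up front.
        self.free: Dict[str, List[ipaddress.IPv4Network]] = {}
        self.origin: Dict[ipaddress.IPv4Network, str] = {}  # block -> source pool
        self.in_use: Dict[ipaddress.IPv4Network, str] = {}  # block -> gateway region
        self.bgp_log: List[Tuple[str, str]] = []            # ("advertise"|"withdraw", prefix)
        for pool, cidr in pools.items():
            net = ipaddress.ip_network(cidr)
            if net.prefixlen > 24:
                raise ValueError(f"pool {cidr} is smaller than a /24 and cannot be split")
            blocks = list(net.subnets(new_prefix=24))
            self.free[pool] = blocks
            for block in blocks:
                self.origin[block] = pool

    def add_gateway_subnet(self, region: str) -> Optional[ipaddress.IPv4Network]:
        """Allocate the next free /24 for a gateway in `region` and advertise it."""
        for pool in (region, "Worldwide"):
            if self.free.get(pool):
                block = self.free[pool].pop(0)
                self.in_use[block] = region
                self.bgp_log.append(("advertise", str(block)))
                return block
        return None  # both the regional and the Worldwide pool are exhausted

    def remove_gateway_subnet(self, block: ipaddress.IPv4Network) -> None:
        """Return a /24 to the pool it came from and withdraw its advertisement."""
        del self.in_use[block]
        self.free[self.origin[block]].append(block)
        self.bgp_log.append(("withdraw", str(block)))

    def rib_out(self) -> List[str]:
        """What the BGP peer sees: only the allocated /24s, never the whole pool."""
        return [str(block) for block in sorted(self.in_use)]


def demo() -> MobileUserPoolAllocator:
    # Constructed pools: a small US pool plus a Worldwide fallback pool.
    alloc = MobileUserPoolAllocator({"US": "10.10.0.0/22", "Worldwide": "10.20.0.0/21"})
    us_blocks = [alloc.add_gateway_subnet("US") for _ in range(5)]  # 5th comes from Worldwide
    alloc.remove_gateway_subnet(us_blocks[0])  # scale-in withdraws 10.10.0.0/24 only
    alloc.add_gateway_subnet("EU")             # EU has no pool of its own: served from Worldwide
    return alloc
```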

Use Traffic Steering to Forward Internet-
Bound Traffic to Service Connections
Prisma Access allows you to create traffic steering rules to specify targets for internet-bound traffic from
mobile users and remote network connections. You can specify the traffic to be redirected to a service
connection before sending to the internet, or you can specify the traffic to directly egress to the internet.
This functionality is known as Traffic Steering.
Alternatively, you can configure Prisma Access to accept a default route from your CPE to Prisma Access
so that Prisma Access forwards internet-bound mobile user traffic to the best service connection in your
deployment.
The following sections provide an overview of default routes and traffic steering, as well as the steps you
take to configure it.
• Default Routes
• Traffic Steering
• Traffic Steering Requirements
• Traffic Steering Examples
• Traffic Forwarding Rule Guidelines
• Zone Mapping and Security Policies for Dedicated Connections
• Configure Traffic Steering

Default Routes
Starting with Prisma Access 1.7, you can configure Prisma Access to accept default routes being advertised
from your CPE to service connections. You can use BGP or static routes to advertise the default route.
Prisma Access uses BGP to advertise these routes over multiple service connections, which allows Prisma
Access to route mobile user traffic through the best service connection for a given mobile user location.
To enable service connections to accept default routes, specify Accept Default Route over Service
Connections when you configure global settings for service connections.
After you enable default routes, your internet-bound traffic will be steered to service connections instead
of egressing from the mobile user locations. This functionality can be useful if you want to redirect internet-
bound traffic to the data center; for example, if you have a third-party security stack in your data center and
you want the stack to perform additional screening or inspection.
Use the following guidelines when implementing default routes:
• Default routes apply to mobile user deployments only; remote network connections operate normally
with no change when you enable default routes.
• You do not need to specify target service connections or traffic steering rules when you allow default
routes, although they are supported for use with default routes. See Traffic Steering Examples for
examples of using default routes with traffic steering.
• When you specify the Accept Default Route over Service Connections setting, all Prisma Access service
connections, with the exception of dedicated service connections, accept default routes and will use the
routes in traffic forwarding decisions.
• Before you enable this setting, make sure that your data centers are sending default routes; otherwise,
routing through service connections will fail.

• Palo Alto Networks recommends that all data centers advertise a default route; when Prisma Access
receives the routes, it can then select the best service connection to use for the remote network
location.
• When you create service connections, use either static routes only or BGP only for the connections. Palo
Alto Networks does not recommend mixing service connections that use BGP and static routes when
using default routes.
• Using default routes is supported with multi-tenant deployments.
• Prisma Access does not forward Clientless VPN, portal, or gateway SAML authentication traffic to a
public identity provider (IdP) using the default route.
For more information and examples of implementing default routes with traffic steering, see Traffic Steering
Examples.

Traffic Steering
In standard Prisma Access deployments, a service connection provides access to internal network resources,
such as authentication services and private apps in your headquarters or data center. Service connections
process internal traffic, where no internet access is required. In some cases, you might want to redirect
internet-bound traffic to the data center. Traffic steering allows you to redirect mobile user or remote
network traffic to a service connection before being sent to the internet.
You can use traffic steering with mobile user deployments, remote network deployments, or a combination
of both. Use traffic steering to direct internet-bound network traffic based on many criteria including IP
addresses, URLs, Custom URL categories, service type (HTTP or HTTPS), User-ID, Dynamic Address Groups
(DAGs) and IP-based External Dynamic Lists (EDLs).

Traffic steering is not supported with multi-tenant deployments.

There are two action types supported with traffic steering:
• Forward to the target—Use the criteria in traffic steering rules to forward internet-bound traffic through
a target you create that uses one or more service connections.
• Forward to the internet—Use the criteria in traffic steering rules to directly forward traffic from its
source (mobile user location or remote network connection) to the internet, without being forwarded to
a service connection.
If you forward to a target, you can choose to create two types of target groups: dedicated and non-
dedicated.
• A service connection that is used only for traffic steering-related traffic is a dedicated service
connection. To set a service connection to be used as a dedicated service connection, select Dedicated
for PBF Only when you configure traffic steering in Panorama.
You might want to configure a dedicated service connection if you use a third-party security stack that
is outside of your organization’s internal network to process traffic before it is sent to a public SaaS
application or the internet. Because the security stack is not a part of your organization’s network, you
don’t want this service connection to process any internal network traffic.
• A service connection that is used for traffic steering and for standard service connection-related
traffic (such as traffic going to an authentication server in the data center) is a non-dedicated service
connection.
Setting a service connection as a dedicated service connection causes the following changes to your
deployment:

• The service connections apply source NAT to the forwarded traffic. The source IP address is the
EBGP Router address of the service connection (Panorama > Cloud Services > Status > Network
Details > Service Connection > EBGP Router), which is taken from the Infrastructure Subnet
(Panorama > Cloud Services > Status > Network Details > Service Infrastructure).
• The zone for all service connections associated with this target changes from Trust to Untrust. Check
your zone mapping and security policies to make sure that your network reflects this change.
• Service connections that are configured as dedicated service connections do not participate in BGP
routing, either internally or externally.
• If your dedicated service connection uses BGP, the BGP status shows as Not Enabled when you
open the status page (Panorama > Cloud Service > Status > Monitor > Service Connection), select a
region, then select the Status tab. To check the BGP status of a service connection, check the service
connections configuration page (Panorama > Cloud Services > Configuration > Service Connection).

Traffic Steering Requirements
Before you implement traffic steering in your Prisma Access deployment, make sure that your network
environment has the following infrastructure requirements:
• Prisma Access must be able to connect to the IPSec-capable CPE (such as a router or SD-WAN device)
that your organization uses to terminate the service connection, and the IP address for the device must
be reachable from Prisma Access.
You create a service connection using standard IPSec and IKE cryptographic profiles between the stack
location and Prisma Access. You can use static routes, BGP, or a combination of both when you create
a service connection and use traffic steering. If you use default routes with traffic steering, Palo Alto
Networks recommends that you use either BGP only or static routes only. If you use static routing,
specify the public IP address used by the organization’s CPE as the Peer Address when you create an
IKE gateway.
• Prisma Access might not match the first few packets of a URL in a policy-based forwarding rule, which
means that the first few packets of a network session (for example, a TCP handshake) might not match
the rule. Palo Alto Networks recommends that, for URLs that you use in traffic steering rules, you create
a security policy rule to allow them through the Untrust zone so that the handshake can complete when
a new session begins.
• If you are using this configuration with a security stack, the stack location must be reachable from the
service connection by a standard IPSec tunnel configuration.
Use the following guidelines when configuring traffic steering:
• You can specify up to 1,000 URLs (aggregated) in a traffic steering configuration, including wildcard
(*.example.com) URLs.
This number includes manually entered URLs, wildcard URLs, and URLs that are entered in a custom URL
category.
• Prisma Access prepends an asterisk to URLs in custom URL categories, if you use this category in a
traffic steering forwarding rule. If you use the same URL category policies for both traffic steering and
other security policy rules, these changes apply to both the traffic steering rules and other security
policy rules.
If you have custom URL categories that are not used in traffic steering forwarding rules, Prisma Access
does not change the URLs in those categories.
• Use all lower-case URLs when you enter URLs in a traffic forwarding rule and when you add URLs in a
custom URL category.
• You can configure a maximum of 100 traffic forwarding rules.

• Traffic steering is not supported in a multi-tenant deployment.
• If you have primary and backup tunnels configured, traffic steering using policy-based forwarding rules
will not work after a failover from the primary (active) to the backup tunnel. Default routing works in a
failover scenario with primary and backup tunnels.

Traffic Steering Examples
The following sections describe different types of traffic steering deployments.

Default Route Example
The following example shows a sample Prisma Access deployment with the following components:
• Two Prisma Access mobile user locations; one in the United States (US) and one in Europe (EU).
• Two Prisma Access service connections; one in the US and one in the EU, with both data centers
sending default routes to the service connections (Accept Default Route over Service Connections is
enabled).
• Two data centers; one in the US and one in the EU.
Each data center has a 3rd-party security stack; for this reason, you want all internet-bound traffic to go
through the data center before egressing to the internet.
When a mobile user sends data center traffic, Prisma Access checks its routing tables, determines the
closest service connection, and forwards the traffic to that service connection. In the following example,
Prisma Access sends data center traffic from the mobile users in the US to Service Connection and traffic
from the mobile users in the EU to Service Connection 2.

Use non-dedicated service connections with default routes; dedicated service connections
do not participate in BGP routing, so they cannot receive BGP advertisements from the HQ
or data center.

To enable default routes, select Accept Default Route over Service Connections when you configure traffic
steering settings. After you configure this setting and commit and push your changes, Prisma Access sends
internet-bound traffic over the service connections.

Default Routes with Traffic Steering Direct to Internet Example
The following example shows you using more granular control for external SaaS application-bound traffic.
In this case, you want to send Office 365 traffic to egress to the internet directly from the mobile user
location, instead of sending it to the data center for further processing. Use traffic steering along with
default routes for this configuration.

To allow Prisma Access to route Office 365 traffic directly to the internet, perform the following actions:
• Create an EDL (Object > External Dynamic Lists) with IP addresses that match the Office 365 addresses.
• Create a Custom URL category (Objects > Custom Objects > URL Category) with URLs that match
Office 365 URL.
• Create traffic forwarding rules and specify the EDL and URL category you created as destination
match criteria with an Action of Forward to the internet.
This configuration sends Office 365 traffic directly to the internet, while other internet-bound traffic is sent
to the data center for further processing before egressing to the internet.

Default Routes with Traffic Steering and Dedicated Service Connection Example
In this example, in addition to the previous configuration, you have a third-party internet security service,
and you want to send traffic from box.com to be processed by the security service before egressing to the
internet. You do not want to send any other internet-bound traffic to the security service; for this reason,
you create a dedicated service connection for the box.com traffic. After your configuration is complete,
Prisma Access sends *.box.com destination traffic to the stack.

To enable this deployment, you perform the following actions in the Traffic Steering tab:
• Create a Target Service Connection group that assigns one or more service connections to the target
and select Dedicated for PBF Only, which makes the target service connection or connections
dedicated.

If you create a target with more than one service connection, Prisma Access chooses the
best service connection to forward the internet-bound traffic.

• Create a policy-based-forwarding rule that forwards traffic to the URL. The following screenshot shows
the traffic destination being assigned a wildcard URL *.box.com.

• Create an Action in the forwarding rule of Forward to the target and specify the target group name you
created (dedicated in this case).

Traffic Forwarding Rule Guidelines
Traffic steering can process a wide variety of possible configurations; however, it is important to understand
how Prisma Access processes rules, so that you can create rules that are easy to maintain and manage. To
help you create the rules that work best for your deployment, follow these guidelines:
• Prisma Access evaluates rules in the order that you create them (from top to bottom). Specify more
specific rules at the top and more general rules at the bottom.
• Palo Alto Networks recommends that you create multiple rules with fewer matching criteria, instead of
creating fewer rules with multiple types of criteria. Creating simpler rules both speeds up rule creation
and makes it easier to modify a rule.
• Since you cannot move a rule up or down in a list after you create it, carefully plan your rule order
before you create the rules.
• Rules that specify Any source address and User, Any destination, URL, and URL Category, and Any
service are not supported. Use more specific rules; for example, specify a rule with Any source or
destination traffic and a service of service-http and service-https.
• You can specify destination IP addresses, URLs, and URL categories in the same rule. If you do, Prisma
Access uses a logical OR to process the destination criteria in the rule, but processes the URLs and URL
category traffic based on TCP ports 80 and 8080 for HTTP and TCP port 443 for HTTPS.
For a rule with IP addresses, URLs and URL categories, traffic matches the rule if either the IP address,
the URL, or the URL category matches, but processes the URL and URL category traffic based on ports
80, 443, and 8080 only. Palo Alto Networks does not recommend creating a rule of this type; instead,
create simpler rules.

For example, you want to enforce the following rules for your network traffic:
• You have an internal HTTP server with an IP address of 10.1.1.1 in the data center, and you want to
direct internal HTTP and HTTPS traffic to this server.
Traffic to this server should not go to the internet and should be processed internally; therefore, choose
a non-dedicated target for this traffic, because this type of target processes both internal and internet-
bound traffic.
• You want office365.com traffic to be routed directly to the internet.
• You want traffic from *.example.com or any traffic defined in a custom URL category of custom-social-
networking to be routed to a dedicated connection.
• You want any other HTTP and HTTPS traffic to use the same non-dedicated service connection target as
that used for the internal HTTP server.
For this example, create the rules from the most specific to the least specific, as shown in the following
screenshot. Do not add the rule that allows all HTTP and HTTPS traffic first, or Prisma Access would direct
all HTTP and HTTPS traffic to the non-dedicated connection without evaluating any of the other rules.

Zone Mapping and Security Policies for Dedicated Connections
If you create a target that uses a dedicated service connection, the zone for the dedicated service
connection changes from Trust to Untrust (non-dedicated service connection targets do not change their
zones). Since you cannot create zones or configure zone mapping for service connections, you make zone
mapping and security policy changes for dedicated service connections to the mobile users and device
groups instead. Complete the following steps to configure zone mapping for dedicated connections.

These steps show a sample configuration; you can tailor this example to suit your
deployment.

STEP 1 | Select Network > Zones.

STEP 2 | Select the correct Template from the drop-down list (either Mobile_User_Template for mobile
users or Remote_Network_Template for remote networks).
If you have a mobile user and a remote network deployment, you need to perform these steps twice;
once in the Mobile_User_Template and once in the Remote_Network_Template.

STEP 3 | Add two zones for your trusted and untrusted zones.
This example creates two zones called Trust and Untrust.

STEP 4 | Create default policies for the zones you created.
1. Select Policies > Security > Post Rules.
2. Select the correct Device Group from the drop-down list (either Mobile_User_Device_Group for
mobile users or Remote_Network_Device_Group for remote networks).
If you have a mobile user and remote network deployment, you need to perform these steps twice;
once in the Mobile_User_Device_Group and once in the Remote_Network_Device_Group.
3. Add a default policy to use for Trust zone-to-Trust zone traffic.
This policy allows Any traffic to pass for all Source, User, Destination, Application, and Service/URL
Category traffic.

4. Add a default policy to use for Trust zone-to-Untrust zone traffic, using the same parameters you
used for the Trust-to-Trust policy.
When complete, you have two security policies, one for Trust-to-Trust traffic and one for Trust-to-
Untrust traffic.

STEP 5 | Define Zone Mapping for the remote networks, mobile users, or both, as required for your
deployment.
1. Set the zone mapping for the remote networks, mobile users, or both.
• For mobile users, select Panorama > Cloud Services > Configuration > Mobile Users.
• For remote networks, select Panorama > Cloud Services > Configuration > Remote Networks.
2. Click the gear icon next to Zone Mapping to edit the settings.

3. Set the Zone Mapping for your deployment, moving the zone for trusted traffic to the Trusted Zones
and the zone for untrusted traffic to the Untrusted Zones; then, click OK.

Configure Traffic Steering
Configure traffic steering for your deployment by completing the following steps.

STEP 1 | (Existing traffic forwarding deployments only) If you were using rules to forward traffic to service
connections before Cloud Services plugin 1.7 was released, make a note of the changes that
Prisma Access applies after you upgrade the plugin.
• For URLs in rules, including URLs in custom URL categories, Prisma Access makes the following
changes during the upgrade to 1.7:
• Prisma Access no longer supports URLs with wildcards using the format *example.com,
*fqdn.example.com, or fqdn.example.*. If you have any URLs in this format, Prisma Access notes
them after the upgrade and asks you to change them.
• Prisma Access prepends existing URLs in rules with *. For example, Prisma Access prepends a URL
of example.com with *.example.com, which means that URLs of example.com, www.example.com,
and fqdn.example.com match a URL of example.com.
• Prisma Access prepends an asterisk to URLs in custom URL categories, if you use this category
in a traffic steering forwarding rule. If you use the same URL category policies for both traffic
steering and other security policy rules, these changes apply to both the traffic steering rules and
other security policy rules.
If you have custom URL categories that are not used in traffic steering forwarding rules, Prisma
Access does not change the URLs in those categories.
• For existing URLs in rules with wildcards, Prisma Access adds a URL with no wildcards. For
example, for a URL of *.example.com, Prisma Access adds a URL of example.com so that URLs of
example.com match as well as www.example.com and fqdn.example.com.
• Prisma Access adds service-http and service-https in the Service tab to URLs. Prisma Access
continues to use only TCP ports 80 and 8080 for HTTP and TCP port 443 for HTTPS to process
URLs.
• Prisma Access moves custom URL categories from the URL area to the URL Category area.
• Service connections that are part of a traffic forwarding target group with configuration set to
Dedicated for PBF only no longer participate in static and BGP routing. You must ensure that there
are no routable networks behind the service connections that are included in this type of target
group.

STEP 2 | Onboard your service connections, mobile users and remote networks, as applicable to your
deployment.

STEP 3 | Select Panorama > Cloud Services > Configuration > Traffic Steering.

STEP 4 | (Optional, mobile user deployments only) Allow Prisma Access to accept and install the default
route advertised over one or more service connections from the CPE by clicking the gear icon
to open the Settings and selecting Accept Default Route over Service Connections.

Default routes have specific guidelines that you must follow when using them; for example, default
routes are supported for mobile user deployments only and have no effect on remote network
deployments. Be sure to review these guidelines before implementing default routes with traffic
steering.

STEP 5 | (Optional) Create a target group and assign a service connection to it.
1. In the Target Service Connections for Traffic Forwarding area, Add a group and give it a Group
Name.
2. Add a Target for the traffic, specifying the Service Connection to use with the target; then, click OK.
You can specify multiple service connections for a single target as long as they are in different
locations and Prisma Access will select the best service connection to use. However, a given service
connection can only exist in one target and you cannot add a single service connection to two
different targets.

3. Choose whether to make the service connections associated with this target a dedicated service
connection.
• You can use a dedicated service connection to steer traffic to a third-party security stack or
cloud that is not on your premises and does not need to participate in routing. To set a service
connection to be used as a dedicated service connection, select Dedicated for PBF Only.

Dedicated service connections change their zones; see Traffic Steering for details.

• Deselect Dedicated for PBF Only if you will send both normal service connection-related and
traffic steering traffic through the service connection; with this choice, the zone for the service
connection remains as Trust.

STEP 6 | Create rules for the target you created and apply them to the target.

1. In the Traffic Forwarding Rules area, Add a traffic forwarding rule.
2. In the General tab, Name the traffic forwarding rule.
3. In the Source tab, specify rules for source traffic.
• In the Source Address field, specify one or more of the following objects, or select Any to have
traffic from any source go to this target:
• An IP address
• An address object that you created in Panorama (Objects > Addresses)
• A Dynamic Address Group (DAG)
• An IP address-based External Dynamic List (EDL) (URLs are not supported in EDLs)
• In the Source User field, specify rules for source user traffic. You can specify the following user
information:
• Users
Enter users in either the domain/user or the user@domain format.
• User groups
Use full distinguished names (DNs) when entering user groups.
• Users configured on Panorama (Device > Local User Database > Users)
• User groups configured on Panorama (Device > Local User Database > User Groups)
If you use address objects, DAGs, EDLs, users, or user groups, specify them as Shared to share them
with all device groups in Prisma Access.

Prisma Access automatically populates users from the mobile users device group
only.
4. In the Destination tab, specify the following values:
• In the Destination area, specify one of the following criteria, or select Any to have traffic
processed by the rules in the URL and URL Category fields:
• An IP address or prefix
• An address object that you created in Panorama (Objects > Addresses)
• A Dynamic Address Group (DAG)
• An IP address-based External Dynamic List (EDL)

Do not enter 0.0.0.0/0 in address objects, DAGs, or EDLs; instead, enter
0.0.0.0/0 directly in the rule.
Leave Any selected to pass all traffic to be processed by the rules in the URL and URL Category
areas. If you specify rules in the Destination, URL, and URL Category areas, Prisma Access
processes the rules in the following order:
1. Destination
2. URL
• In the URL area, enter URLs. Enter URLs in all lower case. Prisma Access uses only TCP ports 80
and 8080 for HTTP and TCP port 443 for HTTPS to process URLs.
You can use wildcards with URLs. The following wildcard formats are supported:
• *.example.com
• *.fqdn.example.com
The following formats are not supported:
• *example.com
• *fqdn.example.com

• fqdn.example.*
URLs entered in the URL area for traffic forwarding rules do not use the same URL pattern
matching that is used by next-generation firewalls. Instead, they use the pattern matching as
described in the following table.

URL Entered in URL Area      URL Matches the Following Patterns

example.com                  • example.com
                             • www.example.com
                             • *.example.com

*.example.com                • example.com
                             • www.example.com
                             • *.example.com

fqdn.example.com             • fqdn.example.com
                             • www.fqdn.example.com
                             • *.fqdn.example.com

*.fqdn.example.com           • fqdn.example.com
                             • www.fqdn.example.com
                             • *.fqdn.example.com
• In the URL Category field, enter a custom URL category (Objects > Custom Objects > URL
Category). When you create a custom URL category, enter URLs in all lower case. Traffic steering
supports custom URL categories only.
Wildcards for URL categories follow next-generation firewall guidelines. If you create a URL
Category, make sure that you configure it as Shared.
Use the following guidelines when configuring destination options:
• Selecting Any in the URL area of the Destination tab overrides any selections you make in the
Destination area and changes those selections to Any.
• If you specify a URL or URL category, Prisma Access only matches HTTP and HTTPS traffic, even
when service is set to Any.

5. In the Service tab, specify a service type.

Specify service-http to forward HTTP traffic and specify service-https to specify HTTPS traffic.
Select Any to forward traffic of any service type.
6. In the Action tab, select the Target Group Name that you want to apply to the traffic forwarding rule.
7. Forward traffic to the specified service connection target, or send the traffic directly to the internet
without going through the service connection.
• To have Prisma Access forward traffic to a service connection target, select Forward to the target;
then select the Target Group Name.
• To have Prisma Access forward traffic directly to the internet without first sending it to a service
connection, select Forward to the internet.

8. Click OK to save your changes.

STEP 7 | (Optional) Specify additional traffic steering rules.
Prisma Access processes multiple rules in the order that you create them (from top to bottom).

STEP 8 | Commit your changes locally to make them active in Panorama.
You only have to perform this step if your configuration includes mobile users; skip this step if your
configuration only includes Prisma Access for remote networks with no mobile user configuration.
1. Select Commit > Commit to Panorama.
2. Make sure that the device groups, templates, and template stacks are part of the Commit Scope.
3. Click OK to save your changes to the Commit Scope.
4. Commit your changes.

STEP 9 | Commit and push your changes to make them active in Prisma Access.
1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
2. Select Prisma Access, then select Service Setup, Remote Networks, and Mobile Users.

3. Click OK to save your changes to the Push Scope.


4. Commit and Push your changes.

Routing Preferences for Service Connection Traffic
Prisma Access uses BGP for dynamic routing, and uses BGP path selection to install routes in the route
table. When Prisma Access routes traffic to your headquarters or data center using service connections, it
uses routing methods that direct that traffic effectively. Prisma Access uses a default routing model that
was designed to fit the majority of network deployments; however, not all organizations' networks are the
same. To fit a wider range of deployments, Prisma Access allows you to choose another mode for service
connection routing. The following sections describe the BGP routing methods that Prisma Access uses,
along with the factors you need to consider in your organization's network before changing the Prisma Access
default method of service connection routing.

Changing the Prisma Access service connection routing method requires a thorough
understanding of your organization’s topology and routing devices, along with an
understanding of how Prisma Access routing works as described in this section. We
recommend that you read this section carefully before changing the routing method from the
default setting.

Prisma Access supports static routing and dynamic routing using BGP for service and remote network
connections; this section assumes that you use BGP routing for your Prisma Access deployments. When
you select BGP routing, your organization’s network learns BGP information from Prisma Access.
• Routing Modes for Service Connections
• Mobile User and Remote Network Routing to Service Connections Overview
• Prisma Access Default Routing
• Hot Potato Routing
• Configure Routing Preferences

Routing Modes for Service Connections


You can choose from the following routing modes with Prisma Access:
• Default routing—This is the current routing model that Prisma Access uses.
Use this routing mode if you want Prisma Access to use BGP best path-selection mechanisms without
adjusting any of the BGP attributes. In this mode, Prisma Access will honor any attribute advertised by
the customer premises equipment (CPE).
• Hot Potato Routing—Prisma Access hands off the traffic as quickly as it can to your organization’s
network.
Use this routing method if you want your organization’s network to perform the majority of routing
decisions.

Mobile User and Remote Network Routing to Service Connections Overview

It is useful to understand how Prisma Access routes traffic between mobile users, remote networks, and
service connections, because mobile user traffic and remote network traffic reach service connections
over different routing topologies.
Mobile User-service connection routing—The mobile user connection forms an IPSec tunnel with the
nearest service connection. Prisma Access uses iBGP for internal routing and eBGP to peer with the
customer premises equipment at the data center. The following diagram shows mobile users in Regions
1 and 2 being routed to the respective service connections in that region. Mobile users in Region 1 are
accessing applications A and B located at Data Center 1. If your organization's network uses BGP routing
for its service connections and a service connection experiences an ISP failure at Data Center 1, Prisma
Access detects the failure and, after BGP convergence, routes the traffic for applications A and B to
Data Center 2, providing redundancy for your data centers.

Prisma Access uses the following timing with BGP when it detects a failure: if you configure
BGP routing and enable tunnel monitoring, the tunnel monitor provides the shortest failure
detection time for a failing IPSec security association (SPI). The tunnel monitor removes all
routes to a peer when it detects that the tunnel has been down for 15 consecutive seconds,
so the tunnel monitor, not the BGP hold timer, determines when the BGP routes are withdrawn.
If you do not configure tunnel monitoring, the BGP hold timer determines how long the tunnel
must be down before Prisma Access removes the route. Prisma Access uses the default BGP
HoldTime value of 90 seconds defined by RFC 4271, which is therefore the maximum wait before
Prisma Access removes a route for an inactive SPI. If the peer BGP device is configured with
a shorter hold time, the session uses the lower value. When the secondary tunnel is successfully
installed, the secondary route takes precedence until the primary tunnel comes back up. If the
primary and secondary tunnels are both up, the primary route takes priority.

Remote Network-service connection routing—Prisma Access creates a full mesh network with other
remote networks and service connections. As with mobile users, Prisma Access uses iBGP for its internal
routing and eBGP to peer with customer premises equipment to exchange routes. If a user in Branch 1 is
accessing application A from Data Center 1 in your organization’s data center and the link between Branch
1 and Data Center 1 goes down, Prisma Access routes the traffic for application A to Data Center 2 after
BGP convergence.

Prisma Access Default Routing
The following figure shows an example of Prisma Access routing service connection traffic in default routing
mode. The organization’s network has three separate networks in three data centers and does not have a
backbone connecting the networks. In default routing mode, mobile user pools are advertised equally on
the three networks, as shown at the bottom of the figure.
Note that, when Prisma Access advertises mobile user routes, it divides the pool into /24 address
blocks before advertising them; thus, it advertises the /20 mobile user subnets in chunks of /24 as
prefixes are consumed by the gateways.
Make a note of how Prisma Access uses BGP route advertisements:
• Prisma Access does not adjust the default BGP attributes for mobile user advertised routes (Prisma
Access adds its AS number to the route advertisements).
• Prisma Access advertises mobile user routes in blocks of /24 subnets and adds BGP community values
to the routes it advertises through the service connection. The following figure shows a mobile user
deployment with three service connections and three different IP address blocks specified for the mobile
user IP address pool: 192.168.64.0/20 for the Asia, Australia & Japan region, 192.168.72.0/20
for the Africa, Europe & Middle East region, and 192.168.48.0/20 for the North America & South
America region. Prisma Access divides these routes into blocks of /24 and advertises them with the
Prisma Access AS number of 65534, but also appends BGP community values to the advertisements
(Z for Asia, Y for EU, and X for US). Those routes are shown in the middle of the figure. In this way, you
can differentiate service connections in your network, even though Prisma Access assigns the same AS
number to all of them.

You can view the community string by selecting Panorama > Cloud Services > Status > Network Details >
Service Connection > Show BGP Status and find the Community field in the Peer tab.

The following figure shows a more common network with a full-mesh eBGP backbone. The figure shows
the routes that Prisma Access has learned from your organization’s network on the top right. Note the extra
routes that Prisma Access has learned through the Prisma Access backbone (iBGP) and your organization’s
backbone (eBGP).
For traffic between mobile users in the North America & South America region (US in the diagram) and the
data center in your organization’s Africa, Europe & Middle East region (EU in the diagram), Prisma Access
chooses the path through the EU service connection because it prefers routes with a shorter AS-PATH.

In deployments with a full-mesh eBGP backbone, asymmetry can arise when Prisma Access cannot reach a
particular data center due to an ISP/CPE failure at the customer's data center. The following figure shows
what could happen when the link to the EU service connection goes down. Your network detects the link
failure and builds a new route table for AS 200. Traffic from the US service connection to AS 200 uses the
path through AS 100 because the eBGP route for your backbone between AS 200 and AS 100 is preferred
to the iBGP route between the EU and US service connections. However, return traffic is not guaranteed
to take the same path, because the on-premises CPE can choose either path (shown in red) to return the
traffic.

The previous examples show a network whose routes have not been aggregated (that is, you have not
performed route summarization before you send the BGP route advertisements to Prisma Access). The
following example shows a network that summarizes its routes to 10.0.0.0/8 before sending to Prisma
Access. If you select default routing, this configuration can lead to asymmetric routing issues, because
Prisma Access cannot determine the correct return path from the summarized routes.

If your Prisma Access deployment has Remote Networks, Palo Alto Networks does not
recommend the use of route summarization on Service Connections. Route summarization
on service connections is for Mobile Users deployments only.

If you use route aggregation for mobile users, we strongly recommend that you enable hot potato
routing instead of default routing, where Prisma Access hands off the traffic as quickly as possible to
your organization’s network; in addition, we recommend that you select a Backup SC as described in the
following section for each service connection to have a deterministic routing behavior.

Hot Potato Routing


When you select Hot Potato Routing, Prisma Access egresses the traffic bound to service connections/data
centers from its internal network as quickly as possible.
With hot potato routing, Prisma Access prepends its AS number to the AS path (AS-PATH) of the BGP prefix
advertisements for gateway (mobile user) prefixes. This prepending is performed when the prefixes are
advertised out of the service connection to your organization's on-premises CPE. Prisma Access prepends
the AS-PATH so that your CPE gives the correct preference to the primary and secondary tunnels: if the
primary tunnel goes down, your CPE chooses the secondary tunnel as the backup because its AS-PATH is
the next shortest.
If you specified a different IP address for the secondary (backup) BGP peer, Prisma Access adds one more
prepend for each prefix type, as shown in the following table.

Prefix Type                                          Service Connection Tunnel Type                                 Number of AS-PATH Prepends   Total AS-PATHs Seen on the CPE

Gateway prefixes from primary service connection     Primary or secondary tunnel with the same BGP peer IP address  0                            1
Gateway prefixes from backup service connection      Primary or secondary tunnel with the same BGP peer IP address  3                            4
Gateway prefixes from all other service connections  Primary or secondary tunnel with the same BGP peer IP address  6                            7
Gateway prefixes from primary service connection     Secondary tunnel with a different BGP peer IP address          1                            2
Gateway prefixes from backup service connection      Secondary tunnel with a different BGP peer IP address          4                            5
Gateway prefixes from all other service connections  Secondary tunnel with a different BGP peer IP address          7                            8

In hot potato routing mode, Prisma Access allows you to specify a backup service connection (Backup SC)
during onboarding. Specifying a Backup SC informs Prisma Access to use that service connection as the
backup when a service connection link fails.
The following figure shows a hot potato routing configuration for traffic between the US service connection
and AS 200, with the EU service connection configured as the Backup SC of the US connection. Using hot
potato routing, Prisma Access sends the traffic from its closest exit path through the US service connection.
The return traffic takes the same path through AS 100 because this path has the shortest AS-PATH to the
mobile user pool in the US location. Prisma Access prepends the AS-PATH of its prefix advertisements
depending on whether the tunnel is a primary tunnel, a backup tunnel, or not used for either primary or
backup.

Because you have set up a backup service connection, if the link to the US service connection goes down,
hot potato routing sends the traffic out using its shortest route through the EU service connection. This
routing scenario also applies to networks that use route aggregation.

You can also use backup service connections for multiple service connections in a single region. The
following figure shows a Prisma Access deployment with two service connections in the North America
region. In this case, you specify a Backup SC of US-E for the US-W service connection, and vice versa, to
ensure symmetric routing.

Configure Routing Preferences


To enable routing preferences, complete the following steps.
• To change the routing defaults, choose between Default and Hot Potato Routing when you configure
the Service Setup for service connections.
• To specify a preferred service connection to use if a link fails, configure a Backup SC when you create a
service connection.

List of Prisma Access Locations
The following table lists the available locations for Prisma Access.
The locations are listed alphabetically and by region. When you onboard service connections or
remote network connections, the locations appear alphabetically in the drop-down. When you onboard
mobile users, the locations are sorted by region. If you are in North America, we provide a map you can use
as a reference.
• List of Locations
• List of Locations by Region
• Map of North America Locations

List of Locations
The following table provides an overall list of locations.

Locations

Andorra

Argentina

Australia East

Australia South

Australia Southeast

Austria

Bahrain

Bangladesh

Belarus

Belgium

Bolivia

Brazil Central

Brazil East

Brazil South

Bulgaria

Cambodia

Canada Central

Canada East

Canada West

Chile

Colombia

Costa Rica

Croatia

Czech Republic

Denmark

Ecuador

Egypt

Finland

France North

France South

Germany Central

Germany North

Germany South

Greece

Hong Kong

Hungary

India North

India South

India West

Indonesia

Ireland

Israel

Italy

Japan Central

Japan South

Jordan

Kenya

Kuwait

Liechtenstein

Lithuania

Luxembourg

Malaysia

Mexico Central

Mexico West

Moldova

Monaco

Myanmar

Netherlands Central

Netherlands South

New Zealand

Nigeria

Norway

Pakistan South

Pakistan West

Panama

Papua New Guinea

Paraguay

Peru

Philippines

Poland

Portugal

Romania

Russia Central

Russia Northwest

Saudi Arabia

Singapore

Slovakia

Slovenia

South Africa Central

South Africa West

South Korea

Spain Central

Spain East

Sweden

Switzerland

Taiwan

Thailand

Turkey

UK

Ukraine

United Arab Emirates

US Central

US East

US Northeast

US Northwest

US South

US Southeast

US Southwest

US West

Uzbekistan

Venezuela

Vietnam

List of Locations by Region


The following table provides you with a list of locations separated by region.

Locations

Africa Region

Kenya

Nigeria

South Africa Central

South Africa West

Asia Region

Bangladesh

Cambodia

Hong Kong

India North

India South

India West

Indonesia

Malaysia

Myanmar

Pakistan South

Pakistan West

Papua New Guinea

Philippines

Singapore

South Korea

Taiwan

Thailand

Vietnam

ANZ Region

Australia East

Australia South

Australia Southeast

New Zealand

Europe Region

Andorra

Austria

Belarus

Belgium

Bulgaria

Croatia

Czech Republic

Denmark

Finland

France North

France South

Germany Central

Germany North

Germany South

Greece

Hungary

Ireland

Italy

Liechtenstein

Lithuania

Luxembourg

Moldova

Monaco

Netherlands Central

Netherlands South

Norway

Poland

Portugal

Romania

Russia Central

Russia Northwest

Slovakia

Slovenia

Spain Central

Spain East

Sweden

Switzerland

UK

Ukraine

Uzbekistan

Japan Region

Japan Central

Japan South

Middle East Region

Bahrain

Egypt

Israel

Jordan

Kuwait

Saudi Arabia

Turkey

United Arab Emirates

North America Region

Canada Central

Canada East

Canada West

Costa Rica

Mexico Central

Mexico West

Panama

US Central

US East

US Northeast

US Northwest

US South

US Southeast

US Southwest

US West

South America Region

Argentina

Bolivia

Brazil Central

Brazil East

Brazil South

Chile

Colombia

Ecuador

Paraguay

Peru

Venezuela

Map of North America Locations


To assist you with onboarding service connections, remote networks, and mobile user locations in North
America, use the following map as a reference.

Secure Mobile Users with Prisma Access
Securing mobile users from threats and risky applications is often a complex mix of procuring
and setting up the security and IT infrastructure and then ensuring bandwidth and uptime
requirements in multiple locations around the globe while staying within your budget.
However, with Prisma Access for users (formerly GlobalProtect cloud service for mobile users),
the infrastructure is deployed for you and scales based on the number of active users and
their locations. Users then connect to Prisma Access for mobile users to receive their VPN
configuration, which routes them to the closest Prisma Access gateway for policy enforcement.
This enables you to enforce consistent security for your users even in locations where you do
not have a network infrastructure and IT presence.
To configure this service, you must supply an IP address pool that will be used to assign IP
addresses for the client VPN tunnels. The addresses in this pool must not overlap with other
address pools you use internally or the IP subnet you assign when you Enable the Service
Infrastructure.

> Plan To Deploy Prisma Access for Users


> Configure Prisma Access for Users
> Zone Mapping
> Specify IP Address Pools for Mobile Users
> How the GlobalProtect App Selects a Prisma Access Location for Mobile Users
> View Logged In User Information and Log Out Current Users
> Quick Configs for Mobile User Deployments
> Report Website Access Issues

Plan To Deploy Prisma Access for Users
To ensure that you will be able to successfully enable the service and enforce consistent policy for your
mobile users (protecting users with the GlobalProtect app installed on their endpoints and allowing users to
securely access applications using Clientless VPN), make sure you account for the following configuration
requirements before you begin to Configure Prisma Access for Users.
Use this checklist to make sure that you have everything ready to deploy your Prisma Access for users.
Pre-Installation checklist:
• IP address pool—To configure Prisma Access for users, you need to provide an IP address pool
that does not overlap with other IP addresses you use internally or with the IP address pool you
designated for the Infrastructure Subnet.

We recommend using an RFC 1918-compliant IP address pool. While the use of non-
RFC 1918-compliant (public) IP addresses is supported, we do not recommend it
because of possible conflicts with internet public IP address space. In addition, do not
specify any subnets that overlap with the 100.64.0.0/15 subnet range because Prisma
Access reserves that subnet for its own internal use.

Prisma Access uses this IP address pool to assign IP addresses to the virtual network adapters
of endpoints when they connect to Prisma Access using the GlobalProtect app. Each device that
connects to a Prisma Access mobile user gateway requires its own IP address. You specify the
IP address pools that Prisma Access uses for the IP address allocation during the mobile user
onboarding process. We recommend that the number of IP addresses in the pool is 2 times the
number of mobile user devices that will connect to Prisma Access. If your organization has a bring
your own device (BYOD) policy, or if a single user has multiple user accounts, make sure that you
take those extra devices and accounts into consideration when you allocate your IP pools. If the IP
address pool reaches its limit, additional mobile user devices will not be able to connect.
When mobile user devices connect to a gateway, Prisma Access takes IP addresses from the pools
you specified and allocates them to the gateway in /24 blocks. When a /24 block reaches its limit
as more user devices log in, Prisma Access allocates more /24 blocks from the pool to the gateway.
Prisma Access advertises these /24 subnets into its backbone as they are allocated based on their
gateway assignments.
• Template—Prisma Access for users automatically creates a template stack and a top-level template
for the cloud service. If you are already running GlobalProtect on premise and you want to
leverage your existing configuration, you can add additional templates to the stack to push existing
GlobalProtect portal, GlobalProtect gateway, User-ID, server profile (for example, for connecting
to your authentication service), certificate, and SSL/TLS service profile configurations to Prisma
Access for users. If you do not have templates with existing configuration settings, you can manually
enter the required configuration settings when you Configure Prisma Access for Users. Additionally,
any template(s) you add to the stack must contain the zone configuration for the zones you use to
enforce Security policy for your mobile users.
• Parent Device Group—When you configure Prisma Access for users, you must specify a parent
device group to use when you push your address groups and Security policy, Security profiles, other
policy objects (such as application groups and objects), HIP objects and profiles, and authentication
policy that the service requires to enforce consistent policy for your remote users.
• Locations to Onboard—Prisma Access provides you with worldwide locations where you can
Configure Prisma Access for Users. Before you onboard your locations, view this list to determine
which locations you should onboard for your mobile users deployment.

Choose locations that are closest to your users or in the same country as your users. If a location is
not available in the country where your mobile users reside, you can pick a location that uses the
same language as your mobile users.
You can also divide the locations by geographical region. Keeping all locations in a single region
allows you to specify an IP address pool for that region only, which can be useful if you have a limited
number of IP addresses that you can allocate to the pool. A single regional IP address pool also
provides more granular control over deployed regions and allows you to exclude regions as required
by your policy or industry regulations.
• Portal Hostname—Prisma Access for users enables you to quickly and easily set up the portal
hostname using a default domain name (.gpcloudservice.com). In this case, the cloud service
automatically publishes the hostname to public DNS servers and handles all certificate generation.
However, you can opt to use your own company domain name in the portal hostname. If you plan to
use your company domain name, you must obtain your own certificates for the portal and configure
an SSL/TLS service profile to point to the certificate before you configure the service. Additionally, if
you use your own domain name in the portal hostname, you also need to configure your DNS servers
to point to the portal DNS CNAME, which is provided during the configuration process.
• Service Connection—You must create and configure a service connection if you want to enable
your mobile users to access resources, such as authentication servers, on your internal network (for
example, an authentication server in your data center or HQ location) or enable your mobile users to
access your remote network locations.
Even if you don’t plan to use the connection to provide access to your internal resources, you must
configure at least one service connection with placeholder values if you want your mobile users
to be able to connect to your remote network locations or if you have mobile users in different
geographical areas who need direct access to each other’s endpoints.
• IPv6 Usage in Your Network—Determine whether you want to perform any mitigation for IPv6
traffic in your network to reduce the attack surface. In a dual stack endpoint that can process both
IPv4 and IPv6 traffic, mobile user IPv6 traffic is not sent to Prisma Access by default and is sent to
the local network adapter on the endpoint instead. For this reason, Palo Alto Networks recommends
that you configure Prisma Access to sinkhole IPv6 traffic.
Post-Installation checklist:
• Add the Public IP Addresses to an allow list in Your Network—After you onboard your locations, you
need to Retrieve Public and Egress IP Addresses for Mobile User Deployments used by each location
and add these locations’ IP addresses to an allow list in your network to allow mobile users access
to SaaS or public applications. If you add more locations, you will also need to retrieve the new IP
addresses that Prisma Access allocates for the newly-added location or locations.
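As an added example that is not part of this guide or of Palo Alto Networks' tooling, the following Python script checks a candidate mobile-user IP address pool against the constraints in the checklist above before you onboard: the pool must not overlap the 100.64.0.0/15 range that Prisma Access reserves, the infrastructure subnet, or your internal ranges; RFC 1918 space is recommended; the pool should hold about twice as many addresses as the devices you expect; and addresses are handed to gateways in /24 blocks, so capacity has to be counted in whole blocks. The subnets, device counts and function names used here are assumptions for the example; the reserved range, the /24 allocation and the 2x sizing guidance come from the checklist.

```python
"""
Pre-onboarding check for a Prisma Access mobile-user IP address pool.

Added example, not from the guide. The reserved range, /24 gateway allocation
and 2x sizing factor are the checklist values; the sample subnets and device
counts at the bottom are constructed inputs.
"""
import ipaddress
import math

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
PRISMA_RESERVED = ipaddress.ip_network("100.64.0.0/15")   # reserved by Prisma Access
GATEWAY_BLOCK_PREFIX = 24    # Prisma Access allocates pool addresses to gateways in /24 blocks
SIZING_FACTOR = 2            # the guide recommends 2x the number of devices


def check_pool(pool: str, infra_subnet: str, internal_ranges, expected_devices: int):
    """Return (ok, findings); findings are (severity, message) tuples.

    "error" means the pool will not work or is unsupported; "warning" means it
    will work but violates a recommendation in the checklist.
    """
    net = ipaddress.ip_network(pool, strict=True)
    infra = ipaddress.ip_network(infra_subnet)
    findings = []

    if net.overlaps(PRISMA_RESERVED):
        findings.append(("error", f"{net} overlaps reserved {PRISMA_RESERVED}"))
    if net.overlaps(infra):
        findings.append(("error", f"{net} overlaps infrastructure subnet {infra}"))
    for rng in map(ipaddress.ip_network, internal_ranges):
        if net.overlaps(rng):
            findings.append(("error", f"{net} overlaps internal range {rng}"))
    if not any(net.subnet_of(r) for r in RFC1918):
        findings.append(("warning", f"{net} is not RFC 1918 space"))
    if net.prefixlen > GATEWAY_BLOCK_PREFIX:
        findings.append(("error", f"{net} is smaller than one /{GATEWAY_BLOCK_PREFIX} gateway block"))

    capacity = net.num_addresses
    needed = SIZING_FACTOR * expected_devices
    if capacity < needed:
        findings.append(("warning",
                         f"{net} holds {capacity} addresses; {needed} recommended "
                         f"for {expected_devices} devices"))

    ok = not any(sev == "error" for sev, _ in findings)
    return ok, findings


def blocks_needed(devices_per_gateway):
    """/24 blocks each gateway consumes for its connected devices.

    Assumes every address in a /24 is usable, which is the simplest model of
    the allocation the checklist describes.
    """
    per_block = 2 ** (32 - GATEWAY_BLOCK_PREFIX)
    return {gw: math.ceil(n / per_block) for gw, n in devices_per_gateway.items()}


def pool_supports(pool: str, devices_per_gateway):
    """True if the pool has enough whole /24 blocks for every gateway's demand."""
    net = ipaddress.ip_network(pool)
    available = net.num_addresses // 2 ** (32 - GATEWAY_BLOCK_PREFIX)
    return sum(blocks_needed(devices_per_gateway).values()) <= available


if __name__ == "__main__":
    # Constructed inputs: a /20 pool, an infrastructure subnet and two internal ranges.
    print(check_pool("192.168.64.0/20", "172.16.55.0/24",
                     ["10.0.0.0/8", "172.16.0.0/16"], expected_devices=1500))
    # A pool inside the reserved range fails outright.
    print(check_pool("100.64.8.0/22", "172.16.55.0/24", [], expected_devices=100))
    # Block granularity: 1000 devices across two gateways need 5 blocks, which a /22 cannot provide.
    demand = {"US West": 300, "Germany Central": 700}
    print(blocks_needed(demand), pool_supports("192.168.64.0/20", demand),
          pool_supports("192.168.64.0/22", demand))
```

The last check is the one that catches people: a gateway with 300 users consumes two /24 blocks, not 300 addresses, so a pool that looks large enough by address count can still run out of blocks once several gateways are active, and new devices then fail to connect.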

Configure Prisma Access for Users
When you configure Prisma Access for users, you will need to define the settings to configure the portal
and gateways in the cloud. For example, you will define a portal hostname, set up the IP address pool for
your mobile users, and configure DNS settings for your internal domains. You may be able to leverage
using existing configurations for some of the required settings, such as what authentication profile to use
to authenticate mobile users. If you already have a template with your authentication profiles, certificates,
certificate profiles, and server profiles, you can add that template to the predefined template stack during
onboarding to simplify the setup process.
While it is not necessary to push your Security policy settings and objects to the cloud during the
onboarding process, if you already have device groups and templates with the configuration objects you
need (for example, Security policy, zones, User-ID configuration, and other policy objects) go ahead and add
them when you onboard. This way you can complete the zone mapping that is required to enable Prisma
Access to map the zones in your policy to the appropriate interfaces and zones within the cloud. However,
if you don't have your policy set yet, you can go back later and push it to Prisma Access for users.
In addition, if you want your mobile users to be able to connect to your remote network locations, or if
you have mobile users in different geographical areas who need direct access to each other’s endpoints,
you must configure at least one service connection with placeholder values, even if you don’t plan to
use the connection to provide access to your data center or HQ locations. The reason this is required is
because, while all remote network locations are fully meshed, Prisma Access gateways (also known as
locations) connect to the service connection in a hub-and-spoke architecture to provide access to the
internal networks in your Prisma Access infrastructure.

STEP 1 | Select Panorama > Cloud Services > Configuration > Mobile Users.

STEP 2 | Configure the template stack and device group hierarchy that the cloud service will push to the
portal and gateway.
1. Edit the Settings.

2. In the Templates section of the Settings tab, Add the template that contains the configuration you
want to push to Prisma Access for users.

Although you can add existing templates to the stack from the plugin, you cannot
create a new template from the plugin. Instead, use the workflow to add a new
template.

You can Add more than one existing template to the stack and then order them appropriately using
Move Up and Move Down. This is important because Panorama evaluates the templates in the
stack from top to bottom and settings in templates that are higher in the stack take priority over
the same settings specified in templates that are lower in the stack. You cannot move the default
Mobile_User_Template from the top of the stack; this prevents you from overriding any settings that
Prisma Access requires to create the network infrastructure in the cloud.

If you want to customize the agent configuration that Prisma Access for users
pushes to clients from the portal, you must edit the GlobalProtect Portal configuration
in the Mobile_User_Template to add a new agent configuration. After configuring
the Agent configuration, move it above the DEFAULT agent configuration that is
predefined in the template to ensure that your settings take precedence over the
default settings. When editing this template, do not remove or change the External
Gateway entry.

3. In the Device Group section, select the Parent Device Group that contains the configuration settings
you want to push to Prisma Access for users, or leave the parent device group as Shared to use the
Prisma Access device group shared hierarchy.
You will push all of the configuration—including the address groups, Security policy, Security profiles,
and other policy objects (such as application groups and objects), HIP objects and profiles and
authentication policy—that Prisma Access for users needs to enforce consistent policy to your mobile
users using the device group hierarchy you specify here. In addition, you must make sure that you
have configured a Log Forwarding profile that forwards the desired log types to Panorama/Logging
Service in a device group that gets pushed to Prisma Access for users; this is the only way that the
cloud service knows which logs to forward to Cortex Data Lake.

STEP 3 | (Optional) Configure Prisma Access to use the Directory Sync service to retrieve user and group
information.
You must configure Directory Sync to retrieve user and group information from your Active Directory
(AD) before you enable and configure Directory Sync integration in Prisma Access using the settings in
the Group Mapping Settings tab. See Get User and Group Information Using Directory Sync for details.

STEP 4 | Click OK to save the mobile user settings.

STEP 5 | Map the zones configured within the selected template stack as trusted or untrusted.
On a Palo Alto Networks next-generation firewall, Security policy is enforced between zones, which map
to physical or virtual interfaces on the firewall. However, with Prisma Access for users, the networking
infrastructure is automatically set up for you, which means you no longer need to configure interfaces
and associate them with zones. However, to enable consistent security policy enforcement, you must
map the zones you use within your organization as trust or untrust so that Prisma Access for users can
translate the policy rules you push to the cloud service to the internal zones within the networking
infrastructure.
1. Edit the Zone Mapping settings.
By default, all of the zones in the Mobile_User_Template_Stack are classified as Untrusted Zones.
2. For each zone you want to designate as trusted, select it and click Add to move it to the list of
Trusted Zones.

3. Click OK to save your changes.

STEP 6 | Configure the GlobalProtect portal and external gateway settings.


You can configure Prisma Access gateways as external gateways only—not as internal gateways.
1. In the Onboarding section, click Configure.
2. On the General tab, specify the Portal Name Type:
• Use Default Domain—If you select this option, your portal hostname uses the default domain
name: .gpcloudservice.com. In this case, simply enter a Portal Hostname to append to the
default domain name. Prisma Access for users will automatically create the necessary certificates
and publish the hostname to public DNS servers.

If you already have a GlobalProtect deployment with an existing portal name
and you want to continue to use that portal name, add a CNAME record for your
existing portal name that points to the Prisma Access portal name. For example,
if you have an existing portal named portal.acme.com and the Prisma Access
portal is gpcs2.gpcloudservice.com, add a CNAME record that maps
portal.acme.com to gpcs2.gpcloudservice.com.
• Use Company Domain—Select this option if you want the domain in the portal hostname to
match your company domain name (for example, myportal.mydomain.com). If you want to use this
option, you must first obtain your own certificate and configure an SSL/TLS service profile that
points to it. Then you can configure the portal name by selecting the SSL/TLS Service Profile and
entering the Portal Hostname. If you use this option, you must point your internal DNS servers to
the Portal DNS CNAME, which is the hostname of the portal with the .gpcloudservice.com
domain. For example, if you specified a DNS hostname of acme-portal.acme.com, you would need
to create a DNS CNAME entry that maps that hostname to acme-portal.gpcloudservice.com on
your internal DNS servers.

3. Select an Authentication Profile that specifies how Prisma Access should authenticate mobile users
or create a new one.
If you added a parent device group that contains an authentication profile configuration, you should
see it on the list of available profiles. If you did not push the profile in the device group, you can
create an authentication profile now.
4. Select an Authentication Override Certificate to encrypt the authentication cookies that the
GlobalProtect app presents to the portal and gateway in place of a full re-authentication.
If you added a parent device group that contains the certificate you want to use to encrypt
authentication cookies, you should see it on the list of available certificates. If you did not push a
certificate in the device group, you can import or generate one now.
5. (Optional) If you do not require GlobalProtect endpoints to have tunnel connections when on the
internal network, enable Internal Host Detection.
1. Select the Internal Host Detection check box.
2. Enter the IP Address of a host that users can reach only from the internal network.
3. Enter the DNS Hostname for the IP address you entered. When the app starts, it performs a
reverse DNS lookup of the IP address and compares the result with this hostname. If the lookup
fails or returns a different name, the app determines that it is outside the internal network and
establishes a tunnel connection to Prisma Access for users. Choose an address whose reverse
(PTR) record resolves only on your internal DNS servers; if the lookup can also succeed from the
internet, the app treats external networks as internal and leaves traffic untunneled.

Prisma Access copies the internal host detection settings you specify here to the
settings in your GlobalProtect portal configuration (Network > GlobalProtect >
Portals > <portal-config> > Agent > <agent-config> > Internal). If you change your
portal configuration settings through Network > GlobalProtect > Portals at a later time,
those changes are not reflected in the settings you specify here. For this reason, Palo
Alto Networks recommends that you either enter the internal host detection settings
here or configure the same settings in both places.

STEP 7 | Select the Locations and the regions associated with those locations where you want to deploy
your mobile users.
The Locations tab displays a map. Highlighting the map shows the global regions (Americas, Europe,
and Asia Pacific) and the locations available inside each region. Select a region, then select the locations
you want to deploy in each region. Limiting your deployment to a single region provides more granular

control over deployed regions and allows you to exclude regions as required by your policy or industry
regulations. See List of Prisma Access Locations for the list of regions and locations. You can select a
location in a region that is closest to your mobile users, or select a location as required by your policy or
industry regulations.
Specify a single region to reduce the minimum IP address pool that you need in Step 8. See Specify IP
Address Pools for Mobile Users for more information.

Prisma Access uses the Hong Kong, Netherlands Central, and US Northwest locations
as fallback mobile user locations if other locations are not available. For this reason, Palo
Alto Networks strongly recommends that you enable at least one of these locations during
mobile user onboarding.

1. Click the Locations tab and select a region.

2. Select one or more Prisma Access gateways within your selected region using the map.
Hovering your cursor over a location highlights it. White circles indicate an available location; green
circles indicate that you have selected that location.

In addition to the map view, you can view a list of regions and locations. Choose between the map
and list view from the lower left corner. In the list view, the list displays regions sorted by columns,
with all locations sorted by region. You can select All sites within a region (top of the dialog).

STEP 8 | Set up the IP address pools that Prisma Access for users uses to assign IP addresses to
GlobalProtect endpoints by selecting the IP Pools tab and Add an IP address pool.

• Region—Select Worldwide to use a single IP address pool for all GlobalProtect clients using the cloud
service or select an available region.
You can use a single IP address pool for all GlobalProtect endpoints Worldwide, you can set separate
pools for each region where you have mobile users, or you can specify both Worldwide and region-
specific IP pools. For example, you can add a pool for a specific region and then add a Worldwide
pool to use for all other regions. Prisma Access then uses the Worldwide IP addresses to scale as you
onboard additional gateways in other regions to accommodate more mobile users. If you specify a
pool for a region, and you exhaust the available IP addresses in that pool, Prisma Access will take IP
addresses from the Worldwide pool to use in that region.
• IP Pool—Enter an IP address pool to assign to the endpoints in the selected region. The addresses
in this pool must not overlap with other networks you use internally or with the pools you assigned
when you Enable the Service Infrastructure.
If you deploy locations in a single region, the minimum required subnet is /23 (512 IP addresses)
per location. Additional locations require a minimum /23 subnet. If you specify a Worldwide subnet,
the minimum required subnet is /23 but we recommend providing enough subnets to allocate a
number of IP addresses that is equal to or greater than the number of licensed mobile users so that
they can log in at the same time. Do not use the 100.64.0.0/15 subnet, because Prisma Access
reserves this subnet for its internal use. See how to Specify IP Address Pools for Mobile Users for
more information.

We recommend using an RFC 1918-compliant IP address pool. While we support the
use of non-RFC 1918-compliant (public) IP addresses for mobile users, we do not
recommend using these non-compliant IP addresses due to possible conflicts with
internet public IP address space.

STEP 9 | To specify the DNS resolution settings that Prisma Access uses for mobile users, select the
Network Services tab and then click Add.
GlobalProtect endpoints with an active tunnel connection use their virtual network adapters rather than
their physical network adapters and therefore require separate DNS resolution settings. You can use one
set of DNS settings for all GlobalProtect endpoints Worldwide, you can set separate settings for each
geographic region where your users are located, or you can specify both Worldwide and regional settings.
• For Internal Domains:
• Select a Region (North America & South America, Africa, Europe & Middle East, or Asia, Australia
& Japan), or specify Worldwide to apply the DNS settings globally.

You must specify at least one DNS proxy with a Region of Worldwide, or your commit will fail.
You can also specify a DNS proxy for one or more regions and specify another Worldwide DNS
proxy for the rest of the world. If you specify multiple proxy settings with a mix of regional and
worldwide regions, Prisma Access uses the regional settings for the Locations in the region you
specify; otherwise, Prisma Access uses the worldwide settings.
• Specify the IP addresses of the Primary DNS and Secondary DNS servers that your mobile users
should use to resolve internal domains.
• (Optional) If you want your internal DNS server to only resolve the domains you specify, enter the
domains to resolve in the Domain List.
You can use a wildcard (*) in front of the domains in the domain list, for example *.acme.local
or .acme.com. You can specify a maximum of 1,024 domain entries.
• For Public Domains:
• Enter a Primary DNS choice.
To use the default Prisma Access DNS server, select Use Cloud Default. To use the same server
that you use to resolve internal domains, select Same as Internal Domains. To use a third-party or
public DNS server, select Custom DNS Server, then specify the IP address of the DNS server.
• Enter a Secondary DNS choice, choosing from the same options that are available for the Primary DNS.

• (Optional) Add a Client DNS Suffix Search List to specify the suffix that the client should use
locally when an unqualified hostname is entered that it cannot resolve, for example, acme.local.
Do not enter a wildcard (*) character in front of the domain suffix. You can add multiple suffixes.
You can also create a .csv file that has the list of domain suffixes and Import them, rather
than manually adding them. Separate multiple entries with commas or semicolons such as
www.example1.com,www.example2.com,www.example3.com. There is no limit to the
number of DNS suffixes you can enter.
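The regional-versus-Worldwide precedence and the validation rules in this step are easy to get wrong when several entries exist. The following is an added example, not Palo Alto Networks code: it models the Network Services settings, checks the conditions that would fail the commit (no Worldwide entry, more than 1,024 domains, a wildcard in the suffix search list), and shows which servers a query for a given name reaches. The server addresses and domain lists are constructed, and the rule for matching names against the Domain List is an assumption that follows the wildcard forms shown above.

```python
"""Resolve and validate the Network Services (DNS) settings described in Step 9.

Added example, not Palo Alto Networks code.  The server addresses and domain
lists are constructed; the matching of names against the Domain List is an
assumption that follows the wildcard forms shown above (*.acme.local, .acme.com).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Sequence

REGIONS = ("North America & South America",
           "Africa, Europe & Middle East",
           "Asia, Australia & Japan")
WORLDWIDE = "Worldwide"
MAX_DOMAINS = 1024
CLOUD_DEFAULT = "cloud-default"          # "Use Cloud Default" in the dialog
SAME_AS_INTERNAL = "same-as-internal"    # "Same as Internal Domains"


@dataclass
class DnsProxy:
    region: str                               # one of REGIONS or WORLDWIDE
    primary: str                              # internal-domain servers
    secondary: Optional[str] = None
    domain_list: List[str] = field(default_factory=list)
    public_primary: str = CLOUD_DEFAULT       # CLOUD_DEFAULT, SAME_AS_INTERNAL or an IP


def validate(entries: Sequence[DnsProxy], suffix_search_list: Sequence[str] = ()) -> List[str]:
    """Return the configuration problems that would fail the commit or misroute queries."""
    errors = []
    if not any(e.region == WORLDWIDE for e in entries):
        errors.append("no DNS proxy with Region=Worldwide: the commit will fail")
    seen = set()
    for e in entries:
        if e.region not in REGIONS and e.region != WORLDWIDE:
            errors.append(f"unknown region {e.region!r}")
        if e.region in seen:
            errors.append(f"more than one DNS proxy for {e.region!r}")
        seen.add(e.region)
        if len(e.domain_list) > MAX_DOMAINS:
            errors.append(f"{e.region}: {len(e.domain_list)} domains exceeds the {MAX_DOMAINS} limit")
    for suffix in suffix_search_list:
        if suffix.startswith("*"):
            errors.append(f"DNS suffix {suffix!r} must not start with a wildcard")
    return errors


def effective_proxy(region: str, entries: Sequence[DnsProxy]) -> Optional[DnsProxy]:
    """Locations in a region use that region's entry; otherwise the Worldwide entry."""
    by_region = {e.region: e for e in entries}
    return by_region.get(region) or by_region.get(WORLDWIDE)


def matches(name: str, pattern: str) -> bool:
    """Assumed Domain List semantics: '*.acme.local' and '.acme.com' match any
    subdomain; a bare 'acme.com' matches itself and its subdomains."""
    name = name.lower().rstrip(".")
    pattern = pattern.lower().lstrip("*")
    if pattern.startswith("."):
        return name.endswith(pattern)
    return name == pattern or name.endswith("." + pattern)


def servers_for(name: str, proxy: DnsProxy) -> List[str]:
    """Servers the endpoint's tunnel adapter sends a query for `name` to."""
    internal = [s for s in (proxy.primary, proxy.secondary) if s]
    # Assumption: an empty Domain List means the internal servers resolve everything.
    if not proxy.domain_list or any(matches(name, p) for p in proxy.domain_list):
        return internal
    if proxy.public_primary == SAME_AS_INTERNAL:
        return internal
    if proxy.public_primary == CLOUD_DEFAULT:
        return ["<Prisma Access cloud default DNS>"]
    return [proxy.public_primary]


# Constructed settings: a regional entry for EMEA and a Worldwide entry for the rest.
SAMPLE = [
    DnsProxy("Africa, Europe & Middle East", "10.50.0.53",
             domain_list=["*.acme.local"], public_primary="8.8.8.8"),
    DnsProxy(WORLDWIDE, "10.1.1.53", "10.1.2.53",
             domain_list=["*.acme.local", ".acme.com"]),
]

if __name__ == "__main__":
    print("problems:", validate(SAMPLE))
    emea = effective_proxy("Africa, Europe & Middle East", SAMPLE)
    print("git.acme.local from EMEA ->", servers_for("git.acme.local", emea))
    print("www.example.com from EMEA ->", servers_for("www.example.com", emea))
```

Run `validate` against the entries before committing: a missing Worldwide entry is the failure the text warns about, and a duplicate regional entry or an oversized domain list surfaces here rather than at commit time.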

STEP 10 | (Optional) If your deployment uses Windows Internet Name Service (WINS), you can
specify WINS servers that resolve NetBIOS names to IP addresses. Select WINS
Configuration, select a region for the WINS server (or select Worldwide to apply the
WINS configuration worldwide), then specify a Primary WINS and, optionally, a Secondary
WINS server address.
After you enable WINS, Prisma Access can push WINS configuration to mobile users’ endpoints over
GlobalProtect.

STEP 11 | (Optional) If you allow your mobile users to manually select gateways from the GlobalProtect
app, select the Manual Gateway Locations that the users can view from their GlobalProtect
app.
Choosing a subset of onboarded locations reduces the number of available gateways that mobile users
can view in their GlobalProtect app for manual gateway selection.
If you do not select manual gateways in this tab, Prisma Access selects the following list of gateways by
default.
• Australia Southeast
• Belgium
• Brazil South
• Canada East
• Finland

• France North
• Germany Central
• Hong Kong
• India West
• Ireland
• Israel
• Japan Central
• Netherlands Central
• Saudi Arabia
• Singapore
• South Africa Central
• South Korea
• Taiwan
• UK
• US East
• US West
Prisma Access lets you select only gateways that you have onboarded. For example, if you don’t choose
UK when you select locations, you cannot select UK as a manual gateway (the location is grayed out).

If you allow users to manually choose more than 25 gateways, we recommend using
version 5.0.3 or later of the GlobalProtect app for the best end user experience.

STEP 12 | Click OK to save the Onboarding settings.

STEP 13 | To secure traffic for your mobile users, you must create security policy rules.
1. Select the Device Group in which to add policy rules. You can select the Mobile_User_Device_Group
or the parent device group that you selected when setting up Prisma Access for mobile users.
2. Create security policy rules. Make sure that you do not define security policy rules to allow traffic
from any zone to any zone. In the security policy rules, use the zones that you defined in the
template stack you are pushing to the cloud service.

STEP 14 | Configure logs to forward to Cortex Data Lake.


The Cloud Services plugin automatically adds the following Log Settings (Device > Log Settings) after a
new installation or when removing non-Prisma Access templates from a Prisma Access template stack:
• Log Settings for System logs (system-gpcs-default), User-ID logs (userid-gpcs-default), HIP Match
logs (hipmatch-gpcs-default), and GlobalProtect logs (gp-prismaaccess-default) are added to the
Mobile_User_Template.
• Log Settings for System logs (system-gpcs-default), User-ID logs (userid-gpcs-default), and
GlobalProtect logs (gp-prismaaccess-default) are added to the Remote_Network_Template.
• Log Settings for System logs (system-gpcs-default) and GlobalProtect logs (gp-prismaaccess-default)
are added to the Service_Conn_Template.
These Log Setting configurations automatically forward System, User-ID, HIP Match, and GlobalProtect
logs to Cortex Data Lake.

STEP 15 | (Optional) Forward logs for other log types to Cortex Data Lake.
To do this, you must create and attach a log forwarding profile to each policy rule for which you want to
forward logs. See the Cortex Data Lake Getting Started Guide for more information.
1. Select the Device Group in which you added the policy rules.
2. Select Objects > Log Forwarding and Add a profile. In the Log Forwarding Profile Match List, Add
each log type that you want to forward.
For example, you can add Traffic, Threat Prevention, WildFire Submission, URL Filtering, Data
Filtering, and Authentication logs to the match list.
3. Select Panorama/Logging Service as the Forward Method. When you select Panorama, the logs
are forwarded to Cortex Data Lake. You will be able to monitor the logs and generate reports from
Panorama. Cortex Data Lake provides a seamless integration to store logs without backhauling them
to your Panorama at the corporate headquarters, and Panorama can query Cortex Data Lake as
needed.

4. Select Policies > Security and edit the policy rule. In Actions, select the Log Forwarding profile you
created.

STEP 16 | Commit all your changes to Panorama and push the configuration changes to Prisma Access.
1. Click Commit > Commit to Panorama.
2. Click Commit > Push to Devices and click Edit Selections.
3. On the Prisma Access tab, make sure Prisma Access for users is selected and then click OK.
4. Click Push.

STEP 17 | To verify that Prisma Access for users is deployed and active, select Panorama > Cloud
Services > Status > Status.
After the provisioning completes, the mobile users Status and Config Status should show OK.
The Deployment Status area allows you to view the progress of onboarding and deployment jobs before
they complete, as well as see more information about the status of completed jobs. See Deployment
Progress and Status for details.

To view the number of unique users who are currently logged in, or to log out a logged in user, click the
hyperlinked number next to Current Users. See View Logged In User Information and Log Out Current
Users for details.

To view historical information of previously-logged in users for a 90-day time period, click the number
next to Users (Last 90 days).
To export the list of users to a csv file, select Export to CSV. Note that a maximum of 45,000 users can
be exported to a CSV file.

To display a map that shows the locations of Prisma Access portals and gateways running in the regions
you have selected, select Monitor; then, select Mobile Users.

Select a region to get more detail about that region.

STEP 18 | If you chose to Use Company Domain for your portal hostname, you must add a DNS entry
on your internal DNS servers to map the portal hostname you defined to the Portal DNS
CNAME displayed on the Cloud Services > Configuration > Mobile Users > Onboarding >
General tab (for example, <portal_hostname>.gpcloudservice.com).

STEP 19 | Deploy the GlobalProtect app software to your end users.

For Mac OS or Windows users, you can direct users to the Prisma Access portal address, where they can
download the GlobalProtect app from the portal.

Prisma Access manages the version of the GlobalProtect app on the portal and this is not
configurable; however, you can Manage Upgrade Options for the GlobalProtect App in
Panorama to control the availability of an app version and control the ability of users to
download it.

Alternatively, you can host GlobalProtect app software on a web server for your Mac OS and Windows
users. Prisma Access is compatible with any GlobalProtect app versions that are not listed as end of life.
Mobile app users can download and install the GlobalProtect mobile app from the appropriate app store
for their operating systems.

Zone Mapping
On a firewall, zones are associated with interfaces. But within Prisma Access, the networking infrastructure
is automatically set up for you. This means that you no longer need to worry about configuring interfaces
and associating them with the zones you create. However, to enable consistent security policy
enforcement, you must create zone mappings so that Prisma Access will know whether to associate a zone
with an internal (trust) interface or an external (untrust) interface. This will ensure that your security policy
rules are enforced properly. By default, all of the zones you push to Prisma Access are set to untrust. You
should leave any zones associated with internet-bound traffic, including your sanctioned SaaS applications,
set to untrust. However, for all zones that enable access to applications on your internal network or in your
data center, you must map them to trust. Check the mapping carefully: a zone that reaches internal
applications but is left as untrust is bound to the external-facing interface, so the rules you wrote for it
will not match traffic to your data center. For example, consider a template stack in which all sanctioned
SaaS applications (Office 365 and Salesforce in this case) are segmented into a sanctioned-saas zone to
enable visibility and policy enforcement over the use of these applications. To enable Prisma Access to
associate the sanctioned-saas zone with an external-facing interface, you must map this zone to untrust.
Similarly, the eng-tools and dc-apps zones provide access to applications in the corporate office and you
must therefore designate them as trusted zones.
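Before pushing the device group, it is worth checking every rule against the zone mapping and the log forwarding requirements from Steps 13 through 15 above. The following lint is an added example, not Palo Alto Networks code: it flags rules that use any-to-any zones, rules that reference a zone missing from the template stack, and rules with no log forwarding profile (or one that does not forward to Panorama/Logging Service, so nothing reaches Cortex Data Lake). The rule set, zone mapping, and log forwarding profiles are constructed to mirror the sanctioned-saas, eng-tools, and dc-apps example above; a real check would first export the policy from Panorama (for example, via the XML API) and parse it into the same shape.

```python
"""Lint a security policy against the zone mapping pushed to Prisma Access.

Added example for this section; it is not Palo Alto Networks code.  The rule
set, zone mapping and log forwarding profiles below are constructed; a real
check would parse the policy exported from Panorama into the same shape.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Zones in the template stack and their trust/untrust mapping.  Every zone is
# untrust by default; zones that reach internal applications are moved to trust.
ZONE_MAPPING: Dict[str, str] = {
    "trust": "trust",
    "untrust": "untrust",
    "sanctioned-saas": "untrust",   # Office 365, Salesforce: internet-bound
    "eng-tools": "trust",           # corporate engineering tools
    "dc-apps": "trust",             # data-center applications
}

# Log forwarding profiles in the device group.  Only profiles whose forward
# method is Panorama/Logging Service deliver logs to Cortex Data Lake.
LOG_PROFILES: Dict[str, Dict] = {
    "to-cdl": {"method": "panorama", "types": {"traffic", "threat", "url"}},
    "syslog-only": {"method": "syslog", "types": {"traffic"}},
}


@dataclass(frozen=True)
class Rule:
    name: str
    from_zones: frozenset
    to_zones: frozenset
    action: str
    log_profile: Optional[str] = None


def lint_rule(rule: Rule,
              zone_mapping: Dict[str, str] = ZONE_MAPPING,
              log_profiles: Dict[str, Dict] = LOG_PROFILES) -> List[str]:
    """Return the problems found in one rule (an empty list means clean)."""
    findings = []
    if rule.from_zones == {"any"} and rule.to_zones == {"any"}:
        findings.append("any-to-any zones: do not push such a rule to Prisma Access")
    for zone in sorted((rule.from_zones | rule.to_zones) - {"any"}):
        if zone not in zone_mapping:
            findings.append(f"zone {zone!r} is not in the template stack pushed to Prisma Access")
    if rule.log_profile is None:
        findings.append("no log forwarding profile attached: logs for this rule never reach Cortex Data Lake")
    elif log_profiles.get(rule.log_profile, {}).get("method") != "panorama":
        findings.append(f"profile {rule.log_profile!r} does not forward to Panorama/Logging Service")
    return findings


def lint_policy(rules: List[Rule]) -> Dict[str, List[str]]:
    """Map each rule name to its findings; clean rules are omitted."""
    report = {}
    for rule in rules:
        findings = lint_rule(rule)
        if findings:
            report[rule.name] = findings
    return report


# Constructed rules standing in for the device group's security policy.
SAMPLE_RULES = [
    Rule("allow-sanctioned-saas", frozenset({"trust"}), frozenset({"sanctioned-saas"}), "allow", "to-cdl"),
    Rule("allow-dc-apps", frozenset({"trust"}), frozenset({"dc-apps"}), "allow"),
    Rule("legacy-guest", frozenset({"guest-wifi"}), frozenset({"untrust"}), "allow", "to-cdl"),
    Rule("catch-all", frozenset({"any"}), frozenset({"any"}), "allow", "syslog-only"),
]

if __name__ == "__main__":
    for name, findings in lint_policy(SAMPLE_RULES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

The zone check is the one that matters most here: a rule that references a zone outside the pushed template stack has no interface to bind to in the cloud, and a rule without a log forwarding profile leaves you blind in Cortex Data Lake even though the default Log Settings cover System, User-ID, HIP Match, and GlobalProtect logs.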

Specify IP Address Pools for Mobile Users
You need to make sure that you have specified an IP address pool that allows enough coverage for the
mobile users in your organization. It is important to remember that each unique user can use multiple
devices to connect to Prisma Access at the same time, and each connected device requires a unique IP
address from the pool. We recommend that the number of IP addresses in the pool is 2 times the number
of mobile user devices that will connect to Prisma Access. If your organization has a bring your own device
(BYOD) policy, or if a single user has multiple user accounts, make sure that you take those extra devices
and accounts into consideration when you allocate your IP pools. If your pool space is limited, you can
specify a smaller address pool; however, if your IP address pool reaches its limit, additional mobile user
devices will not be able to connect.
In Panorama, the UI validates that you enter valid IP subnets (for example, if you enter a pool smaller
than /23, such as a /24, it prompts you to change it). However, it does not check that you have
allocated sufficient IP addresses for your deployment.

This validation is not available if you configure locations using the CLI. If you deploy all locations
using the CLI, we recommend that you add a /18 subnet (16,384 addresses) to the Worldwide pool for
mobile users.

Prisma Access checks your configuration to make sure that you have specified the following minimum IP
address pool:
• A minimum of /23 (512 IP addresses) is required for either a Worldwide or regional address pool.
• If you do not onboard any Prisma Access gateways in a region, an IP address pool for that region is
not required. For example, if you specify gateways in the US East, US Northwest, and US Northeast
locations, you need to only specify an IP address pool for the North America & South America region.
Conversely, if you enable mobile user locations in Europe without specifying either a Worldwide address
pool or an IP address pool in Africa, Europe, & Middle East, your deployment will fail.
• If you specify a mix of Worldwide and regional pools, Prisma Access uses the IP pools in the region first.
If regional pools are exhausted, Prisma Access will take IP address blocks from the Worldwide pool,
which allows you to configure extra IP addresses in the Worldwide IP address pool to function as a
fallback pool.
If you specify more than one block of IP address pools, Prisma Access uses the pools in the order that
you entered them during mobile user setup.
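The Panorama UI checks only the /23 minimum, and the CLI checks nothing, so the remaining rules from Step 8 and this section (no overlap with 100.64.0.0/15, with your internal networks, or with the service infrastructure subnet; a regional or Worldwide pool for every region you onboard; roughly twice as many addresses as connecting devices) are worth checking yourself before the push. The following validator is an added example, not Palo Alto Networks code. The location-to-region table is a constructed subset of the location list, the sample pools and internal networks are constructed, and the checks cover IPv4 pools only.

```python
"""Check mobile user IP pools against the rules in this section.

Added example, not Palo Alto Networks code.  The location-to-region table is
a constructed subset; region names follow the IP Pools dialog.  The check
mirrors what the Panorama UI validates (minimum /23) and adds the checks the
UI does not perform (overlap, region coverage, capacity).  IPv4 pools only.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

RESERVED = ipaddress.ip_network("100.64.0.0/15")   # reserved by Prisma Access
MIN_PREFIX = 23                                      # /23 = 512 addresses per pool
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed subset of the location list (see "List of Prisma Access Locations").
LOCATION_REGION = {
    "US East": "North America & South America",
    "US Northwest": "North America & South America",
    "Canada East": "North America & South America",
    "UK": "Africa, Europe & Middle East",
    "Netherlands Central": "Africa, Europe & Middle East",
    "Singapore": "Asia, Australia & Japan",
    "Japan Central": "Asia, Australia & Japan",
}

Pool = Tuple[str, str]   # (region or "Worldwide", CIDR), in the order entered


def validate_pools(pools: List[Pool], onboarded: Iterable[str],
                   internal_networks: Iterable[str] = (),
                   infra_subnet: Optional[str] = None,
                   devices: int = 0) -> Tuple[List[str], List[str]]:
    """Return (errors, warnings).  Errors would make the deployment fail or
    leave endpoints unable to connect; warnings are recommendations."""
    errors: List[str] = []
    warnings: List[str] = []
    parsed = []
    taken = [ipaddress.ip_network(n) for n in internal_networks]
    if infra_subnet:
        taken.append(ipaddress.ip_network(infra_subnet))

    for region, cidr in pools:
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            errors.append(f"{region}: {cidr!r} is not a valid network ({exc})")
            continue
        parsed.append((region, net))
        if net.prefixlen > MIN_PREFIX:
            errors.append(f"{region} pool {net} is smaller than /{MIN_PREFIX}")
        if net.overlaps(RESERVED):
            errors.append(f"{region} pool {net} overlaps {RESERVED}, which Prisma Access reserves")
        for other in taken:
            if net.overlaps(other):
                errors.append(f"{region} pool {net} overlaps internal/infrastructure network {other}")
        if not any(net.subnet_of(rfc) for rfc in RFC1918):
            warnings.append(f"{region} pool {net} is not RFC 1918 space")

    # Pools must not overlap each other either.
    for i, (ra, a) in enumerate(parsed):
        for rb, b in parsed[i + 1:]:
            if a.overlaps(b):
                errors.append(f"pools {a} ({ra}) and {b} ({rb}) overlap")

    # Every region with an onboarded location needs a regional pool or a Worldwide pool.
    covered = {region for region, _ in parsed}
    if "Worldwide" not in covered:
        for region in sorted({LOCATION_REGION[loc] for loc in onboarded} - covered):
            errors.append(f"no pool for {region!r} and no Worldwide pool: deployment will fail")

    # Capacity: each connected device takes one address; 2x devices is recommended.
    total = sum(net.num_addresses for _, net in parsed)
    if devices and total < 2 * devices:
        warnings.append(f"{total} addresses for {devices} devices; at least {2 * devices} recommended")
    return errors, warnings


# Constructed pool sets: one that passes and one that breaks two rules.
GOOD_POOLS = [("Africa, Europe & Middle East", "10.200.0.0/22"), ("Worldwide", "10.201.0.0/18")]
BAD_POOLS = [("Worldwide", "100.64.8.0/22"), ("Asia, Australia & Japan", "192.168.1.0/24")]

if __name__ == "__main__":
    for label, pools in (("good", GOOD_POOLS), ("bad", BAD_POOLS)):
        errs, warns = validate_pools(pools, ["UK", "US East", "Singapore"],
                                     ["10.0.0.0/9"], "172.16.55.0/24", devices=5000)
        print(label, "errors:", errs, "warnings:", warns)
```

Pass the same infrastructure subnet you used when you enabled the service infrastructure and every internal prefix that mobile users must reach; an overlapping pool does not fail the commit, it silently breaks routing to the overlapped network.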

How the GlobalProtect App Selects a Prisma
Access Location for Mobile Users
When a mobile user connects to a Prisma Access location, the app uses the following selection process to
determine to which location it connects.

You enable the mobile user locations where you want Prisma Access to be present during
mobile user onboarding. If you do not select the location during onboarding, Prisma Access
does not use it in your deployment.

• If the mobile user connects in a country that has a Prisma Access location, the user connects to the
location in that country.
• If the mobile user cannot connect to an in-country location for any reason, Prisma Access selects from
one or more of the following mobile user locations to connect the user based on region:
• Asia, Australia & Japan: Taiwan, Singapore, Japan Central, India West
• Africa, Europe & Middle East: Finland, UK, Netherlands Central, Germany Central
• North America & South America: US Central, US Northeast, Brazil South, Canada East
Palo Alto Networks recommends that you add these locations in their respective regions during mobile
user onboarding to provide redundancy.
• Prisma Access has designated the following locations as alternative (fallback) locations. If mobile users
cannot access in-country or in-region locations, Prisma Access connects mobile users to one of the
following locations:
• Hong Kong
• Netherlands Central
• US Northwest
Palo Alto Networks strongly recommends that you enable at least one of these locations during
mobile user onboarding.
• If you use on-premise gateways with Prisma Access locations, you can specify priorities in Prisma Access
to let mobile users connect to either a specific on-premise GlobalProtect gateway or a Prisma Access
location. See Manage Priorities for Prisma Access and On-Premise Gateways for details.
• When mobile users connect, the GlobalProtect app does not use the following Prisma Access locations
in the automatic gateway selection process, even if you selected the Prisma Access locations in the
plugin during onboarding. However, mobile users can still manually select one of these locations and set
it as a preferred location (gateway) as long as you allow them to manually select those locations during
mobile user onboarding:
• Australia: Australia East and Australia South
• Brazil: Brazil East and Brazil Central
• Canada: Canada Central
• France: France South
• Germany: Germany North and Germany South
• India: India North and India South
• Japan: Japan South
• Mexico: Mexico West
• Netherlands: Netherlands South
• Pakistan: Pakistan West
• Russia: Russia Northwest
• South Africa: South Africa West

• Spain: Spain East
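The selection order above has several layers (in-country, regional fallback, global fallback, manual-only exclusions, and the restriction to onboarded locations), and the practical question is which gateway a user in a given country actually lands on with your onboarding choices. The following model is an added example, not Palo Alto Networks code and not the GlobalProtect app's actual algorithm: it applies the rules in this section in the stated order and reports the onboarding gaps the section recommends against. The country table is a constructed subset and the onboarded set is constructed; a real mapping would be built from the full location list.

```python
"""Model the location selection order described in this section.

Added example, not Palo Alto Networks code or the GlobalProtect app's actual
algorithm: it applies, in order, the in-country, regional-fallback and
global-fallback rules above, skipping locations that were not onboarded and
locations the app never selects automatically.  The country table is a
constructed subset; a real mapping would be built from the full location list.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

REGIONAL_FALLBACK: Dict[str, List[str]] = {
    "Asia, Australia & Japan": ["Taiwan", "Singapore", "Japan Central", "India West"],
    "Africa, Europe & Middle East": ["Finland", "UK", "Netherlands Central", "Germany Central"],
    "North America & South America": ["US Central", "US Northeast", "Brazil South", "Canada East"],
}
GLOBAL_FALLBACK: List[str] = ["Hong Kong", "Netherlands Central", "US Northwest"]

# Locations excluded from automatic selection (manual selection only).
MANUAL_ONLY: Set[str] = {
    "Australia East", "Australia South", "Brazil East", "Brazil Central", "Canada Central",
    "France South", "Germany North", "Germany South", "India North", "India South",
    "Japan South", "Mexico West", "Netherlands South", "Pakistan West", "Russia Northwest",
    "South Africa West", "Spain East",
}

# Constructed: ISO country code -> (region, in-country locations).
COUNTRY: Dict[str, Tuple[str, List[str]]] = {
    "DE": ("Africa, Europe & Middle East", ["Germany Central", "Germany North", "Germany South"]),
    "GB": ("Africa, Europe & Middle East", ["UK"]),
    "CA": ("North America & South America", ["Canada East", "Canada Central"]),
    "KR": ("Asia, Australia & Japan", ["South Korea"]),
    "AU": ("Asia, Australia & Japan", ["Australia Southeast", "Australia East", "Australia South"]),
}


def candidate_order(country: str, onboarded: Iterable[str]) -> List[str]:
    """Locations the app may pick for a user in `country`, most preferred first."""
    region, in_country = COUNTRY[country]
    onboarded = set(onboarded)
    order: List[str] = []
    for loc in in_country + REGIONAL_FALLBACK[region] + GLOBAL_FALLBACK:
        if loc in onboarded and loc not in MANUAL_ONLY and loc not in order:
            order.append(loc)
    return order


def select_location(country: str, onboarded: Iterable[str],
                    reachable: Optional[Iterable[str]] = None) -> Optional[str]:
    """First candidate the endpoint can reach, or None if no onboarded location qualifies."""
    reachable_set = None if reachable is None else set(reachable)
    for loc in candidate_order(country, onboarded):
        if reachable_set is None or loc in reachable_set:
            return loc
    return None


def fallback_gaps(onboarded: Iterable[str]) -> List[str]:
    """Onboarding choices that leave users without the recommended redundancy."""
    onboarded = set(onboarded)
    gaps = []
    if not onboarded & set(GLOBAL_FALLBACK):
        gaps.append("none of the global fallback locations (Hong Kong, Netherlands Central, "
                    "US Northwest) is onboarded")
    regions_in_use = {r for r, locs in REGIONAL_FALLBACK.items() if set(locs) & onboarded}
    regions_in_use |= {r for r, locs in COUNTRY.values() if set(locs) & onboarded}
    for region in sorted(regions_in_use):
        if not set(REGIONAL_FALLBACK[region]) & onboarded:
            gaps.append(f"no regional fallback location onboarded for {region!r}")
    return gaps


# Constructed onboarding selection for the examples below.
ONBOARDED = {"UK", "Netherlands Central", "Germany North", "Singapore", "US Northwest", "Canada Central"}

if __name__ == "__main__":
    for cc in ("DE", "GB", "CA", "KR", "AU"):
        print(cc, "->", candidate_order(cc, ONBOARDED))
    print("gaps:", fallback_gaps(ONBOARDED))
```

Note what the constructed selection shows: a German user never reaches Germany North because it is manual-only, and a Canadian user is sent to Europe because Canada Central is manual-only and no Americas fallback location was onboarded.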

View Logged In User Information and Log Out
Current Users
There are several locations in Panorama where you can view the list of logged-in users. You can view
unique users, the location in which the users are logged in, and tables that provide additional information. It
is also important to understand how Prisma Access counts the number of users in each location.
You can get a detailed view of users from several locations:
• To see an overall view of users and to open a table that allows you to view and log out logged-in users,
select Panorama > Cloud Services > Status > Status.
• To see a graphic view of users in a map view, and to view users by region and location, select
Panorama > Cloud Services > Status > Service Stats > Mobile Users.
• To learn how Prisma Access counts users in each of these areas, see How Prisma Access Counts Users.

View Mobile Users from the Status Tab


To view the total number of unique users who are currently logged in across all locations, select
Panorama > Cloud Services > Status > Status.

To view more details about the users who are currently logged in, click the hyperlinked number next to
Current Users to display the Current Users table.

The total number of users that display in the Status page, and the number that displays in
the pop-up table, might be different; the number that displays in the table might be larger.
See How Prisma Access Counts Users for details.

You can log out active users from the Current Users table; to do so, select the user and click Logout. Note
that you might have to close and then re-open the screen to have Prisma Access remove the logged-out
user from the Current Users page.
The Current Users table lists users who logged in with the GlobalProtect app and with Clientless VPN.
It shows each user’s username, public IP, and last login time. If the user is logged in with the
GlobalProtect app, it also shows the client OS, private IP address, and computer name.

View Mobile Users from the Monitor Tab
To view the number of unique users that are logged in per region, select Panorama > Cloud Services >
Status > Service Stats > Mobile Users.

To view details about locations in a region, click the region.

The number of users that displays in the global map view page and the number that displays
in the table per region might be different; the number that displays in the table might be
larger. See How Prisma Access Counts Users for details.

How Prisma Access Counts Users
The number of total users that display in the status areas might be different than the number that displays
in the associated tables. The following section describes the differences.
• Status tab (Panorama > Cloud Services > Status > Status)—The number of users that displays in the main
page, in the Mobile Users area, might be different than the number that displays in the table when you
click the Current Users hyperlink. The number that displays in the Mobile Users area counts the number
of unique users; the list of users in the Current Users table counts all users per login or connection. If a
single user is logged in to more than one gateway or is connected with multiple devices, the number in
the table might be larger.
For example, a user user1 is logged into two gateways in the United Kingdom location; this condition
might have occurred because Prisma Access automatically added gateways when a large number of
users logged in to the same location. In this case, Prisma Access counts user1 once in the Mobile Users
area, but twice in the Current Users table.
• Monitor tab (Panorama > Cloud Services > Status > Service Stats > Mobile Users)—The number of
Users you see in the global map might be different than the number that displays in the table when you
select a region. A user that is logged in to more than one gateway or is connected with multiple devices
might show up multiple times in the table.
The following screenshots provide an example. There are 23 unique users logged into the Asia region, as
shown in the global map.

If you select the Asia region, Prisma Access gives the number of unique users (23) on the top left of the
region page. However, two users are connected via multiple devices in the South Korea location (for
example, a smart phone and a computer). Because the users have two separate connections, Prisma
Access counts them twice in the table, giving a total number count in the table of 25.

Quick Configs for Mobile User Deployments
The following topics show some common Prisma Access deployment scenarios for remote networks and
provide instructions for how to configure them.
For information about integrating Prisma Access with third-party authentication providers, refer to the
Prisma Access Integration Guide.
• Prisma Access with On-Premise Gateways
• Manage Priorities for Prisma Access and On-Premise Gateways
• DNS Resolution for Mobile Users and Remote Networks
• Sinkhole IPv6 Traffic From Mobile Users
• Collect User and Group Information Using the Directory Sync Service
• Configure Quality of Service in Prisma Access

Prisma Access with On-Premise Gateways


Prisma Access enables you to extend the Palo Alto Networks security platform out to your remote network
locations and your mobile users without having to build out your own global security infrastructure and
expand your operational capacity. In cases where you have already deployed GlobalProtect gateways
in regions where you already have the infrastructure to manage it, you can leverage this investment by
configuring Prisma Access to direct mobile users to your existing external gateways when appropriate.
You can Manage Priorities for Prisma Access and On-Premise Gateways, which allows you to specify
priorities for on-premise and Prisma Access gateways. Administrators cannot require mobile users to
connect to a specific Prisma Access gateway; however, administrators can Allow Mobile Users to Manually
Select Specific Prisma Access Gateways using the GlobalProtect app.

You cannot use your own portal with Prisma Access. You can only use the portal that is
deployed when your Prisma Access for mobile users is provisioned.

To configure one of these hybrid Prisma Access deployments, you must edit the GlobalProtect_Portal
configuration within the Mobile_User_Template to add your on-premise gateways to the appropriate
regions:

STEP 1 | Edit the Prisma Access portal configuration.


1. To add an existing gateway to the list of available gateways, select Network > GlobalProtect >
Portals.
2. Select Mobile_User_Template from the Template drop-down.
3. Select GlobalProtect_Portal to edit the Prisma Access portal configuration.

STEP 2 | Add your on-premise gateway to the list of gateways in the agent configuration.
1. Select the Agent tab and select the DEFAULT agent configuration or Add a new one.
2. Select the External tab and Add your on-premise gateway.

If you add a new agent configuration and you want to add the Prisma Access
gateways to the list of external gateways in that configuration, you must set the Name
to GP cloud service and the Address to gpcloudservice.com. You must enter these
values exactly as shown, and you cannot use either of these values for non-Prisma
Access gateways.
3. Enter the Name of the gateway and specify either the FQDN or IP address of the gateway in the
Address field; this value must exactly match the common name (CN) in the gateway certificate.
4. (Optional) If you want mobile users to only connect to the gateway when they are in the
corresponding region, Add the Source Region to restrict the gateway to. For example, if you have a
gateway in France, you would select FR (France). If you have a gateway in Sweden, you would select
(SE) Sweden.
One benefit of this is that users will then be able to access a gateway that enables access to internet
resources in their own language.
5. Configure other agent settings as necessary to complete the agent configuration.
6. Click OK to save the portal configuration.

STEP 3 | Commit all your changes to Panorama and push the configuration changes to Prisma Access.
1. Click Commit > Commit to Panorama.
2. Click Commit > Push to Devices and click Edit Selections.
3. On the Prisma Access tab, make sure Prisma Access for users is selected and then click OK.

4. Click Push.

Manage Priorities for Prisma Access and On-Premise Gateways


Prisma Access enables you to extend the Palo Alto Networks security platform out to your mobile users.
In a hybrid deployment where your enterprise uses Prisma Access with On-Premise Gateways, you can
set priorities in Prisma Access to let mobile users connect to either a specific on-premise GlobalProtect
gateway or a Prisma Access gateway.
You can select an on-premise gateway that is physically closest to your mobile users and allow users to
connect to a different gateway (either on-premise or cloud) to ensure secure access for mobile users if they
change locations. You can also specify priority for gateways that are in the same country or same linguistic
area as your mobile users.

If you add on-premise gateways to your Prisma Access deployment, check to see if the
priority for the Prisma Access gateways is set to None and, if it is, change the priority. If
the priority is set to None, the service will not select a gateway. See Configure Priorities
for Prisma Access and On-Premise Gateways to change the priority of your Prisma Access
gateways.

If you require users to connect to a specific Prisma Access gateway, you can Allow Mobile Users to
Manually Select Specific Prisma Access Gateways. Mobile users choose one of the Prisma Access gateways
using the GlobalProtect app that is installed on their endpoint.
Complete the following workflow to configure gateway priorities in Prisma Access.
• Set Equal Gateway Priorities for On-Premise and Prisma Access Gateways
• Set a Higher Gateway Priority for an On-Premise Gateway
• Set Higher Priorities for Multiple On-Premise Gateways

• Configure Priorities for Prisma Access and On-Premise Gateways
• Allow Mobile Users to Manually Select Specific Prisma Access Gateways

Set Equal Gateway Priorities for On-Premise and Prisma Access Gateways

To enable secure access for your mobile workforce no matter where they are located, you can set equal
priorities for the on-premise GlobalProtect gateways and the Prisma Access gateways. The GlobalProtect
app uses Gateway Priority in a Multiple Gateway Configuration to determine the preferred gateway.
You can use this configuration if your mobile users are most often closer to an on-premise gateway. When
users change locations, the GlobalProtect app chooses another gateway (either on-premise or Prisma
Access gateway) based on the highest priority and lowest response time.
The following figure shows a sample configuration with two mobile users in North America. You set the
gateway priority to Highest for both the Prisma Access gateways and the on-premise gateways.
In this example, User 1’s GlobalProtect app determines that the Prisma Access gateway has a lower
response time than the on-premise gateway, and user 2’s GlobalProtect app determines that the on-premise
gateway has a lower response time. Since all gateways have the same priority, User 1 connects to the
Prisma Access gateway and User 2 connects to the on-premise gateway, based on the lower response time.

Set a Higher Gateway Priority for an On-Premise Gateway


In situations where you want to direct mobile users to use an on-premise gateway instead of the Prisma
Access gateways, specify the on-premise gateways with a source region and a higher priority than the
Prisma Access gateway.
The following figure shows a sample configuration for mobile users in Indonesia. To avoid the possibility
of mobile users being connected to the nearest Prisma Access gateway in Singapore, you set the gateway
priority to Highest for the on-premise gateway in Indonesia and set the priority to Medium for the Prisma
Access gateways.

This example also specifies a source region of Indonesia for the on-premise gateway. We recommend
specifying a source region for the following reasons:
• Specifying a source region for an on-premise gateway allows users in a region to access that gateway
and prevents users outside of that region from connecting to that gateway. In this example, only mobile
users in Indonesia can connect to the on-premise gateway with the source region of Indonesia, and the
higher priority means that the on-premise gateway has priority over the Prisma Access gateways.
• If you set a source region of Any for the on-premise gateway in Indonesia, every mobile user in your
organization would prefer the on-premise gateway in Indonesia, because of its higher priority and
worldwide accessibility. This configuration means that mobile users might never connect to the Prisma
Access gateways.

Set Higher Priorities for Multiple On-Premise Gateways


To ensure that traffic to the internet stays in language-specific regions, you can configure multiple gateways
in multiple source regions, setting the priority of the on-premise gateways to Highest and the priority of the
Prisma Access gateways to Medium.
The following figure shows a sample configuration for mobile users in Scandinavia. Using this configuration,
when the mobile users access internet websites, the websites use the character encoding set that is specific
to their languages.
In this example, you configure on-premise gateways with source regions in Denmark, Norway, and Sweden.
You set the priority of those gateways to Highest and set the priority of the Prisma Access gateways to
Medium. Specifying a source region for the on-premise gateways allows users in those regions to access
those gateways, and prevents users outside of those regions from connecting to those gateways.
In this example, the GlobalProtect app for mobile users in Sweden selects the on-premise gateway in
Sweden because of the source region and higher gateway priority.
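The selection rules described in the three sections above (highest priority wins, response time breaks ties, source regions filter candidates, and a priority of None leaves nothing to select), modelled as an added example that is not Palo Alto Networks code. Gateway names, regions and response times are constructed, and the ranking of priority levels other than Highest, Medium and None is assumed.

```python
"""Added example (not Palo Alto Networks code): a model of how the GlobalProtect
app picks an external gateway according to this guide, using the priority,
source-region and response-time rules from the sections above."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Ranking of the priority levels named on this page; "None" is never selected.
# The ordering of the intermediate levels (High, Low, Lowest) is assumed.
PRIORITY_RANK = {"Highest": 5, "High": 4, "Medium": 3, "Low": 2, "Lowest": 1, "None": 0}


@dataclass(frozen=True)
class Gateway:
    name: str
    priority: str                   # one of PRIORITY_RANK's keys
    source_regions: FrozenSet[str]  # ISO country codes, or {"Any"}


def is_candidate(gw: Gateway, user_region: str) -> bool:
    """A gateway is selectable only if its priority is not None and the user's
    region is within its source regions ("Any" admits every region)."""
    if gw.priority == "None":
        return False
    return "Any" in gw.source_regions or user_region in gw.source_regions


def select_gateway(gateways, user_region: str, response_ms: Dict[str, int]) -> Optional[str]:
    """Highest priority wins; among equal priorities the lowest measured
    response time wins. response_ms maps gateway name -> milliseconds as
    measured by the app (constructed values in the scenarios below)."""
    candidates = [g for g in gateways if is_candidate(g, user_region)]
    if not candidates:
        return None  # the guide's warning: priority None leaves no gateway to select
    best = max(PRIORITY_RANK[g.priority] for g in candidates)
    top = [g for g in candidates if PRIORITY_RANK[g.priority] == best]
    return min(top, key=lambda g: response_ms[g.name]).name


def cloud(priority: str) -> Gateway:
    """The Prisma Access gateways appear as the single "GP cloud service" entry;
    source regions are not applied to it, so it is modelled as "Any"."""
    return Gateway("GP cloud service", priority, frozenset({"Any"}))


def scenarios() -> Dict[str, Optional[str]]:
    out: Dict[str, Optional[str]] = {}
    # 1. Equal priorities: only the response time decides (two users in North America).
    equal = [cloud("Highest"), Gateway("us-onprem-gw", "Highest", frozenset({"US"}))]
    out["equal_user1"] = select_gateway(equal, "US", {"GP cloud service": 20, "us-onprem-gw": 35})
    out["equal_user2"] = select_gateway(equal, "US", {"GP cloud service": 40, "us-onprem-gw": 15})
    # 2. On-premise gateway in Indonesia at Highest with source region ID and
    #    Prisma Access at Medium: Indonesian users stay on-premise even though the
    #    cloud gateway (Singapore) responds faster; users elsewhere cannot see it.
    indo = [cloud("Medium"), Gateway("id-onprem-gw", "Highest", frozenset({"ID"}))]
    times = {"GP cloud service": 10, "id-onprem-gw": 60}
    out["indonesia_user"] = select_gateway(indo, "ID", times)
    out["singapore_user"] = select_gateway(indo, "SG", times)
    # 3. The pitfall the guide warns about: source region Any plus Highest
    #    priority pulls users worldwide onto the Indonesian gateway.
    indo_any = [cloud("Medium"), Gateway("id-onprem-gw", "Highest", frozenset({"Any"}))]
    out["any_region_pitfall"] = select_gateway(
        indo_any, "DE", {"GP cloud service": 10, "id-onprem-gw": 300})
    # 4. Per-country gateways for Scandinavia: the Swedish user lands in Sweden.
    scand = [cloud("Medium")] + [
        Gateway(f"{c.lower()}-onprem-gw", "Highest", frozenset({c})) for c in ("DK", "NO", "SE")]
    scand_times = {"GP cloud service": 5, "dk-onprem-gw": 30, "no-onprem-gw": 30, "se-onprem-gw": 30}
    out["sweden_user"] = select_gateway(scand, "SE", scand_times)
    # 5. Prisma Access left at priority None and no on-premise gateway covers the
    #    user's region: nothing is selected.
    out["none_priority"] = select_gateway(
        [cloud("None"), Gateway("id-onprem-gw", "Highest", frozenset({"ID"}))],
        "FR", {"GP cloud service": 5, "id-onprem-gw": 30})
    return out


if __name__ == "__main__":
    for scenario, chosen in scenarios().items():
        print(f"{scenario}: {chosen}")
```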

Configure Priorities for Prisma Access and On-Premise Gateways


Use this workflow to configure priorities for a deployment that uses on-premise gateways with Prisma
Access.

STEP 1 | Log in to Prisma Access.

STEP 2 | Select Network > GlobalProtect > Portals in the Mobile_User_Template template.

STEP 3 | Click the portal name in the Name field.

STEP 4 | Click the Agent tab.

STEP 5 | Click the name of the agent to configure.
The default agent is named DEFAULT.

STEP 6 | Click the External tab.

STEP 7 | Set the priority of the Prisma Access gateways.


1. Click GP cloud service.
2. Set the priority for your preferred configuration.
• To Set Equal Gateway Priorities for On-Premise and Prisma Access Gateways, change the priority
from None to Highest.
• To Set a Higher Gateway Priority for an On-Premise Gateway or Set Higher Priorities for Multiple
On-Premise Gateways, change the priority from None to Medium.

3. Be sure that the Manual check box is selected.
Checking the Manual check box ensures that mobile users can select a specific Prisma Access
gateway if it is required.

Do not add a source region for the Prisma Access gateways; any region you specify is
not applied to the configuration.
4. Click OK.

STEP 8 | Add one or more on-premise external gateways to your configuration.


1. Enter a descriptive Name for the gateway.
The name you enter should match the name you defined when you configured the gateway, and it
should be descriptive enough for users to know the location of the gateway to which they connect.
2. Enter the FQDN or IP address of the interface where the gateway is configured in the Address field.
You can configure an IPv4 address. The address you specify must exactly match the Common Name
(CN) in the gateway server certificate.
3. Add one or more Source Regions for the on-premise gateway, or select Any to make the gateway
available to all regions.

If you set the priority of on-premise external gateways higher than Prisma Access
gateways, we recommend that you specify source regions for the external gateways.
If you specify Any for the region, the GlobalProtect app might never select Prisma
Access gateways over on-premise gateways because of the higher priority for the on-
premise gateways.
4. Select the Manual check box to allow users to manually switch to the gateway.
5. Set the Priority of the on-premise gateway to Highest (the default).

6. Click OK.

STEP 9 | (Optional) Set the priority for additional gateways by repeating Step 8.

Be sure to specify the correct source regions.

The following figure shows a sample configuration with multiple gateways that have source regions
in Norway, Sweden, and Denmark. Note that the Manual check box is selected, which indicates that a
mobile user can manually select any of these gateways.

Allow Mobile Users to Manually Select Specific Prisma Access Gateways
When system administrators specify priorities for gateways in Panorama, they can only specify priorities for
all Prisma Access gateways as a whole.

When configuring the Prisma Access gateways, do not specify a source region. Any region
you specify is not applied to the configuration.

To choose a specific Prisma Access gateway, mobile users can select the gateway on their endpoint from
the drop-down list in their GlobalProtect app.

This configuration requires that you configure Manual selection of the gateway when you
Configure Priorities for Prisma Access and On-Premise Gateways.

The following figure shows a user choosing a list of Prisma Access gateways from the endpoint’s
GlobalProtect app.

The tasks you perform to connect to a specific gateway are based on the operating system of your
endpoint. For details, see the following sections from the GlobalProtect App User Guide:
• Download and Install the GlobalProtect App for Windows
• Download and Install the GlobalProtect App for Mac
• Use the GlobalProtect App for Chrome OS
• Use the GlobalProtect App for Linux

DNS Resolution for Mobile Users and Remote Networks


Prisma Access provides you with different ways to resolve DNS queries for mobile users and remote
networks. The following sections describe the different types of DNS resolution that Prisma Access
supports for mobile users and remote networks, along with the steps you use to configure it.
• DNS Resolution for Prisma Access
• DNS Resolution for Mobile Users
• DNS Resolution for Remote Networks

DNS Resolution for Prisma Access


Prisma Access allows you to specify DNS servers to resolve both domains that are internal to your
organization and external domains. Prisma Access proxies the DNS request based on the configuration
of your DNS servers. The following table shows the supported DNS resolution methods for internal and
external domains and indicates when Prisma Access proxies the DNS requests.

Internal DNS Resolution Method | External DNS Resolution Method | Prisma Access Proxies the DNS Request (Yes/No)
Customer’s DNS server (same server used for the external DNS resolution) | Customer’s DNS server | No
    To disable the proxy, you must specify the same server to resolve external domains as the one that you
    use to resolve internal domains by selecting Same as Internal Domains during mobile user or remote
    network onboarding.
Customer’s DNS server | Prisma Access Cloud Default | Yes
Customer’s DNS server | Third-party or public DNS server | Yes
No DNS resolution specified (default configuration is present, which uses Cloud Default) | No DNS resolution specified | No

The source IP address of the DNS request depends on whether or not Prisma Access proxies the DNS
request.
• When Prisma Access does not proxy the DNS requests, the source IP address of the DNS request
changes to the IP address of the device that requested the DNS lookup. This source IP address allows
you to enforce source IP address-based DNS policies or identify endpoints that communicate with
malicious domains. This behavior applies for both mobile users and remote network deployments.
• When Prisma Access proxies the DNS requests, the source IP address of the DNS request changes to
the following addresses:
• Mobile User deployments—The source IP address of the DNS request is an IP address taken from the
mobile user IP address pool for internal requests and the mobile user location’s gateway IP address
for external requests.
• Remote Network deployments—The source IP address of the DNS request is the EBGP Router
Address for internal requests and the Service IP Address of the remote network connection for
external requests.

DNS Resolution for Mobile Users


The following section provides examples of how Prisma Access processes the source IP address of the DNS
requests after you configure DNS resolution for mobile users and for remote networks.
The following figure shows a deployment where you have assigned an internal DNS server to resolve both
internal and external domains. In this case, Prisma Access does not proxy the DNS requests, and the DNS
server sees the request coming from 10.10.10.1 (the IP address of Mobile User 1’s device).

The following figure shows the DNS requests for internal domains being resolved by the DNS server in the
headquarters or data center location, while requests for external domains are resolved by Prisma Access’
Cloud Default DNS server. In this case, Prisma Access proxies the requests, and the source IP address
of the DNS request changes to an IP address from the mobile user IP address pool (172.16.55.0/24) for
internal requests and to the mobile user location’s gateway IP address (15.1.1.1 in this example) for external
requests.

The following figure shows the organization using a third-party or public DNS server accessible through
the internet for requests to external domains. Prisma Access proxies these requests as well, and the source
IP address changes to an IP address from the mobile user IP address pool (172.16.55.0/24) for internal
requests and to 15.1.1.1 for external requests.

DNS Resolution for Remote Networks


If you have an existing remote network deployment, you can continue to use the DNS resolution methods
that you already have in place, or you can use Prisma Access to proxy the DNS request. Proxying the DNS
requests allows you to send DNS requests for public domains to one server and send DNS requests for
internal domains to another server.
The following figure shows a DNS request to a deployment where an internal DNS server is used to process
requests for both internal and external domains. The remote network IP address is 35.1.1.1 and the EBGP
Router IP address is 172.1.1.1. In this case, Prisma Access does not proxy the requests and, if the internal
DNS server does not use NAT, the source IP of the DNS request is 10.1.1.1 (the IP address of Client 1’s
device in the remote network site).

If Prisma Access proxies the DNS request, the source IP addresses of the proxied DNS requests change
to the EBGP Router Address for internal requests and the Service IP Address of the remote network
connection for external requests, as shown in the following figure.

When you configure the DNS address in your network to use for Prisma Access proxied
external requests, specify the Remote Network DNS Proxy IP Address (Panorama > Cloud
Services > Status > Service Infrastructure > Remote Network DNS Proxy IP Address). In the
following example, you would specify 172.1.255.254 in your network for the DNS server.
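The proxy rules from the resolution table and the source-IP behaviour described for mobile users and remote networks, as an added example that is not Palo Alto Networks code: it predicts what a DNS server will see for a lookup and labels source IPs found in DNS server logs, so an analyst knows whether a given address identifies an endpoint or is a Prisma Access proxy address. The addresses are the constructed values from the figures above, the log lines are constructed, and no NAT in front of the internal DNS server is assumed.

```python
"""Added example (not Palo Alto Networks code): predicts the source IP a DNS
server sees for lookups from Prisma Access-secured clients and labels source
IPs from DNS server logs, following the proxy rules in this guide."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple, Union


@dataclass(frozen=True)
class DnsConfig:
    internal: Optional[str]  # "customer" (your own server) or None (nothing specified)
    external: Optional[str]  # "same-as-internal", "cloud-default", "third-party" or None


@dataclass(frozen=True)
class MobileUserDeployment:
    ip_pool: str     # mobile user IP address pool, e.g. "172.16.55.0/24"
    gateway_ip: str  # the mobile user location's gateway IP address, e.g. "15.1.1.1"


@dataclass(frozen=True)
class RemoteNetworkDeployment:
    ebgp_router_ip: str  # EBGP Router Address, e.g. "172.1.1.1"
    service_ip: str      # Service IP Address of the remote network connection, e.g. "35.1.1.1"


Deployment = Union[MobileUserDeployment, RemoteNetworkDeployment]


def prisma_proxies_dns(cfg: DnsConfig) -> bool:
    """Rows of the resolution table: the proxy is off when nothing is configured
    (Cloud Default for everything) or when the same server resolves internal and
    external domains; a Cloud Default or third-party external server turns it on."""
    if cfg.internal is None and cfg.external is None:
        return False
    if cfg.external == "same-as-internal":
        return False
    return True


def expected_dns_source(cfg: DnsConfig, deployment: Deployment,
                        client_ip: str, domain_kind: str) -> Tuple[str, bool]:
    """Return (source the DNS server sees, whether it identifies the endpoint).
    domain_kind is "internal" or "external". Assumes no NAT before the internal
    DNS server, as in the guide's figures."""
    if not prisma_proxies_dns(cfg):
        return client_ip, True  # unproxied: the requesting device's own address
    if isinstance(deployment, MobileUserDeployment):
        src = deployment.ip_pool if domain_kind == "internal" else deployment.gateway_ip
    else:
        src = deployment.ebgp_router_ip if domain_kind == "internal" else deployment.service_ip
    return src, False  # proxied: a Prisma Access address, not the endpoint


def classify_dns_log_source(src_ip: str, cfg: DnsConfig, deployment: Deployment) -> str:
    """Label a source IP taken from a DNS server log line."""
    if not prisma_proxies_dns(cfg):
        return "endpoint"  # without the proxy, the source is the requesting device
    ip = ipaddress.ip_address(src_ip)
    if isinstance(deployment, MobileUserDeployment):
        if ip in ipaddress.ip_network(deployment.ip_pool):
            return "prisma-proxy:mobile-user-pool"
        if ip == ipaddress.ip_address(deployment.gateway_ip):
            return "prisma-proxy:gateway"
    else:
        if ip == ipaddress.ip_address(deployment.ebgp_router_ip):
            return "prisma-proxy:ebgp-router"
        if ip == ipaddress.ip_address(deployment.service_ip):
            return "prisma-proxy:service-ip"
    return "other-source"  # not a Prisma Access proxy address for this deployment


# Constructed DNS server log lines (source IP, queried name) for a mobile user
# deployment that proxies DNS.
SAMPLE_LOG = [
    ("172.16.55.23", "intranet.example.internal"),
    ("15.1.1.1", "www.example.com"),
    ("10.10.10.1", "printer.example.internal"),
]


def label_sample_log(cfg: DnsConfig, deployment: Deployment):
    """Attach a label to each constructed log line."""
    return [(src, name, classify_dns_log_source(src, cfg, deployment)) for src, name in SAMPLE_LOG]


if __name__ == "__main__":
    mobile = MobileUserDeployment("172.16.55.0/24", "15.1.1.1")
    proxied = DnsConfig("customer", "cloud-default")
    for src, name, label in label_sample_log(proxied, mobile):
        print(f"{src:>14}  {name:<28} {label}")
```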

Sinkhole IPv6 Traffic From Mobile Users
In a dual stack endpoint that can process both IPv4 and IPv6 traffic, the GlobalProtect app sends mobile
user IPv4 traffic to be protected through the GlobalProtect VPN tunnel to Prisma Access. However, mobile
user IPv6 traffic is not sent to Prisma Access by default and is sent to the local network adapter on the
endpoint instead. To reduce the attack surface for IPv6-based threats, Palo Alto Networks recommends
that you configure Prisma Access to sinkhole IPv6 traffic. Because endpoints can automatically fall back to
an IPv4 address, you can enable a secure and uninterrupted user experience for mobile user traffic to the
internet.
In addition, Palo Alto Networks recommends that you configure GlobalProtect to completely disable
network traffic on the local network adapter. If you have a hybrid Prisma Access deployment with on-
premise next-generation firewalls configured as GlobalProtect gateways, you can configure IPv6 sinkhole
functionality on the on-premise GlobalProtect gateway.
• Configure Prisma Access to Sinkhole IPv6 Traffic
• Configure GlobalProtect to Disable Direct Access to the Local Network
• Set Up an IPv6 Sinkhole On the On-Premise Gateway

Configure Prisma Access to Sinkhole IPv6 Traffic


You can configure Prisma Access so that it sinkholes all mobile user IPv6 traffic. When you enable this
functionality, Prisma Access assigns an IPv6 address to the connecting endpoint in addition to an IPv4
address; then, it routes the IPv6 traffic to Prisma Access and discards it using a built-in security policy, as
shown in the following figure.

To configure Prisma Access so that it sinkholes all mobile user IPv6 traffic, complete the following steps.

STEP 1 | Open a secure CLI session with admin-level privileges, using the same IP address that you use
to log in to the Panorama that manages Prisma Access.

STEP 2 | Enter configure to enter configuration mode.

STEP 3 | Enter the set plugins cloud_services mobile-users ipv6 yes command.
If you need to disable this command in the future, enter set plugins cloud_services mobile-
users ipv6 no.

STEP 4 | Enter commit to save your changes locally.

STEP 5 | Enter exit to exit configuration mode.

STEP 6 | Enter commit-all shared-policy include-template yes device-group Mobile_User_Device_Group
to commit and push your changes and make them active in Prisma Access.

Configure GlobalProtect to Disable Direct Access to the Local Network


To make sure that all mobile user traffic is sent to Prisma Access, you can completely disable outgoing
connections, including local subnet traffic, from being sent to the local adapter. You can deactivate all
outgoing connections to the local adapter by making configuration changes to the GlobalProtect gateway.
You can perform these steps on Panorama or on an on-premise firewall that has been configured as a
GlobalProtect gateway.

Disabling local network access prevents all traffic, including IPv4 and IPv6 traffic, from being
sent to the local adapter. In addition, you won't be able to access resources on your local
subnet, such as printers.

STEP 1 | Select Network > GlobalProtect > Gateways.

STEP 2 | Select an existing GlobalProtect gateway or Add a new one.

STEP 3 | Select Agent > Client Settings.

STEP 4 | Select the DEFAULT configuration or Add a new one.

STEP 5 | Select Split Tunnel; then, select No direct access to local network.

STEP 6 | (Panorama and Prisma Access deployments only) Commit your changes locally to make them active
in Panorama.
1. Select Commit > Commit to Panorama.
2. Make sure that your change is part of the Commit Scope.
3. Click OK to save your changes to the push scope.
4. Commit your changes.

STEP 7 | Commit and Push your changes to make them active in Prisma Access.

Set Up an IPv6 Sinkhole On the On-Premise Gateway


If you have a hybrid deployment that uses next-generation firewalls configured as gateways with Prisma
Access, perform the following task on the on-premise gateway to drop the IPv6 traffic.

STEP 1 | Add IPv6 IP pools to your GlobalProtect agent configuration.


1. Select Network > GlobalProtect > Gateways.
2. Select an existing GlobalProtect gateway or Add a new one.
3. Select Agent > Client Settings.
4. Select the agent configuration to modify or Add a new one.

5. Select IP Pools; then, Add an IPv6 pool to assign to the virtual network adapter that endpoints
connecting to the GlobalProtect gateway use for mobile network traffic, and click OK.

STEP 2 | Enable IPv6 on the interface.


1. Select Device > Interface > Tunnel and select the tunnel Interface that you use for the mobile user’s
traffic.
2. Select IPv6; then, select Enable IPv6 on the interface.

STEP 3 | Add a security policy to set a TCP reset action that will terminate sessions with IPv6 source
traffic that matches the IP pools you configured in Step 1.
1. Select Policies > Security and Add a new security policy.
2. Set the Source Address in the rule to match the IP pools you configured in Step 1.

3. Select Actions; then, select an Action Setting of Reset Client and click OK.

STEP 4 | Commit your changes.

STEP 5 | (Optional) Perform this task on all the gateway firewalls in your deployment.

Report Website Access Issues
Some websites such as stubhub.com, ticketmaster.com, or dollartree.com, block traffic from the cloud IP
address range. When users who are secured by Prisma Access attempt to access these websites, they can
be denied access with the following message on the web browser:
Access Denied.
You don't have permission to access "http://www.dollartree.com/" on this server. Reference #18.7f955b8.1509600370.44eb7c8
To report this problem, enter https://reportasite.gpcloudservice.com/ from a web browser
and provide the URL of the website that is inaccessible. After 24-48 hours, return to
https://reportasite.gpcloudservice.com/ and enter the same URL to see its status.

Palo Alto Networks reviews all reported sites. If an access issue is found, Palo Alto Networks
categorizes the site and adds an egress policy which changes the IP address of the
site. When users access a site using a different IP address, their first attempt might be
unsuccessful because the client is expected to receive a TCP RST packet, which causes
modern browsers to auto-retry the connection and successfully load the site.

If, after 48 hours, the website continues to be blocked even after a retry operation, verify that you have
configured security policy to allow the user to access the specific website/web category. After confirming
that your acceptable use policy allows the requested web content, open a Support Case with Palo Alto
Networks Technical Support for assistance with the impacted traffic flow, specifying the steps taken to
isolate the issue.

Use Remote Networks to Secure Branches
As your business scales and your office locations become geographically distributed, Prisma
Access for networks allows you to speedily onboard your remote network locations and
deliver best-in-breed security for your users. It offers a convenient option that removes the
complexity in configuring and managing devices at every remote location. The service provides
an efficient way to easily add new remote network locations and minimize the operational
challenges with ensuring that users at these locations are always connected and secure, and it
allows you to manage policy centrally from Panorama for consistent and streamlined security
for your remote network locations.
To connect your remote network locations to Prisma Access, you can use the Palo Alto
Networks next-generation firewall or a third-party, IPSec-compliant device including SD-WAN,
that can establish an IPSec tunnel to the service.

> Plan to Deploy Prisma Access for Networks
> Configure Prisma Access for Networks
> Quick Configs for Remote Network Deployments

Plan to Deploy Prisma Access for Networks
Prisma Access for networks allows you to pick the geographic locations where you want to deploy Prisma
Access to secure your remote network locations.

Before you begin to Configure Prisma Access for Networks, make sure you have the following configuration
items ready to ensure that you will be able to successfully enable the service and enforce policy for users in
your remote network locations:
Service Connection—If your remote network locations require access to infrastructure in your corporate
headquarters to authenticate users or to enable access to critical network assets, you must create a
service connection so that headquarters and the remote network locations are connected. If the remote
network location is autonomous and does not need access to infrastructure at other locations, you do
not need to set up the service connection (unless your mobile users need access).
Template—Prisma Access automatically creates a template stack (Remote_Network_Template_Stack)
and a top-level template (Remote_Network_Template) for Prisma Access for networks. To Configure
Prisma Access for Networks, you will either need to configure the top-level template from scratch
or leverage your existing configuration, if you are already running a Palo Alto Networks firewall on
premises. The template requires the settings to establish the IPSec tunnel and Internet Key Exchange
(IKE) configuration for protocol negotiation between your remote network location and Prisma Access
for networks, zones that you can reference in security policy, and a log forwarding profile so that you
can forward logs from the Prisma Access for remote networks to Cortex Data Lake.
Parent Device Group—Prisma Access for networks requires you to specify a parent device group that
will include your security policy, security profiles, and other policy objects (such as application groups
and objects, and address groups), as well as authentication policy so that Prisma Access for networks
can consistently enforce policy for traffic that is routed through the IPSec tunnel to Prisma Access for
networks. You will need to either define policy rules and objects on Panorama or use an existing device
group to secure users in the remote network location.

If you use an existing device group that references zones, make sure to add the
corresponding template that defines the zones to the Remote_Network_Template_Stack.
Doing so will allow you to complete the zone mapping when you Configure Prisma Access
for Networks.
IP Subnets—In order for Prisma Access to route traffic to your remote networks, you must provide
routing information for the subnetworks that you want to secure using Prisma Access. You can do this
in several ways. You can either define a static route to each subnetwork at the remote network location,
or configure BGP between your service connection locations and Prisma Access, or use a combination
of both methods. If you configure both static routes and enable BGP, the static routes take precedence.
While it might be convenient to use static routes if you have just a few subnetworks at your remote
network locations, in a large deployment with many remote networks with overlapping subnets, BGP will
enable you to scale more easily.

Configure Prisma Access for Networks
For each remote network that you want to secure using Prisma Access for networks, you must use the
following workflow to push the required policy configuration to the cloud service and onboard each remote
network so that you can start sending traffic from the remote site through the IPSec tunnel to Prisma
Access.
Before you begin onboarding your remote networks, be sure you go through the steps to Plan to Deploy
Prisma Access for Networks.
If you need to onboard many remote network locations, onboard a remote network using this workflow and
then import the remote network configuration.

STEP 1 | Select Panorama > Cloud Services > Configuration > Remote Networks and edit the settings
by clicking the gear icon in the Settings area.
1. In the Templates section, Add any templates that contain configuration you want to push to
Prisma Access for networks. For example, if you have existing templates that contain your zone
configurations, or IPSec tunnel, IKE Gateway, or crypto profile settings, you can add them to the
predefined Remote_Network_Template_Stack to simplify the onboarding process.
You can Add more than one template to the stack and then order them appropriately using Move
Up and Move Down. This is important because Panorama evaluates templates in the stack from top to bottom,
with settings in templates higher in the stack taking priority over the same settings specified in
templates lower in the stack. Note that you cannot move the default template from the top of the
stack.

Although you can add existing templates to the stack from the plugin, you cannot
create a new template from the plugin. Instead, use the workflow to add a new
template.
2. Select the Parent Device Group for Prisma Access for remote networks. You can select an existing
device group or use Shared.
You will push all of the configuration—including the security policy, security profiles, and other policy
objects (such as application groups and objects, and address groups), HIP objects and profiles and
authentication policy—that Prisma Access for networks needs to enforce consistent policy to your
remote network users using the device group hierarchy you specify here.

You don’t need to define all of the policy that you will push to the remote network
yet. Instead, configure the settings to onboard the remote site. You can then go back
and add the templates and device groups with the complete configurations to push
consistent policy out to your remote networks.
3. If you will be configuring remote networks that have overlapping subnets, select the Overlapped
Subnets check box to enable outbound internet access for those locations.
While configuring Remote Network Locations with Overlapping Subnets introduces some limitations,
it is acceptable in some cases (for example, if you want to add a guest network at a retail store
location).

STEP 2 | (Optional) Configure DNS Proxy settings for your remote network.
Prisma Access allows you to specify DNS servers to resolve both domains that are internal to your
organization and external domains. If you do not specify any settings, Prisma Access does not proxy DNS
requests for remote networks.
1. In the Remote_Network_Device_Group device group, select Policies > Security and Add a security
policy rule with an Application of DNS and an Action of Allow to allow DNS traffic.
Without a security policy rule to allow DNS traffic, DNS resolution does not occur.

2. If you configure Prisma Access to proxy the DNS requests from your remote networks, update the
DNS settings on all the endpoints in that network to use the Prisma Access Remote Network DNS
Proxy IP Address as the primary DNS server and use your DNS server as secondary DNS server. You
can get this DNS proxy IP from Panorama > Cloud Services > Status > Network Details > Service
Infrastructure.

3. Add one or more DNS proxy settings, entering the following values:

• For Internal Domains:
• Select a Region (North America & South America, Africa, Europe & Middle East, or Asia,
Australia & Japan), or specify Worldwide to apply the DNS settings globally.
You can add multiple region-specific DNS proxy settings, or specify a DNS proxy for one
or more regions and specify another worldwide DNS proxy for the rest of the world. If you
specify only a regional setting and onboard remote networks in that region only, Prisma Access
does not proxy the DNS requests, and the source IP address of the DNS request is the remote
network’s EBGP Router IP address. If you specify multiple proxy settings with a mix of regional
and worldwide regions, Prisma Access uses the regional settings for the Locations in the region
you specify; otherwise, Prisma Access uses the worldwide settings.
• Specify the IP addresses of the Primary DNS and Secondary DNS servers that your remote
network should use to resolve internal domains.
• (Optional) If you want your internal DNS server to only resolve the domains you specify, enter
the domains to resolve in the Domain List.
You can use a wildcard (*) in front of the domains in the domain list, for example *.acme.local
or .acme.com. You can specify a maximum of 1,024 domain entries.
• For External Domains:
• Enter a Primary DNS choice.
To use the default Prisma Access DNS server, select Use Cloud Default. To use the same
server that you use to resolve internal domains, select Same as Internal Domains. To use third-
party or public DNS server, select Custom DNS Server, then specify the IP address of the DNS
server.
• Enter a Secondary DNS choice, choosing from the same options offered for the Primary DNS.
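
To make the selection rules above concrete, the following is an added Python example (not Palo Alto Networks code, not part of this guide) that models which server a remote network's query goes to. The region names and the 1,024-entry limit come from the text; the dataclass fields, the server addresses and domains, and the treatment of an empty Domain List are constructed assumptions.

```python
# Added example (not Palo Alto Networks code): models the DNS proxy selection rules above so you
# can predict which server resolves a remote network's query before committing. Region names and
# the 1,024-entry limit come from the guide; servers, domains and dataclass fields are constructed.
from dataclasses import dataclass, field
from typing import List, Optional

REGIONS = {"North America & South America", "Africa, Europe & Middle East",
           "Asia, Australia & Japan", "Worldwide"}
MAX_DOMAIN_ENTRIES = 1024
EXTERNAL_CHOICES = ("Use Cloud Default", "Same as Internal Domains", "Custom DNS Server")


@dataclass
class DnsProxySetting:
    region: str
    primary_dns: str                 # internal-domain resolvers
    secondary_dns: str
    domain_list: List[str] = field(default_factory=list)
    external_primary: str = "Use Cloud Default"
    custom_external_dns: Optional[str] = None   # used only with "Custom DNS Server"

    def validate(self) -> List[str]:
        """Configuration problems to fix before committing."""
        problems = []
        if self.region not in REGIONS:
            problems.append(f"unknown region {self.region!r}")
        if len(self.domain_list) > MAX_DOMAIN_ENTRIES:
            problems.append(f"Domain List has {len(self.domain_list)} entries; maximum is {MAX_DOMAIN_ENTRIES}")
        if self.external_primary not in EXTERNAL_CHOICES:
            problems.append(f"unknown external DNS choice {self.external_primary!r}")
        if self.external_primary == "Custom DNS Server" and not self.custom_external_dns:
            problems.append("Custom DNS Server selected but no server address given")
        return problems


def select_setting(settings: List[DnsProxySetting], location_region: str) -> Optional[DnsProxySetting]:
    """A setting for the location's own region wins; otherwise fall back to Worldwide.
    With neither, Prisma Access does not proxy DNS for that location (None)."""
    for s in settings:
        if s.region == location_region:
            return s
    for s in settings:
        if s.region == "Worldwide":
            return s
    return None


def domain_matches(pattern: str, fqdn: str) -> bool:
    """'*.acme.local' or '.acme.com' match any subdomain; a plain name matches exactly."""
    fqdn = fqdn.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        pattern = pattern[1:]        # "*.acme.local" -> ".acme.local"
    if pattern.startswith("."):
        return fqdn.endswith(pattern)
    return fqdn == pattern


def resolver_for(setting: Optional[DnsProxySetting], fqdn: str) -> Optional[str]:
    """Where a query for fqdn is sent under the selected setting."""
    if setting is None:
        return "not proxied"         # sent directly, sourced from the remote network's EBGP Router IP
    # Assumption: an empty Domain List means the internal servers resolve every query.
    if not setting.domain_list or any(domain_matches(d, fqdn) for d in setting.domain_list):
        return setting.primary_dns
    if setting.external_primary == "Use Cloud Default":
        return "cloud default"
    if setting.external_primary == "Same as Internal Domains":
        return setting.primary_dns
    return setting.custom_external_dns


# Constructed sample: a regional setting for one region plus a Worldwide fallback.
EMEA = DnsProxySetting("Africa, Europe & Middle East", "10.20.0.53", "10.20.0.54",
                       ["*.acme.local", ".acme.com"], "Custom DNS Server", "192.0.2.53")
WORLDWIDE = DnsProxySetting("Worldwide", "10.1.0.53", "10.1.0.54", ["*.acme.local"])
SETTINGS = [EMEA, WORLDWIDE]
```

With only EMEA configured, select_setting returns None for a location in another region, which is the case the text describes where requests are not proxied.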

STEP 3 | (Optional) Configure Prisma Access to use the Directory Sync service to retrieve user and group
information.
You must configure Directory Sync to retrieve user and group information from your Active Directory
(AD) before you enable and configure Directory Sync integration in Prisma Access using the settings in
the Group Mapping Settings tab. See Get User and Group Information Using Directory Sync for details.

STEP 4 | Create new zones in one of the templates in the stack (Network > Zones > Add) or map
the zones referenced in existing templates you added to the stack as trusted or untrusted.
On Panorama, policy rules are defined in device groups, and zones are defined in templates.
Therefore, you need to make sure that you add the templates that reference the zones
included in your policy rules to the template stack.
On a Palo Alto Networks® next-generation firewall, security policy is enforced between zones, which
map to physical or virtual interfaces on the firewall. But as Prisma Access for networks has only two
zones, trust and untrust, you need to map any zone with traffic bound to the Internet (including your
sanctioned SaaS applications) as untrust and all internal zones as trust.
1. (Optional) Edit the zone mapping settings.
By default, all of the zones in the Prisma Access for networks template stack are classified as Untrusted
Zones. If you have not yet defined zones or if the templates in the Remote_Network_Template_Stack
do not have zone configurations, you can come back and add them when you push policy to Prisma
Access for networks.
2. For each zone you want to designate as trusted, select it and click Add to move it to the list of
Trusted Zones.
3. Click OK to save the mappings.

STEP 5 | Click Add in the Onboarding settings, and specify a Name to identify the infrastructure that
will secure the remote network location you are onboarding.

You cannot change the name of the remote network location after you enter it. Make sure
you know your naming scheme for your remote networks before you begin onboarding.

STEP 6 | (BGP deployments only) Create a configuration so that your remote network connection can use
up to four IPSec tunnels for its traffic (ECMP Load Balancing).
Note that QoS is not supported with ECMP load balancing, and static routes are not supported (BGP is
required). If your deployment uses one IPSec tunnel for its remote network connection or uses static
routes, select None for ECMP Load Balancing and continue to Step 9.
Specify a minimum Bandwidth of 50 Mbps.
Prisma Access divides the bandwidth you select by the number of tunnels; for example, if you specify
300 Mbps and add four tunnels, each tunnel carries 75 Mbps. If one of the tunnels goes down, your
network connection will now carry 225 Mbps instead of 300 Mbps.
1. Select one of the choices to enable or disable ECMP load balancing.
• None—Do not use ECMP load balancing (use a single remote network tunnel for this remote
network connection). This is the only choice you can make for static routes; BGP is required for
ECMP load balancing.
• Enabled with Symmetric Return—Specify up to four IPSec tunnels for this remote network
connection and force Prisma Access to use the same link for the return traffic as it used to send
the traffic.
Select this option if you use one or more tunnels as a backup tunnel to be used only if one of the
primary tunnels go down. If a link fails, Prisma Access uses one of the other tunnels to send and
receive traffic symmetrically.

2. Add an IPSec tunnel for the remote network connection and specify the following values:
• Enable—Enables BGP for the IPSec tunnel.
This selection is not configurable; you must enable BGP to configure ECMP.
• Summarize Mobile User Routes before advertising—Reduces the number of mobile user IP subnet
advertisements over BGP to your customer premises equipment (CPE) by summarizing them.
By default, Prisma Access advertises the mobile user IP address pools in blocks of /24 subnets;
if you summarize them, Prisma Access advertises the pool based on the subnet you specified.
For example, Prisma Access advertises a public user mobile IP pool of 10.8.0.0/20 using the /20
subnet, rather than dividing the pool into subnets of 10.8.1.0/24, 10.8.2.0/24, 10.8.3.0/24, and so
on before advertising them. Summarizing these advertisements can reduce the number of routes
stored in CPE routing tables. For example, you can use IP pool summarization with cloud VPN
gateways (Virtual Private Gateways (VGWs) or Transit Gateways (TGWs)) that can accept a limited
number of routes.

If you enable route summarization for a location that uses ECMP, you must enable
route summarization on all links to that location, or you will receive an error during
commit.

Prisma Access sets the community string for aggregated mobile user routes to 0xFFFE:0xFFF0.
• Advertise Default Route—Allows Prisma Access to advertise a default route for the remote
network using eBGP.

You must publish your default routes before you make this selection to advertise
them. In addition, be sure that your network does not have another default route
being advertised by BGP, or you could introduce routing issues in your network.
• Don’t Advertise Prisma Access Routes—Prevents the Prisma Access BGP peer from forwarding
routes into your organization’s network.

By default, Prisma Access advertises all BGP routing information, including local routes and all
prefixes it receives from other service connections, remote networks, and mobile user subnets.
Select this check box to prevent Prisma Access from sending any BGP advertisements, but still use
the BGP information it receives to learn routes from other BGP neighbors.
Since Prisma Access does not send BGP advertisements if you select this option, you must
configure static routes on the on-premise equipment to establish routes back to Prisma Access.

• Peer AS—Specify the autonomous system (AS) to which the firewall, virtual router, or BGP router
at your remote network belongs.
• Peer IP Address—Enter the IP address assigned as the Router ID of the eBGP router on the
remote network for which you are configuring this connection.
• Local IP Address (Optional)—Enter the address that Prisma Access uses as its Local IP address for
BGP, that is, the IP address on the Prisma Access side of the tunnel.
Specifying a Local Address is useful where the device on the other side of the connection (such
as an Amazon Web Service (AWS) Virtual Private Gateway) requires a specific local IP address for
BGP peering to be successful. Make sure that the address you specify does not conflict or overlap
with IP addresses in the Infrastructure Subnet or subnets in the remote network.
• Secret and Confirm Secret (Optional)—Enter and confirm a passphrase to authenticate BGP peer
communications.
3. Repeat the previous step to add up to four tunnels to use with the remote network connection.

STEP 7 | Select the Location in which Prisma Access will deploy the infrastructure required to secure
your remote network location. This region should be geographically located close to your
remote network location.
See this table for a list of Prisma Access locations.

STEP 8 | Select the Bandwidth you want to allocate to this remote network location. The bandwidth
you select cannot exceed the total amount of bandwidth you have licensed. Use this setting to
define the amount of the total licensed bandwidth you want to allocate to this location.
To help you determine how much bandwidth a specific site needs, consider the bandwidth available
from your ISP at each location. See How to Calculate Remote Network Bandwidth for more details and
suggestions. If you enable ECMP Load Balancing, you must specify a minimum of 50 Mbps.

You can change the bandwidth of a remote network connection after you onboard it, with
the exception of the 500 Mbps (w/o SSL Decryption) or 1000 Mbps (Preview) bandwidth
choices. If you select either of these preview choices and then need to change the
bandwidth, you must first add an identical network with the only change being the lower,
non-Preview bandwidth choice, commit your changes, make a note of the Service IP
address and reconfigure your IPSec tunnel to use that address, then delete the existing
remote network with the preview bandwidth choice.

STEP 9 | (Static routing or single-tunnel deployments only) Select or add a new IPSec Tunnel configuration
to access the firewall, router, or SD-WAN device at the corporate location:
• If you have added a template to the Remote_Network_Template_Stack (or modified the predefined
Remote_Network_Template) that includes an IPSec Tunnel configuration, select that IPSec Tunnel
from the drop-down. Note that the tunnel you are creating for each remote network connection
connects Prisma Access to the IPSec-capable device at each branch location.
Use the following guidelines when configuring an IPSec tunnel:
• The peer addresses in the IKE Gateway configuration must be unique for each tunnel. You can,
however, re-use some of the other common configuration elements, such as crypto profiles.
• The IPSec Tunnel you select from a template must use Auto Key exchange and IPv4 only.
• If you onboard multiple remote networks to the same location with dynamic IKE peers, you must
use the same IKE crypto profile for all remote network configurations.

• To create a new IPSec Tunnel configuration, click New IPSec Tunnel, give it a Name and configure
the IKE Gateway, IPSec Crypto Profile, and Tunnel Monitoring settings.
• If the IPSec-capable device at your branch location uses policy-based VPN, on the Proxy IDs tab,
Add a proxy ID that matches the settings configured on your local IPSec device to ensure that
Prisma Access can successfully establish an IPSec tunnel with your local device.
• Leave Enable Replay Protection selected to detect and neutralize replay attacks.
• Select Copy TOS Header to copy the Type of Service (TOS) header from the inner IP header to the
outer IP header of the encapsulated packets in order to preserve the original TOS information.
• To enable tunnel monitoring for the service connection, select Tunnel Monitor.
• Enter a Destination IP address.
Specify an IP address at your branch location to which Prisma Access can send ICMP ping
requests for IPSec tunnel monitoring. Make sure that this address is reachable by ICMP from the
entire Prisma Access infrastructure subnet.
• If you use tunnel monitoring with a peer device that uses multiple proxy IDs, specify a Proxy ID or
add a New Proxy ID that allows access from the infrastructure subnet to your branch location.
The following figure shows a proxy ID with the service infrastructure subnet (172.16.55.0/24 in
this example) as the Local IP subnet and the branch location’s subnet (10.1.1.0/24 in this example)
as the Remote subnet.

The following figure shows the Proxy ID you created being applied to the tunnel monitor
configuration by specifying it in the Proxy ID field.

You must configure a static route on your CPE to the Tunnel Monitor IP Address for
tunnel monitoring to function. To find the destination IP address to use for tunnel
monitoring from your branch location to Prisma Access, select Panorama > Cloud
Services > Status > Network Details, click the Service Infrastructure radio button, and
find the Tunnel Monitor IP Address.

STEP 10 | If you have a secondary WAN link at this location, select Enable Secondary WAN.

Be sure to create a unique IPSec tunnel for each remote network’s secondary WAN;
Prisma Access does not support reusing the same IPSec tunnel for secondary WANs in
multiple remote networks.

If you use static routes, tunnel failover time is less than 15 seconds from the time of detection,
depending on your WAN provider.
If you configure BGP routing and have enabled tunnel monitoring, the shortest default hold time to
determine that a security parameter index (SPI) is failing is the tunnel monitor, which removes all routes
to a peer when it detects a tunnel failure for 15 consecutive seconds. In this way, the tunnel monitor
determines the behavior of the BGP routes. If you do not configure tunnel monitoring, the hold timer
determines the amount of time that the tunnel is down before removing the route. Prisma Access uses
the default BGP HoldTime value of 90 seconds as defined by RFC 4271, which is the maximum wait
time before Prisma Access removes a route for an inactive SPI. If the peer BGP device has a shorter
configured hold time, the BGP hold timer uses the lower value.
When the secondary tunnel is successfully installed, the secondary route takes precedence until the
primary tunnel comes back up. If the primary and secondary are both up, the primary route takes
priority.

STEP 11 | Enable routing to the subnetworks or individual IP addresses at the remote network site that
your users will need access to.
Prisma Access uses this information to route requests to the appropriate site. The networks at each
site cannot overlap with each other or with IP address pools that you designated for the service
infrastructure or for the Prisma Access for users IP pools. You can configure Static Routes, BGP, or a
combination of both.
• To configure Static Routes:
1. On the Static Routes tab, click Add and enter the subnetwork address (for example,
172.168.10.0/24) or individual IP address of a resource, such as a DNS server (for example,
10.32.5.1/32) that your remote users will need access to.
2. Repeat for all subnets or IP addresses that Prisma Access will need access to at this location.

• To configure BGP:
1. Select the BGP tab.
2. Select the ECMP Load Balancing choices. See Step 6.
3. If you select None for ECMP Load Balancing, enter the BGP choices.

4. To enable BGP for the remote network connection, select Enable.
When you enable BGP, Prisma Access sets the time to live (TTL) value for external BGP (eBGP) to
8 to accommodate any extra hops that might occur between the Prisma Access infrastructure and
your customer premises equipment (CPE) that terminates the eBGP connection.
5. To reduce the number of mobile user IP subnet advertisements over BGP to your customer
premises equipment (CPE) by summarizing them, select Summarize Mobile User Routes before
advertising.
By default, Prisma Access advertises the mobile user IP address pools in blocks of /24 subnets;
if you summarize them, Prisma Access advertises the pool based on the subnet you specified.
For example, Prisma Access advertises a public user mobile IP pool of 10.8.0.0/20 using the /20
subnet, rather than dividing the pool into subnets of 10.8.1.0/24, 10.8.2.0/24, 10.8.3.0/24, and so
on before advertising them. Summarizing these advertisements can reduce the number of routes
stored in CPE routing tables. For example, you can use IP pool summarization with cloud VPN
gateways (Virtual Private Gateways (VGWs) or Transit Gateways (TGWs)) that can accept a limited
number of routes.
Prisma Access sets the community string for aggregated mobile user routes to 0xFFFE:0xFFF0.
6. To allow Prisma Access to advertise a default route for the remote network using eBGP, select
Advertise Default Route.
If you select Advertise Default Route, be sure that your network does not have another default
route being advertised by BGP, or you could introduce routing issues in your network.

You must publish your default routes before you make this selection to advertise
them. In addition, be sure that your network does not have another default route
being advertised by BGP, or you could introduce routing issues in your network.
7. To prevent the BGP peer on the Prisma Access firewall from forwarding routes into your
organization’s network, select Don’t Advertise Prisma Access Routes.
By default, Prisma Access advertises all BGP routing information, including local routes and all
prefixes it receives from other service connections, remote networks, and mobile user subnets.
Select this check box to prevent Prisma Access from sending any BGP advertisements, but still use
the BGP information it receives to learn routes from other BGP neighbors.
Since Prisma Access does not send BGP advertisements if you select this option, you must
configure static routes on the on-premise equipment to establish routes back to Prisma Access.
8. Enter the Peer AS, which is the autonomous system (AS) to which the firewall, virtual router, or
BGP router at your remote network belongs.
9. Enter the IP address assigned as the Router ID of the eBGP router on the remote network for
which you are configuring this connection as the Peer Address.
10. (Optional) Enter an address that Prisma Access uses as its Local IP address for BGP.
Specifying a Local Address is useful where the device on the other side of the connection (such
as an Amazon Web Service (AWS) Virtual Private Gateway) requires a specific local IP address for
BGP peering to be successful. Make sure that the address you specify does not conflict or overlap
with IP addresses in the Infrastructure Subnet or subnets in the remote network.

You must configure a static route on your CPE to the BGP Local Address.

11. (Optional) Enter and confirm a passphrase to authenticate BGP peer communications.

12. (Optional) If you configured a Secondary WAN and you need to change the Peer Address or Local
Address for the secondary (backup) BGP peer, deselect Same as Primary WAN and enter a unique
Peer and, optionally, Local IP address for the secondary WAN.
In some deployments (for example, when using BGP to peer with an AWS VPN gateway), the BGP
peer for the primary and secondary WAN might be different. In those scenarios, you can choose
to set a different BGP peer for the secondary WAN.

For BGP deployments with secondary WANs, Prisma Access sets both the primary
and secondary tunnels in an UP state, but follows normal BGP active-backup
behavior for network traffic. Prisma Access sets the primary tunnel as active and
sends and receives traffic through that tunnel only; if the primary tunnel fails,
Prisma Access detects the failure using BGP rules, sets the secondary tunnel as
active, and uses only the secondary tunnel to send and receive traffic.
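
Steps 6 through 11 state a number of constraints that only surface as commit errors or broken tunnels later. The following is an added Python example (not Palo Alto Networks code, not part of this guide) that checks a planned remote network against those constraints before you commit, and also shows what mobile user route summarization does to an advertised pool and whether a proxy ID covers the tunnel monitor address. The rule set, dataclass fields and every address and name are constructed assumptions.

```python
# Added example (not Palo Alto Networks code): pre-commit checks for a planned remote network
# onboarding, applying constraints stated in Steps 6 to 11, plus helpers for mobile user route
# summarization and proxy-ID coverage of the tunnel monitor address. Everything here is constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_ECMP_BANDWIDTH_MBPS = 50
MAX_ECMP_TUNNELS = 4


@dataclass
class BgpTunnel:
    name: str
    ike_peer: str                   # peer address in the IKE Gateway; must be unique per tunnel
    peer_as: int
    peer_ip: str                    # Router ID of the eBGP router at the branch
    local_ip: Optional[str] = None  # optional Prisma Access-side BGP address
    summarize_mobile_user_routes: bool = False


@dataclass
class RemoteNetwork:
    name: str
    bandwidth_mbps: int
    ecmp: str                       # "None" or "Enabled with Symmetric Return"
    tunnels: List[BgpTunnel] = field(default_factory=list)
    static_routes: List[str] = field(default_factory=list)
    qos_enabled: bool = False
    secondary_wan_tunnel: Optional[str] = None  # IPSec tunnel name used for the backup WAN


def advertised_mobile_user_routes(pool: str, summarize: bool) -> List[str]:
    """Unsummarized, a pool is advertised as /24 blocks; summarized, as the pool itself."""
    net = ipaddress.ip_network(pool)
    if summarize or net.prefixlen >= 24:
        return [str(net)]
    return [str(s) for s in net.subnets(new_prefix=24)]


def _overlaps(a: str, b: str) -> bool:
    return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))


def tunnel_monitor_ok(dest_ip: str, infra_subnet: str, proxy_ids: List[Tuple[str, str]]) -> bool:
    """A (local, remote) proxy ID must cover the whole infrastructure subnet and the monitor target."""
    infra = ipaddress.ip_network(infra_subnet)
    dest = ipaddress.ip_network(dest_ip + "/32")
    return any(infra.subnet_of(ipaddress.ip_network(loc)) and dest.subnet_of(ipaddress.ip_network(rem))
               for loc, rem in proxy_ids)


def check_remote_network(rn: RemoteNetwork, infra_subnet: str, mobile_user_pools: List[str],
                         others: List[RemoteNetwork], overlapped_subnets: bool = False) -> List[str]:
    """Problems to fix before committing; an empty list means the plan passes these checks."""
    problems: List[str] = []
    if rn.ecmp != "None":
        if rn.static_routes:
            problems.append("ECMP load balancing requires BGP; static routes are not supported")
        if rn.qos_enabled:
            problems.append("QoS is not supported with ECMP load balancing")
        if rn.bandwidth_mbps < MIN_ECMP_BANDWIDTH_MBPS:
            problems.append(f"ECMP needs at least {MIN_ECMP_BANDWIDTH_MBPS} Mbps")
        if not 1 <= len(rn.tunnels) <= MAX_ECMP_TUNNELS:
            problems.append(f"ECMP uses between 1 and {MAX_ECMP_TUNNELS} tunnels")
        if len({t.summarize_mobile_user_routes for t in rn.tunnels}) > 1:
            problems.append("route summarization must be enabled on all ECMP links or on none")
    elif len(rn.tunnels) > 1:
        problems.append("more than one tunnel requires ECMP load balancing")
    peers = [t.ike_peer for t in rn.tunnels]
    if len(peers) != len(set(peers)):
        problems.append("IKE Gateway peer addresses must be unique per tunnel")
    for t in rn.tunnels:  # a BGP Local IP must not collide with the infrastructure or branch subnets
        for s in [infra_subnet] + rn.static_routes:
            if t.local_ip and _overlaps(t.local_ip + "/32", s):
                problems.append(f"{t.name}: BGP Local IP {t.local_ip} overlaps {s}")
    for s in rn.static_routes:  # branch subnets must not overlap reserved pools or other sites
        for reserved in [infra_subnet] + mobile_user_pools:
            if _overlaps(s, reserved):
                problems.append(f"{s} overlaps reserved range {reserved}")
        for o in others:
            if not overlapped_subnets and any(_overlaps(s, r) for r in o.static_routes):
                problems.append(f"{s} overlaps a subnet of remote network {o.name}")
    for o in others:
        if rn.secondary_wan_tunnel and rn.secondary_wan_tunnel == o.secondary_wan_tunnel:
            problems.append(f"secondary WAN tunnel {rn.secondary_wan_tunnel} is already used by {o.name}")
    return problems


# Constructed sample inputs: an existing branch and a planned ECMP branch with several mistakes.
INFRA, MU_POOLS = "172.16.55.0/24", ["10.8.0.0/20"]
BRANCH_A = RemoteNetwork("branch-a", 100, "None", [BgpTunnel("a-t1", "198.51.100.10", 65010, "10.1.1.1")],
                         static_routes=["10.1.1.0/24"], secondary_wan_tunnel="a-t2")
BRANCH_B_BAD = RemoteNetwork("branch-b", 40, "Enabled with Symmetric Return",
                             [BgpTunnel("b-t1", "203.0.113.1", 65020, "10.2.1.1", "172.16.55.9", True),
                              BgpTunnel("b-t2", "203.0.113.1", 65020, "10.2.1.1")],
                             static_routes=["10.8.3.0/24"], qos_enabled=True, secondary_wan_tunnel="a-t2")
```

Calling check_remote_network(BRANCH_B_BAD, INFRA, MU_POOLS, [BRANCH_A]) returns eight findings for the planned branch, while the same call on BRANCH_A returns none.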

STEP 12 | If required, enable Quality of Service for the remote network connection and specify a QoS
profile or add a New QoS Profile.
You can create QoS profiles to shape QoS traffic for remote network and service connections and apply
those profiles to traffic that you marked with PAN-OS security policies, traffic that you marked with an
on-premise device, or both PAN-OS-marked and on-premise-marked traffic. See Configure Quality of
Service in Prisma Access for details.

STEP 13 | Commit the configuration changes to Panorama and push the configuration out to Prisma
Access for networks.
1. Click Commit > Commit to Panorama.
2. Click Commit > Commit and Push. Click Edit Selections > Prisma Access, and select both Prisma
Access for networks and Prisma Access for service setup to push the configuration out to the service.

3. Click OK and Push.

STEP 14 | Configure the IPSec-capable device at the remote network location to set up an IPSec
connection with Prisma Access for networks.
1. Find the Service IP Address for this remote network connection by selecting Panorama > Cloud
Services > Status > Network Details, clicking the Remote Networks radio button, and viewing the
Service IP Address field. Prisma Access for networks infrastructure has assigned this IP address for
the Prisma Access remote network connection, and you must configure this as the peer IP address to
set up the IPSec tunnel between the remote network location and Prisma Access for networks.

2. Check the Local IP address for the device at the remote network location on the Panorama > Cloud
Services > Status > Network Details > Remote Networks page. If you are performing NAT at the
remote network location, the Local IP address displays the IP address of the device after NAT.

STEP 15 | To secure traffic at the remote network location you must create security policy rules.
1. Select Policies.
2. Select the Device Group in which to add policy rules. You can select the
Remote_Network_Device_Group or the parent device group that you selected for defining policies to
secure the remote network location.
3. Create security policy rules. Make sure that you do not define security policy rules to allow traffic
from any zone to any zone. In the security policy rules, use the zones that you defined in your
template.
If a user on your network is denied access to a website, report website access issues before you open
a ticket with Palo Alto Networks.

STEP 16 | Enable logging to Cortex Data Lake. You must create and attach a log forwarding profile to
each policy rule for which you want to forward logs.
1. Select Objects > Log Forwarding.
2. Select the Device Group in which you added the policy rules, for example,
Remote_Network_Device_Group.
3. Add a Log Forwarding profile. In the log forwarding profile match list, Add each Log Type that you
want to forward.
4. Select Panorama/Logging Service as the Forward Method to enable Prisma Access to forward the
logs to Cortex Data Lake. You will be able to monitor the logs and generate reports from Panorama.
Cortex Data Lake provides a seamless integration to store logs without backhauling them to your
Panorama at the corporate headquarters, and Panorama can query Cortex Data Lake as needed.
The following example enables forwarding of Traffic, Threat Prevention, WildFire Submission, URL
Filtering, Data Filtering, and Authentication logs to Cortex Data Lake.

5. Select Policies > Security and edit the policy rule. In Actions, select the Log Forwarding profile you
created.

STEP 17 | Commit all your changes to Panorama and push the configuration changes to Prisma Access.

1. Click Commit > Commit to Panorama.
2. Click Commit > Push to Devices and click Edit Selections.
3. On the Prisma Access tab, make sure Prisma Access for networks is selected and then click OK.
4. Click Push.

Verify Remote Network Connection Status


Select Panorama > Cloud Services > Status > Status to verify that the remote network connections have
been successfully deployed.
The Deployment Status area allows you to view the progress of onboarding and deployment jobs before
they complete, as well as see more information about the status of completed jobs. See Deployment
Progress and Status for details.

To display a map that shows the locations of the remote networks in the regions you have selected, select
Panorama > Cloud Services > Status > Monitor and click the Remote Networks tab.

Select a region to get more detail about that region.

Click the tabs below the map to see additional remote network statistics.
Status tab:
• Location—The location where your remote network is deployed.
• Remote Peer—The peer to which the remote network has an IPSec tunnel connection.
• Allocated Bandwidth (Mbps)—The amount of bandwidth you allocated for the remote network location.

To accommodate traffic peaks, the service allows you to go 10% over the allocated bandwidth for
each site; traffic overages above this peak limit are dropped.
• ECMP—Whether you have enabled ECMP Load Balancing on this remote network connection.
• Config Status—The status of your last configuration push to the service. If you have made a change
locally, and not yet pushed the configuration to the cloud, the status shows Out of sync. Hover over the
status indicator for more detailed information. After committing and pushing the configuration to Prisma
Access, the Config Status changes to In sync.
• BGP Status—Displays information about the BGP state between the firewall or router at the remote
network location and Prisma Access. Although you might temporarily see the status pass through the
various BGP states (idle, active, open send, open pend, open confirm), the BGP status most commonly
shows:
• Connect—The router at the remote network location is trying to establish the BGP peer relationship
with Prisma Access.
• Established—The BGP peer relationship has been established.
This field will also show if the BGP connection is in an error state:
• Warning—There has not been a BGP status update in more than eight minutes. This may indicate an
outage on the firewall.
• Error—The BGP status is unknown.
• Tunnel Status—The operational status of the connection between Prisma Access and the remote
network.
• Inbound Access—Whether you have configured this remote network to provide secure inbound access
for internet-connected users.

Statistics tab:
• Location—The location where your remote network is deployed.
• Remote Peer—The corporate location to which this remote network is setting up an IPSec tunnel.
• Allocated Bandwidth (Mbps)—The amount of bandwidth you allocated for the remote network location.
• Ingress Bandwidth (Mbps)—The bandwidth from the remote network location to Prisma Access.

For the Ingress Bandwidth, Ingress Peak Bandwidth, Egress Bandwidth, and Egress
Peak Bandwidth fields, when the bandwidth consumption on a remote network goes
beyond 80% of the allocated bandwidth, the numbers display in a red color.
• Ingress Peak Bandwidth (Mbps)—The peak load from the remote network location into the cloud
service.
• Egress Bandwidth (Mbps)—The bandwidth from Prisma Access into the remote network location.
• Egress Peak Bandwidth (Mbps)—The peak load from Prisma Access into the remote network location.
• QoS—Select this button to display a chart that shows real-time and historical QoS statistics,
including the number of dropped packets per class. This chart displays only for service connections or
remote network connections that have QoS enabled.
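The thresholds that the Status and Statistics tabs apply (the 10% peak allowance, the red indicator beyond 80% of the allocation, the eight-minute BGP staleness warning, and the Out of sync, tunnel and BGP states) can be turned into a routine health check. The following Python script is an added example and is not part of this guide or a Palo Alto Networks tool; the site records, bandwidth figures and timestamps are constructed, and the record field names and finding texts are this example's own choices rather than anything Panorama exports.

```python
from datetime import datetime, timedelta, timezone

# Thresholds taken from the Status and Statistics tab descriptions above.
PEAK_ALLOWANCE = 1.10        # up to 10% over the allocated bandwidth is accepted; more is dropped
RED_UTILIZATION = 0.80       # bandwidth fields turn red beyond 80% of the allocation
BGP_STALE_AFTER = timedelta(minutes=8)  # no BGP status update for more than 8 minutes -> Warning

# Constructed "current time" and status snapshot for three sites (made-up values,
# shaped like the fields the Status and Statistics tabs display).
NOW = datetime(2020, 11, 18, 12, 0, tzinfo=timezone.utc)
SITES = [
    {"location": "US West", "allocated_mbps": 50, "ingress_mbps": 12.0, "egress_mbps": 30.5,
     "config_status": "In sync", "tunnel_status": "up", "bgp_state": "Established",
     "bgp_last_update": NOW - timedelta(minutes=1)},
    {"location": "Japan South", "allocated_mbps": 20, "ingress_mbps": 17.0, "egress_mbps": 23.0,
     "config_status": "Out of sync", "tunnel_status": "up", "bgp_state": "Established",
     "bgp_last_update": NOW - timedelta(minutes=12)},
    {"location": "Branch-3 (constructed)", "allocated_mbps": 100, "ingress_mbps": 0.0,
     "egress_mbps": 0.0, "config_status": "In sync", "tunnel_status": "down",
     "bgp_state": "Connect", "bgp_last_update": NOW - timedelta(minutes=3)},
]


def utilization(site):
    """Highest of ingress/egress load as a fraction of the allocated bandwidth."""
    return max(site["ingress_mbps"], site["egress_mbps"]) / site["allocated_mbps"]


def bgp_status(site, now=NOW):
    """Derive the BGP Status value as the Status tab describes it: Error when the
    state is unknown, Warning when no update arrived for more than eight minutes,
    otherwise the reported state (Connect, Established, ...)."""
    if not site.get("bgp_state"):
        return "Error"
    if now - site["bgp_last_update"] > BGP_STALE_AFTER:
        return "Warning"
    return site["bgp_state"]


def evaluate(site, now=NOW):
    """Return a list of findings for one site; an empty list means healthy."""
    findings = []
    if site["config_status"] != "In sync":
        findings.append("config out of sync: commit and push the configuration to Prisma Access")
    if site["tunnel_status"] != "up":
        findings.append("tunnel down")
    state = bgp_status(site, now)
    if state == "Warning":
        findings.append("bgp stale: no status update for more than 8 minutes (possible firewall outage)")
    elif state == "Error":
        findings.append("bgp state unknown")
    elif state != "Established":
        findings.append(f"bgp not established (state: {state})")
    load = utilization(site)
    if load > PEAK_ALLOWANCE:
        findings.append(f"traffic at {load:.0%} of allocation exceeds the 10% peak allowance; excess is dropped")
    elif load > RED_UTILIZATION:
        findings.append(f"traffic at {load:.0%} of allocation (shown in red above 80%)")
    return findings


def report(sites=SITES, now=NOW):
    """Map each location to its findings, for a quick daily check."""
    return {s["location"]: evaluate(s, now) for s in sites}


if __name__ == "__main__":
    for location, findings in report().items():
        print(location, "OK" if not findings else "; ".join(findings))
```

In the constructed snapshot, Japan South trips three findings at once (configuration not pushed, a BGP session that stopped reporting, and egress traffic at 115% of its allocation), which is exactly the combination worth catching before users at that site report slowness.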

Verify Remote Connection BGP Status


If you configured BGP, you can check its status by selecting Panorama > Cloud Services > Status >
Network Details > Remote Networks > Show BGP Status.

The BGP Status dialog displays. This table provides you with the following information:
• Peer—Routing information for the BGP peer, including status, total number of routes, configuration, and
runtime statistics and counters. The total number of routes displays in the bgpAfiIpv4-unicast Counters
area, in the Incoming Total and Outgoing Total fields.

• RIB In—Routing information that has been received from different peers and is stored in the Routing
Information Base (RIB).

• RIB Out—Routing information that Prisma Access advertises to its peers through BGP update messages.
See How BGP Advertises Mobile User IP Address Pools for Service Connections and Remote Network
Connections for an example of this table and for information about how BGP utilizes the IP address pool
you create for mobile users.

Quick Configs for Remote Network Deployments
The following topics show some common Prisma Access deployment scenarios for remote network
deployments and provide instructions for how to configure them:
• Remote Network Locations with Overlapping Subnets
• Remote Network Locations with WAN Link
• Use Predefined IPSec Templates to Onboard Service and Remote Network Connections
• Onboard Remote Networks with Configuration Import
• Configure Quality of Service in Prisma Access
• Create a High-Bandwidth Network for a Remote Site
• Provide Secure Inbound Access to Remote Network Locations
• Configure User-ID and User-Based Policies with Prisma Access
• DNS Resolution for Mobile Users and Remote Networks
• Collect User and Group Information Using the Directory Sync Service

Remote Network Locations with Overlapping Subnets


As a general rule, you cannot have any overlapping subnets within a Prisma Access deployment. That is,
the subnets for all remote network locations, your service connections, and your Prisma Access for mobile
users IP address pool cannot overlap. However, in some circumstances you cannot avoid having overlapping
subnets; for example:
• Your organization has two WAN links that you want to combine for a higher bandwidth throughput in a
single remote network location (an active/active WAN deployment).
• You want to configure an overlapping subnet deployment by design (for example, your organization uses
the same network topology and IP assignments across multiple retail locations).
• Your organization has one fast WAN link and a slower WAN link, and you want to add both of them to a
remote network and designate the WAN link for traffic based on the subnet or application. For example,
you might want to route all guest Wi-Fi traffic over one WAN and all other traffic over the other WAN,
or you might want to send all web traffic over one WAN and all other traffic over the other WAN.
• You acquired a company that uses subnets that overlap with subnets you already have in use.
Prisma Access allows you to onboard remote network locations with overlapping subnets, as long as you
select the Overlapped Subnets check box in the remote network settings when you Configure Prisma Access
for Networks.

Remote network connections with overlapped subnets support outbound internet only. Refer
to the table in the following figure for more details. You can bypass these limitations by
configuring source NAT on the on-premise Palo Alto Networks next-generation firewall (if
present) or networking device (router, switch, or SD-WAN device) that connects to the IPSec
tunnel used for the remote network connection with overlapped subnets.

If you add a location with overlapping subnets, it has no effect on locations that don’t use overlapping
subnets; those sites retain their existing functionality.
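Because the no-overlap rule spans every remote network, every service connection and the mobile user IP address pool, it is easiest to check before onboarding rather than after a failed push. The following Python script is an added example, not part of this guide: it walks a constructed planning inventory with the ipaddress module, lists every pair of overlapping subnets, and separates the overlaps that the Overlapped Subnets setting tolerates from those that block deployment. The element names, kinds and address ranges are made up, and the acceptance rule (every remote network in an overlapping pair must have Overlapped Subnets selected; service connections and the mobile user pool carry no such setting) is this example's reading of the rule above.

```python
import ipaddress
from itertools import combinations

# Constructed planning inventory (not from this guide): every element whose
# address space Prisma Access must keep distinct, with its kind and, for remote
# networks, whether the Overlapped Subnets check box is selected.
DEPLOYMENT = {
    "service-connection-hq": {"kind": "service_connection", "subnets": ["10.0.0.0/16"]},
    "mobile-user-ip-pool":   {"kind": "mobile_user_pool", "subnets": ["172.16.0.0/16"]},
    "rn-seattle":            {"kind": "remote_network", "subnets": ["10.1.0.0/24", "10.2.0.0/24"],
                              "overlapped_subnets": False},
    "rn-retail-store-1":     {"kind": "remote_network", "subnets": ["192.168.10.0/24"],
                              "overlapped_subnets": True},
    "rn-retail-store-2":     {"kind": "remote_network", "subnets": ["192.168.10.0/24"],
                              "overlapped_subnets": True},
    "rn-acquired-co":        {"kind": "remote_network", "subnets": ["10.0.5.0/24"],
                              "overlapped_subnets": False},
}


def find_overlaps(deployment):
    """Return (element_a, subnet_a, element_b, subnet_b) for every pair of
    subnets on different elements whose address ranges intersect."""
    flat = [(name, ipaddress.ip_network(s, strict=False))
            for name, cfg in deployment.items() for s in cfg["subnets"]]
    return [(na, str(sa), nb, str(sb))
            for (na, sa), (nb, sb) in combinations(flat, 2)
            if na != nb and sa.overlaps(sb)]


def overlap_accepted(deployment, a, b):
    """This example's reading of the rule above: an overlap is tolerable only when
    every remote network in the pair has Overlapped Subnets selected. Service
    connections and the mobile user pool have no such setting, so two of those
    overlapping each other can never be accepted."""
    rns = [n for n in (a, b) if deployment[n]["kind"] == "remote_network"]
    return bool(rns) and all(deployment[n].get("overlapped_subnets") for n in rns)


def check_deployment(deployment):
    """Split overlaps into blocking ones (renumber, or select Overlapped Subnets on
    the remote network) and accepted ones (that remote network is then limited to
    outbound internet access unless you add source NAT on premises)."""
    result = {"blocking": [], "accepted": []}
    for na, sa, nb, sb in find_overlaps(deployment):
        bucket = "accepted" if overlap_accepted(deployment, na, nb) else "blocking"
        result[bucket].append((na, sa, nb, sb))
    return result


if __name__ == "__main__":
    for bucket, hits in check_deployment(DEPLOYMENT).items():
        for na, sa, nb, sb in hits:
            print(f"{bucket}: {na} {sa} overlaps {nb} {sb}")
```

In the constructed inventory the two retail stores reuse one subnet by design and both have Overlapped Subnets selected, so that pair is accepted; the acquired company's 10.0.5.0/24 collides with the HQ service connection's 10.0.0.0/16 and blocks the deployment until it is either renumbered or onboarded with Overlapped Subnets selected.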

Remote Network Locations with WAN Link


If you have a deployment where the HQ and remote network location(s) are directly connected over a WAN
link and each of these locations is secured by Prisma Access, to ensure optimal routing (with eBGP) you
must:
• Add a static route to the eBGP router address. In addition to the default route that sends all traffic to
Prisma Access, you must add a static route locally on the IPSec-capable device or router at the remote
network(s).
• Filter the routes that are advertised from the IPSec-capable device or router at HQ to the eBGP peers at
other directly connected locations. As a best practice, configure the BGP router at HQ to advertise only
the routes that you want to allow across the WAN link; this ensures that the eBGP router at HQ does not
advertise the routes it learns from Prisma Access to other remote network location(s) secured by Prisma
Access. In this example, the eBGP router at HQ only advertises the routes that employees at the branch
office need to reach the servers (subnets) at HQ.
The following illustration shows a retail business with two paths to the servers at the HQ location. One
path is a WAN link that provides direct connectivity for employees accessing servers at HQ, and the other
path secures traffic generated by other users at this location, for example, customers accessing the
retailer’s website over Wi-Fi or using the kiosk at the branch office to check inventory. This traffic is
sent through the tunnel to the remote network and on to HQ.

To set up this configuration, create a remote network connection and create a service connection
to onboard the remote network and HQ locations. The details below show how to set up the router
configuration at each location to ensure optimal routing:

STEP 1 | Add the static routes on your router or on-premises IPSec capable device at the remote
network location.
If you have a Palo Alto Networks firewall at the edge of the WAN link, on Network > Virtual Routers >
Static Routes, Add the static routes:

STEP 2 | Configure the routes that you want to advertise to another directly connected location over
the WAN link.
In this example, you need to configure this on the router at the HQ location. If you have an on-premises
Palo Alto Networks firewall at the edge of the WAN link, you can set up route redistribution and configure
which BGP routes to export on Network > Virtual Routers > BGP.

Use Predefined IPSec Templates to Onboard Service and Remote Network Connections

Prisma Access includes predefined IPSec templates for common third-party IPSec and SD-WAN devices.
These profiles expedite and simplify the onboarding of service connections and remote network
connections that use one of these devices to terminate the connection.
Sharing a common template also allows you to Onboard Multiple Remote Network Connections of the
Same Type with commonly-shared cryptos, pre-shared keys, and Peer identifiers.
• Template Names and Types
• Onboard a Service Connection or Remote Network Connection Using Predefined Templates
• Onboard Multiple Remote Network Connections of the Same Type
• Supported IKE and IPSec Cryptographic Profiles for Common SD-WAN Devices

Template Names and Types


Prisma Access provides you with the following predefined templates that you can use to set up IPSec
tunnels between your on-premise device and Prisma Access:
• IPSec Tunnels (Network > IPSec Tunnels) under Remote_Network_Template and
Service_Conn_Template.
• IKE Gateways (Network > Network Profiles > IKE Gateways) under Remote_Network_Template and
Service_Conn_Template.
• IPSec Crypto Profiles (Network > Network Profiles > IPSec Crypto) under Remote_Network_Template
and Service_Conn_Template.
• IKE Crypto Profiles (Network > Network Profiles > IKE Crypto) under Remote_Network_Template and
Service_Conn_Template.
Currently, templates for the following vendors are available:

In addition to the following templates, we provide a Generic template that you can use with
any on-premise device that is not listed here.

• Cisco appliances:
• Cisco Integrated Services Routers (ISRs)
• Cisco Adaptive Security Appliances (ASAs)

• Citrix
• CloudGenix
• Riverbed
• Silver Peak
Use the following workflows to onboard service connections or remote network connections using the
predefined IPSec templates.

Onboard a Service Connection or Remote Network Connection Using Predefined Templates

To onboard a service connection or remote network connection using the templates provided by Prisma
Access, complete the following task.

STEP 1 | In Panorama, perform configuration so that the templates display in Panorama.


When you upgrade the Cloud Services plugin, the new templates do not automatically display. Complete
this step once after upgrading to have the templates permanently display. New installations perform this
initial configuration as part of their first-time setup and this extra step is not required.

You can also complete this step if you delete these templates and need to retrieve them.

• For service connections, select Panorama > Cloud Services > Configuration > Service Setup, click the
gear icon in the Settings area to open the Settings, then click OK.
• For remote network connections, select Panorama > Cloud Services > Configuration > Remote
Networks, click the gear icon in the Settings area to open the Settings, then click OK.

STEP 2 | Select Network, then select the correct Template (either Remote_Network_Template if you
are creating a remote network connection or Service_Conn_Template if you are creating a
service connection).

STEP 3 | Determine the type of device that is used to terminate the service connection or remote
network connection, and find a template to use with that device.

If your SD-WAN or IPSec device is not on the list, use the generic profiles.

STEP 4 | Select Network > Network Profiles > IKE Gateways and make the following changes to the
IKE gateway profile for your device:
You can use the IPSec crypto and IKE crypto profiles with no changes; however, you must make specific
changes to the IKE gateway profile to match the network settings.
• (Optional) If you know the public IP address of the on-premise device that will be used to set up the
IPSec tunnel with Prisma Access, set a static IP address by specifying a Peer IP Address Type of IP
and enter the Peer Address for the IPSec tunnel.
• If using a pre-shared key for the IPSec tunnel, specify a Pre-shared Key.
• Specify a Peer Identification of either IP Address or User FQDN.
Be sure that you match the settings you specify here when you configure the device used to
terminate the other side of the IPSec tunnel.

STEP 5 | Onboard the service connection or remote network connection, specifying the IPSec tunnel
configuration that matches the device on the other side of the IPSec tunnel.

STEP 6 | (Optional) If you need to add a backup tunnel (Secondary WAN) for a service connection or
remote connection, perform the following additional configuration steps.
1. Create a new IKE Gateway for the backup tunnel, copying the settings from the predefined template
you want to duplicate.
The following example creates a backup tunnel configuration for generic networking devices.

2. Under Advanced Options, specify the IKE Crypto Profile for the predefined template you want to
use.

Palo Alto Networks recommends that you use GCM ciphers instead of CBC ciphers for
IPSec tunnels.

3. Create a new IPSec Tunnel, specifying the new IKE gateway you created, but copying all the other
settings from the default template.

4. When you onboard the service connection or remote network connection, Enable Secondary WAN
and specify the tunnel you created for the backup WAN.

STEP 7 | Complete the configuration of the service connection or remote network connection by
matching the cryptos, pre-shared key, and Peer identifiers on the device that is used to
terminate the other side of the IPSec tunnel.

STEP 8 | (Optional) If you need to onboard multiple remote network connections that use the same types
of networking devices, Export the configuration of the remote network, edit the settings, then
Import that configuration.
See Onboard Multiple Remote Network Connections of the Same Type for details.

Onboard Multiple Remote Network Connections of the Same Type


To streamline the process to Configure Prisma Access for Networks, you can onboard a single remote
network connection that uses a networking device that is common to your network deployment, then
Export those settings to a Comma Separated Value (CSV) text file. The CSV file includes the values of IPSec
tunnel and IKE gateway settings for the network you selected for export. After you export the common
configuration settings, you can edit these settings and make them unique for each new remote network you
want to onboard, retain the settings that are common to each device, then Import that configuration.

For more information, including a description of all editable fields in the CSV table, see Onboard Remote
Networks with Configuration Import.

Supported IKE and IPSec Cryptographic Profiles for Common SD-WAN Devices

This section provides you with the supported cryptographic profiles for many common SD-WAN devices. If
you are configuring an SD-WAN device, use these profiles as a guideline as to what you can configure for
the remote network in Prisma Access.
• Aruba SD-WAN supported IKE and IPSec crypto profiles
• Aryaka SD-WAN supported IKE and IPSec crypto profiles
• Citrix SD-WAN supported IKE and IPSec crypto profiles
• CloudGenix SD-WAN device supported IKE and IPSec crypto profiles
• Nuage Networks SD-WAN supported IKE and IPSec crypto profiles
• Riverbed SteelConnect SD-WAN supported IKE and IPSec crypto profiles
• Silver Peak SD-WAN supported IKE and IPSec crypto profiles
• Viptela SD-WAN supported IKE and IPSec crypto profiles

Onboard Remote Networks with Configuration Import


To streamline the process to Configure Prisma Access for Networks, you have the option to onboard at
least one remote network and then export those settings to a Comma Separated Value (CSV) text file. The
CSV file includes the values of IPSec tunnel and IKE gateway settings for the network you selected for
export, and you can then edit these settings and make them unique for each new network you may want to
onboard. You can modify the CSV file to include 1000 new remote networks and then import the CSV file
back to speed up the process of onboarding new remote network locations.
The CSV file does not include keys or passwords (such as the BGP shared secret and the IKE pre-shared
key) or the Proxy ID, IKE crypto profile, and IPSec crypto profile settings. Therefore, any keys and
passwords required for the IPSec tunnel and IKE gateway settings are inherited from the network you
select when you initiate the CSV file import.
When using this bulk import process, you must wait for Prisma Access to deploy the infrastructure for
securing these locations.

STEP 1 | Select Panorama > Cloud Services > Configuration > Remote Networks (in the Onboarding
section).

STEP 2 | Select a region, then Export the configuration of a remote network that you have previously
onboarded.
You must select a remote network and click Export. A CSV file that includes the settings is downloaded
to your computer.

STEP 3 | Modify the CSV file to add configuration for remote networks.
See Fields in the Remote Networks Table for a description of the fields and the possible values in this
file.
You must rename the network(s) listed in the exported file. If the file has duplicate names, the import
will fail.

STEP 4 | Import the CSV file.

The configuration from the file is displayed on screen. The remote network you selected when you imported
the file serves as a model configuration, and the remote networks listed in the file inherit the keys
and any missing values that do not have to be unique from it.

STEP 5 | Commit your changes.


1. Commit > Commit and Push your changes.
2. Click OK and Push.

Fields in the Remote Networks Table


The following table provides a description of the fields in the remote networks table. Fields marked Y
are required and fields marked N are optional.

Field (Required? Y/N): Description

name (Y): The name of the remote network.

bandwidth (Y): The allocated bandwidth of the remote network. Acceptable values are:
• 2 Mbps
• 5 Mbps
• 10 Mbps
• 20 Mbps
• 25 Mbps
• 50 Mbps
• 100 Mbps
• 150 Mbps
• 300 Mbps
• 500 Mbps
• 1000 Mbps
    The 1000 Mbps bandwidth option is in preview mode. The throughput during preview is delivered on a
    best-effort basis and the actual performance will vary depending upon the traffic mix. The 500 Mbps
    option supports SSL decryption, but Palo Alto Networks does not guarantee 500 Mbps of throughput if
    it is enabled.

region (Y): The remote network’s region. See the list of Prisma Access locations for the values to
enter. Enter the locations exactly as they are in this document (for example, US West, or Japan South).

subnets (N): Statically routed subnets on the LAN side of the remote network. Separate multiple subnets
with commas.

bgp_peer_as (N): The BGP Autonomous System Number (ASN) of the remote network peer device.

bgp_peer_address (N): The BGP peer address of the remote network peer device.

tunnel_name (Y): The name of the IPSec tunnel configuration. A unique value is required.

gateway_name (Y): The name of the IKE Gateway configuration. A unique value is required.

peer_ip_address (N): The IP address of the Prisma Access peer device.

local_id_type (N): The type of IKE ID that Prisma Access presents to the peer device. If you use
certificates in the remote network to which you import this file, all imported types specified will refer
to the Configured Certificate values.

local_id_value (N): The value of the IKE ID that Prisma Access presents to the peer device. If you use
certificates in the remote network to which you import this file, all imported types specified will refer
to the Configured Certificate values.

peer_id_type (N): The value of the IKE ID that the peer presents to Prisma Access. If you use
certificates in the remote network to which you import this file, all imported types specified will refer
to the Peer Certificate values.

peer_id_value (N): The value of the IKE ID that Prisma Access presents to the peer device. If you use
certificates in the remote network to which you import this file, all imported types specified will refer
to the Peer Certificate values.

monitor_ip (N): The tunnel monitoring IP address the cloud will use to determine that the IPSec tunnel
is up and the peer network is reachable.
    You cannot export a proxy-ID value for the tunnel monitor.

proxy_ids (N): The proxy IDs that are configured for the peer. For route-based VPNs, leave this field
blank. Specify the Proxy ID in the following CSV configuration format:
[{"name":"proxyidname", "local":"1.2.3.4/32", "remote":"4.3.2.1/32", "protocol":{"udp":
{"local-port":123, "remote-port":234}}}, {"name":"proxyidname2", "local":"2.3.4.5/32",
"remote":"3.4.5.6/32", "protocol":{"tcp": {"local-port":234,"remote-port":345}}}]

sec_wan_enabled (N): Specifies whether or not you enable a secondary IPSec tunnel. Acceptable values are
yes and no.

sec_tunnel_name (N): The name of the secondary IPSec tunnel configuration. A unique value is required
if you specify a secondary tunnel.

sec_gateway_name (N): The name of the secondary IKE Gateway configuration. A unique value is required
if you specify a secondary tunnel.

sec_peer_ip_address (N): The IP address of the Prisma Access peer device for the secondary IPSec tunnel.

sec_local_id_type (N): The type of IKE ID that Prisma Access presents to the peer device for the
secondary IPSec tunnel. If you use certificates in the remote network to which you import this file, all
imported types specified will refer to the Configured Certificate values.

sec_local_id_value (N): The value of the IKE ID that Prisma Access presents to the peer device for the
secondary IPSec tunnel. If you use certificates in the remote network to which you import this file, all
imported types specified will refer to the Configured Certificate values.

sec_peer_id_type (N): The value of the IKE ID that the peer presents to Prisma Access for the secondary
IPSec tunnel. If you use certificates in the remote network to which you import this file, all imported
types specified will refer to the Peer Certificate values.

sec_peer_id_value (N): The value of the IKE ID that Prisma Access presents to the peer device for the
secondary IPSec tunnel. If you use certificates in the remote network to which you import this file, all
imported types specified will refer to the Peer Certificate values.

sec_monitor_ip (N): The tunnel monitoring IP address the cloud will use for the secondary IPSec tunnel to
determine that the IPSec tunnel is up and the peer network is reachable.
    You cannot export a proxy-ID value for the tunnel monitor.

sec_proxy_ids (N): The proxy IDs that are configured for the peer for the secondary IPSec tunnel. For
route-based VPNs, leave this field blank. Specify the Proxy ID in the following CSV configuration format:
[{"name":"proxyidname", "local":"1.2.3.4/32", "remote":"4.3.2.1/32", "protocol":{"udp":
{"local-port":123, "remote-port":234}}}, {"name":"proxyidname2", "local":"2.3.4.5/32",
"remote":"3.4.5.6/32", "protocol":{"tcp": {"local-port":234,"remote-port":345}}}]
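The bulk import procedure above (export one model network, rename and edit the rows, import) and the field table it relies on lend themselves to a small generator that clones the model row for each new site and checks the file before you upload it, since a duplicate name or an unsupported bandwidth value only shows up as a failed import. The following Python script is an added example and is not part of this guide or of the Panorama export: the model row and the new sites are constructed, the column order is this example's own (a real export may order the columns differently), and the proxy_ids cell is written in the JSON list format shown in the table.

```python
import csv
import io
import json

# Column names from the Fields in the Remote Networks Table, in the order this
# example writes them (assumption: a real export may use a different order).
COLUMNS = [
    "name", "bandwidth", "region", "subnets", "bgp_peer_as", "bgp_peer_address",
    "tunnel_name", "gateway_name", "peer_ip_address", "local_id_type", "local_id_value",
    "peer_id_type", "peer_id_value", "monitor_ip", "proxy_ids", "sec_wan_enabled",
    "sec_tunnel_name", "sec_gateway_name", "sec_peer_ip_address", "sec_local_id_type",
    "sec_local_id_value", "sec_peer_id_type", "sec_peer_id_value", "sec_monitor_ip",
    "sec_proxy_ids",
]
REQUIRED = {"name", "bandwidth", "region", "tunnel_name", "gateway_name"}
ALLOWED_BANDWIDTH = {"2", "5", "10", "20", "25", "50", "100", "150", "300", "500", "1000"}

# Constructed stand-in for the row Panorama exports for the model network
# (made-up values; a real one comes from Export in the Remote Networks table).
MODEL_ROW = {c: "" for c in COLUMNS}
MODEL_ROW.update({"name": "store-0001", "bandwidth": "10", "region": "US West",
                  "subnets": "192.168.1.0/24", "tunnel_name": "store-0001-tunnel",
                  "gateway_name": "store-0001-gw", "monitor_ip": "192.168.1.1",
                  "sec_wan_enabled": "no"})

# Constructed new sites to onboard from the model.
NEW_SITES = [
    {"name": "store-0002", "subnets": ["192.168.2.0/24"], "bandwidth": 20, "monitor_ip": "192.168.2.1"},
    {"name": "store-0003", "subnets": ["192.168.3.0/24", "192.168.4.0/24"], "region": "Japan South",
     "monitor_ip": "192.168.3.1", "secondary_wan": True,
     "proxy_ids": [{"name": "voice", "local": "192.168.3.0/24", "remote": "10.0.0.0/8",
                    "protocol": {"udp": {"local-port": 5060, "remote-port": 5060}}}]},
]


def make_rows(model, sites):
    """Clone the model row once per site, overriding only the values that must be
    unique or site-specific; everything else is inherited from the model network."""
    rows = []
    for site in sites:
        row = dict(model)
        row["name"] = site["name"]
        row["tunnel_name"] = f"{site['name']}-tunnel"
        row["gateway_name"] = f"{site['name']}-gw"
        row["region"] = site.get("region", model["region"])
        row["bandwidth"] = str(site.get("bandwidth", model["bandwidth"]))
        row["subnets"] = ",".join(site.get("subnets", []))  # comma-separated per the table
        row["monitor_ip"] = site.get("monitor_ip", "")
        row["proxy_ids"] = json.dumps(site["proxy_ids"]) if site.get("proxy_ids") else ""
        if site.get("secondary_wan"):
            row["sec_wan_enabled"] = "yes"
            row["sec_tunnel_name"] = f"{site['name']}-tunnel-2"
            row["sec_gateway_name"] = f"{site['name']}-gw-2"
        rows.append(row)
    return rows


def validate(rows, model_name):
    """Catch what the import rejects: duplicate names (including reuse of the model
    network's name), unsupported bandwidth, missing required fields, a bad
    sec_wan_enabled value, a secondary tunnel without names, malformed proxy_ids."""
    errors = []
    for col in ("name", "tunnel_name", "gateway_name", "sec_tunnel_name", "sec_gateway_name"):
        seen = {model_name} if col == "name" else set()
        for r in rows:
            if r[col] and r[col] in seen:
                errors.append(f"duplicate {col}: {r[col]}")
            seen.add(r[col])
    for r in rows:
        label = r["name"] or "<unnamed>"
        missing = sorted(c for c in REQUIRED if not r[c])
        if missing:
            errors.append(f"{label}: missing required {missing}")
        if r["bandwidth"] not in ALLOWED_BANDWIDTH:
            errors.append(f"{label}: unsupported bandwidth {r['bandwidth']} Mbps")
        if r["sec_wan_enabled"] not in ("yes", "no"):
            errors.append(f"{label}: sec_wan_enabled must be yes or no")
        if r["sec_wan_enabled"] == "yes" and not (r["sec_tunnel_name"] and r["sec_gateway_name"]):
            errors.append(f"{label}: secondary tunnel needs sec_tunnel_name and sec_gateway_name")
        for col in ("proxy_ids", "sec_proxy_ids"):
            if r[col] and not isinstance(parse_proxy_ids(r[col]), list):
                errors.append(f"{label}: {col} is not a JSON list")
    return errors


def parse_proxy_ids(cell):
    """Decode a proxy_ids cell; returns None when it is not valid JSON."""
    try:
        return json.loads(cell)
    except ValueError:
        return None


def to_csv(rows):
    """Serialize for Import; the csv module quotes cells that contain commas or quotes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


def from_csv(text):
    """Read a file back as a list of row dicts (what Panorama will parse on Import)."""
    return list(csv.DictReader(io.StringIO(text)))


if __name__ == "__main__":
    rows = make_rows(MODEL_ROW, NEW_SITES)
    problems = validate(rows, MODEL_ROW["name"])
    print("\n".join(problems) if problems else to_csv(rows))
```

The validator seeds the name check with the model network's own name on purpose: the exported row still carries it, and leaving it in the file is the duplicate-name failure the procedure warns about.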

Configure Quality of Service in Prisma Access
Quality of Service (QoS) is a set of technologies that work on a network to guarantee its ability to
dependably run high-priority applications and traffic under limited network capacity. You can configure QoS
in Prisma Access to prioritize business-critical traffic or traffic that requires low latency, such as VoIP or
videoconferencing. You can also reserve a minimum amount of bandwidth for business-critical applications.
Prisma Access uses the same QoS profiles and supports the same Differentiated Services Code Point
(DSCP) markings as Palo Alto Networks next-generation firewalls. However, the configuration process is
different from configuring QoS on next-generation firewalls.
Prisma Access can either mark ingress traffic using a security policy or it can honor DSCP markings set by
your organization's on-premise device.

QoS Configuration Overview


Use the following workflow to configure QoS in Prisma Access. See Configure QoS in Prisma Access for the
detailed steps.
1. Mark the ingress traffic using a security policy or using marking from an on-premise device.
You can create PAN-OS security policies to mark traffic destined to Prisma Access for mobile users and
for remote network connections. For service connections, Prisma Access will honor traffic marking from
your organization’s on-premise devices. Optionally, you can also use on-premise devices to mark traffic
for remote networks.

To ensure predictable results, we recommend marking traffic using either security
policies in Prisma Access or your on-premise device, but not both. If there are differences
between the security policies in Prisma Access and the on-premise device, the security
policy in Prisma Access overrides the policy in the on-premise device.
2. Map the traffic to classes using a QoS policy rule.
3. Shape the traffic using a QoS profile.
You can create QoS profiles to shape QoS traffic for service connections and for remote network
connections and apply those profiles to traffic that you marked with PAN-OS security policies, traffic
that you marked with an on-premise device, or both PAN-OS-marked and on-premise-marked traffic.
4. Enable QoS on the service connection or remote network connection and bind the QoS profile to the
connection.
The following figure shows the available QoS deployments in Prisma Access.

QoS Examples
The following examples show how Prisma Access marks and shapes traffic.
In the following example, the administrator created a security policy on the Mobile_User_Device_Group to
mark incoming mobile user traffic. This policy assigns the traffic an IP precedence value of AF11.
The administrator also created QoS profiles with QoS policy rules, enabled QoS on the service connection
and remote network connection, and applied the profiles to those connections to shape the traffic at the
traffic’s egress point based on the QoS markings.

Prisma Access marks traffic at its ingress point based on security policies or honors marking
set by your on-premise devices, and shapes the traffic on egress to your service connections
or remote network connections using QoS profiles.

The following example shows the QoS traffic flow from a branch office to an HQ/data center. The
administrator created a security policy on the Remote_Network_Device_Group to mark the incoming traffic
from the remote network connection, enabled QoS, and applied a QoS profile on the service connection
to shape the outgoing traffic.

The following example shows a hybrid deployment with an on-premise firewall at a branch that is
connected by Prisma Access with a remote network connection, and the on-premise firewall marks the
traffic. This deployment honors the marking set on the on-premise firewall. You must enable QoS and apply
a QoS profile on the service connection, so that Prisma Access can shape the traffic at egress.

Prisma Access honors all DSCP marking from the on-premise device as long as that traffic does not match
an overriding security policy on Prisma Access.

Configure QoS in Prisma Access


Configure Quality of Service in Prisma Access by completing the following task.

STEP 1 | Add one or more security policy rules for remote networks and mobile users to mark the
ingress traffic for QoS.
You use these policies to match a traffic flow and assign it a selected DSCP value.
1. Select Policies > Security > Pre Rules.
Alternatively, select Policies > Security > Post Rules to add a rule at the bottom of the rule order that
is evaluated after a pre-rule.

Be sure that you select the correct Device Group. To create a security rule for
a remote network, select the device group for the remote network (for example,
Remote_Network_Device_Group); for mobile users, select the device group for the
mobile users (for example, Mobile_User_Device_Group).
2. Add a security policy rule.
3. Enter a Name for the rule.
4. Define the matching criteria for the source or destination fields in the packet.
See Create a Security Policy Rule for details.
5. Click Actions, then select a QoS Marking of either IP DSCP or IP Precedence.
6. Enter the QoS value in binary form, or select the value from the drop-down.
The following screenshot shows a security policy rule that matches traffic marked with an IP DSCP
value of af11.

STEP 2 | Add one or more QoS policy rules.
You use QoS policies to bind DSCP marking to one of eight available classes. You use these classes later
when you create one or more QoS profiles.
1. Select Policies > QoS > Pre Rules.
Alternatively, select Policies > QoS > Post Rules to add a rule at the bottom of the rule order that is
evaluated after a pre-rule.

Be sure that you select the correct Device Group for the service connection (for
example, Service_Conn_Device_Group) or remote network connection (for example,
Remote_Network_Device_Group). If a rule in a Shared device group has defined
values other than the values in the General, DSCP/ToS, and Other settings areas,
Prisma Access does not apply the rule on the remote network and service connection.
2. Add a QoS policy rule.
3. Click General and enter a name for the policy rule.
4. Click the DSCP/ToS tab, then click Codepoints and Add one or more new codepoints.
5. Specify a Name for the DSCP/ToS rule, then select a Type and Codepoint.

Alternatively, keep the default value (Any) to allow the policy to match to traffic regardless of the
Differentiated Services Code Point (DSCP) value or the IP Precedence/Type of Service (ToS) defined
for the traffic.
6. Click the Other Settings tab, then Choose the QoS Class to assign to the rule.
You define class characteristics in the QoS profile.
7. Click OK.

STEP 3 | Create one or more QoS profiles to shape QoS traffic on egress for service connections and
remote network connections.
You use profiles to shape the traffic at egress point by defining QoS classes and assigning a bandwidth
to them. You must select either an existing QoS profile or create a new QoS profile when you enable
QoS for Prisma Access.
1. Select the correct template for the profile you want to create (Remote_Network_Template or
Service_Conn_Template); then, select Network > Network Profiles > QoS Profile.
2. Add a profile.
3. Enter a profile Name.
4. Set the overall bandwidth limits for the QoS profile rule.
• Enter an Egress Max that represents the maximum throughput (in Mbps) for traffic leaving the
service connection or remote network connection.
• For service connections, specify a number of up to 1 Gbps (1,000 Mbps).

Do not enter a number greater than 1 Gbps; Prisma Access calculates service
connection bandwidth per service connection IPSec tunnel and not cumulatively
across multiple tunnels.
• For remote network connections, specify a number up to the maximum licensed bandwidth of
your remote network connection.
• Enter an Egress Guaranteed bandwidth that is the guaranteed bandwidth for this profile (in
Mbps).
Any traffic that exceeds the Egress Guaranteed value is best effort and not guaranteed.
Bandwidth that is guaranteed but is unused continues to remain available for all traffic.
5. In the Classes section, Add one or more classes and specify how to mark up to eight individual QoS
classes.
• Select the Priority for the class (either real-time, high, medium, or low).
• Enter the Egress Max for traffic assigned to each QoS class you create.
The Egress Max for a QoS class must be less than or equal to the Egress Max for the QoS profile.
• Enter the Egress Guaranteed bandwidth in Mbps for each QoS class.
Guaranteed bandwidth assigned to a class is not reserved for that class—bandwidth that is unused
continues to remain available to all traffic. When a class of traffic exceeds the egress guaranteed
bandwidth, Prisma Access passes that traffic on a best-effort basis.

6. Click OK.

STEP 4 | Enable QoS for the service connection, remote network connection, or both, and apply the
QoS profile to the connection.
1. Enable QoS.
• For service connections, select Panorama > Cloud Services > Configuration > Service Setup,
select a Connection Name, click the QoS tab, and Enable QoS.
• For remote network connections, select Panorama > Cloud Services > Configuration > Remote
Networks, select the hypertext for a remote network connection Name, click the QoS tab, and
Enable QoS.
2. Select the QoS profile you created in Step 3 and click OK.

STEP 5 | Check the QoS status.


1. Select Panorama > Cloud Services > Status > Monitor > Service Connection or Panorama > Cloud
Services > Status > Monitor > Remote Networks, then Monitor the Statistics.
2. Click QoS to view a page with QoS statistics.

This page displays a chart with real-time and historical QoS statistics, including the number of
dropped packets per class. This chart displays only for service connections or remote network
connections that have QoS enabled, shows the last five minutes of the connection’s network activity,
and refreshes every 10 seconds.
The following figure shows traffic being passed for classes 1, 2, 3, and 4. The data below the figure
shows the number of packets dropped based on the QoS configuration for classes 2, 3, and 4.
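The mark, map and shape stages above, worked through as an added Python example (not Prisma Access code): a small model of the three stages, the rule that a Prisma Access marking overrides an on-premise marking, the profile constraints this section states (1 Gbps per service connection tunnel, eight classes, a class Egress Max within the profile Egress Max) and how Egress Guaranteed bandwidth versus best-effort bandwidth plays out on egress. All rule names, zones, codepoints beyond AF11 and bandwidth figures are constructed.

```python
"""Model of the QoS pipeline described in this section: mark on ingress (security
policy, or the on-premise device's DSCP honored), map the codepoint to one of eight
classes with a QoS policy rule, then shape on egress with a QoS profile.  Added
example with constructed rule and profile values; these are not Prisma Access APIs."""
from dataclasses import dataclass, field
from typing import Optional

PRIORITIES = ["real-time", "high", "medium", "low"]  # served in this order

@dataclass
class SecurityRule:           # Step 1: security policy rule with a QoS Marking action
    name: str
    match: tuple              # (source zone, destination zone, application)
    dscp: Optional[str]       # codepoint to set, e.g. "af11"; None = no marking

@dataclass
class QosRule:                # Step 2: bind a codepoint to a QoS class (1-8)
    name: str
    codepoint: Optional[str]  # None means the default "Any"
    qos_class: int

@dataclass
class QosClass:               # Step 3: one of up to eight classes in a profile
    priority: str
    egress_max: int           # Mbps
    egress_guaranteed: int    # Mbps

@dataclass
class QosProfile:
    name: str
    egress_max: int
    egress_guaranteed: int
    classes: dict = field(default_factory=dict)  # class number -> QosClass

@dataclass
class Flow:
    key: tuple                # (source zone, destination zone, application)
    on_prem_dscp: Optional[str] = None  # marking already set by the branch device

def mark(flow: Flow, rules: list) -> Optional[str]:
    """Ingress marking: a matching Prisma Access security rule that sets a QoS Marking
    overrides what the on-premise device set; otherwise that DSCP is honored."""
    for r in rules:
        if r.match == flow.key and r.dscp:
            return r.dscp
    return flow.on_prem_dscp

def classify(dscp: Optional[str], qos_rules: list, default_class: int = 4) -> int:
    """The first QoS rule whose codepoint matches (or is Any) decides the class."""
    for r in qos_rules:
        if r.codepoint is None or r.codepoint == dscp:
            return r.qos_class
    return default_class      # constructed fallback for traffic no rule matched

def validate_profile(profile: QosProfile, connection: str) -> list:
    """Checks the constraints the section states for a QoS profile."""
    errors = []
    if connection == "service" and profile.egress_max > 1000:
        errors.append("service connection Egress Max is per IPSec tunnel; 1 Gbps maximum")
    if len(profile.classes) > 8:
        errors.append("a profile may define at most eight classes")
    for n, c in profile.classes.items():
        if c.priority not in PRIORITIES:
            errors.append(f"class {n}: unknown priority {c.priority!r}")
        if c.egress_max > profile.egress_max:
            errors.append(f"class {n}: Egress Max exceeds the profile Egress Max")
    return errors

def shape(profile: QosProfile, demand: dict) -> tuple:
    """Egress shaping as the section describes it: each class is served up to its
    Egress Guaranteed first; guaranteed-but-unused bandwidth stays available to all
    traffic, and the rest of the profile Egress Max is handed out best effort in
    priority order, capped by each class's own Egress Max.  Returns (allocated, excess)."""
    alloc = {n: min(demand.get(n, 0), c.egress_guaranteed) for n, c in profile.classes.items()}
    remaining = max(0, profile.egress_max - sum(alloc.values()))
    for prio in PRIORITIES:
        for n, c in profile.classes.items():
            if c.priority != prio:
                continue
            give = max(0, min(min(demand.get(n, 0), c.egress_max) - alloc[n], remaining))
            alloc[n] += give
            remaining -= give
    excess = {n: demand.get(n, 0) - alloc[n] for n in alloc}  # above the shaped rate
    return alloc, excess

# Constructed configuration mirroring the section's example: web traffic is marked AF11.
SECURITY_RULES = [SecurityRule("mark-web-af11", ("trust", "untrust", "web-browsing"), "af11")]
QOS_RULES = [QosRule("af11-to-class1", "af11", 1), QosRule("ef-to-class2", "ef", 2),
             QosRule("any-to-class4", None, 4)]
PROFILE = QosProfile("service-conn-qos", egress_max=100, egress_guaranteed=60, classes={
    1: QosClass("real-time", 40, 20), 2: QosClass("high", 100, 30), 4: QosClass("low", 100, 10)})

if __name__ == "__main__":
    dscp = mark(Flow(("trust", "untrust", "web-browsing"), "cs0"), SECURITY_RULES)
    print(dscp, "-> class", classify(dscp, QOS_RULES), validate_profile(PROFILE, "service"))
    print(shape(PROFILE, {1: 50, 2: 60, 4: 50}))
```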

Create a High-Bandwidth Network for a Remote Site


If you want to secure your branch office or site for outbound internet access with a high-bandwidth
connection to Prisma Access, you can load balance traffic from your branch office or site using multiple
IPSec tunnels by completing the steps in this chapter.

Topology for High-Bandwidth Remote Network
The following diagram shows a sample topology for a branch location using multiple IPSec remote network
tunnels between the site and Prisma Access. In this diagram, we use four 300 Mbps remote network
tunnels to create a 1.2 Gbps throughput to traffic egressing to the internet. The CPE devices can be Palo
Alto Networks next-generation firewalls or other devices that are capable of creating multiple IPSec tunnels
and performing load balancing between these tunnels. One of the methods to achieve this is by enabling
ECMP with session stickiness. The CPE must maintain session affinity per tunnel while applying ECMP over
multiple tunnels.

This example shows four tunnels. The maximum number of tunnels you can use for a high-
bandwidth connection in Prisma Access is based on the maximum number of IPSec tunnels
your CPE devices support with the load balancing protocol you use (ECMP in this example).

Consider the following restrictions and recommendations before you deploy this configuration:
• Use BGP routing for the IPSec tunnels; static routing is not supported.
• Use this configuration for outbound internet access only.
• Do not use tunnel monitoring on either Prisma Access or the CPE devices. Availability of the IPSec
tunnel is determined by BGP peering between the CPE and Prisma Access’ remote network. If an IPSec
tunnel goes down and BGP connection is interrupted, the routes learned over BGP on that tunnel are
automatically removed from ECMP.
• Because you use BGP to determine when a tunnel goes down, consider the HoldTime value you have
configured on your CPE devices. The hold timer determines the amount of time that the tunnel is down
before removing the route. Prisma Access uses the default BGP HoldTime value of 90 seconds as
defined by RFC 4271. If you configure a lower hold time for the BGP CPE devices in the remote network
site, BGP uses the lower hold time value. Palo Alto Networks recommends a KeepAlive value of 10
seconds and a HoldTime value of 30 seconds for your CPE devices with this deployment.
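How the CPE side of this topology behaves, as an added example that is not part of the guide or any CPE vendor's code: per-session balanced round robin over the four tunnels with session affinity, and a tunnel dropping out of the ECMP set once its BGP peer exceeds the recommended 30-second hold time, with no tunnel monitoring involved. Tunnel names, 5-tuples and timestamps are constructed.

```python
"""Flow-to-tunnel selection the way the CPE in this topology has to do it: balanced
round robin ECMP over the four 300 Mbps remote network tunnels, session affinity per
tunnel, and a tunnel leaving the ECMP set once its BGP session exceeds the hold time
(tunnel monitoring is not used).  Added example with constructed values; it is not
CPE vendor or Prisma Access code."""
from dataclasses import dataclass

TUNNELS = ["tunnel.1", "tunnel.2", "tunnel.3", "tunnel.4"]  # four 300 Mbps tunnels
TUNNEL_MBPS = 300
KEEPALIVE = 10   # seconds, the recommended CPE KeepAlive
HOLDTIME = 30    # seconds, the recommended CPE HoldTime (Prisma Access defaults to 90)


@dataclass
class BgpPeer:
    """State of the eBGP session that runs inside one tunnel."""
    tunnel: str
    last_keepalive: float   # when the last message arrived from the Prisma Access eBGP router

    def established(self, now: float) -> bool:
        # RFC 4271: the session is torn down when no message arrives within HoldTime.
        return now - self.last_keepalive < HOLDTIME


class EcmpCpe:
    """Per-session balanced round robin with stickiness; routes learned over a torn-down
    BGP session are withdrawn, so that tunnel silently leaves the ECMP set."""

    def __init__(self, peers):
        self.peers = {p.tunnel: p for p in peers}
        self.sessions = {}   # 5-tuple -> tunnel the session is pinned to
        self.rr = 0          # round robin position for new sessions

    def active_paths(self, now: float) -> list:
        return [t for t in TUNNELS if self.peers[t].established(now)]

    def select(self, five_tuple: tuple, now: float) -> str:
        paths = self.active_paths(now)
        if not paths:
            raise RuntimeError("no remote network tunnel has an established BGP session")
        tunnel = self.sessions.get(five_tuple)
        if tunnel in paths:
            return tunnel                    # session affinity: existing session stays put
        tunnel = paths[self.rr % len(paths)]  # new or orphaned session: next path in rotation
        self.rr += 1
        self.sessions[five_tuple] = tunnel
        return tunnel

    def capacity_mbps(self, now: float) -> int:
        return len(self.active_paths(now)) * TUNNEL_MBPS


def demo() -> tuple:
    """Constructed timeline: all four sessions up at t=100; by t=100+HOLDTIME the peer
    in tunnel.2 has sent nothing while the other three kept sending keepalives."""
    cpe = EcmpCpe([BgpPeer(t, last_keepalive=95) for t in TUNNELS])
    a = ("10.1.1.10", 51000, "198.51.100.20", 443, "tcp")  # constructed 5-tuples
    b = ("10.1.1.11", 51001, "198.51.100.21", 443, "tcp")
    t0 = 100
    before = (cpe.select(a, t0), cpe.select(b, t0), cpe.select(a, t0), cpe.capacity_mbps(t0))
    t1 = t0 + HOLDTIME
    for t in ("tunnel.1", "tunnel.3", "tunnel.4"):
        cpe.peers[t].last_keepalive = t1 - KEEPALIVE / 2   # these peers are still talking
    after = (cpe.select(a, t1), cpe.select(b, t1), cpe.capacity_mbps(t1))
    return before, after


if __name__ == "__main__":
    print(demo())
```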

Create a High-Bandwidth Remote Network Connection
To create a high-bandwidth remote network connection, complete the following task.

STEP 1 | In Panorama, configure the Prisma Access remote network tunnels.


1. (Optional) If you haven’t already, set up IKE gateways, IKE crypto and IPSec crypto profiles, and IPSec
tunnels for the remote network connections you create.
Make a note of the IKE and IPSec cryptographic profiles; you specify the same settings on the CPE
you use to terminate the remote network connection in the remote network location.
2. Select Panorama > Cloud Services > Configuration > Remote Networks and create four remote
network connections, specifying the following settings:
• Select a Bandwidth of 300 Mbps.
• Select the same Location for each connection.
• Enable BGP and Advertise Default Route.
• Specify the same Peer AS for all remote network connections.
This example shows a Peer AS of 2000; in this example, you select a Peer AS of 2000 for all four
connections.
• (Optional) If you want to create a backup remote network, create one by selecting Enable
Secondary WAN; then, select the IPSec Tunnel you created for the backup tunnel.

When complete, you have four 300 Mbps remote network connections for the same location. If you
configured backup tunnels, you also have four secondary tunnels to be used for failover purposes.

3. Select Panorama > Cloud Services > Status > Network Details > Remote Networks and make a note
of the Service IP Address and EBGP Router addresses.

You use the Service IP Address as the peer IP address when you configure the IPSec tunnel on
the CPE devices in the remote network site, and you use these addresses and the EBGP Router
addresses when you create static routes on the CPE devices.

STEP 2 | On the CPE devices in the remote network site, configure the remote network tunnels.

The configuration in these steps uses Palo Alto Networks next-generation firewalls; you
can use any CPE device that supports IPSec tunnels and ECMP for this deployment.

1. Create four active tunnels from the active CPE to each of the four network connections. For the Peer
IP address, enter the Service IP Address of the remote network you received from Prisma Access in
Step 1.c.

2. (Optional) If you create backup tunnels, create them from the active CPE to each of the four network
connections. For the Peer IP address, enter the Service IP Address of the remote network you
received from Prisma Access in Step 1.c.

STEP 3 | Configure ECMP on the CPE devices in the remote network site.
1. Select Network > Virtual Routers.
2. Select the default virtual router, or Add a new virtual router.
3. Select Router Settings > Enable > ECMP, then Enable ECMP with a Max Path of 4 and a load balance
Method of Balanced Round Robin.

STEP 4 | On the CPE devices in the remote network site, create static routes to the Prisma Access
Service IP Address and EBGP Router IP addresses you retrieved in Step 1.c.
As previously stated, dynamic routing with BGP is required for this configuration. To facilitate BGP
connection between the CPE and Prisma Access’ eBGP router, you need to add a static route for the
eBGP router IP address on the CPE, and the next-hop must be the tunnel interface on the CPE. You
must repeat this step for all other Remote Network eBGP router IP addresses on remaining tunnels.
The following example shows the route on the active CPE. If you created backup tunnels on a standby
CPE, create the same routing on the standby CPE.
If you are configuring a Palo Alto Networks next-generation firewall, select Static Routes > IPv4 to add
the static routes.

STEP 5 | Enable route redistribution on the CPE devices by selecting Redistribution Profile > IPv4, then
Add an IPv4 route redistribution profile.

STEP 6 | Select BGP > Peer Group, Enable BGP on the virtual router instance, then Add Remote
Network BGP peers.

STEP 7 | Select BGP > Redist Rules, then attach the route redistribution profile you created in Step 5.

STEP 8 | Validate that the CPE is passing traffic on all four of its tunnels.

STEP 9 | Check the status of the ECMP-enabled connections from Prisma Access.
• Select Panorama > Cloud Services > Monitor > Remote Networks, select the region where you
deployed the ECMP connections, then select Status.

In this area, ECMP displays as No. This is expected because you are not configuring
the Prisma Access ECMP load balancing feature.

• Select Statistics to see that traffic is passing through each remote network tunnel.

When you have completed this workflow, you have created a high-bandwidth configuration for the
remote network. Keep in mind that this solution is supported for outbound traffic only.

Provide Secure Inbound Access to Remote Network Locations


If your organization hosts internet-accessible applications at a remote network site, providing access to
those applications exposes your network to all the threats posed by an open internet. This section describes
how Prisma Access can provide secure access to those applications, when you should implement it, and
how to configure it.
• Secure Inbound Access for Remote Network Sites
• Secure Inbound Access Examples
• Guidelines for Using Secure Inbound Access
• Configure Secure Inbound Access for Remote Network Sites

Secure Inbound Access for Remote Network Sites


Prisma Access for remote networks allows outbound access to internet-connected applications. In some
cases, your organization might have a requirement to provide inbound access to an application or website at
a remote site, and provide secure access to that application for any internet-connected user—not just users
who are protected by Prisma Access. For example:
• You host a public-facing custom application or portal at a remote network site.
• You have a lab or staging environment for which you want to provide secure access.
• You have a need to provide access to an application or website to users who are not members of an
organizational domain.
• You have IoT devices that require access to an internal asset management, tracking, or status
application.
To do this, create a remote network that allows secure inbound access. If you require outbound access as
well as inbound access for a remote network site, create two remote network sites in the same location—
one for inbound access and one for outbound access.

While this solution can provide access for up to 50,000 concurrent inbound sessions per
remote network, Palo Alto Networks does not recommend using this solution to provide
access to a high-volume application or website.

To make internet-accessible applications available from a remote network site, you first make a list of
the applications to which you want to provide access, and assign a private IP, port number, and protocol
combination for each application. If you use the same IP address for multiple applications, the port/protocol
combination must be unique for each application; if you use the same port/protocol combination for
multiple applications, each IP address must be unique.
To begin configuration, you choose how many public IP addresses you want to associate for the
applications. You can specify either 5 or 10 public IP addresses per remote network site. Each public IP
allocation takes bandwidth from your Remote Networks license, in addition to the license cost for the
remote network. 5 IP addresses take 150 MB from your remote network license allocation, and 10 IP
addresses take 300 MB. The following table provides examples of bandwidth cost.

Use the following examples as a guide; you can use any remote network bandwidth to
implement secure inbound access.

Number of IP Addresses                                            | Remote Network Bandwidth | Bandwidth Allocation from Remote Network Bandwidth Pool
5 IP addresses (cost 150 MB from Remote Network bandwidth pool)  | 150 MB                   | 300 MB (150 MB for 5 inbound access IP addresses + 150 MB remote network bandwidth)
10 IP addresses (cost 300 MB from Remote Network bandwidth pool) | 150 MB                   | 450 MB (300 MB for 10 inbound access IP addresses + 150 MB remote network bandwidth)
5 IP addresses (cost 150 MB from Remote Network bandwidth pool)  | 300 MB                   | 450 MB (150 MB for 5 inbound access IP addresses + 300 MB remote network bandwidth)
10 IP addresses (cost 300 MB from Remote Network bandwidth pool) | 300 MB                   | 600 MB (300 MB for 10 inbound access IP addresses + 300 MB remote network bandwidth)

After you choose the number of public IP addresses, you then enter the application, along with its
associated private IP/port number/protocol combination, for which you want secure inbound access.
You can decide how you want to map your application to the public IP addresses. By default, Prisma Access
assigns the public IP addresses to the applications you specify, and multiple applications can be assigned
to a single IP address. If you need to map a single application to a single public IP address, you can select
Dedicated IP during system configuration. You can configure up to 100 inbound applications for each group
of provisioned public IP addresses (either 5 or 10).

Secure Inbound Access Examples


This section provides inbound access examples, along with the IP addresses that Prisma Access assigns in
various deployments.

The following example shows a sample configuration to enable inbound access for an application
(www.example.com) at a remote network site. You assign an IP address of 10.10.10.2, a port of 443, and
a protocol of TCP to the application. You then enter these values in Prisma Access when you configure
inbound access. After you save and commit your changes, Prisma Access assigns a public IP address to the
application you defined, in this case 52.1.1.1.
Prisma Access performs source network address translation (source NAT) on the packets by default. If the
IPSec-capable device at your remote network site is capable of performing symmetric return (such as a Palo
Alto Networks next-generation firewall), you can disable source NAT.
The following figure shows the traffic flow from users to applications. Since source NAT is enabled, the
source IP address in the routing table changes from the IP of the user’s device (34.1.1.1) to the remote
network’s EBGP Router address (172.1.1.1), which you can find under Panorama > Cloud Services > Status >
Network Details > Remote Networks > EBGP Router.

The following figure shows the return path of traffic with source NAT enabled.

If you disable source NAT, Prisma Access still performs destination NAT, but the source IP address of the
request is unchanged.

For return traffic, SNAT is disabled, and the destination address in all routing tables is the user’s IP address
(34.1.1.1).
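A planner for the rules stated above (the uniqueness rule for private IP/protocol/port combinations, the 5-or-10 public IP groups and what they cost against the Remote Networks license, shared versus Dedicated IP mapping, and the source and destination NAT a request goes through), written as an added Python example rather than Prisma Access code. The public-address assignment order is a hypothetical of mine; the hosts, ports and public addresses beyond the ones in the example above are constructed.

```python
"""Planner for a secure inbound access remote network as described in this section:
checks the private IP/protocol/port combinations, charges the public IP group against
the remote network license the way the table does, maps each application to a public
address (shared by default, Dedicated IP on request), and shows the NAT a request goes
through.  Added example with constructed addresses; the assignment order is hypothetical
and Prisma Access chooses its own."""
from dataclasses import dataclass
from ipaddress import ip_address

IP_GROUP_COST_MB = {5: 150, 10: 300}   # license cost of a public IP group, from the table
MAX_APPS_PER_GROUP = 100


@dataclass(frozen=True)
class App:
    name: str
    private_ip: str
    protocol: str        # TCP or UDP
    port: int
    dedicated_ip: bool = False


def validate_apps(apps) -> list:
    """Each private IP / protocol / port combination must be unique; the same IP and
    port may appear twice only if one entry is TCP and the other UDP."""
    errors, seen = [], set()
    if len(apps) > MAX_APPS_PER_GROUP:
        errors.append(f"at most {MAX_APPS_PER_GROUP} applications per public IP group")
    for a in apps:
        if a.protocol not in ("TCP", "UDP"):
            errors.append(f"{a.name}: protocol must be TCP or UDP")
        if not 1 <= a.port <= 65535:
            errors.append(f"{a.name}: invalid port {a.port}")
        key = (ip_address(a.private_ip), a.protocol, a.port)
        if key in seen:
            errors.append(f"{a.name}: duplicate {a.private_ip}/{a.protocol}/{a.port}")
        seen.add(key)
    return errors


def license_allocation_mb(num_public_ips: int, remote_network_mb: int) -> int:
    """Total taken from the remote network license pool (table above)."""
    if num_public_ips not in IP_GROUP_COST_MB:
        raise ValueError("a remote network site gets either 5 or 10 public IPs")
    return IP_GROUP_COST_MB[num_public_ips] + remote_network_mb


def assign_public_ips(apps, public_ips) -> dict:
    """Dedicated IP applications take a public address for themselves; the rest are
    spread over the remaining addresses, several applications per address."""
    errors = validate_apps(apps)
    if errors:
        raise ValueError("; ".join(errors))
    pool, mapping = list(public_ips), {}
    for a in apps:
        if a.dedicated_ip:
            if not pool:
                raise ValueError("not enough public IPs for the Dedicated IP applications")
            mapping[a.name] = pool.pop()
    shared = [a for a in apps if not a.dedicated_ip]
    if shared and not pool:
        raise ValueError("no public IP left for the shared applications")
    for i, a in enumerate(shared):
        mapping[a.name] = pool[i % len(pool)]
    return mapping


def translate_request(pkt: dict, apps, mapping: dict, ebgp_router: str, source_nat=True):
    """Forward direction of a user's request.  Destination NAT always rewrites the
    public address to the application's private IP (the port is never translated);
    source NAT, on by default, rewrites the source to the remote network's EBGP Router
    address so the return traffic comes back through Prisma Access.  Returns None when
    no published application matches, i.e. the packet is not forwarded."""
    published = {(mapping[a.name], a.protocol, a.port): a for a in apps}
    app = published.get((pkt["dst"], pkt["proto"], pkt["dport"]))
    if app is None:
        return None
    out = dict(pkt, dst=app.private_ip)
    if source_nat:
        out["src"] = ebgp_router
    return out


# Constructed values following the section's example (www.example.com at 10.10.10.2:443/TCP,
# public address 52.1.1.1, user 34.1.1.1, EBGP Router 172.1.1.1); the other entries are made up.
APPS = [App("www.example.com", "10.10.10.2", "TCP", 443),
        App("portal-udp", "10.10.10.2", "UDP", 443),     # same IP and port, other protocol: allowed
        App("lab-ssh", "10.10.10.5", "TCP", 22, dedicated_ip=True)]
PUBLIC_IPS = ["52.1.1.1", "52.1.1.2", "52.1.1.3", "52.1.1.4", "52.1.1.5"]

if __name__ == "__main__":
    mapping = assign_public_ips(APPS, PUBLIC_IPS)
    print(license_allocation_mb(5, 150), mapping)
    print(translate_request({"src": "34.1.1.1", "dst": "52.1.1.1", "proto": "TCP", "dport": 443},
                            APPS, mapping, "172.1.1.1"))
```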

Guidelines for Using Secure Inbound Access
Use the following guidelines and restrictions when you configure a remote network to use secure inbound
access:
• The following locations are supported:
• Australia Southeast
• Belgium
• Brazil South
• Canada East
• Finland
• Germany Central
• Hong Kong
• India West
• Japan Central
• Netherlands Central
• Singapore
• Switzerland
• Taiwan
• UK
• US Central
• US East
• US Northwest
• US Southeast
• US Southwest
• You cannot modify an existing remote network to provide secure inbound access; instead, create a new
remote network.
• The inbound access feature is not available on remote networks that use ECMP load balancing.
• Application port translation is not supported.

• The bulk import feature to onboard remote networks does not support inbound access. Use Panorama
to onboard new inbound access remote networks.
• Do not use remote network inbound access with traffic forwarding rules with service connections.
• Outbound traffic originating at the branch is not allowed on the inbound remote network.
• User-ID and application authentication are not supported.
• Prisma Access enforces the following rate limiting thresholds to provide flood protection, and measures
the rate in connections per second (CPS):

Flood Protection Type   Alarm Rate in CPS   Activate Rate in CPS
SYN Flood               10000               15000
ICMP Flood              20                  20

• Remote networks that are configured for secure inbound access can only be used for that purpose.
If you require outbound access as well as inbound access for a remote network site, create two
remote network sites in the same location—one for inbound access and one for outbound access—as
shown in the following figure. In this example, User 1 uses Remote Network 1 for inbound access to
www.example.com, while User 2 uses Remote Network 2 for outbound internet access from the remote
network location.

• If you have a custom Prisma Access deployment where one of the cloud providers is excluded, inbound
access might not be supported because you cannot choose the locations during remote network
onboarding.
• Secure inbound access is not supported with evaluation licenses.

Configure Secure Inbound Access for Remote Network Sites


To create a remote network site that allows secure inbound access, complete the following steps.

STEP 1 | Select Panorama > Cloud Services > Configuration > Remote Networks and Add a connection.
Any bandwidth is supported for secure inbound access.

STEP 2 | Select Inbound Access and Enable secure inbound access.

If Palo Alto Networks has created a custom Prisma Access deployment for your
organization where one of the cloud providers is excluded, inbound access features may
not be configurable due to non-availability of the supported locations; in this case, no
locations display in the Location area, as shown in the following screenshot.

STEP 3 | When prompted, click Close and select, or re-select, a supported location.
Prisma Access prompts you with a verification window when you enable secure inbound access, to make
sure that you select a supported location.

STEP 4 | (Optional) To disable source NAT, deselect Enable Source NAT.


By default, source NAT is enabled. If the IPSec-capable device at your remote network site is capable of
performing symmetric return (such as a Palo Alto Networks next-generation firewall), deselect Enable
source NAT.

STEP 5 | Select the Number of Public IPs that you want to allocate for secure inbound access (5 or 10).
The IP addresses you use for inbound secure access take bandwidth from your remote network license.
5 public IP addresses use 150 MB from your remote networks license; 10 public IP addresses use 300
MB from your remote network license.

STEP 6 | Add the applications to provide secure inbound access.


You can configure up to 100 inbound applications for each group of provisioned public IP addresses
(either 5 or 10). Enter a unique Private IP address, Protocol, and Port combination for each application.
It is acceptable to use duplicate private IP addresses and ports for two applications, as long as you select
TCP for one application and UDP for another application.

Provide the following values:
• Specify the name of the Application.
• Specify the Private IP address to use with this application.
• Specify the Protocol to use with the application (TCP or UDP).
• Specify the Port to use with the application.
• Choose whether you want to dedicate a single public IP address to a single application; to do so,
select Dedicated IP.

STEP 7 | Click OK to save your changes.

STEP 8 | (Optional) If you selected an unsupported location, a window prompts you to select a supported
location. If required, select a supported location, then click OK.

STEP 9 | Save and Commit your changes.

STEP 10 | Wait approximately 30 minutes for Prisma Access to generate the public IP addresses; then
select Panorama > Cloud Services > Status > Network Details > Remote Networks and
make a note of the Public Address that is associated with the App Name for application you
created.
If you selected Dedicated IP, find the single application that is associated with the Public Address.

STEP 11 | Create security policies to allow traffic from the inbound internet users.
Because Prisma Access’ default security policy only allows untrust-to-untrust traffic, you need to
configure security polices to allow untrust-to-trust (external-to-internal) traffic for your inbound access
applications. Palo Alto Networks recommends that you limit the type of access you permit to inbound
applications. The following examples provide access to SSH servers, web portals, and RDP servers.
1. Select Policies > Security and Add a policy.
Be sure to create this policy under the Remote_Network_Device_Group device group.
2. Select the Source traffic as external.

3. Create a policy to allow SSH server traffic by selecting the Destination Zone for destination traffic as
Internal and specifying a Destination Address of SSH-server-public.

4. Select an Application of ssh.

5. Select a Service/URL Category of application-default to allow or deny applications based only on their
default ports as defined by Palo Alto Networks.
6. In Actions, select Allow.
7. Click OK to save the policy.
8. Create a policy to allow web portal access by repeating the previous steps but substituting
the following settings in the Destination and Application tabs:
• Select a Destination Address of Web-Portal-Public.

• Select an Application of web-browsing.

9. Create a security policy for RDP server access, using the same settings as you did for the other
policies but substituting RDP-Server-Public as the Destination Address and webrdp as the
Application.
When complete, you have three different policies to allow SSH server access, web portal access, and
RDP server access.

STEP 12 | Save and Commit your changes.

STEP 13 | Check that the remote network connection is operational and correctly processing inbound
traffic.
1. Select Panorama > Cloud Services > Status > Status > Remote Networks and hover over the
Status and Config Status areas to see the tunnel’s status.

2. If you find issues, select Panorama > Cloud Services > Status > Monitor > Remote Networks,
select the location of the remote network tunnel in the map, and hover over the Tunnel Status area
to determine the cause of the error.

Configure User-ID and User-Based Policies
with Prisma Access
Prisma Access requires that you configure IP address-to-username mapping to consistently
enforce user-based policy for mobile users and users at remote network locations. In addition,
you need to configure username to user-group mapping if you want to enforce policy based on
group membership.
You can then configure your deployment to allow Panorama to get the list of user groups
retrieved from the group mapping, which allows you to easily select these groups from a drop-
down list when you create and configure policies in Panorama.
The following sections provide an overview and the steps you perform to configure and
implement User-ID in Prisma Access.

> Configure User-ID in Prisma Access
> Configure User-ID for Remote Network Deployments
> Configure Your Prisma Access Deployment to Retrieve Group Mapping
> Redistribute User-ID Information Between Prisma Access and On-Premise Firewalls
> Collect User and Group Information Using the Directory Sync Service

Configure User-ID in Prisma Access
This section provides the steps you perform to configure User-ID for Prisma Access.

STEP 1 | Configure IP address-to-username mapping for your mobile users and users at remote network
locations.
• For mobile users, the GlobalProtect agent in Prisma Access automatically performs User-ID mapping.
• For users at remote networks, configure User-ID for your remote network locations to map IP
addresses to User IDs.

STEP 2 | Configure username to user-group mapping for your mobile users and users at remote network
locations.
To configure username-to-user group mapping for all users, enable group mapping for mobile users and
for users at remote networks using an LDAP server profile.

We recommend using a Group Include List in the LDAP server profile, so that you can
specify which groups you want to retrieve, instead of retrieving all group information.

STEP 3 | Allow Panorama to use group mappings in security policies by configuring one or more next-
generation on-premise or VM-series firewalls as a Master Device.
If you don’t configure a Master Device with a Prisma Access User-ID deployment, use long-form
distinguished name (DN) entries instead.

STEP 4 | Redistribute HIP information to Panorama.

Configure User-ID for Remote Network
Deployments
The process for retrieving User-ID information for Prisma Access is similar to configuring User-ID for on-
premise Palo Alto Networks next-generation firewalls. To configure User ID-to-IP address mapping for
Prisma Access, use the following workflow.

STEP 1 | Map IP addresses to users in Prisma Access.


• To use a Windows-based User-ID Agent for IP address-to-username mapping, create a dedicated
service account for the User-ID agent, then configure user mapping using the Windows User-ID
agent.
• To use the PAN-OS integrated User-ID Agent for IP address-to-username mapping, Create a
dedicated service account for the User-ID Agent, then configure User-ID using the PAN-OS
integrated User-ID agent.
If you use either a Windows or PAN-OS User-ID Agent, use the User-ID Agent Address (Panorama >
Cloud Services > Status > Network Details > Service Connection) from Prisma Access in your User-
ID agent configuration to configure your on-premise firewalls to retrieve User-ID mappings from
the Prisma Access infrastructure. For more information about User-ID redistribution from Prisma
Access to an on-premise firewall, see Redistribute User-ID Information From Prisma Access to an On-
Premise Firewall.

By default, the User-ID agent uses port 5007 to listen for User-ID information requests. Make sure
that you implement security policies that allow User-ID traffic from this port between Prisma Access
and the Active Directory server or User-ID Agent.

You can also use the paloalto-userid-agent App ID to retrieve the information from the
Windows domain controller; however, if you do this, you must decrypt the SSL traffic
for User-ID.
• To enable IP address-to-username mapping for users with client systems that aren’t logged in to your
domain servers—for example, users running Linux clients that don’t log in to the domain—you can
Map IP Addresses to Usernames Using Captive Portal.
To authenticate users using MFA, SAML, or Captive Portal, we recommend mapping a hostname to
the Captive Portal Redirect IP Address in Prisma Access and associating it with your internal DNS
servers. If you choose to use Kerberos single sign-on (SSO) with the captive portal, the hostname is
required. Alternatively, you can use the Captive Portal Redirect IP Address by itself to redirect users.
To find the Captive Portal Redirect IP Address, select Panorama > Cloud Services > Status >
Network Details > Service Infrastructure. Prisma Access assigns this IP address from the
infrastructure subnet IP address pool.

• To enable IP address-to-username mapping using syslog listening, Configure User-ID to Monitor
Syslog Senders for User Mapping.
• To enable IP address-to-username mapping for users on Windows-based terminal servers, Configure
User Mapping for Terminal Server Users.
• To enable IP address-to-username mapping using an XML API, Send User Mappings to User-ID Using
the XML API.
• To enable IP address-to-username mapping without using an agent, Configure User-ID for Prisma
Access Using the PAN-OS Integrated User-ID Agent.
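The XML API path listed above, as an added example that is not part of this guide: the script builds the uid-message document that the PAN-OS User-ID XML API accepts (sent as type=user-id with the XML in the cmd parameter), lets you inspect what is about to be pushed, and posts it. The firewall host name, API key, usernames and IP addresses are constructed placeholders. Whatever target you send to (for example an on-premise firewall that then redistributes mappings to Prisma Access), keep certificate verification on, because the request carries the API key.

```python
"""Build, inspect and send IP address-to-username mappings with the User-ID XML API.

Added example; not from the Prisma Access guide. The uid-message/login/entry
layout is the PAN-OS User-ID XML API format; host, key, users and addresses
below are constructed placeholders.
"""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def build_uid_message(logins, logouts=(), timeout_min=60):
    """Return a uid-message XML string.

    logins/logouts are iterables of (username, ip). Use the username format your
    group mapping expects (DOMAIN\\user or a UPN), or group-based rules will not match.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip in logins:
            # timeout (minutes) bounds how long a stale mapping keeps granting access
            ET.SubElement(login, "entry", name=user, ip=ip, timeout=str(timeout_min))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            ET.SubElement(logout, "entry", name=user, ip=ip)
    return ET.tostring(root, encoding="unicode")


def parse_uid_message(xml_text):
    """Parse a uid-message back into {'login': [(user, ip, timeout)], 'logout': [...]}.

    Handy for reviewing a sender's payload before it reaches the firewall.
    """
    root = ET.fromstring(xml_text)
    result = {"login": [], "logout": []}
    for kind in result:
        for entry in root.iterfind(f"./payload/{kind}/entry"):
            result[kind].append((entry.get("name"), entry.get("ip"), entry.get("timeout")))
    return result


def send_uid_message(host, api_key, xml_text, cafile=None):
    """POST the message to https://<host>/api/?type=user-id (needs network access).

    cafile: CA bundle used to verify the firewall certificate. Verification stays
    enabled because the API key travels in the request body.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    data = urllib.parse.urlencode(
        {"type": "user-id", "key": api_key, "cmd": xml_text}
    ).encode()
    req = urllib.request.Request(f"https://{host}/api/", data=data, method="POST")
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Constructed sample: one login and one logout for users in the HOOLI domain.
    msg = build_uid_message(
        [("HOOLI\\balice", "10.20.30.40")],
        logouts=[("HOOLI\\jdoe", "10.20.30.41")],
        timeout_min=20,
    )
    print(msg)
    print(parse_uid_message(msg))
    # send_uid_message("fw.example.internal", "<api-key>", msg, cafile="corp-ca.pem")
```

The logout entries matter as much as the logins: without them a mapping lingers until its timeout, and a new host that inherits the address inherits the user’s policy.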

STEP 2 | Allow Panorama to use group mappings in security policies.


• To allow Panorama to retrieve group mapping information, add one or more next-generation firewalls
to your deployment and then configure the firewall as a Master Device.
We recommend using a Master Device in Prisma Access User-ID deployments, because it allows you
to select groups from drop-down lists in policies that you create and configure in Panorama, which
simplifies group-based policy configuration.
• If you don’t use a master device, you can configure group-based policy by specifying the full
distinguished name (DN) of the group.

Configure User-ID for Prisma Access Using the PAN-OS Integrated User-ID Agent
The following procedure shows how to configure the PAN-OS integrated User-ID agent on the firewall for
IP address-to-username mapping. The integrated User-ID agent performs the same tasks as the Windows-
based agent with the exception of NetBIOS client probing. While we support WMI probing, we do not
recommend it.

STEP 1 | Create the User-ID service account in the Windows Active Directory (AD) server that is being
used by the authentication server.
Be sure that the user you create is part of the following groups:
• Distributed COM Users
• Event Log Readers
• Server Operators

Server Operator membership is only required if you enable monitoring of user
sessions (Enable Session) when you configure server monitoring in Panorama in Step 5.b.

We recommend only making these group associations. You do not have to configure
Domain Admin or Enterprise Admin privileges for the User-ID service account to work
correctly. Giving privileges to the account that aren’t required can give your network a
larger attack surface.

STEP 2 | Configure Windows Management Instrumentation (WMI) on the AD server.


The device uses WMI Authentication and you must modify the CIMV2 security properties on the AD
server that connects to the device.
1. Open a command prompt window and run the wmimgmt.msc command.
2. In the WMI Control pane, right-click WMI Control, choose Properties, and select the Security tab.

STEP 3 | Make the following changes in the CIMV2 folder:

1. Select the CIMV2 folder.
2. Click Security.
3. Click Add
4. Select the service account you created in Step 1.
This example uses the UserID user with the email of [email protected].
5. Check Allow for the Enable Account and Remote Enable for the account you created.
6. Click Apply.
7. Click OK.

STEP 4 | In Panorama, select Device > User Identification > User Mapping and click the gear icon to
edit the settings.
Be sure that you have selected the Remote_Network_Template at the top of the page.

STEP 5 | Make the following changes to the Palo Alto Networks User-ID Agent Setup settings:
1. Select WMI Authentication and enter the domain and username (in the format domain\username)
for the User-ID service account, along with a valid password.

2. (Optional) Select Server Monitor and change the default settings, if required.
• To disable security log monitoring on Windows servers, deselect Enable Security Log.
• To enable monitoring of user sessions on the monitored servers, select Enable Session.
3. (Optional) Select Client Probing and select Enable Probing to enable WMI probing.
4. Click OK to exit from the Palo Alto Networks User-ID Agent Setup.

STEP 6 | If you have not done so already, click Add in the Server Monitoring area and add a Name,
Description, Type, and Network Address for the server you need to monitor.

Configure Your Prisma Access Deployment to
Retrieve Group Mapping
After you configure User-ID mapping in Prisma Access, you need to be able to retrieve the current IP
address-to-username and username-to-user group information for mobile users and users at remote
networks. To allow the Panorama that manages your deployment to retrieve group mapping information,
you must add one or more next-generation firewalls to your deployment and then designate the firewall as
a Master Device. You then create policies in Panorama and enforce the policies using the list of user groups
that Panorama retrieved from the Master Device.
Panorama cannot retrieve group mapping information in Prisma Access deployments without next-
generation firewalls, because Prisma Access does not have any devices in its device groups that you can
specify as a Master Device. If you have a standalone Prisma Access deployment, you can still implement
User-ID mapping in policies by using long-form Distinguished Name (DN) entries.
• Retrieve Group Mappings Using a Master Device
• Configure an On-Premise or VM-Series Firewall as a Master Device
• Implement User-ID in Security Policies For a Standalone Prisma Access Deployment

Retrieve Group Mappings Using a Master Device


To allow Panorama to collect group mappings, you need to add a device group, then designate one or more
next-generation firewalls as a Master Device. You can configure either an on-premise firewall or a VM-
series firewall as a master device.
• To allow Panorama to collect group mapping information from mobile users, create a device group that
specifies the on-premise or VM-series firewall as the Master Device and specify this device group as a
Parent Device Group of the Mobile_User_Device_Group device group.
• To allow Panorama to collect group mapping information from users connected to remote networks,
create a device group that specifies the on-premise or VM-series firewall as the Master Device and
specify this device group as a Parent Device Group of the Remote_Network_Device_Group device
group.
• To allow Panorama to collect group mapping information from users or resources available
through a service connection, create a device group that specifies the on-premise or VM-series
firewall as the Master Device and specify this device group as a Parent Device Group of the
Service_Conn_Device_Group device group.

Auto-population of users and groups is only applicable to the parent device group that is
associated with the master device. Auto-Population of users/groups is not applicable to the
child device groups (the Mobile_User_Device_Group, Remote_Network_Device_Group, or
Service_Conn_Device_Group, device groups). See Configure an On-Premise or VM-Series
Firewall as a Master Device for details.

The Master Devices can serve as the termination point of a remote network connection or service
connection, but this connection method is not required for the process to work, as shown in the following
example. The following figure shows a User-ID deployment where the administrator has configured an on-
premise device as a Master Device. Callouts in the figure show the process.

1. A next-generation on-premise or VM-series firewall that the administrator has configured as a Master
Device retrieves the latest User-ID information from the LDAP server and User-ID agent in the data
center.
2. Panorama gets the list of usernames, user group names, and group mapping information from the Master
Device.

We recommend using a Group Include List in the LDAP server profile, so that you can
specify which groups you want to retrieve, instead of retrieving all group information.

Configure an On-Premise or VM-Series Firewall as a Master Device


Use the following procedure to configure an on-premise or VM-series firewall as a Master Device.

STEP 1 | Create device groups for mobile users, remote networks, and service connection device groups
as required, and specify the on-premise device as the Master Device.
1. Select Panorama > Managed Devices > Device Groups.
2. Add a new device group.
3. Enter a Name for the device group.
4. Leave the Parent Device Group as Shared.
5. In the Devices area, select the Name of the on-premise or VM-Series device that you want to set as
the Master Device.
6. Select Store user and groups from Master Device if Reporting and Filtering on Groups is enabled in
Panorama Settings.
This option allows Panorama to locally store usernames, user group names, and group mapping
information that it receives from the Master Device.
7. Click OK.
The following screenshot creates a Master Device to be used for the service connection.

STEP 2 | Associate the device groups you created for your Prisma Access mobile user, remote network,
or service connection deployment.
• To associate the device group with a mobile user deployment, select Panorama > Cloud Services >
Configuration > Mobile Users, edit the settings by clicking the gear icon in the Settings area, and
associate the device group you created for mobile users with the Parent Device Group.

• To associate the device group with a remote network connection, select Panorama > Cloud
Services > Configuration > Remote Networks and edit the settings by clicking the gear icon in the
Settings area and associate the device group you created for the remote network connection with
the Parent Device Group.

• To associate the device group with a service connection, select Panorama > Cloud Services >
Configuration > Service Setup and edit the settings by clicking the gear icon in the Settings area and
associate the device group you created for the service connection with the Parent Device Group.

After you create a parent device group, Prisma Access automatically populates
group mapping for the device group that is associated with the master device only.
For the previous examples, the auto-population would occur only in the User-
ID DG Mobile Users, User-ID DG Remote Connection, and User-ID DG Service
Connection device groups, and would not populate to the Mobile_User_Device_Group,
Remote_Network_Device_Group, or Service_Conn_Device_Group device groups,
respectively.

STEP 3 | Click OK.

Implement User-ID in Security Policies For a Standalone Prisma Access Deployment
In a standalone Prisma Access deployment without a Master Device, you can use group-based policy using
long-form DN entries in Panorama. Prisma Access uses the DN entries to evaluate the User-ID-based
policies you have configured in Panorama.

For example, given a User named Bob Alice who works in IT for Organization Hooli in the United States,
a matching security policy may have ou=IT Staff,O=Hooli,C=US if the policy is to be applied to all IT
staff, or CN=Bob Alice,ou=IT Staff,O=Hooli,C=US if the policy is only to be applied to Bob Alice.
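A worked illustration of the DN matching described above, added here and not part of the guide. It parses the guide’s sample DNs into relative distinguished names and compares them RDN by RDN from the root, so a container entry such as ou=IT Staff,O=Hooli,C=US matches Bob Alice and anyone beneath that OU, while a user entry matches only that user. The rulebase and the extra users are constructed, and how Prisma Access itself normalizes DNs is not shown on the page, so treat this as a model of the matching semantics rather than the product’s implementation.

```python
"""Match a user's LDAP distinguished name against long-form DN policy entries.

Added example, not from the Prisma Access guide. Uses the guide's sample DNs
(Bob Alice in ou=IT Staff,O=Hooli,C=US); the rulebase is constructed.
Parsing covers the common RFC 4514 string form: backslash-escaped characters,
single-valued RDNs, attribute types compared case-insensitively.
"""


def parse_dn(dn):
    """Return [(ATTR, value), ...] most specific first, normalized for comparison."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:                 # "\," is a literal comma inside a value
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    pairs = []
    for rdn in rdns:
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        # Attribute types are case-insensitive; most directory values are too.
        pairs.append((attr.strip().upper(), value.strip().lower()))
    return pairs


def dn_matches(user_dn, policy_dn):
    """True if policy_dn names the user exactly or a container above the user.

    Comparison is per RDN, so O=Hooli does not match a user under O=Hooli Labs,
    which a plain string endswith() check would wrongly accept.
    """
    user, policy = parse_dn(user_dn), parse_dn(policy_dn)
    return len(policy) <= len(user) and user[-len(policy):] == policy


def evaluate(user_dn, rules):
    """rules: ordered (name, policy_dn, action) tuples; first match wins, like a rulebase."""
    for name, policy_dn, action in rules:
        if dn_matches(user_dn, policy_dn):
            return name, action
    return "default-deny", "deny"


if __name__ == "__main__":
    # Constructed rulebase: all IT staff may reach the admin portal; Bob alone may reach the jump host.
    RULES = [
        ("it-staff-admin-portal", "ou=IT Staff,O=Hooli,C=US", "allow"),
        ("bob-jump-host", "CN=Bob Alice,ou=IT Staff,O=Hooli,C=US", "allow"),
    ]
    for user in ("CN=Bob Alice,ou=IT Staff,O=Hooli,C=US",
                 "CN=Eve,OU=Contractors,OU=IT Staff,O=Hooli,C=US",
                 "CN=Carol,ou=Sales,O=Hooli,C=US"):
        print(user, "->", evaluate(user, RULES))
```

Note that the contractor nested under OU=Contractors,OU=IT Staff also matches the IT Staff container rule; if that is not intended, the policy entry has to name the narrower container, which is exactly the kind of scoping question long-form DN entries force you to decide explicitly.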

Redistribute User-ID Information Between
Prisma Access and On-Premise Firewalls
After you configure User-ID, you consistently enforce user-based policy for all mobile users and users at
remote network locations by configuring User-ID redistribution to redistribute the User-ID mapping from
Prisma Access to all next-generation firewalls that secure access to network resources.
Use one of the following methods to redistribute User-ID mapping between Prisma Access (mobile users
and users in remote networks) and an on-premise next-generation firewall, depending on the direction in
which you want to redistribute the User-IDs:
• Redistribute User-ID Information From Prisma Access to an On-Premise Firewall
• Redistribute User-ID Information From an On-Premise Firewall to Prisma Access

Redistribute User-ID Information From Prisma Access to an On-Premise Firewall
In cases where mobile users need to access a resource on a remote network location or HQ/data center
and the resource is secured by an on-premise next-generation firewall with user-based policies, you must
redistribute User-ID mappings from the Prisma Access mobile users and users at remote networks to the
on-premise firewall. When the user connects to Prisma Access, it collects this user-to-IP address mapping
and stores it.
The following figure shows two mobile users that have an existing IP address-to-username mapping in
Prisma Access. Prisma Access then redistributes this mapping by way of a service connection to the on-
premise firewall that secures the HQ/data center.

To redistribute User-ID mappings from Prisma Access to an on-premise firewall, complete the following
steps.

Before you start this task, find the User-ID Agent Address in Prisma Access by selecting
Panorama > Cloud Services > Status > Network Details, selecting the Service Connection
radio button, and viewing the information in the User-ID Agent Address field.

STEP 1 | Configure Prisma Access as a User-ID agent that redistributes user mapping information.
1. In the Panorama that manages Prisma Access, select Device > User Identification > User Mapping >
Palo Alto Networks User-ID Agent Setup.
Make sure that you have selected the Service_Conn_Template in the Templates drop-down at the
top of the page. The User-ID agent in Prisma Access receives its User-ID mapping from the domain
controller in the data center by way of the service connection.
2. Click the gear icon to edit the settings.
3. Select Redistribution.
4. Provide a User-ID Collector Name and a User-ID Collector Pre-Shared Key to identify Prisma Access
as a User-ID agent.
5. Click OK to save your changes.

STEP 2 | Configure the on-premise firewall to collect the User-ID mapping from Prisma Access.
1. From the on-premise firewall, select Device > User Identification > User-ID Agents.
2. Add a User-ID Agent and give it a Name.
3. Select Host and Port.
4. Enter the User-ID Agent Address from Prisma Access in the Host field.
5. Enter the User-ID Collector Name and User-ID Collector Pre-Shared Key for the Prisma Access
collector you created in Step 1.
6. Click OK.

STEP 3 | Repeat these steps for each service connection.

Redistribute User-ID Information From an On-Premise Firewall to Prisma Access
In cases where users are at a branch location or HQ that is secured by an on-premise next-generation
firewall with user-based policies, and they need to access resources at another branch location that you
have secured with Prisma Access, you must redistribute User-ID mappings from the on-premise firewall to
Prisma Access.
The following figure shows an HQ/Data center with an on-premise next-generation firewall with existing
IP address-to-username mapping. Prisma Access connects to the firewall with a service connection, and the
on-premise firewall redistributes the mapping to Prisma Access.

To redistribute User-ID mappings from an on-premise firewall to Prisma Access, complete the following
steps.

STEP 1 | Configure the on-premise firewall to redistribute User-ID information to Prisma Access.
1. From the on-premise firewall, select Device > User Identification > User Mapping > Palo Alto
Networks User-ID Agent Setup.
2. Click the gear icon to edit the settings.
3. Select Redistribution.
4. Provide a User-ID Collector Name and a User-ID Collector Pre-Shared Key to identify the on-
premise firewall as a User-ID agent.
5. Click OK to save your changes.

STEP 2 | Configure Prisma Access to collect the User-ID mapping from the on-premise firewall.
1. From the Panorama that manages Prisma Access, select Device > User Identification > User-ID
Agents.
Make sure that you have selected the Remote_Network_Template in the Templates drop-down at
the top of the page.
2. Add a User-ID Agent and give it a Name.
3. Select Host and Port.

4. Enter the IP address of the MGT interface or service route that the firewall uses to send user
mappings in the Host field.
For the MGT interface, you can enter a hostname instead of the IP address.
5. Enter the User-ID Collector Name and User-ID Collector Pre-Shared Key, using the values for the
collector you created for the on-premise firewall in Step 1.
6. Click OK.

Get User and Group Information Using
Directory Sync
Prisma Access retrieves user and group information from your organization’s Active Directory (AD) to
enforce user- and group-based policy. You can simplify the retrieval of user and group information by using
Palo Alto Networks’ Directory Sync service.
In addition to simplifying user and group information retrieval, integrating Directory Sync with Prisma
Access reduces the bandwidth and load on your AD. Without Directory Sync integration, all the remote
network and mobile user nodes individually communicate with your AD using the service connection.
You can use Directory Sync to retrieve user and group information for Prisma Access for mobile users,
remote networks, or both, by completing the following steps.
The Directory Sync integration with Prisma Access has the following implementation restrictions:
• Azure AD Directory Sync integration is not supported with Prisma Access.
• Make sure that the groups you use with Directory Sync do not have any of the following special
characters, because Prisma Access does not support the use of following special characters in groups
and commit operations will fail:
• " (Double quotes)
• ' (Apostrophe)
• < (less than sign)
• > (greater than sign)
• & (ampersand)
• If you associate Directory Sync with Prisma Access, your user and group names must use the NetBIOS
format that includes the domain.
• The username format must use either the email format (username@domain) or be in NetBIOS\sAMAccountName format.
• Group names must be in the distinguishedName format (for example,
CN=Users,CN=Builtin,DC=Example,DC=com).
• Directory Sync does not apply any settings you specify in the group include list (Device > User
Identification > Group Mapping Settings > Group Include List); instead, it retrieves user and group
information from your entire configuration, including groups used in all device groups and templates.
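An added pre-commit check, not from this guide, that tests user and group names against the Directory Sync restrictions just listed so that a name that would fail the commit is caught before you push. The regular expressions are this example’s own approximation of the documented formats (they are not Prisma Access’s validation logic), and the sample names are constructed.

```python
"""Lint user and group names against the Directory Sync restrictions.

Added example; not from the Prisma Access guide. The patterns below are an
approximation of the documented formats, not the product's own validation.
"""
import re

# Characters the guide says make a commit fail when they appear in a group name.
FORBIDDEN = set('"\'<>&')

# username@domain
EMAIL_RE = re.compile(r"^[^@\s\\]+@[^@\s\\]+\.[^@\s\\]+$")
# NETBIOS\sAMAccountName (NetBIOS domain names are at most 15 characters)
NETBIOS_RE = re.compile(r"^[A-Za-z0-9_.-]{1,15}\\[^\\\s]+$")
# attr=value(,attr=value)* as in CN=Users,CN=Builtin,DC=Example,DC=com
DN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+(?:,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def check_username(name):
    """Return a list of problems (empty when the name is acceptable)."""
    if EMAIL_RE.match(name) or NETBIOS_RE.match(name):
        return []
    return [f"user {name!r}: not username@domain or NETBIOS\\sAMAccountName"]


def check_group(name):
    """Return a list of problems: forbidden characters and/or non-DN format."""
    problems = []
    bad = sorted(FORBIDDEN & set(name))
    if bad:
        problems.append(f"group {name!r}: contains {''.join(bad)!r}; commit would fail")
    if not DN_RE.match(name):
        problems.append(f"group {name!r}: not in distinguishedName format")
    return problems


def lint(users, groups):
    """Run all checks and return the combined problem list (empty means safe to commit)."""
    problems = []
    for user in users:
        problems += check_username(user)
    for group in groups:
        problems += check_group(group)
    return problems


if __name__ == "__main__":
    # Constructed sample data: two valid users, one bare logon name, one group with '&'.
    USERS = ["balice@hooli.com", "HOOLI\\jdoe", "jdoe"]
    GROUPS = [
        "CN=Users,CN=Builtin,DC=Example,DC=com",
        "CN=R&D,OU=Groups,DC=Example,DC=com",
        "IT Staff",
    ]
    for line in lint(USERS, GROUPS):
        print(line)
```

Run it over the users and groups referenced by every device group and template, because Directory Sync ignores the Group Include List and pulls from the whole configuration; a single offending group anywhere is enough to break the commit.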

STEP 1 | Create a Directory Sync instance for Prisma Access, and make a note of the instance name.
When you activate Directory Sync, it creates an instance. You use the instance name when you
associate Directory Sync with Prisma Access in a later step. Optionally, if you need to create a separate
instance for Prisma Access, create it and make a note of the instance name.

STEP 2 | Set up Directory Sync on your AD.


This process includes installing and configuring a Directory Sync Agent to communicate with your on-
premises Active Directory and configuring mutual authentication between the Directory Sync service
and the agent.

STEP 3 | Associate the Panorama that manages Prisma Access with Directory Sync in the hub.
Directory Sync integration with Prisma Access is not supported in a multi-tenant environment.
1. Find the serial number of the Panorama that manages Prisma Access by selecting the Dashboard and
noting the Serial # that displays.

2. Log in to the Palo Alto Networks hub and select Panorama.

3. Find the serial number of the Panorama that manages Prisma Access, select it, then select Add
Directory Sync.

4. Enter the Directory Sync instance you retrieved in Step 1.
You do not need to select the Region; Directory Sync uses the same region that Prisma Access uses
for Cortex Data Lake.

5. Click OK when complete.


6. (Optional) If you need to edit an existing Directory Sync instance after you create it, select Prisma
Access - DirSync Mapping, select the Panorama’s serial number, select Edit, and enter the following
information in the window that displays:
• Enter a Name for the Directory Sync - Prisma Access mapping.
• Optionally, enter a Description for the mapping.
• Select the Directory Sync instance name that you noted in Step 1.
The Region and Serial Number fields populate automatically.

STEP 4 | Enable Directory Sync on Prisma Access.
1. On the Panorama that manages Prisma Access, select one of the following tabs:
• To configure Directory Sync for Prisma Access for mobile users, select Panorama > Cloud
Services > Configuration > Mobile Users, select the gear icon to edit the settings, then select
Group Mapping Settings.

• To configure Directory Sync for Prisma Access for remote networks, select Panorama > Cloud
Services > Configuration > Remote Networks, select the gear icon to edit the settings, then select
Group Mapping Settings.

2. Select Enable Directory Sync Integration to enable Directory Sync with Prisma Access.
3. Enter the following information:
• Enter the Primary Username (the logon name attribute for the user, such as userPrincipalName or
sAMAccountName). This field is required.
• (Optional) Enter the E-Mail attribute (such as mail).
• (Optional) If you use alternate name attributes for the user, enter them. You can enter up to three
alternate user names (Alternate User Name 1, Alternate User Name 2, and Alternate User Name
3).
4. Click OK when complete.

STEP 5 | Commit and push (Commit > Commit and Push) your changes.

Redistribute HIP Information and View HIP
Reports
Use the topics in this section to understand how HIP redistribution works in Prisma Access,
including some example use cases, and learn how to configure HIP redistribution and view HIP
reports from Panorama.

> Redistribute HIP Information with Prisma Access


> View HIP Reports from Panorama

Redistribute HIP Information with Prisma
Access
To ensure consistent Host Information Profile (HIP) policy enforcement and to simplify policy management,
you can redistribute HIP information received from mobile users and users at remote networks that use
the GlobalProtect app from Prisma Access to other gateways, firewalls, and Panorama appliances in your
enterprise, including the Panorama that manages Prisma Access. To do so, you enable and configure HIP
redistribution in Prisma Access.
• HIP Redistribution Overview
• Use Cases for HIP Redistribution
• Configure HIP Redistribution in Prisma Access

HIP Redistribution Overview


When a mobile user whose endpoint has the GlobalProtect app installed connects to Prisma Access, Prisma
Access collects the user’s HIP information from the endpoint’s GlobalProtect app, which makes the HIP
report available in Prisma Access.

To use HIP redistribution, users must have the GlobalProtect app installed on their endpoint.
While Prisma Access supports Clientless VPN, you cannot redistribute HIP information for
Clientless VPN users.

HIP redistribution is applicable to both mobile users and users at remote networks. However, for users at
remote networks, an on-premise gateway must detect that the user is internal to the organization’s network
using internal host detection before the on-premise gateway can send HIP information to Prisma Access.

In Prisma Access, you configure internal host detection when you configure your mobile user
deployment.

To assure consistent policy enforcement, you can use HIP redistribution to allow Prisma Access to
distribute users’ HIP information to other Panorama appliances, gateways, firewalls, and virtual systems
in your deployment, as well as distribute HIP information from those devices to Prisma Access in some
cases. This ability allows you to consistently apply HIP-based policy enforcement for users’ traffic, including
policies for internet-bound traffic or for traffic that is accessing an internal application or resource in your
organization’s headquarters or data center. Redistributing HIP information to the Panorama appliance also
lets you view detailed HIP information for Prisma Access users from that appliance.

Use Cases for HIP Redistribution


The following section describes some common Prisma Access deployments where HIP redistribution is
useful for consistent policy enforcement and HIP report viewing.
• HIP redistribution from Prisma Access to a next-generation firewall—If you have a next-generation
firewall in your organization’s data center or headquarters location, and have configured that firewall
with HIP-based security policies, you cannot enforce those policies for Prisma Access mobile users until
you redistribute HIP information from Prisma Access to the firewall.

PRISMA ACCESS ADMINISTRATOR’S GUIDE (PANORAMA MANAGED) | Redistribute HIP Information and View HIP
Reports 289
© 2020 Palo Alto Networks, Inc.
The following figure shows a mobile user whose endpoint is protected with the GlobalProtect app.
The user attempts to access an internal app at an HQ/data center whose access is controlled by a
next-generation firewall with HIP-based security policies. When the user logs in to the GlobalProtect
app, the app collects HIP information and sends it to Prisma Access; however, Prisma Access does not
redistribute this information to the on-premise firewall. Since the firewall does not have the user’s HIP
information, it blocks the user’s access to the app.

HIP redistribution allows you to distribute the mobile users’ HIP information to the on-premise firewall.
The firewall can then check the user’s HIP information against its configured security policies and grant
the user access to the app.

To redistribute HIP information from Prisma Access to the firewall, you allow Prisma Access to
redistribute HIP information, then Add a User-ID Agent (Panorama > User Identification > User-ID
Agents) on the firewall, and specify the Prisma Access User-ID Agent Address (Panorama > Cloud
Services > Status > Network Details > Service Connection > User-ID Agent Address) as the Host
(10.1.1.1 in the following example) and 5007 as the Port.

• HIP redistribution from Prisma Access to Panorama—If you have multiple firewalls or gateways in your
organization with HIP-based security policies, you can redistribute the HIP information from Prisma
Access to the Panorama that manages Prisma Access by creating a User-ID agent in Panorama and
specifying the Prisma Access User-ID Agent Address as the User-ID Host. You can then redistribute HIP
reports from that Panorama appliance to the other managed Panorama appliances, gateways, firewalls,
and virtual systems in your enterprise, using the same workflow that you use to redistribute User-ID
information to managed firewalls and enforce consistent policy for internal apps and resources, as
shown in the following figure.

Alternatively, you can configure each internal firewall or gateway in your enterprise to directly collect
HIP information from Prisma Access, without using Panorama as a central location, by creating a
User-ID Agent in each device. Note, however, that Prisma Access uses service connections to send HIP
information, and service connection bandwidth consumption might increase if Prisma Access sends a
large number of HIP reports.
• HIP redistribution from a user at a remote network to Prisma Access—The previous use cases showed
Prisma Access collecting HIP information from mobile users. If you want to apply HIP-based policies in
Prisma Access for a user at a remote network location, you need a way to distribute the HIP information
from the remote network user’s GlobalProtect app to Prisma Access.
The following example shows a user at a remote network location whose internet traffic goes out
through the remote network connection. In Prisma Access, you control the user’s internet access at the
remote network location with security policies created in the Remote_Network_Device_Group or in a
shared device group. To properly enforce those policies for the user at the remote network location, you
must configure Prisma Access to retrieve the user’s HIP information from the internal gateway.
In this example, the GlobalProtect gateway at the HQ/data center that is configured as an internal
gateway using internal host detection checks the user’s HIP information from the user’s GlobalProtect
app. The internal gateway detects that the user is inside the remote network location and collects both
User-ID and HIP information from the user.

To distribute this HIP information from the internal gateway to Prisma Access, create a User-ID agent in
Panorama and specify the IP address of the internal gateway as the host.

• View detailed HIP logs from Panorama—When mobile users log in using the GlobalProtect app, the app
sends the HIP information to Prisma Access. Panorama retrieves the HIP Match logs (Monitor > Logs >
HIP Match) from Cortex Data Lake so that you can view them; however, you cannot view detailed HIP
reports until you configure Panorama to redistribute HIP report details from Prisma Access to
Panorama.

To redistribute detailed HIP information from mobile users to Panorama, create a User-ID agent in
Panorama and specify the User-ID Agent Address (Panorama > Cloud Services > Status > Network
Details > Service Connection > User-ID Agent Address) as the User-ID host. See Configure HIP
Redistribution in Prisma Access for details.
If you have configured an on-premise gateway as an internal gateway at a remote user location, you can
also send the HIP information for users at remote networks to Panorama by creating a User-ID agent
in Panorama and specifying the remote network EBGP Router address (Panorama > Cloud Services >
Status > Network Details > Remote Networks > EBGP Router) as the User-ID host. See Configure HIP
Redistribution in Prisma Access for details.

Configure HIP Redistribution in Prisma Access
To allow Prisma Access to collect and redistribute HIP information, complete the following task.

STEP 1 | Allow Prisma Access to redistribute HIP information.


1. In Panorama, select Panorama > Cloud Services > Configuration > Service Setup.
2. Click the gear icon to edit the settings.
3. In the Advanced tab, select Enable HIP Redistribution.
Enabling HIP Redistribution enables Prisma Access to redistribute the HIP reports received from the
GlobalProtect app to internal firewalls and to Panorama.

STEP 2 | Configure Panorama to receive HIP reports from Prisma Access.


1. Select Panorama > Setup > Interfaces.

2. Select the Management interface.
3. Select User-ID.

STEP 3 | Configure Panorama to collect the User-ID mapping from Prisma Access.
1. From the Panorama that manages Prisma Access, select Panorama > User Identification > User-ID
Agents.
2. Add a User-ID Agent and give it a Name.
3. Enter one of the following values in the Host field, depending on the types of HIP information you
want to collect.
• To collect HIP information for mobile users, enter the User-ID Agent Address (Panorama > Cloud
Services > Status > Network Details > Service Connection > User-ID Agent Address).
• To collect HIP information from users at a remote network location with an internal gateway,
enter the IP address of the internal gateway.
• To collect HIP information from users at a remote network connection, enter the EBGP Router
address (Panorama > Cloud Services > Status > Network Details > Remote Networks > EBGP
Router) as the User-ID host.
4. Enter 5007 in the port field.
By default, the User-ID agent uses port 5007 to listen for HIP information requests.

Make sure that your network does not block access to this port between Prisma
Access and the Active Directory server or User-ID Agent.
5. Select Enabled to enable Panorama to communicate with the User-ID agent.
6. Select HIP Report to enable Panorama to receive HIP reports from all mobile user locations.
7. Click OK.

STEP 4 | Repeat Step 3 for each service connection for which you want to configure HIP report
collection.
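The note in Step 3 asks you to confirm that nothing on the path between Prisma Access and your User-ID agent hosts blocks port 5007. The following Python script is an added example, not code from this guide or from Palo Alto Networks, that probes each host you plan to enter as a User-ID agent Host on that port so that a blocked path shows up before you commit. Run it from the host that will act as the User-ID client (the firewall or Panorama, or a machine on the same management network). The 10.1.1.1 address is the example User-ID Agent Address from the firewall use case above; the other addresses and the source labels are constructed placeholders, and the function and variable names are the script's own.

```python
import socket
from typing import Callable, Dict, List, Tuple

# Port the guide tells you to enter in the User-ID agent's Port field; the
# User-ID agent listens here for HIP report requests.
USERID_AGENT_PORT = 5007


def check_tcp_reachable(host: str, port: int = USERID_AGENT_PORT,
                        timeout: float = 3.0) -> bool:
    """Return True if a TCP handshake to host:port completes within timeout.

    This is a transport-level check only: it tells you the path is open, not
    that the agent behind it will accept this Panorama or firewall as a client.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_hip_sources(sources: Dict[str, str],
                      port: int = USERID_AGENT_PORT,
                      timeout: float = 3.0,
                      probe: Callable[[str, int, float], bool] = check_tcp_reachable
                      ) -> Dict[str, bool]:
    """Probe every HIP source host; returns {source label: reachable}.

    The probe is injectable so the reporting logic can be exercised without
    touching the network.
    """
    return {label: probe(host, port, timeout) for label, host in sources.items()}


def unreachable(results: Dict[str, bool]) -> List[str]:
    """Labels of the sources whose probe failed, sorted for a stable report."""
    return sorted(label for label, ok in results.items() if not ok)


def demo_local_listener() -> Tuple[bool, bool]:
    """Probe a loopback listener while it is up, then again after it closes.

    Returns (reachable_while_open, reachable_after_close) so both outcomes of
    check_tcp_reachable can be seen without a production host.
    """
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))        # ephemeral port, loopback only
    listener.listen(1)
    port = listener.getsockname()[1]
    while_open = check_tcp_reachable("127.0.0.1", port, timeout=1.0)
    listener.close()
    after_close = check_tcp_reachable("127.0.0.1", port, timeout=1.0)
    return while_open, after_close


if __name__ == "__main__":
    # Constructed sample inventory. 10.1.1.1 is the example User-ID Agent
    # Address from the guide; the other two are RFC 5737 documentation
    # addresses standing in for your own internal gateway and EBGP router.
    hip_sources = {
        "service connection User-ID Agent Address": "10.1.1.1",
        "HQ internal gateway": "192.0.2.10",
        "remote network EBGP Router": "192.0.2.20",
    }
    results = check_hip_sources(hip_sources)
    for label, ok in results.items():
        state = "OK  " if ok else "FAIL"
        print(f"{state} {label}: {hip_sources[label]}:{USERID_AGENT_PORT}")
    if unreachable(results):
        print("Blocked or not listening:", ", ".join(unreachable(results)))
```

A successful probe shows only that a TCP path to port 5007 is open; the agent entry still needs Enabled and HIP Report selected, as in Step 3, before HIP reports flow. demo_local_listener runs the same probe against a loopback listener so you can see both the open and the refused result without touching production hosts.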

View HIP Reports from Panorama
After you configure Prisma Access to collect and redistribute HIP information to Panorama, use the
following workflow to view HIP information in Panorama.

STEP 1 | Select Monitor > Logs > HIP Match to view HIP information.

STEP 2 | Click the icon to the left of a record to view detailed HIP information.

To view detailed HIP information, the Panorama that manages Prisma Access must be
running a minimum PAN-OS version of 9.0.5.

Manage Multiple Tenants in Prisma Access
To allow you to create and manage multiple Prisma Access instances, Prisma Access offers
multitenancy, which enables you to create up to 200 instances (tenants) on a single Panorama
appliance (or two appliances in high availability (HA) mode), with each tenant having its own
separate templates and template stacks, device groups, and access domains.
Existing or future non-multitenant deployments are not affected by multitenancy and will
continue to function normally. We recommend that you enable multitenancy only if your
organization has a need to manage multiple tenants in Prisma Access.
Follow this workflow to create multiple tenants in Panorama for Prisma Access:

> Multitenancy Overview


> Multitenancy Configuration Overview
> Plan your Multitenant Deployment
> Enable Multitenancy and Migrate the First Tenant
> Add Tenants to Prisma Access
> Delete a Tenant
> Create Administrative Users for a Single Tenant
> Control Role-Based Access for Tenant-Level Administrative Users
> Sort Logs by Device Group ID for External Logging

This section only provides the tasks you perform to configure tenants for remote networks,
mobile users, or a combination of remote network and mobile user deployments. To configure
the Clean Pipe service, see Create and Configure Prisma Access for Clean Pipe.

Multitenancy Overview
Enabling multitenancy allows you to host multiple instances of Prisma Access on a single Panorama
appliance. Each instance is known as a Tenant.
Prisma Access tenants get their own dedicated Prisma Access instances and they are not shared between
tenants.

Multitenancy Configuration Overview
Use the following workflow to enable and configure the ability to manage multiple tenants in a single
Panorama appliance.

STEP 1 | Enable multitenancy. If you have an existing Prisma Access instance, enabling multitenancy
automatically migrates your existing Prisma Access configuration to the first tenant.
You give the first (migrated) tenant a name and specify an access domain. Prisma Access migrates the
templates, template stacks, and device groups associated with the existing configuration and associates
them with the access domain you create.
After you migrate your initial configuration, the administrative user in Panorama becomes a superuser
with the ability to create and manage all Prisma Access tenants.

STEP 2 | Then, add tenants to Prisma Access.


If you deploy Prisma Access for remote networks in multi-tenancy mode, you must have a minimum
of 200 Mbps available in your license for each tenant. If you deploy Prisma Access for mobile users in
multi-tenancy mode, you must have a minimum of 200 mobile users available in your license for each
tenant. In both types of Prisma Access configurations, you can add additional licensing (above these
minimums) of either type. You can increase or decrease the bandwidth or mobile user allocation for
any tenants after onboarding, as long as you keep the minimum required allocation per tenant, and the
overall licensed capacity is not exceeded.
You can set up a multi-tenant configuration for only remote networks, only mobile users, or both. You
allocate licenses accordingly to each tenant when you enable multi-tenancy.
If you have a license for remote networks and mobile users, you can set up an individual tenant with
only mobile users or only remote networks. For example, if your Prisma Access deployment has a license
for mobile users and remote networks, you could set up a tenant for mobile users only, as long as you
specify a minimum of 200 mobile users for the tenant.
For each tenant you create after the first, Prisma Access automatically creates templates, template
stacks, and device groups for each tenant and associates them to the access domain you create. Prisma
Access creates this environment to allow you to create a tenant-level administrative user using an
administrative role based on the tenant’s device groups and templates, then creating an administrative
user based on that role. In this way, you create an administrative user that has access to a single tenant
without allowing that user access to the other tenants that are managed by the Panorama appliance.
Prisma Access creates template stacks, templates, and device groups using the following naming
convention:
• A service connection template stack with the name of sc-stk-tenant, where tenant is the tenant’s
name.
• A service connection template with the name of sc-tpl-tenant.
• A service connection device group with the name of sc-dg-tenant.
• A mobile user template stack with the name of mu-stk-tenant.
• A mobile user template with the name of mu-tpl-tenant.
• A mobile user device group with the name of mu-dg-tenant.
• A remote network template stack with the name of rn-stk-tenant.
• A remote network template with the name of rn-tpl-tenant.
• A remote network device group with the name of rn-dg-tenant.
• A Clean Pipe template stack with the name of cp-stk-tenant.
• A Clean Pipe template with the name of cp-tpl-tenant.
• A Clean Pipe device group with the name of cp-dg-tenant.
Prisma Access creates template stacks, templates, and device groups for all Prisma Access types, even
those for which you might not be licensed. For example, if you purchase a license for remote networks,
Prisma Access automatically creates template stacks, templates, and device groups for remote networks,
mobile users, and Clean Pipe.
If you add custom templates, they cannot take precedence over the Prisma Access-created templates.
You allocate remote network and mobile user license resources for each tenant based on the license that
is associated with the Cloud Services plugin in Panorama.
The following figure shows a sample Prisma Access deployment using a license with a 20,000 Mbps
remote network bandwidth pool and 20,000 mobile users. The administrator allocated 5,000 Mbps
in remote network bandwidth and 5,000 mobile users for the existing configuration. After the
administrator enabled multitenancy, the license allocation migrated along with all other configuration to
the first tenant. The administrator then created additional tenants, each with a 5,000 Mbps bandwidth
pool for remote networks and 5,000 mobile users for each tenant. Prisma Access allocates the license
resources from the overall license allocation. After you complete this configuration, there is 5,000 Mbps
of remote network bandwidth and 5,000 mobile users available in the license.

Each tenant can use up to 3 service connections with no cost to the license. You can
add more than 3 service connections to each tenant, however each additional service
connection takes 300 Mbps from your remote network license.
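The figure described above is an allocation exercise against the rules stated in this section: a minimum of 200 Mbps or 200 mobile users for each tenant that uses that type, a ceiling of 200 tenants per Panorama, a pool that cannot be over-allocated, and 300 Mbps charged to the remote network license for every service connection beyond the third. The following Python planner is an added example, not part of this guide or of the Cloud Services plugin, that checks a proposed set of tenants against those rules before you start creating them in Panorama. The Tenant and LicensePool classes and the tenant name Initech are constructed for the example; Acme and Hooli are the sample tenant names this guide uses.

```python
from dataclasses import dataclass
from typing import Dict, List

# Limits stated in the guide.
MAX_TENANTS = 200              # tenants per Panorama appliance (or HA pair)
MIN_RN_MBPS = 200              # minimum remote network Mbps for a tenant that uses remote networks
MIN_MOBILE_USERS = 200         # minimum mobile users for a tenant that uses mobile users
FREE_SERVICE_CONNECTIONS = 3   # service connections per tenant with no license cost
EXTRA_SERVICE_CONN_MBPS = 300  # remote network Mbps charged for each connection beyond that


@dataclass(frozen=True)
class Tenant:
    name: str
    rn_mbps: int = 0             # remote network bandwidth; 0 means no remote networks
    mobile_users: int = 0        # mobile users; 0 means no mobile users
    service_connections: int = 0


@dataclass(frozen=True)
class LicensePool:
    total_rn_mbps: int           # Prisma Access Total Mbps from Panorama > Licenses
    total_mobile_users: int      # User Limit from Panorama > Licenses


def rn_charge(tenant: Tenant) -> int:
    """Remote network Mbps a tenant consumes, including paid service connections."""
    extra = max(0, tenant.service_connections - FREE_SERVICE_CONNECTIONS)
    return tenant.rn_mbps + extra * EXTRA_SERVICE_CONN_MBPS


def remaining(pool: LicensePool, tenants: List[Tenant]) -> Dict[str, int]:
    """Capacity left in the license after these tenants (negative = over-allocated)."""
    return {
        "rn_mbps": pool.total_rn_mbps - sum(rn_charge(t) for t in tenants),
        "mobile_users": pool.total_mobile_users - sum(t.mobile_users for t in tenants),
    }


def validate(pool: LicensePool, tenants: List[Tenant]) -> List[str]:
    """Every reason the plan would be rejected; an empty list means it fits."""
    problems: List[str] = []
    if len(tenants) > MAX_TENANTS:
        problems.append(f"{len(tenants)} tenants exceeds the limit of {MAX_TENANTS}")
    names = [t.name for t in tenants]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        problems.append(f"tenant name {dup!r} is used more than once")
    for t in tenants:
        if t.rn_mbps == 0 and t.mobile_users == 0:
            problems.append(f"{t.name}: allocate remote network bandwidth, mobile users, or both")
        if 0 < t.rn_mbps < MIN_RN_MBPS:
            problems.append(f"{t.name}: remote networks need at least {MIN_RN_MBPS} Mbps (has {t.rn_mbps})")
        if 0 < t.mobile_users < MIN_MOBILE_USERS:
            problems.append(f"{t.name}: mobile users need at least {MIN_MOBILE_USERS} (has {t.mobile_users})")
    left = remaining(pool, tenants)
    if left["rn_mbps"] < 0:
        problems.append(f"remote network pool over-allocated by {-left['rn_mbps']} Mbps")
    if left["mobile_users"] < 0:
        problems.append(f"mobile user pool over-allocated by {-left['mobile_users']} users")
    return problems


if __name__ == "__main__":
    # The guide's figure: a 20,000 Mbps / 20,000 user license, the migrated first
    # tenant and two more tenants, each with 5,000 Mbps and 5,000 users.
    pool = LicensePool(total_rn_mbps=20_000, total_mobile_users=20_000)
    plan = [Tenant("Acme", 5_000, 5_000), Tenant("Hooli", 5_000, 5_000),
            Tenant("Initech", 5_000, 5_000)]
    print(remaining(pool, plan))      # {'rn_mbps': 5000, 'mobile_users': 5000}
    # A fourth tenant under the minimum, with two paid service connections.
    for problem in validate(pool, plan + [Tenant("Tiny", rn_mbps=100, service_connections=5)]):
        print("problem:", problem)
```

Running the script reproduces the figure: three tenants of 5,000 Mbps and 5,000 users each leave 5,000 of each in the license. The fourth tenant is reported as under the 200 Mbps minimum, and its two service connections beyond the free three are still charged 600 Mbps to the remote network pool, which is the cost the note above warns about.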

Plan Your Multitenant Deployment
Before you enable multitenancy, migrate the first tenant, and create additional tenants, make sure that you
have all required information and resources to do so by completing the following tasks:
If you are migrating an existing single-tenant deployment to a multi-tenant deployment, make a note of
the following Prisma Access features that are not supported:
• DLP on Prisma Access
• Directory Sync integration
• Traffic steering (using traffic forwarding rules with service connections)
Make a note of your license allocation for remote networks and mobile users.
Open your license (Panorama > Licenses) and find the Prisma Access Total Mbps (remote networks
bandwidth pool) for remote networks and User Limit (total number of licensed users) for mobile users.
When you create tenants, you assign resources for remote networks and mobile users from this license
allocation. If you run out of the minimum required licensed Mbps for remote networks or mobile users,
you cannot create additional tenants.

You should also make a note of the bandwidth and mobile users allocation for your
existing configuration. After you migrate your configuration to the first tenant, check these
values to verify that the first tenant migrated correctly.
Make a list of the names you will use to identify each tenant.

When you create tenant names, avoid using names like Tenant-1, Tenant-2, Tenant-3,
and so on. The system logs reserve a small number of characters for the tenant name in
the log output and, if tenants have similar names, it can be difficult to associate the tenant
with the logs. We recommend using a unique and short name for tenants (for example,
Acme or Hooli).
Make a list of the administrative users you will create and assign for each tenant, and note the maximum
number of administrative users that can be logged in concurrently.
When administrative users are performing normal multi-tenant operations such as configuration changes
and commit operations, we recommend having a maximum of 12 administrative users logged in to
Panorama concurrently.
An administrative user who can manage multiple tenants can provision up to 200 tenants at the same
time with a single commit operation.
Be sure that you have sufficient license resources to enable multiple tenants.
The minimum license allocation for each tenant is 200 Mbps for remote networks or 200 mobile
users. You can also create a tenant with only remote networks or only mobile users, and can configure
tenants in differing configurations on the same Panorama. For example, you could create a tenant with
remote networks only, a tenant with mobile users only, or a tenant with both mobile users and remote
networks, as long as each tenant meets the minimum license allocation and the relevant licenses are
activated and associated with the Panorama where you configure the tenants.
When configuring a tenant in multitenancy mode, create a unique name for each IPSec tunnel and IKE
gateway for service connections and remote network connections, and try to use a name that will not be
duplicated by another tenant. While there is no effect to functionality, you cannot delete an IPSec tunnel
or IKE gateway if another tenant is using a tunnel or gateway with the same name.
Note that single-tenant users cannot view system logs; only superusers can. You can, however, sort logs
by tenant.

Note that, when using the multitenancy feature and logged in as a tenant-level administrative user,
opening the Panorama Task Manager (clicking Tasks at the bottom of the Panorama web interface)
shows all tasks for all tenants, including any tasks done at the superuser (Admin) level.

Enable Multitenancy and Migrate the First
Tenant
Use the following workflow to enable multitenancy and migrate your existing configuration to the first
tenant you create.
When you enable multitenancy, Prisma Access automatically migrates the following components of your
configuration:
• The amount of licensed bandwidth for remote networks and mobile users.
• All service connection and remote network tunnel onboarding information, including tunnel
configuration.
• Existing mobile users onboarding information.
• Cortex Data Lake information.
• The templates, template stacks, and device groups for service connections, remote networks, and mobile
users.
Because of these device group changes, you create an access domain and add the migrated device groups,
templates, and template stacks, as shown in the following workflow.

If you don’t have an existing Prisma Access configuration, and you are creating an all-
new multi-tenant deployment, do not use this workflow; instead, complete the steps in Add
Tenants to Prisma Access to create the first tenant.

STEP 1 | Select Panorama > Cloud Services > Configuration.

STEP 2 | Select Enable Multitenancy (located on the upper right of the page).

After you enable multitenancy, Panorama displays a notification informing you that the existing Prisma
Access configuration will be moved to the first tenant.

After you enable multitenancy, we recommend not disabling it. Clearing the Enable
Multitenancy option removes all the tenants that you have created except the first one,
including all configuration for those tenants, and reverts the first tenant’s configuration
back to a non-multitenant Prisma Access deployment.

STEP 3 | Click OK to migrate the existing configuration to the first tenant.


The Tenants page displays. Three pie charts in the center of the window show the available licensed
bandwidth remaining for remote networks and Clean Pipe and the remaining number of licensed
mobile users. If you do not have a license for remote networks or mobile users, those choices
are dimmed.

STEP 4 | Choose the type of deployment you want to use for the tenant.
• For a remote network deployment, a mobile user deployment, or both deployment types for a tenant,
select Remote Networks/Mobile Users.
• For a clean pipe deployment, select Clean Pipe.
This section only describes how to configure tenants for remote network, mobile user, or both
remote network and mobile user deployment types. To configure the clean pipe service, see Create
and Configure Prisma Access for Clean Pipe.

STEP 5 | Migrate the existing configuration to the first tenant.


1. Specify a Name for the first tenant.
2. Create a new Access Domain by clicking the down arrow and selecting New Access Domain.
3. Enter a Name for the access domain and click OK.
Prisma Access adds the Mobile_User_Device_Group, Remote_Network_Device_Group, and
Service_Conn_Device_Group Device Groups to the new access domain.

4. (Optional) Click Templates to verify that Prisma Access added the following templates and template
stacks:
• Mobile_User_Template
• Mobile_User_Template_Stack
• Remote_Network_Template
• Remote_Network_Template_Stack
• Service_Conn_Template
• Service_Conn_Template_Stack
These are the default template stacks and templates for a standard Prisma Access deployment; if
you added other templates, be sure that Prisma Access added them.

5. (Optional) If you have other templates associated with this configuration, select them.
6. Click OK to close the Access Domain page and return to the Tenants page.

STEP 6 | Make sure that the values in Bandwidth (Mbps) for remote networks and Users for mobile
users are correct.
These values automatically migrate from your existing configuration.

STEP 7 | Click OK.
The Panorama > Cloud Services > Configuration page shows the first tenant successfully migrated, and
a Tenants drop-down is added above the Tenants area.

STEP 8 | Select the tenant you just created in the Tenants drop-down to verify that all settings were
onboarded.

STEP 9 | Commit your changes locally to make them active in Panorama.


You only have to perform this step if your configuration includes mobile users; skip this step if your
configuration only includes Prisma Access for remote networks with no mobile user configuration.
1. Select Commit > Commit to Panorama.
2. Make sure that the device groups, templates, and template stacks are part of the Commit Scope.
3. Click OK to save your changes to the Push Scope.
4. Commit your changes.

STEP 10 | Commit and push your changes to make them active in Prisma Access.
1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
2. Select Prisma Access, then select the tenant you created, Service Setup, Remote Networks, and
Mobile Users.

3. Click OK to save your changes to the Push Scope.
4. Commit and Push your changes.

STEP 11 | Select Panorama > Cloud Services > Status.


The status page shows the status of all tenants. Because you have created only one tenant, that tenant is
the only one shown. If you select that tenant from the drop-down, Panorama shows a detailed status of
that tenant.

Selecting a tenant from the drop-down list returns you to the Status page for that tenant.

STEP 12 | Continue to add more tenants to Prisma Access.

Add Tenants to Prisma Access
After you migrate the existing information as a first tenant, you can create and configure additional tenants.
For each tenant you create after the first, Prisma Access creates a separate access domain with its own set
of template stacks and templates and its own device groups.
Use this workflow to add more tenants to Prisma Access.

If you are creating an all-new multi-tenant deployment, use this workflow to add the first
tenant as well as additional tenants.

STEP 1 | Log in to Panorama as a superuser.

STEP 2 | Add and configure the tenant.


1. Select Panorama > Cloud Services > Configuration, then Add a new tenant.
Be sure that you select Remote Networks/Mobile Users; to create and configure a Clean Pipe
deployment, see Create and Configure Prisma Access for Clean Pipe.
2. Specify a descriptive Name for the tenant.
3. Add a new Access Domain, give it a descriptive Name, and click OK to return to the Tenants
window.
After you click OK, Prisma Access automatically creates templates, template stacks, and device
groups and associates them to the access domain you create.

STEP 3 | Specify the amount of Bandwidth (Mbps) to allocate for the Remote Networks and the
number of Users to allocate for the Mobile Users.

STEP 4 | Make sure that Prisma Access applied the template stack, template, and device group service
settings to the service connection settings of the tenant you just created.
1. Select the tenant you created from the Tenant drop-down.

2. Select Panorama > Cloud Services > Configuration > Service Setup.
3. Click the gear icon to the right of the Settings area to edit the settings.
4. Make sure that Prisma Access has associated the template stack (sc-stk-tenant), template
(sc-tpl-tenant), and device group (sc-dg-tenant) to your service connection settings.
5. Make sure that the Parent Device Group is set to Shared and click OK.

STEP 5 | Make sure that Prisma Access applied the template stack, template, and device group to the
remote network settings.
1. Select Panorama > Cloud Services > Configuration > Remote Networks and click the gear icon to the
right of the Settings area to edit the settings.
2. Make sure that Prisma Access has associated the template stack (rn-stk-tenant), template
(rn-tpl-tenant), and device group (rn-dg-tenant) to your remote network settings.
3. Make sure that the Parent Device Group is set to Shared and click OK.

STEP 6 | Make sure that Prisma Access applied the template stack, template, and device group to the
mobile user settings.
1. Select Panorama > Cloud Services > Configuration > Mobile Users and click the gear icon to the right
of the Settings area to edit the settings.
2. Make sure that Prisma Access has associated the template stack (mu-stk-tenant), template
(mu-tpl-tenant), and device group (mu-dg-tenant) to your mobile user settings.
3. Make sure that the Parent Device Group is set to Shared and click OK.
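Steps 4 to 6 have you open three Settings dialogs to confirm that the sc-, rn-, and mu- objects named in the Multitenancy Configuration Overview exist for the new tenant. The following Python script is an added example, not part of this guide or of Panorama, that builds the twelve expected names for a tenant from that naming convention (including the cp- set, which Prisma Access creates whether or not you are licensed for Clean Pipe) and asks the Panorama XML API whether each one exists. The configuration xpaths under /config/devices/entry[@name='localhost.localdomain'] are assumed locations for templates, template stacks, and device groups on Panorama, so confirm them against your Panorama version; the PANORAMA_HOST and PANORAMA_API_KEY environment variable names and the expected_objects, audit_tenant, and missing_objects helpers are the script's own.

```python
import os
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from typing import Callable, Dict, List

# Naming convention from the guide: <type>-<kind>-<tenant>.
TYPE_PREFIXES = {"sc": "service connection", "mu": "mobile user",
                 "rn": "remote network", "cp": "Clean Pipe"}
KIND_TO_NODE = {"stk": "template-stack", "tpl": "template", "dg": "device-group"}

# Assumed Panorama config-tree location of these objects (not stated in the
# guide); confirm against your Panorama's configuration tree before relying on it.
XPATH_BASE = "/config/devices/entry[@name='localhost.localdomain']"


def expected_objects(tenant: str) -> Dict[str, List[str]]:
    """All twelve names Prisma Access creates for a tenant, grouped by config node."""
    grouped: Dict[str, List[str]] = {node: [] for node in KIND_TO_NODE.values()}
    for prefix in TYPE_PREFIXES:
        for kind, node in KIND_TO_NODE.items():
            grouped[node].append(f"{prefix}-{kind}-{tenant}")
    return grouped


def object_xpath(node: str, name: str) -> str:
    """Xpath of one template, template stack, or device group entry (assumed layout)."""
    return f"{XPATH_BASE}/{node}/entry[@name='{name}']"


def entry_exists(response_xml: str) -> bool:
    """True if a type=config&action=get reply carried the requested <entry>.

    An absent object comes back with status="success" and an empty <result>,
    so the status alone is not enough; the entry itself has to be present.
    """
    root = ET.fromstring(response_xml)
    if root.tag != "response" or root.get("status") != "success":
        return False
    result = root.find("result")
    return result is not None and result.find("entry") is not None


def audit_tenant(tenant: str, fetch: Callable[[str], str]) -> Dict[str, bool]:
    """Map each expected object name to whether Panorama has it.

    fetch(xpath) returns the raw XML reply; passing it in keeps the audit
    logic usable against canned replies as well as a live Panorama.
    """
    report: Dict[str, bool] = {}
    for node, names in expected_objects(tenant).items():
        for name in names:
            report[name] = entry_exists(fetch(object_xpath(node, name)))
    return report


def missing_objects(report: Dict[str, bool]) -> List[str]:
    """Names Panorama does not have, sorted for a stable report."""
    return sorted(name for name, present in report.items() if not present)


def panorama_fetch(host: str, api_key: str) -> Callable[[str], str]:
    """Build a fetch() that runs type=config&action=get over verified HTTPS."""
    def fetch(xpath: str) -> str:
        query = urllib.parse.urlencode(
            {"type": "config", "action": "get", "xpath": xpath, "key": api_key})
        with urllib.request.urlopen(f"https://{host}/api/?{query}", timeout=15) as resp:
            return resp.read().decode("utf-8")
    return fetch


if __name__ == "__main__":
    # PANORAMA_HOST and PANORAMA_API_KEY are assumed environment variable names;
    # Acme is the guide's example tenant name.
    fetch = panorama_fetch(os.environ["PANORAMA_HOST"], os.environ["PANORAMA_API_KEY"])
    report = audit_tenant("Acme", fetch)
    for name in missing_objects(report):
        print("missing:", name)
    if not missing_objects(report):
        print("all tenant objects present")
```

The audit only confirms that the objects exist; whether they are attached to the tenant's service connection, remote network, and mobile user settings is what the gear-icon dialogs in Steps 4 to 6 show. Keep the API key out of the script and out of shell history, and use an API key for an administrator whose role is limited to reading configuration.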

STEP 7 | Mobile User deployments only—Commit your changes locally to make them active in Panorama.
A local commit is required for the mobile user changes to take effect.
1. Select Commit > Commit to Panorama.
2. Make sure that the device groups, templates, and template stacks are part of the Commit Scope.
3. Click OK to save your changes to the Push Scope.
4. Commit your changes.

STEP 8 | Continue the configuration of your tenant.


1. Configure the Service Infrastructure.
2. Create a Service Connection to Allow Access to Your Corporate Resources.
3. Configure Prisma Access for Networks if you are licensed for remote networks.
4. Configure Prisma Access for Users if you are licensed for mobile users.

Delete a Tenant
To delete a tenant, complete the following task.

STEP 1 | Select Panorama > Cloud Services > Configuration, select the tenant, then Delete it.

Deleting a tenant also deletes all configuration for the tenant, including permanently removing any IP
addresses Prisma Access has assigned for service connections, remote networks, and mobile users.

When you delete a tenant, Prisma Access deletes the template and device group set for
which you are licensed, but does not delete the unlicensed set. For example, if you have
a Prisma Access for Users license and delete a tenant, Prisma Access deletes the mobile
user-related template stacks, templates, and device groups but does not delete the set it
created for the unlicensed Prisma Access for Networks. You can manually delete these
unused template and device group sets after you delete the tenant.

STEP 2 | Select Commit > Commit to Panorama and Commit your changes.

Create a Tenant-Level Administrative User
You should create an administrative user for each tenant. In that way, a tenant-level administrator can
view and make changes to their tenant configuration but doesn’t have access to other tenants. To create
an administrative user for a specific tenant, complete the following task. For more information about
role-based access control (RBAC) for tenant-level administrative users, see Control Role-Based Access for
Tenant-Level Administrative Users.

Users who manage single tenants cannot see the system logs because the Monitor > Logs >
System choice is not available. This limitation applies to all Administrators who have an
administrative role of Device Group and Template. Only superusers can view system logs in
multitenancy mode.

STEP 1 | Create an administrative role with a type of Device Group and Template.
1. Select Panorama > Admin Roles.
2. Add an Admin Role Profile with a Role of Device Group and Template.
3. Click OK.
You can create a single Admin Role Profile and share it across multiple tenants; however, you must
create a separate administrator for each tenant.

While you tailor the administrative role for the needs of your organization, we
recommend deselecting Commit for Other Admins. Deselecting this choice allows a
tenant-level user to commit only the changes they have made, and prevents them
from unintentionally committing other changes that other tenant-level administrative
users have made that are not yet committed.

STEP 2 | Create and configure an Administrator for the tenant.
1. Select Panorama > Administrators.
2. Add an Administrator.
3. Enter and confirm a Password for the new Administrator.
4. Specify an Administrator Type of Device Group and Template Admin.
5. Specify the Access Domain that is associated with the device groups for that tenant.
6. Specify the Admin Role that you created in Step 1 for the tenant.

STEP 3 | Click OK.

STEP 4 | Repeat Steps 2 and 3 to add additional users to manage your tenants as required.

STEP 5 | Select Commit > Commit to Panorama and Commit your changes.

Control Role-Based Access for Tenant-Level Administrative Users
If you manage a multi-tenant deployment, you can use role-based access control (RBAC) to create
tenant-level administrative users.
To modify RBAC-level access for tenant-level administrative users in Panorama, you create a tenant-level
administrative user, use an Admin Role Profile with a Role of Device Group and Template, and Enable,
Disable, or give Read Only access to areas of the Panorama Web UI. Use this method to manage access to
all Panorama components for tenant-level users, with the exception of access to the Cloud Services plugin
where you manage Prisma Access.
If you want to restrict a tenant-level user from configuring the Prisma Access components in Panorama, you
cannot use Admin Roles. To disallow users from configuring Prisma Access-specific configuration tasks, you
must prevent the user from accessing the Cloud Services plugin, which also prevents them from viewing it.
Using this method, you can create an administrative user for a security professional who has permissions
to make changes to security policies and push those changes to Panorama, but cannot view or make any
changes to Prisma Access configuration.

You can either enable or disable access to the Cloud Services plugin for a user, but you
cannot give a user read-only access; if a user has access to view the Cloud Services plugin,
the user can also make configuration changes to its components, including Prisma Access.

The following table shows sample tenant-level administrative roles and the steps you perform to create
those roles.

Sample Tenant-Level Configuration: Create a networking-focused user who:
• Can edit plugin configurations
• Can commit to Panorama
• Can push configuration to Prisma Access
Configuration Task: Create a tenant-level administrative user, enabling Save and Commit permissions in
the Admin Role Profile, and disabling or making Read Only any permissions that you don’t want the
tenant-level administrative user to have.

Sample Tenant-Level Configuration: Create a security-focused user who:
• Can view and make changes to security policies
• Can commit to Panorama
• Cannot view, or make changes to, the Cloud Services plugin
• Cannot push configuration to Prisma Access (requires the superuser to push the configuration)
Configuration Task: To prevent a tenant-level administrative user from viewing or accessing the plugin,
remove plugin access for a tenant-level administrator. For all other Panorama-related permissions,
change the Admin Role permissions for the user.

Sample Tenant-Level Configuration: Create a hybrid user who:
• Has read-only access to the Cloud Services plugin
• Has read-write access to the security policy
• Cannot push the configuration to Prisma Access (requires the superuser to push the configuration)
Configuration Task: You cannot make the Cloud Services plugin read-only. You can either view it or
disable it.

Remove Plugin Access for a Tenant-Level Administrative User

In normal multi-tenant configurations, you use access domains when you Add Tenants to Prisma Access and
associate each access domain with a tenant. To prevent a tenant-level administrative user from viewing or
making configuration changes to Prisma Access, you create an access domain, but you do not associate it
with a tenant.
Because you associated the access domain with the device groups and template stacks for the tenant, the
tenant-level administrative user has RBAC access at the tenant level and is able to perform configuration
for that tenant only. Because you did not associate the access domain with a tenant in Prisma Access, the
access domain cannot view the Cloud Services plugin, which provides access to Prisma Access. In this
way, you create a user who can perform tenant-level configuration tasks without being able to access, view,
or make configuration changes to Prisma Access.
To remove Prisma Access access for an administrative-level user, complete the following task.

This task assumes that you have already created the templates, template stacks, and device groups
for the tenant (see Add Tenants to Prisma Access); you’ll be associating them with the tenant-level
administrative user.

STEP 1 | Create an administrative role with a type of Device Group and Template.
1. Select Panorama > Admin Roles.
2. Add an Admin Role Profile with a Role of Device Group and Template.
3. Click OK.
You can create a single Admin Role Profile and share it across multiple tenants.

STEP 2 | Select Panorama > Access Domain and Add an Access Domain.

STEP 3 | Specify the Device Groups and Templates associated with the tenant.

If you created any device groups that are children or grandchildren of other device
groups under the Shared parent device group, select only the device group at the lowest
hierarchical level (child or grandchild); do not select the parent or you will have errors on
commit.

STEP 4 | Create and configure an Administrator for the tenant-level administrative user, specifying the
Access Domain you just created.
1. Select Panorama > Administrators.
2. Add an Administrator.
3. Enter and confirm a Password for the new Administrator.
4. Specify an Administrator Type of Device Group and Template Admin.
5. Specify the Access Domain that is associated with the device groups for that tenant.
6. Specify the Admin Role that you created in Step 1 for the tenant.
When you complete this example, the abcd-tenant-no-plugin-access Administrative user will have
permissions based on what you defined in the Admin Role profile, but will not be able to view or
configure the Cloud Services plugin (including Prisma Access). Note, however, that they will not be
able to push any changes that they make to the cloud.

STEP 5 | Select Commit > Commit to Panorama and Commit your changes.

Sort Logs by Device Group ID for External Logging
To sort the logs manually by tenant in Panorama, select Monitor > Logs and choose the Device Group
associated with that tenant to display the logs for that device group. However, if you are forwarding your
logs to an external device, you might need to sort those logs at the tenant level. To do so, find the
device group ID in the logs that is associated with the device group and use that group ID-to-device group
mapping to associate the logs with a tenant.
There are four fields associated with the device group in the logs: DG Hierarchy Level 1, DG Hierarchy
Level 2, DG Hierarchy Level 3, and DG Hierarchy Level 4. These fields show the device group IDs in the
device group hierarchy. The shared device group (level 0) is not included in this structure.
DG Hierarchy Level 1 refers to the first device group level in the hierarchy. If you added children or
grandchildren device groups, the DG Hierarchy Level 2 through DG Hierarchy Level 4 fields show the
hierarchy from the child group to the great-grandchild group, respectively.
To find logs by tenant, complete the following task.

STEP 1 | Find the device group IDs associated with the device group.
• To find this information using a CLI command, log in to Panorama as a superuser (admin-level user),
enter the show readonly command in configuration mode, and view the values under the device-group
heading. The IDs for the device groups display under the device group name. The following example
shows that the device group ID for the acme-sc device group is 20.
Note that these device groups are at the first level in the hierarchy (DG Hierarchy Level 1); you use
that information in the query in the next step.

admin# show readonly
...
device-group {
  acme-sc {
    id 20;
  }
  acme-rn {
    id 39;
  }
  acme-mu {
    id 40;
  }
  hooli-rn {
    id 56;
  }
  hooli-sc {
    id 57;
  }
  hooli-mu {
• To use an API query, enter the following API command:

/api/?type=op&cmd=<show><dg-hierarchy></dg-hierarchy></show>

For more information about using APIs with logs, see Retrieve Logs (API).

STEP 2 | Use the device group ID-to-device group name mapping to associate the logs with a tenant.
The following example shows an administrator retrieving the logs for Acme using the Log Forwarding
App to create a Syslog Forwarding Profile. Since the mapping example in Step 1 retrieves a device
group ID of 20 for Acme and the hierarchy is at Level 1, you use those values in the query, along with
the following parameters:
• A descriptive Name for the profile.
• The Syslog Server IP address (you can also specify an FQDN).
• The Port on which the server is listening.
The default port for Syslog messages over TLS is 6514.
• The Facility selected from the drop-down.

STEP 3 | Add the Forwarding parameters that select the logs you want to forward.
The following example shows the administrator creating a Traffic log using a Custom filter with a Query
that selects the logs for Acme, based on the hierarchy level (DG Hierarchy Level 1) and the device group
(20) you retrieved in Step 1.
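The mapping and filtering described in Steps 1 through 3 can also be done outside the Panorama UI when logs are already on an external collector. The following script is an added example (not code from this guide or from Palo Alto Networks): it parses the device-group stanza of `show readonly` output into a name-to-ID map, resolves the device group IDs that belong to a tenant, builds the equivalent `dg_hier_level_1` filter string, and selects matching records from a set of log lines. The tenant membership table, the CSV log layout (`LOG_FIELDS`), the sample log lines, and the `dg_hier_level_N` field name used in the query string are assumptions for this example; the real PAN-OS syslog field order is different, so adjust `LOG_FIELDS` to your forwarding profile.

```python
"""Map Panorama device-group IDs to tenants and select forwarded logs per tenant.

Added example; not code from the Prisma Access guide or from Palo Alto Networks.
Assumptions: the `show readonly` text layout shown in the guide, a tenant-to-device-group
mapping defined here, and a simplified CSV log layout (LOG_FIELDS) that only illustrates
the DG Hierarchy Level fields; the real PAN-OS syslog field order is different.
"""
import csv
import io
import re
from typing import Dict, Iterable, List, Set

# Constructed sample of the device-group stanza from `show readonly` (IDs taken from the
# guide's example; the guide's output is truncated before hooli-mu, so it is left out).
SHOW_READONLY_SAMPLE = """
device-group {
  acme-sc {
    id 20;
  }
  acme-rn {
    id 39;
  }
  acme-mu {
    id 40;
  }
  hooli-rn {
    id 56;
  }
  hooli-sc {
    id 57;
  }
}
"""

# Constructed tenant membership: which device groups belong to which tenant.
TENANT_DEVICE_GROUPS = {
    "Acme": ["acme-sc", "acme-rn", "acme-mu"],
    "Hooli": ["hooli-rn", "hooli-sc"],
}

# Constructed log layout for this example only (not the PAN-OS syslog field order).
LOG_FIELDS = ["receive_time", "serial", "type", "src", "dst", "action",
              "dg_hier_level_1", "dg_hier_level_2", "dg_hier_level_3", "dg_hier_level_4"]
SAMPLE_LOGS = """\
2020/11/18 10:00:01,007000000001,TRAFFIC,10.1.1.5,203.0.113.10,allow,20,0,0,0
2020/11/18 10:00:02,007000000001,TRAFFIC,10.1.2.7,203.0.113.11,deny,39,0,0,0
2020/11/18 10:00:03,007000000002,TRAFFIC,10.2.1.5,198.51.100.10,allow,56,0,0,0
2020/11/18 10:00:04,007000000002,TRAFFIC,10.2.2.9,198.51.100.12,allow,57,0,0,0
2020/11/18 10:00:05,007000000001,TRAFFIC,10.1.3.3,203.0.113.12,allow,40,0,0,0
"""


def extract_block(text: str, name: str) -> str:
    """Return the body of the `<name> { ... }` stanza, honouring nested braces."""
    start = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not start:
        return ""
    depth = 0
    for pos in range(start.end() - 1, len(text)):
        if text[pos] == "{":
            depth += 1
        elif text[pos] == "}":
            depth -= 1
            if depth == 0:
                return text[start.end():pos]
    return text[start.end():]  # stanza truncated (as in the guide's sample): keep what is there


def parse_device_group_ids(show_readonly: str) -> Dict[str, int]:
    """Build a device-group-name -> ID map from `show readonly` output."""
    body = extract_block(show_readonly, "device-group")
    return {name: int(dg_id)
            for name, dg_id in re.findall(r"(\S+)\s*\{\s*id\s+(\d+);", body)}


def tenant_device_group_ids(dg_ids: Dict[str, int], tenant: str) -> Set[int]:
    """IDs of every device group that belongs to the tenant (unknown names are skipped)."""
    return {dg_ids[n] for n in TENANT_DEVICE_GROUPS.get(tenant, []) if n in dg_ids}


def build_log_query(ids: Iterable[int], level: int = 1) -> str:
    """Filter string in Panorama's log-query style; `dg_hier_level_N` is the assumed field name."""
    return " or ".join(f"(dg_hier_level_{level} eq {i})" for i in sorted(ids))


def parse_logs(raw: str) -> List[Dict[str, str]]:
    """Parse the constructed CSV log lines into field dictionaries."""
    return [dict(zip(LOG_FIELDS, row)) for row in csv.reader(io.StringIO(raw)) if row]


def logs_for_tenant(records: List[Dict[str, str]], ids: Set[int],
                    level: int = 1) -> List[Dict[str, str]]:
    """Keep only records whose DG Hierarchy Level N field names one of the tenant's groups."""
    key = f"dg_hier_level_{level}"
    return [r for r in records if r.get(key, "").isdigit() and int(r[key]) in ids]


if __name__ == "__main__":
    dg_ids = parse_device_group_ids(SHOW_READONLY_SAMPLE)
    acme_ids = tenant_device_group_ids(dg_ids, "Acme")
    print("Acme device group IDs:", sorted(acme_ids))
    print("Query:", build_log_query(acme_ids))
    for rec in logs_for_tenant(parse_logs(SAMPLE_LOGS), acme_ids):
        print(rec["receive_time"], rec["src"], "->", rec["dst"], rec["action"])
```

Because a tenant usually owns several device groups (service connection, remote network, and mobile user sets), the query joins all of the tenant's IDs with `or`; if you run the query only for the single ID shown in the guide's example, logs from the tenant's other device groups are left out. The parser also tolerates a truncated stanza, which is what the guide's sample output looks like.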

Use DLP on Prisma Access
Enforce your organization’s data security standards to prevent accidental data misuse, loss, or
theft with Data Loss Prevention (DLP) on Prisma Access.

> DLP on Prisma Access
> What is Enterprise DLP?
> What’s Supported with DLP on Prisma Access?
> Register and Activate DLP on Prisma Access
> Enable DLP on Prisma Access
> Create a Data Pattern
> Create a Data Filtering Profile
> View DLP Logs and File Snippets

DLP on Prisma Access
Data loss prevention (DLP) is a set of tools and processes that allow you to protect sensitive information
against unauthorized access, misuse, extraction, or sharing. DLP on Prisma Access enables you to use
Prisma Access to enforce your organization’s data security standards and prevent the loss of sensitive data
across mobile users and remote networks.
DLP on Prisma Access, also known as Enterprise DLP, is a cloud-based service that uses supervised
machine learning algorithms to sort sensitive documents into Financial, Legal, Healthcare, and other
categories for document classification to guard against exposures, data loss and data exfiltration. These
patterns can identify the sensitive information in your cloud apps and protect them from exposure.
While Enterprise DLP resembles the Data Filtering implementation that you use with next-generation
firewalls or with Panorama appliances, be sure to follow the steps in this document to implement DLP with
Prisma Access; the configuration tasks are different.

DLP is an add-on license on Prisma Access. You can either start with a 60-day trial or
purchase a license to use Enterprise DLP on Prisma Access.

What is Enterprise DLP?
DLP on Prisma Access allows you to protect sensitive file data in the following ways:
• Prevent file uploads from leaking to unsanctioned web applications—Discover and conditionally stop
sensitive data from being leaked to untrusted web applications.
• Monitor uploads to sanctioned web applications—Discover and monitor sensitive data when it is
uploaded to sanctioned corporate apps.
To help you inspect content and analyze the data in the correct context so that you can accurately identify
what is sensitive data and secure it to prevent incidents, Enterprise DLP is enabled through a cloud service.
Enterprise DLP offers over 380 data patterns and many predefined data filtering profiles, and it is designed
to automatically make new patterns and profiles available to you for use in Data Filtering policies, as soon as
they are added to the cloud service. Use the following tools to configure DLP on Prisma Access:
• Data Patterns—Help you detect sensitive content and how that content is being shared or accessed on
your network.
Predefined data patterns and built-in settings make it easy for you to protect files that contain certain
file properties (such as a document title or author), credit card numbers, regulated information from
different countries (such as driver’s license numbers), and third-party DLP labels. To improve detection
rates for the sensitive data in your organization, you can supplement the predefined data patterns with
custom data patterns that are specific to your content inspection and data protection requirements. In a
custom data pattern, you can also define regular expressions and file properties to look for metadata or
attributes in the file's custom or extended properties and use it in a data filtering profile.
• Data Filtering Profiles—Power the data classification and monitoring capabilities available on Prisma
Access to prevent data loss and mitigate business risk.
Data filtering profiles are a collection of data patterns that are grouped together to scan for a specific
object or type of content. To perform content analysis, the predefined data profiles have data patterns
that include industry-standard data identifiers, keywords, and built-in logic in the form of machine
learning, regular expressions, and checksums for legal and financial data patterns. When you use the
data filtering profile in a Data Filtering policy rule, the firewall can inspect the content for a match and
take action.
After you define the data patterns (either predefined or custom), you manage data filtering profiles in
Panorama. You can use a predefined data filtering profile, or create a new profile and add data patterns
to it. You then create security policies and apply the profiles you added to the policies you create. If a
user uploads a file, and data in that file matches the criteria in the policies, Prisma Access either creates
an alert notification or blocks the file upload.
When you apply the profile to a policy, and a data pattern was matched that caused an alert or block
notification for a file, Prisma Access extracts a snippet of the sensitive data that caused the alert or block
notification. A snippet enables forensics by allowing you to verify why an uploaded file generated an alert
notification or was blocked. You view the snippets in the Data Filtering logs. By default, Prisma Access
uses data masking to partially mask the snippets to prevent the sensitive data from being exposed. You
can configure Prisma Access to completely mask the sensitive information, unmask the snippets, or disable
snippet extraction and viewing.
The data patterns and data filtering profiles are designed to work across Prisma SaaS and Prisma Access to
provide consistent data security at all locations—either in the cloud or across various enforcement points
in the SaaS applications, remote networks, and mobile users. When you create a new data pattern or data
filtering profile on Prisma Access, it becomes available for enforcement on Prisma SaaS so that you can
identify and protect data uniformly across connected applications.
To improve detection accuracy and reduce false positives, you can also specify:

• Proximity keywords—An asset is assigned a higher accuracy probability when a keyword is within a
200-character distance of the expression. If a document has a 16-digit number immediately followed
by Visa, that's more likely to be a credit card number. But if Visa is the title of the text and the 16-digit
number is on the last page of the 22-page document, that's less likely to be a credit card number.
You can also use more than one keyword in a keyword group and include or exclude keywords to find
when occurrences of specific words appear or do not appear within 200 characters of the expression.
• Confidence levels—Along with proximity keywords, confidence levels allow you to specify the
probability of the occurrence of proximity keywords in a pattern match. With a Low confidence Prisma
Access does not use proximity keywords to identify a match; with a High confidence Prisma Access
looks for the proximity keywords within 200 characters of the regular expressions in the pattern before
it considers the data pattern in a file to be a match.
• Basic and weighted regular expressions—A regular expression (regex for short) describes how to search
for a specific text pattern and then display the match occurrences when a pattern match is found. There
are two types of regular expressions—basic and weighted.
• A basic regular expression searches for a specific text pattern. When a pattern match is found, the
service displays the match occurrences.
• A weighted regular expression assigns a score to a text entry. When the score threshold is exceeded,
the service returns a match for the pattern.
To reduce false-positives and maximize the search performance of your regular expressions, you can
assign scores using the weighted regular expression builder when you create data patterns to find
and calculate scores for the information that is important to you. Scoring applies a match threshold,
and when a score threshold is exceeded, such as enough expressions from a pattern match an asset,
the asset will be indicated as a match for the pattern.
For more information, including a use case and best practices, see Configure Regular Expressions in
the Prisma SaaS Administrator’s Guide.
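To make the three controls above concrete (proximity keywords inside a 200-character window, Low versus High confidence, and weighted expressions with a score threshold), here is an added toy model in Python. It is not Enterprise DLP's code and does not reproduce its predefined patterns; the keyword list, the scores, the threshold, the sample documents and the masking function are all constructed for this illustration. It also applies a Luhn checksum to the 16-digit candidates, the kind of built-in check the guide says the predefined financial patterns use, and partially masks the matched snippet the way a logged snippet is masked by default.

```python
"""Toy model of the detection controls the guide describes: Luhn-checked card numbers,
proximity keywords within a 200-character window, Low/High confidence, weighted regular
expressions with a score threshold, and partial masking of a logged snippet.

Added example; not Enterprise DLP's code. Keywords, scores, thresholds, documents
and the masking rule are constructed for the illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

PROXIMITY_WINDOW = 200  # characters on either side of the match, as described in the guide
CCN_RE = re.compile(r"\b(?:\d[ -]?){15}\d\b")  # 16 digits with optional space/dash separators


def luhn_ok(number: str) -> bool:
    """Checksum that rejects random 16-digit strings that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    parity = len(digits) % 2
    total = 0
    for i, d in enumerate(digits):
        if i % 2 == parity:  # double every second digit, counting from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def keyword_near(text: str, start: int, end: int, keywords: Sequence[str],
                 window: int = PROXIMITY_WINDOW) -> bool:
    """True when any keyword appears within `window` characters of the match span."""
    context = text[max(0, start - window):min(len(text), end + window)].lower()
    return any(k.lower() in context for k in keywords)


def find_card_numbers(text: str, confidence: str = "high",
                      keywords: Sequence[str] = ("visa", "card number", "credit card")) -> List[str]:
    """Low confidence: every Luhn-valid 16-digit number matches.
    High confidence: the number must also have a proximity keyword inside the window."""
    hits = []
    for m in CCN_RE.finditer(text):
        if not luhn_ok(m.group()):
            continue
        if confidence == "high" and not keyword_near(text, m.start(), m.end(), keywords):
            continue
        hits.append(m.group())
    return hits


@dataclass
class WeightedExpression:
    pattern: str
    score: int


@dataclass
class WeightedPattern:
    name: str
    threshold: int
    expressions: List[WeightedExpression]


def score_document(text: str, pattern: WeightedPattern) -> Tuple[int, bool]:
    """Sum the scores of the expressions found; the pattern matches when the threshold is exceeded."""
    total = sum(e.score for e in pattern.expressions if re.search(e.pattern, text, re.IGNORECASE))
    return total, total > pattern.threshold


def mask_snippet(snippet: str, keep_last: int = 4) -> str:
    """Partial masking for a logged snippet: hide every digit except the last `keep_last`."""
    n_digits = sum(c.isdigit() for c in snippet)
    out, seen = [], 0
    for c in snippet:
        if c.isdigit():
            seen += 1
            out.append(c if seen > n_digits - keep_last else "x")
        else:
            out.append(c)
    return "".join(out)


# Constructed sample documents. 4111 1111 1111 1111 is the well-known Visa test number.
DOC_KEYWORD_NEAR = "Invoice settled by Visa, card number 4111 1111 1111 1111, exp 12/24."
DOC_KEYWORD_FAR = "Visa\n" + "lorem ipsum " * 40 + "ref 4111 1111 1111 1111"  # keyword ~480 chars away
DOC_NOT_A_CARD = "Order 4111 1111 1111 1112 placed via Visa"  # fails the Luhn check

FINANCIAL = WeightedPattern("constructed financial statement pattern", threshold=20, expressions=[
    WeightedExpression(r"\bbank statement\b", 10),
    WeightedExpression(r"\brouting number\b", 10),
    WeightedExpression(r"\baccount balance\b", 5),
])

if __name__ == "__main__":
    for name, doc in [("near", DOC_KEYWORD_NEAR), ("far", DOC_KEYWORD_FAR), ("luhn", DOC_NOT_A_CARD)]:
        print(name, "high:", [mask_snippet(h) for h in find_card_numbers(doc)],
              "low:", [mask_snippet(h) for h in find_card_numbers(doc, "low")])
    print(score_document("Bank statement with routing number and account balance", FINANCIAL))
```

The `DOC_KEYWORD_FAR` document is the guide's own scenario: the keyword is the title, the number sits far below it, so a High confidence pattern does not fire while a Low confidence pattern does. The weighted pattern shows the edge case at the threshold: two expressions worth exactly 20 do not exceed a threshold of 20, so tune scores against the "exceeded" semantics rather than assuming "reached".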

List of Predefined Data Filtering Profiles

The following table describes the predefined data filtering profiles provided with DLP on Prisma Access:

Predefined Data Filtering Profile    Scans For

Bulk CCN                             Credit card numbers or Voyager credit card numbers (more than 100).

CCPA                                 California Consumer Privacy Act compliance.

Corporate financial docs             Financial accounting and generic financial information.

Financial Information                Bank statements, bank routing numbers, credit card numbers (strict
                                     checking), bankruptcy filings.

GDPR                                 Driver's License numbers, Tax IDs, National IDs, Passport numbers.

Gramm-Leach-Bliley Act (GLBA)        Credit card numbers, Voyager credit card numbers, Magnetic stripe
                                     information, Tax Id-US (TIN), National ID-US, Social Security Number
                                     (SSN).

Healthcare                           Clinical Laboratory Improvement Amendments (CLIA) numbers, Drug
                                     Enforcement Administration (DEA) numbers, and other healthcare
                                     documents.

Intellectual Property                Source code, AWS secret keys, access keys, company confidential.
                                     There are two types of intellectual property. The Intellectual
                                     Property - Basic data filtering profile contains a subset of the data
                                     patterns that are included in the Intellectual Property data filtering
                                     profile.

Legal                                Legal documents including lawsuits, M&A, standard business
                                     agreements, patents, bankruptcy filings.

Malware                              All Microsoft Office documents, PDF, and portable executable files,
                                     and known threats against WildFire. The verdict is based on a hash,
                                     which is a unique fingerprint of a file.

Personally-Identifiable              Tax IDs, National IDs, Passport numbers, and Driver’s License
Information (PII)                    numbers.

Profanity                            Censored, personal, includes/excludes, homophobic, sexual.

Self Harm                            Suicidal intentions.

Sensitive content                    National ID, Bank information, AWS Secret keys or access keys,
                                     company confidential, CCN.

U.K. PIOCP                           Tax IDs or National IDs.

What’s Supported with DLP on Prisma Access?
Here are the supported applications and operational parameters that you can use with DLP on Prisma
Access.

Web Application      pdf   doc/docx   ppt/pptx   xls/xlsx   rtf   csv   Multi-File uploads   File size

Web browsing         Yes   Yes        Yes        Yes        Yes   Yes   Yes                  20 MB

Onedrive Web App     Yes   Yes        Yes        Yes        Yes   Yes   Yes                  20 MB

Sharepoint Web App   Yes   Yes        Yes        Yes        Yes   Yes   Yes                  20 MB

Gmail Web App        Yes   Yes        Yes        Yes        Yes   Yes   Yes                  20 MB

Box Web App          Yes   Yes        Yes        Yes        Yes   Yes   Yes                  20 MB

Slack Web App        Yes   Yes        Yes        Yes        Yes   Yes   Yes                  20 MB

• Applications—You can enforce DLP for web-based (HTTP- or HTTPS-based) uploads for the following
applications:
• Box (App-ID is boxnet-uploading)
• Gmail (App-ID is gmail-uploading)
• Microsoft OneDrive (App-ID is sharepoint-online-uploading)
• Microsoft SharePoint (App-ID is sharepoint-online-uploading)
• Slack (App-ID is slack-uploading)
• Web browsing (App-ID is web-browsing)
• File operations—Files are inspected when uploaded over HTTP and HTTPS using HTTP/1.1 (FTP and SMTP are not supported).

Some applications, such as SharePoint and OneDrive, use HTTP/2 by default. To use
HTTP/2 files with HTTP/1.1, you need to create a decryption profile and a security policy
to strip out the ALPN headers. See Enable DLP on Prisma Access for instructions.
• Data flow—File uploads are supported (downloads are not supported).
• Concurrent file uploads—You can upload up to 25 files at a time.
• File size—Files of up to 20 MB are supported.
Enterprise DLP does not support machine learning pattern detection for files whose extracted file sizes
are larger than 1 MB.
• File types—Microsoft Office (.doc, .docx, .ppt, .pptx, .xls, .xlsx) .csv, .pdf, and .rtf.
• Response—Block and Alert actions are supported for HTTP and HTTPS files. The Block page does not
display the name of the file that Prisma Access blocked.
• Data Patterns and Data Filtering Profiles—Use predefined data patterns and data filtering profiles, or
create your own data patterns and data filtering profiles. You cannot clone data patterns; however, you

can clone predefined data filtering profiles if you want to add, remove, or modify data identifiers in the
existing profile.
For each data filtering profile, DLP on Prisma Access allows a maximum of 10 data patterns for a Block
rule and 50 data patterns for an Alert rule.
• Multi-tenancy—DLP on Prisma Access is not supported in a multi-tenant deployment.

Register and Activate DLP on Prisma Access
DLP on Prisma Access enables you to secure remote networks and users, and requires an add-on license.
You can either purchase a license or try the 60-day trial.
When you request a trial from the web interface, you must wait 24 hours for the request to be processed.
After the 60-day trial is approved, Palo Alto Networks lets you try the product for 60 days, along with a
30-day grace period to allow you to purchase the license. Palo Alto Networks deactivates DLP on Prisma
Access 90 days after the start of the trial if you do not purchase a license.
When you purchase a license, all you need to do is activate it in this workflow. The welcome email that
you receive when you purchase Enterprise DLP includes an auth code; disregard it, because the auth code
in the email is processed for you automatically. All you need to do is follow the instructions in this
workflow.
To register and activate DLP on Prisma Access, complete the following steps.

If you have existing data patterns and data filtering profiles in a Prisma Access-specific
device group (Service_Conn_Device_Group, Remote_Network_Device_Group, or
Mobile_User_Device_Group), the patterns and profiles will be removed after you register and
activate DLP on Prisma Access.

STEP 1 | Check the minimum Panorama and content version on the Panorama appliance on which you
will install DLP on Prisma Access, and upgrade your Panorama or content version if required.
The minimum required Panorama version is 9.0.4, and the minimum required content version is 8190.

If you have DLP on Prisma Access enabled for more than one Prisma Access instance
in a single Customer Service Portal (CSP) account, data filtering profiles are synchronized
across all instances. This behavior can result in unexpected consequences; for example,
the deletion of a custom data pattern or data filtering profile for one instance does not
delete that pattern or profile for other instances in the CSP account. For this reason, Palo
Alto Networks recommends that you move each Prisma Access instance to its own CSP
account.

STEP 2 | Activate and install Prisma Access and configure your settings for the Prisma Access service
infrastructure; then, configure your mobile users deployment, your remote networks
deployment, or both, depending on your Prisma Access license.
Skip this step if you’ve already configured Prisma Access.

STEP 3 | Perform the following pre-checks to make sure that your environment is ready to request
Enterprise DLP on Prisma Access:
• Be sure that Panorama can access the dss.paloaltonetworks.com URL.
Add this URL to the allow list on any security appliance that you use with the Panorama
appliance. In addition, if your Panorama appliance uses a proxy server (Panorama > Setup >
Service > Proxy Server), or if you use SSL forward proxy with Prisma Access, be sure to add
dss.paloaltonetworks.com to the allow list on the proxy server.
• If you are using the same parent device group for on-premise firewalls and Prisma Access firewalls,
and would like to use the parent device group to configure security policy rules, open a
command-line interface (CLI) session in Prisma Access and enter the request plugins cloud_services
prisma-access dlp-enable-config-in-shared command. This command makes a copy of
the data filtering profile in the Shared device group that can be read by the on-premise firewalls.
If you do not enter this command, you cannot refer to the data filtering profiles with Enterprise
DLP in non-Prisma Access device groups, because the Enterprise DLP data filtering profiles are only
available in the Prisma Access device group.
• Select Panorama > Administrators and verify that the __cloud_services user is present.
After you install the Cloud Services plugin, the plugin creates a Panorama administrative user with
a username of __cloud_services. This user account is required to enable communication between
Enterprise DLP on Prisma Access and the Prisma Access management infrastructure. Palo Alto
Networks recommends that you change the password for this administrative user in accordance with
your organization’s password policy.
If you delete the __cloud_services user, you must re-add the user manually. The account is used to
register and activate Enterprise DLP on Prisma Access, and for continued DLP scanning using the
data patterns and data filtering profiles referenced in security policy rules.

STEP 4 | Log in to Prisma Access and select Panorama > Cloud Services > Configuration > Service
Setup.

STEP 5 | In the Service Operations area, select Activate Enterprise DLP or Request a Trial.
If you have purchased an add-on Enterprise DLP license, when you click the link the Enterprise DLP
capabilities are ready for use. Please disregard the auth code in the welcome email you received with
your purchase. The auth code in the email is automatically processed for you.

A page displays indicating that your existing data filtering settings will be removed after your DLP on
Prisma Access request is approved.

After you register and activate DLP on Prisma Access, the Cloud Services plugin enables DLP-specific
features in the following areas in Panorama.

If you have any existing data patterns, they will be removed when you register and
activate the DLP on Prisma Access.

• Device > Data Filtering Settings—Allows you to specify global settings for data filtering based on
latency, file size, and logging for files that are not scanned.
• Objects > Custom Objects > Data Patterns—Specifies patterns that you use with the data filtering
profile.
• Objects > Security Profiles > Data Filtering—Lets you add a data pattern to a data filtering profile and
specify additional parameters to send an alert or block action for files that match the patterns you specify.
• Device > Response Pages > Data Filtering Block Page—Adds a customizable page that displays to
users when Prisma Access blocks a file using a DLP-based security policy.

STEP 6 | For a trial, select Yes to request DLP on Prisma Access.

A page displays indicating that your request was received and is being evaluated. Do not open a case
during this evaluation period.

STEP 7 | Wait 24-48 hours; then select Panorama > Cloud Services > Configuration > Service Setup
and reselect Activate Enterprise DLP or Request a Trial to see the results of your request.
• If the DLP on Prisma Access request was approved, a pop-up window displays indicating that
Enterprise DLP has been activated and the Panorama appliance displays a banner indicating that DLP
configuration has changed and a push is required. If you see this page and banner, Commit and Push
your changes, then enable DLP on Prisma Access.

• If you receive a page that indicates that your request was received and is being evaluated, either your
request is still being processed or it wasn’t approved; you can retry the request in 24 hours to see its
status. Do not open a case when this request is being evaluated.

• If you receive a message that Enterprise DLP activation was unsuccessful, the request is approved,
but Prisma Access has not yet provisioned the infrastructure. If you see this message, open a support
case on the Customer Service Portal (CSP).

Enable DLP on Prisma Access
Complete these steps to use DLP on Prisma Access successfully.

STEP 1 | Create a decryption profile and a decryption policy rule that strip the ALPN extension from the
TLS handshakes of uploading clients.
DLP on Prisma Access supports HTTP/1.1 only. Some applications, such as SharePoint and OneDrive,
negotiate HTTP/2 for uploads by default; the client offers h2 in the TLS ALPN extension and the server
accepts it. Stripping ALPN removes that offer, so the session falls back to HTTP/1.1 and DLP on Prisma
Access can inspect the uploaded files. The profile only affects sessions that the decryption policy rule
actually decrypts, so make sure the rule's match criteria cover the upload destinations. Complete these steps.
1. Select Objects > Decryption > Decryption Profile.
Choose any device group in the Device Group drop-down at the top of the page; decryption profiles
are shared across device groups.
2. Add a new profile and give it a Name.
3. Select SSL Forward Proxy, then select Strip ALPN in the Client Extension area.

4. Select Policies > Decryption.


5. Add a decryption policy and give it a Name.
6. Select Options, then select the Decryption profile you created.
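The following Python script is added here as an illustration of what Strip ALPN does to a client's TLS handshake; it is not code from the guide or from PAN-OS. It builds a constructed ClientHello extensions block of the kind a browser would send to a SharePoint host (server_name, application_layer_protocol_negotiation offering h2 and http/1.1, and supported_versions), removes the ALPN extension, and recomputes the length fields so the remaining block stays well-formed. It works on the extensions block only; a real proxy also rewrites the enclosing handshake and record lengths. The hostname and the chosen set of extensions are assumptions.

```python
import struct

# Extension type numbers from the IANA TLS ExtensionType registry.
EXT_SERVER_NAME = 0x0000
EXT_ALPN = 0x0010
EXT_SUPPORTED_VERSIONS = 0x002B


def build_alpn_extension(protocols):
    """Encode an ALPN extension body: 2-byte list length, then 1-byte-length-prefixed names."""
    names = b"".join(bytes([len(p)]) + p.encode() for p in protocols)
    return struct.pack("!H", len(names)) + names


def build_sni_extension(hostname):
    """Encode a server_name extension body holding a single host_name entry (name type 0)."""
    host = hostname.encode()
    entry = b"\x00" + struct.pack("!H", len(host)) + host
    return struct.pack("!H", len(entry)) + entry


def build_extensions(ext_list):
    """Encode the ClientHello extensions block: 2-byte total length, then type/length/body triples."""
    body = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in ext_list)
    return struct.pack("!H", len(body)) + body


def parse_extensions(blob):
    """Decode an extensions block into (type, body) pairs, validating every length field."""
    (total,) = struct.unpack("!H", blob[:2])
    if total != len(blob) - 2:
        raise ValueError("extensions length field does not match data")
    out, pos = [], 2
    while pos < len(blob):
        ext_type, ext_len = struct.unpack("!HH", blob[pos:pos + 4])
        body = blob[pos + 4:pos + 4 + ext_len]
        if len(body) != ext_len:
            raise ValueError("truncated extension")
        out.append((ext_type, body))
        pos += 4 + ext_len
    return out


def alpn_protocols(body):
    """List the protocol names carried in an ALPN extension body."""
    (lst_len,) = struct.unpack("!H", body[:2])
    names, pos = [], 2
    while pos < 2 + lst_len:
        n = body[pos]
        names.append(body[pos + 1:pos + 1 + n].decode())
        pos += 1 + n
    return names


def strip_alpn(blob):
    """Return the extensions block with the ALPN extension removed and lengths recomputed."""
    kept = [(t, d) for t, d in parse_extensions(blob) if t != EXT_ALPN]
    return build_extensions(kept)


def offered_http_versions(blob):
    """HTTP versions a client can end up with: the ALPN list if present, else implicit HTTP/1.1."""
    for t, d in parse_extensions(blob):
        if t == EXT_ALPN:
            return alpn_protocols(d)
    return ["http/1.1"]


# Constructed sample: the extensions a browser might send to an assumed SharePoint hostname.
SAMPLE = build_extensions([
    (EXT_SERVER_NAME, build_sni_extension("contoso.sharepoint.com")),
    (EXT_ALPN, build_alpn_extension(["h2", "http/1.1"])),
    (EXT_SUPPORTED_VERSIONS, b"\x02\x03\x04"),
])

if __name__ == "__main__":
    print("before strip:", offered_http_versions(SAMPLE))
    print("after strip: ", offered_http_versions(strip_alpn(SAMPLE)))
```

With no ALPN extension the server has no h2 offer to accept, so the connection stays on HTTP/1.1, the version DLP on Prisma Access can inspect. The same parser can be pointed at the extensions block of a captured ClientHello to confirm that no ALPN extension survives on the server-facing side of the proxy.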

STEP 2 | Disable the QUIC protocol by adding services and security policies.
Many supported web applications, such as Gmail, require that you disable the QUIC protocol for DLP on
Prisma Access to function correctly.
1. Select Policies > Security and Add a security policy that denies traffic using the quic application.
2. Select Objects > Services and Add two services: One for UDP on port 80 and one for UDP on port
443.
Newer versions of QUIC might be misidentified as unknown-udp. For this reason, Palo Alto
Networks recommends adding services for UDP port 80 and UDP port 443 and creating an additional
security policy to block UDP traffic on those ports.

3. Select Policies > Security and Add a security policy that includes the services you created to deny
traffic to UDP ports 80 and 443.
When complete, you will have two security policies: One that blocks the QUIC protocol and one that
blocks traffic on UDP ports 80 and 443.

STEP 3 | (Optional) Review the default values for snippets and data masking, and change the default
settings if required by your organization’s compliance or policy rules, by opening a command-
line interface (CLI) session with admin-level privileges on the Panorama that is running DLP on
Prisma Access and entering the following commands.
By default, Prisma Access retrieves snippets and puts them in the Data Filtering logs (Monitor > Logs >
Data Filtering). Prisma Access stores these snippets in the logs for 90 days. The default data masking
level is partial, which means that Prisma Access displays only the last four digits of the value in clear text.
• Check the current configuration of snippets and data masking by entering the following command:

admin@Panorama> request plugins cloud_services prisma-access dlp-get-snippets-config

The following command output shows the default setting for snippets and data masking:

admin@Panorama> request plugins cloud_services prisma-access dlp-get-snippets-config
pass{"id": "7997000089575537664", "enable_snippets": true, "mask_level": "partial_mask"}

• Enable or disable snippets by entering the following command:

admin@Panorama> request plugins cloud_services prisma-access dlp-configure-snippets enable [ no | yes ]

For example, to disable snippets, enter request plugins cloud_services prisma-access dlp-configure-snippets enable no.
• Change the data masking level by entering the following command:

admin@Panorama> request plugins cloud_services prisma-access dlp-configure-snippets masking-level [ full_mask | no_mask | partial_mask ]

• A keyword of partial_mask displays only the last four digits in clear text.
• A keyword of no_mask displays all the values in clear text.
• A keyword of full_mask does not display any values.

When a file is scanned, DLP on Prisma Access stores snippets of data for every data
pattern match. These snippets are masked (full mask, partial mask, or no mask) based
on the settings you configured. If DLP detects that a file was previously scanned and the
file's contents were unchanged, scanning is skipped, and the verdict and snippets are
returned based on the earlier scan.
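The following Python script is added here as a worked example of the snippet settings above; it is not part of the guide and does not call Panorama. It parses the reply of dlp-get-snippets-config (a JSON object prefixed with the word pass, as shown in the output above), applies the three masking levels to constructed sample values so you can see what each level exposes, and checks the current setting against a required minimum level, which is the test a compliance reviewer would want to automate. The sample CLI output reuses the id from the guide's output; the credit card and SSN values are constructed test data.

```python
import json
import re

MASK_LEVELS = ("full_mask", "partial_mask", "no_mask")
# Ordering used by the compliance check: full hides the most, no_mask the least.
STRICTNESS = {"no_mask": 0, "partial_mask": 1, "full_mask": 2}


def parse_snippets_config(cli_output):
    """Parse the dlp-get-snippets-config reply, which prefixes a JSON object with 'pass'."""
    found = re.search(r"\{.*\}", cli_output, re.DOTALL)
    if not found:
        raise ValueError("no JSON object in CLI output")
    cfg = json.loads(found.group(0))
    if cfg.get("mask_level") not in MASK_LEVELS:
        raise ValueError("unexpected mask_level: %r" % cfg.get("mask_level"))
    return {"enable_snippets": bool(cfg.get("enable_snippets")), "mask_level": cfg["mask_level"]}


def mask_snippet(value, level):
    """Apply the guide's masking semantics: full_mask hides every letter and digit, partial_mask keeps
    the last four in clear text, no_mask returns the value unchanged. Separators are kept as-is."""
    if level == "no_mask":
        return value
    if level not in MASK_LEVELS:
        raise ValueError("unknown masking level: %r" % level)
    positions = [i for i, ch in enumerate(value) if ch.isalnum()]
    keep = set(positions[-4:]) if level == "partial_mask" else set()
    return "".join(ch if (not ch.isalnum() or i in keep) else "X" for i, ch in enumerate(value))


def render_snippets(cli_output, matches):
    """What the log viewer would show for the given raw matches: nothing when snippets are
    disabled, otherwise each value masked to the configured level."""
    cfg = parse_snippets_config(cli_output)
    if not cfg["enable_snippets"]:
        return []
    return [mask_snippet(m, cfg["mask_level"]) for m in matches]


def meets_policy(cli_output, required_level, snippets_allowed=True):
    """True when snippets are off, or when they are on, permitted, and masked at least as
    strictly as required_level."""
    cfg = parse_snippets_config(cli_output)
    if not cfg["enable_snippets"]:
        return True
    return snippets_allowed and STRICTNESS[cfg["mask_level"]] >= STRICTNESS[required_level]


# Constructed sample output in the shape of the default shown above.
SAMPLE_CLI = 'pass{"id": "7997000089575537664", "enable_snippets": true, "mask_level": "partial_mask"}'
# Constructed test values, not real identifiers.
SAMPLE_MATCHES = ["4111-1111-1111-1234", "078-05-1120"]

if __name__ == "__main__":
    for snippet in render_snippets(SAMPLE_CLI, SAMPLE_MATCHES):
        print(snippet)
    print("meets full_mask policy:", meets_policy(SAMPLE_CLI, "full_mask"))
```

Run it against the real CLI reply after any change to the snippet settings; partial masking still leaves the last four characters of every matched value in the logs, so organisations that treat Data Filtering logs as untrusted should require full_mask or disable snippets.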

STEP 4 | Identify what content is sensitive in your environment and determine the types of data
patterns or data filtering profiles you require.
1. Determine the type of data pattern you need.
Prisma Access includes more than 380 predefined data patterns that cover commonly used types of
sensitive data. If your data requirements need a custom data pattern, create a data pattern
and specify data detection techniques; otherwise, use one of the predefined data patterns for your
sensitive content.
2. Determine the type of data filtering profile you need.
Prisma Access includes many predefined data filtering profiles for specific types, such as financial
and healthcare-specific profiles. If your data requirements need a custom data filtering profile, create
a data filtering profile, add a data pattern to it, and specify matching criteria and confidence levels;
otherwise, use one of the existing data filtering profiles in the security policy you create.

STEP 5 | Attach the data filtering profile to a security policy rule.


1. Select Policies > Security > Pre Rules.
Select the correct Device Group from the drop-down list (Mobile_User_Device_Group for mobile
users or Remote_Network_Device_Group for remote networks).
2. Add a new policy, or select an existing policy to modify it.
3. Select Actions, then select a Profile Setting of Profiles.
4. Attach the Data Filtering profile you created earlier to the security policy rule.
5. Click OK.

STEP 6 | Commit and Push your changes to make them active in Prisma Access.
After you configure DLP, you can view the DLP logs, including the snippets that Prisma Access retrieved
as the result of an Alert or Block action.

STEP 7 | (Optional) Test the functionality of Prisma Access.


1. Create a document with a supported file type and enter sensitive data in the file.
For example, if you use the predefined data filter profile of Sensitive Content in a security policy,
create a Microsoft Word .docx file and enter data in the format of a United States Social Security
Number (SSN).
2. Connect to Prisma Access with the GlobalProtect app.
3. Use a supported upload method (such as OneDrive) to upload the file.

You can upload multiple files; however, if you use Box to upload multiple files, and one
or more of the files are larger than 5 MB, the upload of all files does not complete. To
continue, find the files in Box that are larger than 5 MB and click X to stop the upload
of those files.

4. View the DLP logs to verify that DLP on Prisma Access correctly applied the action you specified in
the security policy.

Create a Data Pattern
Data patterns enable you to specify the match criteria and identify patterns using regular expressions, file
properties, or keywords that represent sensitive information on your network.

STEP 1 | Select Objects > Custom Objects > Data Patterns.


Prisma Access shares the data pattern across Prisma Access device groups; you can select any
Device Group from the drop-down at the top of the page and Prisma Access will share it across the
Service_Conn_Device_Group, Mobile_User_Device_Group, and Remote_Network_Device_Group.

STEP 2 | Add a Pattern.

STEP 3 | Specify a Type and criteria for the data pattern and give it a Name.
Use one of the following data pattern types:
• Regular Expression—Create regular expressions to use in the data pattern.
You can choose Basic or Advanced data patterns. Use the Advanced data pattern to create a basic
or weighted regular expression. With weighted regular expressions, each expression is assigned a
score; when enough expressions match a file for the combined score to exceed the threshold, the
file is reported as a match for the pattern.
You then use the query builder in the Regular Expressions area to add expressions, either regular
(Basic) or weighted (Advanced).
You can enter one or more Proximity Keywords to use with the Data Filtering pattern. Use proximity
keywords in a data filtering profile with a High Confidence. When you upload a file, Prisma Access
looks for the proximity keywords you specify within 200 characters of the regular expressions before
it considers the specified data pattern to be a match in the file.
• File Property—Add a file property pattern to match.
For data governance and protection of information, if you use classification labels or embed tags in
MS Office and PDF documents to include more information for audit and tracking purposes, you
can create a file property data pattern to match on the metadata or attributes that are a part of the
custom or extended properties in the file. Regardless of whether you use an automated classification
mechanism such as Titus or require users to add a tag, you can specify a name-value pair to match on
a custom or extended property embedded in the file.
DLP on Prisma Access supports file property data patterns in MS Office and PDF documents. Both
the OLE (.doc/.ppt) and the XML (.docx/.pptx) formats of MS Office are supported.
You then add a Tag Name and Tag Value.
A Tag Name and Tag Value are an associated pair that specifies the property that you want to look
for (for example, you can specify a Tag Name of Label and a Tag Value of Confidential). You can add
as many file properties as you’d like. When you later reference the file property data pattern in a data
filtering profile, a boolean OR match is used in the match criteria.

STEP 4 | Click OK to save the data pattern.

Create a Data Filtering Profile
Use a data filtering profile to add data patterns and specify matches and confidence levels.

STEP 1 | Select Objects > Security Profiles > Data Filtering.


Select the correct Device Group from the drop-down list (Mobile_User_Device_Group for mobile users or
Remote_Network_Device_Group for remote networks).

STEP 2 | Add a data filtering profile and give it a Name.

STEP 3 | (Optional) Change the pattern options.


• If you select Basic options, enter the following information:
• Primary Pattern—Add one or more patterns to specify as the match criteria.
If you specify more than one data pattern, Prisma Access uses a boolean OR match in the match
criteria.
If you created a data pattern, be sure to add it.
• Match—Select whether the pattern you specify should match (include) or not match (exclude) the
specified criteria.
• Operator—Select an Operator to use with the Threshold parameter. Specify Any to ignore the
threshold.
• Threshold—Specify a value to use with the Operator you specify.
For example, to match a pattern that appears 3 times or more in a file, select an Operator of
more_than_or_equal_to and a Threshold of 3.
• Confidence—Use this with the proximity keywords you specified in the data pattern you created.
Specifying a Confidence of Low means that Prisma Access does not use proximity keywords.
Specifying a Confidence of High means that Prisma Access looks for the proximity keywords in
the pattern within 200 characters of the regular expressions in the pattern before it considers the
data pattern in a file to be a match.

• If you select Advanced options, create expressions by dragging and dropping data patterns,
Confidence levels, Operators, and Occurrence values into the field in the center of the page.
Specify the values in the order that they are shown in the following screenshot (data pattern,
Confidence, and Operator or Occurrence values).
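The following Python script is an added example, not code from the guide or from the DLP engine, that models the matching rules described in Create a Data Pattern and in the Basic options above: a regular-expression data pattern with proximity keywords, the High confidence rule that requires a keyword within 200 characters of a match, the Operator and Threshold applied to the occurrence count, a weighted (Advanced) pattern that matches once the summed score reaches its threshold, a File Property pattern whose tag pairs are ORed, and the OR across several primary patterns in one profile. The exact scoring and operator semantics of the real engine are not documented on this page, so the OPERATORS table and the weighted-score rule are assumptions; the patterns, weights and documents are constructed test data.

```python
import re
from dataclasses import dataclass

PROXIMITY_WINDOW = 200  # characters either side of a match, per the High confidence rule


@dataclass
class DataPattern:
    name: str
    regexes: dict                 # expression -> weight; weight 1 for a Basic pattern
    proximity_keywords: tuple = ()
    score_threshold: int = 1      # weighted (Advanced) patterns match once the score reaches this


@dataclass
class ProfileRule:
    pattern: DataPattern
    operator: str = "any"         # any | less_than | more_than | equal_to | more_than_or_equal_to
    threshold: int = 0
    confidence: str = "low"       # low ignores proximity keywords, high requires one nearby
    include: bool = True          # Match = include (True) or exclude (False)


# Assumed operator semantics; "any" ignores the threshold, as the guide states.
OPERATORS = {
    "any": lambda n, t: n > 0,
    "less_than": lambda n, t: 0 < n < t,
    "more_than": lambda n, t: n > t,
    "equal_to": lambda n, t: n == t,
    "more_than_or_equal_to": lambda n, t: n >= t,
}


def _keyword_nearby(text, start, end, keywords):
    window = text[max(0, start - PROXIMITY_WINDOW):end + PROXIMITY_WINDOW].lower()
    return any(k.lower() in window for k in keywords)


def find_matches(text, pattern, confidence):
    """Return (expression, matched_text) pairs; with High confidence a hit counts only when a
    proximity keyword sits within 200 characters of it."""
    hits = []
    for expr in pattern.regexes:
        for m in re.finditer(expr, text, re.IGNORECASE):
            if (confidence == "high" and pattern.proximity_keywords
                    and not _keyword_nearby(text, m.start(), m.end(), pattern.proximity_keywords)):
                continue
            hits.append((expr, m.group(0)))
    return hits


def weighted_score(hits, pattern):
    """Assumed weighted-pattern model: sum the weights of the distinct expressions that matched."""
    return sum(pattern.regexes[e] for e in {e for e, _ in hits})


def rule_matches(text, rule):
    hits = find_matches(text, rule.pattern, rule.confidence)
    matched = (weighted_score(hits, rule.pattern) >= rule.pattern.score_threshold
               and OPERATORS[rule.operator](len(hits), rule.threshold))
    return matched if rule.include else not matched


def file_property_matches(properties, tags):
    """File Property pattern: any one configured (Tag Name, Tag Value) pair present in the
    document metadata is a match (boolean OR)."""
    return any(properties.get(name) == value for name, value in tags)


def profile_verdict(text, rules, action="alert", properties=None, tags=()):
    """Primary patterns in one profile are ORed; returns the profile action or 'allow'."""
    if any(rule_matches(text, r) for r in rules):
        return action
    if properties is not None and file_property_matches(properties, tags):
        return action
    return "allow"


# Constructed patterns and documents; the numbers are test data, not real identifiers.
SSN = DataPattern("US SSN", {r"\b\d{3}-\d{2}-\d{4}\b": 1}, ("ssn", "social security"))
CREDS = DataPattern("Credentials", {r"password\s*[:=]": 2, r"\bsk_live_[0-9A-Za-z]{8,}\b": 3,
                                    r"\bconfidential\b": 1}, score_threshold=3)
LABELLED = "Employee SSN: 078-05-1120 (HR record)"
UNLABELLED = "Ticket 123-45-6789 opened by the service desk"
PAYROLL = "Payroll export\nSSN 001-01-0001\nSSN 002-02-0002\nSSN 003-03-0003\n"
NOTES = "Confidential: the deploy script sets password=hunter2 for the staging host"

if __name__ == "__main__":
    rule = ProfileRule(SSN, "more_than_or_equal_to", 3, "high")
    print("payroll:", profile_verdict(PAYROLL, [rule], "block"))
    print("notes:", profile_verdict(NOTES, [ProfileRule(CREDS)], "alert"))
```

The two confidence levels are the practical lever: with Low confidence the UNLABELLED ticket text, which merely contains a number in SSN format, is a hit, while High confidence discards it because no proximity keyword is nearby. Keep the 200-character window in mind when you rely on High confidence: a label in a document header will not vouch for a value on page ten.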

STEP 4 | Select an Action (Alert or Block) to perform on the file.

You can create a profile with both Alert and Block actions; to do so, create the primary
pattern with an Alert action and a secondary pattern with a Block action as shown in Step
8.

STEP 5 | Specify a File Type.


Leave the file type as any to match any of the supported file types.

STEP 6 | Select a Direction of upload.


Downloads are not supported.

STEP 7 | (Optional) Set the Log Severity recorded for files that match this rule.
The default severity is Informational.

STEP 8 | (Optional) Create a secondary pattern for this data filtering profile with a different action (alert
and block mode).
You can attach one data filtering profile per security policy rule. To create both Alert and Block actions
for a security policy rule, create a primary pattern with an Alert action and a secondary pattern with a
Block action.

You must specify a Primary Pattern with an Action of Alert and a Secondary Pattern with
an Action of Block to use alert and block mode.

1. Create a data filtering profile with an Action of Alert.


2. Select Add Second Data Pattern Match.

3. Specify an Action of Block for the secondary pattern and Add more data patterns and match criteria.

STEP 9 | Click OK to save the data filtering profile.

STEP 10 | (Optional) Modify the response page that displays when Prisma Access blocks a file.
When Prisma Access blocks a file, it sends text to the browser of the user who requested the file,
informing them that the file has been blocked. You can change the text of this page by completing the
following steps.

1. Select Device > Response Pages > Data Filtering Block Page.
2. Select Shared, then select Export to download the data-filter-block-page.txt file.

Leave the Data Filtering Block Page open; you upload the file after you edit it.
3. Open the .txt file in a text editor and edit the text that displays in the Block page.
4. In Panorama, Import the data-filter-block-page.txt file you just edited.

View DLP Logs and File Snippets
When DLP on Prisma Access detects sensitive content during a file upload, and you have created an Alert
or Block action, it generates a log. You can then view the sensitive content, called a snippet, from the
Data Filtering logs. A snippet is evidence or identifiable information associated with a pattern match. For
example, if you specified a data pattern of Credit Card Number, Prisma Access returns the credit card
number that matched as the snippet. By default, Prisma Access returns snippets.
Prisma Access uses data masking to mask the data in the snippets. By default, Prisma Access displays the
last four digits of the value in clear text (partial masking). For example, Prisma Access displays a snippet of a
credit card number as XXXX-XXXX-XXXX-1234. You can also specify the data to be completely displayed
in clear text, or fully mask the data to hide all the values. You enable or disable snippet retrieval and specify
data masking levels when you enable DLP.
To view the DLP-specific logs, including file snippets, complete the following steps.

STEP 1 | Enable DLP on Prisma Access.

STEP 2 | View the DLP-specific Data Filtering logs by selecting Monitor > Logs > Data Filtering and, in
the Filter area, entering ( subtype eq data ).

You cannot search the logs by profile name. To search by profile, find the profile ID in the data filtering
logs. The profile ID is listed in the ID column in the logs.

STEP 3 | (Optional) View more details about the file, including file snippets.
1. Click the magnifying glass next to the file to view its details.

2. Click the DLP tab; then, select a Pattern to view the pattern details.

3. (Optional) View the snippets associated with the pattern match.


The following screenshot shows social security numbers with a partial data masking level.

Create and Configure Prisma Access for
Clean Pipe
Use Prisma Access for Clean Pipe to quickly and easily configure multiple instances of clean
outbound internet connections.

> Prisma Access for Clean Pipe Overview


> Configure Prisma Access for Clean Pipe

Prisma Access for Clean Pipe Overview
To allow organizations that manage the IT infrastructure of other organizations, such as service providers,
MSSPs, or Telcos, to quickly and easily protect outbound internet traffic for their tenants, Palo Alto
Networks provides Prisma Access for Clean Pipe. A service provider, MSSP, or Telco can route their
customers (configured as tenants) to Prisma Access for Clean Pipe using a Partner Interconnect. After the
traffic crosses the Partner Interconnect, it will be sent to a tenant-dedicated instance of the Clean Pipe for
security, and then routed to the Internet.
Prisma Access for Clean Pipe also provides an API that you can use to quickly and easily create Clean Pipes
for your tenants.
• Clean Pipe Use Cases
• Clean Pipe Examples
• Clean Pipe and Partner Interconnect Requirements

Clean Pipe Use Cases


Use Prisma Access for Clean Pipe if all of the following apply to your deployment:
• You manage a network deployment with a large number of tenants.
For example, you are a service provider, Telco, or MSSP who manages and maintains the networks of
many different organizations (up to tens of thousands).
• You want a way for each tenant in your deployment to have their outbound internet traffic secured.
• You need a fast and scalable way to onboard Clean Pipes for the organizations whose networks you
manage.
• With the exception of outbound internet security, you do not have additional requirements to protect
the mobile users, headquarters, or branch locations of the networks you manage.
If you have additional security requirements, we recommend creating multiple tenants in Prisma Access
instead of implementing Clean Pipe, which allows you to create and enforce security profiles for
separate groups of remote networks and mobile users.

Clean Pipe Examples


The following figure provides an example of Clean Pipes configured for a single tenant, with multiple Clean
Pipes configured for the tenant.
In this example, the service provider manages the internet connectivity for four organizations and wants
to protect outbound internet access for them. The service provider creates a Google Cloud Platform (GCP)
Partner Interconnect and creates a VLAN attachment for each tenant. The service provider configures
Prisma Access for Clean Pipe using Panorama to create security for the VLAN attachment.
This example shows a single Clean Pipe per tenant. You can also create multiple Clean Pipes in a single
tenant. Make sure that each Clean Pipe you specify for a tenant uses a different location.

The following figure shows a single Clean Pipe in more detail for a tenant who wants a clean connection
to the internet. The Customer Edge (CE) router provides WAN connectivity for the tenant. The CE router
connects to a cloud router, and the cloud router provides connectivity for the Partner Interconnect. The
service provider creates a VLAN attachment for the tenant, and configures Prisma Access for Clean Pipe in
Panorama to provide security for the VLAN attachment, which protects the tenant’s internet-based traffic.

Clean Pipe and Partner Interconnect Requirements


Before you start, be aware of the following Clean Pipe deployment requirements, and be aware of the
following differences between Prisma Access for Clean Pipe and other Prisma Access deployments:
• You must have a Prisma Access for Clean Pipe license.
The Prisma Access for Clean Pipe license is a separate license from other Prisma Access products.
However, the same requirements for purchasing and installing Panorama and Cortex Data Lake licenses
apply to Clean Pipe.
• Prisma Access for Clean Pipe has the following GCP Partner Interconnect requirements:
• You must be able to create a Partner Interconnect in GCP.
• You must have the ability to create VLAN attachments in GCP.
• For Layer 2 (L2) partner interconnects, you must have access to the customer edge (CE) router on the
MSSP side and be able to make configuration changes to it.
For more information about GCP configuration, refer to the GCP documentation.
• Be aware of the minimum bandwidth requirements for the Clean Pipe deployment.
The minimum license you can purchase is 1000 Mbps. The minimum bandwidth allocation for each Clean
Pipe tenant is 100 Mbps.

After you create a tenant, you can create clean pipes in that tenant. Each clean pipe must be a minimum
of 100 Mbps. Each Clean Pipe shares the tenant’s access domain, templates and template stack, and
device group.
• If configuring multiple Clean Pipes for a single tenant, each Clean Pipe is required to be a unique
location. If you want to configure two VLAN attachments for a single Clean Pipe location in an active/
backup configuration for intra-zone redundancy, specify the REDUNDANT choice when you add a new
Clean Pipe instance.
• When creating a connection within a Clean Pipe tenant, match the bandwidth allocation to that of the
VLAN attachment. Do not create a VLAN attachment that has a bandwidth that is higher or lower than
the connection's bandwidth.
• After you enable multi-tenancy, do not configure your Clean Pipe deployment with any of the other
tabs in the Configuration area, with the exception of the Generate API key link in the Service Setup
tab, which lets you generate an API key to retrieve Clean Pipe IP addresses. All configuration is unique
to Prisma Access for Clean Pipe and separate from other Prisma Access deployments, such as Prisma
Access for Networks or Prisma Access for Users.
• Do not make changes to a Clean Pipe configuration after you commit it. If you change a Clean Pipe
after it’s been committed, you will receive a commit error when you re-commit it. Instead, delete the
existing Clean Pipe and add a new one. Schedule this change during a system downtime window. If you
already made changes and have not yet committed, you can revert the changes by editing the Clean Pipe
configuration back to its previous values.
• Note that the locations used by Clean Pipe differ from other Prisma Access deployments. Prisma Access
for Clean Pipe supports the following locations:
• asia-east1
• asia-east2
• asia-northeast1
• asia-south1
• asia-southeast1
• australia-southeast1
• europe-north1
• europe-west2
• europe-west3
• europe-west4
• northamerica-northeast1
• southamerica-east1
• us-central1
• us-east1
• us-east4
• us-west1
• us-west2
• Note the following networking restrictions for Clean Pipe:
• ICMP is not supported.
• QoS is supported on ingress (from internet to Clean Pipe direction) only.
• User-ID is not supported.
• Clean Pipe supports session affinity based on source and destination IP addresses and is not
configurable.
• Trust-to-Trust policies are invalid for Clean Pipe, because the traffic is always internet-bound. Only
use Trust-to-Untrust policies.

Configure Prisma Access for Clean Pipe
To set up Prisma Access for Clean Pipe for your tenants, complete the following steps.
• Enable Multitenancy and Create a Tenant
• Complete the Clean Pipe Configuration

Enable Multitenancy and Create a Tenant


To begin the Clean Pipe configuration, you create a multi-tenant deployment in Panorama and create one or
more tenants.

STEP 1 | Install and activate Prisma Access for Clean Pipe.


Prisma Access for Clean Pipe requires a separate license, and activating it creates Clean Pipe-specific
tabs in the Cloud Services plugin. The procedure you use to install Prisma Access for Clean Pipe is
the same as the procedure you use to activate and install a standard Prisma Access license, including
installing the Cloud Services plugin.

STEP 2 | Enable multitenancy if you have not done so already.


1. Select Panorama > Cloud Services > Configuration.
2. Select Enable Multitenancy (located on the upper right of the page).
3. Click OK.
The Tenants page displays.
4. In the Options area, select Clean Pipe.
To configure a tenant for remote networks, mobile users, or both, see Manage Multiple Tenants in
Prisma Access.

5. Enter a Name for the first tenant.


6. Create and configure a new Access Domain for the first tenant and click OK.

7. In the Clean Pipe area, enter a Bandwidth (Mbps) for This Tenant.
Enter a minimum of 100 Mbps for each tenant you create.
8. Click OK.

STEP 3 | Create zones for the tenant and map those zones for the tenant.
1. Select Network > Zones.
Make sure that you have selected the Clean Pipe Template for the tenant you created (cp-tpl-tenant).
2. Create zones for the tenant (for example, Trust and Untrust).
3. Select Panorama > Cloud Services > Configuration and select the Tenant from the drop-down list.
4. Select the Clean Pipe tab.
5. Click the gear icon next to Zone Mapping to edit the settings.
6. Add and Remove the zones you created to map them to trusted and untrusted zones.

STEP 4 | Onboard a new Clean Pipe for the tenant you created.
1. Select Panorama > Cloud Services > Configuration > Clean Pipe.
2. Add a new Clean Pipe instance for the tenant, entering the following information:
• Name—Specify a name for the clean pipe.
• Bandwidth—Select the Bandwidth to allocate for the clean pipe.
You can onboard Clean Pipe instances in increments of 100 Mbps, 200 Mbps, 300 Mbps, 400
Mbps, 500 Mbps, 1000 Mbps, 2000 Mbps, 5000 Mbps, and 10000 Mbps. The amount of
bandwidth you specify must be within the licensed bandwidth allocation, and it must match the
bandwidth of the VLAN attachment you create in the Partner Interconnect.

• Edge Availability Domain—Select the availability domain you want for the clean pipe. You can
choose 1, 2, ANY, or REDUNDANT.
• Specify ANY for a non-redundant Clean Pipe deployment.
Make sure that your cloud provider supports this choice; you must also select ANY on the
cloud provider side of the partner interconnect. If that choice is not available for your cloud
provider, make another choice.
• To specify two VLAN attachments in the same location in an active/backup configuration,
select REDUNDANT.
Prisma Access creates two pairing keys for a REDUNDANT configuration (one for each
availability zone), and appends the clean pipe name with zone1 for the first availability
zone and zone2 for the second availability zone. For example, if you specify a Name of San
Francisco, Prisma Access creates two zones named San Francisco-zone1 and San Francisco-
zone2.

Prisma Access assigns a BGP Multi-Exit Discriminator (MED) value of 100 for
zone1 and 200 for zone2. You must configure the same MED values for these
zones on your network’s customer premises equipment (CPE).
You can also build a redundant pair of clean pipes for a single tenant in different locations; to do
so, specify 1 for the first clean pipe in one location and 2 for the second clean pipe in a different
location.
• BGP Peer ASN—Enter the BGP Autonomous System Number (ASN).
You can specify either a private or public BGP ASN.
Make a note of this value; you configure it on the customer edge (CE) router when you complete
the Clean Pipe configuration.
• Location—Select the location.
We recommend that you use the same location that you use when you create the VLAN
attachment for the partner interconnect.
• To enable QoS, select QoS, then select the QoS Profile to use with the clean pipe. Clean Pipe QoS
shapes on ingress.
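Because a committed Clean Pipe cannot be edited (Step 6 below), it pays to check a tenant plan before you commit it. The following Python script is an added example, not part of the guide or of the Cloud Services plugin: it encodes the constraints stated on the preceding pages (the 1000 Mbps licence minimum, the 100 Mbps per-tenant minimum, the onboarding increments, the supported locations, one location per Clean Pipe within a tenant, a bandwidth equal to the VLAN attachment, and the four Edge Availability Domain values) and lists every violation in a constructed two-tenant plan. It also predicts the pairing-key entries and BGP MED values Panorama will show for a REDUNDANT pipe so you can prepare the CPE configuration in advance. The rule that a tenant's pipes must not add up to more than the tenant's own allocation is an assumption; the plan data is constructed.

```python
ALLOWED_PIPE_MBPS = (100, 200, 300, 400, 500, 1000, 2000, 5000, 10000)
MIN_LICENSE_MBPS = 1000
MIN_TENANT_MBPS = 100
EDGE_DOMAINS = ("1", "2", "ANY", "REDUNDANT")
SUPPORTED_LOCATIONS = {
    "asia-east1", "asia-east2", "asia-northeast1", "asia-south1", "asia-southeast1",
    "australia-southeast1", "europe-north1", "europe-west2", "europe-west3", "europe-west4",
    "northamerica-northeast1", "southamerica-east1", "us-central1", "us-east1", "us-east4",
    "us-west1", "us-west2",
}


def validate_plan(license_mbps, tenants):
    """Return a list of problems; an empty list means the plan passes every check.
    Each tenant is a dict with name, bandwidth and pipes; each pipe has name, location,
    bandwidth, edge and vlan_mbps (the bandwidth of the matching GCP VLAN attachment)."""
    problems = []
    if license_mbps < MIN_LICENSE_MBPS:
        problems.append("license below the %d Mbps minimum" % MIN_LICENSE_MBPS)
    if sum(t["bandwidth"] for t in tenants) > license_mbps:
        problems.append("tenant allocations exceed the licensed bandwidth")
    for t in tenants:
        if t["bandwidth"] < MIN_TENANT_MBPS:
            problems.append("%s: tenant bandwidth below %d Mbps" % (t["name"], MIN_TENANT_MBPS))
        seen = set()
        for p in t["pipes"]:
            tag = "%s/%s" % (t["name"], p["name"])
            if p["location"] not in SUPPORTED_LOCATIONS:
                problems.append(tag + ": location not supported by Clean Pipe")
            if p["location"] in seen:
                problems.append(tag + ": location already used by another pipe in this tenant")
            seen.add(p["location"])
            if p["bandwidth"] not in ALLOWED_PIPE_MBPS:
                problems.append(tag + ": bandwidth is not one of the onboarding increments")
            if p["bandwidth"] != p["vlan_mbps"]:
                problems.append(tag + ": bandwidth does not match the VLAN attachment")
            if p["edge"] not in EDGE_DOMAINS:
                problems.append(tag + ": edge availability domain must be 1, 2, ANY or REDUNDANT")
        # Assumption: a tenant's pipes should not add up to more than the tenant's own allocation.
        if sum(p["bandwidth"] for p in t["pipes"]) > t["bandwidth"]:
            problems.append("%s: pipes exceed the tenant's bandwidth" % t["name"])
    return problems


def expected_pairing_entries(pipe):
    """Entries Panorama lists on Network Details: two zone-suffixed names with MED 100 and 200
    for a REDUNDANT pipe, otherwise a single entry with no MED the guide asks you to mirror."""
    if pipe["edge"] == "REDUNDANT":
        return [(pipe["name"] + "-zone1", 100), (pipe["name"] + "-zone2", 200)]
    return [(pipe["name"], None)]


# Constructed sample plan for an MSSP with two tenants; tenant-b contains deliberate mistakes.
SAMPLE_PLAN = [
    {"name": "tenant-a", "bandwidth": 600, "pipes": [
        {"name": "SanFrancisco", "location": "us-west1", "bandwidth": 500,
         "edge": "REDUNDANT", "vlan_mbps": 500},
        {"name": "Toronto", "location": "northamerica-northeast1", "bandwidth": 100,
         "edge": "ANY", "vlan_mbps": 100},
    ]},
    {"name": "tenant-b", "bandwidth": 400, "pipes": [
        {"name": "Frankfurt", "location": "europe-west3", "bandwidth": 300,
         "edge": "1", "vlan_mbps": 300},
        {"name": "Frankfurt-2", "location": "europe-west3", "bandwidth": 150,
         "edge": "2", "vlan_mbps": 100},
    ]},
]

if __name__ == "__main__":
    for problem in validate_plan(1000, SAMPLE_PLAN):
        print(problem)
    for pipe in SAMPLE_PLAN[0]["pipes"]:
        print(expected_pairing_entries(pipe))
```

Run the check from a change-control script before Step 6; the four findings it reports for tenant-b (duplicate location, unsupported increment, VLAN mismatch, over-allocation) are exactly the kind of mistake that otherwise forces a delete-and-recreate during a downtime window.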

STEP 5 | Add more Clean Pipe instances as required by repeating Step 4.


Be sure that each additional Clean Pipe uses a different location.

STEP 6 | Commit your changes locally to make them active in Panorama.

Do not make changes to a Clean Pipe configuration after you commit it. If you change a
Clean Pipe after it’s been committed, you will receive a commit error when you re-commit
it. Instead, delete the existing Clean Pipe and add a new one. Since it takes some time
(up to 30 minutes) to create a new Clean Pipe, schedule this change during a system
downtime window. If you already made changes and have not yet committed, you can
revert the changes by editing the Clean Pipe configuration back to its previous values.

1. Select Commit > Commit to Panorama.


2. Make sure that the device groups, templates, and template stacks are part of the Commit Scope.
3. Click OK to save your changes to the Push Scope.
4. Commit your changes.

STEP 7 | Commit and push your changes to make them active in Prisma Access.
1. Select Commit > Commit and Push and Edit Selections in the Push Scope.
2. Select Prisma Access, then select Clean Pipe.

3. Click OK to save your changes to the Push Scope.


4. Commit and Push your changes.

STEP 8 | Check that your Clean Pipe has been provisioned.


1. Select Panorama > Cloud Services > Status.
2. Select the Tenant from the drop-down list at the top of the page.
3. Click Status.
The Clean Pipe status displays.
4. Hover over the Clean Pipe Config Status and wait until the status changes from Provisioning in
Progress to Provisioned.
This provisioning can take up to 30 minutes.

STEP 9 | Click the Network Details tab, click the Clean Pipe radio button, and make a note of the
Pairing Key.
The MSSP CE and Cloud Router IP fields are blank when you start to configure the Clean Pipe. These
fields populate after you create the VLAN Attachment when you complete the Clean Pipe configuration.
If you specified a REDUNDANT connection, Prisma Access creates two pairing keys, one for each
availability zone, and appends the clean pipe name with zone1 for the first availability zone and zone2
for the second availability zone. The following screenshot shows the SanFrancisco clean pipe with a
redundant configuration; Prisma Access has created two pairing keys, one for SanFrancisco-zone1 and
one for SanFrancisco-zone2. In addition, Prisma Access assigns a BGP MED value of 100 for zone1 and
200 for zone2; make sure that you use those same values in your network’s CPE.

STEP 10 | Complete the Clean Pipe configuration.

Complete the Clean Pipe Configuration


To complete configuration of Prisma Access for Clean Pipe, you perform configuration in the Partner
Interconnect and in Panorama.

Make sure that you can access and configure the CE and cloud routers on the Partner
Interconnect (non-Prisma Access) side of the Partner Interconnect.

STEP 1 | In the Partner Interconnect side of the configuration, create a VLAN attachment, using the
Pairing Key that you retrieved from Panorama.
For more information about creating VLAN attachments with Partner Interconnects and configuring
customer edge (CE) routers to communicate with cloud routers, refer to the Google Cloud
documentation at https://cloud.google.com/interconnect/docs/.
Make sure that the location and bandwidth you select matches the Location you specified in Panorama.
The service provider you use for the Partner Interconnect uses the pairing key, along with your
requested connection location and capacity, to complete the configuration of your VLAN attachment.

STEP 2 | After the connection comes up, return to Panorama, select Panorama > Cloud Services >
Status > Network Details > Clean Pipe and make a note of the MSSP CE and Cloud Router IP
addresses.

These values populate after you enter the Pairing Key on the other side of the VLAN attachment.

STEP 3 | Log in to the CE router and perform the following configuration.


1. Enter the MSSP CE address as the local IP address.
2. Enter the Cloud Router IP address as the peer IP address.
3. Enter a BGP ASN that matches the BGP Peer ASN you entered when you configured the Clean Pipe
in Panorama.
Make sure that you enter these values correctly; you cannot change them.

STEP 4 | Check the Clean Pipe status.


1. In Panorama, select Panorama > Cloud Services > Status, select the Tenant from the drop-down, and
check the Clean Pipe’s Status.
See the list of Prisma Access locations for acceptable values.
The Deployment Status area allows you to view the progress of onboarding and deployment jobs
before they complete, as well as see more information about the status of completed jobs. See
Deployment Progress and Status for details.

2. Select Panorama > Cloud Services > Status > Clean Pipe, and click the Monitor tab to see a map with
the status of the deployed Clean Pipes.

Click the tabs below the map to see additional statistics for the Clean Pipes.
Status tab:
• Compute Region—The compute region where your cloud service infrastructure is deployed for the
clean pipe instance.
• Name—The name of the clean pipe instance.
• Allocated Bandwidth (Mbps)—The amount of bandwidth you allocated for the clean pipe instance.
• Config Status—The status of your last configuration push to the service. If you have made a
change locally, and not yet pushed the configuration to the cloud, the status shows Out of sync.
Hover over the status indicator for more detailed information. After committing and pushing the
configuration to Prisma Access, the Config Status changes to In sync.
• BGP Status—Displays information about the BGP state between the firewall or router at the clean
pipe instance and Prisma Access. Although you might temporarily see the status pass through the
various BGP states (idle, active, open send, open pend, open confirm), most commonly the BGP
status shows:
• Connect—The router at the clean pipe instance is trying to establish the BGP peer relationship
with the cloud firewall.
• Established—The BGP peer relationship has been established.
This field will also show if the BGP connection is in an error state:
• Warning—There has not been a BGP status update in more than eight minutes. This may
indicate an outage on the firewall.
• Error—The BGP status is unknown.
• Status—The operational status of the connection between Prisma Access and the clean pipe
instance.
Statistics tab:
• Region—The region where your cloud service infrastructure is deployed for the clean pipe
instance.
• Name—The name of the clean pipe instance.
• Allocated Bandwidth (Mbps)—The amount of bandwidth you allocated for the remote network
location.
• QoS—Select QoS to display a page that contains graphical QoS statistics.
• Avg Egress Bandwidth 5 Min (Mbps)—The average amount of clean pipe egress bandwidth
averaged over 5 minutes.
• Avg Egress Bandwidth 60 Min (Mbps)—The average amount of clean pipe egress bandwidth
averaged over 60 minutes.
• Avg Ingress Bandwidth 5 Min (Mbps)—The average amount of clean pipe ingress bandwidth
averaged over 5 minutes.
• Avg Ingress Bandwidth 60 Min (Mbps)—The average amount of clean pipe ingress bandwidth
averaged over 60 minutes.
• Egress Peak Bandwidth 1 Hour (Mbps)—The amount of peak egress bandwidth for the clean pipe
instance for the last 1 hour.
• Egress Peak Bandwidth 24 Hour (Mbps)—The amount of peak egress bandwidth for the clean
pipe instance for the last 24 hours.
• Egress Peak Bandwidth 7 Days (Mbps)—The amount of peak egress bandwidth for the clean pipe
instance for the last 7 days.
• Egress Peak Bandwidth 30 Days (Mbps)—The amount of peak egress bandwidth for the clean
pipe instance for the last 30 days.
• Ingress Peak Bandwidth 1 Hour (Mbps)—The amount of peak ingress bandwidth for the clean
pipe instance for the last 1 hour.

• Ingress Peak Bandwidth 24 Hour (Mbps)—The amount of peak ingress bandwidth for the clean
pipe instance for the last 24 hours.
• Ingress Peak Bandwidth 7 Days (Mbps)—The amount of peak ingress bandwidth for the clean
pipe instance for the last 7 days.
• Ingress Peak Bandwidth 30 Days (Mbps)—The amount of peak ingress bandwidth for the clean
pipe instance for the last 30 days.

Prisma Access Insights
Continuously monitor the health and performance of your Prisma Access environment with the
new Insights app. All Prisma Access users can access and explore Insights—just visit the hub to
get started.

> Take a First Look at Prisma Access Insights


> Go to the Insights App
> Give the Right People Access to Insights
> Learn About Insights Alerts
> Choose a Preferred Window for Certain Prisma Access Upgrades
> Release Updates

First Look at Prisma Access Insights
The Prisma Access Insights app gives you a way to continuously monitor your Prisma Access environment.
When an event or status requires your attention, Insights sends you alert notifications so you can quickly
pinpoint issues that you can fix and so that you have visibility into the fixes the Prisma Access team is
working on.
Insights is available to all Prisma Access users. You can find it on the hub—no need to activate or set it up.
For every Prisma Access instance your organization owns, a corresponding Insights instance is available.
When you first log in to Insights, you’ll see a bird’s-eye view of your entire environment:

Multiple dashboards give you focused views of your different deployments, your alerts, and the Prisma
Access infrastructure. You can adjust and toggle your view to evaluate trends over time or examine
data from a different angle. Drilldown for details on specific users, sites, connections, or Prisma Access
infrastructure components.

Go to the Insights App to start exploring Prisma Access Insights.

Go to the Insights App
The hub is a single place where you can access the Palo Alto Networks cloud services and apps for your
organization. The Insights app is available to all Prisma Access users. You can find the app on the hub—no
need to activate the app or set it up. When you log in to the hub, even if you’re logging in for the first time,
you’ll see the Prisma Access Insights app tile displayed on the hub homepage:

To log in to the hub, and then to the Insights app:


• Use the credentials associated with your Palo Alto Networks support account to log in to the hub.
• Confirm that you—and any other users you’d like to access Prisma Access Insights or receive alerts—
have the hub role required to access the app. If you are not able to log in to the app, it might be because
you are not assigned one of the hub roles that would grant you access.
If you’re using Panorama to manage Cloud Managed Prisma Access, you can also access Insights directly
from Panorama:

Give the Right People Access to Insights
The hub is a single place where you can access the Palo Alto Networks cloud services and apps for your
organization. The Insights app is available to Prisma Access users, and you can find it on the hub. To access
the Insights app, you—and any others you’d like to use the app—must be assigned the required hub role.
Additionally, users to whom you want to send Prisma Access alert notifications must also have a hub role
that grants them access to Insights.
Only one of these roles is needed to use Insights and to receive Prisma Access alerts. The role you assign
depends on the level of access the user requires and the management interface you’re using for Prisma
Access (Panorama or the Prisma Access app).
Account Administrator—The account administrator role on the hub is automatically assigned to the first
user from your organization to register on the Palo Alto Networks customer support portal. However,
other users can also have this role; there’s no limit to the number of users to which you can assign this
or any other role. Account administrators can access any of your organization’s apps (including Insights),
and you must be an account administrator to assign roles to other users.
(Panorama Managed Prisma Access) A Panorama role—A Panorama app administrator and instance
administrator can access and use the Insights app.
Granting a user a Panorama role on the hub does not affect or impact Panorama access permissions.
Right now, the Panorama hub role only controls access to the Insights app.
(Cloud Managed Prisma Access only) A Prisma Access role—A Prisma Access app administrator and
instance administrator can access and use the Insights app. If you can log in to the Prisma Access app,
you already have one of these roles; they’re the same roles required to use the Prisma Access app for
cloud management.
Here’s how to view your hub role assignments and assign hub roles for Insights to other members of your
support account:

• View hub role assignments.


1. Use the credentials associated with your Palo Alto Networks support account to log in to the hub.
2. Click the settings gear that’s located on the top right of the page, and select Access Management.

3. The Access Management page lists all the users in your organization and the roles to which they’re
assigned.
Account administrators have access to all of your organization’s apps. Other roles are specific to apps
or even app instances.

• Assign a user one of the roles required for Insights.

1. On the hub Access Management page, search for and select the user to whom you want to assign a
role.

2. Click Assign Roles.


3. Assign roles at the account level, app level, or instance level.

• Account—Assign the Account Administrator role to the user. Account administrators can access
all apps associated with this account.
• Panorama—Assign the Panorama App Administrator or Instance Administrator roles to the
user. Depending on the access level you choose, the user will be able to access Insights data
and receive alerts for all your Panorama Managed Prisma Access instances or only specific
instances. Granting a user a Panorama role on the hub does not affect or impact Panorama access
permissions. Right now, the Panorama hub role only controls access to the Insights app.

This role is for Panorama Managed Prisma Access users only. Do not use this role
if you’re using the Prisma Access app for Cloud Managed Prisma Access.
• Prisma Access—Assign the Prisma Access App Administrator or Instance Administrator roles to
the user. Depending on the access level you choose, the user will be able to access Insights data
and receive alerts for all your Cloud Managed Prisma Access instances or only specific instances.
This is the same role required to access the Prisma Access app for Cloud Managed Prisma Access.
Granting users this role will mean they can also access the Prisma Access app.

This role is for Cloud Managed Prisma Access users only. Do not use this role if
you’re using Panorama to manage Prisma Access.

Learn About Insights Alerts
Insights alerts you when something is not right in your Prisma Access environment. Alerts details describe
the issue, give you context, and guide you to a resolution. Alerts also let you know if there’s an issue
impacting the Prisma Access cloud infrastructure, so that you’re aware as the Prisma Access team works on
a fix.
Insights enables you to set up alert notifications, so that you can receive alerts directly in your email inbox.
Alerts are resolved only when the issue that triggered the alert is fixed; you cannot manually resolve alerts.
Users subscribed to alert notifications receive a notification both when Insights first detects an issue
and when it is resolved.
• All Insights Alerts
• Investigate Alerts in the Insights App
• Turn on Alert Notifications

All Insights Alerts


Turn on Alert Notifications to get email updates when Insights detects an issue and when it is resolved.
Prisma Access Insights provides two types of alerts:
• Environment alerts tell you about the status of your Prisma Access environment, especially if something
is not working as expected.
Insights generates alerts when an issue is triggered, and also when it’s resolved so that you know it’s
been addressed. You cannot manually resolve alerts—an alert is only considered resolved when the issue
triggering the alert has been fixed. Some alerts let you know about issues that the Prisma Access team is
working on; others let you know about issues that you can resolve with a configuration update.
• Upgrade notifications let you know about upcoming software upgrades and status for upgrades that are
in-progress or completed.

Also subscribe to status updates for Palo Alto Networks cloud services.

Environment Alerts

Each environment alert is listed below with its scope, what it means, and the action you can take.

• A Prisma Access location is down
Scope: Remote Networks
What does this mean? A Prisma Access location has been down for more than two minutes, and we’re
working on a fix. Check the status of remote network sites in this location to see how they are impacted.
What action can you take? Check the status of remote network sites in this location to see how they are
impacted, and hang in there while the Prisma Access team works to fix this. We’ll send you a notification
to let you know when we’ve resolved this.

• A Prisma Access location is down
Scope: Mobile Users
What does this mean? This Prisma Access location has been down for more than two minutes, and we’re
working on a fix. In the meantime, mobile users in this location automatically connect to another of your
Prisma Access locations.
What action can you take? Hang in there while the Prisma Access team works to fix this. We’ll send you a
notification to let you know when we’ve resolved this.

• A Prisma Access login portal is down
Scope: Mobile Users
What does this mean? The impact to your users is minimal when a single Prisma Access login portal is
down. If all Prisma Access login portals are down, only Prisma Access users who are connecting for the
first time are impacted. These users must wait for the portal to be up before they can successfully log in.
What action can you take? Hang in there while the Prisma Access team works on a fix. We’ll send you a
notification to let you know when we’ve resolved this.

• A service connection is down
Scope: Service Connection
What does this mean? All Prisma Access nodes that process traffic for this service connection are down.
We’re aware of this issue and working on a fix.
What action can you take? Hang in there while the Prisma Access team works on a fix. We’ll send you a
notification to let you know when we’ve resolved this.

• A remote network site is not connected to Prisma Access
Scope: Remote Networks
What does this mean? All tunnels connecting a remote network site to Prisma Access are down.
What action can you take? Check the IPSec tunnel configuration for this remote network site.

• A tunnel is down (and tunnel monitoring is not enabled)
Scope: Remote Networks
What does this mean? The tunnel has been down for more than five minutes. Note that you do not have
tunnel monitoring configured.
What action can you take? Check the configuration for the remote network site and the IPSec tunnel that
is down. Also consider turning on tunnel monitoring to proactively detect tunnel connectivity issues.

• A tunnel is down (and tunnel monitoring is enabled)
Scope: Remote Networks
What does this mean? Tunnel monitoring detects that a tunnel has been down for more than five minutes.
What action can you take? Check the configuration for the remote network site and the IPSec tunnel that
is down.

• A Prisma Access location has lost connectivity to some SaaS applications
Scope: Prisma Access Location
What does this mean? A Prisma Access location has not been able to connect to some SaaS applications
for more than five minutes. This impacts mobile users and remote network sites connecting to this location.
What action can you take? Hang in there while the Prisma Access team works on a fix. We’ll send you a
notification to let you know when we’ve resolved this.

• A Prisma Access location has lost internet connectivity
Scope: Prisma Access Location
What does this mean? A Prisma Access location has not been able to reach the internet for more than five
minutes. This impacts mobile users and remote network sites connecting to this location.
What action can you take? Hang in there while the Prisma Access team works on a fix. We’ll send you a
notification to let you know when we’ve resolved this.

• A service connection tunnel is down
Scope: Service Connections
What does this mean? A service connection tunnel has been down for at least two minutes. If this is the
only tunnel configured for the service connection (there’s no secondary tunnel configured), this might
mean that the connection between an HQ or data center and Prisma Access is down.
What action can you take? Check the IPSec tunnel configuration for this service connection.

• A service connection tunnel is flapping
Scope: Service Connections
What does this mean? A service connection tunnel has disconnected from Prisma Access (and then
reconnected) at least two times in the last five minutes.
What action can you take? Check the IPSec tunnel configuration for this service connection.
Upgrade Notifications

Each upgrade notification is listed below with what it means and the action you can take.

• Planned Software Upgrade
What does this mean? Informs you of the scheduled date for an upcoming software upgrade.
What action can you take? Go to Prisma Access Insights, click the help icon, and choose your upgrade
window preference. If you don’t choose an upgrade window, the upgrade takes place on the scheduled
date, between 12 and 4 AM local time for the Prisma Access location.

• Upgrade Window Confirmation
What does this mean? Confirms that you’ve chosen a time window for a software upgrade to take place,
and the Prisma Access locations that’ll be upgraded.
What action can you take? Double-check the upgrade window and the Prisma Access locations you’ve
chosen for upgrade.

• Three Day Notice for a Software Upgrade
What does this mean? Lets you know that a software upgrade is scheduled for three days from now, and
the Prisma Access locations that will be upgraded.
What action can you take? Plan for the upgrade window. During the upgrade window, you cannot save
configurations for the deployments you have in the Prisma Access location that is being upgraded.

• A Software Upgrade is in Progress
What does this mean? Alerts you to a software upgrade that is in progress, and the Prisma Access
locations that are being upgraded.
What action can you take? During a software upgrade, you cannot save configuration changes to Prisma
Access. Upgrades usually take a few hours to complete.

• A Software Upgrade for a Prisma Access Location is Complete
What does this mean? A Prisma Access location has been successfully upgraded. The Prisma Access team
now has this location under advanced performance monitoring for the next seven days to ensure a
seamless transition.
What action can you take? Wait for all of your Prisma Access locations to be successfully upgraded before
trying out new features.

• Software Upgrades for all Prisma Access Locations are Completed Successfully
What does this mean? All your Prisma Access locations are successfully upgraded.
What action can you take? A Prisma Access software upgrade can include transparent updates
(infrastructure updates or performance enhancements) or new capabilities and management features for
you to try out. To see what’s new with Prisma Access, visit the release notes for the Prisma Access
management interface you’re using (Panorama Managed or Cloud Managed).

• Software Upgrade Roll-Back
What does this mean? The Prisma Access team closely monitors Prisma Access locations following a
software upgrade. We’ve found something unexpected, and are rolling back to the last software version
running in your Prisma Access environment.
What action can you take? Hang in there while we roll back Prisma Access. During the roll-back, you
cannot save configuration changes to Prisma Access. You’ll receive a notification when the roll-back is
complete.

• Cancelled Software Upgrade
What does this mean? A scheduled software upgrade is canceled.
What action can you take? There’s no impact to you. The Prisma Access team will let you know when the
next upgrade is scheduled.
Investigate Alerts in the Insights App


Insights shows you open and resolved Prisma Access alerts from the past 30 days, though you can narrow
your alert view to focus in on specific time periods.

Click on an alert to learn more about what’s happening and the impact to your mobile users and remote
sites.

Turn on Alert Notifications
Enable Insights to send email alerts when it initially detects an issue and when the issue is resolved. These
alert notifications describe the issue and impact, and include a link to Insights where you can investigate
further.
The Palo Alto Networks email address from which you receive alert notifications is
[email protected].

To send alert notifications to an email destination:

STEP 1 | Grant access to the Insights app for the people who you want to receive alert notifications.
To receive Insights alerts, you must be an Insights admin. There are three types of admin roles that can
access Insights, but only account administrators can grant users access to an app. Go to the hub to check
role assignments and assign roles.

STEP 2 | Log in to Insights from the hub.

STEP 3 | Go to Settings and add the email address to which Insights should send alert notifications.
The email accounts to which Insights sends alerts must be the same email accounts associated with
users in your Palo Alto Networks support account.

Choose a Preferred Window for Certain Prisma
Access Upgrades
For certain Prisma Access upgrades—learn about the different types of Cloud Managed and Panorama
Managed updates—Prisma Access Insights gives you the option to choose a preferred upgrade window.
Because you cannot make configuration changes during a Prisma Access infrastructure upgrade, this gives
you a way to choose the window that works best for your organization. You can also choose the Prisma
Access locations to upgrade first—the Prisma Access team closely monitors the locations you choose for
seven days, and then continues to update remaining locations.
The option to choose a preferred upgrade window is available only for certain types of releases. To know
when a preferred upgrade window is available and to choose your window:

STEP 1 | Sign up to receive Prisma Access Insights alert notifications.


We’ll send you notifications:
• When the option to choose a preferred upgrade window is available
• To confirm a preferred upgrade window
• To give you three days’ notice ahead of a scheduled upgrade
• When a Prisma Access location upgrade begins
• When a Prisma Access location upgrade is complete
• When all Prisma Access locations are successfully upgraded

STEP 2 | After you are notified that an upgrade window preference is available, go to the Prisma Access
Insights app to choose your preferred upgrade window.
1. Go to the Insights App.
2. You’ll see a banner in the app, letting you know that you can choose your upgrade window
preferences.
Choose your preferred upgrade window from the selections available, along with the Prisma Access
locations you want upgraded during this window.
After you’ve submitted your preferred upgrade window, you’ll receive a Prisma Access Insights
notification confirming your window choice. You cannot change your upgrade window after
submitting your preference.

Release Updates
Here’s where you can learn about the latest Prisma Access Insights features and the known issues the team
is working on to improve your Insights experience:
• Insights Release Notes (Panorama Managed)
• Insights Release Notes (Cloud Managed)
