2. Palo Alto Prisma Access
Prisma Access is a globally distributed cloud service from Palo Alto Networks that scales automatically to provision remote employees and office locations with the capacity they need.
Prisma Access comes with the same security features as PAN next-generation firewalls, without the need to deploy a completely new infrastructure. This lets companies maintain business continuity efficiently, as Prisma Access automatically scales up where extra capacity is required.
Prisma Access is PAN's Secure Access Service Edge (SASE) offering, providing secure connectivity to Remote Networks as well as Mobile Users.
It is a cloud-based platform geographically dispersed across 100+ locations in 75+ countries across the globe (hosted in GCP).
Prisma Access can be used for sites as well as for remote users, and provides:
• Security as a Service layer
• Network as a Service layer
Potential use cases include:
• Site-to-Site traffic
• Remote-User-to-Site traffic
• Site and Remote-User to Internet traffic
3. Prisma Access Features
MANAGEMENT
• License for Panorama required
• No license required for the Prisma Access Panorama plugin
• Prisma Access does not count against the Panorama device license
SECURITY INCLUDED
• URL Filtering
• Threat Prevention
• WildFire
• Host Information Profile
• DNS Security
SECURITY SUBSCRIPTION REQUIRED
• Cortex XDR for Logging
• Data Loss Prevention (DLP)
• Prisma SaaS
• AutoFocus
LICENSES
• Remote Network License
• Mobile Users License
4. Prisma Service Components
SC (Service Connection)
• Connects a central site such as a DC to Prisma Access using an IPSec tunnel, used to reach management servers
• As of Oct 2020, SC links are not rate-limited and are not counted towards the Prisma subscribed BW
• An SC cannot originate a connection to the Internet
CAN (Corporate Access Node)
• A CAN is deployed with each SC and is used to route traffic to Prisma Access connected destinations
• The CAN does not enforce any security policy
SPN (Security Processing Node)
• SPNs are used to terminate VPN tunnels and to inspect and secure traffic from remote sites
• SPNs are automatically deployed when Remote Networks are on-boarded
• SPNs are based on a fault-tolerant, HA-based design within each location that scales dynamically as needed
GW (Gateway Node)
• Gateway Security Processing Nodes are similar in functionality to SPNs, except that they provide security to Mobile Users
5. Typical Implementation Steps
• A Service Connection is on-boarded, which provisions a Corporate Access Node (CAN)
• Remote Networks (RN) are on-boarded, which provisions Security Processing Nodes (SPN) that scale dynamically
• Mobile Users are on-boarded, which provisions one or more Gateway Security Processing Nodes (GW)
• Full-mesh connectivity is established automatically for trusted and untrusted traffic flows:
  • Site-to-Site traffic
  • Remote-User-to-Site traffic
  • Site and Remote-User to Internet traffic
• Logs are forwarded to the centralized Cortex Data Lake (CDL)
[Diagram: Prisma Access cloud with the DC connected via SC to a CAN, SPNs for Remote Networks, a GW for Mobile Users, the Internet, and CDL for logging]
7. Architecture Notes
• Prisma comes with the concept of a TENANT (customer) having multiple sites
• A tenant must subscribe to Prisma BW; the tenant's subscribed BW can be divided across its different sites
• Each site is limited to the BW allocated to it; a site's unused idle BW cannot be used by other sites
• Prisma BW is symmetric, i.e. 100MB on a site refers to 100MB up + 100MB down. If SSL decryption is used, this is the BW of the decrypted traffic that Prisma sends to the client site
• Prisma FW policies are applied at each Remote Network connection
• Separate subscriptions are required for Mobile Users and Remote Networks
• Example: 200MB Prisma tenant BW divided into sites:
  • 1 HO: 100MB (100 up + 100 down)
  • 2 BRANCHES: 50MB (50 up + 50 down) each
  • 1 DC (Service Connection): currently SCs don't count against the Prisma subscribed BW, but this is likely to be changed by PAN in future by introducing a separate SKU