<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Prisma Access Security policy enforcement in GlobalProtect Discussions</title>
    <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/prisma-access-security-policy-enforcement/m-p/597031#M5780</link>
    <description>&lt;P&gt;So I was looking at Prisma Access content and came across this:&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;If traffic is initiated from a service connection and bound for a mobile user or a remote network, Prisma Access cannot restrict the traffic. The traffic hits no security-enforcement point, because the RN-SPN and MU-SPNs enforce Security policy only on sessions ingressing into Prisma Access from behind the security processing node. This is not a recommended architecture.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The proper way to control traffic sessions that come out of a service connection is with an on-premises firewall on the network behind the service connection. An on-premises firewall at the data center is the correct way to enforce Security policy for a session initiated by a service connection to a remote network.&lt;BR /&gt;&lt;BR /&gt;When they say firewall on the network behind the service connection, can this be the same Palo Alto that the service connection terminates to? I would assume so, no?&lt;/P&gt;</description>
    <pubDate>Thu, 05 Sep 2024 21:32:26 GMT</pubDate>
    <dc:creator>S_Williams901</dc:creator>
    <dc:date>2024-09-05T21:32:26Z</dc:date>
    <item>
      <title>Prisma Access Security policy enforcement</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/prisma-access-security-policy-enforcement/m-p/597031#M5780</link>
      <description>&lt;P&gt;So I was looking at Prisma Access content and came across this:&lt;BR /&gt;&lt;BR /&gt;&lt;/P&gt;
&lt;P&gt;If traffic is initiated from a service connection and bound for a mobile user or a remote network, Prisma Access cannot restrict the traffic. The traffic hits no security-enforcement point, because the RN-SPN and MU-SPNs enforce Security policy only on sessions ingressing into Prisma Access from behind the security processing node. This is not a recommended architecture.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The proper way to control traffic sessions that come out of a service connection is with an on-premises firewall on the network behind the service connection. An on-premises firewall at the data center is the correct way to enforce Security policy for a session initiated by a service connection to a remote network.&lt;BR /&gt;&lt;BR /&gt;When they say firewall on the network behind the service connection, can this be the same Palo Alto that the service connection terminates to? I would assume so, no?&lt;/P&gt;</description>
      <pubDate>Thu, 05 Sep 2024 21:32:26 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/prisma-access-security-policy-enforcement/m-p/597031#M5780</guid>
      <dc:creator>S_Williams901</dc:creator>
      <dc:date>2024-09-05T21:32:26Z</dc:date>
    </item>
    <item>
      <title>Re: Prisma Access Security policy enforcement</title>
      <link>https://live.paloaltonetworks.com/t5/globalprotect-discussions/prisma-access-security-policy-enforcement/m-p/597469#M5805</link>
      <description>&lt;P&gt;Hi&amp;nbsp;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/271836"&gt;@S_Williams901&lt;/a&gt;&amp;nbsp;,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Yes! It can be the same Palo that the service connection terminates to or another on-premises Palo to manage and enforce policies. It really comes down to &lt;SPAN&gt;Service Connection (SC-CAN) being aimed for HQ or Data Centers where it's assumed you already have existing firewalls on-premise or virtually to enforce security.&lt;/SPAN&gt;&lt;/P&gt;</description>
      <pubDate>Wed, 11 Sep 2024 03:08:10 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/globalprotect-discussions/prisma-access-security-policy-enforcement/m-p/597469#M5805</guid>
      <dc:creator>JayGolf</dc:creator>
      <dc:date>2024-09-11T03:08:10Z</dc:date>
    </item>
  </channel>
</rss>

