Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
Due to COVID-19 pandemic, customers are asking their employees to work remotely. As a result, they expect to see a significant increase in the remote users connecting to Prisma Access and have questions around the scalability and capacity for mobile users with Prisma Access. A new FAQ for Prisma Access has been put together to address some of the most questions.
A: Prisma Access leverages AWS and GCP as cloud infrastructure providers to operate the service worldwide and help with scale and capacity. Due to the COVID-19 pandemic, all service providers including Prisma Access understand the need to add additional capacity. Definitive steps have been taken to ensure that Prisma Access is able to get the required resources from the cloud providers to meet your increasing demand.
A: You can sign-up for alerts at Palo Alto Networks Cloud Services Status to be notified if the service is experiencing any issues.
A: Yes, we have several SLAs for your service.
For more details, please see: Prisma Access Service Level Agreement
A: The current release version for the Cloud Services plugin is 1.5. You are required to use Panorama version 9.0.4 or higher to manage Prisma Access. Please note that Panorama version 9.1.x is not supported with Cloud Services plugin 1.5.
For more information, please see: Features Introduced in Prisma Access.
A: To ensure that the business-critical applications get the priority and are not impacted by video streaming services like Netflix, Youtube and Zoom, please consider the recommendation below to optimize your mobile user deployment.
You can steer video traffic directly to the internet instead of tunneling through Prisma Access. This can reduce the amount of low-risk video traffic to Prisma Access, so that interesting traffic can be serviced in an efficient manner. For example, you can leverage this feature to split high-bandwidth video streaming traffic, such as 'netflix-streaming,' and provide additional bandwidth to business-critical applications. For more information, please refer to:
GlobalProtect: Implement Split Domain and Application
Optimized Split Tunneling for GlobalProtect
A: Yes, it is highly recommended that you revisit the size of provisioned mobile user IP pool for each theater, and compare that to the number of remote users that you expect connecting to the service in each theater. If you identify that a mobile user pool assigned to a theater cannot accommodate all users in that theater, you need to proceed with one of the following options:
For more information on how global pools are routed, please refer to the routing guide:
A: Prisma Access supports auto-scaling for mobile users, and it is transparent to the end users and network administrators. As auto scaling takes place, new mobile user connections are automatically distributed to the new cloud instances. Depending on the demand, new IP addresses may be added to the service during auto-scaling event.
If you currently whitelist your Prisma Access dedicated IP addresses with a SaaS provider or partner, please see:
"Plan for IP Address Changes for Mobile Users, Remote Networks, and Service Connections."
A: Best practices need to be followed (as mentioned before regarding the split-tunneling feature) to prioritize business critical traffic. If you practice public IP whitelisting with SaaS providers and partners to accommodate autoscaling events, keep in mind that you must consider whitelisting both active and reserved public IP addresses of the gateways with SaaS providers. This will ensure that your users have uninterrupted access to the SaaS services that are critical to perform job duties.
Please see the following resources for more information:
Plan for IP Address Changes for Mobile Users, Remote Networks, and Service Connections
Retrieve the IP Addresses for Prisma Access
A: Yes, users on unmanaged devices (Windows and Mac) can download and install GlobalProtect agent from the Prisma Access mobile user portal and connect to the service with corporate credentials. For additional security, you can enforce a certain device posture by applying HIP checks and policies. To facilitate the access from unmanaged devices, the following conditions must be followed:
For more information, please see: Download and Install the GlobalProtect Agent for Windows.
A: For mobile users, Prisma Access leverages GlobalProtect architecture to provide redundancy in case of a failure of the gateway. In the unlikely event that a GlobalProtect gateway fails, the Global Protect agent will automatically reconnect the user to the closest gateway. Often, this event is transparent to the user, and it is recommended to turn on multiple Prisma Access locations in each region for mobile users to provide the best user experience.
A: In order to operate the service efficiently and to meet the increasing demand, the Prisma Access Site Reliability Engineering team leverages advanced and modern tools to continuously monitor the Prisma Access infrastructure and auto remediate common network issues when encountered. The SRE team is also capable of proactively reaching out to customers in case an anomaly is identified that can have an impact on service usability. The team has a presence around the globe to provide around the clock support in theaters, including Americas, EMEA, and APAC.
Prisma Access infrastructure supports large scale deployments with some customers connecting over 100K mobile users everyday. Prisma Access provides a dedicated dataplane to each customer, and an autoscaling event for one customer does not impact any other customer connected to the service.
Due to the COVID-19 situation, many Palo Alto Networks employees around the world are primarily working from home, and they rely on Prisma Access to provide best in class user experience and performance at scale.
A: The Global Protect app inherently has the ability to reconnect to the next available mobile user gateway in case of an issue at a certain location or region. Please see question on GlobalProtect redundancy above.
A: Palo Alto Networks will allow customers to use more than their purchased mobile user license for temporary emergencies, such as the shelter-in-place orders due to the COVID-19 pandemic. Prisma Access will not prevent extra users from connecting, and we will not charge for the increased usage as long as it is for emergency usage and not a long term reliance on the extra capacity.
A: Prisma Access operations team is SOC2 certified.
Please see: Palo Alto Networks SOC2
A big thanks goes to Saurabh Dixit (@sadixit) for helping with this FAQ.
Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumb up) button, don't forget to subscribe to the LIVEcommunity Blog.
As always, we welcome all comments and feedback in the comments section below.
Stay Secure,
Joe Delio
End of line
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
| Subject | Likes |
|---|---|
| 3 Likes | |
| 2 Likes | |
| 2 Likes | |
| 2 Likes | |
| 2 Likes |
| User | Likes Count |
|---|---|
| 5 | |
| 4 | |
| 2 | |
| 2 | |
| 2 |
