With the COVID-19 pandemic, customers are asking their employees to work remotely. As a result, they expect a significant increase in the number of remote users connecting to Prisma Access, and they have questions about the scalability and capacity of Prisma Access for mobile users. A new FAQ for Prisma Access has been put together to address some of the most common questions.
Prisma Access Operations
Q: What certifications does Prisma Access hold?
A: The Prisma Access operations team is SOC 2 certified.
Q: How is Prisma Access planning to meet the sudden surge in demand?
A: Prisma Access uses AWS and GCP as cloud infrastructure providers to operate the service worldwide, which is what gives it scale and capacity. Because of the COVID-19 pandemic, all service providers, including Prisma Access, understand the need to add capacity. Definitive steps have been taken to ensure that Prisma Access can obtain the required resources from the cloud providers to meet your increasing demand.
Q: How do I know if the service is operating normally?
Q: What version of Panorama do I need to manage Prisma Access?
A: The current release of the Cloud Services plugin is 1.5. Panorama version 9.0.4 or later is required to manage Prisma Access. Note that Panorama 9.1.x is not supported with Cloud Services plugin 1.5.
Q: How can I ensure that my business-critical applications are not impacted by an increase in remote employees?
A: To ensure that business-critical applications get priority and are not impacted by video traffic from services such as Netflix, YouTube and Zoom, consider the recommendation below to optimize your mobile user deployment.
Exclude Video Streaming
GlobalProtect provides a built-in mechanism to exclude video-streaming traffic from the tunnel. You can steer video traffic directly to the internet instead of tunneling it through Prisma Access. This reduces the amount of low-risk video traffic reaching Prisma Access, so that the traffic you actually want inspected is serviced efficiently. For example, you can use this feature to split out high-bandwidth video streaming applications such as 'netflix-streaming' and leave that bandwidth to business-critical applications. Keep in mind that excluded traffic bypasses Prisma Access inspection entirely, so only exclude applications you are comfortable treating as low risk.
Q: If all of my employees are going to work remotely, do I need to worry about mobile user IP pool exhaustion?
A: Yes. It is highly recommended that you revisit the size of the provisioned mobile user IP pool for each theater and compare it with the number of remote users you expect to connect to the service in that theater. If a mobile user pool assigned to a theater cannot accommodate all users in that theater, proceed with one of the following options:
Increase the size of the existing mobile user pools per theater in Panorama.
Assign a global IP pool if you have not provisioned one already. If and when the theater-specific pools are exhausted, the service starts using the global IP pool for new users connecting to the service.
For more information on how global pools are routed, please refer to the routing guide:
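Added example (not part of the original post): a small capacity check that does the comparison described above for you. It sums the addresses in each theater's pool, compares that with the expected peak user count per theater, adds up the overflow that would spill into the global pool, and flags pools that overlap. The pool sizes, user counts and the "every address is assignable" rule are assumptions for illustration; the real number of usable addresses per block is service-specific, so treat the capacity figure as an upper bound.

```python
import ipaddress

# Constructed sample data (not from the original post): theater-specific
# pools, the number of mobile users each theater is expected to carry at
# peak, and the optional global pool that absorbs overflow.
THEATER_POOLS = {
    "americas": ["10.100.0.0/22"],   # 1024 addresses
    "emea":     ["10.100.4.0/23"],   # 512 addresses
    "apac":     ["10.100.6.0/24"],   # 256 addresses
}
EXPECTED_USERS = {"americas": 1500, "emea": 400, "apac": 300}
GLOBAL_POOL = ["10.200.0.0/23"]       # 512 addresses


def pool_capacity(cidrs):
    """Number of addresses in a list of CIDR blocks.

    Assumption: every address in the block is assignable. Treat the result
    as an upper bound; the service may hold back some addresses per block.
    """
    return sum(ipaddress.ip_network(c, strict=False).num_addresses for c in cidrs)


def plan_pools(theater_pools, expected_users, global_pool=()):
    """Compare each theater's pool with its expected peak user count.

    Returns a dict keyed by theater with capacity, expected users and the
    shortfall, plus a "global" entry that says whether the global pool is
    large enough to absorb the combined overflow of all theaters.
    """
    report = {}
    overflow = 0
    for theater, cidrs in theater_pools.items():
        capacity = pool_capacity(cidrs)
        users = expected_users.get(theater, 0)
        shortfall = max(0, users - capacity)
        overflow += shortfall
        report[theater] = {"capacity": capacity, "expected": users, "shortfall": shortfall}
    global_capacity = pool_capacity(global_pool)
    report["global"] = {
        "capacity": global_capacity,
        "overflow": overflow,
        "covered": overflow <= global_capacity,
    }
    return report


def find_overlaps(theater_pools, global_pool=()):
    """Return pairs of pools whose address ranges overlap.

    Overlapping pools would hand the same address to two users, so this
    is worth checking whenever a pool is enlarged or a global pool is added.
    """
    nets = [(name, ipaddress.ip_network(c, strict=False))
            for name, cidrs in {**theater_pools, "global": list(global_pool)}.items()
            for c in cidrs]
    clashes = []
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                clashes.append((name_a, str(net_a), name_b, str(net_b)))
    return clashes


if __name__ == "__main__":
    for theater, row in plan_pools(THEATER_POOLS, EXPECTED_USERS, GLOBAL_POOL).items():
        print(theater, row)
    print("overlaps:", find_overlaps(THEATER_POOLS, GLOBAL_POOL))
```

With the sample numbers, americas is short by 476 addresses and apac by 44, and the /23 global pool (512 addresses) cannot absorb the combined overflow of 520; enlarging the global pool to a /22 would. Run the check with your own pools and peak user forecast before the users arrive, since a pool that is too small only shows up as users failing to connect.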
A: Prisma Access supports auto-scaling for mobile users, and it is transparent to end users and network administrators. As auto-scaling takes place, new mobile user connections are automatically distributed to the new cloud instances. Depending on demand, new IP addresses may be added to the service during an auto-scaling event.
If you currently whitelist your Prisma Access dedicated IP addresses with a SaaS provider or partner, please see:
Q: How can I prepare for spikes in traffic and overloaded systems?
A: Follow the best practices mentioned above (such as the split-tunnel feature) to prioritize business-critical traffic. If you whitelist public IP addresses with SaaS providers and partners, keep in mind that to accommodate auto-scaling events you must whitelist both the active and the reserved public IP addresses of the gateways; the reserved addresses are the ones that come into service when the gateways scale out. This ensures that your users have uninterrupted access to the SaaS services that are critical to their job duties.
Please see the following resources for more information:
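Added example (not part of the original post): a script that turns the list of gateway addresses into the allowlist a SaaS partner should have on file, including the reserved addresses, and diffs it against what the partner currently allows. The endpoint, header name, request body and response layout used here are assumptions about the Prisma Access IP-address API and must be checked against the documentation for your tenant; the response below is constructed with RFC 5737 documentation addresses so the script runs offline.

```python
import ipaddress
import json
import urllib.request

# Assumed endpoint, header and request body of the Prisma Access
# "retrieve IP addresses" API; verify them against the documentation for
# your tenant before relying on fetch_addresses().
API_URL = "https://api.prod.datapath.prismaaccess.com/getPrismaAccessIP/v2"


def fetch_addresses(api_key, service_type="all", addr_type="all", location="all"):
    """POST to the API and return the decoded JSON (needs network access)."""
    body = json.dumps({"serviceType": service_type,
                       "addrType": addr_type,
                       "location": location}).encode()
    req = urllib.request.Request(
        API_URL, data=body, method="POST",
        headers={"header-api-key": api_key, "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


# Constructed sample response in the assumed shape, using RFC 5737
# documentation addresses rather than any real tenant's addresses.
SAMPLE_RESPONSE = {
    "status": "success",
    "result": [
        {"zone": "us-east-1", "address_details": [
            {"address": "203.0.113.10", "addressType": "active",   "serviceType": "gp_gateway"},
            {"address": "203.0.113.11", "addressType": "reserved", "serviceType": "gp_gateway"},
            {"address": "203.0.113.12", "addressType": "active",   "serviceType": "gp_portal"},
            {"address": "198.51.100.5", "addressType": "active",   "serviceType": "remote_network"},
        ]},
        {"zone": "eu-west-1", "address_details": [
            {"address": "203.0.113.20", "addressType": "active",   "serviceType": "gp_gateway"},
            {"address": "203.0.113.21", "addressType": "reserved", "serviceType": "gp_gateway"},
        ]},
    ],
}


def build_allowlist(response, service_types=("gp_gateway", "gp_portal"),
                    address_types=("active", "reserved")):
    """Collect the mobile-user addresses a SaaS partner must allow.

    Reserved addresses are included by default: they are the ones an
    auto-scaling event brings into service, so an allowlist built from
    active addresses alone breaks the moment the service scales out.
    """
    if response.get("status") != "success":
        raise ValueError("API call did not succeed: %r" % response.get("status"))
    addrs = set()
    for zone in response.get("result", []):
        for detail in zone.get("address_details", []):
            if (detail.get("serviceType") in service_types
                    and detail.get("addressType") in address_types):
                # ip_address() rejects anything that is not a literal IP,
                # so a malformed entry fails loudly instead of being allowed.
                addrs.add(ipaddress.ip_address(detail["address"]))
    return [str(a) for a in sorted(addrs, key=lambda a: (a.version, int(a)))]


def allowlist_delta(currently_allowed, required):
    """Addresses to add to, and to remove from, the partner's allowlist."""
    current, needed = set(currently_allowed), set(required)
    return sorted(needed - current), sorted(current - needed)


if __name__ == "__main__":
    required = build_allowlist(SAMPLE_RESPONSE)
    # Constructed: what the partner has on file today (active addresses
    # only, plus one stale entry that should be retired).
    on_file = ["203.0.113.10", "203.0.113.12", "203.0.113.20", "203.0.113.99"]
    to_add, to_remove = allowlist_delta(on_file, required)
    print("required:", required)
    print("add:", to_add, "remove:", to_remove)
```

Against the sample, the partner is missing exactly the two reserved gateway addresses, which is the gap that surfaces during an auto-scaling event. Re-run the diff whenever you enable a new location, since that adds addresses too, and send the partner the full list rather than only the active subset.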
Q: Can users connect to Prisma Access from unmanaged devices?
A: Yes. Users on unmanaged devices (Windows and Mac) can download and install the GlobalProtect agent from the Prisma Access mobile user portal and connect to the service with corporate credentials. For additional security, you can enforce a given device posture by applying HIP checks and policies. To allow access from unmanaged devices, the following conditions must be met:
Client/machine certificate authentication must be disabled, since an unmanaged device has no corporate-issued client certificate to present.
SSL decryption must be turned off, as unmanaged devices may not have the CA certificate used for SSL decryption installed; traffic from these users is therefore not decrypted for inspection.
Q: How does Prisma Access provide redundancy and resiliency?
A: For mobile users, Prisma Access uses the GlobalProtect architecture to provide redundancy in case of a gateway failure. In the unlikely event that a GlobalProtect gateway fails, the GlobalProtect agent automatically reconnects the user to the closest available gateway. This event is often transparent to the user. It is recommended to enable multiple Prisma Access locations in each region for mobile users to provide the best user experience.
Q: What is Palo Alto Networks doing to ensure Prisma Access is scaling as expected?
A: To operate the service efficiently and meet the increasing demand, the Prisma Access Site Reliability Engineering team uses modern tooling to continuously monitor the Prisma Access infrastructure and auto-remediate common network issues when they are encountered. The SRE team can also proactively reach out to customers when an anomaly is identified that could affect service usability. The team has a presence around the globe to provide around-the-clock support in all theaters, including the Americas, EMEA and APAC.
The Prisma Access infrastructure supports large-scale deployments, with some customers connecting over 100K mobile users every day. Prisma Access provides a dedicated dataplane to each customer, so an auto-scaling event for one customer does not impact any other customer connected to the service.
Because of the COVID-19 situation, many Palo Alto Networks employees around the world are primarily working from home, and they rely on Prisma Access for a best-in-class user experience and performance at scale.
Q: How does a global deployment help the GlobalProtect VPN client if problems are identified in a particular region?
A: The GlobalProtect app inherently has the ability to reconnect to the next available mobile user gateway in case of an issue at a certain location or region. See the question on GlobalProtect redundancy above.
Prisma Access Licensing
Q: Will other users be impacted if I need to scale above my mobile user license quota in an emergency?
A: Palo Alto Networks will allow customers to use more than their purchased mobile user license for temporary emergencies, such as the shelter-in-place orders due to the COVID-19 pandemic. Prisma Access will not prevent extra users from connecting, and we will not charge for the increased usage as long as it is for emergency usage and not a long term reliance on the extra capacity.
A big thanks goes to Saurabh Dixit (@sadixit) for helping with this FAQ.
Thanks for taking the time to read my blog. If you enjoyed this, please hit the Like (thumbs up) button, and don't forget to subscribe to the LIVEcommunity Blog.
As always, we welcome all comments and feedback in the comments section below.