The connection between the Prisma Access cloud and the on-prem devices is usually based on the IPsec protocol for site-to-site VPNs. For extra security, configure Prisma Access as the VPN responder and the on-prem firewall/router as the VPN initiator.
This article is based on a discussion, Best practice to allow Internet IPs, posted by @thanawat_l and answered by @PavelK. Read on to see the discussion and solution!
I want to optimize my security policy. I have many rules that allow any, but I want to change from any to internet IP. Does Palo Alto have an Internet IP object by default? Or how can I define internet IP space in an address object?
Solution: You can do it in reverse by using "negate" in the policy to allow anything except the reserved RFC 1918 addresses that are not routable on the internet.
For these ranges there are Palo Alto built-in objects, including class D IP ranges, that you can exclude from the policy while still allowing everything else on the internet.
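To make the "negate destination" logic concrete, here is an added example (not code from the original post or from Palo Alto) that models how a single rule with a negated destination list evaluates. The rule names, the `Rule` class and the `evaluate` helper are hypothetical; the address ranges are the RFC 1918 blocks plus the class D (multicast) block the answer mentions. The point it shows is that the rule matches exactly the destinations that fall outside the listed ranges, so a review of such a rule should focus on whether the exclusion list is complete.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed exclusion list: RFC 1918 private blocks plus the class D
# (multicast) block. A negated destination list means "anything NOT here".
NEGATED_DESTINATIONS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("224.0.0.0/4"),
]


@dataclass
class Rule:
    """Minimal model of a security rule: only the destination field is evaluated."""
    name: str
    destinations: List[ipaddress.IPv4Network]  # empty list means "any"
    negate_destination: bool
    action: str


def destination_matches(rule: Rule, dst: str) -> bool:
    """True when the destination address satisfies the rule's destination field."""
    addr = ipaddress.ip_address(dst)
    if not rule.destinations:          # "any" always matches
        return True
    in_list = any(addr in net for net in rule.destinations)
    # With negate set, the rule matches addresses that are NOT in the list.
    return (not in_list) if rule.negate_destination else in_list


def evaluate(rules: List[Rule], dst: str) -> Tuple[str, str]:
    """First-match evaluation, falling through to an implicit deny."""
    for rule in rules:
        if destination_matches(rule, dst):
            return rule.name, rule.action
    return "default-deny", "deny"


# Hypothetical rulebase with one rule: allow traffic to anything except
# the private and multicast ranges.
RULEBASE = [
    Rule("allow-internet", list(NEGATED_DESTINATIONS), True, "allow"),
]


def audit(dst_list: List[str]) -> List[Tuple[str, str, str]]:
    """Run a list of constructed destinations through the rulebase for review."""
    return [(dst, *evaluate(RULEBASE, dst)) for dst in dst_list]


if __name__ == "__main__":
    samples = ["8.8.8.8", "10.1.2.3", "172.31.0.1", "172.32.0.1",
               "192.168.1.1", "239.255.255.250", "240.0.0.1"]
    for dst, rule, action in audit(samples):
        print(f"{dst:>17}  ->  {rule:<15} {action}")
```

Note that 240.0.0.1 (class E, reserved) is allowed by this rule because the exclusion list only covers RFC 1918 and class D; a negated rule is only as tight as the list it negates, so extend the list with whatever other non-routable ranges your policy should block.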