The connection between the Prisma Access Cloud and the on-prem devices is usually based on the IPSEC protocol for site to site VPNs. For extra security, configure Prisma Access to be the VPN responder and the on-prem firewall/router as the VPN initiator.
Searching for the obvious can sometimes be hard. You simply might have overlooked something or you might have never needed it before. Things can become especially tricky when you have a security policy that's several hundreds of rules long.