Prisma Access / On-Prem FW Scenarios


L3 Networker

I'm beginning to pursue Prisma Access and just wanted to make sure my understanding is correct. Currently, my sites (HQ/DC/Branch) in various parts of the world have PA firewalls. For GP, users connect to a PA FW in their region, and all traffic is backhauled to that specific FW. These offices range from as low as 10 people to a couple hundred users.

The question around design is, in a Prisma Access world, where are on-prem perimeter/edge firewalls truly needed? More specifically, where is a FW needed with threat/URL/WildFire licenses? Some sites won't have a device capable of an IPSec tunnel, so in those cases, sure, the FW will need to remain, but licensing can be removed.

My understanding is that a branch site will not need a firewall unless it has local resources that other sites will need to access. I believe this is the case since, for service connections, as traffic exits Prisma, it is not inspected, so you'll need an on-prem firewall to do that inspection.

What about sites that have resources that are accessible to the internet? My thought would be absolutely, but I've heard there is a way to have those internet-accessible resources routed through Prisma Access? This doesn't make sense to me; I don't see how this is possible. Also, even if it was possible, it would run into the same issue as above: the traffic leaving Prisma Access to the service connection is not inspected. So for this reason, I believe if you have resources exposed to the internet, the local firewall must remain.

My final question is about those offices accessing the internet. Is there a user limit where you'd want internet traffic to egress a local firewall to the internet, instead of sending it to Prisma Access? For instance, if I have an office with 300, 400 or 500 users, is there acceptable performance to send all their internet traffic to Prisma Access, or is the on-prem FW a better solution here?

Thanks!
5 REPLIES

Cyber Elite

I've added comments in green.

> The question around design is, in a Prisma Access world, where are on-prem perimeter/edge firewalls truly needed? More specifically, where is a FW needed with threat/URL/WildFire licenses? Some sites won't have a device capable of an IPSec tunnel, so in those cases, sure, the FW will need to remain, but licensing can be removed.

With Prisma Access fully deployed, the only location(s) that would still need their own firewall are the datacenters where the service connection is terminated. Since a SC is the only connection that doesn't have a 'firewall in the cloud' and also can't be used for internet access, whatever internet access is needed at that site would use its own internet breakout (or have a secondary Remote Network purely for internet access). From a zero trust perspective it's also good to have a firewall in place to control all incoming connections from remote users and networks (via the SC).

> My understanding is that a branch site will not need a firewall unless it has local resources that other sites will need to access. I believe this is the case since, for service connections, as traffic exits Prisma, it is not inspected, so you'll need an on-prem firewall to do that inspection.

Site-to-site from any Remote Network to another RN or a SC traverses an enforcement node, so security policy can be applied to this natively. The only connections that don't pass any enforcement would be Service Connection to Service Connection.

> What about sites that have resources that are accessible to the internet? My thought would be absolutely, but I've heard there is a way to have those internet-accessible resources routed through Prisma Access? This doesn't make sense to me; I don't see how this is possible. Also, even if it was possible, it would run into the same issue as above: the traffic leaving Prisma Access to the service connection is not inspected. So for this reason, I believe if you have resources exposed to the internet, the local firewall must remain.

AFAIK you can't host any services that are accessed from the internet through Prisma Access; you'd use Prisma Cloud for cloud-hosted apps and a local firewall for locally hosted apps.

> My final question is about those offices accessing the internet. Is there a user limit where you'd want internet traffic to egress a local firewall to the internet, instead of sending it to Prisma Access? For instance, if I have an office with 300, 400 or 500 users, is there acceptable performance to send all their internet traffic to Prisma Access, or is the on-prem FW a better solution here?

The only limiting factor is bandwidth, and you can bundle up to 4x500Mbps on a single Remote Network, but that will come at a cost. If the site has its own firewall and you want to save a little money, you could break out trusted connections (O365 for example) locally.

> Thanks!

Prisma Access uses two 'zones' for its enforcement: Trust and Untrust. All connections going out to the internet require security rules from trust to untrust. All internal connections (Remote Users, Remote Networks, Service Connections) in any direction are considered trust to trust, but even within the trust area you can create individual zones to delimit users or remote networks, and you can apply security rules on anything TO and FROM Remote Users and Remote Networks; that includes connections to the Service Connection.

The Service Connection should be considered an extension of the datacenter network; everything else needs to pass through a firewall.

Hope this helps

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper

Thanks for the response. I have some more questions, but I'll go from bottom to top.

I did see the bandwidth was increased to 500Mbps, but wasn't aware that you could bundle them. Is that 500Mbps shared with multiple remote sites, or does each site get 500Mbps? For example, in 1 state, I have 3 different physical locations; would those 3 locations be set up as remote networks and each of them gets 500Mbps, or would those 3 share the 500?

What about the scenario where the service connection is a site that also has users that require internet access? For example, I have a site with 1GB internet that would be considered a SC, since that's where internal resources would be. However, that same location also has roughly 200 users that would need access to the internet. In this scenario, would I have my HA pair of FWs be the service connection for Prisma, but the users would have to egress locally, since the SC can't be used for internet access? If so, can I use the same 1GB link for both, or would it require a dedicated circuit for the SC?

Hi Mike,

You can consider using remote networks for the internet access for users in a site.

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-fo...

The other requirement, making the site available on the internet, can also be done with inbound access; here is the document for that.

https://docs.paloaltonetworks.com/prisma/prisma-access/prisma-access-panorama-admin/prisma-access-fo...

Hope this helps,

Yogesh

Hi,

How would you segregate those additional zones? Behind the scenes the zones are only mapped to trust and untrust.
So if TRUST1 and TRUST2 are mapped to the Trusted zone, it wouldn't make any difference if you used TRUST1, TRUST2 or even both as the source zone, for example.

> I did see the bandwidth was increased to 500Mbps, but wasn't aware that you could bundle them. Is that 500Mbps shared with multiple remote sites, or does each site get 500Mbps? For example, in 1 state, I have 3 different physical locations; would those 3 locations be set up as remote networks and each of them gets 500Mbps, or would those 3 share the 500?

The 500Mbps is assigned to the location and shared among all connected RNs, so if one RN is using up 400Mbps, the others are left with 100Mbps.

> What about the scenario where the service connection is a site that also has users that require internet access? For example, I have a site with 1GB internet that would be considered a SC, since that's where internal resources would be. However, that same location also has roughly 200 users that would need access to the internet. In this scenario, would I have my HA pair of FWs be the service connection for Prisma, but the users would have to egress locally, since the SC can't be used for internet access? If so, can I use the same 1GB link for both, or would it require a dedicated circuit for the SC?

A service connection does not allow access to the internet, so in the case of a hybrid site, you would have the SC connect your datacenter services, and either a local breakout for internet or a second RN IPSec tunnel for internet connectivity. As long as you control your routing, both tunnels can live side by side.

> How would you segregate those additional zones? Behind the scenes the zones are only mapped to trust and untrust.
> So if TRUST1 and TRUST2 are mapped to the Trusted zone, it wouldn't make any difference if you used TRUST1, TRUST2 or even both as the source zone, for example.

Those zones will only be used for logging and reporting purposes, but for enforcement you'll need to rely on User-ID and source/destination subnets. As all the RNs and MUs sit inside the 'trust' zone, any rule that translates to "from trust to trust allow" would allow all of these to connect to each other, so for your own sanity and visibility, refrain from creating more trust zones, as they boil down to the same 'trust' at the security rule level. (For logging, each RN automatically gets its own source zone assigned, named exactly like the IPSec tunnel.)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
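As an added illustration of the zone-collapse point in the reply above (example code written for this page, not from the thread or from Palo Alto Networks): a small Python model in which custom zone names map onto the two enforcement zones the way the replies describe, so a rule written as TRUST1 to TRUST2 ends up matching any trust-to-trust flow, while the same intent scoped by source/destination subnets does not. The zone names, subnets and rules are constructed for the example; `overbroad_rules` is a hypothetical lint for rules that collapse to "trust to trust, any to any".

```python
from ipaddress import ip_address, ip_network

# Constructed custom zones; per the thread, every RN/MU/SC sits inside "trust".
ZONE_MAP = {"TRUST1": "trust", "TRUST2": "trust", "TRUST3": "trust", "untrust": "untrust"}


def effective_zone(zone):
    """Collapse a custom zone name to the enforcement zone it is mapped to."""
    return ZONE_MAP.get(zone, "trust")


def _in_any(ip, nets):
    """True when ip falls inside one of nets (or nets is the wildcard "any")."""
    return nets == "any" or any(ip_address(ip) in ip_network(n) for n in nets)


def evaluate(rules, src_zone, dst_zone, src_ip, dst_ip):
    """Top-down, first match wins; anything unmatched hits the implicit deny."""
    for rule in rules:
        if (effective_zone(rule["src_zone"]) == effective_zone(src_zone)
                and effective_zone(rule["dst_zone"]) == effective_zone(dst_zone)
                and _in_any(src_ip, rule["src"]) and _in_any(dst_ip, rule["dst"])):
            return rule["name"], rule["action"]
    return "implicit-deny", "deny"


def overbroad_rules(rules):
    """Names of allow rules that collapse to 'trust -> trust, any -> any'."""
    return [r["name"] for r in rules
            if r["action"] == "allow"
            and effective_zone(r["src_zone"]) == "trust"
            and effective_zone(r["dst_zone"]) == "trust"
            and r["src"] == "any" and r["dst"] == "any"]


# Intended policy: only branch 1 (10.1.0.0/16) may reach branch 2 (10.2.0.0/16).
ZONE_ONLY = [{"name": "branch1-to-branch2", "src_zone": "TRUST1", "dst_zone": "TRUST2",
              "src": "any", "dst": "any", "action": "allow"}]
SUBNET_SCOPED = [{"name": "branch1-to-branch2", "src_zone": "trust", "dst_zone": "trust",
                  "src": ["10.1.0.0/16"], "dst": ["10.2.0.0/16"], "action": "allow"}]

if __name__ == "__main__":
    # Branch 3 (10.3.0.0/16) talking to branch 2: the zone-only rule lets it through.
    print(evaluate(ZONE_ONLY, "TRUST3", "TRUST2", "10.3.0.5", "10.2.0.9"))
    print(evaluate(SUBNET_SCOPED, "TRUST3", "TRUST2", "10.3.0.5", "10.2.0.9"))
    print(overbroad_rules(ZONE_ONLY))  # the rule the lint flags
```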