Im really new to Prisma Access as I am still learning. From what I gathered so far though, the use cases seem to be very niche if Im understanding correctly. Much of Prisma Access advantages seems to be in gaining standard PA features/security while maintaining minimal Internet latency based on the users location. Please help me if my assumptions/understanding below are incorrect and/or if there are some instances where I may not be considering.
Cases where Prisma Access doesnt seem to be a fit
A customer with a single main site/DC and any number of remote users that all typically reside in close proximity (500 miles) of the main site/DC. Remote users can vpn back into the main DC and maintain the same features provided by the main PAs at the main site. I wouldnt think it would make sense to deploy Prisma Access in this situation because all users in this instance would have the standard features provided by the main site PAs and with most remote users being relatively close, there arent any latency gains.
A customer with several main sites/DCs and several branch sites spread throughout a single country. All sites are running PA firewalls for their WAN/Internet connectivity. Again, with running PA products at all sites, PA standards should be able to be met. Panorama should be able to maintain a standard for all configurations. Assuming DCs arent extremely large distances between each other witinh the country, again, the latency you might gain by a local Prisma Access instance doesnt seem to really warrant its need.
Possible Cases for Prisma Access
A multinational customer with offices spread throughout the world with DCs in only specific strategic locations. Remote users and/or branches may be spread in far distances from the DCs. In this case, I can see the value in Prisma Access as you dont want remote users in Japan for instance VPNing all the way back to the UK. This Prisma Access could provide the same standard PA features/security whole not causing excessive delay from remote users say in Japan from having to remote all the way back to the UK.
A customer operating within a single country with main sites, branches and remote users spread throughout the country. However, in this instance, they dont have PA firewalls at all these locations. Thus without PA firewalls at all locations, PA standards/security cant be maintained. Prisma Access would provide this set of standard access/policy. My main possible objection here is that that the branches are still going to need some form of router/firewall at these branch locations. So, yes theoretically, a company could go with a super low cost option for the local branches' router/firewall for internet and ipsec connectivity to Prisma, but would the cost of Prisma access for that branch basically be the cost to eventually to upgrade that branch with a small PA?
Also, overall in regards to the "services" vpn from prisma access to your main site for remote and branch access to resources at your main site, the concern there is the latency with essentially the "double vpn". There is the vpn from the remote user/branch to Prisma Access and then the vpn from Prisma to your main site over the services connection. To me this would add considerable delay as with any other double vpn solution?
Why would you need a firewall at the branch when you have ipsec or gre tunnel to prisma access? Any router can create this tunnel.
Better consider that Prisma Access autoscales when you have more traffic for example more mobile users are working at home at one day and at the other day less mobile users are working from home. Also Palo Alto firewalls are great but even they can get overutilized expecially the older models when you are doing ssl decryption but Prisma Access will handle this. Also for mobile workers from home sending all the traffic to the on-prem firewall can make issues as I mentioned as bandwidth, firewall cpu/memory etc. and many times a split tunnel is used that can cause security risks if users are allowed to go Internet without any security but with prisma access and the globalprotect agent all the user traffic can go through VPN to Prisma Access and be scanned or if you have on-prem firewalls and VPN you can use Prisma Access Explicit Proxy mode to send only the Internet web traffic to Prisma Access and the other traffic with VPN split tunnel can go to the on-prem firewalls.
Also as it is firewall as a service you don't handle upgrades of the infrastructure as Palo Alto handles this.
Also Prisma Access/Sase has some nice features like ADEM for user expiriance to discover network issues or SD-WAN as you can have Prisma Access ION devices on-prem to connect you to the Prisma Access:
Better go to the Prisma Access education if you are going to work with it or first ask Palo Alto for a test drive and demo on Prisma Access as they will make one for you:
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!