cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Who rated this post

Cyber Elite
Cyber Elite

I've added comments in green


 

The question around design is in a Prisma Access world, where are on-prem perimeter/edge firewalls truly needed.  More specifically, where is a FW needed with threat/url/wildfire licenses.  Some sites won't have a device capable of IPSec tunnel, so in those cases, sure fw will need to remain but licensing can be removed.

 

With Prisma Access fully deployed, the only location(s) that would still need their own Firewall are the datacenters where the service connection is terminated. Since a SC is the only connection that doesn't have a 'firewall in the cloud' and also can't be used for internet access, whatever internet access that is needed at that site would use it's own internet breakout (or have a secondary Remote Network purely for internet access),  From a zero trust perspective it's also good to have a firewall in place to control all incoming connections from remote users and networks (via the SC)

 

My understanding is, a branch site will not need a firewall unless it has local resources that other sites will need to access. I believe this is the case since for service connections, as traffic exits Prisma, it is not inspected, so you'll need an on-prem firewall to do that inspection

 

site-to-site from any Remote Network to another RN or a SC traverses an enforcement node, so security policy can be applied to this natively. the only connections that don't pass any enforcement would be Service connection to service connection

 

What about sites that have resources that are accessible to the internet?  My thought would be absolutely, but I've heard there is a way to have those internet accessible resources to be routed through Prisma Access?  This doesn't make sense to me, I don't see how this is possible.  Also, even if it was possible, it would run into the same as above. The traffic leaving Prisma Access to the service connection is not inspected.   So for this reason, I believe if you have resources exposed to the internet, local firewall must remain.

 

AFAIK you can't host any services that are accessed from the internet through prisma access, you'd use prisma cloud for cloud-hosted apps and a local firewall for locally hosted apps

 

My final question is about those offices accessing to the internet.  Is there a user limit where you'd want internet traffic to egress a local firewall to the internet, instead of sending it to Prisma Access?  For instance, if I have an office with 300,400 or 500 users, is there acceptable performance to send all their internet traffic to Prisma Access or is the on-prem FW a better solution here?

 

The only limiting factor is bandwidth and you can bundle up to 4x500mbps on a single Remote Network, but that will come at a cost. If the site has it's own firewall and you want to save a little money, you could break out trusted connections (o365 for example) locally

 

Thanks!

 

Prisma Access uses two 'zones' for its enforcement. Trust and Untrust. all connections going out to the internet require security rules from trust to untrust. All internal connection (Remote USers, Remote Networks, Service Connections) in any direction is considered trust to trust, but even within the trust area you can create individual zones to delimit users or remote networks, and you can apply security rules on anything TO and FROM  Remote Users and Remote Networks, that includes connections to the Service Connection

the Service Connection should be considered an extension of the datacenter network, everything else needs to pass through a firewall

 

 

hope this helps

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
Who rated this post