Palo Alto Networks Prisma Access (SASE)
Cloud access security for branch offices, retail locations and mobile users

Overview:

Global expansion, mobile workforces, and cloud computing are changing the ways organizations implement and deploy applications. Get the protection you need, where you need it, with Prisma™ Access. Prisma Access delivers a secure access service edge (SASE) that provides globally distributed networking and security to all your users and applications.

Whether at branch offices or on the go, your users connect to Prisma Access to safely access cloud and data center applications as well as the internet.

What Makes Prisma Access Different?

Prisma Access is designed to prevent successful cyberattacks, and that’s why it does more than just secure the web. To stop cyberattacks, it’s necessary to inspect all traffic. Anything short of full inspection of all traffic introduces a significant gap in security.

Prisma Access consistently protects all traffic, on all ports and from all applications, enabling your organization to:

  • Prevent successful cyberattacks with proven security philosophies and threat intelligence for deep visibility and precise control that extends across your organization.
  • Fully inspect all application traffic bidirectionally, including SSL/TLS-encrypted traffic, on all ports, whether communicating with the internet, with the cloud, or between branches.
  • Benefit from comprehensive threat intelligence powered by automated threat data from Palo Alto Networks and hundreds of third-party feeds.

Network as a Service Layer

Prisma Access provides consistent, secure access to all applications: in the cloud, in your data center, or on the internet.

Networking for Remote Networks

  • Connect branch offices to Prisma Access over a standard IPsec VPN tunnel using common IPsec-compatible devices, such as your existing branch router, SD-WAN edge device, or a third-party firewall.
  • Use Border Gateway Protocol (BGP) or static routes for routing from the branch.
  • Use equal cost multi-path (ECMP) routing for faster performance and better redundancy across multiple links.

Networking for Mobile Users

  • Connect mobile users with the GlobalProtect app, which supports user-based always-on, pre-logon always-on, and on-demand connections.
  • Use an always-on full tunnel for optimal security. Prisma Access supports split tunneling based on access route, per-app VPN split tunneling, and split tunneling based on low-risk/high-bandwidth applications, such as streaming video.

Bandwidth Management

  • Enable application whitelisting and blocking policies with App-ID™ technology to free up the network from unnecessary, bandwidth-hogging applications.
  • Prioritize and shape the traffic handled by Prisma Access using quality of service (QoS) policies.

Logging

  • Take advantage of automated, centralized, cloud-scalable log storage.
  • Centralize your management and reporting.
  • Forward logs to your syslog server and/or security information and event management (SIEM) system.

Security as a Service Layer

Firewall as a Service
Prisma Access provides firewall as a service (FWaaS) that protects branch offices from threats while also providing the security services expected from a next-generation firewall. The full spectrum of FWaaS includes threat prevention, URL filtering, sandboxing, and more.

DNS Security
Prisma Access delivers our DNS Security service, which provides a combination of predictive analytics, machine learning, and automation to combat threats in DNS traffic. Organizations can block known malicious domains, predict new malicious domains, and stop DNS tunneling.

Threat Prevention
Using Prisma Access for threat prevention combines the proven technologies in the Palo Alto Networks platform, together with global sources of threat intelligence and automation, to stop previously known or unknown attacks.

Cloud Secure Web Gateway
Prisma Access for secure web gateway (SWG) functionality is designed to maintain visibility into all types of traffic while stopping evasions that can mask threats. Our web filtering capabilities also drive our credential theft prevention technology, which can stop corporate credentials from being sent to previously unknown sites.

Data Loss Prevention
Prisma Access combines integration with data loss prevention (DLP) controls that are API-driven (through Prisma SaaS) as well as in-line (through Prisma Access). These DLP policies allow organizations to categorize data and establish policies that prevent data loss.

Cloud Access Security Broker
Prisma Access and Prisma SaaS implement security controls that combine in-line security, API security, and contextual controls, acting as a cloud access security broker (CASB) to determine access to sensitive information. These controls are implemented in an integrated manner and applied throughout all cloud application policies.

Management

Prisma Access supports two management options:

  • Panorama™ network security management for centralized administration across Palo Alto Networks Next-Generation Firewalls and Prisma Access.
  • Cloud management through a web-based interface with preconfigured profiles and streamlined workflows, using the Prisma Access app in the hub.

At a Glance:

Prisma Access Highlights

  • Protects remote networks and mobile users in a consistent manner, wherever they are.
  • Provides connectivity and security to access all your applications.
  • Offers flexibility and cloud scalability to handle your changing requirements.

Challenges Protecting Your Growing Organization

Cloud and mobility are driving changes in your network and your security requirements. To date, organizations have faced numerous challenges with implementing these changes on top of existing infrastructure:

  • Backhauling traffic over virtual private network (VPN) connections or multiprotocol label switching (MPLS) circuits is inefficient and hurts the user experience.
  • Routing branch and mobile user traffic directly to the internet without inspection is not safe.
  • First-generation cloud-delivered security products, such as proxies, DNS filtering, and cloud access security brokers (CASB) have limited security capabilities.

These issues drive up administrative costs and create operational challenges, and the market demands a change. In 2019, Gartner defined a new cloud-delivered architecture for networking and security called the “secure access service edge” (SASE), which converges first-generation, standalone products with a common service delivery model.

Prisma Access

Prisma™ Access is a SASE that helps organizations embrace cloud and mobility by providing networking and network security services from the cloud. With a growing number of users, branch offices, data, and services located outside the protection of traditional network security appliances, organizations need a cloud-based infrastructure that converges networking and network security capabilities. Prisma Access provides consistent security services and access to cloud applications (including public cloud, private cloud, and software as a service), delivered through a common framework for a seamless user experience.

All users, whether at corporate headquarters, branch offices, or on the road, connect to Prisma Access to safely use cloud and data center applications as well as the internet. Prisma Access consistently inspects all traffic across all ports and provides bidirectional networking to enable branch-to-branch as well as branch-to-HQ traffic.

Prisma Access is delivered as a cloud service from more than 100 locations in 76 countries for users and branch offices to connect, enabling connectivity and security for mobile users, branch offices, and retail locations.

Prisma Access for Networks

Many branch offices and retail stores are geographically distributed and lack full-time IT staff, making deployment, management, change control, and hardware refreshes difficult.

Prisma Access can be used to connect remote networks over a standard IPsec connection, using any existing router, software-defined wide area networking (SD-WAN) edge device, or firewall that supports IPsec, to secure traffic, protect confidential information, and address data privacy needs. Prisma Access supports SD-WAN options using Palo Alto Networks Next-Generation Firewalls as well as third-party vendor products.

Prisma Access for Users

Mobile users need consistent security to access data center and cloud applications. Remote access VPN falls short because users typically connect to a gateway for access to data center applications, and then disconnect from the VPN to get better performance (but less security) when accessing cloud and internet applications.

Prisma Access brings protection closer to your users so traffic doesn’t have to backhaul to headquarters to reach the cloud. It works together with the GlobalProtect™ app on a user’s smartphone, tablet, or laptop. The app automatically establishes an IPsec/SSL VPN tunnel to Prisma Access for the enforcement of security policy without the backhaul to headquarters. With Prisma Access, all users have secure, fast access to all applications in the cloud, on the internet, or in your data center.

The GlobalProtect app also lets you establish access policies based on host information profile (HIP), enabling even more granular security policies tied to device characteristics (such as operating system, patch level, and the presence of required endpoint software) when accessing sensitive applications.

Large populations of users may need to change locations from time to time, as conferences, weather, and natural disasters can strain local infrastructure. Prisma Access monitors conditions and automatically scales to add capacity in regions that need it.

SASE Services

Prisma Access delivers both networking and security services, which include:

Networking

  • SD-WAN: support for Palo Alto Networks Next-Generation Firewalls and integration with third-party SD-WAN
  • VPN: options for connecting users and networks, including IPsec, SSL/IPsec, and clientless VPN
  • Zero Trust network access (ZTNA): access control and threat prevention to protect applications
  • Quality of service (QoS): prioritization of bandwidth for critical applications
  • Clean Pipe: outbound internet security for managed service providers

Security

  • Firewall as a service (FWaaS): next-generation firewall security for branch offices and retail locations
  • DNS Security: advanced analytics and machine learning to protect against threats in DNS traffic
  • Threat Prevention: blocking of exploits, malware, and command-and-control (C2) traffic using threat intelligence
  • Cloud secure web gateway (SWG): blocking of malicious sites using static analysis and machine learning
  • Data loss prevention (DLP): categorize sensitive data and apply policies to control access
  • Cloud access security broker (CASB): governance and data classification to stop threats with in-line and API-based security

Licensing Options

Prisma Access for Networks is licensed based on the total bandwidth used across all sites, with the bandwidth pool divided into the amounts each location needs (minimum bandwidth pool: 200 Mbps).

Prisma Access for Users is licensed based on the total number of users, with tiers from 200 users up to more than 100,000. Prisma Access for users requires the GlobalProtect app. Supported endpoints include Microsoft Windows®, Apple macOS® and iOS, Android®, Google Chrome® OS, and Linux.

Technical Specifications:


| Feature | Description |
| --- | --- |
| App-ID | Continuously classifies all applications regardless of port, SSL/TLS encryption, or attacker evasion techniques. Unlike legacy Layer 3/4 solutions, Prisma Access applies App-ID™ together with Layer 7 controls such as User-ID™. |
| User-ID | Integrates with identity repositories so policies follow users and groups. Supports WLCs, VPNs, directory servers, captive portals, proxies, and more. |
| Device-ID* | Enables device-based policy enforcement anywhere. Uses device attributes (OS version, etc.) for strict security posture control. Provides enhanced context and logging along with App-ID and User-ID. |
| SSL Decryption | Inspects SSL/TLS-encrypted traffic (inbound & outbound), including HTTP/2. Allows flexible enable/disable based on URL, source, destination, user, group, and port. |
| Dynamic User Group (DUG) Monitoring | Enables dynamic response to suspicious or malicious user behavior. Allows time-bound security actions without waiting for directory updates. |
| AI/ML-Based Detection | Provides inline, signatureless zero-day detection and prevention. Instantly blocks up to 95% of unknown threats with <10-second signature delivery and a 99.5% reduction in infections. |
| IoT Security* | Uses machine learning and telemetry to profile devices, assess risk, detect anomalies, and recommend trust-based policies. Prevents known and unknown IoT, IoMT, and OT threats with native enforcement and integrations. |
| Explicit Proxy Onboarding | Provides optional explicit proxy mode for user, server, and VDI traffic (HTTP/HTTPS). Supports GlobalProtect proxy-mode and PAC file browser configuration. |
| PAN-OS Policy Optimizer | Streamlines migration from port-based to App-ID rulebases, reducing attack surface and improving security accuracy. |
| Remote Browser Isolation (RBI) | Isolates risky or unknown web traffic for managed & unmanaged devices. Supports integration with third-party RBI clouds through CloudBlades. |
| Reporting | Includes customizable SaaS usage reporting for sanctioned and unsanctioned traffic. Supports custom reports, scheduling, downloads, and sharing. |
| User Authentication | Supports Kerberos, RADIUS, SAML, LDAP, client certificates, and local database. GlobalProtect maps user-IP instantly for User-ID. |
| Advanced DNS Security | Uses inline AI to analyze DNS traffic and detect never-before-seen malicious domains and hijacking attempts in real time. |
| Advanced URL Filtering | Provides ML-powered web threat protection against phishing, malware, and C2. Categorizes and blocks malicious URLs in real time with fine-grained policy control. |
| Data Loss Prevention (DLP)* | Includes Network, Endpoint, and Email DLP. Provides consistent cloud-delivered DLP policies across all egress points and cloud locations for privacy and compliance. |
| Digital Experience Monitoring (DEM)* | AI-powered ADEM improves user experience with autonomous digital experience monitoring, synthetic tests, and browser-based RUM for precise root cause analysis. |
| Host Information Profile (HIP) | Builds a device HIP profile and enforces application access policies based on device posture and configuration. |
| Device Quarantine | Blocks compromised devices from accessing sensitive data. Supports manual and automatic quarantine via GlobalProtect. |
| Quality of Service (QoS) | Prioritizes business-critical or low-latency traffic such as VoIP/video. Allows reserving bandwidth for key applications. |
| IPv6 Internal Traffic | Secures internal IPv6 traffic for mobile users, GlobalProtect, remote networks, and service connections. |
| Site-to-Site IPsec VPN | Supports IPv4, IKEv1/IKEv2 tunnels, and ECMP for redundancy and efficient load balancing across links. |
| Logging | Provides cloud-based logging for traffic, applications, users, threats, URLs, and data filtering via Strata Logging Service. |
| Traffic Replication | Enables forensic analysis, threat hunting, and troubleshooting by replicating traffic across SSE/SASE architecture to support regulatory requirements. |
| UEBA* | Detects abnormal patterns using user and entity behavior analytics, improving incident response and network security. |
| Policy Automation | Dynamically updates security policies using third-party data with DAGs and the XML API. |
| Intrusion Prevention System (IPS) | Blocks exploits, port scans, malformed packets, and evasion attempts. Continuously updated threat signatures with support for custom Snort/Suricata imports. |
| Antimalware | Stream-based engine blocks known and unknown malware at high speed. Integrated with IPS to reduce product sprawl. |
| C2 Protection | Stops malicious outbound communications, detects botnets via DNS patterns, and prevents secondary payloads. |
| Unknown Threat Detection with Advanced Analysis | Identifies unknown threats using cloud hypervisor analysis and community-sourced malware data from global networks. |
| Protection from Unknown Threats | Auto-generates prevention for new threats and distributes protections in seconds to all Advanced WildFire subscribers. |
| File Behavior Analysis | Provides deep behavioral analysis to understand malware operations, enabling rapid breach investigation and visibility. |
| Cloud-Based Prevention | Cloud-based modular architecture provides automatic prevention based on global intelligence without on-prem appliances. |
| Multivector Analysis & Visibility | Prevents multi-stage, multi-hop attacks with recursive file + URL analysis. Updates URL filtering with phishing/malicious page insights. |
| Comprehensive File Execution | Executes files across multiple OS/app versions to expose threats that evade single-image sandboxing. |
| Private App Connections | Secure access to internal/private apps via ZTNA Connector, Colo-Connect, or Service Connections for mobile/branch users. |
| App Acceleration* | Boosts hybrid worker performance by preparing dynamic content at the edge, improving cloud application responsiveness up to 5×. |
| Dynamic Privileged Access | Enables granular Zero Trust segmentation and project-based privileged access with geo-aware assignment controls. |
| End-User Coaching | Provides just-in-time user notifications to reduce help desk tickets and improve productivity when access restrictions occur. |
| Privileged Remote Access | Enables clientless RDP/SSH access via browser for third parties or unmanaged devices. |
