
Prisma Access

The hybrid workforce and direct-to-app architectures have rendered legacy security
architectures obsolete while dramatically increasing our attack surface. Cloud-
based security offerings have emerged, but they can offer only inconsistent and
incomplete protections as well as deliver poor performance and user experiences.

Palo Alto Networks Prisma Access protects hybrid workforces with the superior
security of ZTNA 2.0 while providing exceptional user experiences from a simple,
unified security product. Purpose-built in the cloud to secure at cloud scale, Prisma
Access delivers the industry’s only ZTNA 2.0 solution that protects all Internet,
SaaS, and private application traffic with best-in-class cloud-delivered security
services and data protection to effectively reduce the attack surface. With a
common policy framework and single-pane-of-glass management, Prisma Access
secures today’s hybrid workforce without compromising performance, backed by
industry-leading SLAs to ensure exceptional user experiences.

Prisma by Palo Alto Networks | Prisma Access | Datasheet 1


The Prisma Access Difference
Prisma Access enables organizations to securely connect all users to the Internet, SaaS and private
applications they need, regardless of where they’re accessing them from or which device they are
using, all while significantly reducing risk. It provides a cloud native single product to secure hybrid
enterprises and workforces, is made up of best-in-class security capabilities, optimizes the user
experience with dynamic scalability, and guarantees maximum end-user performance. Prisma Access
makes securing today’s hybrid workforces and cloud-first organizations easy by offering:
• The superior protection of ZTNA 2.0 that combines fine-grained, least-privileged access with deep and ongoing security inspection as well as enterprise DLP to protect all users, devices, apps, and data.
• A unified security product with comprehensive protections converged into a single unified product, single-pane-of-glass visibility, consistent policy management and shared data for all users and all apps.
• The best user experiences from a truly cloud native architecture built to secure at cloud scale, providing uncompromised performance—all backed by leading SLAs.
Prisma Access consolidates best-in-class security in a leading cloud native security service edge (SSE)
platform. When combined with Prisma SD-WAN, businesses are able to transform their networking and
security with the most complete secure access service edge (SASE) solution in the industry.

Security-as-a-Service Layer
Prisma Access includes comprehensive security capabilities consolidated into a single SSE platform that
delivers ZTNA 2.0 with the best user experience on a single unified platform.
Firewall as a Service
Prisma Access provides firewall-as-a-service (FWaaS) capabilities with the full functionality of Palo
Alto Networks Next-Generation Firewalls (NGFWs). This includes inbound and outbound protection,
native user authentication and access control, and Layer 3–7 single-pass inspection to secure branch
offices against threats.
Cloud Secure Web Gateway
Prisma Access provides cloud secure web gateway (SWG) functionality to protect users from threats
when accessing the internet and SaaS applications. Flexible connectivity options include proxy auto-
configuration (PAC) files, agent, agentless, and IPsec tunnel / SD-WAN. Proxy-based connectivity
through the single unified GlobalProtect agent enables organizations with proxy architectures to
benefit from ZTNA 2.0 while even coexisting with 3rd-party VPN agents. IT teams can operationalize
next-generation internet, SaaS, and application security that meets all proxy-based routing and
compliance requirements. Organizations can easily migrate from legacy on-premises web proxies or
alternative cloud-based proxies with ease.
Cloud SWG is natively integrated with Next-Generation CASB and supports all the web security
protections Prisma Access offers, including Advanced Threat Prevention, Advanced WildFire®,
Advanced URL Filtering, DNS Security, and DLP. Also, remote browser isolation (RBI) is supported via
integration with the CloudBlades architecture in Prisma Access.
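The proxy auto-configuration (PAC) option named above is the browser-side piece of explicit-proxy onboarding: a small script the browser consults for every request to decide whether the request goes to the cloud proxy or directly. The block below is an added illustration of such a file and is not Palo Alto Networks code or a Prisma Access configuration. The proxy hostname and port, the internal domain list and the 10.0.0.0/8 bypass range are placeholders; the PAC helper functions (isPlainHostName, dnsDomainIs, shExpMatch, isInNet) are normally provided by the browser and are shimmed here so the file can be exercised with node before it is rolled out.

```javascript
// Illustrative PAC file for explicit-proxy onboarding (added example, not
// vendor code). Web traffic goes to the cloud proxy; local names, internal
// domains and a private range bypass it. All endpoints below are placeholders.

// Placeholder for the tenant's explicit proxy endpoint (assumption).
var CLOUD_PROXY = "PROXY proxy.example.invalid:8080";

// Constructed list of internal domains that should not traverse the web proxy
// (they are reached directly or over the ZTNA tunnel instead).
var INTERNAL_DOMAINS = [".corp.example.invalid", ".intranet.example.invalid"];

// Constructed private range (RFC 1918) used by the bypass rule.
var PRIVATE_NET = "10.0.0.0";
var PRIVATE_MASK = "255.0.0.0";

// --- Shims for the standard PAC helpers, so this runs outside a browser ---

// True for single-label names such as "wiki" (no dot at all).
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

// True when host ends with the given domain suffix (case-insensitive).
function dnsDomainIs(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Shell-style glob match ("*" and "?") anchored to the whole string.
function shExpMatch(str, shexp) {
  var re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}

// Dotted-quad IPv4 string to an unsigned integer; null if not a valid address.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Browser isInNet() resolves names via DNS; this shim only accepts literal
// IPv4 hosts and treats anything else as "not in the net".
function isInNet(host, pattern, mask) {
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// --- The PAC entry point the browser calls for every request ---
function FindProxyForURL(url, host) {
  // Single-label names (http://wiki/) are local resources: never send them out.
  if (isPlainHostName(host)) return "DIRECT";
  // Loopback stays local.
  if (host === "localhost" || host === "127.0.0.1") return "DIRECT";
  // Internal domains bypass the cloud proxy.
  for (var i = 0; i < INTERNAL_DOMAINS.length; i++) {
    if (dnsDomainIs(host, INTERNAL_DOMAINS[i])) return "DIRECT";
  }
  // Cheap glob pre-check first: in a real browser isInNet() triggers a DNS
  // lookup, so it is only called when the host already looks like 10.x.x.x.
  if (shExpMatch(host, "10.*") && isInNet(host, PRIVATE_NET, PRIVATE_MASK)) {
    return "DIRECT";
  }
  // Only HTTP/HTTPS is steered to the explicit proxy; other schemes go direct.
  if (url.substring(0, 5) === "http:" || url.substring(0, 6) === "https:") {
    // No "; DIRECT" fallback on purpose: if the proxy is unreachable the
    // browser fails closed instead of sending internet traffic uninspected.
    return CLOUD_PROXY;
  }
  return "DIRECT";
}
```

Two design points matter more than the rules themselves. The proxy directive has no trailing "; DIRECT" fallback: with one, the browser would quietly route around the inspecting proxy whenever it could not reach it, so fail-open versus fail-closed should be a deliberate choice rather than an accident of the PAC syntax. And every bypass entry is a gap in web inspection, so the internal-domain and private-range lists should contain only destinations that are covered by another enforcement path (here, the ZTNA tunnel) and should be reviewed when applications move.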
Zero Trust Network Access 2.0
Prisma Access ZTNA 2.0 connects all users and all apps with fine-grained access controls, providing
behavior-based continuous trust verification after users connect to dramatically reduce the attack
surface. It secures all apps, all the time, including premises-based, internet-based, legacy, SaaS, and
modern/cloud native apps, with deep and ongoing security inspection to ensure all traffic is secure
without compromising performance or user experience. What’s more, Prisma Access ZTNA 2.0 provides
consistent visibility with a single DLP policy to secure both access and data across the entire enterprise.

Next-Generation Cloud Access Security Broker
Prisma Access natively provides the industry’s only Next-Generation CASB that automatically keeps pace
with the SaaS explosion by combining powerful SaaS security posture management (SSPM) capabilities,
proactive visibility, real-time data protection including hard-to-detect secrets exchanged in collaboration
apps, and best-in-class security. It delivers multimode functionalities via inline and API-based
security for sanctioned and unsanctioned SaaS apps to help today’s cloud-first organizations:
• Detect and stop activity from compromised accounts and malicious insiders before any damage is done.
• Detect suspicious user activity that could indicate a compromised account or malicious insider.
• Go beyond standard compliance checks and get comprehensive protection from the industry’s first
Security Posture Policy Engine.
• Eliminate the risk of compromise and data loss due to user misconfiguration.
• Resolve critical misconfigurations with a single click, dramatically reducing remediation time.

Network-as-a-Service Layer
Prisma Access provides consistent, secure access to all applications—in the cloud, in your data center,
or on the internet.

Networking for Hybrid and Mobile Users
Connect hybrid and mobile users with the GlobalProtect app, which supports user-based always-on,
pre-logon always-on, and on-demand connections. Prisma Access supports split tunneling based on
access route and application types, including its associated risk and bandwidth utilization.

Networking for Remote Networks
Connect branch offices to Prisma Access over a standard IPsec VPN tunnel using common IPsec-
compatible devices, such as your existing branch router or software-defined wide area network
(SD-WAN) appliance. You can use Border Gateway Protocol (BGP) or static routing from the branch,
and you can use equal-cost multipath (ECMP) routing for faster performance and better redundancy
across multiple links.

Digital Experience Monitoring
The Autonomous Digital Experience Management (ADEM) add-on for Prisma Access provides native
end-to-end visibility for SASE. With ADEM, you gain segment-wise insights across the entire service
delivery path, with real and synthetic traffic analysis that enables autonomous remediation—now
including user self-service remediation with ADEM Self-Serve—of digital experience problems when
they arise. The complimentary Prisma Access Insights lets you monitor and get on-demand visibility
into the health of your Prisma Access deployment.

Centralized Management
Prisma Access supports flexible management options:
• Prisma Access Cloud Management streamlines Prisma Access configuration management
with seamless onboarding, including secure out-of-the-box configurations built on best
practices, continuous assessment of security posture, digital experience monitoring, and reporting
through a unified experience delivered from the cloud.
• Panorama network security management centralizes policy management across all Palo Alto
Networks Next-Generation Firewalls and Prisma Access. Panorama saves time and reduces
complexity by managing network security through a single pane of glass.

[Figure 1: Prisma Access architecture. Labels in the figure: Internet, SaaS, Public Cloud, HQ/Data Center; Security as a Service (ZTNA 2.0, Cloud SWG, NG-CASB, FWaaS); Network as a Service (SD-WAN); User Experience (ADEM); Branch/Retail, Home, Mobile.]

Table 1: Prisma Access Details, Features, and Specifications

| | Prisma Access for Users | Prisma Access for Networks | Prisma Access for Clean Pipe |
|---|---|---|---|
| Locations | 100+ in 77 countries (GlobalProtect); 25 locations (explicit proxy) | 100+ in 77 countries | 17 locations |
| Connection Type | GlobalProtect app; GlobalProtect Clientless VPN; Explicit proxy | IPsec/SSL/Explicit Proxy | Peering via Partner Interconnect (VLAN attachment per tenant) |
| Platform Support | GlobalProtect App: Apple iOS, Apple macOS, Google Android, Android App for Chromebook, CentOS Linux, Red Hat Enterprise Linux, Ubuntu, Windows 10 and UWP. IoT Platforms: Raspberry Pi OS, Windows IoT Enterprise, Ubuntu, Google Android | n/a | n/a |

Service-Level Agreements

Uptime Availability: 99.999% per calendar month

Connectivity: 99.99% for 10 ms over a 1-hour period

Table 2: Prisma Access Features

App-ID: Continuously classifies all applications regardless of port, TLS/SSL encryption, or technique used by an attacker to evade detection. Unlike legacy solutions that depend on Layers 3 and 4 as the first layers of control before application classification is applied, Prisma Access applies App-ID along with other Layer 7 controls, such as User-ID.

User-ID: Integrates with a wide range of user identity repositories so that your policies follow your users and groups regardless of their location. User repositories include wireless LAN controllers, VPNs, directory servers, browser-based captive portals, proxies, and more.

Device-ID*: Allows policies to be created that follow a device no matter where in the network it is connected. Enforcement based on device attributes, such as operating system version, enables security teams to control the attack surface more strictly. Device-ID logging provides additional visibility as well as context and, combined with App-ID and User-ID, allows for deep insights into behavior on the network.

SSL Decryption: Inspects and applies policy to TLS/SSL-encrypted traffic, both inbound and outbound, including for traffic that uses HTTP/2. For privacy and regulatory compliance, you can enable or disable decryption flexibly based on URL, source, destination, user, user group, and port.

Dynamic User Group (DUG) Monitoring: Provides dynamic security actions based on user behavior to restrict suspicious or malicious users. Allows you to define DUGs in Prisma Access to take time-bound security actions without waiting for changes to be applied to user directories.

AI/ML-Based Detection: Delivers inline, signatureless attack detection and zero-day exploit prevention. Prisma Access adapts and provides instantaneous real-time protection vs. scheduled updates. It prevents up to 95% of unknown threats instantly, with less than 10-second signature delivery, resulting in a 99.5% reduction in infected systems.

IoT Security*: Combines machine learning with our leading App-ID technology and crowdsourced telemetry to profile all devices for discovery, risk assessment, vulnerability analysis, anomaly detection, and trust-based policy recommendations. It prevents known and unknown IoT, IoMT, and OT threats and delivers native enforcement with a Palo Alto Networks ML-Powered NGFW or orchestration with third parties.

Explicit Proxy Onboarding: Allows customers to choose proxy mode. This explicit proxy option is an alternate way for users, servers, and VDIs to connect to Prisma Access and secure their Internet and SaaS application traffic (HTTP/HTTPS). The GlobalProtect agent in proxy-mode and PAC files are supported for browser configuration.

PAN-OS Policy Optimizer: Provides a simple workflow to migrate your legacy port-based rule base to App-ID rule base. This reduces your attack surface and increases the efficacy of your security policies.

Remote Browser Isolation Support: Through CloudBlades, integrates with third-party RBI clouds by leveraging existing NGFW URL categorization and URL rewrite features to forward select/all internet-bound traffic to the RBI cloud. This capability provides a seamless user experience while forwarding certain traffic (unknown or high-risk categories) to RBI for additional inspection, while the remaining traffic can be inspected by Prisma Access and egress directly to the internet.

Reporting: Includes, as a standard, a detailed, customizable SaaS application usage report that provides insight into all SaaS traffic—sanctioned and unsanctioned—on your network. You can also create custom reports based on your needs and easily schedule, download, and share them with others in your organization.

User Authentication: Supports all existing PAN-OS authentication methods, including Kerberos, RADIUS, SAML, LDAP, client certificates, and a local user database. Once GlobalProtect authenticates the user, it immediately provides Prisma Access with a user-to-IP address mapping for use by User-ID technology.

Advanced DNS Security: Applies real-time protections and inline machine learning to disrupt C2 callback and other attacks that use DNS. Natively integrated into Prisma Access, Advanced DNS Security provides automated protections, preventing attackers from bypassing security measures, and eliminates the need for independent tools or changes to DNS routing.

Advanced URL Filtering: Superior protection against web-based threats, such as phishing, malware, and C2, that combines powerful database protections with an ML-powered web security engine that categorizes and blocks new malicious URLs in real time. Industry-leading phishing protection tackles the most common causes of breaches, letting you take back control of your web traffic through fine-grained controls and policy settings that automate security actions based on users, risk ratings, and content categories.

Data Loss Prevention (DLP)*: Includes a set of tools and processes that allow you to protect sensitive information against unauthorized access, misuse, extraction, or sharing. DLP on Prisma Access enables you to enforce data security policies and prevent the loss of sensitive data across mobile users and remote networks.

Digital Experience Monitoring (DEM)*: With the ADEM add-on for SASE, organizations get visibility into mobile user and remote network application and network performance. ADEM provides segment-wise insights across the entire service delivery path, with real and synthetic traffic analysis that enables the ability to drive autonomous remediation—including new remote user self-service remediation with ADEM Self-Serve—of digital experience problems when they arise.

Host Information Profile (HIP): Checks the endpoint to get an inventory of how it’s configured and builds a HIP. Prisma Access uses the HIP to enforce application policies that only permit access when the endpoint is properly configured and secured.

Device Quarantine: Blocks compromised devices from accessing privileged data. You can either manually or automatically add compromised devices to a quarantine list and block users from logging into the network from those devices using GlobalProtect. You can also restrict access to applications from these compromised devices.

Quality of Service (QoS): Enables you to dependably run high-priority applications and traffic under limited network capacity. QoS prioritizes business-critical traffic or traffic that requires low latency, such as VoIP or videoconferencing. You can also reserve a minimum amount of bandwidth for business-critical applications.

IPv6 Internal Traffic: Secures all internal IPv6 traffic between endpoints and private applications. This is supported for mobile users, GlobalProtect, remote networks and service connections.

Site-to-Site IPsec VPN: Supports site-to-site tunnels over IPv4 and IKEv1/IKEv2 to ensure compatibility. For multiple connection sites, ECMP routing can provide additional redundancy and cost efficiency by balancing sessions over available internet connections.

Logging: Shows overall traffic, application, user, threat, URL, and data filter logging to facilitate organization of data via the cloud-based Cortex Data Lake.

Policy Automation: Enables you to use information from third-party sources to drive security policy updates dynamically through a combination of Dynamic Address Groups (DAGs) and the XML API.

Intrusion Prevention System (IPS): Blocks vulnerability exploits, buffer overflows, and port scans. Additional capabilities, such as blocking invalid or malformed packets, IP defragmentation, and TCP reassembly, protect you from attackers’ evasion and obfuscation methods. Vulnerability-based signatures are continuously updated from the Advanced WildFire malware prevention service. Custom signatures can also be manually imported, including from popular formats like Snort and Suricata.

Anti-malware: Uses a stream-based engine that blocks inline at very high speeds, detecting known malware as well as unknown variations of known malware families. IPS and anti-malware address multiple threat vectors with one license, eliminating the need to buy and maintain separate IPS and proxy-based products from legacy security vendors.

C2 Protection: Stops malicious outbound communications stemming from malware infections, passively analyzes DNS queries and identifies the unique patterns of botnets. This reveals infected users and prevents secondary downloads and data from leaving your organization.

Unknown Threat Detection with Advanced Analysis: Identifies unknown threats with shared data from the industry’s largest enterprise malware analysis community, including threats submitted from networks, endpoints, clouds, and third-party partners. Leveraging our custom-built hypervisor with bare metal analysis, Advanced WildFire uses various complementary analysis engines that can detect sandbox-evading attacks.

Protection from Unknown Threats: Automatically generates protections across the attack lifecycle when a new threat is first discovered—blocking malicious files, access to malicious URLs, and C2 traffic—and then delivers those protections to all Advanced WildFire subscribers in seconds for most new threats.

File Behavior Analysis: Uses detailed behavior analysis to help you understand how newly discovered malware operates. Integrated logs enable you to quickly identify infected users and investigate potential breaches with detailed analysis of and visibility into unknown threat events.

Cloud-Based Prevention: Employs a unique cloud-based, modular architecture, providing automatic prevention based on global threat intelligence without the headache of having to implement and manage separate devices for web and email at every ingress/egress point in your network.

Multi-Vector Analysis and Visibility: Combines the cloud scale of Advanced WildFire with advanced file analysis and URL crawling to deliver Multi-Vector Recursive Analysis, a unique and comprehensive solution that prevents multistage, multihop attacks. Unlike other solutions, Advanced WildFire can follow multiple stages of attack even if execution fails in a given stage. When Advanced WildFire visits embedded links or links in emails as part of its email link analysis, it updates Advanced URL Filtering if any corresponding webpages host exploits or display phishing activity.

Comprehensive File Execution: Executes unknown files in multiple OS and application versions simultaneously to fully understand the scope of a threat. Multiversion analysis ensures Advanced WildFire analysis is thorough, unlike sandboxes that require golden images, which could deem a malicious file benign simply because the target OS or application version wasn’t specified in the golden image.

Note: Regional differences may apply. For more details, refer to the Prisma Access Service-Level Agreement.
* Requires an add-on license.

3000 Tannery Way
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

© 2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
prisma_ds_prisma-access_033023
