Prisma Access by Palo Alto Networks Reviews

We use Prisma Access, not only for our remote users, in a distributed workforce, but for our offices as well. Right now, because of COVID, there is a very limited footprint on the office side of it. But we would like to cover our offices so that when people are working in them and trying to access resources, whether those resources are hosted on public cloud, private cloud, in data centers, or on-prem, Prisma Access is involved.

Prisma Access is completely hosted on Google Cloud Platform. Palo Alto Panorama, which is the centralized management tool, is also hosted on a public cloud environment. So the entire solution lies in the cloud.

The fact that Prisma Access provides millions of security updates per day is really important because it takes care of the equivalent of preparing patches and pushing them to your environment, without the headaches of managing and maintaining those processes for your infrastructure. If you get security intelligence from different verticals and different alliances, or through some sort of open API integration where vulnerabilities arise at different times, it's going to be difficult to keep up. Subscribing to this service and having it take care of that is really phenomenal.

And the best part is that you know that you are part of a bigger ecosystem where this learning about security issues is happening, and things are made available to you on a scheduled basis every day. It automatically strengthens your security posture. We are quite happy with this feature and feel very confident that the Palo Alto security stack takes care of all of these things automatically. That is one of the salient features and was one of our evaluation parameters for choosing a solution.

Another benefit is that before, if we had to set up a restricted environment for a given project, the lead time was about a day to get everything functioning correctly and to get the go-ahead from the security team. Now, setting up these environments can literally happen in less than five minutes. It is already segmented. All you need to do is ensure the people who are part of the project are included in a single access-control list, which these days is based on GCP Identity-Aware. Based on that, it provides the right privileges required to access certain things. That is the building block of any SasS solution with zero cross-network access. And it is very easy now.

I have been working with Prisma Access since 2019. We have a service reminder for some of our customers. Our usual cases involve the integration of end-user computing solutions with GlobalProtect VPN services, managing private access applications, SaaS, and cloud networks such as AWS, Microsoft Azure, or Google Cloud Platform, using Prisma Access.

The most valuable features are ZTNA 2.0, CASB, Threat Prevention, and Autonomous Digital Experience Management (ADAM). These features are security-driven, providing robust protection against increasing cyber threats by integrating NG Firewalls, SD WAN, and CASB, all within a fully cloud-native solution. This enables easy integration with both legacy and modern platforms, allowing enhanced leverage and scalability.

We could write a book about our use cases. It provides best-of-breed optimization in CASB and SASE together. Our primary use case is enabling users from all walks of life, and all over the planet, to have remote access in the most optimized way.

Prisma Access is a SASE-oriented solution, making it a hybrid and SaaS. Of course, it's built on Google's high-capacity backbone, but it is provider-neutral.

With the centralized remote access solution we had before, F5, we used to see a lot of latency and a lot of intermittent disconnects. But our people have reported that they like Prisma Access so much better in terms of speed and how it operates. The user experience is so much better in terms of throughput. They don't see as much lag. Of course, there are users who don't have the most stable internet connection, but even for those users, by optimizing data reduction, it works better. We can't really help users who have some sort of wireless connection, because if their underpinning link is not good, this overlay won't do much. But for users who are using a satisfactory type of connectivity, even for people who are on 10 Mbps, it works well.

In addition, from an application accessibility standpoint, the integrated features that come with the QoS mean you can choose what types of applications get higher priority than others. It optimizes applications for QoS prioritization.

We have about 2,000 users, and everybody started working from home when COVID hit, so they needed to use Prisma Access to do their work securely. They told us that this was the best thing we'd ever used. Employees said Prisma was a lot better than Juniper and the previous mode access solution we had. 

We implemented it so that it's always on. A user doesn't need to do anything. It connects. Whether you're home or at the office, it cranks up, and you don't have to do anything.

The always-on feature is fantastic for the users. They don't have to think about it. When they go to a coffee shop to do work, there's no need to remember to toggle the VPN on. We'll protect them. URL filtering is the same at home as it is in the office. We can apply policies for URLs wherever our employees work. We see all their traffic and log everything they do as if they were in the office. 

When COVID hit, we suddenly had 2,000 users that all needed to use a VPN solution. We had to abandon our previous VPN solution because Pulse couldn't accommodate such a large volume of users at one time. We stood up this cloud environment and switched everybody over to the Palo Alto Prisma Access, GlobalConnect, and GlobalProtect.

The user experience was so much better. Our executives were impressed. We got many compliments. Our senior team tends to worry about security, but they didn't need to fret over our VPN. 

I recently worked on a huge project for a new entity of a major semiconductor company. We had a greenfield deployment where we were building everything from scratch. The primary use case was to build a solution that meets the following requirements:

• Provides Zero Trust Network Access for all remote users.
  
• Provides seamless performance.
• Avoids all bottlenecks that the traditional VPN concentrators have with regards to being a single point of failure by putting the entire global traffic to a particular VPN concentrator. 

On the secondary front, we did a couple of integrations with Cisco Viptela. It is an SD-WAN solution for ensuring traffic optimization, traffic steering, branch-to-branch connectivity, and branch cloud connectivity. We had to ensure adequate performance and zero trust and have metrics and security compliance with all standard regulatory frameworks such as GDPR for the European region. This was a huge deployment with a budget of close to 2 million dollars.

The plugin version is 2.1.086 innovation, and the platform version is 2.1.

It protects all app traffic so that users can gain access to all apps. There are definitely a lot of integrations. Prisma Access also derives the App-ID capability from the Palo Alto Next-Gen firewalls, which is a USP of Palo Alto. So, it inherently has the capability to see and monitor all the traffic and understand all applications. If an application is being tunneled through different ports or protocols just to masquerade the traffic to bypass the traditional security controls, it won't work. Technically, you cannot bypass any of the security controls that Palo Alto has.

The Single Pass Parallel Processing (SP3) still works with Prisma Access. So, you can have all the integration that you want. It also integrates very well with Prisma SaaS, which is a new solution from Palo Alto.

It can build IPS tunnels with all vendors that you have. It could be a very small router or a firewall from any vendor. With regards to protocols, traditional IPS used to have a couple of restrictions in terms of inspection and other things, but Prisma Access understands every application and every packet. It can see the higher progress of a session. It is a great product to work with.

It secures both web-based and non-web-based apps. Traditionally, I used to have problems with web-based and non-web-based traffic. Prisma Access is a full tunnel, and it is fairly agnostic to the type of traffic. It recognizes everything such as a torrent, FTP, or UDP session. It recognizes web applications, non-web applications, or custom applications. We have a couple of applications that are Java-based, custom developed, and custom managed. It is capable of recognizing every application.

It understands all applications and all standard and custom signatures that you can configure. With regards to the data leaks, it has a network DLP functionality. So, you can potentially configure regex or something else to inspect the traffic and look for patterns, such as credit card numbers and social security numbers. You can define the patterns and put a monitor for notification.

It provides all capabilities in a single, cloud-delivered platform.

It provides traffic analysis, threat prevention, URL filtering, and segmentation. Its usage for segmentation is less because we are also using their firewalls. On the transport side, we are using SD-WAN. We cannot do away with any of these features simply because we expect this platform to provide Next-Gen filtering capabilities. URL filtering is definitely important because we don't want to buy another dedicated solution. Threat prevention is like antivirus and anti-spyware, and all IPS functionalities are absolutely mandatory for us. Technically, it does everything that a typical Next-Gen firewall is supposed to do, but it does that in the cloud. So, you get all the scalability and visibility. We absolutely want all these features, and that perhaps was one of the reasons why we went for Prisma Access instead of another product.

It provides millions of security updates per day, which is important to us. There is something called AutoFocus, which is their threat intel platform. We also get a lot of updates from Unit 42, which is their threat intel feed. We have incorporated that with our platform. It is absolutely essential for us to at least know all known threats so that we can take steps to fix them well in advance. There were recent attacks with regards to SolarWinds and other solutions, and we were able to get timely feeds and notifications from Palo Alto automatically through the signature updates. We also got proactive updates from the Palo Alto technical support. This is absolutely necessary for us, and it keeps all known threats at bay.

Our implementation is still in progress, and we use its Autonomous Digital Experience Management (ADEM) features for performance-based monitoring, checking the latency, and checking the end-user experience not only based upon a couple of traditional metrics but also based on the actual ones. We don't have a standard benchmark to compare it with, but we definitely have complete visibility of who is doing what and who is getting what type of end-user experience. If someone is working from Seattle and needs to connect to Oregon, we definitely don't want to have the traffic all the way to some data center and then take a zig-zag route. We want it to follow an optimal path. It does provide us actionable insights into what's happening, and we can take corrective measures in the long run.

ADEM provides real and synthetic traffic analysis. We do have a security operations team that tests and ingests into SIEM/SOAR platforms that do automatic remediation. This is quite crucial because if there is suboptimal routing, it totally destroys the end-user experience. We check for the concentration of the users. Especially at this time when most of the users are working from home or remotely, we need to have such insights so that we can enable all points of presence within Prisma Access to ensure a better end-user experience.

During the COVID times, the firewalls that were the on-prem gateways couldn't handle SSL decryption and VPNs. After everyone started working from home, the company faced the issue of not having enough firewalls for gateway and SSL decryption services. That's why we started using Prisma Access.

I used version 2.2 while working last with it two or three months ago. In terms of deployment, it was a Prisma Access hybrid solution with Panorama where we had firewalls and Prisma Access. It was not cloud-native Prisma Access with only cloud-based aspects.

We started using Prisma Access after everyone started working from home during COVID. Its auto-scaling feature was helpful for our organization. Prisma Access could scale depending on how many users were working from home. When we had additional users, unlike on-prem firewalls, we didn't have to worry about CPU and other things. It was also cheaper than on-prem firewalls because to handle a large number of users working from home, in the case of on-prem firewalls, we would've had to buy big firewalls. 

With Prisma Access, there is auto-scaling. When there are fewer mobile users, there are fewer Prisma Access gateways, and when there are more mobile users, more mobile gateways are created automatically. For example, if you have a company with 10,000 people, you should be able to handle the VPN traffic of 10,000 people and SSL decryption of that traffic. So, you need to buy a big on-prem solution. After COVID, even when people start working from the office, you would need the biggest firewall to be prepared for the future. 

Nowadays, most companies have started allowing employees to work from home. Most people don't want to return to the office. In many companies, many people are still working from home. Even in such a scenario, companies are expected to have a solution that provides flexibility for the workforce to work from home. 

We were able to use Prisma Access as a VPN solution. We used it as a proxy, and all the traffic was going through it. We wanted the same capability as an on-prem VPN. It was nice to be able to VPN all the traffic that we wanted. We were able to secure what we wanted to secure.

We are an on-premises company at the moment, so we use GlobalProtect. Our firewalls are hosted in our on-premises data centers and offices. We have been using this solution for years and are exploring options like Prisma Access and Azure VPN to enhance security and support for remote workers.

GlobalProtect has been beneficial for its cloud security capabilities, which are vital as businesses seek hybrid options and need to support remote workers while addressing latency issues. By establishing regional hubs in the cloud, we benefit from good backbone services provided by cloud providers like Prisma Access or Azure, which enhances performance.

We propose solutions to customers. They face challenges in their existing setups like long troubleshooting durations, fault tolerances, security concerns, and management concerns. They had traditional setups, like Cisco routers, in their locations.

It took a long time to troubleshoot and resolve issues. The cost was a factor because they were using MPLS connections. MPLS is costly compared to the internet leased lines. Considering all these factors, we decided to go with Prisma's cloud solution.

It's a hybrid solution. We have a few sites on cloud and a few branch locations where the solution is deployed on-premises. The cloud provider is Azure.

We have more than 2,000 branches around the world. The solution is deployed across Europe and Asia. Between 7,000 and 9,000 ION boxes have been deployed. 

Before using this solution, the prime complaints were about voice applications, like RingCentral and GoTo. We reported these issues to the Palo Alto TAC teams, and they came up with more stable versions. Whatever we discuss with the Palo Alto engineering team, they come up with the solution very quickly. We had updates on a regular basis, and the client is very happy now because we have solved 95% of those problems. Everything is stable from a security point of view. 

Prisma SaaS helps us identify cloud applications that we were unaware of employees using. The solution helps us identify a lot of cloud apps, but we identified four to five applications that were the most useful.

The solution protects what our clients want it to protect. They haven't reported any threats or data attackers in their systems. We haven't received any complaints from clients about data security.

The time to value is quicker with Prisma SaaS.