Prisma Access by Palo Alto Networks Reviews

I'm a cloud security architect, but I joined this project because one of my teammates left. My manager asked me to join because I have prior experience with Cisco Systems and Dell security. 

Our client has 40 sites, and they used other products called Peruit and PescUmbrella. My colleague was helping them remove the products from their laptops and replace them with Cortex XDR and Prisma Access. 

Prisma Access is a better product than our client's previous solution, and it helps organizations work differently. It saves time, but I'm not sure about money. I had never considered that aspect because I'm not involved in the financial side. The solution helps us to operate efficiently. Everything we want to do is in there, including DNS, web, and URL security.

Endpoint Protection is something I use on my corporate laptop, and it's doing a wonderful job. I don't experience latency. Prisma has a massive number of secure gateways compared to any other product. All these gateways reduce latency and provide better bandwidth because they use cloud platforms. The scalability and efficiency are excellent so far. 

Prisma integrates well with Cortex XDR and Cortex Data Lake. My company has been also using Prisma Access in-house for nearly a year, and it integrates seamlessly. 

Another aspect I like about Prisma is its usability and control. You can do many functions from a single dashboard. It has more features than Zscaler. The look and feel are better. Prisma is a one-stop shop that does many tasks, like logging and monitoring. 

Having a cloud-based platform is essential because we're pushing all our customers to the cloud. Most of our customers will be using Prisma in the future. Prisma Access provides traffic analysis, threat prevention, URL filtering, and web filtering, which are critical features that our customers request. You don't need a separate administrator for each task. One admin with a little training can handle all of them on Prisma Access. The rest depends on how much you can play with the product.

The documentation is generally good, but they could provide a more detailed description of all the configuration steps. I have to search for information or call support. Palo Alto could add more knowledge base articles about configuration with screenshots and walkthroughs. That would be helpful. When configuring a product, you want to see examples of how it is done. 

I am using Prisma Access for two projects. I haven't been using it for more than six months. 

I haven't worked with Prisma for long, but my impression of the stability so far is good. 

Prisma Access is most suitable for large enterprises because it also includes posture management. It's comparable to Microsoft ESPM. Microsoft makes many of the tools I use as a cloud architect, so I see everything from that perspective.

I don't think smaller companies will have any issues with Prisma. My company has five offices in India and users in 55 countries. Prisma is excellent in terms of scalability, usability, readiness, and user experience. It also runs on older operating systems and new ones too. The laptop I initially got from the company was pretty old. It's a gen-three. I got a newer laptop, and it works on either. 

I rate Prisma Access support a nine out of ten. Their support is helpful. They have a large team of product managers, so they're always available to talk. The response times are excellent. 

I'm impressed. Their technical teams are knowledgeable about the product, and they have global support. You can get support around the clock no matter which time zone you are in. One of my clients is in the US, and the other is in India. Both can access support without a problem.

Positive

I worked with Cisco Fire and AnyConnect, which combines security and VPN. AnyConnect is a popular Cisco product clients use remotely to connect their machines to their offices. That was the first product. Cisco acquired Sourcefire and rebranded it to Fire, which is again a client-based solution.

The deployment is straightforward, and it's done via Prisma's console. I didn't find it to be tricky or have any difficulty finding what I needed. Everything is clearly labeled and intuitive. The more you play with that, the more comfortable you get.

It only takes a minute or two if you have everything configured and you simply need to push the config file. That also depends on how much configuration you push at once. A small configuration takes less than 30 seconds. A larger configuration like we've done in the past few days might take a minute or more. 

I rate Prisma Acess a nine out of ten. It's better than any other product in the market.

We need global connectivity because we are a software company, and we have a lot of contractors around the globe. We are using Prisma Access for them to be able to connect from anywhere and have access to our data center, which is on-premises. It is not in the cloud.

We are using its latest version. It is always up to date. 

It provides zero trust security and access to our resources. It brings security and provides access. The security provided by Prisma Access is very good. I would rate it a nine out of ten in terms of security.

Prisma Access provides all its capabilities in a single, cloud-delivered platform, which is very good. Before choosing Prisma Access, we did extensive research. A single console was very important for us. If we had gone for Cisco, we would have had to combine three different products of Cisco, and we would have had three different consoles to manage, which is not what we wanted.

Prisma Access provides traffic analysis, which is very important for us because we want to know what is happening with the traffic, who is connected, how they are connected, and what is happening with the endpoint during this connection. We are working with the current information, and it is very important. For threat prevention, we are going to implement Palo Alto WildFire.

Prisma Access provides millions of security updates per day. It is very important because if we have zero-day or any other type of breach, it would not be good. There should be regular updates.

Prisma Access' ADEM was another feature that made us go for Prisma Access as compared to the other vendors. It provides real and synthetic traffic analysis, but it also depends on how you tune up ADEM. You need to make rules in order to maintain certain services. If you are doing it right, it will be able to show you where the weak point to the connection is. ADEM does not affect the digital experience for end-users. They do not even know that it is there.

Prisma Access does not enable us to deliver better applications, but it has had an impact. It is stopping some applications that our people are using.

It is easy. There are service connections that they are using for connecting from the cloud to your data center. It is simple. 

There is a system for monitoring the traffic. You can monitor the traffic of the connected people and point out any issues on the connection part. 

The user interface could be better. They need to work a little bit on the console. It is similar to their firewalls but not exactly. They need to clean it up a bit.

Prisma Access' ADEM is good when it comes to segment-wise insights across the entire service delivery path. The only minus is that it is not supporting Linux. It is only for Windows and macOS.

We are not able to manage firewalls from the cloud. They have promised to make this feature available in the future where we will be able to manage firewalls from the cloud. Currently, we can only use Panorama to manage firewalls.

I have been using this solution for two months.

It is very stable. I would rate it a ten out of ten in terms of stability.

It is very scalable. We have 200 users. I would rate it a ten out of ten in terms of scalability. 

We use it very often. It has been okay so far.

We take the help of the integrator who is helping us. We still have questions regarding the product. They have provided a service engineer, and we work with him. We are able to call him directly for any help.

Positive

We did not use any other solution previously. 

It is straightforward because all the work is done by Palo Alto. They provide help for the initial setup to go without any issues or with minimum problems. They power up the machines, and they give us console access from there.

After Prisma Access was set up, it took us about a week to tune everything and connect our data centers to Prisma Access, etc.

We had two engineers for its setup. It does require maintenance. I am the only person handling the maintenance. It is not difficult to maintain.

We use an integrator. 

It is too early for that. We need a little bit more time to see the ROI.

It is not cheap. It is expensive. The good thing is that you are able to pay for what you need, but overall, it is not cheap. The pricing is not based on packages. You pay based on the features. If you want DLP, you only pay for DLP. They are very flexible. It is not cheap, but the licensing is flexible. There are no additional costs in addition to the standard licensing fees.

I would advise starting with the lowest package or minimum services, and then you can upgrade based on your needs. The full package is not cheap, and you might not need all the features.

Their cloud access router could be a little bit cheaper.

We evaluated Cato Networks, Cisco Umbrella, and Zscaler. We also had presentations from Perimeter 81 and CloudFlare.

We went for Prisma Access because it is able to integrate with their firewalls. They have very good connectivity. Palo Alto is a leader in the next-generation firewall, which means their security is good. 

Prisma Access has a lot of features, but we have been using it for only two months. We have not fully used it yet. We have not used the whole functionality.

The good thing is that they are providing a proof of concept. You can do a proof of concept and see if it is suitable for you. If you are already using Palo Alto firewalls, it will be better for you. It will be much easier for you to use Prisma Access.

If you are familiar with Palo Alto in general, it is easy to use because it is very similar to their operating system of firewalls. If you have previous experience with Palo Alto, it is much easier. Otherwise, it will take a little bit of time, but it is easy. The only thing that can be a bit complicated is the service connection. In Prisma Access, you have two types of connections: service connection and network connection. They do almost the same thing. They can create confusion if you are not familiar with them.

Prisma Access can secure not just web-based apps but non-web apps as well, but we are not using this feature currently. 

Overall, I would rate Prisma Access an eight out of ten. That is because we cannot manage firewalls from the cloud.

We use Prisma Access to build an allowlist that we put into Socks App, so we can gate access to what we want based on whether someone is allowed onto the VPN. Prisma is a SaaS product. We have the cloud-managed version that we use to access a mixture of on-prem, public cloud, and SaaS tools. 

We aren't using it extensively. There are only around six rules. I've had five hundred or a thousand rules in previous companies that used Palo Alto Networks. We have six, so we're not using the solution extensively. We're looking at various products for DNS filtering and security, so we will potentially get rid of Prisma Access in the future. It's a heavy-handed way of doing what we're trying to do.

Prisma helped us build a moat around our production systems. It's now impossible to log into our production from a non-MDM laptop. Prisma Access provides decent security overall.

Prisma Access protects all app traffic so users can access all our apps, which is crucial because we want this to be as transparent as possible. The ability to secure web-based and other apps is also critical. We use this as a gateway into production or specific systems. That might be over 443, HTTPS, DB, or any other protocol.

Prisma Access offers features in one cloud-delivered platform, which is pretty important. Anything we can do to reduce the complexity of this is good. It will get messed up at some point if there are too many moving parts.

The traffic analysis, threat prevention, and URL filtering features are pretty critical. Prisma Access is our frontline defense for our production environments. On top of that, it protects the engineering staff's endpoints, so it needs to provide essential URL scanning and WildFire AV detection.

I've had a ton of issues with Prisma Access. The UI is horrible and not intuitive. For example, error handling when applying configuration changes is atrocious. The UI itself is buggy and lags. The sales staff tried to be helpful, but they sold us the wrong license SKU, which broke our environment, and it took two months for them to fix it. Two months is an eternity for something as critical as this.

It applies commits to the firewalls slowly. There isn't an API you can use for anything. We've previously had trouble with the egress IP addresses though we expressed to engineering that those mustn't change. They changed several times without warning, causing a lot of headaches.

I have used Prisma Access for a year and a half. 

Prisma hasn't broken yet. There have been a lot of outages, but luckily only a handful have affected us.

Prisma is somewhat scalable. We want to use this as an allowlist for our external applications. However, other external tools don't allow you to add an arbitrary number of IPs. If we were going to put in the complete list of active and reserved IPs that we get from our seven points of presence, then that's roughly 41 IPs. That goes over the max of 40 that GKE and GCT use. We can't use it to gate Kubernetes pods because there are too many IPs.

We can't seem to remove them once they're added. I've opened several support cases, and we still have half. Half of this list is all reserved and unusable points of presence because they aren't assigned to anything. It is a bit cumbersome and not as agile or straightforward as I was led to believe.

I rate Palo Alto's support a four out of ten. When I put in a ticket for a problem, they will send me a link to documentation that is either for the wrong product or something that doesn't apply to me. I usually get on a Zoom call with an engineer, show them the problem, and wait a week or two before I get a solution.

Neutral

Setting up Prisma Access was relatively straightforward for our use case. We deployed some firewalls in our system and used the IP addresses we got from those to inform and allow this. So it was very straightforward to get it to work, but tweaking it over time has been cumbersome.

I was the only person from our company working on the deployment. I designed and implemented the architecture, then deployed the tool to the endpoints internally. I'm responsible for educating the users and troubleshooting problems they find. I do things like telling a guy, "No, there isn't a problem with the VPN. You shouldn't use the web version of Spotify because only crazy people do that."

We used CDW and Palo Alto professional services. It was fine. It wasn't the best engagement, but it wasn't the worst.

It's hard to say if we've seen an ROI. I imagine we have. We haven't been breached, so that's something.

There's no reason not to buy the enterprise version that gives you unlimited PoPs, but you must understand the limitations you impose on yourself if you do that. If you go crazy, that allowlist will be too big for Kubernetes clusters.

The API that pulls the egress IPs allocated to you should be updated by the minute or as often as possible. There's no forewarning of impending changes. That should be built into your CI/CD system so no one needs to update anything manually. It should just flow through. However, you need notifications because it's a slippery slope. If you're adding and changing IPs all the time, who knows what's what anymore.

I did demos of around 16 different products that do something similar, including Zscaler, Netskope, Fortinet, Twingate, and Tailscale. Palo Alto was the only solution that could give us dedicated egress IPs. 

I rate Prisma Access a four out of ten. There are many tools out there that can do the same actions. This is not the best tool to use if you're only looking for an allowlist for production. 

We have about 2,000 users, and everybody started working from home when COVID hit, so they needed to use Prisma Access to do their work securely. They told us that this was the best thing we'd ever used. Employees said Prisma was a lot better than Juniper and the previous mode access solution we had. 

We implemented it so that it's always on. A user doesn't need to do anything. It connects. Whether you're home or at the office, it cranks up, and you don't have to do anything.

The always-on feature is fantastic for the users. They don't have to think about it. When they go to a coffee shop to do work, there's no need to remember to toggle the VPN on. We'll protect them. URL filtering is the same at home as it is in the office. We can apply policies for URLs wherever our employees work. We see all their traffic and log everything they do as if they were in the office. 

When COVID hit, we suddenly had 2,000 users that all needed to use a VPN solution. We had to abandon our previous VPN solution because Pulse couldn't accommodate such a large volume of users at one time. We stood up this cloud environment and switched everybody over to the Palo Alto Prisma Access, GlobalConnect, and GlobalProtect.

The user experience was so much better. Our executives were impressed. We got many compliments. Our senior team tends to worry about security, but they didn't need to fret over our VPN. 

It's a full firewall, so I can apply firewall policies just as well for web-based apps as I can for offline apps. I definitely think that reduces the risk because I can write any policy I want.

Palo Alto has several other advanced threat protection features. In addition to the normal application and threat protection, it has DNS security, IPS, IDS, etc. I run their traffic through all of the impressions. It's not just URL filtering and decryption. Prisma Access offers a full firewall feature, and I take advantage of it.

Prisma Access is a Palo Alto firewall in the Cloud that works just like an on-prem firewall. I can manage it from the same platform I use to manage all my other firewalls. I write a policy in one place, and it goes into effect everywhere. It's extremely simple.

The security updates are definitely in there as well. I set it up to dynamically download and store the updates as soon as they're available. When Palo comes out with an extremely hot threat, I'm automatically blocking and protecting against it—not just on our internal corporate network, but for all remote VPN users.

That is an extremely important feature to have. You pay for those subscriptions, so why would you not take advantage of the people writing protections for you? Why aren't you installing them automatically? 

I actually worked for a company that did not automatically install things. They thought we might break something. All the places where I had worked in the past automatically installed updates, and we never broke anything. It just worked. Palo Alto is really good about doing it right and protecting the customer.

Palo Alto Prisma 10 came out over a year ago. Palo Alto added this identity management feature. The legacy way Palo Alto selected which user is sitting on an IP address it passes through has been clunky.

Prisma Access still cannot use that feature, and it's been out for a year. Until they upgrade the Prisma Access backbone to 10.1, that integration will not be there. It's a powerful feature, and it's much more than collecting user IDs. Hopefully, they will add it this month.

I have been using Palo Alto firewalls for about 10 years now.

In the past two years, we've had no issues with the reliability of their cloud environment.

It scales up to thousands of users with no problem. We plan to go from 2,000 to 20,000 users. I don't need to do anything to scale up except buy more licenses. 

I rate Palo Alto support a nine out of ten. The presales and support teams are fantastic. They have a technologically proficient person to help you through issues. They can bring someone else in if they don't. We changed support groups. Initially, we were a mid-tier group, but they switched us to the large enterprise team.

Positive

We used a Pulse VPN solution, and I also worked with Cisco AnyConnect in the past. In fact, that's probably what we're going to kick out the door in favor of GlobalProtect.

Pulse VPN used on-prem boxes. Our devices had reached the end of their usable lives, and I couldn't support them. It was going to cost a lot to buy new boxes. For that same amount of money, I could move everything to a virtual cloud environment. I don't need to maintain the hardware anymore. Instead of one box here in the United States, one in Europe, and one in China, I have 100 boxes worldwide.

Setting up Prisma Access is somewhat complex. You must configure many little pieces ahead of time to build the entire portal and LAN. It's slightly painful to ensure everything is working correctly. Do you wrap the comprehensive policy around everything you're trying to do? Configuration is not straightforward.

The solution doesn't need care and feeding once it's set up. It is just like another firewall. Adding rules isn't any different from setting restrictions on a local on-prem firewall.

I set up Prisma Access by myself with the help of Palo Alto's tech support and presales staff.

Prisma Access is worth what we pay for it, but it's hard to quantify. All of our senior staff would say it's worth the cost because it gives us peace of mind. They don't need to worry about security while they're on the road. We can protect all our remote users as well as our in-office users.

Palo Alto is the Cadillac solution, so their products are pretty expensive. That's just the way it is. Their solution surpasses anything else. Cisco AnyConnect, Zscaler, and all of the other products don't compare. Palo Alto is the market leader with the most features. It saves you work, and you don't have to worry about it.

The only license is GlobalProtect. That's the only part that you need to buy. The other features are all included. 

I was already set on Palo Alto. We were doing a PoC with Palo Alto when COVID hit, and the codes did it for me. We had to get something stood up. Our hands were tied with Pulse because we couldn't support 2,000 users rushing in the door. The box would just tip over to that.

I rate Prisma Access a nine out of ten. There are definitely things they need to fix. Most people are familiar with VPN technologies. You ensure that it's connected and running the antivirus, etc. All those vendors do pretty much the same thing in that regard.

You can force Cisco into always-on mode as well. It's just different. Palo Alto is integrated into one Palo Alto management platform. There's no need to switch between various consoles to manage remote access. Everything logs to the same place as well. It's a single pane of glass for my corporate and my remote user logs.

We use the solution for VPN connection for remote work.

The most important feature of the solution is that it works transparently, and you don't need to enter a new password after restarting the PC. Prisma Access by Palo Alto Networks is a seamless solution. People don't need to know how the infrastructure is working. It just seamlessly works for them.

The most valuable features of the solution are encryption, compliance, and stability.

The solution’s stability could be improved.

I have been using Prisma Access by Palo Alto Networks for one month.

I rate the solution a nine out of ten for stability.

Prisma Access by Palo Alto Networks is a scalable solution.

I rate the solution a nine out of ten for scalability.

The solution's initial setup is pretty straightforward. The solution is easy to implement.

The solution's deployment took two weeks. Compared to other products, the solution has a pretty fast deployment.

We have seen a positive return on investment with the solution because remote work is very important for us.

I would recommend Prisma Access by Palo Alto Networks to other users.

Overall, I rate the solution a nine out of ten.

We use this solution for container security. We use it in an environment with 200 developers.

We use its latest version and the version prior to the latest one.

It helps with container security. Month by month, developer accounts in the company are increasing. Prisma Access supported and helped us very effectively in securing their workstations and working environment.

Prisma Access is good for securing access and privileges. Our developers have a security background, and they have knowledge of cybersecurity. It gives us assurance that they would not be able to do anything as an insider cyber attacker. They would not be able to use their environment to jump to other servers because such functions are prevented by this solution.

Prisma Access can protect all app traffic, but we classify the apps inside the company and choose the critical and the medium-risk level apps. This protection is important security-wise. On the IT side, it is important. It is also important on the business side, but they are only concerned about the price. We tried to connect with Palo Alto to get a discount on the first and second years to make the company get the maximum benefit and see the benefit of this solution. After that, they can remove the discounts, and it will be the decision of the company whether to continue with this solution or not.

Prisma Access secures not just web-based apps but non-web apps as well. However, about 70% of our applications are web-based applications. If they do not get the discounts, we will only use them for critical web-based applications. Based on my experience, Prisma Access is good not only for web-based but also for non-web applications. It is effective.

Prisma Access provides traffic analysis. We are also using Cortex XDR. It is Palo Alto's XDR solution that also supports us for traffic analysis. By using both of them in one environment, we have an end-to-end, more holistic, and zero-trust approach.

Prisma Access provides millions of security updates per day. We are also from the cybersecurity side, so we understand that it is a new product. It has only been around for two or three years. In every new product, such updates are welcomed, but we hope that in the next few years, there will be fewer such updates and more targeted updates.

Prisma Access enables us to deliver better applications on the security side but not the business and IT side. We are now more confident that our applications are secure.

Its front end is user-friendly. It is easy to use for us. We are familiar with other Palo Alto products. Its interface is similar to other products of Palo Alto, so it is familiar and easy to use for us.

My experience with Prisma Access has been perfect. It is good considering the fact that our networks are mainly based on Palo Alto products. We are using Palo Alto's next-generation firewalls and Cortex XDR, so it is good to have Prisma Access in the infrastructure to get a fast network environment.

Its integration with non-Palo Alto products can be improved. Currently, it is easy to integrate it with other Palo Alto products such as Cortex XDR. It integrates well with other Palo Alto products. A major part of our network is based on Palo Alto products, but for those companies that use multi-vendor products in their infrastructure, Palo Alto should optimize the integration of Prisma Access with the network devices from other vendors.

They should also increase their support team. There is scope to optimize their support.

We have been using this solution for about eight months.

Stability depends on the company that has developed a solution. As a vendor, we see Palo Alto as a stable company. Their stock value has increased year by year. Based on our communication with the headquarters of Palo Alto, we see that they are investing more and more in their cybersecurity solutions in terms of financials, features, and talent. Therefore, it is one of the stable solutions.

It is scalable for now. It has only been eight months since we have applied this solution in our environment.

On the client side, there are about 200 users. Overall, there are 500 users on the client side and our side. Most of them are developers and network security and IT security people. In our SOC center, they are monitoring this solution too.

It is being used on a daily basis. We have integrated this solution with the SIEM solution, and when an incident or a request comes, we focus on this. On a daily basis, we have some alerts and incidents coming.

Their technical support is good, but in some cases, when we asked them some questions, they took several days or hours to discuss that internally and come up with the answers from their side. However, it is acceptable because we know that it is a new product.

We did not have any solution for providing a secure environment on the developer's side. It is our first year, and it has been surprising and effective for us. 

The deployment of the key features of the product took about three months, but that was because of the delays from our side and the client's side. 

It was a standard deployment. We took sample applications and tested it on them as a PoC. We became familiar with the security function of the product, and we realized its benefits. We then applied it part by part to other web applications and non-web applications.

It is deployed on the cloud. We use Google and other clouds.

For the initial setup, we got support from the Palo Alto support team, so it was good. We are satisfied with them.

In our cyber team, we have around 40 experts. As a project team, they also engage. We use their support too.

For its deployment and maintenance, we have about 12 people who are actively engaged, but overall, there are 30 people engaged with this project.

In terms of pricing, considering that it is a two or three years old solution, they should apply big discounts for the next two or three years. This approach will be better for them to capture the market.

There are no additional costs. After purchasing and acquiring this solution, we also got support. 

We evaluated Cato Networks, Check Point, and Prisma Access. We went for Prisma Access because of its features and its integration with other cybersecurity solutions. Its integration is easy, and it takes less time to integrate it with other cybersecurity solutions. 

There are also open-source applications. They are also good, but they need more tuning and more time to get to the level of solutions like Prisma Access. A benefit of these open-source solutions is that you can tune them according to your environment. They are also free, so there is a cost-benefit.

It is one of the top solutions in the market. I hope that they will continue to tune and optimize their product based on the feedback that they get from the users. This way, it will keep its place among the top ten solutions in the global market.

Overall, I would rate Prisma Access an eight out of ten. It is good, but they should improve their support and its integration with non-Palo Alto solutions.

During the COVID times, the firewalls that were the on-prem gateways couldn't handle SSL decryption and VPNs. After everyone started working from home, the company faced the issue of not having enough firewalls for gateway and SSL decryption services. That's why we started using Prisma Access.

I used version 2.2 while working last with it two or three months ago. In terms of deployment, it was a Prisma Access hybrid solution with Panorama where we had firewalls and Prisma Access. It was not cloud-native Prisma Access with only cloud-based aspects.

We started using Prisma Access after everyone started working from home during COVID. Its auto-scaling feature was helpful for our organization. Prisma Access could scale depending on how many users were working from home. When we had additional users, unlike on-prem firewalls, we didn't have to worry about CPU and other things. It was also cheaper than on-prem firewalls because to handle a large number of users working from home, in the case of on-prem firewalls, we would've had to buy big firewalls. 

With Prisma Access, there is auto-scaling. When there are fewer mobile users, there are fewer Prisma Access gateways, and when there are more mobile users, more mobile gateways are created automatically. For example, if you have a company with 10,000 people, you should be able to handle the VPN traffic of 10,000 people and SSL decryption of that traffic. So, you need to buy a big on-prem solution. After COVID, even when people start working from the office, you would need the biggest firewall to be prepared for the future. 

Nowadays, most companies have started allowing employees to work from home. Most people don't want to return to the office. In many companies, many people are still working from home. Even in such a scenario, companies are expected to have a solution that provides flexibility for the workforce to work from home. 

We were able to use Prisma Access as a VPN solution. We used it as a proxy, and all the traffic was going through it. We wanted the same capability as an on-prem VPN. It was nice to be able to VPN all the traffic that we wanted. We were able to secure what we wanted to secure.

Prisma Access has the same capabilities as an on-prem Palo Alto Firewall in terms of signatures and application IDs. You could do everything with Prisma Access to secure web apps and non-web apps. It is a cloud-native firewall. It seems they use containers in the background but with the same Palo Alto software that is on the firewalls.

It provides traffic analysis, threat prevention, URL filtering, and segmentation.

It supports auto-scaling for mobile users. It auto-scales depending on the mobile user traffic. For example, if 1,000 people are working from home today, and tomorrow, the number increases to 2,000, it is not going to be an issue. Prisma Access is automatically going to scale based on the users. This is really important because with on-prem firewalls, if you enable SSL decryption and VPN and many people join, logging becomes a big issue.

Prisma Access updates its signatures in the background, which is important because when you have on-prem firewalls, sometimes, the users forget to update signatures. With Prisma Access, this is not the issue because it automatically updates signatures.

Prisma Access provides the ability to make custom signatures, which is really important because if you want to block something, you can do it yourself. You don't have to call the vendor and ask for a custom signature to be made. When we compared it with Zscaler, Zscaler is not a bad solution, but it is quite simple. You can't add custom signatures for applications. With Palo Alto, irrespective of whether it is an on-prem firewall or Prisma Access, you can make many customizations, such as custom signatures. For example, you might want to write custom signatures for the Log4J attack. This is something you can't do with Zscaler.

It can be improved if some customers want to use Prisma Access only for web traffic. Currently, it is a bit limited. Zscaler works better for web traffic. Zscaler's agent application on your computer can configure the proxy settings automatically, whereas Palo Alto's GlobalProtect agent is only a VPN solution. You can't use it also as a secure gateway agent to force the computer to have the settings to send the data to Prisma Access. They suggest using other techniques to force the computer to use Prisma Access for a secure web gateway solution. So, Zscaler is more like a secure web gateway, and Prisma Access is more like a full VPN solution. I see the limitations of both vendors. Palo Alto needs to improve the GlobalProtect agent to work as a secure web gateway agent, not only as a VPN agent because some companies would want only a secure gateway. They wouldn't want a full VPN. So, Palo Alto has to make the VPN agent work as a secure web gateway agent for those customers who want only the secure web gateway solution. Other vendors' agents, including ForcePoint which I don't like at all, can do that. 

One feature that I find missing in Prisma Access, as well as Palo Alto firewalls, is that they can't insert the 644 header. I want to be able to see the IP address of the users basically. My understanding is that almost no firewall can do this. It is not only Palo Alto, but it would be good to have this feature. The only vendor that I know can insert it is FortiGate, but with them, many other things don't work.

I have been using this solution for almost three years. I have worked with this solution in two companies. One of the companies was a partner with Palo Alto for their Next-Generation firewall and Prisma Access solutions. I also used it for a few months in another organization. I am now in another company, and I'm not using Prisma Access in this company.

It has good stability because it is a Palo Alto firewall. Palo Alto has made firewalls for many years now. It is based on the same software. So, if Palo Alto firewalls are stable, Prisma Access is stable. It is not something so new as everyone is talking about. It is based on the Palo Alto firewalls which are the leader in the market. 

They had some issues before, but at that time, Prisma Access was only using Google Cloud. They had some latency issues, but now, Prisma Access is also using AWS. They can use Google Cloud or AWS in the background to provision your environment. The latency issues are now gone because AWS has better coverage than Google Cloud. Palo Alto understood that Google Cloud is not enough. So, they used AWS and Google Cloud as the providers for the Prisma Access solution.

It is a cloud solution. It auto-scales. It is using AWS and Google Cloud. They have a lot of coverage. It can be used anywhere AWS and Google Cloud have PoPs.

We had 1,000 to 2,000 people using it on a daily basis. 

When you are working from your home, you can go to Prisma Access or on-prem gateways depending on the configuration. Prisma Access can work together with Palo Alto on-prem gateways. For example, if there's an on-prem firewall in Germany, German users do not have to go to Prisma Access. They can go to the German VPN Palo Alto Gateway, but if you have users in other countries where there are no firewalls, they will go to Prisma Access. So, you have this capability.

Their support is at a medium level. If you pay for premium support, they provide good support. Their normal support is not very good, but that's not only for Prisma Access, that is how Palo Alto works. 

I'm working a lot with F5's BIG-IP. They have one of the best support teams. Even if you don't have payment support, their support is quite good. It is better than Palo Alto's normal support. In general, most vendors have issues with support. The worst vendor that I have worked with is Forcepoint. Their support is extremely bad even for paying users.

Neutral

We have different technologies. We still have web application firewalls that we use in the company. Palo Alto Prisma Access is basically for coordinated firewalls, where you have your firewalls in the cloud. Everything you can do with on-prem firewalls can be done with Prisma Access, but this isn't the only solution you need. You would still need web application firewalls along with Prisma Access. The use case of Prisma Access is to secure your corporate employees. Its use case is not to secure your servers from inbound internet traffic. It is like a secure web gateway proxy to secure your corporate users.

It is easy, and I can't complain. It is a straightforward process. It takes about one hour. It is not so complex. It is a cloud solution. So, you just specify how many gateways you want, and with a few clicks, it gets deployed.

You don't need prior knowledge of the setup, but you should be a good network engineer and have the basic knowledge. It can't be done by someone who doesn't understand security networking. You need to have a good understanding of how much bandwidth you need because Prisma Access is taxed on bandwidth. So, you have to know how much bandwidth you need. You have to do static analysis before deploying Prisma Access to know how much bandwidth your users are using on average and how big the connection is going to be. You can increase the bandwidth later, but it is better to provision from the start based on the bandwidth requirements. The bandwidth analysis takes more time than the provisioning itself.

Palo Alto helped us with the initial deployment. In terms of maintenance, being a cloud solution, it requires next to no maintenance. If your company becomes bigger, you may have to push out more bandwidth from Prisma Access.

It is a little expensive. Because it is one of the best in the market, it is a little bit more expensive than other vendors. 

It is a little bit more expensive than Zscaler, but for a big company, this difference is not so big. Forcepoint has the cheapest support and the cheapest price. Forcepoint has a Cloud Security Gateway solution, but we ran away from them. If you want to go for the cheapest solution, go for Forcepoint and then complain as much as you want.

When comparing Prisma Access with Zscaler, you can't do much customization with Zscaler. That's why we selected Prisma Access. I like Prisma Access more than Zscaler because Zscaler doesn't have many capabilities. It doesn't let you do much customization, and you just have to depend on what the provider gives you as signatures.

For me, Zscaler is more for web traffic. Zscaler is comparable to Prisma Access when it comes to web filtering, like a secure web gateway proxy. If you want to filter out all your traffic, not only the web traffic, then you should definitely go for Prisma Access. Zscaler can be used as a firewall. They say it is similar to Prisma Access to filter out applications, not only web applications, but with Zscaler, you can't make custom signatures. They don't give you a lot of customization. You just enable the features and hope that they're enough. You can't do customizations that most big companies want. So, as a web filtering solution, it is comparable to Prisma Access, but if you want to filter out all the traffic and not only web traffic, then it is not so comparable to Prisma Access.

Zscaler also doesn't have application-level capabilities. Zscaler can't work with SIP traffic where you have to dynamically open FTP ports. For that, the solution should listen to the control plane traffic to know which port to open. Zscaler doesn't support that. So, it is quite limited for anything other than web traffic. However, Prisma Access is more limited when you use it as a secure web gateway solution.

Forcepoint also has a Cloud Security Gateway solution, but we ran away from them. Their cloud solution sometimes couldn't decrypt the web traffic. They had a bug when you want to decrypt one site from a category. For example, you want to decrypt Facebook, but you don't want to decrypt the social media category. In the Forcepoint GUI, you can specify that. In the GUI, it works, but in reality, it doesn't. There is a bug where the site will be decrypted or not decrypted only depending on the main category. You can't in reality change a site's decryption settings. Forcepoint didn't tell us they have this bug. They took two months to admit that and even got angry with me.

It is basically a Palo Alto firewall in the cloud. So, you can make custom applications and custom threat signatures. In terms of debugging, it is not as good as on-prem firewalls. With on-prem firewalls, you can do a lot more debugging, but you don't get a coordinated solution.

It is easy to use if you have experience with on-prem Palo Alto firewalls. Most customers who have Palo Alto on-prem firewalls have Panorama. Prisma Access integrates with Panorama just like on-prem firewalls. So, for customers who already have Palo Alto experience, it is quite easy. Palo Alto has another product for new customers, which is the Cloud Native Prisma Access, where you don't have on-prem firewalls. I have seen some videos about its web interface, and it seems very simple even for new customers. They can use Prisma Access without on-prem firewalls. They can use the cloud console, not Panorama. It seems even easier. So, newer customers would probably go with that technology and SD-WAN-based deployment, where almost all security is going to be in Prisma Access.

Prisma Access has two zones: an internal test zone and an external zone, which is basically the internet. It allows you to use segmentation. For example, if you're a customer of Prisma Access and you have many departments, you can create different tenants. So, different departments have different Prisma Access instances, but because we were a single company, we didn't use the tenant function. However, it provides the ability to split your organization's tenants so that different tenants get different policies. 

Prisma Access’ Autonomous Digital Experience Management (ADEM) is a good feature that you can't have with on-prem firewalls. I have not been using Prisma Access for a couple of months, but I'm still watching the Palo Alto channels. I saw that, with ADEM, they have an agent application that could be installed on the end-user devices. It provides visibility and helps identify any connectivity issues to an application over the VPN. The user gets to know if the issue is with Prisma Access or their ISP so that they don't call the IT department for simple things. For example, if you have a packet loss with Salesforce, you would know where the issue is happening. Is it with the Salesforce cloud application? Is it in Prisma Access between you and the Salesforce application? Is it with your internet service provider? That's the idea of Prisma Access ADEM.

Overall, I would rate it an eight out of ten. 

We propose solutions to customers. They face challenges in their existing setups like long troubleshooting durations, fault tolerances, security concerns, and management concerns. They had traditional setups, like Cisco routers, in their locations.

It took a long time to troubleshoot and resolve issues. The cost was a factor because they were using MPLS connections. MPLS is costly compared to the internet leased lines. Considering all these factors, we decided to go with Prisma's cloud solution.

It's a hybrid solution. We have a few sites on cloud and a few branch locations where the solution is deployed on-premises. The cloud provider is Azure.

We have more than 2,000 branches around the world. The solution is deployed across Europe and Asia. Between 7,000 and 9,000 ION boxes have been deployed. 

Before using this solution, the prime complaints were about voice applications, like RingCentral and GoTo. We reported these issues to the Palo Alto TAC teams, and they came up with more stable versions. Whatever we discuss with the Palo Alto engineering team, they come up with the solution very quickly. We had updates on a regular basis, and the client is very happy now because we have solved 95% of those problems. Everything is stable from a security point of view. 

Prisma SaaS helps us identify cloud applications that we were unaware of employees using. The solution helps us identify a lot of cloud apps, but we identified four to five applications that were the most useful.

The solution protects what our clients want it to protect. They haven't reported any threats or data attackers in their systems. We haven't received any complaints from clients about data security.

The time to value is quicker with Prisma SaaS.

This GUI is a good feature. The stacked policies, event policies, and routing policies are easy to understand for someone with general knowledge.

Securing new SaaS applications is really easy. There weren't any security risks. Prisma also has great reporting and alarming functions.

The data security is good. We don't have any complaints from clients. They're very satisfied with the solution.

It's very easy to write down the policies based on Cloud App-ID. The app detection and analytics are great features.

The Cloud App-ID technology has helped us identify and control shadow IT apps. It's a very important and exclusive feature that's available with Palo Alto.

The solution helps us keep pace with SaaS growth in the organization. It's very important to us. Prisma SaaS is integrated and easy to deploy.

The frequency of updates could be reduced. The updates are necessary, but they occur too frequently. The updates require devices to be rebooted, so there's downtime in the production environment. It's difficult to ask for downtime in a critical production environment every time there is an update.

The software versions should be stable for longer durations. For example, six months or a year.

I used this solution in a technical support role for about seven months.

It's stable. About three months ago, we had some issues with stability, but it's been stable since then. The throughput is very high. At the data center location, it's performing really well.

The scalability is one of the best features. It's an elastic solution. We can stretch whatever we need to for our requirements.

I would rate this solution as eight out of ten.

We previously used a different solution. The main reason why we switched to Prisma SaaS was because of its scalability.

Setup was very easy. It's just plug and play. Deployment took between two and three hours. There wasn't a lot of physical technical intervention.

To deploy Prisma SaaS, we had to turn it on in our Palo Alto Prisma Axis.

Deploying Prisma takes a tenth of the time that it takes to deploy traditional CASB solutions in the market.

The complexity of the solution depends on how it's designed. Anyone who has a basic knowledge of networking can understand Prisma and administer it. It was quite difficult to manage, and it has a lot of components involved. Their onboarding process took a long time.

It has drastically reduced the total cost of ownership. Our costs have been reduced by 40%.

I would rate this solution as eight out of ten. 

My advice for those who are looking for a SaaS solution is to use Prisma. It's one of the best solutions in the industry at the moment. It's simpler and really easy to deploy. Palo Alto has its own support team. It's a very trustworthy solution.

To a colleague or another company who says, "We don't want to use Palo Alto Next Generation Firewall or Prisma Access as an enforcement solution, we just want a CASB product to secure our cloud adoption," I would say you're losing the best features of this product.