Prisma Access by Palo Alto Networks Reviews

We are a partner of Palo Alto. We focus on healthcare customers, and we help them onboard and manage different Palo Alto solutions, including Prisma SaaS.

It gives you visibility and an understanding of what you have in your environment. A couple of years ago, all the information that you had in your SaaS environment was kind of a black box. You didn't have any information about what you or your employees had there. So, visibility is one use case, and another very important use case is the ability to review the way the files and information are shared. You can see if a confidential file is being shared. Having this information and awareness is important for the administrators of Office 365 and other environments so that they can make corrections.

With the use of the Data Loss Prevention (DLP) module, the scanning process scans all the files that you have in there and classifies them through the DLP engine. So, when you get your results, you would have files with the matching results, such as with credit card numbers or phone numbers. There are also data profiles or policies, such as PCI, PII, or GDPR compliance. Palo Alto is working on adding more profiles, such as HIPAA, based on different compliance standards in the industry.

It is a SaaS solution, and we are using its most recent version.

You get the control and visibility into what you have in your SaaS applications. It helps you to know what you have in your environment and then meet your compliance needs. You get to know whether all of them are on a single platform. You also get an understanding of what type of information you have and how it is disposed of. Based on the results that you get from the scanning process, you can accomplish goals, such as PCI compliance or GDPR compliance. Most of the customers are governed by their security information team and have an obligation to be compliant with different industry standards, such as PCI, PII, or GDPR. With this platform, you are a step ahead in knowing what you have in your environment and accomplishing the compliance goals.

You have the ability to create your own expressions for your data. Palo Alto understands that DLP is not the same for all consumers. You might have a particular need to fulfill, and they give you the opportunity to create a custom expression to match the specific format that you have. For a confidential file property that you have in your files, you can add a metadata field. It gives you that opportunity to create that.

Another thing that I really like is the Azure AD integration. You can integrate with Azure AD in order to apply what they call the groups in Azure AD. You can apply groups, and you can have different characteristics, but the most important thing for me is that you can select groups and put the groups into your policies because your DLP or the things that you want to catch may be different for different departments. Your requirements would be different for your HR department versus your development team. For the HR department, it would be more useful to have PII information because they are trying to work with new employees and information. So, it should be different. With Azure AD, you can make a differentiation between these two departments. I found that very useful.

They can add some new characteristics. For example, when an incident triggers, they can automatically send a template for a particular match that is related to the policy. We don't have that right now. It is something to improve. There could be more automation for certain actions. For example, for a particular group, it can send an administrator alert to their manager. It was one of the concerns of our customers. 

You have three types of rules in SaaS Security API. You have the asset policies. You have the user activity policies, and you have the security control rules. Asset policies are more general, and they are more focused on the general behavior of an asset, which is a file. The user activity rules control or alert about unusual user activity or compliance violations, such as when a user uploads a large number of files. It would be good if you can put User IDs for the asset rules. In the asset rules, you can use the Azure AD group, but you cannot use the User ID. That would be a good improvement. 

Palo Alto has a lot of different solutions, and it would be good if the DLP part can be integrated with other solutions as well.

I've been working with Prisma SaaS for two years.

In general, it is good, but everything could be a little bit better. For example, they are working on including more data to catch or trying to reduce the gaps between the matches. It is DLP, but it is not perfect. We're going to have a false positive. They are working on closing that gap and being more accurate, but in general, it gives you accurate and reliable information.

You can onboard certain applications, and if you add more and more files, it's going to continue scanning those files. If you take a business decision to purchase a new SaaS application for your team, such as Slack, you can onboard that new application. You don't have a particular limitation on that. So, if you want to grow and have more business applications, your only concern should be whether they are supported by SaaS Security API. That's because not all the applications work the same way or have the same characteristics, but it gives you an opportunity to grow.

We have had environments with 200 to 2,000 users. It depends on a customer's SaaS environment, and if they want to apply to all of it or a part of it. There was a requirement from a customer to be notified when there is a file share with certain domains, which were their competitor's domains. That way they would get to know when someone from inside the company is sharing information with the competitors. Another common requirement is to be notified or create an incident when I share a public file in my Office 365 account. 

It is gaining more popularity among different customers in the last year. Palo Alto is trying to focus and combine it with other types of solutions related to DLP in order to secure not only your SaaS environment but all of your perimeter. Palo Alto is going to be very focused on that, and its usage is going to increase. In the past, it was not something that a lot of customers required. Palo Alto is working on improving the platform and making it more attractive to meet customers' needs. The market is changing continuously, and Palo Alto is focused on having DLP in different environments.

I didn't use their support that much, but it is fine. Palo Alto has different teams that are focused on different types of solutions. They have a SaaS team for the SaaS API problems that can come. They are good, but sometimes, it would be good to have a quicker response from their side because you want to resolve an issue as fast as you can. They have a lot of companies, and it is kind of hard. You would find this problem with most of their partners, but they always come to you with a good disposition and try to solve it in the shortest time possible. So, overall, their support is good. I would rate them a four out of five.

Positive

I didn't use any similar solution previously. The company that I have been working for is very focused on Palo Alto solutions, and I didn't have the opportunity to work with other tools that are on the market.

In most cases, it is easy, but it depends on the application that the customers want to onboard. For example, if you want to onboard Office 365, Microsoft Teams, and Exchange, the onboarding is easy because you can use the same user account for these three solutions. The challenging part is that you need to create an account with the specific rights for communication and gathering the appropriate information. That's more complex. In some cases, the companies are not completely controlling their Office 365 environment. They have a leader company that gives you the rights, which can take a bit longer.

It could be challenging when you try to use the S3 bucket because you have to work with the IAM to get the exact privilege access to the bucket. That's a more complex part, but if you know what you are doing, it's not that hard.

For me, its implementation is very straightforward. I would rate it a four out of five in terms of ease. Its duration varies because it depends on the information that you have in your SaaS applications because it's going to communicate with your applications through API.  It depends on a lot of things, but in my experience, one week to one and a half weeks is generally enough time. It is not something set in stone. It can take less or more, but you obtain a lot of information once that is finished.

It is not necessary to have a consultant from Palo Alto. The activation part is straightforward. They send you a magic link to have access and configure it. It takes about 20 to 30 minutes to generate the tenant, if I am not wrong. After that, it's very straightforward. There is documentation about each application that you want to onboard.

Before implementing it, it is very important to have a conversation with the customer about the applications they want to onboard, and inside those applications, what type of information they want to catch. For example, a pharmaceutical company might not be as aware of all the compliances for HIPAA or PII. It is important to have that information in order to understand what they want to catch. You can have that covered with predefined ones. We might also have to create custom ones, but it is not that necessary to have someone from Palo Alto if you have a correct partner who knows about the platform.

After onboarding applications, we recommend testing the rules on specific owner files to verify that the results that you are obtaining are accurate and as expected. If they are good, you can go ahead and apply the rules for all. Because a rule is already tested, you don't have to modify it a lot later. If you have a new need, you can create a new rule. After that, the knowledge transfer with the customer is very important. It is not a complex application to manage for the customer, but they really need to understand what it's doing. This knowledge transfer is really important, and it is something that we care about a lot in the company.

After rebranding, its name now is SaaS Security API. My experience with the product is mostly good. Before going for this solution, it's very important to understand what the customer is looking for. In terms of visibility, it's very good because it's an opportunity to have a lot of visibility about the applications that you onboard. For example, you have all that information centralized, and you can apply policies for them. It is very good for that purpose, but it's communication through an API. So, it's not something like a firewall where you can block something instantaneously. It requires a different approach. You need to have an understanding and the objective to obtain visibility and gain more results.

You need to be very clear about what you are looking for and what type of information or compliance you want. Focus on not using it as an individual solution. It's a platform that generates more value when working together with other solutions. 

I would rate this solution an eight out of ten.

Prisma Access is useful for organizations with hardware and firewalls that don't support their total number of users for remote working. If they need to increase this quantity, instead of increasing the hardware, they can use a solution as a firewall service.

A maximum of 200 people use this solution. We don't utilize all of the solution's capabilities.

I had a customer who needed to move all of their operations to work from home during the pandemic. They moved all of their configurations to Prisma Access, and we helped them enable permissions for their users to work from home.

Prisma Access provides better app performance. It allows all the traffic that's really needed for applications and internal resources without any impact on the hardware. It can be continuously scaled in case more resources are needed.

The most valuable feature is the ability to change the gateway. For example, if there's a problem with a specific region or vendor, we can make modifications. The solution is scalable, and there are different gateways that can be created depending on the demand.

Prisma Access supports all of the traffic that the user generates. We have the ability to send all of the traffic through the Prisma Access firewalls.

Prisma Access provides traffic analysis, threat prevention, URL filtering, and segmentation capabilities. It also provides DLP. If you have Panorama to manage firewalls and you have a device group that has some configurations with specific profiles for the spyware or antivirus, it's good to have the ability to replicate that in your Prisma Access environment without any compatibility issues.

It's important that Prisma Access provides millions of security updates per day because we have to be aware of attacks in the cybersecurity industry. It's very helpful to have these updates from Palo Alto because they can prevent the organization or customers from having issues.

Prisma Access gives us the ability to configure clientless VPN, which helps us address specific applications that are consumed through Prisma.

The Autonomous Digital Experience Management feature is helpful because it shows the source of a problem. One user could say that they have a problem with slowness or that some applications don't work that well. It could be a problem with Prisma or a problem with the user's internet provider.

The security provided by Prisma Access is very good because we have the same configurations and models that we have on our normal firewalls. If you have worked with Palo Alto before with firewalls or Panorama, it's very easy to create configurations to implement your security posture. It's on the same technology as Palo Alto, so it's compatible with firewalls. It's also very secure, and it has the same scalability options.

My organization has created different gateways, so they have two different cloud vendors. This redundancy on cloud is helpful. There is redundancy at different branches to provide a backup in case there is a problem with a vendor in a specific area.

I would like the solution to support a different type of authentication. We can't configure a secondary method for our portal.

I've worked with Prisma Access for about six months.

The stability is very good. I haven't had issues with the connection or dropping traffic.

I haven't had any issues with scalability. The solution allows us to define all of the resources that we need. For example, we can define the IP addresses that we need for the number of users that will be connected. If there's a large quantity of users, they can increase the resources. 

The technical support could be faster after we open up a case.

Setup is very straightforward. Prisma Access has very extensive documentation. If you use that, it's easy to deploy the solution. You need to read a lot more for routing considerations, but I think it's easy for people with startup experience.

The amount of time it takes to deploy the solution depends on the complexity of the consumer's considerations. Normally, the basic implementation and policy authentication can be completed in two or three hours.

We require a few people for maintenance. One person provides support and two people do the implementation.

I received some help from engineers who had more experience in the company. They taught me how to configure it, and I was able to complete the deployment after that.

I would rate this solution as nine out of ten. 

We use Prisma Compute for container monitoring and Prisma Cloud for cloud monitoring. Compute looks at workload security, and we use it for container security, build security, and assessments. Cloud looks at our AWS account and gives us input on any security issues with our AWS workload.

We now know if there's any vulnerabilities during runtime, which is not something we had before. We didn't used to have visibility into our cloud infrastructure or our container space once the containers were running but we do have that visibility now. We also have visibility into how the different pieces of our solution talk to each other, so we know which services talk to each other, and then we are able to pick up anomalies. For example, when service A is talking to service B and there's no reason why they should be talking to each other. That's been a real help.

The solution is pretty comprehensive across all three tenets of build, run, and software. This has improved our operations because, for example, at build time if there is an inability within dependencies or within the Docker images we're going to use, we are able to stop, build, and remediate at that point. Within our registries where we keep our containers, we are still able to look back and see how vulnerabilities were corrected over time. Sometimes you build images in a repository, so a vulnerability might get discovered on the internet and it's good to know whether you're still safe before you run your images. Also, once you are running, it's helpful to know that you are still running secure environments.

A feature I've found very helpful is run time security because most of the products on the market will look at security during the build time, and they don't really look at what happens once you're going into production. 

It's a perfect solution for protecting the full stack native cloud. There's been a lot of development over time, so it's gotten better during the time we've been using it. 

The solution provides visibility and it's pretty simple to use. The dashboard is very intuitive. The solution makes it easy because we can look at one screen and see vulnerabilities across the infrastructure.

There is room for improvement in the multi-environment visibility, especially around containers. The product easily gets confused if you have, for example, similar Docker images that are running in different environments. It does not have a way of isolating that even though it's the same image, it's running in a different environment. It just consolidates that reporting and makes it difficult to figure out how far your plus range is.

I don't think the solution has a preventative approach. I think most of it is really more fighting. I guess you could use what it finds to predict what might happen in the future, but I haven't seen any features that are preventative.

I've been using this solution for three years now. 

The solution is very stable. I think in the last year we've done around four upgrades and it's never missed a beat, even through those.

The solution scales quite easily. We've thrown a lot at it and it's still standing. Everything that we run goes through Prisma. 

I think the support has a lot to improve on. Sometimes it's very difficult to get context around tickets, especially if they get keep on getting switched around, and then there are many issues. Not issues per se, but there are times when you need help and the person who is running the ticket is not able to service your ticket and then they have to push it on to engineering and that takes forever. I would rate the customer service as a five out of ten. 

Neutral

The initial setup was pretty straightforward. The product has very good documentation that is very easy to follow. Deployment took about a day. Rolling it out took longer, but that was because of internal challenges, not the product itself. 

We handled it all in-house. I actually did the deployment myself, and it went good. We used Terraform for deploying, and ran it in ECS, in our container environment. Our services are all running in AWS ECS, so we used their ECS module to plug our content environments into Prisma, and then we used their standalone agent for the rest of our systems that are not running container services.

We have seen an ROI because now it takes less time to identify vulnerabilities and fix them. When vulnerabilities are detected, the responsible teams are notified immediately, as opposed to having security go around once a week.

The pricing is very friendly and that's the reason why we renewed this solution. It was really just based on pricing, and the licensing is also pretty understandable. It's not confusing to figure out your workload and how much you'd be paying for the solution. 

We chose a mixed infrastructure where we have a bit on-prem and then also a direct cloud version. If you're running it on-prem, you have to meet infrastructure costs for the solution to run on your server in addition to standard licensing costs.

Before we did our last renewal we looked at a couple of other products. We chose to renew because of the pricing and licensing of this solution. 

The crux of why we're using the product is because of the automations. We are very confident that the product will keep us secure at all times. 

We are able to inject Prisma into our build jobs without it really affecting our build times or the developers.

The solution has reduced alerts investigation times by 60-70%.

I would rate this product as a nine out of ten. 

I use Prisma Access by Palo Alto Networks in our company for remote access, especially to help new users connect to corporate resources from over a distance, in other countries, or while they are not in the office.

I have seen some benefits from using the solution in our company since it offers mobility. My company has users around the world who connect to the resources remotely without any issues because of Prisma Access by Palo Alto Networks.

The most valuable features of the solution stem from the fact that it offers stability and scalability while being a very secure product.

Certain complications are related to the VPN part of the product, which can lead to a very deep and technical discussion. From an improvement perspective, I want the product to be integrated with SASE products.

Palo Alto Networks GlobalProtect or VPN in general with a cloud-based service would be a great improvement.

The product should be made more capable of offering more integration with the recent technologies introduced in the market. The product's integration capabilities with the already existing products in the market are good.

The product's current price is an area of shortcoming where improvements are required.

I have been using Prisma Access by Palo Alto Networks for four years. As it is a security product, our company keeps it updated to the latest version.

It is a 100 percent stable solution. Stability-wise, I rate the solution a ten out of ten.

It is a very scalable solution.

Around 800 people in my organization use Prisma Access by Palo Alto Networks. The solution can be scaled up to fit around 3,000 users at a time.

Prisma Access by Palo Alto Networks is used extensively twenty-four hours a day and seven days a week in my organization since we operate in different time zones.

The support offered by Palo Alto Networks is amazing. Whenever my company opens a ticket with the support team of Palo Alto Networks, we get amazing support. The support team of Palo Alto Networks is fast, customer-friendly, and knowledgeable.

I have experience with Cisco and Fortinet. I have experience with Cisco AnyConnect Secure Mobility Client. The last time we used Cisco AnyConnect Secure Mobility Client in our company was three years ago, after which it was phased out from the set of standard solutions we use. Based on my experience with Fortinet and FortiClient, I can say that the support is not at the same level as the one offered by Palo Alto Networks. Fortinet's technical support team is not as strong as the technical team of Palo Alto Networks. Only the prices of Fortinet and FortiClient were good compared to Palo Alto Networks.

The product's initial setup phase was very straightforward.

The deployment process involves identifying the user profiling and figuring out what exactly its users need, meaning there are some prerequisites involved in the deployment's preparation phase, and it is the most important process critical for the product's success.

The solution is deployed on an on-premises model.

The solution can be deployed in two days.

The deployment can be carried out with the help of our company's in-house team.

Prisma Access by Palo Alto Networks is an expensive solution, especially when compared to other solutions like Cisco. There are no additional charges apart from the standard licensing costs attached to the solution.

Those who plan to use the solution should ensure very good user profiling is carried out, after which they should link the product with the corporate security policy. Prisma Access by Palo Alto Networks is a very flexible solution, and you need to know exactly what you want out of the solution, which should align with the policies in your company as it is an area that differs from one corporate entity to another.

Considering the cost of the solution, I rate the overall tool a nine out of ten.

We use the solution for VPN connection for remote work.

The most important feature of the solution is that it works transparently, and you don't need to enter a new password after restarting the PC. Prisma Access by Palo Alto Networks is a seamless solution. People don't need to know how the infrastructure is working. It just seamlessly works for them.

The most valuable features of the solution are encryption, compliance, and stability.

The solution’s stability could be improved.

I have been using Prisma Access by Palo Alto Networks for one month.

I rate the solution a nine out of ten for stability.

Prisma Access by Palo Alto Networks is a scalable solution.

I rate the solution a nine out of ten for scalability.

The solution's initial setup is pretty straightforward. The solution is easy to implement.

The solution's deployment took two weeks. Compared to other products, the solution has a pretty fast deployment.

We have seen a positive return on investment with the solution because remote work is very important for us.

I would recommend Prisma Access by Palo Alto Networks to other users.

Overall, I rate the solution a nine out of ten.

We use it to monitor our cloud environments to get a real-time inventory of what's being stood up, what's being torn down, vulnerability management, risk management, and all of our cloud resources across all AWS, Azure, and GCP.

If somebody configures something in a way that's vulnerable, we know instantly. We'll get an alert and address it so that it's remediated and not left open. For example, if somebody stands up a new storage container and inadvertently makes it publicly accessible, that's something we'd want to know right away to prevent a breach. We could automate it to prevent it from being stood up with public access. 

We can prevent specifically forbidden configurations automatically by using this tool to never allow a resource storage container to be stood up and made publicly accessible. Automation is key there, and I'd say that would be an example of how Palo Alto has improved my organization.

Prisma SaaS helps us keep pace with SaaS growth in our organization. Everything's going to the cloud, and containers are being used more and more. As security professionals, we don't live in the development world, so we need to know what's going on in that realm, and the platform will help us identify those things and make sure that they're stood up securely. 

If there's something new, a new vulnerability, or a new standard, we'll be alerted about it. That's important because we don't speak developer language, and we, as security folks, consume the data. We must understand what's being stood up and how, and the platform will help us identify that and explain why it's vulnerable and needs to be fixed.

Prisma's most valuable feature would be its ability to identify bad or risky configurations. People stand up stuff in the cloud all the time, and as security professionals, we're not always aware of it. Prisma is critical for flagging real-time inventory and configuration risks, general vulnerabilities, and also issues in Kubernetes. Prisma is very effective for securing new SaaS applications. The code used to configure new SaaS applications is critical for identifying what we want as our security standards and confirming that they're being practiced.

Prisma would be a stronger solution if it could aggregate resources by project or by application. So say we have an application we've developed in AWS and five applications we've developed in Azure. The platform will group it according to those applications, but it's based on the tags we use in Azure, which means I have to rely on development teams to tag resources properly. If they don't do that, it doesn't group them properly in the platform. 

It would be nice if we could group the application according to the platform itself instead of relying on the development team to tag correctly in the cloud environment. My development team for one project might be different from the development team in another project. If I see a resource that needs to be fixed or changed, I need to know what project that resource is associated with. Ideally, I don't want to have to go into Azure and try to figure that out. So if I could tag it using the platform itself rather than relying on the tags that the development team uses in Azure, that would be extremely helpful. I wouldn't say Prisma is particularly useful for protecting data. It's hard to say. We're not looking at the data of the resources, so to speak, using Prisma. It's more like the resources that hold the data.

I've been working with Prisma SaaS for about five years.

I'd say Prisma is extremely stable. We haven't had any issues there.

Prisma is highly scalable. It's a cloud solution, so it automatically updates when new resources come out. We don't have to do anything. It just sees it and adjusts accordingly. I recently started a new role at a company, and we're planning on implementing it and using it more. Where I came from, we used it extensively and relied on it to monitor and manage our cloud environment.

I rate Palo Alto tech support seven out of 10. The technical support used to be a lot better when they were a smaller company. Back when they were called Evident.io and then RedLock, they were more personable and provided good one-on-one technical support. Their support structure changed about a year and a half ago. Now, they're more like group support, and I don't think it's as thorough, but it's still okay. 

Neutral

I would say the cloud SaaS part was extremely straightforward to set up. We had no problems there. Then there is the container compute area called Compute in Prisma. It's almost like a product within a product. You have to deploy the container section on an agent to your container host. That's a little more complicated because we have to rely on development teams to deploy the agent, but tying the platform to your cloud subscriptions was straightforward and took only 30 minutes to an hour. 

It is a little more involved to set up the Kubernetes containers and deploy the agent. That could take up to a day because you have to collaborate with other teams to get that deployed and make sure it's pulling the right data. Then again, it depends on how receptive your development team is to deploying the agents. That part usually takes around three hours. It takes one or two security engineers to deploy and maintain. 

We did it in-house with some help from Palo Alto that we purchased through a support license.

I don't have specific metrics, but I will say that it helps us know what we don't know, and that's ideal from a security perspective—seeing things that we didn't realize were an issue. The return on that investment is significant because you can't secure what you don't know is there. Prisma accomplishes that pretty easily without having to be on the platform constantly responding to alerts.

Prisma integrates pretty nicely even if you aren't using other Palo Alto products. It's very effective for a CSP solution, and the time to value is almost instant. As soon as you stand it up, it shows value by telling you all the vulnerabilities or risks in that environment. I feel like Prisma is one of those things that is essential. If you have resources in the cloud, you're going to need something to monitor it, and it's not ridiculously priced. I'm not too involved in the budget, so it's one of those things that's a necessary evil. I feel like it's a reasonably priced necessary evil.

Prisma is in the middle of the road. It's not the most expensive, but it's not the cheapest. There aren't any additional costs, to my knowledge. I know they have some extra modules, but we didn't use them. 

I'd say the price fits the solution. Prisma is capable of many other things, but Palo Alto doesn't charge you extra for those things, unlike other companies. You can use them or not. Because your environment grows, you may not use it now, you may not need it now, but you may in the future. Those capabilities are there without an additional cost for a different module where other companies will break it out, where you have to pay for those things.

We evaluated a few, including Sysdig, Threat Stack, and Lacework. The deciding factor was the ease of use. It's critical to understand what you're looking at and for the platform to provide value with reports. The data presentation in Prisma was more straightforward.

I rate Prisma SaaS nine out of 10. Ideally, you want a platform that will save you time by giving you the information quickly so you can understand it and act on it. Many platforms have loads of colorful graphs or bells and whistles, but they don't help you get to the bottom of what you're looking at. I feel that Prisma does that. You can get so much information directly from the platform without the need to reach out to other teams or go into the cloud to understand what you're seeing.

We are a small team of ITOps Engineers. With Prisma, we can manage all our Edge Network Infrastructure (Mobile Users, Remote Networks, and Data Centers) in one location.

We also decommissioned our  legacy MPLS connections and moved to VPN. If we need to expand to more offices, different countries, and different regions, it would be much simpler to do it with Prisma Access because the only things required are an internet connection and a pair of firewalls. 

On our IT team, we now have a single interface (using Palo Alto Panorama) where we can monitor our whole infrastructure. The office and Data Center Firewalls, as well as, the Remote User VPN, forward all the traffic to the Prisma Access Infrastructure. There we can apply deep packet inspection and allow or deny traffic, and also apply additional security features like threat prevention, DNS security, malware and anti-virus protection etc.

For remote users, the VPN connection is more secure and much faster than the legacy solutions. Some of our users are located in different European countries. Now they can pick their closest location and connect to a VPN "concentrator" near their region. Whereas before, they needed to connect with one of our data centers in the UK. 

Since everything is connected to Prisma, now we are able to be more proactive, detect end-user or site connectivity issues much faster. Before we were running multiple applications (NMS, Syslog, Netflow) that required a lot of engineering overhead to manage those, but also to extract the information needed. Now a lot of those tasks can be picked by the Service Desk team. 

In addition, similarly to any other Cloud "Platform" the administrative tasks have been dramatically decreased. The upgrade process is very simple compared with any on-premise solution.

I don't think we have actually fully utilised all the functions of Prisma yet. The main concept of Prisma Access is what really help us to transition our infrastructure from a legacy and complex approach to a more simple and easy to manage and maintain one.

Prisma Access has three major components / connections: 

- Remote connections: The links to the Remote Offices 

- Mobile Users 

- Service Connections : The links to the Data Centers. 

You connect everything by establishing VPN tunnels with the Prisma Access Infrastructure. Prisma is now the “brain” of the infrastructure. All edge devices send all traffic to Prisma and Prisma has the knowledge to route the traffic to the correct destination. In addition you can also apply all the additional security features a NGFW can offer. 

Since this is a cloud platform you can easily scale up adding more mobile users or new remote offices. Prisma will simple auto-run (if needed) additional instances in the cloud to support your load 

Also,  because everything's on the cloud, we don't have to worry about patching; we get all the new features as they come in. One of the biggest problems for us used to be to upgrade our VPN application. Now, it can be done with a click of a button. The administrative overhead has been reduced, and we are able to focus on things that actually matter.

The only drawback at the moment is that a “Cloud” solution like Prisma Access requires Palo Alto Panorama, which is normally a VM that sits in your DataCenter. Panorama is used for monitoring and mainly for configuring the different components of Prisma Access.

For the configuration part, Palo Alto has recently introduced an equivalent cloud application, but not all features are available yet. Also at this moment if you enable Prisma Access with Panorama you cannot migrate to the Cloud version.

I've been working with the Palo Alto team since the beginning of the year (2021), when we started the initial setup. It took us around 2 months (multiple weekly sessions) to complete the setup. And the last 2 months we are fully utilising the Prisma components (Remote Networks, Service Connections and Mobile Users)

We have utilised Prisma Access for the late couple of months. Now we are in the process of migrating all our Remote users from the on premise Firewalls to the Prisma Access VPN as a Service solution. 

Over this period we haven't faced any connectivity issues. Prisma Access underlying infrastructure is high available and scalable. 

As any major Cloud Vendors line Google or AWS we may face outages in the future, but we havent experience any problems yet. 

As with any infrastructure where the managent plane is in the cloud, we can know schedule an upgrade and the Prisma will take care the rest. No more complicated upgrade processes that could lead to outages and downtimes. 

A few days ago the Prisma Access dataplane was upgraded. We had zero downtime and the auto-procwss went smoothly (as expected).

As for scalability, you can easily bring more users to the platform; you would just need to buy additional licenses.

There is no need for purchasing new and more powerful hardware. Palo Alto will scale your platform up to support your infrastructure.

Simple integration with LDAP, SAML can help us to provision 100s of users quickly and onboard more users are the company is getting out of the pandemic freeze period.

I think Palo Alto has great technical support in terms of the time of response and the efficiency of response.

Over the past few months we raised multiple tickets (P2-P4). On all of them the responses were quick within the SLA timelines. All the support Engineers had deep knowledge of the product, and always went above and beyond not only by fixing our issues, but also by trying to explain us why was misconfigured or what actually went wrong. Everyone had great communication skills, they were patient and listening our needs and requirements.

We used local Cisco ASA Firewalls that were located in our two UK offices.Normally we had around 10-15 % of our users working remotely. During the pandemic we had to setup around 500 users to connect to the VPN. Unfortunately our ASAs had limited capabilities (250 max users for the 5515-X and 100 for the 5508-X). Our temporary solution was to use the AWS VPN solution for the remaining users. 

At that point we realised that we need a flexible and scalable solution. In addition the company has embraced the cloud first approach a few years back by moving all our servers to the cloud, so utilising a VPN as a Service (offered by Prisma Access) was an expected next  step. 

In my team there are Cisco certified engineers and we have been using Cisco products for many years, but for my opinion when it comes to security and NGFWs, but they haven't reached the level of Prisma Access by Palo Alto Networks. I believe Palo Alto is the key player in the market. 

We had a mixture of different applications and vendors, and we wanted to merge everything under Prisma Access. The terminology is a bit different between Palo Alto and Cisco ASA, and between their local firewalls and the Prisma Access firewalls. It took us about a month to wrap our heads around it and understand how things worked. Once we did that, it was easy to implement. We have gradually migrated all our services. We did our MPLS and the connection to AWS, and now, we're slowly migrating the users. No one has noticed, so it has been seamless.

We don't have a big infrastructure and did the migration piece by piece, and it was really easy and seamless.

To set up the infrastructure with the team, it took us less than a week. The gradual migration took us three weeks, but the basic setup takes less than a week.

We used the Palo Alto professional services, which mainly help us though multiple Zoom sessions to understand all the Prisma components and also to configure the core Prisma setup. The fine tuning was done by the in-house team. 

We had a great experience. All the Palo Alto consultants had a great knowledge of the product and they were very helpful, making it very simple for us to understand this new Platform. They were never leaving any questions unanswered and they were always providing accurate documentation and references for my team to get the required knowledge and to understand / follow up during the Setup.

I think the ROI has been good. We no longer need people to maintain the whole infrastructure, and we do not need to spend money on different services that we no longer use like MPLS or other kinds of support.

Also, the fact that we can quickly scale up without worrying about buying additional licensing is great for us.

The price has been good for the ROI during these difficult times for the cruise industry. With Prisma, you need three types of licenses

- Palo Alto support

- Number of Remote Users that are connected to VPN (concurrent connections)

- Total Bandwidth between Remote Sites offices and Prisma. If you have three or fewer DCs then you don't have to purchase additional connections or bandwidth.

There are no hidden costs; what the product offers is what you get.

We didn't run any PoC with other vendors. Before we were introduced to Prisma Access we were thinking of moving also our Firewalls to Meraki (as we will do with our switches). I believe no other vendor can offer what Palo Alto with Prisma provides, at least at this moment.

In my experience, Prisma Access is a great platform. However, since SASE is a new fairly new concept, it was a bit confusing to understand all the  different components and how all of them work together. On top of that if you are not very familiar with Palo Alto firewalls and especially Palo Alto Panorama, additional training would be recommended. Of course the same concepts of a NGFW from any other vendor are applied. 

 Once you grasp how Prisma Access works, then it's really a piece of cake to set everything up.

For example, we are a small team of three people, and I'm the senior network engineer. My VPN knowledge was not good because we've mainly had MPLS. Still, it was very easy to set everything up.

You setup everything through the web GUI (Palo Alto Panorama). You don't need to know a lot about CLI. With Cisco devices, you have to be an expert in CLI to set up a few things.

On a scale from one to ten, I would rate Prisma Access by Palo Alto Networks at ten because it's an innovative product. They “invented” the whole concept (SASE), and they're way ahead of other competitors.

One of the main advantages we have found of Prisma Access is that it has gateways across multiple continents. Due to that, many users can connect from different parts of the world will be able to access everything very fast. Also, internet access through VPN has become much simpler in getting the traffic to our on-prem data center.

The main example is my particular client that has employees working from different parts of the world - Malaysia, Singapore, India, Europe, and even the Middle East. The use of multiple continental gateways has helped us a lot. The users who are working in different parts of India can connect to different gateways. There are four gateways, including in India itself, the Middle East, and Europe as well.

The WildFire Analysis is one of the good features we observed. Due to the fact that the traffic from the user to the internet is not passing under our on-prem, there is generally less control over it. With the help of WildFire Analysis, we are able to make sure the users are not downloading or accessing any malicious sites or any malware or anything.

The use of Microsoft Teams from a VPN used to give some issues earlier, however, with the Prisma Cloud, that has improved quite a lot. Even if you're tunneling the traffic of MS Teams through this Prisma terminal, there has been no issues yet. The VPN access it allows for is great.

The stability of the solution is very good.

The scalability of the solution is excellent.

Our security team had a concern that they are not able to filter out a few things. There is some particular traffic that the security team wants to filter out and apply their own policies and they cannot. Earlier, we used our on-prem solution for that, however, when it is in the cloud, the problem is that it has to be done manually. When we do changes on the on-prem, it will not automatically sync to the cloud. Therefore, manually, the admin has to do changes on the on-prem for spam filtering and at the same time on the cloud as well.

We actually faced some a problem with using the failure of authentication. Our primary authentication happens through a RADIUS server, to a non-IP solution, so that there is a double-factor authentication. In that double-factor authentication, we are using three different RADIUS servers. Apart from that our requirement was that if all our RADIUS servers failed, we wanted the authentication of users to fall back to LDAR.

The problem we faced is that each RADIUS server was consuming 40 seconds each for the timeout, and then only will it go to LDAR. However, the total timeout of the global product timeout, we are not able to adjust. If you take an on-prem Palo Alto device, you can adjust or increase the Global Protect time out value from 30 seconds to up to 125 seconds or 150 seconds. Later, we were able to resolve this by reducing the timeout value for each RADIUS server.

Technical support could be a lot better.

We have deployed the Prisma solution and environment almost six months ago and we have been using it for the last six months.

The solution is very stable. It doesn't have bugs and glitches. It doesn't crash or freeze.

So far, we haven't observed any such issues. We have been closely monitoring for the last six months but there have been no issues with latency or anything. The only thing we are worried about is that what if something goes from the cloud if the cloud set up as an issue. So far, we haven't encountered such an issue yet, however, the client is always worried about that point as all these things are happening externally to our own firm. That said, so far it hasn't given any trouble.

Scalability-wise it's a very good solution as we will be able to increase the number of users or decrease the number of users or even the bandwidth. Scalability-wise it's a perfect solution.

This solution is used by little over 8,000 users in our intranet and the user roles span from high-level management up to the contacts and their employees who are supporting the calls and the suppliers for the telecom. It is being used by a lot of different variety of users, management, IT, admin, business users, call center users, everyone.

When we decode, we decode it for 10,000 users. So far, we haven't increased it yet. In the future, if our number of user accounts increases or if the Work from Home situation due to COVID continues, then maybe our client will think about increasing it.

Technical support for this solution is via one of our third-party vendors. One problem is that the third-party vendor is not able to resolve all the issues. They will have to go to Palo Alto technical support via their exclusive support. One problem is ASP. Palo Alto is taking a lot of time for coming online and supporting that could be for a minor issue or a major issue. The time taken by Palo Alto Support to get online and support us has been a pain area. We're not really that satisfied.

Before Prisma, we were using the Palo Alto on-prem solution, Global Protect Solution. We had Palo Alto firewalls in our on-prem which we were using for VPN and before that, we used a few VPN solutions.

The initial setup was a mix of difficult and straightforward. We did the deployment in phases for users across different continents. By the time we finished the deployment, which took nearly six months, it was in our case a stable solution and simple to use as well. However, it took a while as we were working on different continents and moving from one to the other in a particular order.

The team was a combination. The team was a combination of one of the vendors in Malaysia and my team, who's from a client end. So there was a total of seven members in the team.

Our implementation strategy was as follows: we already had one Palo Alto Global Protect Retail Solution, so it was not big trouble for us to migrate it to a cloud. We started implementing, planning the redundancy for such two different sites. We established the IP set terminals with our two different sites, which will terminate from the cloud to Palo Alto VPN Box on our on-prem. Then, we gradually migrated the users from on-prem to the cloud.

In terms of maintenance, first of all, we have to keep on monitoring it. If there is something wrong with the cloud, we will have to get the alert and act accordingly. Maintenance-wise so far we have increased the bandwidth for internet links. At that time we had set up redundancy and there was no trouble with that. Apart from that, so far, no other maintenance has been done.

We had a vendor assist us a bit during the implementation.

I can't speak to the licensing costs. We had a two-year license, which we are still on.

We're just customers and end-users.

We are using a SaaS version of the solution.

I will definitely recommend implementing this product as it has a very good scalable solution. Considering this work from home scenario in COVID, it is one of the best solutions one can implement. However, my advice would be to make sure you have enough internet bandwidth while implementing and also make sure there is site-level redundancy at your end. If you are a client then you won't implement it. Make sure there are two separate IP set terminals published from the client to your end. That way, if something goes wrong, your internet goes down or something, the VPN will be accessible.

One good lesson I have learned is that earlier in my thought process related to VPN was very narrow. I never thought that you can put it across multiple continental gateways and allow users to access it so fast. 

I'd rate the solution nine out of ten.