Prisma Access by Palo Alto Networks Reviews

The solution is not very complex and is easy to manage for people who may or may not have knowledge about Palo Alto Networks. 

The initial support team is not very good. Most of the time, I have found that they are one to three years experienced only. They don't have network expertise. They know about Palo Alto products but don't know how to troubleshoot the issues. We have to guide them most of the time to troubleshoot correctly since their approach is not developed. 

I have been working with the solution for a few months. 

The solution is very stable. 

We are a large team and work for multiple customers. 

The senior engineers are very good and you need to escalate your issues to them. 

The tool is very easy to set up. It will take some time since you need to plan all the things. You also need to think about the migration of the existing infrastructure. It is not like you can complete the installation in a week. We will collect information first on users and categorize them from a user perspective like the applications and services which will be connected to the product. We will make a plan once we understand the user requirements. It is a long process and we will ensure that everything is secure. A document will be created with the data flow. We will ensure 100 percent that everything is working fine. 

Prisma Access is a good product and I would rate it a nine out of ten. 

One of the main advantages we have found of Prisma Access is that it has gateways across multiple continents. Due to that, many users can connect from different parts of the world will be able to access everything very fast. Also, internet access through VPN has become much simpler in getting the traffic to our on-prem data center.

The main example is my particular client that has employees working from different parts of the world - Malaysia, Singapore, India, Europe, and even the Middle East. The use of multiple continental gateways has helped us a lot. The users who are working in different parts of India can connect to different gateways. There are four gateways, including in India itself, the Middle East, and Europe as well.

The WildFire Analysis is one of the good features we observed. Due to the fact that the traffic from the user to the internet is not passing under our on-prem, there is generally less control over it. With the help of WildFire Analysis, we are able to make sure the users are not downloading or accessing any malicious sites or any malware or anything.

The use of Microsoft Teams from a VPN used to give some issues earlier, however, with the Prisma Cloud, that has improved quite a lot. Even if you're tunneling the traffic of MS Teams through this Prisma terminal, there has been no issues yet. The VPN access it allows for is great.

The stability of the solution is very good.

The scalability of the solution is excellent.

Our security team had a concern that they are not able to filter out a few things. There is some particular traffic that the security team wants to filter out and apply their own policies and they cannot. Earlier, we used our on-prem solution for that, however, when it is in the cloud, the problem is that it has to be done manually. When we do changes on the on-prem, it will not automatically sync to the cloud. Therefore, manually, the admin has to do changes on the on-prem for spam filtering and at the same time on the cloud as well.

We actually faced some a problem with using the failure of authentication. Our primary authentication happens through a RADIUS server, to a non-IP solution, so that there is a double-factor authentication. In that double-factor authentication, we are using three different RADIUS servers. Apart from that our requirement was that if all our RADIUS servers failed, we wanted the authentication of users to fall back to LDAR.

The problem we faced is that each RADIUS server was consuming 40 seconds each for the timeout, and then only will it go to LDAR. However, the total timeout of the global product timeout, we are not able to adjust. If you take an on-prem Palo Alto device, you can adjust or increase the Global Protect time out value from 30 seconds to up to 125 seconds or 150 seconds. Later, we were able to resolve this by reducing the timeout value for each RADIUS server.

Technical support could be a lot better.

We have deployed the Prisma solution and environment almost six months ago and we have been using it for the last six months.

The solution is very stable. It doesn't have bugs and glitches. It doesn't crash or freeze.

So far, we haven't observed any such issues. We have been closely monitoring for the last six months but there have been no issues with latency or anything. The only thing we are worried about is that what if something goes from the cloud if the cloud set up as an issue. So far, we haven't encountered such an issue yet, however, the client is always worried about that point as all these things are happening externally to our own firm. That said, so far it hasn't given any trouble.

Scalability-wise it's a very good solution as we will be able to increase the number of users or decrease the number of users or even the bandwidth. Scalability-wise it's a perfect solution.

This solution is used by little over 8,000 users in our intranet and the user roles span from high-level management up to the contacts and their employees who are supporting the calls and the suppliers for the telecom. It is being used by a lot of different variety of users, management, IT, admin, business users, call center users, everyone.

When we decode, we decode it for 10,000 users. So far, we haven't increased it yet. In the future, if our number of user accounts increases or if the Work from Home situation due to COVID continues, then maybe our client will think about increasing it.

Technical support for this solution is via one of our third-party vendors. One problem is that the third-party vendor is not able to resolve all the issues. They will have to go to Palo Alto technical support via their exclusive support. One problem is ASP. Palo Alto is taking a lot of time for coming online and supporting that could be for a minor issue or a major issue. The time taken by Palo Alto Support to get online and support us has been a pain area. We're not really that satisfied.

Before Prisma, we were using the Palo Alto on-prem solution, Global Protect Solution. We had Palo Alto firewalls in our on-prem which we were using for VPN and before that, we used a few VPN solutions.

The initial setup was a mix of difficult and straightforward. We did the deployment in phases for users across different continents. By the time we finished the deployment, which took nearly six months, it was in our case a stable solution and simple to use as well. However, it took a while as we were working on different continents and moving from one to the other in a particular order.

The team was a combination. The team was a combination of one of the vendors in Malaysia and my team, who's from a client end. So there was a total of seven members in the team.

Our implementation strategy was as follows: we already had one Palo Alto Global Protect Retail Solution, so it was not big trouble for us to migrate it to a cloud. We started implementing, planning the redundancy for such two different sites. We established the IP set terminals with our two different sites, which will terminate from the cloud to Palo Alto VPN Box on our on-prem. Then, we gradually migrated the users from on-prem to the cloud.

In terms of maintenance, first of all, we have to keep on monitoring it. If there is something wrong with the cloud, we will have to get the alert and act accordingly. Maintenance-wise so far we have increased the bandwidth for internet links. At that time we had set up redundancy and there was no trouble with that. Apart from that, so far, no other maintenance has been done.

We had a vendor assist us a bit during the implementation.

I can't speak to the licensing costs. We had a two-year license, which we are still on.

We're just customers and end-users.

We are using a SaaS version of the solution.

I will definitely recommend implementing this product as it has a very good scalable solution. Considering this work from home scenario in COVID, it is one of the best solutions one can implement. However, my advice would be to make sure you have enough internet bandwidth while implementing and also make sure there is site-level redundancy at your end. If you are a client then you won't implement it. Make sure there are two separate IP set terminals published from the client to your end. That way, if something goes wrong, your internet goes down or something, the VPN will be accessible.

One good lesson I have learned is that earlier in my thought process related to VPN was very narrow. I never thought that you can put it across multiple continental gateways and allow users to access it so fast. 

I'd rate the solution nine out of ten.

We are a small team of ITOps Engineers. With Prisma, we can manage all our Edge Network Infrastructure (Mobile Users, Remote Networks, and Data Centers) in one location.

We also decommissioned our  legacy MPLS connections and moved to VPN. If we need to expand to more offices, different countries, and different regions, it would be much simpler to do it with Prisma Access because the only things required are an internet connection and a pair of firewalls. 

On our IT team, we now have a single interface (using Palo Alto Panorama) where we can monitor our whole infrastructure. The office and Data Center Firewalls, as well as, the Remote User VPN, forward all the traffic to the Prisma Access Infrastructure. There we can apply deep packet inspection and allow or deny traffic, and also apply additional security features like threat prevention, DNS security, malware and anti-virus protection etc.

For remote users, the VPN connection is more secure and much faster than the legacy solutions. Some of our users are located in different European countries. Now they can pick their closest location and connect to a VPN "concentrator" near their region. Whereas before, they needed to connect with one of our data centers in the UK. 

Since everything is connected to Prisma, now we are able to be more proactive, detect end-user or site connectivity issues much faster. Before we were running multiple applications (NMS, Syslog, Netflow) that required a lot of engineering overhead to manage those, but also to extract the information needed. Now a lot of those tasks can be picked by the Service Desk team. 

In addition, similarly to any other Cloud "Platform" the administrative tasks have been dramatically decreased. The upgrade process is very simple compared with any on-premise solution.

I don't think we have actually fully utilised all the functions of Prisma yet. The main concept of Prisma Access is what really help us to transition our infrastructure from a legacy and complex approach to a more simple and easy to manage and maintain one.

Prisma Access has three major components / connections: 

- Remote connections: The links to the Remote Offices 

- Mobile Users 

- Service Connections : The links to the Data Centers. 

You connect everything by establishing VPN tunnels with the Prisma Access Infrastructure. Prisma is now the “brain” of the infrastructure. All edge devices send all traffic to Prisma and Prisma has the knowledge to route the traffic to the correct destination. In addition you can also apply all the additional security features a NGFW can offer. 

Since this is a cloud platform you can easily scale up adding more mobile users or new remote offices. Prisma will simple auto-run (if needed) additional instances in the cloud to support your load 

Also,  because everything's on the cloud, we don't have to worry about patching; we get all the new features as they come in. One of the biggest problems for us used to be to upgrade our VPN application. Now, it can be done with a click of a button. The administrative overhead has been reduced, and we are able to focus on things that actually matter.

The only drawback at the moment is that a “Cloud” solution like Prisma Access requires Palo Alto Panorama, which is normally a VM that sits in your DataCenter. Panorama is used for monitoring and mainly for configuring the different components of Prisma Access.

For the configuration part, Palo Alto has recently introduced an equivalent cloud application, but not all features are available yet. Also at this moment if you enable Prisma Access with Panorama you cannot migrate to the Cloud version.

I've been working with the Palo Alto team since the beginning of the year (2021), when we started the initial setup. It took us around 2 months (multiple weekly sessions) to complete the setup. And the last 2 months we are fully utilising the Prisma components (Remote Networks, Service Connections and Mobile Users)

We have utilised Prisma Access for the late couple of months. Now we are in the process of migrating all our Remote users from the on premise Firewalls to the Prisma Access VPN as a Service solution. 

Over this period we haven't faced any connectivity issues. Prisma Access underlying infrastructure is high available and scalable. 

As any major Cloud Vendors line Google or AWS we may face outages in the future, but we havent experience any problems yet. 

As with any infrastructure where the managent plane is in the cloud, we can know schedule an upgrade and the Prisma will take care the rest. No more complicated upgrade processes that could lead to outages and downtimes. 

A few days ago the Prisma Access dataplane was upgraded. We had zero downtime and the auto-procwss went smoothly (as expected).

As for scalability, you can easily bring more users to the platform; you would just need to buy additional licenses.

There is no need for purchasing new and more powerful hardware. Palo Alto will scale your platform up to support your infrastructure.

Simple integration with LDAP, SAML can help us to provision 100s of users quickly and onboard more users are the company is getting out of the pandemic freeze period.

I think Palo Alto has great technical support in terms of the time of response and the efficiency of response.

Over the past few months we raised multiple tickets (P2-P4). On all of them the responses were quick within the SLA timelines. All the support Engineers had deep knowledge of the product, and always went above and beyond not only by fixing our issues, but also by trying to explain us why was misconfigured or what actually went wrong. Everyone had great communication skills, they were patient and listening our needs and requirements.

We used local Cisco ASA Firewalls that were located in our two UK offices.Normally we had around 10-15 % of our users working remotely. During the pandemic we had to setup around 500 users to connect to the VPN. Unfortunately our ASAs had limited capabilities (250 max users for the 5515-X and 100 for the 5508-X). Our temporary solution was to use the AWS VPN solution for the remaining users. 

At that point we realised that we need a flexible and scalable solution. In addition the company has embraced the cloud first approach a few years back by moving all our servers to the cloud, so utilising a VPN as a Service (offered by Prisma Access) was an expected next  step. 

In my team there are Cisco certified engineers and we have been using Cisco products for many years, but for my opinion when it comes to security and NGFWs, but they haven't reached the level of Prisma Access by Palo Alto Networks. I believe Palo Alto is the key player in the market. 

We had a mixture of different applications and vendors, and we wanted to merge everything under Prisma Access. The terminology is a bit different between Palo Alto and Cisco ASA, and between their local firewalls and the Prisma Access firewalls. It took us about a month to wrap our heads around it and understand how things worked. Once we did that, it was easy to implement. We have gradually migrated all our services. We did our MPLS and the connection to AWS, and now, we're slowly migrating the users. No one has noticed, so it has been seamless.

We don't have a big infrastructure and did the migration piece by piece, and it was really easy and seamless.

To set up the infrastructure with the team, it took us less than a week. The gradual migration took us three weeks, but the basic setup takes less than a week.

We used the Palo Alto professional services, which mainly help us though multiple Zoom sessions to understand all the Prisma components and also to configure the core Prisma setup. The fine tuning was done by the in-house team. 

We had a great experience. All the Palo Alto consultants had a great knowledge of the product and they were very helpful, making it very simple for us to understand this new Platform. They were never leaving any questions unanswered and they were always providing accurate documentation and references for my team to get the required knowledge and to understand / follow up during the Setup.

I think the ROI has been good. We no longer need people to maintain the whole infrastructure, and we do not need to spend money on different services that we no longer use like MPLS or other kinds of support.

Also, the fact that we can quickly scale up without worrying about buying additional licensing is great for us.

The price has been good for the ROI during these difficult times for the cruise industry. With Prisma, you need three types of licenses

- Palo Alto support

- Number of Remote Users that are connected to VPN (concurrent connections)

- Total Bandwidth between Remote Sites offices and Prisma. If you have three or fewer DCs then you don't have to purchase additional connections or bandwidth.

There are no hidden costs; what the product offers is what you get.

We didn't run any PoC with other vendors. Before we were introduced to Prisma Access we were thinking of moving also our Firewalls to Meraki (as we will do with our switches). I believe no other vendor can offer what Palo Alto with Prisma provides, at least at this moment.

In my experience, Prisma Access is a great platform. However, since SASE is a new fairly new concept, it was a bit confusing to understand all the  different components and how all of them work together. On top of that if you are not very familiar with Palo Alto firewalls and especially Palo Alto Panorama, additional training would be recommended. Of course the same concepts of a NGFW from any other vendor are applied. 

 Once you grasp how Prisma Access works, then it's really a piece of cake to set everything up.

For example, we are a small team of three people, and I'm the senior network engineer. My VPN knowledge was not good because we've mainly had MPLS. Still, it was very easy to set everything up.

You setup everything through the web GUI (Palo Alto Panorama). You don't need to know a lot about CLI. With Cisco devices, you have to be an expert in CLI to set up a few things.

On a scale from one to ten, I would rate Prisma Access by Palo Alto Networks at ten because it's an innovative product. They “invented” the whole concept (SASE), and they're way ahead of other competitors.

It made VPN easy with the ability to build distributed VPN gateways. The cost of IT deployment is a bit less because you just need a VPN-capable device at the branch, as against the full stack, before leveraging the firewall service feature. There is also better latency for the clients in terms of talking to resources back at the data center.

It's Panorama-managed. Using Panorama makes it easy for me in terms of pulling policies and doing things on the fly.

It's pretty similar to the native physical firewalls. The only difference is that with SaaS security, we're able to get a little more detail about shadow IT SaaS applications and properly categorize them, which is helpful to decide what we need to do with those applications. It affects which applications we would want to see running over the network and which applications we need to restrict from users.

Similarly, in terms of protecting data and preventing zero-day threats, it's the same thing that I get with my physical firewalls. The data is sent to Wildfire. All the features are all pulled from the same intelligence sensors. The only difference is that this is in the cloud.

Prisma SaaS helps to keep pace with SaaS growth in our organization, but it's not a big deal for us. Mostly, we're looking through or sifting through identified SaaS applications, and it's a good thing to have that visibility. That's what we're enjoying right now, and then probably with time, we might be relying on it to make decisions in terms of setting restrictions to some SaaS applications, especially those that are not sanctioned by IT.

It's hard for me to pinpoint a certain feature against the other. The product makes more sense as a whole. Overall, the cost savings, ease of deployment, and better VPN user experience and performance are valuable.

It helps to identify and control shadow IT apps. In terms of its impact on our organization's security, it has been like a sword with two edges. Sometimes, it has proved to be helpful in securing workloads, and sometimes, especially when there are modifications to App-IDs pushed through the content database, we find some things messed up. We've come to a point where we have our ways of managing these things, but all in all, App-ID has been very helpful, especially in detecting tunneled applications.

At the end of the day, it's simply an operational thing. Sometimes, you have these notifications sent out about changes in App-IDs, modifications in App-IDs, or even the introduction of entirely new App-IDs to replace. Sometimes, the recommendations are followed, but even then, when the package is installed on the firewall, it gets messed up. I remember a particular one was with Tableau, and suddenly, people weren't able to use Tableau, which is an analytics tool for business. So, it can get messed up, but it doesn't happen often.

I have been using it for about two years.

So far, it has been stable. We get all those notifications around changes. I haven't seen a lot of IT changes that need some kind of manual effort. 

Being on the global license package and being able to spin up a VPN gateway just like that has been a huge benefit. If I have new users in Berlin, I can make life better and just spin up something close to Berlin for them to connect to. If there's an office coming up somewhere in Poland and there are some supply chain issues. If I have a router somewhere there, I can just leverage on that easily without worrying about, "Oh, when am I going to get my stack deployed? How soon can I complete a project so that users are able to start working from that office?" Those are the things that I don't need to bother about anymore because I can easily spin up a complete node close to their location, and I can tunnel between them, do my routing, and they're good. They can talk to whatever resources we need them to talk to remotely and connect to the cloud from there for internally protected cloud workloads. Scalability is obviously a huge factor.

The Cloud App-ID technology is something I am still observing. It takes us back to SaaS security. App-ID is a critical and fundamental part of being able to identify SaaS applications. So far, the applications identified have been true positives. It seems to work so far, but with time, we'll see how it's able to help with identifying SaaS applications better. 

It helped to identify cloud applications that we were unaware that our employees were using. I don't have the metrics, but we do generate reports from time to time just to see what's going on and how we compare with the industry in terms of application usage. Similarly, for risk identification, I don't have metrics. We are just reviewing and sifting through these applications. We don't, or we haven't, put a risk score on them yet. Until that's done, it's almost impossible for me to say if these are bad actors or not. We have visibility now. The SaaS applications that have been used at the moment are not of concern based on the last review we did. As time goes on, we might start considering some as risky or start categorizing the risks in some of these SaaS applications. Currently, it's all open. We mostly have mobile users, and we have another solution for endpoint security and Internet-based applications that go through their home Internet. There are few who do visit the office. Probably less than 10% of the organization goes into the office, so there's no huge concern at the moment because of those very low numbers.

For the parts and the features that I use, which are mostly remote branch and mobile gateway, I would rate it an eight out of ten.

We are using Prisma SaaS for products. We use many content-based platforms and we were using this product to perform policy detection. If someone is sharing something publicly, externally, from our domain, which is risky. This product allows you to write policies, and those policies will detect content, which captures them in the policy category or in the criteria. You then can add remediation action for protection.

We deploy the solution using their infrastructure and we connected that solution with our applications.

Prisma SaaS has helped the way our organization has functioned. Before the used the solution, we needed to write API calls for every platform to receive data out of it. It's a tedious task because we have 20 products and you need to write 20 application API calls. Once you receive the API calls, you need to massage and manipulate the data, search, and filter it. We need to write the full-fledged application. However, this product does it all, it gives you everything.

Instead of writing applications, we only need to go into one place, one URL, and we are able to do whatever we need to. In terms of hours, it saved us a lot of time and hours to do similar tasks previously, which we used to do using API calls to the product.

This is a one-stop solution. They have multiple features for every product, you don't need to purchase different products for each platform. When you purchase one Prisma SaaS you can connect to 10 different things. You can write different policies, attach different policies, search, and export the data out. There are many capabilities of this solution.

The solution has all its capabilities in a single cloud delivery platform which is great and it provides overall good protection.

If you compare Prisma SaaS against other products, such as Cloud Log, it's a little bit tricky to understand, but it offers different functionality that other products don't have. From a user usability point of view, you need some training for this product, as an admin, you need a couple of demos.

The reports and setting the policies could improve, they are important. Their UI is a little bit confusing when you create the policy section. There are times when it looks like you are in one section, but you're technically in another section and you're saving something else. The need to make it more clear in the UI for policy creation and setup.

I have been using Prisma SaaS for approximately one year.

The stability of the solution is a little bit slow when you do searching. However, I have never seen an error on the application for over one year. It is stable.

The scalability of Prisma SaaS is very good.

We plan to increase the usage of this solution. We are working with the compliance team and we are trying to find more policies and more products where we can use Prisma SaaS. We have recently renewed the solution for three more years.

If we open a private ticket, they're pretty fast. They get back to us in a timely manner and we work with them actively.

I would rate the technical support a seven out of ten.

We have two solutions that we use. We also use CloudLock for a specific product. These products are usually application-based, and if you compare BetterCloud and CloudLock, CloudLock is good for Google. Similarly, BetterCloud is good for Dropbox because their EPA's are more integrated. Prisma SaaS is good for receiving data from OneDrive, Office365, and a lot of other products. We have multiple products depending on the use case.

The initial setup is straightforward. It's a SaaS product, we only need to log in and integrate our apps using our administrative rights.

The full deployment takes a couple of weeks. The deployment is easy, but the scanning takes time. If you connect a product and that product is having a terabyte of data, the scanning will take time. However, deployment connecting to the products, it's fairly easy.

We implement the solution in a sandbox environment and a production environment. The sandbox environment is connected to our sandbox applications, and production is connected to production applications. Whenever we are trying to launch a new policy, we used to try a new sandbox first. If it goes well, we send it to a production environment. We upload a sample of corrupted files to see if the policies are acting as they are supposed to.

We used an integrator and we worked with them directly.

We use approximately 40 hours a week for the maintenance of the solution to get everything done.

The pricing can be difficult because it came to us with another agreement, but it can be negotiated. I highly recommend people to compare this product's performance and pricing against BetterCloud, because I feel BetterCloud is better than Prisma SaaS if they're starting from scratch.

The auditing does not protect all application traffic. It's more content-based. For example, if I uploaded a file and that file has sensitive information, Prisma will detect it. It will tell me where that file has been uploaded, how it's shared, whose current external parties were accessed. Anything which is bound to my user base, I will receive the report, but not the audit log. It won't tell me when users log into the platform, or if they log out. However,  it will tell me if they upload anything and take any action on that content.

We can connect the solution to AWS F3, which you can be considered not web-based because it has both products. From the F3 bucket, you can access it through different mechanisms. We are using it for some products which are not purely web-based.

We use SaaS products. That means infrastructure is not in our control and if you upload something into those platforms, such as Dropbox, any content that is put into the data system, we need to make sure that our data is protected and not shared outside. This product and its processes allow us to monitor it. We can create a policy, and limit the action. A person does not need to wait and then take action. For example, if someone uploaded something critical, a Saas policy gets triggered, and it automatically brings that operation down. If someone shares a file publicly, the policy triggers and detects the file and removes the public sharing. This is how we are protecting our data within our platform using this product.

I have learned from using this solution we should have more policies created as per compliance and security to utilize the features of this product better. If you have this product and if you're not writing a policy, then this product is useless. Right now we have basic policies, four and five, which I feel we have the potential to increase to 15 or 20.

I rate Prisma SaaS by Palo Alto Networks a seven out of ten.

We use it to monitor our cloud environments to get a real-time inventory of what's being stood up, what's being torn down, vulnerability management, risk management, and all of our cloud resources across all AWS, Azure, and GCP.

If somebody configures something in a way that's vulnerable, we know instantly. We'll get an alert and address it so that it's remediated and not left open. For example, if somebody stands up a new storage container and inadvertently makes it publicly accessible, that's something we'd want to know right away to prevent a breach. We could automate it to prevent it from being stood up with public access. 

We can prevent specifically forbidden configurations automatically by using this tool to never allow a resource storage container to be stood up and made publicly accessible. Automation is key there, and I'd say that would be an example of how Palo Alto has improved my organization.

Prisma SaaS helps us keep pace with SaaS growth in our organization. Everything's going to the cloud, and containers are being used more and more. As security professionals, we don't live in the development world, so we need to know what's going on in that realm, and the platform will help us identify those things and make sure that they're stood up securely. 

If there's something new, a new vulnerability, or a new standard, we'll be alerted about it. That's important because we don't speak developer language, and we, as security folks, consume the data. We must understand what's being stood up and how, and the platform will help us identify that and explain why it's vulnerable and needs to be fixed.

Prisma's most valuable feature would be its ability to identify bad or risky configurations. People stand up stuff in the cloud all the time, and as security professionals, we're not always aware of it. Prisma is critical for flagging real-time inventory and configuration risks, general vulnerabilities, and also issues in Kubernetes. Prisma is very effective for securing new SaaS applications. The code used to configure new SaaS applications is critical for identifying what we want as our security standards and confirming that they're being practiced.

Prisma would be a stronger solution if it could aggregate resources by project or by application. So say we have an application we've developed in AWS and five applications we've developed in Azure. The platform will group it according to those applications, but it's based on the tags we use in Azure, which means I have to rely on development teams to tag resources properly. If they don't do that, it doesn't group them properly in the platform. 

It would be nice if we could group the application according to the platform itself instead of relying on the development team to tag correctly in the cloud environment. My development team for one project might be different from the development team in another project. If I see a resource that needs to be fixed or changed, I need to know what project that resource is associated with. Ideally, I don't want to have to go into Azure and try to figure that out. So if I could tag it using the platform itself rather than relying on the tags that the development team uses in Azure, that would be extremely helpful. I wouldn't say Prisma is particularly useful for protecting data. It's hard to say. We're not looking at the data of the resources, so to speak, using Prisma. It's more like the resources that hold the data.

I've been working with Prisma SaaS for about five years.

I'd say Prisma is extremely stable. We haven't had any issues there.

Prisma is highly scalable. It's a cloud solution, so it automatically updates when new resources come out. We don't have to do anything. It just sees it and adjusts accordingly. I recently started a new role at a company, and we're planning on implementing it and using it more. Where I came from, we used it extensively and relied on it to monitor and manage our cloud environment.

I rate Palo Alto tech support seven out of 10. The technical support used to be a lot better when they were a smaller company. Back when they were called Evident.io and then RedLock, they were more personable and provided good one-on-one technical support. Their support structure changed about a year and a half ago. Now, they're more like group support, and I don't think it's as thorough, but it's still okay. 

Neutral

I would say the cloud SaaS part was extremely straightforward to set up. We had no problems there. Then there is the container compute area called Compute in Prisma. It's almost like a product within a product. You have to deploy the container section on an agent to your container host. That's a little more complicated because we have to rely on development teams to deploy the agent, but tying the platform to your cloud subscriptions was straightforward and took only 30 minutes to an hour. 

It is a little more involved to set up the Kubernetes containers and deploy the agent. That could take up to a day because you have to collaborate with other teams to get that deployed and make sure it's pulling the right data. Then again, it depends on how receptive your development team is to deploying the agents. That part usually takes around three hours. It takes one or two security engineers to deploy and maintain. 

We did it in-house with some help from Palo Alto that we purchased through a support license.

I don't have specific metrics, but I will say that it helps us know what we don't know, and that's ideal from a security perspective—seeing things that we didn't realize were an issue. The return on that investment is significant because you can't secure what you don't know is there. Prisma accomplishes that pretty easily without having to be on the platform constantly responding to alerts.

Prisma integrates pretty nicely even if you aren't using other Palo Alto products. It's very effective for a CSP solution, and the time to value is almost instant. As soon as you stand it up, it shows value by telling you all the vulnerabilities or risks in that environment. I feel like Prisma is one of those things that is essential. If you have resources in the cloud, you're going to need something to monitor it, and it's not ridiculously priced. I'm not too involved in the budget, so it's one of those things that's a necessary evil. I feel like it's a reasonably priced necessary evil.

Prisma is in the middle of the road. It's not the most expensive, but it's not the cheapest. There aren't any additional costs, to my knowledge. I know they have some extra modules, but we didn't use them. 

I'd say the price fits the solution. Prisma is capable of many other things, but Palo Alto doesn't charge you extra for those things, unlike other companies. You can use them or not. Because your environment grows, you may not use it now, you may not need it now, but you may in the future. Those capabilities are there without an additional cost for a different module where other companies will break it out, where you have to pay for those things.

We evaluated a few, including Sysdig, Threat Stack, and Lacework. The deciding factor was the ease of use. It's critical to understand what you're looking at and for the platform to provide value with reports. The data presentation in Prisma was more straightforward.

I rate Prisma SaaS nine out of 10. Ideally, you want a platform that will save you time by giving you the information quickly so you can understand it and act on it. Many platforms have loads of colorful graphs or bells and whistles, but they don't help you get to the bottom of what you're looking at. I feel that Prisma does that. You can get so much information directly from the platform without the need to reach out to other teams or go into the cloud to understand what you're seeing.

We primarily use the solution for mobile users and mainly mobile laptops. In some cases, we use the solution for cloud tenant portals in Azure. We use it to connect those back into the network.

Overall, it's a great solution that works quite well.

The solution's most valuable feature is the posture checking. 

It's great that we can make sure a machine meets the minimum requirements before users are allowed to log in.

The solution needs to be more compatible with other solutions. This is specifically a problem for us when it comes to healthcare applications. They have proprietary connection types and things of that nature that make compatibility a challenge sometimes.

The scaling can be a bit tricky, depending on the setup.

I've probably been using the solution for four years at this point.

The stability is quite good. We haven't had any issues in that sense. It's reliable. There aren't bugs or glitches. It doesn't fail.

The solution is scalable. However, it's more of kind-of piecemeal scalability. I didn't actually deploy it. I just know a lot about it. It depends on how your network is set up. If you have a single egress, it's easy. If you have 70 egresses, it can be very, very difficult. 

You may have those many email egresses because you're geologically spread out and you need people to connect with certain portals based on where they are. Of course, we want users to connect to their closest portal. There's complexity there and the cloud doesn't really solve it because the cloud still has to do load balancing and hand it off to the concentrator.

On average, we have about 8,000 users between IT, finance, HR, and, of course, house and home users. 

I can't speak to the acceptability of technical support. I've never had to contact them.

We were using AnyConnect. It was limited in terms of egresses, so we decided to switch.

For us, the initial setup was not straightforward. It was very complex due to the fact that we're a very large company. That said, I don't mind the complexity.

The deployment was easy. It was just a matter of handling the configuration for different regions and hospitals. We had to figure out what egress they come in on or what device they come in on and things like that and that decide upon what's the most efficient means for them to connect back into the network.

I don't deal with licensing in the company. I'm not sure what the pricing is.

My understanding is that it's a bit more expensive only because it's part of the framework of the Palo Alto solution. It's more sensitive than if we just went and got some free VPN or some ad hoc solution, and so it's a bit more costly.

We're just a customer. We don't have a business relationship with the company.

I'd advise others that the solution is largely based on the complexity of your environment. It's not that deployment's difficult. It's just that you want to put it where it's most efficient. You've got to take the time to figure out where your users are and how they connect and where they're connecting from.

Overall, I'd rate the solution eight out of ten.

We use Prisma Access, not only for our remote users, in a distributed workforce, but for our offices as well. Right now, because of COVID, there is a very limited footprint on the office side of it. But we would like to cover our offices so that when people are working in them and trying to access resources, whether those resources are hosted on public cloud, private cloud, in data centers, or on-prem, Prisma Access is involved.

Prisma Access is completely hosted on Google Cloud Platform. Palo Alto Panorama, which is the centralized management tool, is also hosted on a public cloud environment. So the entire solution lies in the cloud.

The fact that Prisma Access provides millions of security updates per day is really important because it takes care of the equivalent of preparing patches and pushing them to your environment, without the headaches of managing and maintaining those processes for your infrastructure. If you get security intelligence from different verticals and different alliances, or through some sort of open API integration where vulnerabilities arise at different times, it's going to be difficult to keep up. Subscribing to this service and having it take care of that is really phenomenal.

And the best part is that you know that you are part of a bigger ecosystem where this learning about security issues is happening, and things are made available to you on a scheduled basis every day. It automatically strengthens your security posture. We are quite happy with this feature and feel very confident that the Palo Alto security stack takes care of all of these things automatically. That is one of the salient features and was one of our evaluation parameters for choosing a solution.

Another benefit is that before, if we had to set up a restricted environment for a given project, the lead time was about a day to get everything functioning correctly and to get the go-ahead from the security team. Now, setting up these environments can literally happen in less than five minutes. It is already segmented. All you need to do is ensure the people who are part of the project are included in a single access-control list, which these days is based on GCP Identity-Aware. Based on that, it provides the right privileges required to access certain things. That is the building block of any SasS solution with zero cross-network access. And it is very easy now.

The Prisma Access remote side is pretty good with respect to the footprint that it covers. Because it is built on the Google platform, using the Google Premium Tier network, it is almost everywhere geographically. From wherever we initiate a connection, it connects with the nearest point of presence, which minimizes the latency. And we can access applications wherever they are hosted.

It protects all app traffic so that users can gain access to all apps. Unlike other solutions that only work from ports 80 and 443, which are predominantly for web traffic, Prisma Access covers all protocols and works on all traffic patterns. It is not only confined to web traffic. This is important because security is something that should always be baked in, rather than being an afterthought. The most sophisticated attacks can arise from sources that are not behind 80/443. They could come through bit-torrent traffic, which uses a non-standard port, altogether. We want to cover off those possibilities. We were very sure, from the start of our deployment when conducting PoCs, that the solution we picked should have coverage for all ports and protocols.

The fact that it secures not just web-based apps, but non-web apps as well, is important because the threat landscape is quite big. It not only includes public-facing applications that are accessible via web protocols, but it also includes many attacks that are being generated through non-standard protocols, like DNS tunneling and newly-registered domain control names. There are also a lot of critical applications being accessed on a point-to-point basis, and they might be vulnerable if those ports and protocols are not being inspected. You need to have the right security controls so that your data remains protected all the time.

In terms of the solution's ease-of-use, once you understand the way the various components stitch together, and once the effort of the initial configuration, setup, and rollout are done and you have set up the policies correctly, you're just monitoring certain things and you do not have to touch a lot of components. That makes it easy to manage a distributed workforce like ours in which there are 10,000-plus users. With all those users, we only have a handful of people, five to seven individuals, who are able to gracefully manage it, because the platform is easy to use. It does take considerable effort to get up to speed in configuring things during the initial deployment, but thereafter it is just a case of monitoring and it's very easy to manage.

In addition, whether traffic is destined for a public cloud environment, or for a private data center, or you are accessing east-west traffic, you can apply the same security policies and posture, and maintain the same sort of segmentation. Prisma Cloud offers threat prevention, URL filtering, and DNS protection, and east-west traffic segmentation. These features are the foundation of any security stack. There are two primary purposes for this kind of solution, in the big picture. One of them is handling the performance piece, providing ease of access for end-users, and the second is that it should handle security. All of these components are foundational to the security piece, not only to protect against insider threats but to protect things from the outside as well.

Prisma Access offers security on all ports and protocols. It covers the stack pretty well, leaving no stones unturned. The same unified protection is applied, irrespective of where you access things from or what you access. That also makes it a very compelling solution.

There are definitely a number of things that could be improved. 

One of them is geographic coverage. China is still an issue because the solution does not operate there properly due to government regulations. I believe Palo Alto is trying pretty hard to get into partnerships with Alibaba and other cloud providers, but they do not have the same compelling offering in China that they have in the rest of the world. Businesses that are operating within China have to be very sure to evaluate the solution before making a buying decision. It is not an issue with Palo Alto, rather it is predominantly the result of government rules, but it's something that Palo Alto needs to work on.

There is also room for improvement when it comes to latency in a couple of regions, including India and South America. They might have to increase their presence in those locations and come up with more modern cloud architectures.

The third area is that, while Palo Alto has understood the essence of building capabilities around cloud technology and have come up with a CASB offering, that is a very new product. There are other companies that have better offerings for understanding cloud applications and have more graceful controls. That's something that Palo Alto needs to work on.

I've been using Prisma Access by Palo Alto for two to three years. We started deploying Palo Alto gear back in 2015 and, along the way we have looked into multiple tools from them and invested them.

On a scale of one to 10, I would give the stability a seven. There are a couple of reasons for that score. One is that when we make certain changes to configs, it takes about 14 to 15 minutes to populate. And there have been scenarios where it has taken about 45 minutes for the config changes to happen. When you sell a product by saying that it's cloud-native and that users can make all configuration changes on-the-fly, when those changes are made they should happen within a minute. They should not take that much time.

It might be that Palo Alto is still using a certain type of infrastructure in the backend that is causing these delays. If they pile on the cloud technologies, and work towards a more microservices-based architecture, I'm hopeful that they can bring this delay down to less than a minute.

Going from one user to 10,000 or 15,000 users, we haven't faced a lot of problems. However, for companies that are considering investing in this solution, if they have more than 50,000 end-users, a config change could take 10 to 15 minutes. In an environment where 50,000 people are expecting certain things to work, those things might not work for them. Such companies have to look at the solution very thoroughly in terms of the cloud piece, the integration piece. But from one to 15,000 or 20,000 end-users, it is flawless. We don't tend to see a lot of issues. But beyond, say, 25,000, I would suggest doing a deeper analysis before purchasing the product, because there are some glitches.

Initially, Palo Alto technical support was okay around sales discussions and getting up to speed on doing a PoC. But one once we deployed and then raised queries, those lead times increased quite a bit. Unless you take their premium support, where there is an SLA associated with every issue that you raise, it becomes very difficult to get hold of engineers to work on a Prisma Access case. If you just take some sort of partner support, you cannot expect the same level of support on your day-to-day issues that you would get with premium support.

Fundamentally, when a company sells a product, whether you are taking the premium support or some other level of support, the support metrics should be more or less the same, because you are trying to address problems that people are facing. Their response should be more prompt. And if they can't join a call, they should at least be prompt in replying via email or chat or some other medium, so that the customer feels more comfortable about the product and the support. If it takes time to resolve certain problems, post business hours, it can be very difficult for people to justify why they have deployed this product.

Neutral

COVID was a surprise for us, just like for everyone else in the world. We had a solution from Palo Alto, but it was not a scalable one. We configured things in a more manual way because our requirements were not that high in terms of remote use cases. Post-COVID, the situation has completely changed for us and we have to think about a hybrid situation where we can still gracefully allow access to end-users in a more secure fashion. That led us to evaluate this solution from Palo Alto.

The initial setup is not so straightforward. There is a learning curve involved because you need to understand which component fits where, with all of these modern, edge infrastructure secure-access services. You need to do capacity planning well, as well as a budgetary plan. You need to know the right elements for your business. Once you set that up, it is very simple to manage.

It took us about two to three months to deploy because we have a lot of geographical constraints. Different regions have different requirements. Accounting for all of those needs is why it took us that amount of time to set everything up.

We have to do an apples-to-apples comparison. If you had a very small set of people who had to create a dedicated setup like Prisma Access, and manage the infrastructure piece and the upgrading piece and the security piece, it would be a nightmare. Prisma Access offers that ease and flexibility so that even a handful of people, with the right knowledge, are still able to manage the configuration piece of it, because the infrastructure and other things are handled by Prisma Access. If you had to build that whole thing versus buying it, obviously Prisma offers a good ROI.

It all depends on your requirements. If your requirements enable you to do those things on a much smaller scale, then you need to be very cautious about which components of Prisma you actually pick for your use case. If you get all the components, you might not be getting the right ROI.

For our use case, we feel we are getting a return on investment, but it could be better.

The most pricey solution is Zscaler, followed by Prisma Access, and then Netskope.

The initial prices of Prisma Access were okay. But as soon as you start deploying Palo Alto gear, the support prices and the recurring prices, which are the major operational costs, tend to increase over time. For example, if you go ahead with a one-year subscription, just for testing purposes to see how the whole solution works, and you plan to renew for the next two or three years, you tend to see that the solution gets really costly.

We understand that when you purchase a hardware component, the cost goes up because you have a physical asset that depreciates over time. But when you are getting a subscription-based service, the cost should tend to be reduced over time. With Prisma Access, the cost is increasing and that is something beyond any kind of logic. This is something that Palo Alto needs to work on if they want to be competitive in the market.

We evaluated other options like Zscaler and Netskope. Prisma Access has more coverage for ports and protocols. It doesn't only inspect web protocols but all ports and protocols, and that's an advantage. Other solutions are still relying on web protocols.

The positive side of these other solutions, because they came along a little later, is that they have understood the demerits of a solution like Prisma Access. They are using more cloud-native components and microservices architectures. That makes these solutions faster. As I said, some config changes in Prisma Access take 14 to 15 minutes, but these other solutions literally take a minute to make the same config changes happen.

It's a constant race.

Put your business requirements up against the solution to see how it pans out. Look at the stability of the product, and at how much time it takes to make configurations and apply them in practice. And if you have a distributed workforce, like us, try to run this solution in southern countries where there is a latency issue or known issues with ISPs. You may not get the same set results that you tend to get in northern countries around the world.

We don't have a subscription to Prisma Access' Autonomous Digital Experience Management features, but we have done some testing of it. It's pretty good because it can help ease the work of an office helpdesk person who constantly gets tickets but has no visibility for monitoring things. With everybody conducting their work from home, it gets very difficult to know the setup of the internal environment and how people are accessing things and where the bottlenecks are. The ADEM tools are going to help immensely in that regard, because without having knowledge of the underlying infrastructure at every individual's home location, you can still identify whether a problem is specific to their home office or to the application the user is accessing or to the network that is causing the problem. That information is absolutely at your fingertips. Analyzing those types of things becomes really easy. 

ADEM will also help with the efficacy of troubleshooting and providing support to end-users. If there are certain applications that are critical to an organization, you could easily define a metric to see, out of all the people who are accessing those applications every day, how many of them are facing a problem. And if they're facing a problem, what the parameters of the problem are. Avoiding the problem could turn out to be something that people need to be educated about, or maybe there is something we can proactively tell users so that they can take precautionary measures to get a better experience. It is certainly going to help in enhancing the end-user experience.

Palo Alto's building blocks clearly illustrate an app-based model. It analyzes things based on an application so that we know what the controls are within an application. For example, if you want to block Facebook's chat but continue to allow basic Facebook to be browsed, that kind of understanding of the application would allow you to do so. That is way more graceful than completely blocking the end-user. It's not something that is specific to Palo Alto Prisma Access but it is a core component of Palo Alto.