Prisma Access by Palo Alto Networks Reviews

Prisma Access GlobalProtect is our always-on VPN. We use it for URL filtering, to make sure people don't go to websites that are not permissible according to our security policy, such as gambling and pornography sites. We also implement Data Loss Prevention and decrypt the packets so that we can analyze the inside and make sure that nobody is trying to exfiltrate data. It's always on and it doesn't matter if you're in an office or at home or in a coffee shop or a hotel. 

We also use their service connections to access our internal services through them.

Since everybody is on the network all the time, it's allowing us to eliminate the step of having to connect to a VPN. That's the whole premise of an always-on VPN. Nobody has to think, "Oh, I need to get on VPN before I can connect to that server," or, "Oh, my VPN timed out because I've been on for 12 hours." The whole premise is that you're constantly on a VPN and it's constantly securing the system. That has helped from an end-user perspective. It hasn't come without its challenge, but that is one thing that is definitely a benefit.

In terms of security, it's definitely better than what we had because a user could just disconnect from the VPN before. They couldn't shut off the cloud proxy, but the cloud proxy only handled web-based traffic. If they wanted to FTP to a server, when they were connected to the VPN, it would get blocked. But they could just disconnect from VPN and then connect to FTP. Now, it goes through more security controls. So we are definitely more secure because of it. But it's just a completely different technology; it's more because of that than the product itself.

It's also somewhat of an alternative to SD-WAN. We had been looking at SD-WAN solutions and, realistically, the way the users are connecting now with Prisma Access, there's really no need for it.

It's an always-on solution and it supports both Mac and Windows. We have one configuration globally, and the only area where we had to do something differently is China.

Prisma Access protects all app traffic, so that users can gain access to all apps and that's very important because we need to be able to access everything. 

It also allows us to access non-web apps; anything internal that we need access to, we can access. Because we're using it as a VPN solution, our users are always on the internal network, regardless of where they are. They can't do anything because we lock them down so that if GlobalProtect doesn't connect, they can't get out to the internet. It's helped in that there were things that people would work around in other ways with our old model, things that they can't work around with the new model.

Also, having a single cloud-delivered platform, a global solution, was a key requirement for us.

We use the solution's threat prevention, URL filtering, and segmentation and they're all extremely important, based on what we're doing with the product. It's also very important to the business that Prisma Access provides millions of security updates per day.

We've run into some challenges, having hit a lot of bugs over the past year in the deployment of GlobalProtect. We've had our fair share of issues that I haven't been happy with. We're working with the support organization to remediate them and waiting for updated releases. The response on getting the bugs fixed has not been what I would consider adequate for a product like this. We've had some very pointed discussions with the support organization and the development teams on those issues and on doing what we can to help remediate them as well. They have been more responsive now towards our needs but it's a work in progress. 

They're going from being an organization that supported physical hardware, the Palo Alto firewall, into the realm of a SaaS-based solution. As a result, they need to change their operating model, support model, and release model to support that SaaS-based solution. That is related to support, related to operational efficiency, and deployments of code. Those are the areas where they need to improve.

I've been using Prisma Access by Palo Alto for about a year.

I don't see issues yet in terms of its scalability. We have more capacity than we need, so I think it's fine. We have firewalls in every region and in every country that Palo Alto has available. It's fairly scalable.

We previously used Cisco AnyConnect for VPN and a cloud proxy solution for web-based security. We went from two products to one. The main purpose was to find a replacement for the cloud proxy solution. VPN just wound up being a good and positive outcome, in addition to it.

The initial setup was complex. It has taken us almost a year, but we have about 7,000 users. We're just finishing up the main deployment of 5,000-plus users. We had an acquisition earlier this year and that will add another couple of thousand users. There have been a lot of hurdles with the bugs that we hit in the product. The stability of the software has been our biggest challenge.

We did the deployment ourselves. In terms of maintenance, I manage the network engineering team globally, and our team is responsible for it.

We did look at other vendors when we were deciding on our VPN software and we went with Palo Alto for security reasons. 

My advice would be to wait until they fix the bugs. We've been on a pretty stable version for the past several months and haven't had any issues. But other users who are on the same version have hit bugs on a regular basis, and it has been a nightmare to try to support. We're waiting on the final update of version 5.2.9 to get some of these issues fixed, and we're also waiting on 5.2.10 to support Windows 11 and the new version of Mac.

It's a balancing act in terms of security and nothing is perfect. We do have Palo Alto hardware as well as the Prisma Access solution, so we're reliant on Palo Alto's security for a lot of our security needs. I think the security is adequate.

I like the product in principle and I would rate it pretty high, but the bugs that we've hit pull the score down a bit. And then there are the operational support issues that we've had with Palo Alto, in general, that contribute to the score of six out of 10, as well.

We use it to monitor our cloud environments to get a real-time inventory of what's being stood up, what's being torn down, vulnerability management, risk management, and all of our cloud resources across all AWS, Azure, and GCP.

If somebody configures something in a way that's vulnerable, we know instantly. We'll get an alert and address it so that it's remediated and not left open. For example, if somebody stands up a new storage container and inadvertently makes it publicly accessible, that's something we'd want to know right away to prevent a breach. We could automate it to prevent it from being stood up with public access. 

We can prevent specifically forbidden configurations automatically by using this tool to never allow a resource storage container to be stood up and made publicly accessible. Automation is key there, and I'd say that would be an example of how Palo Alto has improved my organization.

Prisma SaaS helps us keep pace with SaaS growth in our organization. Everything's going to the cloud, and containers are being used more and more. As security professionals, we don't live in the development world, so we need to know what's going on in that realm, and the platform will help us identify those things and make sure that they're stood up securely. 

If there's something new, a new vulnerability, or a new standard, we'll be alerted about it. That's important because we don't speak developer language, and we, as security folks, consume the data. We must understand what's being stood up and how, and the platform will help us identify that and explain why it's vulnerable and needs to be fixed.

Prisma's most valuable feature would be its ability to identify bad or risky configurations. People stand up stuff in the cloud all the time, and as security professionals, we're not always aware of it. Prisma is critical for flagging real-time inventory and configuration risks, general vulnerabilities, and also issues in Kubernetes. Prisma is very effective for securing new SaaS applications. The code used to configure new SaaS applications is critical for identifying what we want as our security standards and confirming that they're being practiced.

Prisma would be a stronger solution if it could aggregate resources by project or by application. So say we have an application we've developed in AWS and five applications we've developed in Azure. The platform will group it according to those applications, but it's based on the tags we use in Azure, which means I have to rely on development teams to tag resources properly. If they don't do that, it doesn't group them properly in the platform. 

It would be nice if we could group the application according to the platform itself instead of relying on the development team to tag correctly in the cloud environment. My development team for one project might be different from the development team in another project. If I see a resource that needs to be fixed or changed, I need to know what project that resource is associated with. Ideally, I don't want to have to go into Azure and try to figure that out. So if I could tag it using the platform itself rather than relying on the tags that the development team uses in Azure, that would be extremely helpful. I wouldn't say Prisma is particularly useful for protecting data. It's hard to say. We're not looking at the data of the resources, so to speak, using Prisma. It's more like the resources that hold the data.

I've been working with Prisma SaaS for about five years.

I'd say Prisma is extremely stable. We haven't had any issues there.

Prisma is highly scalable. It's a cloud solution, so it automatically updates when new resources come out. We don't have to do anything. It just sees it and adjusts accordingly. I recently started a new role at a company, and we're planning on implementing it and using it more. Where I came from, we used it extensively and relied on it to monitor and manage our cloud environment.

I rate Palo Alto tech support seven out of 10. The technical support used to be a lot better when they were a smaller company. Back when they were called Evident.io and then RedLock, they were more personable and provided good one-on-one technical support. Their support structure changed about a year and a half ago. Now, they're more like group support, and I don't think it's as thorough, but it's still okay. 

Neutral

I would say the cloud SaaS part was extremely straightforward to set up. We had no problems there. Then there is the container compute area called Compute in Prisma. It's almost like a product within a product. You have to deploy the container section on an agent to your container host. That's a little more complicated because we have to rely on development teams to deploy the agent, but tying the platform to your cloud subscriptions was straightforward and took only 30 minutes to an hour. 

It is a little more involved to set up the Kubernetes containers and deploy the agent. That could take up to a day because you have to collaborate with other teams to get that deployed and make sure it's pulling the right data. Then again, it depends on how receptive your development team is to deploying the agents. That part usually takes around three hours. It takes one or two security engineers to deploy and maintain. 

We did it in-house with some help from Palo Alto that we purchased through a support license.

I don't have specific metrics, but I will say that it helps us know what we don't know, and that's ideal from a security perspective—seeing things that we didn't realize were an issue. The return on that investment is significant because you can't secure what you don't know is there. Prisma accomplishes that pretty easily without having to be on the platform constantly responding to alerts.

Prisma integrates pretty nicely even if you aren't using other Palo Alto products. It's very effective for a CSP solution, and the time to value is almost instant. As soon as you stand it up, it shows value by telling you all the vulnerabilities or risks in that environment. I feel like Prisma is one of those things that is essential. If you have resources in the cloud, you're going to need something to monitor it, and it's not ridiculously priced. I'm not too involved in the budget, so it's one of those things that's a necessary evil. I feel like it's a reasonably priced necessary evil.

Prisma is in the middle of the road. It's not the most expensive, but it's not the cheapest. There aren't any additional costs, to my knowledge. I know they have some extra modules, but we didn't use them. 

I'd say the price fits the solution. Prisma is capable of many other things, but Palo Alto doesn't charge you extra for those things, unlike other companies. You can use them or not. Because your environment grows, you may not use it now, you may not need it now, but you may in the future. Those capabilities are there without an additional cost for a different module where other companies will break it out, where you have to pay for those things.

We evaluated a few, including Sysdig, Threat Stack, and Lacework. The deciding factor was the ease of use. It's critical to understand what you're looking at and for the platform to provide value with reports. The data presentation in Prisma was more straightforward.

I rate Prisma SaaS nine out of 10. Ideally, you want a platform that will save you time by giving you the information quickly so you can understand it and act on it. Many platforms have loads of colorful graphs or bells and whistles, but they don't help you get to the bottom of what you're looking at. I feel that Prisma does that. You can get so much information directly from the platform without the need to reach out to other teams or go into the cloud to understand what you're seeing.

The tool's consolidation is pretty quick.

Prisma Access by Palo Alto Networks should consolidate the portals into a single portal. It is slow and takes more than ten seconds to load a page.

I have been working with the product for two years.

I rate Prisma Access by Palo Alto Networks' stability a seven out of ten.

I rate the tool's scalability an eight out of ten. My company has around 10-15 users.

Prisma Access by Palo Alto Networks' technical team responds fast.

Neutral

The tool's deployment difficulty is in the middle.

Prisma Access by Palo Alto Networks has flexible licensing models with different categories. It comes with different features which can be removed if not needed. However, its pricing is high.

I rate Prisma Access by Palo Alto Networks an eight out of ten.

My clients used Prisma Access essentially for security in the cloud. We integrated their SD-WAN into Prisma Access.

Palo Alto Firewall is one of the best firewalls in the world. It's very clear about the policies and all the security features they have. Also, the user integration works very well in Palo Alto. The WiFi, anti-threat, web filtering features and IT/OT separation are also good.

Though the monitoring is fine, the solution should improve its application graphs and interface monitoring. Additionally, the pricing could be improved.

I worked as a consultant on Prisma Access for one year for one integration project.

The product is very stable.

The product is scalable. Our clients are medium-sized businesses. There are 1,500 users worldwide.

The support is good. I rate the support an eight or nine out of ten.

Positive

The solution is not easy to implement. The first setup is a bit more difficult, but it gets better. The solution is easy to maintain.

A global partner did the setup.

I'm still comparing, but the solution is quite expensive.

I recommend people try the product out because it's really good. I rate Prisma Access an eight out of ten.

It made VPN easy with the ability to build distributed VPN gateways. The cost of IT deployment is a bit less because you just need a VPN-capable device at the branch, as against the full stack, before leveraging the firewall service feature. There is also better latency for the clients in terms of talking to resources back at the data center.

It's Panorama-managed. Using Panorama makes it easy for me in terms of pulling policies and doing things on the fly.

It's pretty similar to the native physical firewalls. The only difference is that with SaaS security, we're able to get a little more detail about shadow IT SaaS applications and properly categorize them, which is helpful to decide what we need to do with those applications. It affects which applications we would want to see running over the network and which applications we need to restrict from users.

Similarly, in terms of protecting data and preventing zero-day threats, it's the same thing that I get with my physical firewalls. The data is sent to Wildfire. All the features are all pulled from the same intelligence sensors. The only difference is that this is in the cloud.

Prisma SaaS helps to keep pace with SaaS growth in our organization, but it's not a big deal for us. Mostly, we're looking through or sifting through identified SaaS applications, and it's a good thing to have that visibility. That's what we're enjoying right now, and then probably with time, we might be relying on it to make decisions in terms of setting restrictions to some SaaS applications, especially those that are not sanctioned by IT.

It's hard for me to pinpoint a certain feature against the other. The product makes more sense as a whole. Overall, the cost savings, ease of deployment, and better VPN user experience and performance are valuable.

It helps to identify and control shadow IT apps. In terms of its impact on our organization's security, it has been like a sword with two edges. Sometimes, it has proved to be helpful in securing workloads, and sometimes, especially when there are modifications to App-IDs pushed through the content database, we find some things messed up. We've come to a point where we have our ways of managing these things, but all in all, App-ID has been very helpful, especially in detecting tunneled applications.

At the end of the day, it's simply an operational thing. Sometimes, you have these notifications sent out about changes in App-IDs, modifications in App-IDs, or even the introduction of entirely new App-IDs to replace. Sometimes, the recommendations are followed, but even then, when the package is installed on the firewall, it gets messed up. I remember a particular one was with Tableau, and suddenly, people weren't able to use Tableau, which is an analytics tool for business. So, it can get messed up, but it doesn't happen often.

I have been using it for about two years.

So far, it has been stable. We get all those notifications around changes. I haven't seen a lot of IT changes that need some kind of manual effort. 

Being on the global license package and being able to spin up a VPN gateway just like that has been a huge benefit. If I have new users in Berlin, I can make life better and just spin up something close to Berlin for them to connect to. If there's an office coming up somewhere in Poland and there are some supply chain issues. If I have a router somewhere there, I can just leverage on that easily without worrying about, "Oh, when am I going to get my stack deployed? How soon can I complete a project so that users are able to start working from that office?" Those are the things that I don't need to bother about anymore because I can easily spin up a complete node close to their location, and I can tunnel between them, do my routing, and they're good. They can talk to whatever resources we need them to talk to remotely and connect to the cloud from there for internally protected cloud workloads. Scalability is obviously a huge factor.

The Cloud App-ID technology is something I am still observing. It takes us back to SaaS security. App-ID is a critical and fundamental part of being able to identify SaaS applications. So far, the applications identified have been true positives. It seems to work so far, but with time, we'll see how it's able to help with identifying SaaS applications better. 

It helped to identify cloud applications that we were unaware that our employees were using. I don't have the metrics, but we do generate reports from time to time just to see what's going on and how we compare with the industry in terms of application usage. Similarly, for risk identification, I don't have metrics. We are just reviewing and sifting through these applications. We don't, or we haven't, put a risk score on them yet. Until that's done, it's almost impossible for me to say if these are bad actors or not. We have visibility now. The SaaS applications that have been used at the moment are not of concern based on the last review we did. As time goes on, we might start considering some as risky or start categorizing the risks in some of these SaaS applications. Currently, it's all open. We mostly have mobile users, and we have another solution for endpoint security and Internet-based applications that go through their home Internet. There are few who do visit the office. Probably less than 10% of the organization goes into the office, so there's no huge concern at the moment because of those very low numbers.

For the parts and the features that I use, which are mostly remote branch and mobile gateway, I would rate it an eight out of ten.

The use case for our clients is that they have branch office locations all over the world. Users can connect over the internet and inspection of their traffic will happen on the Prisma infrastructure. Remote users can also connect to the VPN through Prisma infrastructure, and they can connect their data center with the Prisma infrastructure as well.

It's a cloud solution from Palo Alto Networks. Customers just need to establish an IPSec tunnel from their on-prem device with Palo Alto's closest location, which they have all over the world—100-plus locations.

The benefit of using Prisma Access is that the customer doesn't need to have their own data center. They just need to purchase a Prisma Access license. The customer will save on the labor cost associated with the data center, on the electricity cost, and they will save on the land cost as well. The data center infrastructure is provided by Palo Alto Networks.

Prisma Access is a big change for our customers. Not having to have data centers, and not having to deploy a firewall at each location, makes things simpler.

The solution also enables customers to deliver better applications. It helps them save on costs. It is easy to manage with fewer resources.

It's easy to manage. Our customers do not need to worry about what is happening in the data center. With legacy networks, they have to worry about things like the firewall being down and having to go to the data center to replace it. With Prisma Access, they do not need to worry about that. Palo Alto takes care of it. If something goes down in the infrastructure, the Palo Alto team will take care of it.

Prisma Access protects all app traffic, so that users can gain access to all apps. It is important for our clients that all traffic coming through the firewall is inspected. Prisma inspects all the traffic, and if a customer wants to make an exception for certain traffic, that is also possible.

It also inspects both web-based apps and non web-based apps.

In addition, it's really easy to manage. If customers have Panorama they can use it to manage Prisma Access. There is also a cloud application which provides a single console to manage it. Changes can be made on that console and pushed to the customer's environment, which is another way they make it easy to manage. The customer can opt for Panorama or the cloud management application. The latter is free.

Prisma Access provides traffic analysis, threat prevention, URL filtering, and segmentation, as well as vulnerability protection, DLP, anti-spyware, antivirus, URL filtering, and file blocking. It provides everything. This combination is very important. When a customer wants to block certain URL categories, they can block them. If they want to exclude any entertainment websites from their environment, they can block them. What we implement depends totally on the customer's environment and what they need. We can play with it and modify things.

Another benefit is that if any vulnerability is detected, such as a Zero-day attack, Palo Alto provides an update dynamically. The patch is installed so that the network is not exploited.

The Autonomous Digital Experience Management (ADEM) offered by Palo Alto is a good reporting tool. It gives insights into how things are going within the network. It takes all the data from the users' endpoints and does an analysis, and it suggests changes as well. The ADEM analysis of various tests will give the user feedback such as, "Okay, I'm seeing latency here." We or the customer can then improve on that. If something is blocked that shouldn't be, we can make a change in the policy. It's a good tool to have. It makes the user experience better.

The Cloud Management application has room for improvement. There are a lot of things on the roadmap for that application; things are going to happen soon.

I have been using Palo Alto Networks Prisma Access for around one year, as a consultant. I have deployed the solution for clients all over the world.

The availability of Prisma Access is good. I haven't seen any major issues yet.

It is scalable. We scale the solution based on the customer's requirements, after getting their technical design and discussing how they want to deploy it.

I would rate their customer support at nine out of 10. The one point I have deducted is because it is very hard to get support sometimes. There are times when the customer has to wait a long time in the queue. But once they get an engineer, they get the proper support. The Palo Alto engineers are good. It's just that it's very hard to get the engineer on time, sometimes. I believe this is because the solution has expanded a lot. Users are purchasing it but the support is not keeping pace. They are working on that and the support is going to be increased in the future.

Positive

The deployment is simple.

The time it takes for deployment of Prisma Access depends on how big the environment is. One company may have 120 or 130 branch sites, while another company may have just six or seven. It varies on that number of sites or on the number of data centers they have. If there are only five or six branch office locations, then the deployment can be completed in five or six days.

I'm not involved on the financial side, but I believe the solution is costly.

In the same way a customer manages their on-prem firewalls that are not on Prisma Access, they can manage Prisma Access infrastructure through Panorama. That makes it easy for them. The customer is already familiar with how to manage things with Panorama, so there isn't much that is new. There are little changes but that's it. If a customer is already using Palo Alto, we recommend going with Panorama.

Overall, the security provided by Prisma Access is top-notch. It is the same firewall that Palo Alto provides for a local setup. It's the best firewall, per the industry review ratings.

As a Palo Alto provider, their Platform as a Service (PaaS) for their Prisma Cloud-Native product, is offered as a hosted or Software as a Service (SaaS) version. As a user their product should scan and manage cloud container images to identify vulnerabilities. It's a key feature for identifying CI/CD development issues for remediation. 

The most valuable feature of Prisma Cloud-Native, in my opinion, is that it assists in identifying, analyzing, and remediating vulnerabilities.

Palo Alto does a great job on managing updates to their products. It can be difficult managing all the subscription updates, especially if they are manual. There should be a process in place. 

One area of challenge is for them to stay on top of current CVEs on their platform. Anything in the lines of compliance should be current from potential attacks. They have a URL link where customers can make recommendations to map to specific compliance frameworks or standards. That's great, but instead of having the customer identify those, they should make sure they're using the most recent version. The NIST SP 800-53 Rev. 4, should be mapped to NIST SP 800-53 Rev. 5 current version. Many people are unaware of this change. Should use the most current version, unless you have an exception for legacy systems.

I have been using Palo Alto Prisma Cloud for about a year now.

I'm currently supporting a Prisma Cloud-Native re-configuration project. It's their Software-as-a-Service (SaaS) version in the Cloud to scan for vulnerabilities. 

Prisma Palo Alto Networks is an optimal solution. They use the Amazon platform. They have some extremely talented engineers who keep the product up to date. Version updates could be a challenge as some versions are not automated. They don't always push you to update unless you're maybe using the hosted version. If you are unaware of this, you may have been using an older version for an extended period of time. There will be bugs and issues, and it will not perform optimally. It's important to use the most current version. 

Palo Alot support is great. There are no complaints.

I am familiar with Trend Micro, and WatchGuard solutions. I really like Trend Micro. They are excellent, in my opinion. They are great for anti-malware, as well as scanning your desktops and computers for personal or business use.

Proofpoint is another product that I really like for DLP Endpoint Security. They do an excellent job.

I didn't do the original configuration, but I am doing some of the re-configuration. It is important to understand your organization's infrastructure, cloud containers, and all the various types of administrative access controls. It all comes down to having the knowledge and visibility to configure it with your environment. 

The pricing is reasonable for Palo Alto. They price their products using credit modules. There are various types of modules in each section. I believe there are four different modules. If you want to ensure that you are saving on cost, you should develop a very good DevOps or DevSecOps process with the cloud engineers and development team. Meaning, when the development team is no longer creating apps or working in their CI/CD environment, they must scale down, repave and decommission or it could increase your costs significantly.

We use it for remote access VPN. When our users are working remotely, from home, they can use it to connect to our IT environment.

An important aspect is that Prisma Access provides all its capabilities in a single cloud-delivered platform. It would be very inconvenient for us if we had to go to multiple places. It gives us centralized operations, and centralized configuration and management that enable us to be more efficient. We don't have to reference or go to multiple places or systems to maintain things and operate.

It has also improved our remote access. We deployed it to replace an older remote-access VPN that we had been using. That is where the usefulness of the product is for us. It provides security and allows our remote users to connect to our environments.

Remote access is the most valuable feature, giving remote users secure access to our IT environment. That is the specific feature that we are using it for. Prisma Access provides secure access to the environment, including apps, and some non-apps systems, such as system administration. This ability is very important, almost a mandatory requirement for some of our systems.

It not only protects web-based apps, but non-web-based apps as well. Again, that's important, because for this kind of access, the traffic has to be protected and secure. The fact that it secures not just web-based apps but non-web apps indirectly reduces the risk of a data breach. If all the traffic can be seen it should help keep things from getting into the hands of hackers, helping prevent data from being compromised and preventing access to systems as well. We don't want our systems to be compromised, as they are critical to our services and to our customers.

The solution also provides traffic analysis, threat prevention, URL filtering, and segmentation. That combination is important because it enhances the protection and makes the traffic more secure. It also keeps things more up-to-date, enabling us to deal with more of the current threats.

In addition, Prisma Access provides security updates for threat prevention. Those updates are important in general, of course, for security reasons. The more up-to-date you are, the better you are protected.

It's not very easy to use. Sometimes it's buggy and there are problems when doing updates. The user interface is okay, but some configuration items are difficult. I would like it to be less buggy and easier to configure, to better streamline the user experience.

I have been using Prisma Access by Palo Alto Networks for a little more than one and half years.

The stability is pretty good. There are certain portions that are not very stable, but the core is pretty good.

I think the scalability is pretty good too, although we are a small company so I don't know how big we can scale, but for us, it's pretty good.

We have about a dozen users on it and most of them are technical staff, such as engineers and software engineers. Outside of the IT personnel, even finance people use it because they need access to the systems and applications. We are using it for one part of our environment, but we plan to expand it from 1,000 users to about 5,000 users.

The technical support is pretty good, as is the post-sales support. They are both very good and very attentive. Although the software is buggy, and sometimes it's hard to fix, they do provide the appropriate support levels to help us through.

Positive

We have used Cisco VPN, and I have used Juniper and Meraki. We switched because we are standardized on Palo Alto firewalls, so we wanted to use the same vendor for more interoperability.

The initial setup of the solution was complex. The configuration is not easy to understand and requires a lot of expertise from the Palo Alto side. The terms that they use in the product require quite a bit of explanation and clarification.

We used a phased approach. The first deployment we did, as a milestone, took us at least six months. For the deployment, we needed at least two to three engineers: someone from security, someone from networking, and someone from the end-user side. All parties had to be involved.

We used a contractor to help us.

The return on investment is that it allows our remote users to access our environment.

The licensing model for this product is complicated and changes all the time, making it very hard for the user to comprehend the configuration.

My advice would be to directly test it before you purchase it to see if the user experience and the complexity of the networking component are things you are able to handle.

The biggest lesson we learned from using the solution is not specific to the solution: We needed to do more proper planning in the beginning. Because the process is complicated, without good planning, it becomes more difficult during the process. The configuration involves many templates. Without planning ahead, they are created in a messy and disorganized way, and that causes further problems when we need to grow and do more setups. Now, we have to go back and correct those messy configurations, and that is something we are still doing.

Overall, the security provided by Prisma Access is very good. It provides the authentication, protection, and encryption that we are looking for for our remote users.