Prisma Access by Palo Alto Networks Reviews

We're migrating customers from existing Cisco AnyConnect VPN to Prisma Access GlobalProtect VPN.

GlobalProtect VPN is a brand new concept compared to Cisco AnyConnect VPN. The huge difference is that if a user is working from home and needs access to Office 365, the way traffic is usually sent will potentially increase the delay. Some companies open split tunneling for users and they are able to send a request to Office 365 directly, but there is a loss of control from the network and security perspectives.

Since we started using GlobalProtect VPN, all the traffic is monitored, even for a user who needs access to Office 365. The traffic from the user's PC will connect to the closed and available VPN boxes, depending on the location. The traffic from that box will head to Office 365, meaning it will meet the performance and as well as security requirements. So that's one, the huge difference.

The other difference, in my experience with Cisco VPN, is that we normally control traffic based on source address, destination address, and destination port. But with Prisma Access, and using a lot of features from Palo Alto firewalls, we control the source, in particular, with the user ID or an Active Directory Group, instead of an IP address. The benefit for the user of using the user ID or Active Directory Group is in the following scenario. Suppose a user is usually in the United States but goes on a business trip to the UK. With a regular VPN, the user in the U.S. has a subnet. But when they travel to the UK, the IP just will be changed and there will be a totally different subnet. The access they had in the States may be lost when connecting from the UK. But using the user ID or Active Directory Group, the ID is always there no matter whether they are in the States, the UK, or anywhere else. That makes it more flexible for a user who is working remotely, traveling, or roaming.

In addition, performance-wise, a lot of applications have improved because the cloud-based VPN, based on the geographical location, provides a more optimized path and potentially reduces the latency. That provides better performance, but it depends on the applications.

Being able to use the user ID or Active Directory Group is one of the great features for control and providing more flexibility without worrying about IP addresses. 

Prisma Access has a lot of other features. Instead of VPN, its gateway is able to decrypt traffic and, potentially, inspect it. This feature is more likely to be used by companies using Websense or a proxy server. Prisma Access or Prisma VPN has merged VPN, firewall, and some of the Websense-type and proxy functions. This means that four or five components have become one now.

The solution also protects all app traffic, meaning that users can access all apps. All traffic is sent through the Prisma devices. Even a user who reaches Office 365 with a load closed location is still controlled by the VPN boxes, and from the security and network perspectives, we can still see all of the traffic, meaning everything is under control.

In addition, there is something called Pre-logon with Prisma VPN, which means before you log in to the PC with the user ID, domain, and password, the PC automatically connects to the Prisma VPN. That means you already have some basic access, like to Office 365. In case the VPN box is having issues, the user still has access to Outlook, Teams, Word documents, et cetera. The Pre-logon features make things really convenient.

Another nice feature for users is that Prisma VPN saves the user session for seven days instead of, with Cisco VPN, only one day. As a result, the user doesn't need to connect to the VPN every day. After a week, once it expires, they will need to log in with the username and password, but it still keeps the security intact.

There is also the ability to do a HIP (Host Information Profile) check. We can check things like whether a device's operating systems are properly patched, that the antivirus software meets security requirements, and that the hard drive is encrypted. The latter is important because if the laptop is lost, the data can be stolen. A HIP check enables us to make sure the endpoint maintains the security requirements. That helps make things more secure.

And as a cloud-based solution, there are a lot of redundancies. I'm in Canada and have a gateway in Canada. In case the getaway or VPN box in Canada dies, they will automatically reroute me to New York or any other location that is available. In addition, if the cloud-based solution has an issue, we still have the on-prem firewall or VPN in place in our data centers, which means everything falls back to something that is just like Cisco VPN, but it is Palo Alto. But that is only happening in DR situations. The fact that Prisma Access is cloud-based also makes it easier to connect from our environment to cloud-computing environments.

I can't think of many things that need real improvement. But one thing that comes to mind is that when we deploy firewall rules via Panorama, we find it's a little bit slow. We have a global environment and might have 100 gateways or VPNs in the cloud. When we deploy something, it tries to deploy it one-by-one, and that can be slow. For example, one time we pushed a firewall change and the changes took about 10 minutes to finish up. If they could optimize the whole process to speed up that kind of deployment, that would be especially helpful.

I have been using Prisma Access by Palo Alto Networks for close to two years, including the testing and eventually working on it in the production environment.

As of now, we have deployed it for 25 percent of our employees globally and, so far, it has been stable. We haven't seen a situation where it is working one day and totally stops working the next. 

There are still some bugs and sometimes we encounter issues and we have to open a case with Palo Alto to ask them to fix things. Because this is a new solution in the market, having been introduced two or three years ago, the overall stability is good, but they can still enhance that aspect even more.

The scalability is pretty good. Since we bought it, we have added more and more users and had no issues. And because it's cloud-based, they can add VPN boxes in the cloud and, for us, that process is transparent, which is pretty good.

All in all, tech support has satisfied us. We are a big customer, and they have two tech engineers working with us when we deploy and when we do a migration. We always have them with us, especially via conference calls.

The support is timely, but there is still some room for improvement because, when we open cases with them, some agents are not as timely about fixing problems as others.

But overall, we are satisfied with their services.

The initial setup was not too complicated, but it still took a little time to get familiar with it. The good thing is that Prisma VPN uses our existing Panorama centralized management tool, which we use to manage Palo Alto firewalls and VPNs. Because the centralized management tool is very familiar to us, it helped us in using the new solution. But, of course, since it is a cloud-based VPN, it did take a little bit of time to get used to, but after we got used to it, it became straightforward.

It is pretty expensive. We have to balance the cost of some features. They need to work on some of the services and products, price-wise.

The importance of the combination of the solution's traffic analysis, threat prevention, URL filtering, and segmentation depends on the business. Some business lines are very critical so we might potentially apply more features to them, but everything has pros and cons. Applying more features potentially slows down the performance, so we have to balance between security and performance. But so far, in most situations, we don't have any concerns because we already apply the HIP check to make sure the laptop side meets all kinds of security requirements, based on our internal policies. Also, we are able to see all the traffic logs. Even though it's a huge amount of data, and we're not currently doing so, we're potentially able to investigate or analyze things. 

It is a good solution and a new direction for many companies, especially big companies with global offices. Overall, the security that Prisma Access provides definitely meets our security requirements. Otherwise, we wouldn't be using this solution. The majority of companies, including a bank or any other financial company, should be happy with this solution.

In this pandemic, users want to work remotely and that means we need centralized control of remote users, our branch offices, and the head office. Prisma Access collects everything together and provides us with centralized management, enabling us to manage all our locations and users globally.

It manages on-premises networks, but it has its own infra in the cloud.

The ability to manage networks reduces costs for our organization. Suppose I have four offices and all four have a firewall device. All of those firewalls will have separate licenses, and each office will have a separate internet connection. The Prisma Access solution means we only need one router at each office and all the internet connectivity will go through the solution. That definitely cuts our internet costs.

It is also very important that Prisma Access provides all its capabilities in a single, cloud-delivered platform. For mobile users, without Prisma Access, I would have to control their traffic through on-premises networks and give them on-premises internet. Suppose that one of those users does not connect through the on-premises VPN. That user would then have access to and control of whatever he wants. The system might be compromised through unauthorized access. That's why, from a security perspective, it is very important to control this type of situation. We could control the system without Prisma Access, but that would require additional solutions. We would have to add another security client to the user's system. With Prisma Access, instead of having two solutions, we have one solution.

Prisma Access gives us security from a single point. It controls mobile users and determines how secure their networks will be, including from where they will get internet access. We can optimize things and add security profiles centrally.

Another valuable feature for mobile users is the GP VPN access. It provides security and a firewall as a service, including threat and vulnerability protection. From a security perspective, it is very good.

I haven't seen any SD-WAN configuration capability. If Prisma Access would support SD-WAN, that would help. There are some trending technologies in networking with SD-WAN. SD-WAN is nothing more than optimizing your WAN. SD-WAN devices should be able to reach Prisma Access, and Palo Alto should support different, vendor-specific devices, not just Palo Alto devices, for SD-WAN configuration.

Also, Palo Alto only provides corporate licenses. If they would give a license to a non-corporate email ID, for testing and a pre-trial, that would be really great for users to practice with it. Everybody could explore it. Or, for people who are not working in a corporate environment and who want to explore this kind of setup, it would enable that type of test access on a personal email account.

I have been working in networking and security for eight-plus years. I work on various infra including routers, switches, firewalls, and different cloud services. I work on various vendors' solutions, such as Fortinet, SonicWall, Sophos, and for the last four years, on Palo Alto.

Prisma Access is a subset of Palo Alto Networks and is a product they recently introduced. We just recently heard that our organization was planning to use the Prisma Access solution.

I cannot evaluate the stability based on my limited experience, but I recently called a colleague in a different organization who has been running Prisma Access, and he said it is going well and that he has seen good stability.

We have more than 10,000 users and 40 Palo Alto firewalls, located in different regions. They were involved in the PoC. In the future, we are planning on having Prisma in production.

Palo Alto support is very responsive. They respond immediately and they are very kind and very knowledgeable. They work on cases by priority. In general, when we call them, we are able to talk with them without much delay and they provide solutions that have met our expectations. 

I would rate their support at eight out of 10. I deducted two points because sometimes they do have a very busy schedule and every engineer is busy. Once we reach them, everything works fine.

Positive

This is a new implementation for SASE in our organization.

The license activation process is very straightforward. When we purchased Prisma Access, they provided a link and, from there, we had to add the serial number of our existing Panorama. After that, everything happened automatically. Once that management setup was done, we were easily able to add a rule and do other configurations.

Our deployment did not take a long time. However, our infra is very big. While the initial setup was done in four to five hours, finishing everything took us one week.

If you are planning on using the SASE model for your organization, I would recommend Palo Alto Prisma Access. It works well, based on my experience.

I have come across many firewalls and I have hands-on experience with various devices, but Palo Alto is the best for everything. It is the best device for infra security. It not only has security, but it works well when it comes to routing and switching.

Overall I would rate Prisma Access at 8 out of 10. It gives us centralized management and reliability, scalability, and ease of configuration.

One of our use cases is that it is used by our internal users, our employees, when they need to work remotely. They'll be out in the field and, wherever they have an internet connection, they run the GlobalProtect client, connect, and they can access our resources as if they're in our building. For example, we have health inspectors who go to different sites.

Of course, we're doing more teleworking like everyone right now. Also, our admins all use it because that's how we get in and do remote work. And, periodically, we have contractors or vendors who need remote access. We'll build an account in AD and either have them download the client and connect to us, or if they currently use the GlobalProtect client for some other VPN connection, we can just provide our gateway and they can use their existing client to connect to the resources that we allow them.

We also have a clientless VPN by Palo Alto. It's a website where you can enter your AD credentials, and it will publish internal web apps that you can access through a browser. We have some users, and a set of contractors, who use that to access some of our internal systems for COVID response.

It's a cloud-based VPN, but it's managed from our Panorama instance, which is on-site. There's the GlobalProtect client that gets installed, that's the VPN client on your laptop, and that automatically updates from the cloud when a new version is available.

Prisma Access is our first cloud-based VPN solution. I like that aspect because I don't have all the traffic hitting my firewall interface directly. Users go to the cloud, wherever they are, and connect to some kind of cloud. It will grab their config, and our firewall doesn't see any extra traffic from that. That's awesome.

Because we are in the health sector, the clientless, web-based VPN that we're using has allowed us to partner with some external companies to do contact tracing for COVID. That means that if someone is positive for COVID, those companies track back to the people they have been in contact with and try to find the source. The fact that the only way a couple of hundred of our employees can access our records at any time is through the web-based VPN has really improved our ability to respond to the pandemic.

I like it because it's very easy to use. You install the client and you have to know your gateway, but that's something we give to our users. Beyond that, it takes about three seconds to train them on how to use it. And it just works well. That's great for us because it means less administrative time.

It's also nice that Prisma Access provides all its capabilities in a single, cloud-delivered platform. 

The thick client secures non-web apps in addition to web-based apps. If you have the client installed on your laptop, it's a completely secure VPN connection and anything you run will be secured by it. The clientless VPN, the web-based one, only allows you to redirect to URLs; it's only web. Being able to access non-web apps is important to us because it's how we get our remote work done. Not everything is web-based. We have to run applications and access Windows shares and the like. 

This ability helps decrease the risk of data breach. Information security is more and more a huge concern for everyone. Knowing that everything's going across an encrypted tunnel, and that we can manage what is accessed by which user, are huge benefits.

Another important aspect is that Prisma Access provides millions of security updates per day, because security has really become our number-one focus lately. That feature is very good.

I've been using Prisma Access by Palo Alto Networks for about two years, maybe a little longer.

It has been very stable. We've had a couple of small outages, but overall it's very trustworthy and stable.

It's cloud-based, so it's infinitely scalable. For us, it has worked fine. We went from a few users at first and we built up to hundreds.

It's our clientless VPN that really builds up our user count. It is consistently between 300 and 400 users. It rises and falls depending on what kind of campaign we're doing. If a new COVID variant is discovered and we have to ramp things up because of CDC guidance, the user count will bump up.

The one thing that I've been a little bit disappointed with is when we have had to open cases with Palo Alto about Prisma Access issues. Versus their other platforms, like their firewalls, where we tend to get really quick responses and very definitive answers, the few tickets I've had to open for Prisma Access have taken them longer to respond to. And they haven't necessarily given me the kind of answer I was looking for, meaning a fix to the problem. Maybe this technology is not as cut and dry as some of their other technologies. But I think they could improve their support offering for Prisma a little bit and put more expertise in place.

Overall, I'm very happy with Palo Alto's support. I'm not saying that their Prisma support is awful. It just hasn't been quite up to par with other support I've seen from them, which has been pretty phenomenal.

Positive

For VPN, we used Cisco AnyConnect. The switch to Prisma Cloud was part of a platform switch from Cisco ASA to Palo Alto firewalls.

We also have other solutions, such as a virtual desktop solution that is available externally. Some of our users use that and others use the VPN.

The setup was medium complex. Because of the way we're doing it through our Panorama, it's a little more complex than it would be on the cloud-only solution. There is definitely some  complexity to it.

I wasn't involved in the initial deployment of it, but our organization worked with a vendor called CompuNet, a company with Palo Alto expertise. I would guess it took one to two days to get through everything and test it. 

The evaluation happened before my time here, but we had people who had worked with Palo Alto previously. They knew its reputation and were happy with it. I think the switch happened directly.

It functions like a lot of other VPN solutions. It's not special in that sense. It just works.

I have spoken with another agency that was looking at Prisma Access. The one thing they weren't aware of was the clientless, web-based VPN that is part of the product. They were pretty excited when I explained to them how we use it. So make sure you review the full feature set that Prisma Access offers. It may be broader than you expected.

We are using it as a hybrid solution where we manage it through our onsite firewall. There is a Prisma Access full-cloud solution where you do all the management there. If we were to start over again today, I would probably go full-cloud. That would ease the management a little bit. People who are using the cloud-only solution probably have fewer hoops to jump through to get certain things accomplished. But we've been fine.

The biggest issue I've run into is that most of the documentation for Prisma Access is based on the full-cloud model, as opposed to our hybrid implementation. It's a little trickier to find out how to implement some of those changes through Panorama. There are also some connectors you have to set up to make sure that your Panorama is talking to the cloud the way it should. Those wouldn't be necessary in the cloud version, and that means it's probably a little easier to sync your AD, set up your users in the cloud, and you're done. Everything is already on the cloud.

Overall, I'm very happy with the security provided by Prisma Access. Palo Alto is a security company and is always working on ways to make things more secure. I feel very confident that our data is safe using the solution, which is the whole point.

My customers are military and federal government agencies. They're really interested in Secure Access Service Edge technology for their endpoints. Palo Alto Prisma is one of the solutions we use to make the SASE solution work for endpoints. For our customers, we normally do SD-WAN, Zero Trust, SWG, and SWaaS. Nobody has really asked for ADEM yet.

Prisma Access lets us compete in the cloud space.

Prisma isn't hard for the average system admin to use, and our customers are interested in Prisma's SD-WAN and Zero Trust capabilities. Government customers are particularly interested in the CASB capability. Prisma protects all app traffic, so our customers can access all of our apps, which is essential. That's one of the main reasons my business and customers use this technology, especially in the COVID-19 environment.

My military customers have users who need secure access to their information from all over the world. If they're using Microsoft Office products or some other app that isn't web-based, they can still access them through the web whether they're using their corporate devices or working on their personal devices using corporate information. Prisma will still protect that from phishing or other attacks.

Having all of these capabilities on a single cloud-delivered platform was extremely important to us. We also liked how well Prisma integrates with other solutions. Other solutions offer the same functionalities Prisma does when it comes to Zero Trust, CASB, and SD-WAN within the Microsoft Cloud. Prisma helps us protect our customers when a user isn't going to the Microsoft Cloud. 

Prisma also helps with traffic analysis, and that is controlled through the Manager. We can see what websites individuals within organizations are going to. For example, we can do cybersecurity analysis, such as phishing and so forth, to determine the cybersecurity risk of a particular site. While Prisma is doing that, we're also sending those Prisma files to our security operations, and they're also doing the analysis. In addition to threat detection, we're doing threat prevention. URL filtering fits into that category because we can determine what website an individual was able to access.

Prisma does segmentation either through the management of user groups or according to network access. Prisma provides millions of security updates per day, which is crucial for my government customers and business partners. It helps us keep up with security violations or phishing attacks by bad state actors. These threats are dynamic.

Prisma should implement industry updates in near real-time. Also, Prisma's integration between operational technology and IT should be more seamless. Right now, it requires additional setup and maintenance.

We've been using Prisma Access for about a year.

Prisma is stable. It works as advertised.

Prisma is highly scalable and global.

I rate Palo Alto's tech support 10 out of 10. It's outstanding. But I'd like to highlight the difference between technical support and government technical support because it's two different beasts. I'm talking about Palo Alto's government technical support. They have a separate set of personnel inside the organization that handles government customers.

Positive

Setting up Prisma is pretty straightforward. It takes around an hour to get it up and running. The amount of time needed to fully deploy Prisma depends on the size of the enterprise and the number of units, groups, endpoints, etc. Pre-deployment preparation also varies according to the size of the enterprise. It takes about a couple of days for a medium-size organization. You have to set up the architecture, determine who the users are, set up the IP schema, establish your Zero Trust scheme, set up network access, and send your log files over to the site. All of that takes about three days. Two network engineers can handle setup and deployment. After that, Prisma can be maintained by normal networking staff and at least one engineer.

Integrators from our partners at Tech Data help us deploy. We also get help integrating from my engineers over at TOSIBOX, our proprietary VPN solution.

We're now able to go after contracts that require a Zero Trust solution and Prisma's other technology solutions. 

We looked at other competitors, including Aruba, HP, Cisco, and Microsoft Enterprise solutions. 

I rate Prisma Access nine out of 10. It has been constantly changing since it was released. Palo Alto is the leader in all these technologies on the Gartner Magic Quadrant. 

I would advise anyone considering Prisma to look at their endpoint protection and evaluate how it fits in the overall enterprise solution, including integration with operational technology.

We are a small team of ITOps Engineers. With Prisma, we can manage all our Edge Network Infrastructure (Mobile Users, Remote Networks, and Data Centers) in one location.

We also decommissioned our  legacy MPLS connections and moved to VPN. If we need to expand to more offices, different countries, and different regions, it would be much simpler to do it with Prisma Access because the only things required are an internet connection and a pair of firewalls. 

On our IT team, we now have a single interface (using Palo Alto Panorama) where we can monitor our whole infrastructure. The office and Data Center Firewalls, as well as, the Remote User VPN, forward all the traffic to the Prisma Access Infrastructure. There we can apply deep packet inspection and allow or deny traffic, and also apply additional security features like threat prevention, DNS security, malware and anti-virus protection etc.

For remote users, the VPN connection is more secure and much faster than the legacy solutions. Some of our users are located in different European countries. Now they can pick their closest location and connect to a VPN "concentrator" near their region. Whereas before, they needed to connect with one of our data centers in the UK. 

Since everything is connected to Prisma, now we are able to be more proactive, detect end-user or site connectivity issues much faster. Before we were running multiple applications (NMS, Syslog, Netflow) that required a lot of engineering overhead to manage those, but also to extract the information needed. Now a lot of those tasks can be picked by the Service Desk team. 

In addition, similarly to any other Cloud "Platform" the administrative tasks have been dramatically decreased. The upgrade process is very simple compared with any on-premise solution.

I don't think we have actually fully utilised all the functions of Prisma yet. The main concept of Prisma Access is what really help us to transition our infrastructure from a legacy and complex approach to a more simple and easy to manage and maintain one.

Prisma Access has three major components / connections: 

- Remote connections: The links to the Remote Offices 

- Mobile Users 

- Service Connections : The links to the Data Centers. 

You connect everything by establishing VPN tunnels with the Prisma Access Infrastructure. Prisma is now the “brain” of the infrastructure. All edge devices send all traffic to Prisma and Prisma has the knowledge to route the traffic to the correct destination. In addition you can also apply all the additional security features a NGFW can offer. 

Since this is a cloud platform you can easily scale up adding more mobile users or new remote offices. Prisma will simple auto-run (if needed) additional instances in the cloud to support your load 

Also,  because everything's on the cloud, we don't have to worry about patching; we get all the new features as they come in. One of the biggest problems for us used to be to upgrade our VPN application. Now, it can be done with a click of a button. The administrative overhead has been reduced, and we are able to focus on things that actually matter.

The only drawback at the moment is that a “Cloud” solution like Prisma Access requires Palo Alto Panorama, which is normally a VM that sits in your DataCenter. Panorama is used for monitoring and mainly for configuring the different components of Prisma Access.

For the configuration part, Palo Alto has recently introduced an equivalent cloud application, but not all features are available yet. Also at this moment if you enable Prisma Access with Panorama you cannot migrate to the Cloud version.

I've been working with the Palo Alto team since the beginning of the year (2021), when we started the initial setup. It took us around 2 months (multiple weekly sessions) to complete the setup. And the last 2 months we are fully utilising the Prisma components (Remote Networks, Service Connections and Mobile Users)

We have utilised Prisma Access for the late couple of months. Now we are in the process of migrating all our Remote users from the on premise Firewalls to the Prisma Access VPN as a Service solution. 

Over this period we haven't faced any connectivity issues. Prisma Access underlying infrastructure is high available and scalable. 

As any major Cloud Vendors line Google or AWS we may face outages in the future, but we havent experience any problems yet. 

As with any infrastructure where the managent plane is in the cloud, we can know schedule an upgrade and the Prisma will take care the rest. No more complicated upgrade processes that could lead to outages and downtimes. 

A few days ago the Prisma Access dataplane was upgraded. We had zero downtime and the auto-procwss went smoothly (as expected).

As for scalability, you can easily bring more users to the platform; you would just need to buy additional licenses.

There is no need for purchasing new and more powerful hardware. Palo Alto will scale your platform up to support your infrastructure.

Simple integration with LDAP, SAML can help us to provision 100s of users quickly and onboard more users are the company is getting out of the pandemic freeze period.

I think Palo Alto has great technical support in terms of the time of response and the efficiency of response.

Over the past few months we raised multiple tickets (P2-P4). On all of them the responses were quick within the SLA timelines. All the support Engineers had deep knowledge of the product, and always went above and beyond not only by fixing our issues, but also by trying to explain us why was misconfigured or what actually went wrong. Everyone had great communication skills, they were patient and listening our needs and requirements.

We used local Cisco ASA Firewalls that were located in our two UK offices.Normally we had around 10-15 % of our users working remotely. During the pandemic we had to setup around 500 users to connect to the VPN. Unfortunately our ASAs had limited capabilities (250 max users for the 5515-X and 100 for the 5508-X). Our temporary solution was to use the AWS VPN solution for the remaining users. 

At that point we realised that we need a flexible and scalable solution. In addition the company has embraced the cloud first approach a few years back by moving all our servers to the cloud, so utilising a VPN as a Service (offered by Prisma Access) was an expected next  step. 

In my team there are Cisco certified engineers and we have been using Cisco products for many years, but for my opinion when it comes to security and NGFWs, but they haven't reached the level of Prisma Access by Palo Alto Networks. I believe Palo Alto is the key player in the market. 

We had a mixture of different applications and vendors, and we wanted to merge everything under Prisma Access. The terminology is a bit different between Palo Alto and Cisco ASA, and between their local firewalls and the Prisma Access firewalls. It took us about a month to wrap our heads around it and understand how things worked. Once we did that, it was easy to implement. We have gradually migrated all our services. We did our MPLS and the connection to AWS, and now, we're slowly migrating the users. No one has noticed, so it has been seamless.

We don't have a big infrastructure and did the migration piece by piece, and it was really easy and seamless.

To set up the infrastructure with the team, it took us less than a week. The gradual migration took us three weeks, but the basic setup takes less than a week.

We used the Palo Alto professional services, which mainly help us though multiple Zoom sessions to understand all the Prisma components and also to configure the core Prisma setup. The fine tuning was done by the in-house team. 

We had a great experience. All the Palo Alto consultants had a great knowledge of the product and they were very helpful, making it very simple for us to understand this new Platform. They were never leaving any questions unanswered and they were always providing accurate documentation and references for my team to get the required knowledge and to understand / follow up during the Setup.

I think the ROI has been good. We no longer need people to maintain the whole infrastructure, and we do not need to spend money on different services that we no longer use like MPLS or other kinds of support.

Also, the fact that we can quickly scale up without worrying about buying additional licensing is great for us.

The price has been good for the ROI during these difficult times for the cruise industry. With Prisma, you need three types of licenses

- Palo Alto support

- Number of Remote Users that are connected to VPN (concurrent connections)

- Total Bandwidth between Remote Sites offices and Prisma. If you have three or fewer DCs then you don't have to purchase additional connections or bandwidth.

There are no hidden costs; what the product offers is what you get.

We didn't run any PoC with other vendors. Before we were introduced to Prisma Access we were thinking of moving also our Firewalls to Meraki (as we will do with our switches). I believe no other vendor can offer what Palo Alto with Prisma provides, at least at this moment.

In my experience, Prisma Access is a great platform. However, since SASE is a new fairly new concept, it was a bit confusing to understand all the  different components and how all of them work together. On top of that if you are not very familiar with Palo Alto firewalls and especially Palo Alto Panorama, additional training would be recommended. Of course the same concepts of a NGFW from any other vendor are applied. 

 Once you grasp how Prisma Access works, then it's really a piece of cake to set everything up.

For example, we are a small team of three people, and I'm the senior network engineer. My VPN knowledge was not good because we've mainly had MPLS. Still, it was very easy to set everything up.

You setup everything through the web GUI (Palo Alto Panorama). You don't need to know a lot about CLI. With Cisco devices, you have to be an expert in CLI to set up a few things.

On a scale from one to ten, I would rate Prisma Access by Palo Alto Networks at ten because it's an innovative product. They “invented” the whole concept (SASE), and they're way ahead of other competitors.

One of the main advantages we have found of Prisma Access is that it has gateways across multiple continents. Due to that, many users can connect from different parts of the world will be able to access everything very fast. Also, internet access through VPN has become much simpler in getting the traffic to our on-prem data center.

The main example is my particular client that has employees working from different parts of the world - Malaysia, Singapore, India, Europe, and even the Middle East. The use of multiple continental gateways has helped us a lot. The users who are working in different parts of India can connect to different gateways. There are four gateways, including in India itself, the Middle East, and Europe as well.

The WildFire Analysis is one of the good features we observed. Due to the fact that the traffic from the user to the internet is not passing under our on-prem, there is generally less control over it. With the help of WildFire Analysis, we are able to make sure the users are not downloading or accessing any malicious sites or any malware or anything.

The use of Microsoft Teams from a VPN used to give some issues earlier, however, with the Prisma Cloud, that has improved quite a lot. Even if you're tunneling the traffic of MS Teams through this Prisma terminal, there has been no issues yet. The VPN access it allows for is great.

The stability of the solution is very good.

The scalability of the solution is excellent.

Our security team had a concern that they are not able to filter out a few things. There is some particular traffic that the security team wants to filter out and apply their own policies and they cannot. Earlier, we used our on-prem solution for that, however, when it is in the cloud, the problem is that it has to be done manually. When we do changes on the on-prem, it will not automatically sync to the cloud. Therefore, manually, the admin has to do changes on the on-prem for spam filtering and at the same time on the cloud as well.

We actually faced some a problem with using the failure of authentication. Our primary authentication happens through a RADIUS server, to a non-IP solution, so that there is a double-factor authentication. In that double-factor authentication, we are using three different RADIUS servers. Apart from that our requirement was that if all our RADIUS servers failed, we wanted the authentication of users to fall back to LDAR.

The problem we faced is that each RADIUS server was consuming 40 seconds each for the timeout, and then only will it go to LDAR. However, the total timeout of the global product timeout, we are not able to adjust. If you take an on-prem Palo Alto device, you can adjust or increase the Global Protect time out value from 30 seconds to up to 125 seconds or 150 seconds. Later, we were able to resolve this by reducing the timeout value for each RADIUS server.

Technical support could be a lot better.

We have deployed the Prisma solution and environment almost six months ago and we have been using it for the last six months.

The solution is very stable. It doesn't have bugs and glitches. It doesn't crash or freeze.

So far, we haven't observed any such issues. We have been closely monitoring for the last six months but there have been no issues with latency or anything. The only thing we are worried about is that what if something goes from the cloud if the cloud set up as an issue. So far, we haven't encountered such an issue yet, however, the client is always worried about that point as all these things are happening externally to our own firm. That said, so far it hasn't given any trouble.

Scalability-wise it's a very good solution as we will be able to increase the number of users or decrease the number of users or even the bandwidth. Scalability-wise it's a perfect solution.

This solution is used by little over 8,000 users in our intranet and the user roles span from high-level management up to the contacts and their employees who are supporting the calls and the suppliers for the telecom. It is being used by a lot of different variety of users, management, IT, admin, business users, call center users, everyone.

When we decode, we decode it for 10,000 users. So far, we haven't increased it yet. In the future, if our number of user accounts increases or if the Work from Home situation due to COVID continues, then maybe our client will think about increasing it.

Technical support for this solution is via one of our third-party vendors. One problem is that the third-party vendor is not able to resolve all the issues. They will have to go to Palo Alto technical support via their exclusive support. One problem is ASP. Palo Alto is taking a lot of time for coming online and supporting that could be for a minor issue or a major issue. The time taken by Palo Alto Support to get online and support us has been a pain area. We're not really that satisfied.

Before Prisma, we were using the Palo Alto on-prem solution, Global Protect Solution. We had Palo Alto firewalls in our on-prem which we were using for VPN and before that, we used a few VPN solutions.

The initial setup was a mix of difficult and straightforward. We did the deployment in phases for users across different continents. By the time we finished the deployment, which took nearly six months, it was in our case a stable solution and simple to use as well. However, it took a while as we were working on different continents and moving from one to the other in a particular order.

The team was a combination. The team was a combination of one of the vendors in Malaysia and my team, who's from a client end. So there was a total of seven members in the team.

Our implementation strategy was as follows: we already had one Palo Alto Global Protect Retail Solution, so it was not big trouble for us to migrate it to a cloud. We started implementing, planning the redundancy for such two different sites. We established the IP set terminals with our two different sites, which will terminate from the cloud to Palo Alto VPN Box on our on-prem. Then, we gradually migrated the users from on-prem to the cloud.

In terms of maintenance, first of all, we have to keep on monitoring it. If there is something wrong with the cloud, we will have to get the alert and act accordingly. Maintenance-wise so far we have increased the bandwidth for internet links. At that time we had set up redundancy and there was no trouble with that. Apart from that, so far, no other maintenance has been done.

We had a vendor assist us a bit during the implementation.

I can't speak to the licensing costs. We had a two-year license, which we are still on.

We're just customers and end-users.

We are using a SaaS version of the solution.

I will definitely recommend implementing this product as it has a very good scalable solution. Considering this work from home scenario in COVID, it is one of the best solutions one can implement. However, my advice would be to make sure you have enough internet bandwidth while implementing and also make sure there is site-level redundancy at your end. If you are a client then you won't implement it. Make sure there are two separate IP set terminals published from the client to your end. That way, if something goes wrong, your internet goes down or something, the VPN will be accessible.

One good lesson I have learned is that earlier in my thought process related to VPN was very narrow. I never thought that you can put it across multiple continental gateways and allow users to access it so fast. 

I'd rate the solution nine out of ten.

We primarily use the solution for mobile users and mainly mobile laptops. In some cases, we use the solution for cloud tenant portals in Azure. We use it to connect those back into the network.

Overall, it's a great solution that works quite well.

The solution's most valuable feature is the posture checking. 

It's great that we can make sure a machine meets the minimum requirements before users are allowed to log in.

The solution needs to be more compatible with other solutions. This is specifically a problem for us when it comes to healthcare applications. They have proprietary connection types and things of that nature that make compatibility a challenge sometimes.

The scaling can be a bit tricky, depending on the setup.

I've probably been using the solution for four years at this point.

The stability is quite good. We haven't had any issues in that sense. It's reliable. There aren't bugs or glitches. It doesn't fail.

The solution is scalable. However, it's more of kind-of piecemeal scalability. I didn't actually deploy it. I just know a lot about it. It depends on how your network is set up. If you have a single egress, it's easy. If you have 70 egresses, it can be very, very difficult. 

You may have those many email egresses because you're geologically spread out and you need people to connect with certain portals based on where they are. Of course, we want users to connect to their closest portal. There's complexity there and the cloud doesn't really solve it because the cloud still has to do load balancing and hand it off to the concentrator.

On average, we have about 8,000 users between IT, finance, HR, and, of course, house and home users. 

I can't speak to the acceptability of technical support. I've never had to contact them.

We were using AnyConnect. It was limited in terms of egresses, so we decided to switch.

For us, the initial setup was not straightforward. It was very complex due to the fact that we're a very large company. That said, I don't mind the complexity.

The deployment was easy. It was just a matter of handling the configuration for different regions and hospitals. We had to figure out what egress they come in on or what device they come in on and things like that and that decide upon what's the most efficient means for them to connect back into the network.

I don't deal with licensing in the company. I'm not sure what the pricing is.

My understanding is that it's a bit more expensive only because it's part of the framework of the Palo Alto solution. It's more sensitive than if we just went and got some free VPN or some ad hoc solution, and so it's a bit more costly.

We're just a customer. We don't have a business relationship with the company.

I'd advise others that the solution is largely based on the complexity of your environment. It's not that deployment's difficult. It's just that you want to put it where it's most efficient. You've got to take the time to figure out where your users are and how they connect and where they're connecting from.

Overall, I'd rate the solution eight out of ten.

It can be used for remote access to web applications and to grant secure access to users.

I've mainly used their solutions for VPN connections from mobile devices. 

It's quite reliable and performs well for users.

It wasn't so satisfying to work with it. There is room for improvement in the policy management. It is difficult to cover the entire scenery through Palo Alto products. 

In future releases, more focus on integrations would be beneficial, along with improvements in policy management.

I am familiar with this product. 

It seemed quite a stable product. 

We have a couple of customers using this solution. 

The initial setup was relatively easy, but there were complexities due to the policies we had to generate. 

I was more of a user than an administrator. However, the deployment process seemed quick.

Primarily setting up the software. The team involved in the setup handled the rest.

One person is enough for the deployment. 

From the management side, I'm sure there are several people involved. From an end-user perspective, it's very simple. It likely doesn't need more than one person to manage it.

Overall, I would rate the solution a seven out of ten.

We use the solution for VPN connection for remote work.

The most important feature of the solution is that it works transparently, and you don't need to enter a new password after restarting the PC. Prisma Access by Palo Alto Networks is a seamless solution. People don't need to know how the infrastructure is working. It just seamlessly works for them.

The most valuable features of the solution are encryption, compliance, and stability.

The solution’s stability could be improved.

I have been using Prisma Access by Palo Alto Networks for one month.

I rate the solution a nine out of ten for stability.

Prisma Access by Palo Alto Networks is a scalable solution.

I rate the solution a nine out of ten for scalability.

The solution's initial setup is pretty straightforward. The solution is easy to implement.

The solution's deployment took two weeks. Compared to other products, the solution has a pretty fast deployment.

We have seen a positive return on investment with the solution because remote work is very important for us.

I would recommend Prisma Access by Palo Alto Networks to other users.

Overall, I rate the solution a nine out of ten.

This solution helps us with visibility of the data stored in the cloud and it even scans our files. If a user is trying to upload any kind of malware file or a script, Prisma SaaS scans those files and helps us identify anything malicious. If it finds something, it directly cleans the file. We are partners with Prisma SaaS.

I've evaluated multiple solutions on the market but to quarantine and clean a malware file is something I haven't seen anywhere else. It's a great feature and provides a lot of security.  

I would like to see a hybrid model which has API plus in-line security, where the user's data is controlled via an API call and also controlled in-line. 

We been using this solution for over a year. 

We've never had any issues in terms of stability. 

In terms of scalability, we initially went with the out-of-the-box solution which was able to support around 40 to 50 users and it was fine. There was no need for any add-ons. We now have a license for 200 users and it scales well. 

Technical support is responsive. We contacted them a few times and they were helpful. 

The initial setup was straightforward. It was completely on cloud and easily activated, and we were up and running quite quickly.

The licensing of this solution is a little expensive and is paid on an annual basis. 

If a company is looking for an API-based technology to control their SaaS data uses and user access, then Prisma SaaS is a good product but if they're looking for a complete CASB solution, then this is not suitable. The solution provides a lot of security but when you look at it in terms of the high cost for licensing, then it is not cost effective to spend that amount just to protect the data stored by the user.

I rate this solution a six out of 10.