It can be used for remote access to web applications and to grant secure access to users.
I've mainly used their solutions for VPN connections from mobile devices.
It's quite reliable and performs well for users.
It wasn't so satisfying to work with it. There is room for improvement in the policy management. It is difficult to cover the entire scenery through Palo Alto products.
In future releases, more focus on integrations would be beneficial, along with improvements in policy management.
I am familiar with this product.
It seemed quite a stable product.
We have a couple of customers using this solution.
The initial setup was relatively easy, but there were complexities due to the policies we had to generate.
I was more of a user than an administrator. However, the deployment process seemed quick.
Primarily setting up the software. The team involved in the setup handled the rest.
One person is enough for the deployment.
From the management side, I'm sure there are several people involved. From an end-user perspective, it's very simple. It likely doesn't need more than one person to manage it.
Overall, I would rate the solution a seven out of ten.
It made VPN easy with the ability to build distributed VPN gateways. The cost of IT deployment is a bit less because you just need a VPN-capable device at the branch, as against the full stack, before leveraging the firewall service feature. There is also better latency for the clients in terms of talking to resources back at the data center.
It's Panorama-managed. Using Panorama makes it easy for me in terms of pulling policies and doing things on the fly.
It's pretty similar to the native physical firewalls. The only difference is that with SaaS security, we're able to get a little more detail about shadow IT SaaS applications and properly categorize them, which is helpful to decide what we need to do with those applications. It affects which applications we would want to see running over the network and which applications we need to restrict from users.
Similarly, in terms of protecting data and preventing zero-day threats, it's the same thing that I get with my physical firewalls. The data is sent to WildFire. The features are all pulled from the same intelligence sensors. The only difference is that this is in the cloud.
Prisma SaaS helps to keep pace with SaaS growth in our organization, but it's not a big deal for us. Mostly, we're looking through or sifting through identified SaaS applications, and it's a good thing to have that visibility. That's what we're enjoying right now, and then probably with time, we might be relying on it to make decisions in terms of setting restrictions to some SaaS applications, especially those that are not sanctioned by IT.
It's hard for me to pinpoint a certain feature against the other. The product makes more sense as a whole. Overall, the cost savings, ease of deployment, and better VPN user experience and performance are valuable.
It helps to identify and control shadow IT apps. In terms of its impact on our organization's security, it has been like a sword with two edges. Sometimes, it has proved to be helpful in securing workloads, and sometimes, especially when there are modifications to App-IDs pushed through the content database, we find some things messed up. We've come to a point where we have our ways of managing these things, but all in all, App-ID has been very helpful, especially in detecting tunneled applications.
At the end of the day, it's simply an operational thing. Sometimes, you have these notifications sent out about changes in App-IDs, modifications in App-IDs, or even the introduction of entirely new App-IDs to replace. Sometimes, the recommendations are followed, but even then, when the package is installed on the firewall, it gets messed up. I remember a particular one was with Tableau, and suddenly, people weren't able to use Tableau, which is an analytics tool for business. So, it can get messed up, but it doesn't happen often.
I have been using it for about two years.
So far, it has been stable. We get all those notifications around changes. I haven't seen a lot of IT changes that need some kind of manual effort.
Being on the global license package and being able to spin up a VPN gateway just like that has been a huge benefit. If I have new users in Berlin, I can make life better and just spin up something close to Berlin for them to connect to. If there's an office coming up somewhere in Poland and there are some supply chain issues, and I have a router somewhere there, I can just leverage that easily without worrying about, "Oh, when am I going to get my stack deployed? How soon can I complete a project so that users are able to start working from that office?" Those are the things that I don't need to bother about anymore because I can easily spin up a complete node close to their location, and I can tunnel between them, do my routing, and they're good. They can talk to whatever resources we need them to talk to remotely and connect to the cloud from there for internally protected cloud workloads. Scalability is obviously a huge factor.
The Cloud App-ID technology is something I am still observing. It takes us back to SaaS security. App-ID is a critical and fundamental part of being able to identify SaaS applications. So far, the applications identified have been true positives. It seems to work so far, but with time, we'll see how it's able to help with identifying SaaS applications better.
It helped to identify cloud applications that we were unaware that our employees were using. I don't have the metrics, but we do generate reports from time to time just to see what's going on and how we compare with the industry in terms of application usage. Similarly, for risk identification, I don't have metrics. We are just reviewing and sifting through these applications. We don't, or we haven't, put a risk score on them yet. Until that's done, it's almost impossible for me to say if these are bad actors or not. We have visibility now. The SaaS applications that have been used at the moment are not of concern based on the last review we did. As time goes on, we might start considering some as risky or start categorizing the risks in some of these SaaS applications. Currently, it's all open. We mostly have mobile users, and we have another solution for endpoint security and Internet-based applications that go through their home Internet. There are few who do visit the office. Probably less than 10% of the organization goes into the office, so there's no huge concern at the moment because of those very low numbers.
For the parts and the features that I use, which are mostly remote branch and mobile gateway, I would rate it an eight out of ten.
I use the solution in my company for our remote workers and branch access.
The product's price is an area of concern where improvements are required. The solution's price should be lowered.
Our company faces some issues during the product's configuration phase. The product's configuration part is slow and not very effective. In my company, we have to change the configuration multiple times to make it effective. The configuration part of the product can be improved.
The product's support team needs to improve the quality of services offered.
I have been using Prisma Access by Palo Alto Networks for a year.
Stability-wise, I rate the solution a seven out of ten.
Scalability-wise, I rate the solution a ten out of ten.
The product is suitable for medium to large-sized companies.
I have experience with the solution's technical support. I rate the technical support an eight out of ten.
Positive
I have experience with Fortinet FortiEDR.
The product's initial setup phase is simple.
The solution is deployed on the cloud.
The solution can be deployed in a couple of hours.
Zscaler is a good product. In terms of features, Prisma Access by Palo Alto Networks and Zscaler are at the same level. Prisma Access by Palo Alto Networks may have an advantage over Zscaler in terms of security. Palo Alto Networks comes from security vendors, and Zscaler is available from cloud vendors. When it comes to simplicity and connectivity, Zscaler is better than Prisma Access by Palo Alto Networks.
The product is secure for remote workers since it has many cloud-based facilities that can offer protection.
The product can provide improved access to those clients who do not directly go to SaaS applications but prefer to use such applications via Prisma Access since it provides security policies to help secure the network traffic.
For security needs, the product's security profile is good.
I have experience with the product's GlobalProtect VPN feature, and I feel that it works fine. The feature also allows the customer or client to go through a tunnel to Prisma Access.
The integration of Prisma Access with Palo Alto Networks can provide a better security posture. The integration of Prisma Access with Palo Alto Cortex XDR is the best, especially when our company sends the logs from Prisma Access to Cortex Data Lake. My company gets a full view of the attack part, consolidation, and timeline of the attacks in Palo Alto Cortex XDR.
I recommend the product to those who plan to use it.
I rate the tool an eight out of ten.
We use it for remote access VPN. When our users are working remotely, from home, they can use it to connect to our IT environment.
An important aspect is that Prisma Access provides all its capabilities in a single cloud-delivered platform. It would be very inconvenient for us if we had to go to multiple places. It gives us centralized operations, and centralized configuration and management that enable us to be more efficient. We don't have to reference or go to multiple places or systems to maintain things and operate.
It has also improved our remote access. We deployed it to replace an older remote-access VPN that we had been using. That is where the usefulness of the product is for us. It provides security and allows our remote users to connect to our environments.
Remote access is the most valuable feature, giving remote users secure access to our IT environment. That is the specific feature that we are using it for. Prisma Access provides secure access to the environment, including apps, and some non-app systems, such as system administration. This ability is very important, almost a mandatory requirement for some of our systems.
It not only protects web-based apps, but non-web-based apps as well. Again, that's important, because for this kind of access, the traffic has to be protected and secure. The fact that it secures not just web-based apps but non-web apps indirectly reduces the risk of a data breach. If all the traffic can be seen it should help keep things from getting into the hands of hackers, helping prevent data from being compromised and preventing access to systems as well. We don't want our systems to be compromised, as they are critical to our services and to our customers.
The solution also provides traffic analysis, threat prevention, URL filtering, and segmentation. That combination is important because it enhances the protection and makes the traffic more secure. It also keeps things more up-to-date, enabling us to deal with more of the current threats.
In addition, Prisma Access provides security updates for threat prevention. Those updates are important in general, of course, for security reasons. The more up-to-date you are, the better you are protected.
It's not very easy to use. Sometimes it's buggy and there are problems when doing updates. The user interface is okay, but some configuration items are difficult. I would like it to be less buggy and easier to configure, to better streamline the user experience.
I have been using Prisma Access by Palo Alto Networks for a little more than one and a half years.
The stability is pretty good. There are certain portions that are not very stable, but the core is pretty good.
I think the scalability is pretty good too, although we are a small company so I don't know how big we can scale, but for us, it's pretty good.
We have about a dozen users on it and most of them are technical staff, such as engineers and software engineers. Outside of the IT personnel, even finance people use it because they need access to the systems and applications. We are using it for one part of our environment, but we plan to expand it from 1,000 users to about 5,000 users.
The technical support is pretty good, as is the post-sales support. They are both very good and very attentive. Although the software is buggy, and sometimes it's hard to fix, they do provide the appropriate support levels to help us through.
Positive
We have used Cisco VPN, and I have used Juniper and Meraki. We switched because we are standardized on Palo Alto firewalls, so we wanted to use the same vendor for more interoperability.
The initial setup of the solution was complex. The configuration is not easy to understand and requires a lot of expertise from the Palo Alto side. The terms that they use in the product require quite a bit of explanation and clarification.
We used a phased approach. The first deployment we did, as a milestone, took us at least six months. For the deployment, we needed at least two to three engineers: someone from security, someone from networking, and someone from the end-user side. All parties had to be involved.
We used a contractor to help us.
The return on investment is that it allows our remote users to access our environment.
The licensing model for this product is complicated and changes all the time, making it very hard for the user to comprehend the configuration.
My advice would be to directly test it before you purchase it to see if the user experience and the complexity of the networking component are things you are able to handle.
The biggest lesson we learned from using the solution is not specific to the solution: We needed to do more proper planning in the beginning. Because the process is complicated, without good planning, it becomes more difficult during the process. The configuration involves many templates. Without planning ahead, they are created in a messy and disorganized way, and that causes further problems when we need to grow and do more setups. Now, we have to go back and correct those messy configurations, and that is something we are still doing.
Overall, the security provided by Prisma Access is very good. It provides the authentication, protection, and encryption that we are looking for for our remote users.
In this pandemic, users want to work remotely and that means we need centralized control of remote users, our branch offices, and the head office. Prisma Access collects everything together and provides us with centralized management, enabling us to manage all our locations and users globally.
It manages on-premises networks, but it has its own infra in the cloud.
The ability to manage networks reduces costs for our organization. Suppose I have four offices and all four have a firewall device. All of those firewalls will have separate licenses, and each office will have a separate internet connection. The Prisma Access solution means we only need one router at each office and all the internet connectivity will go through the solution. That definitely cuts our internet costs.
It is also very important that Prisma Access provides all its capabilities in a single, cloud-delivered platform. For mobile users, without Prisma Access, I would have to control their traffic through on-premises networks and give them on-premises internet. Suppose that one of those users does not connect through the on-premises VPN. That user would then have access to and control of whatever he wants. The system might be compromised through unauthorized access. That's why, from a security perspective, it is very important to control this type of situation. We could control the system without Prisma Access, but that would require additional solutions. We would have to add another security client to the user's system. With Prisma Access, instead of having two solutions, we have one solution.
Prisma Access gives us security from a single point. It controls mobile users and determines how secure their networks will be, including from where they will get internet access. We can optimize things and add security profiles centrally.
Another valuable feature for mobile users is the GP VPN access. It provides security and a firewall as a service, including threat and vulnerability protection. From a security perspective, it is very good.
I haven't seen any SD-WAN configuration capability. If Prisma Access would support SD-WAN, that would help. There are some trending technologies in networking with SD-WAN. SD-WAN is nothing more than optimizing your WAN. SD-WAN devices should be able to reach Prisma Access, and Palo Alto should support different, vendor-specific devices, not just Palo Alto devices, for SD-WAN configuration.
Also, Palo Alto only provides corporate licenses. If they would give a license to a non-corporate email ID, for testing and a pre-trial, that would be really great for users to practice with it. Everybody could explore it. Or, for people who are not working in a corporate environment and who want to explore this kind of setup, it would enable that type of test access on a personal email account.
I have been working in networking and security for eight-plus years. I work on various infra including routers, switches, firewalls, and different cloud services. I work on various vendors' solutions, such as Fortinet, SonicWall, Sophos, and for the last four years, on Palo Alto.
Prisma Access is a subset of Palo Alto Networks and is a product they recently introduced. We just recently heard that our organization was planning to use the Prisma Access solution.
I cannot evaluate the stability based on my limited experience, but I recently called a colleague in a different organization who has been running Prisma Access, and he said it is going well and that he has seen good stability.
We have more than 10,000 users and 40 Palo Alto firewalls, located in different regions. They were involved in the PoC. In the future, we are planning on having Prisma in production.
Palo Alto support is very responsive. They respond immediately and they are very kind and very knowledgeable. They work on cases by priority. In general, when we call them, we are able to talk with them without much delay and they provide solutions that have met our expectations.
I would rate their support at eight out of 10. I deducted two points because sometimes they do have a very busy schedule and every engineer is busy. Once we reach them, everything works fine.
Positive
This is a new implementation for SASE in our organization.
The license activation process is very straightforward. When we purchased Prisma Access, they provided a link and, from there, we had to add the serial number of our existing Panorama. After that, everything happened automatically. Once that management setup was done, we were easily able to add a rule and do other configurations.
Our deployment did not take a long time. However, our infra is very big. While the initial setup was done in four to five hours, finishing everything took us one week.
If you are planning on using the SASE model for your organization, I would recommend Palo Alto Prisma Access. It works well, based on my experience.
I have come across many firewalls and I have hands-on experience with various devices, but Palo Alto is the best for everything. It is the best device for infra security. It not only has security, but it works well when it comes to routing and switching.
Overall I would rate Prisma Access at 8 out of 10. It gives us centralized management and reliability, scalability, and ease of configuration.
This is a CASB product that we use to protect data that is in the cloud. We work with our client to protect them from unknown threats, as well as known threats such as the inadvertent sharing of files. An example of this is the uploading of a file by an admin that contains sensitive data that was not intended to be shared with anyone who is external to the organization, such as a Gmail address. This solution offers protection from these kinds of problems.
From my client's perspective, I can say that they had no control over their cloud data that they needed to protect. They had solutions that can handle their on-premise DLP, such as determining whether a particular service is malware-free. When it was on the cloud, such as Google Cloud, Google Drive, ServiceNow, or others, they were not sure how to protect it. With this solution, they are able to protect themselves, and also with data at rest. It has helped to protect against the propagation of malware from the cloud to the premises.
There are two features that I find very good. This solution provides a DLP on the cloud and very few people have a scanning device for data at rest. The second feature that I really like about this solution is the notifications that it provides. It provides me with timely notifications so that I can consider things such as whether actions are trusted or untrusted and I can quarantine the data on the fly.
There are a lot of cloud-based applications that are supported, such as Box, Skype, Google Drive, and SharePoint, but there are many more that have not been totally integrated. They cannot use in-house apps because they are not generic services. I would like to see support for custom applications.
There are also certain storage services that are not integrated, like AWS S3. If the services are created by the customer then it would be very nice to have those protected too.
Right now, this is a data at rest CASB, but it would be nice if it included features such as forward proxy or reverse proxy. It would be able to provide the OTP to those gateways and anyone who can integrate with Aperture can send the data to have it authenticated, via Aperture to the cloud, rather than just scanned. Essentially, if it can be made to act as an auth server, to automatically handle the forward proxy CASB, it would be good.
Six months.
It seems to be a pretty stable product. It has been six months and we haven't seen many problems yet.
Given that it is in the cloud, I don't think that there is an issue with the scalability. You can just add agents or perform more integration very easily and it will work. Unless the price model changes because it is already a bit pricey from the perspective of the end-user, it is not a problem.
The scalability is based on devices rather than users, but I can say that there are perhaps six cloud accounts with around ten or fifteen apps that they are trying to protect.
The technical support is very friendly. They are aware of the solution and they can definitely help you if you are stuck with a problem.
Our customer was not aware of how to protect their cloud data, and this is the first solution that they chose.
The initial setup is simple. You just need to log into the Aperture cloud with your user ID and password, apply the license and you are done. After this, you just need to know how to integrate, but they already have documentation that can help you out.
The time required for deployment depends on how complex you are making the environment. If it's a very simple one, such as a Box or a Google Drive, then it will take around a day or two, maximum a week.
I would say that a complex environment may take between three and four weeks. It depends on the use case. If you want to do a POC setup on VPC or Google Drive then it may take less time. On the other hand, if you are integrating more services then it will take longer because you have to learn the product from scratch. There are no similar services.
Once this solution is configured, there is very little that you have to do unless the customer requests something new. If you integrate it with WildFire and AutoFocus, it will automatically get the latest volume or latest signatures, and it will notify you whenever that happens. If somebody is properly trained then one person can handle the maintenance.
We deployed this solution for our customer. We also used agents, provided with Aperture, on the local devices so that they could be easily connected to the cloud.
The pricing for this solution is on the higher end. Our customer felt that the solution was a bit overpriced but they had nothing that offered them better protection.
The licensing fees are on a yearly basis, and there are no additional costs.
There are now more vendors doing this, such as Oracle, but when we started there were very few. This is one of the reasons for choosing this solution.
This is a fairly good product if you are looking for something to protect data at rest. There are alternatives, like Oracle and McAfee, that also provide similar solutions, but you should do a POC with them first. In fact, you should always start with a POC because everyone has different needs.
If you take the training that is available then you will be able to handle the maintenance yourself. There can be challenges when there are compliance issues, like somebody putting a file into quarantine. It will have to be taken out manually, and if the user is untrained then they will require technical help for this.
I would rate this solution eight and a half out of ten.
We are a solution provider and we work with our customers to provide them with cloud-based solutions. One of the categories we provide is in the security-related space, and Prisma SaaS is one that we are promoting.
One of the primary use cases is to create a more secure tunnel between home and office, allowing people to more securely work remotely from home.
We use the central monitoring tool from Palo Alto, which gives us good visibility on our network.
The performance is good.
The price can be reduced to make it more competitive.
We have been working with Prisma SaaS for the last six months.
Stability-wise, we have not had any problems.
We have had no issues with scalability.
We work with a variety of security vendors including Check Point and Fortinet. For cloud-based solutions, we work with Barracuda.
The suitability of a particular product or vendor will depend on the client's requirements, situation, and budget.
Compared to other products, the price is slightly high. In fact, sometimes there is a large pricing gap.
This is the best product that I have looked at, out of all of the competitors. We are still testing it, but from what I have seen, it is really good compared to the others.
I would rate this solution a ten out of ten.
We are a system integrator and Prisma Access is one of the security products that we implement for our clients. We handle all products, from high-level to low-level, and we propose an end-to-end solution for each customer. I am a pre-sales architect and engineer.
Prisma Access is the name of the GlobalProtect Cloud Service.
Normally, it is sold to users who want to use a VPN agent.
The most valuable feature is the ability to join your network and provide access through the VPN.
It is integrated with the MDM solution but it is not a VPN, so this is something that can be improved. Better integration with the MDM solution would be useful.
We don't hear from customers for a long time when they have this solution, so I think that it is stable.
Scaling is easy because it is just a license that you extend.
Our clients for this solution are typically small to medium-sized companies.
We work with similar solutions from a number of vendors including Fortinet, F5, Trend Micro, and others.
We have an in-house team that is responsible for implementing products for our clients.
We also perform the required maintenance, as well as technical support.
This is not an expensive product and everything is included with one license. We normally sell GlobalProtect bundled with a firewall if the customer wants an endpoint solution.
We have to pitch it to smaller customers. When it comes to medium-sized organizations, they are almost dedicated to a VPN solution. This is a good solution and I can recommend it, although it would be improved with better MDM integration.
I would rate this solution a seven out of ten.