Principal Cyber Security Technologist at a computer software company with 51-200 employees
Real User
Top 5
2024-09-16T09:39:00Z
Sep 16, 2024
The Prisma Access could improve in terms of adding more machine learning and AI capabilities to automate tasks such as incident response. This would enhance the overall security posture by enabling better and faster management of security threats.
From any improvement perspective, the product's compatibility issues with Linux need to be resolved. The response from the support team needs to be made faster.
It wasn't so satisfying to work with it. There is room for improvement in the policy management. It is difficult to cover the entire scenery through Palo Alto products. In future releases, more focus on integrations would be beneficial, along with improvements in policy management.
Connectivity Platform Cyber Security Specialist at BASF Business Services GmbH
Real User
Top 5
2024-03-06T12:07:34Z
Mar 6, 2024
The tool's scalability is subject to some limitations when done on-premise due to the need for additional licenses. However, in other scenarios, increasing scalability involves expanding infrastructure to accommodate more third-party VPN access. It is scalable as long as you pay the money. Also, it needs to improve security.
Solution Consultant at a tech services company with 1,001-5,000 employees
Consultant
Top 20
2024-03-06T05:48:26Z
Mar 6, 2024
The product's price is an area of concern where improvements are required. The solution's price should be lowered. Our company faces some issues during the product's configuration phase. The product's configuration part is slow and not very effective. In my company, we have to change the configuration multiple times to make it effective. The configuration part of the product can be improved. The product's support team needs to improve the quality of services offered.
Learn what your peers think about Prisma Access by Palo Alto Networks. Get advice and tips from experienced pros sharing their opinions. Updated: October 2024.
Certain complications are related to the VPN part of the product, which can lead to a very deep and technical discussion. From an improvement perspective, I want the product to be integrated with SASE products. Palo Alto Networks GlobalProtect or VPN in general with a cloud-based service would be a great improvement. The product should be made more capable of offering more integration with the recent technologies introduced in the market. The product's integration capabilities with the already existing products in the market are good. The product's current price is an area of shortcoming where improvements are required.
Solution Architect // Network Consultant at a consultancy with 501-1,000 employees
Consultant
Top 20
2023-09-13T07:57:39Z
Sep 13, 2023
Though the monitoring is fine, the solution should improve its application graphs and interface monitoring. Additionally, the pricing could be improved.
Its integration with non-Palo Alto products can be improved. Currently, it is easy to integrate it with other Palo Alto products such as Cortex XDR. It integrates well with other Palo Alto products. A major part of our network is based on Palo Alto products, but for those companies that use multi-vendor products in their infrastructure, Palo Alto should optimize the integration of Prisma Access with the network devices from other vendors. They should also increase their support team. There is scope to optimize their support.
System Administrator at a computer software company with 501-1,000 employees
Real User
Top 10
2023-05-04T08:08:00Z
May 4, 2023
The user interface could be better. They need to work a little bit on the console. It is similar to their firewalls but not exactly. They need to clean it up a bit. Prisma Access' ADEM is good when it comes to segment-wise insights across the entire service delivery path. The only minus is that it is not supporting Linux. It is only for Windows and macOS. We are not able to manage firewalls from the cloud. They have promised to make this feature available in the future where we will be able to manage firewalls from the cloud. Currently, we can only use Panorama to manage firewalls.
We would like to see improvements in the licensing; currently, Palo Alto provides 500 to 1000 licenses for users, and we want to see 1500 to 2000 licenses for one version.
There should be a dedicated portal or SASE-based solution. They're trying to add a plugin but it needs a dedicated portal because it is now an enterprise solution for multiple organizations. People should be able to directly log in to a dedicated page for Prisma Access, rather than going into a Panorama plugin, and always having to update the plugin. An administrator should be able to look at it from a configuration perspective and not the management and maintenance perspectives.
I've had a ton of issues with Prisma Access. The UI is horrible and not intuitive. For example, error handling when applying configuration changes is atrocious. The UI itself is buggy and lags. The sales staff tried to be helpful, but they sold us the wrong license SKU, which broke our environment, and it took two months for them to fix it. Two months is an eternity for something as critical as this. It applies commits to the firewalls slowly. There isn't an API you can use for anything. We've previously had trouble with the egress IP addresses though we expressed to engineering that those mustn't change. They changed several times without warning, causing a lot of headaches.
There is room for improvement in the multi-environment visibility, especially around containers. The product easily gets confused if you have, for example, similar Docker images that are running in different environments. It does not have a way of isolating that even though it's the same image, it's running in a different environment. It just consolidates that reporting and makes it difficult to figure out how far your plus range is. I don't think the solution has a preventative approach. I think most of it is really more fighting. I guess you could use what it finds to predict what might happen in the future, but I haven't seen any features that are preventative.
Professional Services Consultant at Infinity Labs India
Real User
2022-09-21T06:57:00Z
Sep 21, 2022
The Cloud Managed Prisma Access needs some more enhancement. Its GUI needs to be updated with respect to the inside application of Prisma Access. The BGP filtering options on Prisma Access should be improved.
Network Security Engineer at a tech services company with 10,001+ employees
Real User
2021-12-21T12:40:00Z
Dec 21, 2021
I haven't seen any SD-WAN configuration capability. If Prisma Access would support SD-WAN, that would help. There are some trending technologies in networking with SD-WAN. SD-WAN is nothing more than optimizing your WAN. SD-WAN devices should be able to reach Prisma Access, and Palo Alto should support different, vendor-specific devices, not just Palo Alto devices, for SD-WAN configuration. Also, Palo Alto only provides corporate licenses. If they would give a license to a non-corporate email ID, for testing and a pre-trial, that would be really great for users to practice with it. Everybody could explore it. Or, for people who are not working in a corporate environment and who want to explore this kind of setup, it would enable that type of test access on a personal email account.
Professional Services Consultant at Infinity Labs India
Real User
2021-12-15T20:27:00Z
Dec 15, 2021
The Cloud Management application has room for improvement. There are a lot of things on the roadmap for that application; things are going to happen soon.
Sr. Cloud Security Architect at tejain@deloitte.com
Real User
Top 5
2021-12-05T23:23:00Z
Dec 5, 2021
It is a managed firewall. When you run into issues and have to troubleshoot, there is a fair amount of restriction. You run into a couple of restrictions where you don't have any visibility on what is happening on the Palo Alto managed infrastructure, and you need to get on a call to get technical assistance from Palo Alto's technical support. You have to get them to work with you to fix the problem. I would definitely like them to work on the visibility into what happens inside Palo Alto's infrastructure. It is not about getting our hands onto their infrastructure to do troubleshooting or fixing problems; it is just about getting more visibility. This will help us in guiding technical support folks to the area where they need to work.
Prisma should implement industry updates in near real-time. Also, Prisma's integration between operational technology and IT should be more seamless. Right now, it requires additional setup and maintenance.
The challenges we have faced are not connected with Prisma's core fabric, but more with the end-user. To use the GlobalProtect client and meet all the requirements, your laptop or your end-user system has to be at a point where things are up to date. It's not really Prisma's fault, but when you try to create exceptions you don't really have those abilities. You cannot say, on the management platform, "Hey, for these users I want to create these exceptions." That is one thing that I have gotten some complaints about, and we have faced some challenges there. It's always a challenge when people at the executive level start complaining because they're using the latest version of the MacBook Pro and it's not playing very well with Prisma.
Senior Network Security Lead at a tech services company with 10,001+ employees
Real User
2021-03-29T19:07:59Z
Mar 29, 2021
Our security team had a concern that they are not able to filter out a few things. There is some particular traffic that the security team wants to filter out and apply their own policies and they cannot. Earlier, we used our on-prem solution for that; however, when it is in the cloud, the problem is that it has to be done manually. When we do changes on the on-prem, it will not automatically sync to the cloud. Therefore, manually, the admin has to do changes on the on-prem for spam filtering and at the same time on the cloud as well. We actually faced a problem with the failure of authentication. Our primary authentication happens through a RADIUS server, to a non-IP solution, so that there is a double-factor authentication. In that double-factor authentication, we are using three different RADIUS servers. Apart from that, our requirement was that if all our RADIUS servers failed, we wanted the authentication of users to fall back to LDAP. The problem we faced is that each RADIUS server was consuming 40 seconds each for the timeout, and then only will it go to LDAP. However, the total timeout of the GlobalProtect timeout, we are not able to adjust. If you take an on-prem Palo Alto device, you can adjust or increase the GlobalProtect timeout value from 30 seconds to up to 125 seconds or 150 seconds. Later, we were able to resolve this by reducing the timeout value for each RADIUS server. Technical support could be a lot better.
Head of Pre-Sales at a tech services company with 51-200 employees
Real User
2020-12-30T14:20:10Z
Dec 30, 2020
When it comes to the VPN, it uses the GlobalProtect VPN functionality to connect remotely, but it has a feature limitation for assigning multiple IP subnets to different user groups. It would be much better if we were able to assign the current IP blocks for the subnets based on the user groups.
Endpoint Security Manager at Catholic Health Initiatives
Real User
2020-10-06T06:57:36Z
Oct 6, 2020
The solution needs to be more compatible with other solutions. This is specifically a problem for us when it comes to healthcare applications. They have proprietary connection types and things of that nature that make compatibility a challenge sometimes. The scaling can be a bit tricky, depending on the setup.
Senior Security Architecture Specialist at a computer software company with 201-500 employees
Reseller
2020-09-27T04:10:13Z
Sep 27, 2020
It is integrated with the MDM solution but it is not a VPN, so this is something that can be improved. Better integration with the MDM solution would be useful.
IT Security at a real estate/law firm with 1,001-5,000 employees
Real User
2019-07-17T07:31:00Z
Jul 17, 2019
I would like to see better pricing and an easier logging process. Also, if there was a way to log a global log, everything could go onto the system. It would be better if there was a third log, otherwise one would have to do everything manually.
Consultant at a political organization with 201-500 employees
Consultant
2019-06-26T05:25:00Z
Jun 26, 2019
The dependencies of applications sometimes are a bit confusing. All the dependencies you have between applications can be confusing when you fill in things. It's mostly the configuration with the different applications. Extra guidance in using applications and things like that might be helpful. In terms of features, at the moment, the features we use are all in there. But we don't even use the full feature set at the moment. So I don't really have any need for anything else. For now, there's not really anything missing.
Director at a tech services company with 51-200 employees
Real User
2019-06-24T12:13:00Z
Jun 24, 2019
They could improve the proactive service on this application and application tracking in their next release. Their next release should provide solutions for the mobile environment.
Prisma Access by Palo Alto Networks provides consistent security for all users and applications across your remote networks. Prisma Access grants users safe access to the cloud and data center applications and the internet as well. In addition, the solution combines all of your security and networking capabilities into a single cloud-delivered platform, enabling flexible hybrid workforces.
Prisma Access can be managed two ways:
Cloud Managed
Panorama Managed
Prisma Access delivers both...
They could add more flexibility and improve product performance.
Prisma Access by Palo Alto Networks should consolidate the portals into a single portal. It is slow and takes more than ten seconds to load a page.
I would like the solution to support a different type of authentication. We can't configure a secondary method for our portal.
There can be some latency issues with the solution that should be improved.
I would like to see an increase in third-party integration, in terms of identity and access management, or strong authentication.