Prisma Access by Palo Alto Networks Reviews

We are an integrator. We are providing the services to a partner of Palo Alto. We are using Prisma Access, Cortex XDR, and Cortex Data Lake.

We are using two kinds of services for security: one is Zscaler and the other one is Prisma Access. For Internet security, we are using Zscaler, and for SaaS applications security, we are using Prisma Access. 

By implementing Prisma Access, we wanted to secure the traffic for SaaS applications such as Office 365. We had SaaS application traffic that was already bypassed, but because it was UDP traffic, it was still going to the Internet. There were some internal customer applications over the cloud, and we wanted to secure the content of those applications over the cloud. That is why we are using Prisma Access.

Prisma Access provides comprehensive security. It provides URL filtering, application control, SSL, DLP, etc. It provides complete security for the cloud environment.

We are using IPSec. If you compare it with Zscaler, there is no limit for IPSec bandwidth or throughput. Zscaler provides only 400 Mbps, whereas, with Prisma Access, we are not facing any such issues. We are getting unlimited bandwidth for IPSec. This is one of the main benefits when it comes to the cloud because sometimes the backplane could be very high. In such cases, Prisma Access is very helpful for us.

For our data at rest, which is our data stored in the cloud, we are using the CASB properties of Prisma Access. It provides security to our data at rest.

The way the product is designed is good. It does not take much time to identify a problem and what is going on because we have zone-based and site-based configurations. Whenever we have something coming from users, we get reported about the issue. It is very easy to troubleshoot. With the integration of Prisma Access with Cortex XDR, we can easily identify what is going on.

The logs that Prisma Access provides are also very detailed, so it is very easy to identify the issue and the root cause for resolution. Once you have identified the issue, the solution does not take much time.

We have a centralized dashboard. In the same dashboard, they have integrated multiple parts, such as Cortex Data Lake, GlobalProtect, and Prisma Access for Internet security or cybersecurity as well. There is a single dashboard integrated with different tools. It provides comprehensive security and is easy to manage.

In our infrastructure, we are getting 200 to 300 alerts on a daily basis. We get alerts about all kinds of issues, such as when the tunnel is fluctuating, reports are not getting generated, or there is some compliance issue in configuration. The alerting part is very good in Prisma Access. We get alerts instantly whenever there is a fluctuation. We, as administrators, look into them and resolve them on a priority basis.

These alerts reduce the resolution time and provide insights to proactively resolve an issue. This is a very helpful part of Prisma Access, but this capability is there in every product these days.

We are able to implement security control over the SaaS application traffic. We are able to implement the security posture, and we are able to implement the IPSec tunnel. We are using GRE as well. We are able to implement security for multiple use cases with Prisma Access.

It provides SSL inspection for private or internal applications. That is one of the key features we are getting from Prisma Access. We are using GlobalProtect along with Prisma Access. Even for our SaaS applications, we are doing SSL.

Prisma Access is good. Its security is good. Everything is good, but the way the dashboard responds can be improved. It takes time to implement a policy. If you change only 2 or 3 lines and push the policy to make the change work, it takes 20 to 30 minutes even for a small change. That is something very irritating from the implementation perspective. The response time of the dashboard for configuring things needs to be improved. It should be quick.

Its implementation is also a bit complex.

We have been using this solution for 2.5 years. 

It is stable. I would rate it an 8 out of 10 for stability.

It is very scalable. I would rate it a 10 out of 10 for scalability.

Our clients are enterprises. 

Their TAC part is okay. It is not the best, and it is also not the worst. They are good. I would rate them an 8 out of 10.

Positive

We have been also using Zscaler, but we are moving to Prisma Access completely. The decision to move is taken by the management. Zscaler is a better product, but it is very expensive. 

Another thing is that management has decided to use the firewall solution of Palo Alto going forward. That is why they are proactively switching to Prisma Access. There will be better synchronization between security products. There will be GlobalProtect and Palo Alto Firewall in place going forward.

We had to define the architecture first. We were already using Zscaler, so it was a bit complex to shift the traffic to Prisma Access. It took months to implement this solution to segregate the traffic from Zscaler and move it to Prisma Access. It was not an easy task. It was a bit complex. Once it was implemented, it was good.

Its implementation could be difficult, but when it comes to operations, it is easy. The maintenance part is also good. Only the configuration part takes time. The portal also lags at times.

The implementation duration varies. An implementation can take weeks or months. It depends on your network, infrastructure, and applications. 

As compared to other solutions, Prisma Access is much cheaper. It is probably 30% to 40% cheaper than other solutions, but I do not know the exact cost.

A customer is using 250,000 user licenses for Zscaler. You can understand what Palo Alto would offer to take over this kind of project. The price can be negotiated in many ways.

I am not sure if any other solution was evaluated, but I am pretty sure that PoC was not done for any other product. 

If you are looking for a cloud security solution, you need to know how many applications are there on the cloud and what is your budget. Prisma Access is overall beneficial. Zscaler could be more expensive or trickier to manage because it requires expertise. Prisma Access is easier.

We have not done any automation. Everything is manual. We have not integrated any of the REST APIs with Prisma Access. We know that REST API is supported in Prisma Access.

Overall, I would rate Prisma Access a 7 out of 10.

I'm a cloud security architect, but I joined this project because one of my teammates left. My manager asked me to join because I have prior experience with Cisco Systems and Dell security. 

Our client has 40 sites, and they used other products called Peruit and PescUmbrella. My colleague was helping them remove the products from their laptops and replace them with Cortex XDR and Prisma Access. 

Prisma Access is a better product than our client's previous solution, and it helps organizations work differently. It saves time, but I'm not sure about money. I had never considered that aspect because I'm not involved in the financial side. The solution helps us to operate efficiently. Everything we want to do is in there, including DNS, web, and URL security.

Endpoint Protection is something I use on my corporate laptop, and it's doing a wonderful job. I don't experience latency. Prisma has a massive number of secure gateways compared to any other product. All these gateways reduce latency and provide better bandwidth because they use cloud platforms. The scalability and efficiency are excellent so far. 

Prisma integrates well with Cortex XDR and Cortex Data Lake. My company has been also using Prisma Access in-house for nearly a year, and it integrates seamlessly. 

Another aspect I like about Prisma is its usability and control. You can do many functions from a single dashboard. It has more features than Zscaler. The look and feel are better. Prisma is a one-stop shop that does many tasks, like logging and monitoring. 

Having a cloud-based platform is essential because we're pushing all our customers to the cloud. Most of our customers will be using Prisma in the future. Prisma Access provides traffic analysis, threat prevention, URL filtering, and web filtering, which are critical features that our customers request. You don't need a separate administrator for each task. One admin with a little training can handle all of them on Prisma Access. The rest depends on how much you can play with the product.

The documentation is generally good, but they could provide a more detailed description of all the configuration steps. I have to search for information or call support. Palo Alto could add more knowledge base articles about configuration with screenshots and walkthroughs. That would be helpful. When configuring a product, you want to see examples of how it is done. 

I am using Prisma Access for two projects. I haven't been using it for more than six months. 

I haven't worked with Prisma for long, but my impression of the stability so far is good. 

Prisma Access is most suitable for large enterprises because it also includes posture management. It's comparable to Microsoft ESPM. Microsoft makes many of the tools I use as a cloud architect, so I see everything from that perspective.

I don't think smaller companies will have any issues with Prisma. My company has five offices in India and users in 55 countries. Prisma is excellent in terms of scalability, usability, readiness, and user experience. It also runs on older operating systems and new ones too. The laptop I initially got from the company was pretty old. It's a gen-three. I got a newer laptop, and it works on either. 

I rate Prisma Access support a nine out of ten. Their support is helpful. They have a large team of product managers, so they're always available to talk. The response times are excellent. 

I'm impressed. Their technical teams are knowledgeable about the product, and they have global support. You can get support around the clock no matter which time zone you are in. One of my clients is in the US, and the other is in India. Both can access support without a problem.

Positive

I worked with Cisco Fire and AnyConnect, which combines security and VPN. AnyConnect is a popular Cisco product clients use remotely to connect their machines to their offices. That was the first product. Cisco acquired Sourcefire and rebranded it to Fire, which is again a client-based solution.

The deployment is straightforward, and it's done via Prisma's console. I didn't find it to be tricky or have any difficulty finding what I needed. Everything is clearly labeled and intuitive. The more you play with that, the more comfortable you get.

It only takes a minute or two if you have everything configured and you simply need to push the config file. That also depends on how much configuration you push at once. A small configuration takes less than 30 seconds. A larger configuration like we've done in the past few days might take a minute or more. 

I rate Prisma Acess a nine out of ten. It's better than any other product in the market.

We need global connectivity because we are a software company, and we have a lot of contractors around the globe. We are using Prisma Access for them to be able to connect from anywhere and have access to our data center, which is on-premises. It is not in the cloud.

We are using its latest version. It is always up to date. 

It provides zero trust security and access to our resources. It brings security and provides access. The security provided by Prisma Access is very good. I would rate it a nine out of ten in terms of security.

Prisma Access provides all its capabilities in a single, cloud-delivered platform, which is very good. Before choosing Prisma Access, we did extensive research. A single console was very important for us. If we had gone for Cisco, we would have had to combine three different products of Cisco, and we would have had three different consoles to manage, which is not what we wanted.

Prisma Access provides traffic analysis, which is very important for us because we want to know what is happening with the traffic, who is connected, how they are connected, and what is happening with the endpoint during this connection. We are working with the current information, and it is very important. For threat prevention, we are going to implement Palo Alto WildFire.

Prisma Access provides millions of security updates per day. It is very important because if we have zero-day or any other type of breach, it would not be good. There should be regular updates.

Prisma Access' ADEM was another feature that made us go for Prisma Access as compared to the other vendors. It provides real and synthetic traffic analysis, but it also depends on how you tune up ADEM. You need to make rules in order to maintain certain services. If you are doing it right, it will be able to show you where the weak point to the connection is. ADEM does not affect the digital experience for end-users. They do not even know that it is there.

Prisma Access does not enable us to deliver better applications, but it has had an impact. It is stopping some applications that our people are using.

It is easy. There are service connections that they are using for connecting from the cloud to your data center. It is simple. 

There is a system for monitoring the traffic. You can monitor the traffic of the connected people and point out any issues on the connection part. 

The user interface could be better. They need to work a little bit on the console. It is similar to their firewalls but not exactly. They need to clean it up a bit.

Prisma Access' ADEM is good when it comes to segment-wise insights across the entire service delivery path. The only minus is that it is not supporting Linux. It is only for Windows and macOS.

We are not able to manage firewalls from the cloud. They have promised to make this feature available in the future where we will be able to manage firewalls from the cloud. Currently, we can only use Panorama to manage firewalls.

I have been using this solution for two months.

It is very stable. I would rate it a ten out of ten in terms of stability.

It is very scalable. We have 200 users. I would rate it a ten out of ten in terms of scalability. 

We use it very often. It has been okay so far.

We take the help of the integrator who is helping us. We still have questions regarding the product. They have provided a service engineer, and we work with him. We are able to call him directly for any help.

Positive

We did not use any other solution previously. 

It is straightforward because all the work is done by Palo Alto. They provide help for the initial setup to go without any issues or with minimum problems. They power up the machines, and they give us console access from there.

After Prisma Access was set up, it took us about a week to tune everything and connect our data centers to Prisma Access, etc.

We had two engineers for its setup. It does require maintenance. I am the only person handling the maintenance. It is not difficult to maintain.

We use an integrator. 

It is too early for that. We need a little bit more time to see the ROI.

It is not cheap. It is expensive. The good thing is that you are able to pay for what you need, but overall, it is not cheap. The pricing is not based on packages. You pay based on the features. If you want DLP, you only pay for DLP. They are very flexible. It is not cheap, but the licensing is flexible. There are no additional costs in addition to the standard licensing fees.

I would advise starting with the lowest package or minimum services, and then you can upgrade based on your needs. The full package is not cheap, and you might not need all the features.

Their cloud access router could be a little bit cheaper.

We evaluated Cato Networks, Cisco Umbrella, and Zscaler. We also had presentations from Perimeter 81 and CloudFlare.

We went for Prisma Access because it is able to integrate with their firewalls. They have very good connectivity. Palo Alto is a leader in the next-generation firewall, which means their security is good. 

Prisma Access has a lot of features, but we have been using it for only two months. We have not fully used it yet. We have not used the whole functionality.

The good thing is that they are providing a proof of concept. You can do a proof of concept and see if it is suitable for you. If you are already using Palo Alto firewalls, it will be better for you. It will be much easier for you to use Prisma Access.

If you are familiar with Palo Alto in general, it is easy to use because it is very similar to their operating system of firewalls. If you have previous experience with Palo Alto, it is much easier. Otherwise, it will take a little bit of time, but it is easy. The only thing that can be a bit complicated is the service connection. In Prisma Access, you have two types of connections: service connection and network connection. They do almost the same thing. They can create confusion if you are not familiar with them.

Prisma Access can secure not just web-based apps but non-web apps as well, but we are not using this feature currently. 

Overall, I would rate Prisma Access an eight out of ten. That is because we cannot manage firewalls from the cloud.

Our primary use case for Prisma Access by Palo Alto Networks is to control the internet and serve as an internet proxy. Additionally, we use it for secure remote work.

One of the most valuable features of Prisma Access by Palo Alto Networks is the ability to manage on-premise firewalls. We can push policies directly from Prisma Access to FortiGate, which makes managing our on-premise firewall easier and more efficient.

There is a lack of integration with third-party solutions like CrowdStrike or SentinelOne in Prisma Access by Palo Alto Networks. Although they have a tight ecosystem with their products, opening up for integration with other solutions would be beneficial.

I have been working with Prisma Access by Palo Alto Networks for more than two years now.

I think the stability of Prisma Access by Palo Alto Networks is excellent, and I would rate it ten out of ten. There are no notable issues with stability.

Prisma Access by Palo Alto Networks is a cloud-based solution, and from my experience, there are no issues with scalability.

I find customer service and support to be very good, and I would rate them ten out of ten.

Positive

The initial setup was simple and not complex.

From my experience, Palo Alto is more expensive compared to solutions like Netskope and Triscale.

I evaluated Triscale and Netskope as other solutions.

For companies with at least one thousand users, I recommend Prisma Access by Palo Alto Networks. I rate the solution 9.8 out of 10.

Prisma Access is a solution for remote and mobile users. Following the pandemic, many employees now work from home, meaning many companies have extended remote locations. We use the product to secure the networks of our remote and mobile users, so they can safely access our company's intranet and network.

Panorama provides centralized management capabilities for all our firewalls and locations so that we can manage different data centers through a single device, a very valuable feature. We don't have to log into various devices to oversee them individually.

The solution's ease of use is excellent; the GUI is fantastic, well-designed, and easy to use, even for non-technical staff. The different tabs are clearly visible and straightforward to understand.  

The platform protects all app traffic; when we enable GlobalProtect on the cloud and user device, it provides a secure, private connection for users to access applications. That's very useful.  

Prisma Access secures not just web-based apps but non-web apps, which is very important to us. We can also secure URLs, API-based solutions, and API browser interfaces. 

The fact that the solution secures web and non-web-based apps reduces the risk of a data breach to an extent. When we make apps accessible only through a private network, the risk is reduced. 

The product provides traffic analysis, threat prevention, URL filtering, and segmentation; these features are essential for troubleshooting. The logs showing the traffic passing through Prisma Access show us what's getting blocked and allowed, while the threat prevention alerts us to any suspicious or malicious items. This gives us insight if there's a data breach and if traffic we want to be blocked is still hitting our devices.   

Overall, the security provided by Prisma Access is excellent; the chances of a data breach are minimal. It's a great product.   

We would like to see improvements in the licensing; currently, Palo Alto provides 500 to 1000 licenses for users, and we want to see 1500 to 2000 licenses for one version.

We have been using the solution for one year. 

Prisma Access is a stable product. 

We can scale the tool well, add devices as soon as our user count grows, and scale in line with our company growth.

Regarding users, we have 30 staff managing Prisma Access, and GlobalProtect is installed on every machine in the company. 

We contacted the Palo Alto support team on many occasions. The one issue is it can take a long time to connect, and they can be challenging to reach when we need immediate help. They're accommodating if we send them a planning notice within 24 hours. Once the ticket gets assigned and we get through to a support staff member, the service is excellent. The only issue is with immediate assistance; it can be difficult to get through to someone.

Positive

We previously used Zscaler and switched for two reasons: firstly, the cost, and secondly, Prisma Access offers additional features in one device. It also has simplified architecture and reduced MPLS lines.

The initial setup was complex, and only our network admin could install it. Once the solution is set up, it's straightforward, but the setup is arduous. We completed the deployment in a day. Our implementation strategy was to determine the number of users and ensure they all had the necessary information regarding the solution and GlobalProtect. Then, we deployed accordingly.

We have a team of 30 responsible for managing and maintaining the solution. 

The solution is definitely worth the money we pay for it. 

Prisma Access is one of the best compared to other products on the market. The cost is favorable, and Palo Alto provides a simple architecture, so I recommend the solution to anyone using a different product. There are no hidden costs besides the license; what you see is what you get. 

I rate the solution nine out of ten. 

It's important to us that Prisma Access provides all its capabilities in a single, cloud-delivered platform. We previously used different firewalls with a Zscaler proxy for particular purposes, but now we don't have to purchase dedicated hardware. Prisma offers most of the features we need in one solution, so it's like getting three or four products in one; we don't have to go for extra tools to secure our apps or get a VPN because it's already provided.  

That Prisma Access provides millions of security updates daily is significant for us; there are new challenges and threats every day. Palo Alto Networks must keep its security up to date to protect against new and developing threats, as this security is essential to our operation. 

We don't use the solution's Autonomous Digital Experience Management (ADEM) features, and it doesn't allow us to deliver better applications; instead, it makes our applications more secure.

The biggest lesson I've learned from using Prisma Access is how easy management becomes; we don't have to log into multiple devices, and everything is accessible from one GUI.

The product comes with a helpful guide, and I recommend reading that before using Prisma Access. It's pretty simple.

We use this solution for container security. We use it in an environment with 200 developers.

We use its latest version and the version prior to the latest one.

It helps with container security. Month by month, developer accounts in the company are increasing. Prisma Access supported and helped us very effectively in securing their workstations and working environment.

Prisma Access is good for securing access and privileges. Our developers have a security background, and they have knowledge of cybersecurity. It gives us assurance that they would not be able to do anything as an insider cyber attacker. They would not be able to use their environment to jump to other servers because such functions are prevented by this solution.

Prisma Access can protect all app traffic, but we classify the apps inside the company and choose the critical and the medium-risk level apps. This protection is important security-wise. On the IT side, it is important. It is also important on the business side, but they are only concerned about the price. We tried to connect with Palo Alto to get a discount on the first and second years to make the company get the maximum benefit and see the benefit of this solution. After that, they can remove the discounts, and it will be the decision of the company whether to continue with this solution or not.

Prisma Access secures not just web-based apps but non-web apps as well. However, about 70% of our applications are web-based applications. If they do not get the discounts, we will only use them for critical web-based applications. Based on my experience, Prisma Access is good not only for web-based but also for non-web applications. It is effective.

Prisma Access provides traffic analysis. We are also using Cortex XDR. It is Palo Alto's XDR solution that also supports us for traffic analysis. By using both of them in one environment, we have an end-to-end, more holistic, and zero-trust approach.

Prisma Access provides millions of security updates per day. We are also from the cybersecurity side, so we understand that it is a new product. It has only been around for two or three years. In every new product, such updates are welcomed, but we hope that in the next few years, there will be fewer such updates and more targeted updates.

Prisma Access enables us to deliver better applications on the security side but not the business and IT side. We are now more confident that our applications are secure.

Its front end is user-friendly. It is easy to use for us. We are familiar with other Palo Alto products. Its interface is similar to other products of Palo Alto, so it is familiar and easy to use for us.

My experience with Prisma Access has been perfect. It is good considering the fact that our networks are mainly based on Palo Alto products. We are using Palo Alto's next-generation firewalls and Cortex XDR, so it is good to have Prisma Access in the infrastructure to get a fast network environment.

Its integration with non-Palo Alto products can be improved. Currently, it is easy to integrate it with other Palo Alto products such as Cortex XDR. It integrates well with other Palo Alto products. A major part of our network is based on Palo Alto products, but for those companies that use multi-vendor products in their infrastructure, Palo Alto should optimize the integration of Prisma Access with the network devices from other vendors.

They should also increase their support team. There is scope to optimize their support.

We have been using this solution for about eight months.

Stability depends on the company that has developed a solution. As a vendor, we see Palo Alto as a stable company. Their stock value has increased year by year. Based on our communication with the headquarters of Palo Alto, we see that they are investing more and more in their cybersecurity solutions in terms of financials, features, and talent. Therefore, it is one of the stable solutions.

It is scalable for now. It has only been eight months since we have applied this solution in our environment.

On the client side, there are about 200 users. Overall, there are 500 users on the client side and our side. Most of them are developers and network security and IT security people. In our SOC center, they are monitoring this solution too.

It is being used on a daily basis. We have integrated this solution with the SIEM solution, and when an incident or a request comes, we focus on this. On a daily basis, we have some alerts and incidents coming.

Their technical support is good, but in some cases, when we asked them some questions, they took several days or hours to discuss that internally and come up with the answers from their side. However, it is acceptable because we know that it is a new product.

We did not have any solution for providing a secure environment on the developer's side. It is our first year, and it has been surprising and effective for us. 

The deployment of the key features of the product took about three months, but that was because of the delays from our side and the client's side. 

It was a standard deployment. We took sample applications and tested it on them as a PoC. We became familiar with the security function of the product, and we realized its benefits. We then applied it part by part to other web applications and non-web applications.

It is deployed on the cloud. We use Google and other clouds.

For the initial setup, we got support from the Palo Alto support team, so it was good. We are satisfied with them.

In our cyber team, we have around 40 experts. As a project team, they also engage. We use their support too.

For its deployment and maintenance, we have about 12 people who are actively engaged, but overall, there are 30 people engaged with this project.

In terms of pricing, considering that it is a two or three years old solution, they should apply big discounts for the next two or three years. This approach will be better for them to capture the market.

There are no additional costs. After purchasing and acquiring this solution, we also got support. 

We evaluated Cato Networks, Check Point, and Prisma Access. We went for Prisma Access because of its features and its integration with other cybersecurity solutions. Its integration is easy, and it takes less time to integrate it with other cybersecurity solutions. 

There are also open-source applications. They are also good, but they need more tuning and more time to get to the level of solutions like Prisma Access. A benefit of these open-source solutions is that you can tune them according to your environment. They are also free, so there is a cost-benefit.

It is one of the top solutions in the market. I hope that they will continue to tune and optimize their product based on the feedback that they get from the users. This way, it will keep its place among the top ten solutions in the global market.

Overall, I would rate Prisma Access an eight out of ten. It is good, but they should improve their support and its integration with non-Palo Alto solutions.

We are a partner of Palo Alto. We focus on healthcare customers, and we help them onboard and manage different Palo Alto solutions, including Prisma SaaS.

It gives you visibility and an understanding of what you have in your environment. A couple of years ago, all the information that you had in your SaaS environment was kind of a black box. You didn't have any information about what you or your employees had there. So, visibility is one use case, and another very important use case is the ability to review the way the files and information are shared. You can see if a confidential file is being shared. Having this information and awareness is important for the administrators of Office 365 and other environments so that they can make corrections.

With the use of the Data Loss Prevention (DLP) module, the scanning process scans all the files that you have in there and classifies them through the DLP engine. So, when you get your results, you would have files with the matching results, such as with credit card numbers or phone numbers. There are also data profiles or policies, such as PCI, PII, or GDPR compliance. Palo Alto is working on adding more profiles, such as HIPAA, based on different compliance standards in the industry.

It is a SaaS solution, and we are using its most recent version.

You get the control and visibility into what you have in your SaaS applications. It helps you to know what you have in your environment and then meet your compliance needs. You get to know whether all of them are on a single platform. You also get an understanding of what type of information you have and how it is disposed of. Based on the results that you get from the scanning process, you can accomplish goals, such as PCI compliance or GDPR compliance. Most of the customers are governed by their security information team and have an obligation to be compliant with different industry standards, such as PCI, PII, or GDPR. With this platform, you are a step ahead in knowing what you have in your environment and accomplishing the compliance goals.

You have the ability to create your own expressions for your data. Palo Alto understands that DLP is not the same for all consumers. You might have a particular need to fulfill, and they give you the opportunity to create a custom expression to match the specific format that you have. For a confidential file property that you have in your files, you can add a metadata field. It gives you that opportunity to create that.

Another thing that I really like is the Azure AD integration. You can integrate with Azure AD in order to apply what they call the groups in Azure AD. You can apply groups, and you can have different characteristics, but the most important thing for me is that you can select groups and put the groups into your policies because your DLP or the things that you want to catch may be different for different departments. Your requirements would be different for your HR department versus your development team. For the HR department, it would be more useful to have PII information because they are trying to work with new employees and information. So, it should be different. With Azure AD, you can make a differentiation between these two departments. I found that very useful.

They can add some new characteristics. For example, when an incident triggers, they can automatically send a template for a particular match that is related to the policy. We don't have that right now. It is something to improve. There could be more automation for certain actions. For example, for a particular group, it can send an administrator alert to their manager. It was one of the concerns of our customers. 

You have three types of rules in SaaS Security API. You have the asset policies. You have the user activity policies, and you have the security control rules. Asset policies are more general, and they are more focused on the general behavior of an asset, which is a file. The user activity rules control or alert about unusual user activity or compliance violations, such as when a user uploads a large number of files. It would be good if you can put User IDs for the asset rules. In the asset rules, you can use the Azure AD group, but you cannot use the User ID. That would be a good improvement. 

Palo Alto has a lot of different solutions, and it would be good if the DLP part can be integrated with other solutions as well.

I've been working with Prisma SaaS for two years.

In general, it is good, but everything could be a little bit better. For example, they are working on including more data to catch or trying to reduce the gaps between the matches. It is DLP, but it is not perfect. We're going to have a false positive. They are working on closing that gap and being more accurate, but in general, it gives you accurate and reliable information.

You can onboard certain applications, and if you add more and more files, it's going to continue scanning those files. If you take a business decision to purchase a new SaaS application for your team, such as Slack, you can onboard that new application. You don't have a particular limitation on that. So, if you want to grow and have more business applications, your only concern should be whether they are supported by SaaS Security API. That's because not all the applications work the same way or have the same characteristics, but it gives you an opportunity to grow.

We have had environments with 200 to 2,000 users. It depends on a customer's SaaS environment, and if they want to apply to all of it or a part of it. There was a requirement from a customer to be notified when there is a file share with certain domains, which were their competitor's domains. That way they would get to know when someone from inside the company is sharing information with the competitors. Another common requirement is to be notified or create an incident when I share a public file in my Office 365 account. 

It is gaining more popularity among different customers in the last year. Palo Alto is trying to focus and combine it with other types of solutions related to DLP in order to secure not only your SaaS environment but all of your perimeter. Palo Alto is going to be very focused on that, and its usage is going to increase. In the past, it was not something that a lot of customers required. Palo Alto is working on improving the platform and making it more attractive to meet customers' needs. The market is changing continuously, and Palo Alto is focused on having DLP in different environments.

I didn't use their support that much, but it is fine. Palo Alto has different teams that are focused on different types of solutions. They have a SaaS team for the SaaS API problems that can come. They are good, but sometimes, it would be good to have a quicker response from their side because you want to resolve an issue as fast as you can. They have a lot of companies, and it is kind of hard. You would find this problem with most of their partners, but they always come to you with a good disposition and try to solve it in the shortest time possible. So, overall, their support is good. I would rate them a four out of five.

Positive

I didn't use any similar solution previously. The company that I have been working for is very focused on Palo Alto solutions, and I didn't have the opportunity to work with other tools that are on the market.

In most cases, it is easy, but it depends on the application that the customers want to onboard. For example, if you want to onboard Office 365, Microsoft Teams, and Exchange, the onboarding is easy because you can use the same user account for these three solutions. The challenging part is that you need to create an account with the specific rights for communication and gathering the appropriate information. That's more complex. In some cases, the companies are not completely controlling their Office 365 environment. They have a leader company that gives you the rights, which can take a bit longer.

It could be challenging when you try to use the S3 bucket because you have to work with the IAM to get the exact privilege access to the bucket. That's a more complex part, but if you know what you are doing, it's not that hard.

For me, its implementation is very straightforward. I would rate it a four out of five in terms of ease. Its duration varies because it depends on the information that you have in your SaaS applications because it's going to communicate with your applications through API.  It depends on a lot of things, but in my experience, one week to one and a half weeks is generally enough time. It is not something set in stone. It can take less or more, but you obtain a lot of information once that is finished.

It is not necessary to have a consultant from Palo Alto. The activation part is straightforward. They send you a magic link to have access and configure it. It takes about 20 to 30 minutes to generate the tenant, if I am not wrong. After that, it's very straightforward. There is documentation about each application that you want to onboard.

Before implementing it, it is very important to have a conversation with the customer about the applications they want to onboard, and inside those applications, what type of information they want to catch. For example, a pharmaceutical company might not be as aware of all the compliances for HIPAA or PII. It is important to have that information in order to understand what they want to catch. You can have that covered with predefined ones. We might also have to create custom ones, but it is not that necessary to have someone from Palo Alto if you have a correct partner who knows about the platform.

After onboarding applications, we recommend testing the rules on specific owner files to verify that the results that you are obtaining are accurate and as expected. If they are good, you can go ahead and apply the rules for all. Because a rule is already tested, you don't have to modify it a lot later. If you have a new need, you can create a new rule. After that, the knowledge transfer with the customer is very important. It is not a complex application to manage for the customer, but they really need to understand what it's doing. This knowledge transfer is really important, and it is something that we care about a lot in the company.

After rebranding, its name now is SaaS Security API. My experience with the product is mostly good. Before going for this solution, it's very important to understand what the customer is looking for. In terms of visibility, it's very good because it's an opportunity to have a lot of visibility about the applications that you onboard. For example, you have all that information centralized, and you can apply policies for them. It is very good for that purpose, but it's communication through an API. So, it's not something like a firewall where you can block something instantaneously. It requires a different approach. You need to have an understanding and the objective to obtain visibility and gain more results.

You need to be very clear about what you are looking for and what type of information or compliance you want. Focus on not using it as an individual solution. It's a platform that generates more value when working together with other solutions. 

I would rate this solution an eight out of ten.

We use Prisma Access to build an allowlist that we put into Socks App, so we can gate access to what we want based on whether someone is allowed onto the VPN. Prisma is a SaaS product. We have the cloud-managed version that we use to access a mixture of on-prem, public cloud, and SaaS tools. 

We aren't using it extensively. There are only around six rules. I've had five hundred or a thousand rules in previous companies that used Palo Alto Networks. We have six, so we're not using the solution extensively. We're looking at various products for DNS filtering and security, so we will potentially get rid of Prisma Access in the future. It's a heavy-handed way of doing what we're trying to do.

Prisma helped us build a moat around our production systems. It's now impossible to log into our production from a non-MDM laptop. Prisma Access provides decent security overall.

Prisma Access protects all app traffic so users can access all our apps, which is crucial because we want this to be as transparent as possible. The ability to secure web-based and other apps is also critical. We use this as a gateway into production or specific systems. That might be over 443, HTTPS, DB, or any other protocol.

Prisma Access offers features in one cloud-delivered platform, which is pretty important. Anything we can do to reduce the complexity of this is good. It will get messed up at some point if there are too many moving parts.

The traffic analysis, threat prevention, and URL filtering features are pretty critical. Prisma Access is our frontline defense for our production environments. On top of that, it protects the engineering staff's endpoints, so it needs to provide essential URL scanning and WildFire AV detection.

I've had a ton of issues with Prisma Access. The UI is horrible and not intuitive. For example, error handling when applying configuration changes is atrocious. The UI itself is buggy and lags. The sales staff tried to be helpful, but they sold us the wrong license SKU, which broke our environment, and it took two months for them to fix it. Two months is an eternity for something as critical as this.

It applies commits to the firewalls slowly. There isn't an API you can use for anything. We've previously had trouble with the egress IP addresses though we expressed to engineering that those mustn't change. They changed several times without warning, causing a lot of headaches.

I have used Prisma Access for a year and a half. 

Prisma hasn't broken yet. There have been a lot of outages, but luckily only a handful have affected us.

Prisma is somewhat scalable. We want to use this as an allowlist for our external applications. However, other external tools don't allow you to add an arbitrary number of IPs. If we were going to put in the complete list of active and reserved IPs that we get from our seven points of presence, then that's roughly 41 IPs. That goes over the max of 40 that GKE and GCT use. We can't use it to gate Kubernetes pods because there are too many IPs.

We can't seem to remove them once they're added. I've opened several support cases, and we still have half. Half of this list is all reserved and unusable points of presence because they aren't assigned to anything. It is a bit cumbersome and not as agile or straightforward as I was led to believe.

I rate Palo Alto's support a four out of ten. When I put in a ticket for a problem, they will send me a link to documentation that is either for the wrong product or something that doesn't apply to me. I usually get on a Zoom call with an engineer, show them the problem, and wait a week or two before I get a solution.

Neutral

Setting up Prisma Access was relatively straightforward for our use case. We deployed some firewalls in our system and used the IP addresses we got from those to inform and allow this. So it was very straightforward to get it to work, but tweaking it over time has been cumbersome.

I was the only person from our company working on the deployment. I designed and implemented the architecture, then deployed the tool to the endpoints internally. I'm responsible for educating the users and troubleshooting problems they find. I do things like telling a guy, "No, there isn't a problem with the VPN. You shouldn't use the web version of Spotify because only crazy people do that."

We used CDW and Palo Alto professional services. It was fine. It wasn't the best engagement, but it wasn't the worst.

It's hard to say if we've seen an ROI. I imagine we have. We haven't been breached, so that's something.

There's no reason not to buy the enterprise version that gives you unlimited PoPs, but you must understand the limitations you impose on yourself if you do that. If you go crazy, that allowlist will be too big for Kubernetes clusters.

The API that pulls the egress IPs allocated to you should be updated by the minute or as often as possible. There's no forewarning of impending changes. That should be built into your CI/CD system so no one needs to update anything manually. It should just flow through. However, you need notifications because it's a slippery slope. If you're adding and changing IPs all the time, who knows what's what anymore.

I did demos of around 16 different products that do something similar, including Zscaler, Netskope, Fortinet, Twingate, and Tailscale. Palo Alto was the only solution that could give us dedicated egress IPs. 

I rate Prisma Access a four out of ten. There are many tools out there that can do the same actions. This is not the best tool to use if you're only looking for an allowlist for production.