Network lead at SDGC
Real User
Top 5
An easy to manage solution that needs to improve initial support
Pros and Cons
  • "The solution is not very complex and is easy to manage for people who may or may not have knowledge about Palo Alto Networks."
  • "The initial support team is not very good. Most of the time, I have found that they are one to three years experienced only. They don't have network expertise. They know about Palo Alto products but don't know how to troubleshoot the issues. We have to guide them most of the time to troubleshoot correctly since their approach is not developed."

What is most valuable?

The solution is not very complex and is easy to manage for people who may or may not have knowledge about Palo Alto Networks. 

What needs improvement?

The initial support team is not very good. Most of the time, I have found that they are one to three years experienced only. They don't have network expertise. They know about Palo Alto products but don't know how to troubleshoot the issues. We have to guide them most of the time to troubleshoot correctly since their approach is not developed. 

For how long have I used the solution?

I have been working with the solution for a few months. 

What do I think about the stability of the solution?

The solution is very stable. 

Buyer's Guide
Prisma Access by Palo Alto Networks
March 2024
Learn what your peers think about Prisma Access by Palo Alto Networks. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.

What do I think about the scalability of the solution?

We are a large team and work for multiple customers. 

How are customer service and support?

The senior engineers are very good and you need to escalate your issues to them. 

How was the initial setup?

The tool is very easy to set up. It will take some time since you need to plan all the things. You also need to think about the migration of the existing infrastructure. It is not like you can complete the installation in a week. We will collect information first on users and categorize them from a user perspective like the applications and services which will be connected to the product. We will make a plan once we understand the user requirements. It is a long process and we will ensure that everything is secure. A document will be created with the data flow. We will ensure 100 percent that everything is working fine. 

What other advice do I have?

Prisma Access is a good product and I would rate it a nine out of ten. 

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner
Flag as inappropriate
PeerSpot user
Global Network Tech Lead at a computer software company with 10,001+ employees
Real User
Makes us part of a bigger security ecosystem with updates taken care of for us, but pricing and support need work
Pros and Cons
  • "It protects all app traffic so that users can gain access to all apps. Unlike other solutions that only work from ports 80 and 443, which are predominantly for web traffic, Prisma Access covers all protocols and works on all traffic patterns... The most sophisticated attacks can arise from sources that are not behind 80/443."
  • "While Palo Alto has understood the essence of building capabilities around cloud technology and have come up with a CASB offering, that is a very new product. There are other companies that have better offerings for understanding cloud applications and have more graceful controls. That's something that Palo Alto needs to work on."

What is our primary use case?

We use Prisma Access, not only for our remote users, in a distributed workforce, but for our offices as well. Right now, because of COVID, there is a very limited footprint on the office side of it. But we would like to cover our offices so that when people are working in them and trying to access resources, whether those resources are hosted on public cloud, private cloud, in data centers, or on-prem, Prisma Access is involved.

Prisma Access is completely hosted on Google Cloud Platform. Palo Alto Panorama, which is the centralized management tool, is also hosted on a public cloud environment. So the entire solution lies in the cloud.

How has it helped my organization?

The fact that Prisma Access provides millions of security updates per day is really important because it takes care of the equivalent of preparing patches and pushing them to your environment, without the headaches of managing and maintaining those processes for your infrastructure. If you get security intelligence from different verticals and different alliances, or through some sort of open API integration where vulnerabilities arise at different times, it's going to be difficult to keep up. Subscribing to this service and having it take care of that is really phenomenal.

And the best part is that you know that you are part of a bigger ecosystem where this learning about security issues is happening, and things are made available to you on a scheduled basis every day. It automatically strengthens your security posture. We are quite happy with this feature and feel very confident that the Palo Alto security stack takes care of all of these things automatically. That is one of the salient features and was one of our evaluation parameters for choosing a solution.

Another benefit is that before, if we had to set up a restricted environment for a given project, the lead time was about a day to get everything functioning correctly and to get the go-ahead from the security team. Now, setting up these environments can literally happen in less than five minutes. It is already segmented. All you need to do is ensure the people who are part of the project are included in a single access-control list, which these days is based on GCP Identity-Aware. Based on that, it provides the right privileges required to access certain things. That is the building block of any SasS solution with zero cross-network access. And it is very easy now.

What is most valuable?

The Prisma Access remote side is pretty good with respect to the footprint that it covers. Because it is built on the Google platform, using the Google Premium Tier network, it is almost everywhere geographically. From wherever we initiate a connection, it connects with the nearest point of presence, which minimizes the latency. And we can access applications wherever they are hosted.

It protects all app traffic so that users can gain access to all apps. Unlike other solutions that only work from ports 80 and 443, which are predominantly for web traffic, Prisma Access covers all protocols and works on all traffic patterns. It is not only confined to web traffic. This is important because security is something that should always be baked in, rather than being an afterthought. The most sophisticated attacks can arise from sources that are not behind 80/443. They could come through bit-torrent traffic, which uses a non-standard port, altogether. We want to cover off those possibilities. We were very sure, from the start of our deployment when conducting PoCs, that the solution we picked should have coverage for all ports and protocols.

The fact that it secures not just web-based apps, but non-web apps as well, is important because the threat landscape is quite big. It not only includes public-facing applications that are accessible via web protocols, but it also includes many attacks that are being generated through non-standard protocols, like DNS tunneling and newly-registered domain control names. There are also a lot of critical applications being accessed on a point-to-point basis, and they might be vulnerable if those ports and protocols are not being inspected. You need to have the right security controls so that your data remains protected all the time.

In terms of the solution's ease-of-use, once you understand the way the various components stitch together, and once the effort of the initial configuration, setup, and rollout are done and you have set up the policies correctly, you're just monitoring certain things and you do not have to touch a lot of components. That makes it easy to manage a distributed workforce like ours in which there are 10,000-plus users. With all those users, we only have a handful of people, five to seven individuals, who are able to gracefully manage it, because the platform is easy to use. It does take considerable effort to get up to speed in configuring things during the initial deployment, but thereafter it is just a case of monitoring and it's very easy to manage.

In addition, whether traffic is destined for a public cloud environment, or for a private data center, or you are accessing east-west traffic, you can apply the same security policies and posture, and maintain the same sort of segmentation. Prisma Cloud offers threat prevention, URL filtering, and DNS protection, and east-west traffic segmentation. These features are the foundation of any security stack. There are two primary purposes for this kind of solution, in the big picture. One of them is handling the performance piece, providing ease of access for end-users, and the second is that it should handle security. All of these components are foundational to the security piece, not only to protect against insider threats but to protect things from the outside as well.

Prisma Access offers security on all ports and protocols. It covers the stack pretty well, leaving no stones unturned. The same unified protection is applied, irrespective of where you access things from or what you access. That also makes it a very compelling solution.

What needs improvement?

There are definitely a number of things that could be improved. 

One of them is geographic coverage. China is still an issue because the solution does not operate there properly due to government regulations. I believe Palo Alto is trying pretty hard to get into partnerships with Alibaba and other cloud providers, but they do not have the same compelling offering in China that they have in the rest of the world. Businesses that are operating within China have to be very sure to evaluate the solution before making a buying decision. It is not an issue with Palo Alto, rather it is predominantly the result of government rules, but it's something that Palo Alto needs to work on.

There is also room for improvement when it comes to latency in a couple of regions, including India and South America. They might have to increase their presence in those locations and come up with more modern cloud architectures.

The third area is that, while Palo Alto has understood the essence of building capabilities around cloud technology and have come up with a CASB offering, that is a very new product. There are other companies that have better offerings for understanding cloud applications and have more graceful controls. That's something that Palo Alto needs to work on.

For how long have I used the solution?

I've been using Prisma Access by Palo Alto for two to three years. We started deploying Palo Alto gear back in 2015 and, along the way we have looked into multiple tools from them and invested them.

What do I think about the stability of the solution?

On a scale of one to 10, I would give the stability a seven. There are a couple of reasons for that score. One is that when we make certain changes to configs, it takes about 14 to 15 minutes to populate. And there have been scenarios where it has taken about 45 minutes for the config changes to happen. When you sell a product by saying that it's cloud-native and that users can make all configuration changes on-the-fly, when those changes are made they should happen within a minute. They should not take that much time.

It might be that Palo Alto is still using a certain type of infrastructure in the backend that is causing these delays. If they pile on the cloud technologies, and work towards a more microservices-based architecture, I'm hopeful that they can bring this delay down to less than a minute.

What do I think about the scalability of the solution?

Going from one user to 10,000 or 15,000 users, we haven't faced a lot of problems. However, for companies that are considering investing in this solution, if they have more than 50,000 end-users, a config change could take 10 to 15 minutes. In an environment where 50,000 people are expecting certain things to work, those things might not work for them. Such companies have to look at the solution very thoroughly in terms of the cloud piece, the integration piece. But from one to 15,000 or 20,000 end-users, it is flawless. We don't tend to see a lot of issues. But beyond, say, 25,000, I would suggest doing a deeper analysis before purchasing the product, because there are some glitches.

How are customer service and support?

Initially, Palo Alto technical support was okay around sales discussions and getting up to speed on doing a PoC. But one once we deployed and then raised queries, those lead times increased quite a bit. Unless you take their premium support, where there is an SLA associated with every issue that you raise, it becomes very difficult to get hold of engineers to work on a Prisma Access case. If you just take some sort of partner support, you cannot expect the same level of support on your day-to-day issues that you would get with premium support.

Fundamentally, when a company sells a product, whether you are taking the premium support or some other level of support, the support metrics should be more or less the same, because you are trying to address problems that people are facing. Their response should be more prompt. And if they can't join a call, they should at least be prompt in replying via email or chat or some other medium, so that the customer feels more comfortable about the product and the support. If it takes time to resolve certain problems, post business hours, it can be very difficult for people to justify why they have deployed this product.

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

COVID was a surprise for us, just like for everyone else in the world. We had a solution from Palo Alto, but it was not a scalable one. We configured things in a more manual way because our requirements were not that high in terms of remote use cases. Post-COVID, the situation has completely changed for us and we have to think about a hybrid situation where we can still gracefully allow access to end-users in a more secure fashion. That led us to evaluate this solution from Palo Alto.

How was the initial setup?

The initial setup is not so straightforward. There is a learning curve involved because you need to understand which component fits where, with all of these modern, edge infrastructure secure-access services. You need to do capacity planning well, as well as a budgetary plan. You need to know the right elements for your business. Once you set that up, it is very simple to manage.

It took us about two to three months to deploy because we have a lot of geographical constraints. Different regions have different requirements. Accounting for all of those needs is why it took us that amount of time to set everything up.

What was our ROI?

We have to do an apples-to-apples comparison. If you had a very small set of people who had to create a dedicated setup like Prisma Access, and manage the infrastructure piece and the upgrading piece and the security piece, it would be a nightmare. Prisma Access offers that ease and flexibility so that even a handful of people, with the right knowledge, are still able to manage the configuration piece of it, because the infrastructure and other things are handled by Prisma Access. If you had to build that whole thing versus buying it, obviously Prisma offers a good ROI.

It all depends on your requirements. If your requirements enable you to do those things on a much smaller scale, then you need to be very cautious about which components of Prisma you actually pick for your use case. If you get all the components, you might not be getting the right ROI.

For our use case, we feel we are getting a return on investment, but it could be better.

What's my experience with pricing, setup cost, and licensing?

The most pricey solution is Zscaler, followed by Prisma Access, and then Netskope.

The initial prices of Prisma Access were okay. But as soon as you start deploying Palo Alto gear, the support prices and the recurring prices, which are the major operational costs, tend to increase over time. For example, if you go ahead with a one-year subscription, just for testing purposes to see how the whole solution works, and you plan to renew for the next two or three years, you tend to see that the solution gets really costly.

We understand that when you purchase a hardware component, the cost goes up because you have a physical asset that depreciates over time. But when you are getting a subscription-based service, the cost should tend to be reduced over time. With Prisma Access, the cost is increasing and that is something beyond any kind of logic. This is something that Palo Alto needs to work on if they want to be competitive in the market.

Which other solutions did I evaluate?

We evaluated other options like Zscaler and Netskope. Prisma Access has more coverage for ports and protocols. It doesn't only inspect web protocols but all ports and protocols, and that's an advantage. Other solutions are still relying on web protocols.

The positive side of these other solutions, because they came along a little later, is that they have understood the demerits of a solution like Prisma Access. They are using more cloud-native components and microservices architectures. That makes these solutions faster. As I said, some config changes in Prisma Access take 14 to 15 minutes, but these other solutions literally take a minute to make the same config changes happen.

It's a constant race.

What other advice do I have?

Put your business requirements up against the solution to see how it pans out. Look at the stability of the product, and at how much time it takes to make configurations and apply them in practice. And if you have a distributed workforce, like us, try to run this solution in southern countries where there is a latency issue or known issues with ISPs. You may not get the same set results that you tend to get in northern countries around the world.

We don't have a subscription to Prisma Access' Autonomous Digital Experience Management features, but we have done some testing of it. It's pretty good because it can help ease the work of an office helpdesk person who constantly gets tickets but has no visibility for monitoring things. With everybody conducting their work from home, it gets very difficult to know the setup of the internal environment and how people are accessing things and where the bottlenecks are. The ADEM tools are going to help immensely in that regard, because without having knowledge of the underlying infrastructure at every individual's home location, you can still identify whether a problem is specific to their home office or to the application the user is accessing or to the network that is causing the problem. That information is absolutely at your fingertips. Analyzing those types of things becomes really easy. 

ADEM will also help with the efficacy of troubleshooting and providing support to end-users. If there are certain applications that are critical to an organization, you could easily define a metric to see, out of all the people who are accessing those applications every day, how many of them are facing a problem. And if they're facing a problem, what the parameters of the problem are. Avoiding the problem could turn out to be something that people need to be educated about, or maybe there is something we can proactively tell users so that they can take precautionary measures to get a better experience. It is certainly going to help in enhancing the end-user experience.

Palo Alto's building blocks clearly illustrate an app-based model. It analyzes things based on an application so that we know what the controls are within an application. For example, if you want to block Facebook's chat but continue to allow basic Facebook to be browsed, that kind of understanding of the application would allow you to do so. That is way more graceful than completely blocking the end-user. It's not something that is specific to Palo Alto Prisma Access but it is a core component of Palo Alto.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Buyer's Guide
Prisma Access by Palo Alto Networks
March 2024
Learn what your peers think about Prisma Access by Palo Alto Networks. Get advice and tips from experienced pros sharing their opinions. Updated: March 2024.
765,234 professionals have used our research since 2012.
Senior Security Engineer at a manufacturing company with 501-1,000 employees
Real User
Top 20
We know instantly if somebody configures something in a way that's vulnerable
Pros and Cons
  • "Prisma's most valuable feature would be its ability to identify bad or risky configurations."
  • "Prisma would be a stronger solution if it could aggregate resources by project or by application. So say we have an application we've developed in AWS and five applications we've developed in Azure. The platform will group it according to those applications, but it's based on the tags we use in Azure, which means I have to rely on development teams to tag resources properly."

What is our primary use case?

We use it to monitor our cloud environments to get a real-time inventory of what's being stood up, what's being torn down, vulnerability management, risk management, and all of our cloud resources across all AWS, Azure, and GCP.

How has it helped my organization?

If somebody configures something in a way that's vulnerable, we know instantly. We'll get an alert and address it so that it's remediated and not left open. For example, if somebody stands up a new storage container and inadvertently makes it publicly accessible, that's something we'd want to know right away to prevent a breach. We could automate it to prevent it from being stood up with public access. 

We can prevent specifically forbidden configurations automatically by using this tool to never allow a resource storage container to be stood up and made publicly accessible. Automation is key there, and I'd say that would be an example of how Palo Alto has improved my organization.

Prisma SaaS helps us keep pace with SaaS growth in our organization. Everything's going to the cloud, and containers are being used more and more. As security professionals, we don't live in the development world, so we need to know what's going on in that realm, and the platform will help us identify those things and make sure that they're stood up securely. 

If there's something new, a new vulnerability, or a new standard, we'll be alerted about it. That's important because we don't speak developer language, and we, as security folks, consume the data. We must understand what's being stood up and how, and the platform will help us identify that and explain why it's vulnerable and needs to be fixed.

What is most valuable?

Prisma's most valuable feature would be its ability to identify bad or risky configurations. People stand up stuff in the cloud all the time, and as security professionals, we're not always aware of it. Prisma is critical for flagging real-time inventory and configuration risks, general vulnerabilities, and also issues in Kubernetes. Prisma is very effective for securing new SaaS applications. The code used to configure new SaaS applications is critical for identifying what we want as our security standards and confirming that they're being practiced.

What needs improvement?

Prisma would be a stronger solution if it could aggregate resources by project or by application. So say we have an application we've developed in AWS and five applications we've developed in Azure. The platform will group it according to those applications, but it's based on the tags we use in Azure, which means I have to rely on development teams to tag resources properly. If they don't do that, it doesn't group them properly in the platform. 

It would be nice if we could group the application according to the platform itself instead of relying on the development team to tag correctly in the cloud environment. My development team for one project might be different from the development team in another project. If I see a resource that needs to be fixed or changed, I need to know what project that resource is associated with. Ideally, I don't want to have to go into Azure and try to figure that out. So if I could tag it using the platform itself rather than relying on the tags that the development team uses in Azure, that would be extremely helpful. I wouldn't say Prisma is particularly useful for protecting data. It's hard to say. We're not looking at the data of the resources, so to speak, using Prisma. It's more like the resources that hold the data.

For how long have I used the solution?

I've been working with Prisma SaaS for about five years.

What do I think about the stability of the solution?

I'd say Prisma is extremely stable. We haven't had any issues there.

What do I think about the scalability of the solution?

Prisma is highly scalable. It's a cloud solution, so it automatically updates when new resources come out. We don't have to do anything. It just sees it and adjusts accordingly. I recently started a new role at a company, and we're planning on implementing it and using it more. Where I came from, we used it extensively and relied on it to monitor and manage our cloud environment.

How are customer service and support?

I rate Palo Alto tech support seven out of 10. The technical support used to be a lot better when they were a smaller company. Back when they were called Evident.io and then RedLock, they were more personable and provided good one-on-one technical support. Their support structure changed about a year and a half ago. Now, they're more like group support, and I don't think it's as thorough, but it's still okay. 

How would you rate customer service and support?

Neutral

How was the initial setup?

I would say the cloud SaaS part was extremely straightforward to set up. We had no problems there. Then there is the container compute area called Compute in Prisma. It's almost like a product within a product. You have to deploy the container section on an agent to your container host. That's a little more complicated because we have to rely on development teams to deploy the agent, but tying the platform to your cloud subscriptions was straightforward and took only 30 minutes to an hour. 

It is a little more involved to set up the Kubernetes containers and deploy the agent. That could take up to a day because you have to collaborate with other teams to get that deployed and make sure it's pulling the right data. Then again, it depends on how receptive your development team is to deploying the agents. That part usually takes around three hours. It takes one or two security engineers to deploy and maintain. 

What about the implementation team?

We did it in-house with some help from Palo Alto that we purchased through a support license.

What was our ROI?

I don't have specific metrics, but I will say that it helps us know what we don't know, and that's ideal from a security perspective—seeing things that we didn't realize were an issue. The return on that investment is significant because you can't secure what you don't know is there. Prisma accomplishes that pretty easily without having to be on the platform constantly responding to alerts.

Prisma integrates pretty nicely even if you aren't using other Palo Alto products. It's very effective for a CSP solution, and the time to value is almost instant. As soon as you stand it up, it shows value by telling you all the vulnerabilities or risks in that environment. I feel like Prisma is one of those things that is essential. If you have resources in the cloud, you're going to need something to monitor it, and it's not ridiculously priced. I'm not too involved in the budget, so it's one of those things that's a necessary evil. I feel like it's a reasonably priced necessary evil.

What's my experience with pricing, setup cost, and licensing?

Prisma is in the middle of the road. It's not the most expensive, but it's not the cheapest. There aren't any additional costs, to my knowledge. I know they have some extra modules, but we didn't use them. 

I'd say the price fits the solution. Prisma is capable of many other things, but Palo Alto doesn't charge you extra for those things, unlike other companies. You can use them or not. Because your environment grows, you may not use it now, you may not need it now, but you may in the future. Those capabilities are there without an additional cost for a different module where other companies will break it out, where you have to pay for those things.

Which other solutions did I evaluate?

We evaluated a few, including Sysdig, Threat Stack, and Lacework. The deciding factor was the ease of use. It's critical to understand what you're looking at and for the platform to provide value with reports. The data presentation in Prisma was more straightforward.

What other advice do I have?

I rate Prisma SaaS nine out of 10. Ideally, you want a platform that will save you time by giving you the information quickly so you can understand it and act on it. Many platforms have loads of colorful graphs or bells and whistles, but they don't help you get to the bottom of what you're looking at. I feel that Prisma does that. You can get so much information directly from the platform without the need to reach out to other teams or go into the cloud to understand what you're seeing.

Which deployment model are you using for this solution?

Public Cloud
Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Manager Network Design at a computer software company with 51-200 employees
Real User
Top 5Leaderboard
Along with a straightforward setup phase, the tool also offers exceptionally high stability
Pros and Cons
  • "The most valuable features of the solution stem from the fact that it offers stability and scalability while being a very secure product."
  • "The product's current price is an area of shortcoming where improvements are required."

What is our primary use case?

I use Prisma Access by Palo Alto Networks in our company for remote access, especially to help new users connect to corporate resources from over a distance, in other countries, or while they are not in the office.

How has it helped my organization?

I have seen some benefits from using the solution in our company since it offers mobility. My company has users around the world who connect to the resources remotely without any issues because of Prisma Access by Palo Alto Networks.

What is most valuable?

The most valuable features of the solution stem from the fact that it offers stability and scalability while being a very secure product.

What needs improvement?

Certain complications are related to the VPN part of the product, which can lead to a very deep and technical discussion. From an improvement perspective, I want the product to be integrated with SASE products.

Palo Alto Networks GlobalProtect or VPN in general with a cloud-based service would be a great improvement.

The product should be made more capable of offering more integration with the recent technologies introduced in the market. The product's integration capabilities with the already existing products in the market are good.

The product's current price is an area of shortcoming where improvements are required.

For how long have I used the solution?

I have been using Prisma Access by Palo Alto Networks for four years. As it is a security product, our company keeps it updated to the latest version.

What do I think about the stability of the solution?

It is a 100 percent stable solution. Stability-wise, I rate the solution a ten out of ten.

What do I think about the scalability of the solution?

It is a very scalable solution.

Around 800 people in my organization use Prisma Access by Palo Alto Networks. The solution can be scaled up to fit around 3,000 users at a time.

Prisma Access by Palo Alto Networks is used extensively twenty-four hours a day and seven days a week in my organization since we operate in different time zones.

How are customer service and support?

The support offered by Palo Alto Networks is amazing. Whenever my company opens a ticket with the support team of Palo Alto Networks, we get amazing support. The support team of Palo Alto Networks is fast, customer-friendly, and knowledgeable.

Which solution did I use previously and why did I switch?

I have experience with Cisco and Fortinet. I have experience with Cisco AnyConnect Secure Mobility Client. The last time we used Cisco AnyConnect Secure Mobility Client in our company was three years ago, after which it was phased out from the set of standard solutions we use. Based on my experience with Fortinet and FortiClient, I can say that the support is not at the same level as the one offered by Palo Alto Networks. Fortinet's technical support team is not as strong as the technical team of Palo Alto Networks. Only the prices of Fortinet and FortiClient were good compared to Palo Alto Networks.

How was the initial setup?

The product's initial setup phase was very straightforward.

The deployment process involves identifying the user profiling and figuring out what exactly its users need, meaning there are some prerequisites involved in the deployment's preparation phase, and it is the most important process critical for the product's success.

The solution is deployed on an on-premises model.

The solution can be deployed in two days.

What about the implementation team?

The deployment can be carried out with the help of our company's in-house team.

What's my experience with pricing, setup cost, and licensing?

Prisma Access by Palo Alto Networks is an expensive solution, especially when compared to other solutions like Cisco. There are no additional charges apart from the standard licensing costs attached to the solution.

What other advice do I have?

Those who plan to use the solution should ensure very good user profiling is carried out, after which they should link the product with the corporate security policy. Prisma Access by Palo Alto Networks is a very flexible solution, and you need to know exactly what you want out of the solution, which should align with the policies in your company as it is an area that differs from one corporate entity to another.

Considering the cost of the solution, I rate the overall tool a nine out of ten.

Which deployment model are you using for this solution?

On-premises
Disclosure: I am a real user, and this review is based on my own experience and opinions.
Flag as inappropriate
PeerSpot user
General manager at a tech services company with 201-500 employees
Real User
The solution improved the consistency of our security controls, but the pricing model is inflexible
Pros and Cons
  • "The solution improved the consistency of our security controls and the BCP. There has been a 20 percent reduction in TCO. Prisma Access also enabled us to deliver better applications by centralizing security management."
  • "The licensing model isn't flexible enough. It's an all-or-nothing model. Other providers in the market allow you to buy modules or add-ons separately. With Prisma Access, you have to purchase the same module for all users."

What is our primary use case?

We use Prisma Access to enhance security control on endpoints in a hybrid workplace. Everyone in my company uses Prisma. It's about 500 users.

How has it helped my organization?

Prisma covers web-based and non-web apps, reducing data breach risks. In addition to protecting web traffic, it can replace the VPN. Instead of using a separate VPN, we can route all the traffic to our office through Prisma Access. 

The solution improved the consistency of our security controls and the BCP. There has been a 20 percent reduction in TCO. Prisma Access also enabled us to deliver better applications by centralizing security management. Because it is a SaaS solution, the system admins don't need to worry about technical implementation, updates, or anything happening on the backend. 

What is most valuable?

The most valuable features are the Secure Web Gateway and firewall as a service. Prisma Access protects all internet traffic. It isn't limited to apps. Currently, it covers more than 90 percent of our web traffic.

Autonomous digital experience management is another essential feature that provides a level of end-to-end visibility that most other solutions cannot offer. ADEM's real and synthetic traffic analysis is highly useful.

The benefit ADEM provides to the end-user is pretty indirect. It gives a system admin some evidence to show the user that the problem may not be on the user's side rather than a system issue.

Prisma Access features like traffic analysis, threat protection, URL filtering, and segmentation are critical because our use case is a hybrid workplace. Users are working worldwide, so we expect security to be consistent anywhere, not just in the office.

It updates weekly. Because it's a SaaS solution, they don't tell you what is updated on their side, but if an update is on the user side, then they update it once weekly or biweekly.

What needs improvement?

If I had to rate Prisma Access for ease of use, I'd give it two out of ten. It's easy for the users, but it's difficult for admins to configure. 

For how long have I used the solution?

I have been using Prisma Access for less than a year.

What do I think about the stability of the solution?

Prisma Access is stable. 

What do I think about the scalability of the solution?

Prisma Access is scalable. 

How are customer service and support?

I rate Palo Alto support seven out of ten. They sometimes take a long time to resolve complicated issues. 

How would you rate customer service and support?

Neutral

Which solution did I use previously and why did I switch?

We tried Zscaler, but we switched to Prisma because of the price, and Palo Alto was better suited to our business requirements. Palo Alto is one of the best choices for regional deployment, but Zscaler is better for a global use case.

How was the initial setup?

Setting up Prisma Access is complex. You cannot deploy it without help from Palo Alto or a Palo Alto partner. They are the only ones who can do the configuration. It took us about four months to get the solution up and running. We need about two IT staff to provide user support for Prisma, but Palo Alto handles all the updates. 

What's my experience with pricing, setup cost, and licensing?

The licensing model isn't flexible enough. It's an all-or-nothing model. Other providers in the market allow you to buy modules or add-ons separately. With Prisma Access, you have to purchase the same module for all users.

Which other solutions did I evaluate?

In addition to Zscaler, we looked at Netskope and Cato Networks.

What other advice do I have?

I rate Palo Alto Prisma Access a seven out of ten. It's not suitable for organizations whose users are primarily in mainland China. Prisma Access is excellent if you use most Palo Alto products, but Prisma Access might not be the best solution if you only use one of their products. 

It's crucial to define your business requirements well from the start because a Palo Alto solution can't quickly adapt to the changes that you need. If Palo Alto satisfies your initial conditions, it may be the cheapest solution at the time. However, if you need to make a change in the middle, the price can go up drastically. 

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Team lead at a tech services company with 10,001+ employees
Real User
Top 20
Supports both data and voice, unlike other solutions, and enables us to do URL filtering
Pros and Cons
  • "The visibility perspective is pretty cool. If I want to know how much data is being used for a specific project, I can look at how much data has been used, from which region, and which users have been connected. That visibility is very good so that I can see how many licenses we have and how many are used."
  • "There should be a dedicated portal or SASE-based solution. They're trying to add a plugin but it needs a dedicated portal because it is now an enterprise solution for multiple organizations. People should be able to directly log in to a dedicated page for Prisma Access, rather than going into a Panorama plugin, and always having to update the plugin."

What is our primary use case?

Our use case started with the pandemic. Before the pandemic, our users worked in our office, but when the pandemic started our users were at home. They wanted to have the same kind of access that they had on-premises. We deployed a network and mobile services for them so that they could have the same experience sitting at home and access all the infra in the office. We use mobile access to connect to Prisma Access, and from Prisma Access we built a site-to-site VPN to connect to the office network so that they would have the same kind of access.

How has it helped my organization?

It is very helpful because it is protecting the applications that are behind it. It has so many components that we can use to secure our applications.

What is most valuable?

Prisma Access has all the features from Palo Alto. But the visibility perspective is pretty cool. If I want to know how much data is being used for a specific project, I can look at how much data has been used, from which region, and which users have been connected. That visibility is very good so that I can see how many licenses we have and how many are used. It gives a great view of what is happening, of everyone who is connected. That is one of the things I like.

It provides traffic analysis, threat prevention, and URL filtering, although I'm not sure if it provides segmentation. These features are very important. We wanted to filter traffic according to our standards. The URL filtering helps to filter the traffic so that we only send the traffic we want to on-premises or the internet. Without this, it would be very tough.

Also, it protects all your app traffic. It's like a next-generation firewall. It does everything.

For a non-technical guy, the reporting of Prisma Access is very easy. You need to know the navigation tabs, but it only has so many of them and you can do many things in the tabs. It is pretty easy because there aren't that many pages or options.

And the updates, like URL updates, IPS, IDS, and any WildFire subscription updates are very helpful for protecting our infra.

What needs improvement?

There should be a dedicated portal or SASE-based solution. They're trying to add a plugin but it needs a dedicated portal because it is now an enterprise solution for multiple organizations. People should be able to directly log in to a dedicated page for Prisma Access, rather than going into a Panorama plugin, and always having to update the plugin. An administrator should be able to look at it from a configuration perspective and not the management and maintenance perspectives.

For how long have I used the solution?

We started using Prisma Access by Palo Alto Networks with the pandemic in 2019, so I have been using it for over three years.

What do I think about the stability of the solution?

Initially, they were coming up with a new plugin every one or two months, and you would have to download it. But now, I don't see that. Their team continues to work on it, but as a customer, I see it as stable. 

They're using the resources of GCP so if GCP in a specific region has some issues, it will impact Prisma Access. They have to look at some kind of backup.

What do I think about the scalability of the solution?

I don't see it as a scalable solution because it is running on top of VMs. They say it is scalable, but we didn't see it working that way for one or two incidents that we had. But later, they had more firewalls in the cloud and kept them on standby. Since then, I haven't seen that issue.

I have implemented the solution for 100,000-plus users, and most of them are connecting from home. It reduces the load on our on-premises firewall, handling posturing and VPN. It is a dedicated project, meaning everyone, all of our employees, uses the same solution to connect to the infra.

How are customer service and support?

When I started working with their support, the product was new for them as well so they were not all that familiar with it. They need to improve the technical support staff.

How would you rate customer service and support?

Positive

Which solution did I use previously and why did I switch?

We were using Cisco AnyConnect but we replaced it, in part, with Zscaler and mostly with Prisma Access.

How was the initial setup?

Prisma Access works on Panorama which we have on a virtual machine on GCP. As with anything, if you don't know it, it is complicated, but once you understand it, it is very easy. If I look at it as a combination of before and after, the setup is of average difficulty. You can learn things very fast. It's not that difficult or complicated, but you should know the purpose of each part. Then it is easy.

When I did my initial deployment of Prisma Access in 2019, it took around five days. But by the time I had done two or three deployments, it was taking me 20 minutes to deploy.

The implementation strategy is totally dependent on the requirements. Some customers say they want the same feeling at home that they have in the office. Some customers say they want Prisma Access to reduce the burden on the existing on-premises firewall. The posture checks have to be done on Prisma Access and, once done, the traffic is forwarded.

Once you understand the product, two to three guys should be able to handle it for configuration, and then they can move on. But for operations, you need a team.

Which other solutions did I evaluate?

We evaluated Zscaler Private Access and multiple other cloud solutions.

Compared to Zscaler and other services, the advantage of Prisma Access is that it supports both data and voice. The other vendors don't support voice. With Prisma Access, we don't need to look for any other services or solutions. It supports your data and voice services as well and that is one of our most important requirements.

What other advice do I have?

At the end of the day, Prisma Access is nothing but a firewall that is hosted in the cloud. It depends on your capacity, the users that are connecting, and the VM you are running in the backend. It has all the capabilities and subscriptions that we were using on-premises. I don't see any challenges in terms of security. It is secure. They haven't compromised on anything with Prisma Access. It tries to protect us as much as possible.

It's crucial for us and is helping us a lot if you look at it from a business perspective.

We can do a lot with it and use it for eight to nine use cases. It supports your data and voice and, as I noted, I haven't seen any other product support both. Prisma Access is the best product. It depends on what you're looking for. But if you have a lot of requirements, you should go with Prisma Access.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Senior Network Consultant at a tech services company with 10,001+ employees
MSP
Top 20
Enables us to meet performance and security requirements for Office 365 traffic
Pros and Cons
  • "Being able to use the user ID or Active Directory Group is one of the great features for control and providing more flexibility without worrying about IP addresses."
  • "When we deploy firewall rules via Panorama, we find it's a little bit slow. We have a global environment and might have 100 gateways or VPNs in the cloud. When we deploy something, it tries to deploy it one-by-one, and that can be slow."

What is our primary use case?

We're migrating customers from existing Cisco AnyConnect VPN to Prisma Access GlobalProtect VPN.

How has it helped my organization?

GlobalProtect VPN is a brand new concept compared to Cisco AnyConnect VPN. The huge difference is that if a user is working from home and needs access to Office 365, the way traffic is usually sent will potentially increase the delay. Some companies open split tunneling for users and they are able to send a request to Office 365 directly, but there is a loss of control from the network and security perspectives.

Since we started using GlobalProtect VPN, all the traffic is monitored, even for a user who needs access to Office 365. The traffic from the user's PC will connect to the closed and available VPN boxes, depending on the location. The traffic from that box will head to Office 365, meaning it will meet the performance and as well as security requirements. So that's one, the huge difference.

The other difference, in my experience with Cisco VPN, is that we normally control traffic based on source address, destination address, and destination port. But with Prisma Access, and using a lot of features from Palo Alto firewalls, we control the source, in particular, with the user ID or an Active Directory Group, instead of an IP address. The benefit for the user of using the user ID or Active Directory Group is in the following scenario. Suppose a user is usually in the United States but goes on a business trip to the UK. With a regular VPN, the user in the U.S. has a subnet. But when they travel to the UK, the IP just will be changed and there will be a totally different subnet. The access they had in the States may be lost when connecting from the UK. But using the user ID or Active Directory Group, the ID is always there no matter whether they are in the States, the UK, or anywhere else. That makes it more flexible for a user who is working remotely, traveling, or roaming.

In addition, performance-wise, a lot of applications have improved because the cloud-based VPN, based on the geographical location, provides a more optimized path and potentially reduces the latency. That provides better performance, but it depends on the applications.

What is most valuable?

Being able to use the user ID or Active Directory Group is one of the great features for control and providing more flexibility without worrying about IP addresses. 

Prisma Access has a lot of other features. Instead of VPN, its gateway is able to decrypt traffic and, potentially, inspect it. This feature is more likely to be used by companies using Websense or a proxy server. Prisma Access or Prisma VPN has merged VPN, firewall, and some of the Websense-type and proxy functions. This means that four or five components have become one now.

The solution also protects all app traffic, meaning that users can access all apps. All traffic is sent through the Prisma devices. Even a user who reaches Office 365 with a load closed location is still controlled by the VPN boxes, and from the security and network perspectives, we can still see all of the traffic, meaning everything is under control.

In addition, there is something called Pre-logon with Prisma VPN, which means before you log in to the PC with the user ID, domain, and password, the PC automatically connects to the Prisma VPN. That means you already have some basic access, like to Office 365. In case the VPN box is having issues, the user still has access to Outlook, Teams, Word documents, et cetera. The Pre-logon features make things really convenient.

Another nice feature for users is that Prisma VPN saves the user session for seven days instead of, with Cisco VPN, only one day. As a result, the user doesn't need to connect to the VPN every day. After a week, once it expires, they will need to log in with the username and password, but it still keeps the security intact.

There is also the ability to do a HIP (Host Information Profile) check. We can check things like whether a device's operating systems are properly patched, that the antivirus software meets security requirements, and that the hard drive is encrypted. The latter is important because if the laptop is lost, the data can be stolen. A HIP check enables us to make sure the endpoint maintains the security requirements. That helps make things more secure.

And as a cloud-based solution, there are a lot of redundancies. I'm in Canada and have a gateway in Canada. In case the getaway or VPN box in Canada dies, they will automatically reroute me to New York or any other location that is available. In addition, if the cloud-based solution has an issue, we still have the on-prem firewall or VPN in place in our data centers, which means everything falls back to something that is just like Cisco VPN, but it is Palo Alto. But that is only happening in DR situations. The fact that Prisma Access is cloud-based also makes it easier to connect from our environment to cloud-computing environments.

What needs improvement?

I can't think of many things that need real improvement. But one thing that comes to mind is that when we deploy firewall rules via Panorama, we find it's a little bit slow. We have a global environment and might have 100 gateways or VPNs in the cloud. When we deploy something, it tries to deploy it one-by-one, and that can be slow. For example, one time we pushed a firewall change and the changes took about 10 minutes to finish up. If they could optimize the whole process to speed up that kind of deployment, that would be especially helpful.

For how long have I used the solution?

I have been using Prisma Access by Palo Alto Networks for close to two years, including the testing and eventually working on it in the production environment.

What do I think about the stability of the solution?

As of now, we have deployed it for 25 percent of our employees globally and, so far, it has been stable. We haven't seen a situation where it is working one day and totally stops working the next. 

There are still some bugs and sometimes we encounter issues and we have to open a case with Palo Alto to ask them to fix things. Because this is a new solution in the market, having been introduced two or three years ago, the overall stability is good, but they can still enhance that aspect even more.

What do I think about the scalability of the solution?

The scalability is pretty good. Since we bought it, we have added more and more users and had no issues. And because it's cloud-based, they can add VPN boxes in the cloud and, for us, that process is transparent, which is pretty good.

How are customer service and support?

All in all, tech support has satisfied us. We are a big customer, and they have two tech engineers working with us when we deploy and when we do a migration. We always have them with us, especially via conference calls.

The support is timely, but there is still some room for improvement because, when we open cases with them, some agents are not as timely about fixing problems as others.

But overall, we are satisfied with their services.

How would you rate customer service and support?

Positive

How was the initial setup?

The initial setup was not too complicated, but it still took a little time to get familiar with it. The good thing is that Prisma VPN uses our existing Panorama centralized management tool, which we use to manage Palo Alto firewalls and VPNs. Because the centralized management tool is very familiar to us, it helped us in using the new solution. But, of course, since it is a cloud-based VPN, it did take a little bit of time to get used to, but after we got used to it, it became straightforward.

What's my experience with pricing, setup cost, and licensing?

It is pretty expensive. We have to balance the cost of some features. They need to work on some of the services and products, price-wise.

What other advice do I have?

The importance of the combination of the solution's traffic analysis, threat prevention, URL filtering, and segmentation depends on the business. Some business lines are very critical so we might potentially apply more features to them, but everything has pros and cons. Applying more features potentially slows down the performance, so we have to balance between security and performance. But so far, in most situations, we don't have any concerns because we already apply the HIP check to make sure the laptop side meets all kinds of security requirements, based on our internal policies. Also, we are able to see all the traffic logs. Even though it's a huge amount of data, and we're not currently doing so, we're potentially able to investigate or analyze things. 

It is a good solution and a new direction for many companies, especially big companies with global offices. Overall, the security that Prisma Access provides definitely meets our security requirements. Otherwise, we wouldn't be using this solution. The majority of companies, including a bank or any other financial company, should be happy with this solution.

Disclosure: I am a real user, and this review is based on my own experience and opinions.
PeerSpot user
Global Leader Network Engineering at a financial services firm with 5,001-10,000 employees
Real User
Always-on VPN is constantly securing our system, but bugs and response to them have been challenging
Pros and Cons
  • "Prisma Access protects all app traffic, so that users can gain access to all apps and that's very important because we need to be able to access everything. It also allows us to access non-web apps; anything internal that we need access to, we can access."
  • "We've run into some challenges, having hit a lot of bugs over the past year in the deployment of GlobalProtect. We've had our fair share of issues that I haven't been happy with. We're working with the support organization to remediate them and waiting for updated releases. The response on getting the bugs fixed has not been what I would consider adequate for a product like this."

What is our primary use case?

Prisma Access GlobalProtect is our always-on VPN. We use it for URL filtering, to make sure people don't go to websites that are not permissible according to our security policy, such as gambling and pornography sites. We also implement Data Loss Prevention and decrypt the packets so that we can analyze the inside and make sure that nobody is trying to exfiltrate data. It's always on and it doesn't matter if you're in an office or at home or in a coffee shop or a hotel. 

We also use their service connections to access our internal services through them.

How has it helped my organization?

Since everybody is on the network all the time, it's allowing us to eliminate the step of having to connect to a VPN. That's the whole premise of an always-on VPN. Nobody has to think, "Oh, I need to get on VPN before I can connect to that server," or, "Oh, my VPN timed out because I've been on for 12 hours." The whole premise is that you're constantly on a VPN and it's constantly securing the system. That has helped from an end-user perspective. It hasn't come without its challenge, but that is one thing that is definitely a benefit.

In terms of security, it's definitely better than what we had because a user could just disconnect from the VPN before. They couldn't shut off the cloud proxy, but the cloud proxy only handled web-based traffic. If they wanted to FTP to a server, when they were connected to the VPN, it would get blocked. But they could just disconnect from VPN and then connect to FTP. Now, it goes through more security controls. So we are definitely more secure because of it. But it's just a completely different technology; it's more because of that than the product itself.

It's also somewhat of an alternative to SD-WAN. We had been looking at SD-WAN solutions and, realistically, the way the users are connecting now with Prisma Access, there's really no need for it.

What is most valuable?

It's an always-on solution and it supports both Mac and Windows. We have one configuration globally, and the only area where we had to do something differently is China.

Prisma Access protects all app traffic, so that users can gain access to all apps and that's very important because we need to be able to access everything. 

It also allows us to access non-web apps; anything internal that we need access to, we can access. Because we're using it as a VPN solution, our users are always on the internal network, regardless of where they are. They can't do anything because we lock them down so that if GlobalProtect doesn't connect, they can't get out to the internet. It's helped in that there were things that people would work around in other ways with our old model, things that they can't work around with the new model.

Also, having a single cloud-delivered platform, a global solution, was a key requirement for us.

We use the solution's threat prevention, URL filtering, and segmentation and they're all extremely important, based on what we're doing with the product. It's also very important to the business that Prisma Access provides millions of security updates per day.

What needs improvement?

We've run into some challenges, having hit a lot of bugs over the past year in the deployment of GlobalProtect. We've had our fair share of issues that I haven't been happy with. We're working with the support organization to remediate them and waiting for updated releases. The response on getting the bugs fixed has not been what I would consider adequate for a product like this. We've had some very pointed discussions with the support organization and the development teams on those issues and on doing what we can to help remediate them as well. They have been more responsive now towards our needs but it's a work in progress. 

They're going from being an organization that supported physical hardware, the Palo Alto firewall, into the realm of a SaaS-based solution. As a result, they need to change their operating model, support model, and release model to support that SaaS-based solution. That is related to support, related to operational efficiency, and deployments of code. Those are the areas where they need to improve.

For how long have I used the solution?

I've been using Prisma Access by Palo Alto for about a year.

What do I think about the scalability of the solution?

I don't see issues yet in terms of its scalability. We have more capacity than we need, so I think it's fine. We have firewalls in every region and in every country that Palo Alto has available. It's fairly scalable.

Which solution did I use previously and why did I switch?

We previously used Cisco AnyConnect for VPN and a cloud proxy solution for web-based security. We went from two products to one. The main purpose was to find a replacement for the cloud proxy solution. VPN just wound up being a good and positive outcome, in addition to it.

How was the initial setup?

The initial setup was complex. It has taken us almost a year, but we have about 7,000 users. We're just finishing up the main deployment of 5,000-plus users. We had an acquisition earlier this year and that will add another couple of thousand users. There have been a lot of hurdles with the bugs that we hit in the product. The stability of the software has been our biggest challenge.

What about the implementation team?

We did the deployment ourselves. In terms of maintenance, I manage the network engineering team globally, and our team is responsible for it.

Which other solutions did I evaluate?

We did look at other vendors when we were deciding on our VPN software and we went with Palo Alto for security reasons. 

What other advice do I have?

My advice would be to wait until they fix the bugs. We've been on a pretty stable version for the past several months and haven't had any issues. But other users who are on the same version have hit bugs on a regular basis, and it has been a nightmare to try to support. We're waiting on the final update of version 5.2.9 to get some of these issues fixed, and we're also waiting on 5.2.10 to support Windows 11 and the new version of Mac.

It's a balancing act in terms of security and nothing is perfect. We do have Palo Alto hardware as well as the Prisma Access solution, so we're reliant on Palo Alto's security for a lot of our security needs. I think the security is adequate.

I like the product in principle and I would rate it pretty high, but the bugs that we've hit pull the score down a bit. And then there are the operational support issues that we've had with Palo Alto, in general, that contribute to the score of six out of 10, as well.

Disclosure: PeerSpot contacted the reviewer to collect the review and to validate authenticity. The reviewer was referred by the vendor, but the review is not subject to editing or approval by the vendor.
PeerSpot user
Buyer's Guide
Download our free Prisma Access by Palo Alto Networks Report and get advice and tips from experienced pros sharing their opinions.
Updated: March 2024
Buyer's Guide
Download our free Prisma Access by Palo Alto Networks Report and get advice and tips from experienced pros sharing their opinions.