Prisma Access by Palo Alto Networks Reviews

We could write a book about our use cases. It provides best-of-breed optimization in CASB and SASE together. Our primary use case is enabling users from all walks of life, and all over the planet, to have remote access in the most optimized way.

Prisma Access is a SASE-oriented solution, making it a hybrid and SaaS. Of course, it's built on Google's high-capacity backbone, but it is provider-neutral.

With the centralized remote access solution we had before, F5, we used to see a lot of latency and a lot of intermittent disconnects. But our people have reported that they like Prisma Access so much better in terms of speed and how it operates. The user experience is so much better in terms of throughput. They don't see as much lag. Of course, there are users who don't have the most stable internet connection, but even for those users, by optimizing data reduction, it works better. We can't really help users who have some sort of wireless connection, because if their underpinning link is not good, this overlay won't do much. But for users who are using a satisfactory type of connectivity, even for people who are on 10 Mbps, it works well.

In addition, from an application accessibility standpoint, the integrated features that come with the QoS mean you can choose what types of applications get higher priority than others. It optimizes applications for QoS prioritization.

At the end of the day, the most valuable feature of Prisma Access is user accessibility and performance. For us, it all comes down to how well this product performs.

In addition to that, we feel that the security is absolutely spot-on, really top-notch. It's the result of all the components that come together, such as the HIP [Host Information Profile] and components like Forcepoint, providing end-user content inspection, and antivirus. It incorporates DLP features and that's fantastic because Prisma Access makes sure that all of the essential prerequisites are in place before a user can log in or can be tunneled into. Until these requirements are met at a satisfactory level, it doesn't let you in. Once users are onboarded, they are going through Palo Alto's firewall inspection. Users' traffic is encapsulated and inspected well. It gives us the flexibility to apply various policies and inspections. All of these come into play and give us peace of mind that this platform is best-in-class in terms of security features and tool integration.

The architecture is essentially a fabric-type SASE-based architecture. From a technical leadership standpoint, we are very pleased and satisfied with how efficient the product is, especially, again, when it comes to security.

One of the features that we really like in Prisma Access is its integration capabilities with Palo Alto's other platforms such as Cortex Data Lake. The best thing about it is that it gives us visibility and clarity. We can say, "This is what our threat metrics framework looks like. Yesterday we had this many potential threats, and out of that, this many have been fended off or mitigated." It gives us a really good single pane of glass that tells us what our attack surface looks like and how things have been mitigated." It gives us data that we can utilize for the benefit of our users and our senior executives.

From a user standpoint, it's very easy and very usable. Our users have used F5's products and it's not much different. There can be intricacies in that you have to have your laptops' antivirus protection updated, but that's not a big deal. Those are the types of things that users have to comply with anyway.

Traffic analysis, threat prevention, URL filtering, and segmentation are some of the features that come with Palo Alto itself. On the cloud controller platforms you have the ability to enforce controls, including things like the application layer inspection, granular policy constructs, as well as app-ID-based and application layer inspection. The inspection engines, such as the antivirus, malware, spyware, and vulnerability protection, are integrated into Palo Alto's cloud services platform. These features are quintessential to our entire cloud services security fabric. Users are users. You never know what's going to happen to a user. If somebody goes to Madagascar or to Bali and gets compromised, it is our job to protect that user and the organization. All of these interrelated features come into play for those purposes.

The challenges we have faced are not connected with Prisma's core fabric, but more with the end-user. To use the GlobalProtect client and meet all the requirements, your laptop or your end-user system has to be at a point where things are up to date. It's not really Prisma's fault, but when you try to create exceptions you don't really have those abilities. You cannot say, on the management platform, "Hey, for these users I want to create these exceptions." That is one thing that I have gotten some complaints about, and we have faced some challenges there.

It's always a challenge when people at the executive level start complaining because they're using the latest version of the MacBook Pro and it's not playing very well with Prisma.

I used the predecessor to Prisma Access, which was GlobalProtect Cloud Services and I have been using Prisma Access for a good two years.

I wouldn't call their technical support a pain point, but they need to improve it. That is one of the biggest drawbacks.

It was pretty straightforward at the PoC level. But the rollout of something like this across an enterprise is never like a one-shot thing. We went through some bumps and bruises and roadblocks along the way, but, overall, it was a pretty straightforward path.

The entire onboarding took around four months for our approximately 20,000 users.

On a day-to-day basis, we have security engineers and SMEs managing the platform. But there are not as many intricacies and challenges as there are in some of the other products that we deal with. From administrative, operational, and management standpoints, the way Prisma has let us do it, things are pretty efficient.

We used Palo Alto's professional services.

It's pricey, it's not cheap. But you get what you pay for.

My most crucial advice to colleagues who are looking to purchase this product would be to look at it from a 50,000-foot point of view, and then narrow it down to 40,000, 30,000, 20,000, and 10,000. The reason I say that is because, at the 50,000-foot view, the executives care about the pricing and the costing model; it's all about budget and how they can save the organization money.

If you are in a high-end organization, this is the product you had better get, hands-down. If you are an executive at a highly visible bank, please get your head out of the sand and see what is best for your organization. If you are a manufacturing company that doesn't need this level of integrative security, go get something else, something cheaper, because you don't need this extensive level of security controls and throughput. But if you want to get the best-of-breed, then Palo Alto's product is what you should definitely get.

Our journey with Prisma Access started out with a battlecard comparison of what Prisma Access had to offer versus what ZPA [Zscaler Private Access], Symantec, and F5 had to offer. In doing all of these comparisons, we realized that Palo Alto had built a cloud services fabric that is user-first and security-first.

If I compare Zscaler and Prisma Access, not all of the security controls that are in place with Zscaler are inherent to their own fabric. Zscaler has done a fantastic job with ZPA in terms of putting the components together. But when it comes to security enforcement, they are lagging behind on some things. One of them is the native security control component enforcement on their fabric. We feel like that is not done as efficiently as Prisma access does.

In a simple scenario when doing a side-by-side comparison, if we were onboarding and providing access to an end-user using ZPA, they would be able to get on and do their job fine. But when it comes to interoperability, cross-platform integration, and security enforcement, we feel that ZPA lacks some of the next-gen, advanced features that Prisma Access has to offer. Prisma Access provides us with cross-platform integration with things like Palo Alto AutoFocus and Cortex Data Lake, which is great. ZPA does not provide all of these extensive security features that we need. In a side-by-side comparison, this is where Prisma Access outshines its competitors.

With all of that in mind, the big question in our minds was, "Well, can you prove it?" PoCs are just PoCs. Where the rubber meets the road is when you can prove your claims. Palo Alto said, "Okay, sure. Let us show you how you can integrate with your existing antivirus platform, your existing content filtering platform, and your existing DLP platforms." We gave it a try. And then, we did various types of pen testing ourselves to see if it was really working the way they said it would. For example, could you take an encrypted file and try to bypass the DLP features? The answer was no. Prisma Access made sure that all of the compensating controls were not only in place but also being enforced. "In place" means you have a security guard, but you have told him to just keep a watch on things. If you have a robbery going on, just watch and don't do anything. Let the robbers do whatever they want. Don't even call the police. Prisma Access doesn't just watch, it calls the police.

There are some encrypted traffic flows that you're not supposed to decrypt and intercept, but even for those we have constructs that give us at least some level of inspection. Once tunnels are established, we have policies to inspect them to a certain extent. We try to make sure that pretty much everything that needs to be inspected is inspected. All of this comes down to accountability and to protecting our users.

Organizations with a worldwide footprint and distributed-services architecture require best-in-class security. Health organizations and pharmaceutical companies also do, because they are dealing with highly sensitive patient data or customer data. Organizations like these that have public, internet-facing web applications, need top-of-the-line security. Prisma Access, from an interoperability standpoint, addresses the big question of how well their web-facing applications are protected from potential malicious attacks. And the answer is that it is all integrative, all a part of a fabric with interrelated components. It protects the users who are accessing the corporate network and the corporate network from any potential risk from those users. Prisma Access gives us the ability to design architectural artifacts, like zones and segments, that really make for effective protection for web-facing components and internal applications.

In terms of Prisma Access providing all its capabilities in a single, cloud-delivered platform, not everything gets on the cloud. You cannot take a mainframe and put it on the cloud. You have to understand the difference between Prisma Access and Prisma Cloud. Prisma Access is all about user accessibility to enterprise networks in the most secure way possible. Prisma Cloud is the platform to integrate various cloud environments into a unified fabric.

As for Prisma Access providing millions of security updates per day, I don't know if there are millions, but it is important. We take advantage of some of the automated features that Palo Alto has provided us. We try not to get into the granular level too much because it increases the administrative overhead. We don't have the time or the manpower to drill into millions of updates.

We use Prisma Access to build an allowlist that we put into Socks App, so we can gate access to what we want based on whether someone is allowed onto the VPN. Prisma is a SaaS product. We have the cloud-managed version that we use to access a mixture of on-prem, public cloud, and SaaS tools. 

We aren't using it extensively. There are only around six rules. I've had five hundred or a thousand rules in previous companies that used Palo Alto Networks. We have six, so we're not using the solution extensively. We're looking at various products for DNS filtering and security, so we will potentially get rid of Prisma Access in the future. It's a heavy-handed way of doing what we're trying to do.

Prisma helped us build a moat around our production systems. It's now impossible to log into our production from a non-MDM laptop. Prisma Access provides decent security overall.

Prisma Access protects all app traffic so users can access all our apps, which is crucial because we want this to be as transparent as possible. The ability to secure web-based and other apps is also critical. We use this as a gateway into production or specific systems. That might be over 443, HTTPS, DB, or any other protocol.

Prisma Access offers features in one cloud-delivered platform, which is pretty important. Anything we can do to reduce the complexity of this is good. It will get messed up at some point if there are too many moving parts.

The traffic analysis, threat prevention, and URL filtering features are pretty critical. Prisma Access is our frontline defense for our production environments. On top of that, it protects the engineering staff's endpoints, so it needs to provide essential URL scanning and WildFire AV detection.

I've had a ton of issues with Prisma Access. The UI is horrible and not intuitive. For example, error handling when applying configuration changes is atrocious. The UI itself is buggy and lags. The sales staff tried to be helpful, but they sold us the wrong license SKU, which broke our environment, and it took two months for them to fix it. Two months is an eternity for something as critical as this.

It applies commits to the firewalls slowly. There isn't an API you can use for anything. We've previously had trouble with the egress IP addresses though we expressed to engineering that those mustn't change. They changed several times without warning, causing a lot of headaches.

I have used Prisma Access for a year and a half. 

Prisma hasn't broken yet. There have been a lot of outages, but luckily only a handful have affected us.

Prisma is somewhat scalable. We want to use this as an allowlist for our external applications. However, other external tools don't allow you to add an arbitrary number of IPs. If we were going to put in the complete list of active and reserved IPs that we get from our seven points of presence, then that's roughly 41 IPs. That goes over the max of 40 that GKE and GCT use. We can't use it to gate Kubernetes pods because there are too many IPs.

We can't seem to remove them once they're added. I've opened several support cases, and we still have half. Half of this list is all reserved and unusable points of presence because they aren't assigned to anything. It is a bit cumbersome and not as agile or straightforward as I was led to believe.

I rate Palo Alto's support a four out of ten. When I put in a ticket for a problem, they will send me a link to documentation that is either for the wrong product or something that doesn't apply to me. I usually get on a Zoom call with an engineer, show them the problem, and wait a week or two before I get a solution.

Neutral

Setting up Prisma Access was relatively straightforward for our use case. We deployed some firewalls in our system and used the IP addresses we got from those to inform and allow this. So it was very straightforward to get it to work, but tweaking it over time has been cumbersome.

I was the only person from our company working on the deployment. I designed and implemented the architecture, then deployed the tool to the endpoints internally. I'm responsible for educating the users and troubleshooting problems they find. I do things like telling a guy, "No, there isn't a problem with the VPN. You shouldn't use the web version of Spotify because only crazy people do that."

We used CDW and Palo Alto professional services. It was fine. It wasn't the best engagement, but it wasn't the worst.

It's hard to say if we've seen an ROI. I imagine we have. We haven't been breached, so that's something.

There's no reason not to buy the enterprise version that gives you unlimited PoPs, but you must understand the limitations you impose on yourself if you do that. If you go crazy, that allowlist will be too big for Kubernetes clusters.

The API that pulls the egress IPs allocated to you should be updated by the minute or as often as possible. There's no forewarning of impending changes. That should be built into your CI/CD system so no one needs to update anything manually. It should just flow through. However, you need notifications because it's a slippery slope. If you're adding and changing IPs all the time, who knows what's what anymore.

I did demos of around 16 different products that do something similar, including Zscaler, Netskope, Fortinet, Twingate, and Tailscale. Palo Alto was the only solution that could give us dedicated egress IPs. 

I rate Prisma Access a four out of ten. There are many tools out there that can do the same actions. This is not the best tool to use if you're only looking for an allowlist for production. 

We use Prisma Compute for container monitoring and Prisma Cloud for cloud monitoring. Compute looks at workload security, and we use it for container security, build security, and assessments. Cloud looks at our AWS account and gives us input on any security issues with our AWS workload.

We now know if there's any vulnerabilities during runtime, which is not something we had before. We didn't used to have visibility into our cloud infrastructure or our container space once the containers were running but we do have that visibility now. We also have visibility into how the different pieces of our solution talk to each other, so we know which services talk to each other, and then we are able to pick up anomalies. For example, when service A is talking to service B and there's no reason why they should be talking to each other. That's been a real help.

The solution is pretty comprehensive across all three tenets of build, run, and software. This has improved our operations because, for example, at build time if there is an inability within dependencies or within the Docker images we're going to use, we are able to stop, build, and remediate at that point. Within our registries where we keep our containers, we are still able to look back and see how vulnerabilities were corrected over time. Sometimes you build images in a repository, so a vulnerability might get discovered on the internet and it's good to know whether you're still safe before you run your images. Also, once you are running, it's helpful to know that you are still running secure environments.

A feature I've found very helpful is run time security because most of the products on the market will look at security during the build time, and they don't really look at what happens once you're going into production. 

It's a perfect solution for protecting the full stack native cloud. There's been a lot of development over time, so it's gotten better during the time we've been using it. 

The solution provides visibility and it's pretty simple to use. The dashboard is very intuitive. The solution makes it easy because we can look at one screen and see vulnerabilities across the infrastructure.

There is room for improvement in the multi-environment visibility, especially around containers. The product easily gets confused if you have, for example, similar Docker images that are running in different environments. It does not have a way of isolating that even though it's the same image, it's running in a different environment. It just consolidates that reporting and makes it difficult to figure out how far your plus range is.

I don't think the solution has a preventative approach. I think most of it is really more fighting. I guess you could use what it finds to predict what might happen in the future, but I haven't seen any features that are preventative.

I've been using this solution for three years now. 

The solution is very stable. I think in the last year we've done around four upgrades and it's never missed a beat, even through those.

The solution scales quite easily. We've thrown a lot at it and it's still standing. Everything that we run goes through Prisma. 

I think the support has a lot to improve on. Sometimes it's very difficult to get context around tickets, especially if they get keep on getting switched around, and then there are many issues. Not issues per se, but there are times when you need help and the person who is running the ticket is not able to service your ticket and then they have to push it on to engineering and that takes forever. I would rate the customer service as a five out of ten. 

Neutral

The initial setup was pretty straightforward. The product has very good documentation that is very easy to follow. Deployment took about a day. Rolling it out took longer, but that was because of internal challenges, not the product itself. 

We handled it all in-house. I actually did the deployment myself, and it went good. We used Terraform for deploying, and ran it in ECS, in our container environment. Our services are all running in AWS ECS, so we used their ECS module to plug our content environments into Prisma, and then we used their standalone agent for the rest of our systems that are not running container services.

We have seen an ROI because now it takes less time to identify vulnerabilities and fix them. When vulnerabilities are detected, the responsible teams are notified immediately, as opposed to having security go around once a week.

The pricing is very friendly and that's the reason why we renewed this solution. It was really just based on pricing, and the licensing is also pretty understandable. It's not confusing to figure out your workload and how much you'd be paying for the solution. 

We chose a mixed infrastructure where we have a bit on-prem and then also a direct cloud version. If you're running it on-prem, you have to meet infrastructure costs for the solution to run on your server in addition to standard licensing costs.

Before we did our last renewal we looked at a couple of other products. We chose to renew because of the pricing and licensing of this solution. 

The crux of why we're using the product is because of the automations. We are very confident that the product will keep us secure at all times. 

We are able to inject Prisma into our build jobs without it really affecting our build times or the developers.

The solution has reduced alerts investigation times by 60-70%.

I would rate this product as a nine out of ten. 

We use the solution for VPN connection for remote work.

The most important feature of the solution is that it works transparently, and you don't need to enter a new password after restarting the PC. Prisma Access by Palo Alto Networks is a seamless solution. People don't need to know how the infrastructure is working. It just seamlessly works for them.

The most valuable features of the solution are encryption, compliance, and stability.

The solution’s stability could be improved.

I have been using Prisma Access by Palo Alto Networks for one month.

I rate the solution a nine out of ten for stability.

Prisma Access by Palo Alto Networks is a scalable solution.

I rate the solution a nine out of ten for scalability.

The solution's initial setup is pretty straightforward. The solution is easy to implement.

The solution's deployment took two weeks. Compared to other products, the solution has a pretty fast deployment.

We have seen a positive return on investment with the solution because remote work is very important for us.

I would recommend Prisma Access by Palo Alto Networks to other users.

Overall, I rate the solution a nine out of ten.

Prisma Access is useful for organizations with hardware and firewalls that don't support their total number of users for remote working. If they need to increase this quantity, instead of increasing the hardware, they can use a solution as a firewall service.

A maximum of 200 people use this solution. We don't utilize all of the solution's capabilities.

I had a customer who needed to move all of their operations to work from home during the pandemic. They moved all of their configurations to Prisma Access, and we helped them enable permissions for their users to work from home.

Prisma Access provides better app performance. It allows all the traffic that's really needed for applications and internal resources without any impact on the hardware. It can be continuously scaled in case more resources are needed.

The most valuable feature is the ability to change the gateway. For example, if there's a problem with a specific region or vendor, we can make modifications. The solution is scalable, and there are different gateways that can be created depending on the demand.

Prisma Access supports all of the traffic that the user generates. We have the ability to send all of the traffic through the Prisma Access firewalls.

Prisma Access provides traffic analysis, threat prevention, URL filtering, and segmentation capabilities. It also provides DLP. If you have Panorama to manage firewalls and you have a device group that has some configurations with specific profiles for the spyware or antivirus, it's good to have the ability to replicate that in your Prisma Access environment without any compatibility issues.

It's important that Prisma Access provides millions of security updates per day because we have to be aware of attacks in the cybersecurity industry. It's very helpful to have these updates from Palo Alto because they can prevent the organization or customers from having issues.

Prisma Access gives us the ability to configure clientless VPN, which helps us address specific applications that are consumed through Prisma.

The Autonomous Digital Experience Management feature is helpful because it shows the source of a problem. One user could say that they have a problem with slowness or that some applications don't work that well. It could be a problem with Prisma or a problem with the user's internet provider.

The security provided by Prisma Access is very good because we have the same configurations and models that we have on our normal firewalls. If you have worked with Palo Alto before with firewalls or Panorama, it's very easy to create configurations to implement your security posture. It's on the same technology as Palo Alto, so it's compatible with firewalls. It's also very secure, and it has the same scalability options.

My organization has created different gateways, so they have two different cloud vendors. This redundancy on cloud is helpful. There is redundancy at different branches to provide a backup in case there is a problem with a vendor in a specific area.

I would like the solution to support a different type of authentication. We can't configure a secondary method for our portal.

I've worked with Prisma Access for about six months.

The stability is very good. I haven't had issues with the connection or dropping traffic.

I haven't had any issues with scalability. The solution allows us to define all of the resources that we need. For example, we can define the IP addresses that we need for the number of users that will be connected. If there's a large quantity of users, they can increase the resources. 

The technical support could be faster after we open up a case.

Setup is very straightforward. Prisma Access has very extensive documentation. If you use that, it's easy to deploy the solution. You need to read a lot more for routing considerations, but I think it's easy for people with startup experience.

The amount of time it takes to deploy the solution depends on the complexity of the consumer's considerations. Normally, the basic implementation and policy authentication can be completed in two or three hours.

We require a few people for maintenance. One person provides support and two people do the implementation.

I received some help from engineers who had more experience in the company. They taught me how to configure it, and I was able to complete the deployment after that.

I would rate this solution as nine out of ten. 

Prisma Access protects all app traffic so that users can gain access to all apps. This is very important when you have multiple applications in your environment. You do not want any network traffic to get compromised. It inspects all the incoming traffic so that the user can access that traffic in a secure way.

It secures both non-web and web-based apps, which is very important. You have applications in your environment. So, you want them to be accessed in a secure manner. It also provides security on the internet when you are trying to access something, such as PaaS apps. It provides security to that as well with the security management policy. It has an inbuilt security management policy. You just need to enable that, and that's it. This security of the non-web and web-based apps reduces the data breach. It is good for our operations that our non-web apps as well as web-based apps are secured.

We have two ways to manage Prisma Access. One is Panorama, and the other one is the Cloud Managed application. The graphical UI is very easy to use. It has a user-friendly graphical user interface, and we have a graphical statistics page as well, which gives you an insight into what's happening. It is very user-friendly.

It makes it very easy that in a single interface, you get all the features, such as routing, security, decryption, and other application functionalities. So, in a single graphical interface, you get everything, and it's easy to manage.

It provides traffic analysis, threat prevention, URL filtering, and segmentation. These elements are very important because you do not want to allow all the URL categories in your environment. You can simply block the categories that you don't want your users to access in your network. That's where these features come in handy. We can simply block these URL categories, and we have that functionality in Prisma Access.

It provides millions of security updates per day. Technology is changing every day, and Palo Alto is providing regular updates so that we can keep ourselves up to the market level. Constant enhancements are provided with the help of the Prisma Access plugin version. New plugins and features are coming every month.

Autonomous Digital Experience Management (ADEM) features are very good. It's a very helpful application. It helps us to troubleshoot network-related issues. It makes the job easy. We get to know whether an issue is at the endpoint level, ISP level, or system Access level. It helps us to determine the issue so that we can isolate and focus on a specific area. It makes our job easy.

ADEM is very impressive, and the users are enjoying this application. If they're not that tech savvy, it helps to isolate the issue at a particular level, making the job easy.

It enables us to deliver better applications. It is helpful because I can connect all my branch offices. If I have one office in the US, one in Asia, and one in Europe, I can connect all my offices to Prisma Access. I can also connect my data center and my mobile users spread across the globe. In Prisma Access, we have more than 100 locations provided by Palo Alto. So, it is very easy.

We have different security profiles inside Prisma Access. We have file blocking. We have anti-spyware. We have antivirus, and we have vulnerability protection. We also have DoS protection. All of these features are provided by Palo Alto Prisma Access, and we can utilize these options to make our security even better.

GlobalProtect is one of the best features of Prisma Access. It provides a remote access VPN solution.

We have an application called ADEM that helps us troubleshoot network-related issues. It helps us to isolate an issue whether it is on the ISP level, endpoint level, or system access level.

The Cloud Managed Prisma Access needs some more enhancement. Its GUI needs to be updated with respect to the inside application of Prisma Access.

The BGP filtering options on Prisma Access should be improved.

It has been three years.

It is very stable. If one node goes down on Prisma Access, we always have a backup node so that the traffic is not impacted. A backup node is always available, and the traffic is not compromised.

It is a scalable solution. Many clients are using the Prisma Access solution. I have personally worked with clients from across the globe, such as Germany, Australia, and Asia. They all are enterprise customers. 

People who work with or manage it are cybersecurity architects and cybersecurity leads. 

Sometimes, there's a long wait, and it is hard to get technical support, but it's improving day by day. I would rate them a 7 out of 10.

Neutral

I didn't use any other solution. 

It's straightforward and very easy. The deployment duration depends on the client's infrastructure. It depends on how many branch offices they are going to have. They could have only 3 offices, or they could have 100 offices. On average, if they have only 4 offices, it will take a max of four sessions. If they have 10 offices, it would take about 20 hours with two hours for each session.

We need an infrastructure subnet so that we can create an infrastructure over Prisma Access. We need to decide on the routing part, whether we are going with BGP or traffic routing. We need to have the IP address information for the IPsec tunnel. Apart from that, we need to take care of the DNS and resolve internal domains, if they have any. 

From my end, only one consultant is assigned for delivering the solution to the customer.

I would advise choosing your options according to your company's needs. Just go for what you want and do not pay for anything extra in terms of licensing. You need to determine how much bandwidth is required in your company network, and according to that, you should pay for the license. The mobile user license is based on the number of users who are going to use the VPN solution. You need to determine how many mobile users you are going to have in your network, and you should pay according to that.

There are no other costs in addition to licensing, but if you go for the consultant services of Palo Alto networks to deliver the solution for you, then you need to pay something extra. That is not a part of licensing.

If you have a company with branch offices, you do not need to have your own data center. You can simply connect your branch offices as well as your remote VPN users to the Prisma Palo Alto data center. You do not need to maintain your own data center. It will save your LAN cost, electricity cost, and labor cost.

Make sure that you are familiar with your company's network design and your design is compatible with Prisma Access. Make sure that the design is properly done and every use case or scenario is properly discussed. After that only go for the Prisma Access solution.

I would rate Prisma Access an 8 out of 10.

I recently worked on a huge project for a new entity of a major semiconductor company. We had a greenfield deployment where we were building everything from scratch. The primary use case was to build a solution that meets the following requirements:

• Provides Zero Trust Network Access for all remote users.
  
• Provides seamless performance.
• Avoids all bottlenecks that the traditional VPN concentrators have with regards to being a single point of failure by putting the entire global traffic to a particular VPN concentrator. 

On the secondary front, we did a couple of integrations with Cisco Viptela. It is an SD-WAN solution for ensuring traffic optimization, traffic steering, branch-to-branch connectivity, and branch cloud connectivity. We had to ensure adequate performance and zero trust and have metrics and security compliance with all standard regulatory frameworks such as GDPR for the European region. This was a huge deployment with a budget of close to 2 million dollars.

The plugin version is 2.1.086 innovation, and the platform version is 2.1.

It protects all app traffic so that users can gain access to all apps. There are definitely a lot of integrations. Prisma Access also derives the App-ID capability from the Palo Alto Next-Gen firewalls, which is a USP of Palo Alto. So, it inherently has the capability to see and monitor all the traffic and understand all applications. If an application is being tunneled through different ports or protocols just to masquerade the traffic to bypass the traditional security controls, it won't work. Technically, you cannot bypass any of the security controls that Palo Alto has.

The Single Pass Parallel Processing (SP3) still works with Prisma Access. So, you can have all the integration that you want. It also integrates very well with Prisma SaaS, which is a new solution from Palo Alto.

It can build IPS tunnels with all vendors that you have. It could be a very small router or a firewall from any vendor. With regards to protocols, traditional IPS used to have a couple of restrictions in terms of inspection and other things, but Prisma Access understands every application and every packet. It can see the higher progress of a session. It is a great product to work with.

It secures both web-based and non-web-based apps. Traditionally, I used to have problems with web-based and non-web-based traffic. Prisma Access is a full tunnel, and it is fairly agnostic to the type of traffic. It recognizes everything such as a torrent, FTP, or UDP session. It recognizes web applications, non-web applications, or custom applications. We have a couple of applications that are Java-based, custom developed, and custom managed. It is capable of recognizing every application.

It understands all applications and all standard and custom signatures that you can configure. With regards to the data leaks, it has a network DLP functionality. So, you can potentially configure regex or something else to inspect the traffic and look for patterns, such as credit card numbers and social security numbers. You can define the patterns and put a monitor for notification.

It provides all capabilities in a single, cloud-delivered platform.

It provides traffic analysis, threat prevention, URL filtering, and segmentation. Its usage for segmentation is less because we are also using their firewalls. On the transport side, we are using SD-WAN. We cannot do away with any of these features simply because we expect this platform to provide Next-Gen filtering capabilities. URL filtering is definitely important because we don't want to buy another dedicated solution. Threat prevention is like antivirus and anti-spyware, and all IPS functionalities are absolutely mandatory for us. Technically, it does everything that a typical Next-Gen firewall is supposed to do, but it does that in the cloud. So, you get all the scalability and visibility. We absolutely want all these features, and that perhaps was one of the reasons why we went for Prisma Access instead of another product.

It provides millions of security updates per day, which is important to us. There is something called AutoFocus, which is their threat intel platform. We also get a lot of updates from Unit 42, which is their threat intel feed. We have incorporated that with our platform. It is absolutely essential for us to at least know all known threats so that we can take steps to fix them well in advance. There were recent attacks with regards to SolarWinds and other solutions, and we were able to get timely feeds and notifications from Palo Alto automatically through the signature updates. We also got proactive updates from the Palo Alto technical support. This is absolutely necessary for us, and it keeps all known threats at bay.

Our implementation is still in progress, and we use its Autonomous Digital Experience Management (ADEM) features for performance-based monitoring, checking the latency, and checking the end-user experience not only based upon a couple of traditional metrics but also based on the actual ones. We don't have a standard benchmark to compare it with, but we definitely have complete visibility of who is doing what and who is getting what type of end-user experience. If someone is working from Seattle and needs to connect to Oregon, we definitely don't want to have the traffic all the way to some data center and then take a zig-zag route. We want it to follow an optimal path. It does provide us actionable insights into what's happening, and we can take corrective measures in the long run.

ADEM provides real and synthetic traffic analysis. We do have a security operations team that tests and ingests into SIEM/SOAR platforms that do automatic remediation. This is quite crucial because if there is suboptimal routing, it totally destroys the end-user experience. We check for the concentration of the users. Especially at this time when most of the users are working from home or remotely, we need to have such insights so that we can enable all points of presence within Prisma Access to ensure a better end-user experience.

The model itself is great. It is a managed firewall. If you look at it purely from a technical standpoint, it is a globally distributed and managed firewall platform that sits on top of Google Cloud and AWS. It has a global presence, and that is one of the most important things because this particular client for whom I was building this design has a presence across the globe, including China, where there are few constraints. Its presence and performance are super awesome. 

It is a natural transition from Palo Alto Next-Gen firewalls. Of course, people who would be managing this platform need some knowledge transfer and training, but it is not a huge leap. That's the beauty of it.

It is geographically dispersed, and it sits on top of Google and AWS platforms. Therefore, you don't face the standard issues, such as latency or bandwidth issues, that you usually face in the case of on-prem data centers.

It is fairly simple in terms of administration. It is derived from Palo Alto Next-Gen firewalls that have been in the market for more than a decade. It has evolved from Palo Alto Next-Gen firewalls, and there is only the difference of naming convention. The web interface and the way of managing things are fairly easy.  

It does whatever they're promising about this particular product. It has all the features that they say. We are leveraging quite a few features, and there are not many features that we are not using. All the features work the way they say. 

Whatever we've configured is working as promised in terms of security, and I'm fairly certain about the security that it provides. From the security aspect, I would rate it a 10 out of 10.

It is a managed firewall. When you run into issues and have to troubleshoot, there is a fair amount of restriction. You run into a couple of restrictions where you don't have any visibility on what is happening on the Palo Alto managed infrastructure, and you need to get on a call to get technical assistance from Palo Alto's technical support. You have to get them to work with you to fix the problem. I would definitely like them to work on the visibility into what happens inside Palo Alto's infrastructure. It is not about getting our hands onto their infrastructure to do troubleshooting or fixing problems; it is just about getting more visibility. This will help us in guiding technical support folks to the area where they need to work. 

I've been using this solution for about one and a half to two years. I've been extensively designing, implementing, troubleshooting, and working with Palo Alto for feature edits and update suggestions.

The solution itself is fairly stable. We never faced any outages because of the underlying platform. So, its stability has been good, but I would like more visibility into what is going on inside Palo Alto's infrastructure. 

They have also been fine in terms of the maintenance that they have been doing outside the maintenance window.

It is scalable. It sits on top of Google Cloud and Amazon AWS, so it is geographically distributed. The only place where we have connection issues is in China, but this is not because of Prisma Access. It is more related to the data privacy and regulatory restrictions that China has. 

When we started, which was two months ago, we had about 5,500 users. We probably have more than 1,000 concurrent users. We have 15 or 16 sites. We're going up at quite a good pace, and we would have somewhere close to 30 sites.

We have a premium/enterprise license. We never had any problems with getting support, especially on weekdays. Having a premium/enterprise license definitely adds a few points. I would rate them somewhere between a seven and an eight. That's because there is a lack of visibility into what happens inside the infrastructure, and because we can't pinpoint a specific area to them, they need some time to look at where things are wrong.

With regards to backend maintenance, they have their own schedule of maintenance for their infrastructure. They keep us updated about that well in advance. The preventative maintenance and the communication from them have been fairly smooth, and we never had any issues. 

It was fairly straightforward. We started with a couple of proof of concepts, and we've been adding things. We are gradually getting new locations, new sites, and new deployments, and we never faced any challenges in terms of the capabilities of the platform. It has been fairly smooth.

This was a huge implementation with a couple of dozen sites, and it involved designing, bill of materials, procurement, and implementation. The designing phase took about two months. The implementation took about a month.

The beauty of it is that we just have a team of five people managing the entire implementation. When it goes to the operation stage, we would definitely need more people because there are different pieces to it, but for the design implementation, we just have five people to manage everything.

We implemented it ourselves. 

This was a greenfield deployment, and we built it from scratch. So, there isn't much of a comparison between what used to happen in the past and what is happening now. However, because it is an OpEx-based or typical cloud-based model where you get charged for whatever you are using, it would potentially bring down the cost of consumption in terms of bandwidth. For example, if we have currently enabled all features, and tomorrow, we find a feature to be redundant and we don't want to use it for a particular location or data stream, we can do away with a couple of controls. We will only get charged for what we are using. It is security as a service and network as a service. As of now, I don't have the exact numbers for the savings that we are looking at, but down the line, it would definitely translate to huge savings in terms of OpEx and CapEx.

All such platforms require skilled professionals, and because it is derived from traditional Palo Alto firewalls, it is easy to learn. You don't need to spend a lot on training, and as of now, that's definitely a very important factor for us.

We created a bill of materials and passed it on to a third party. It probably was WWT, but it was sourced by the client itself.

Based on what I have heard from others, it is a pricey solution as compared to its peers, but I am not sure. However, considering the features that it offers, it is a break-even point. You get whatever they are promising.

We had used Zscaler for a proof of concept, but we wanted segmentation capabilities within the data center as well as for on-prem locations. We wanted to have local segmentation capabilities. We wanted a solution that scales inside the cloud but also on-prem. Zscaler didn't have that model in the past, so we went ahead with Prisma Access. That was the only PoC that we did in addition to Prisma Access.

With regards to other integrations, the integrations with Cisco SD-WAN still exist, but these are not a competitor of Prisma Access. These are just integrations.

If it is a natural transition from a purely on-premises model to a hybrid model where you have a significant number of sites or you are moving towards Zero Trust Network Access for providing a decentralized VPN solution, you should definitely go for it. It provides the entire security stack, so you don't have to keep on adding different solutions and then try permutations to make them work together. Prisma Access does everything beautifully. You don't need a lot of training or develop a lot of skills to manage the solution because it has evolved from Palo Alto Next-Gen firewalls.

For DLP, we are not using Prisma Access because it is a network DLP. Being a semiconductor company, we needed a couple of controls to ensure that the entire flow of the communication is very well defined. Therefore, we are using different tools that auto-discover, and then we put controls. For example, we have endpoint DLP, network DLP, and email DLP. We don't want to rely on Prisma Access because it sits outside of our perimeter. We want to have as much close control over the source as we can.

It didn't enable us to deliver better applications because this implementation was done in a silo. This project was not done very sequentially. It has been quite sporadic. The way the solution was built, applications were not at the center. We built it with a top-down approach. It was our first cloud-deployment model, and we haven't faced any problems with any of the standard applications. All the custom apps that we are bringing from the original plan are working the way they're supposed to. So, we never faced any challenges with regards to the performance or the security after deploying these applications. The entire setup is fairly agnostic to the types of applications that we already have, and a couple of them are not standard applications like Office 365, Workday, etc. They are fairly custom apps that you use in your lab environment or manufacturing utilities, and it works with them.

I would rate it a nine out of 10. Except for the visibility part, it is great. I am taking a few other client projects that are for Fortune 100 companies, and I am doing a lot of refreshes for them. Prisma Access is definitely going to be at the top of my list. It is not because I know this product inside out; it is because of the experience that our clients are getting with it, the security it provides, and the proactive updates that Palo Alto is pushing for Prisma Access.

I use the solution in my company to work with the remote access VPN. With the tool, users connect their office network and data center networks with the infrastructure from outside places, like home and other sites, so our company can use the remote access of the tool.

The most valuable features of the solution are in the areas of the secure remote access it provides while also being user-friendly.

From any improvement perspective, the product's compatibility issues with Linux need to be resolved.

The response from the support team needs to be made faster.

I have been using Prisma Access by Palo Alto Networks for three years. In my previous organization, I used the solution for two years.

The stability of the product is good. Stability-wise, I rate the solution a nine out of ten.

The scalability features of the product are available in a package. GlobalProtect will serve even if you purchase a device with a capacity of two hundred users. You can't increase the capacity above two hundred users. Basically, with the device capabilities, you can include 200 users in GlobalProtect, so it all depends on your hardware model.

In my previous company, there were around 150 users of the tool with Linux. I feel that there were almost 200 users of the product.

The technical support for the solution is good, but it is not like Cisco's support services. Sometimes, there is a delay in response from the support team's end, but during emergency cases, it is okay.

The product's initial setup phase is neither straightforward nor complex, making it a process that lies in the middle. I will say that it is very easy to deploy.

The tool's configuration can be done in one day. In my previous organization, my colleague and I were the two people who deployed the product, tested it, and found the results, and then we delivered it to our clients.

As per my previous experience, after I gave the solution to the company's customer, I took care of one custom configuration for a particular purpose. I read the tool's documentation to see how to configure it and how to set up GlobalProtect on the client machines, after which I made a documentation explaining the way to deploy it and install GlobalProtect.

For deployment and maintenance purposes, one or two people are enough.

In terms of the ROI, the tool is secure for official data. If someone wants security, GlobalProtect SSL VPN is something that I would recommend. With the tool, it is not possible to count how much revenue it helped generate since it basically protects your data from home to your office network and communicates with lots of data. The tool is secure. From a security perspective, GlobalProtect is good.

In comparison with GlobalProtect, there could be FortiClient. If some users cannot afford Palo Alto Networks, then they can choose FortiClient.

My company didn't receive any support from Palo Alto to connect securely to our organization's branch offices. The tool is very easy to deploy. Another co-engineer and I in my company completed the deployment task for the solution. The deployment is not very difficult, especially if you have Palo Alto's Next-Generation Firewalls since with it, you can really get the VPN connection for Windows and other operating systems, but my company had faced some challenges with Linux, so we had to purchase another license only for it. For Windows and Mac devices, the tool is free. If I purchase Palo Alto's Next-Generation Firewalls, it is free for Windows and Mac, but a license is required to use Prisma Access on Linux.

I haven't used the cloud-based nature of Palo Alto Networks to simplify our company's network security management. I have only used the on-premises version in our company's infrastructure for GlobalProtect. I don't have any idea about the cloud Security in the product.

The performance and reliability of the product are good.

For the integration process, you first have to configure the firewall with the default management port IP, or alternatively, users can configure it through the console, which includes the CLI mode and GUI mode. Okay. After logging into the firewall from the CLI or GUI, you can configure GlobalProtect by taking into consideration the outside and inside zones, which we want to give access to via the tool. I am experienced with the tool's GUI mode. I configured it through the GUI mode. The first thing you have to learn about Palo Alto GUI mode is how to configure GlobalProtect.

In general, I rate the tool an eight and a half to nine out of ten.