Prisma Access by Palo Alto Networks Reviews

I recently worked on a huge project for a new entity of a major semiconductor company. We had a greenfield deployment where we were building everything from scratch. The primary use case was to build a solution that meets the following requirements:

• Provides Zero Trust Network Access for all remote users.
  
• Provides seamless performance.
• Avoids all bottlenecks that the traditional VPN concentrators have with regards to being a single point of failure by putting the entire global traffic to a particular VPN concentrator. 

On the secondary front, we did a couple of integrations with Cisco Viptela. It is an SD-WAN solution for ensuring traffic optimization, traffic steering, branch-to-branch connectivity, and branch cloud connectivity. We had to ensure adequate performance and zero trust and have metrics and security compliance with all standard regulatory frameworks such as GDPR for the European region. This was a huge deployment with a budget of close to 2 million dollars.

The plugin version is 2.1.086 innovation, and the platform version is 2.1.

It protects all app traffic so that users can gain access to all apps. There are definitely a lot of integrations. Prisma Access also derives the App-ID capability from the Palo Alto Next-Gen firewalls, which is a USP of Palo Alto. So, it inherently has the capability to see and monitor all the traffic and understand all applications. If an application is being tunneled through different ports or protocols just to masquerade the traffic to bypass the traditional security controls, it won't work. Technically, you cannot bypass any of the security controls that Palo Alto has.

The Single Pass Parallel Processing (SP3) still works with Prisma Access. So, you can have all the integration that you want. It also integrates very well with Prisma SaaS, which is a new solution from Palo Alto.

It can build IPS tunnels with all vendors that you have. It could be a very small router or a firewall from any vendor. With regards to protocols, traditional IPS used to have a couple of restrictions in terms of inspection and other things, but Prisma Access understands every application and every packet. It can see the higher progress of a session. It is a great product to work with.

It secures both web-based and non-web-based apps. Traditionally, I used to have problems with web-based and non-web-based traffic. Prisma Access is a full tunnel, and it is fairly agnostic to the type of traffic. It recognizes everything such as a torrent, FTP, or UDP session. It recognizes web applications, non-web applications, or custom applications. We have a couple of applications that are Java-based, custom developed, and custom managed. It is capable of recognizing every application.

It understands all applications and all standard and custom signatures that you can configure. With regards to the data leaks, it has a network DLP functionality. So, you can potentially configure regex or something else to inspect the traffic and look for patterns, such as credit card numbers and social security numbers. You can define the patterns and put a monitor for notification.

It provides all capabilities in a single, cloud-delivered platform.

It provides traffic analysis, threat prevention, URL filtering, and segmentation. Its usage for segmentation is less because we are also using their firewalls. On the transport side, we are using SD-WAN. We cannot do away with any of these features simply because we expect this platform to provide Next-Gen filtering capabilities. URL filtering is definitely important because we don't want to buy another dedicated solution. Threat prevention is like antivirus and anti-spyware, and all IPS functionalities are absolutely mandatory for us. Technically, it does everything that a typical Next-Gen firewall is supposed to do, but it does that in the cloud. So, you get all the scalability and visibility. We absolutely want all these features, and that perhaps was one of the reasons why we went for Prisma Access instead of another product.

It provides millions of security updates per day, which is important to us. There is something called AutoFocus, which is their threat intel platform. We also get a lot of updates from Unit 42, which is their threat intel feed. We have incorporated that with our platform. It is absolutely essential for us to at least know all known threats so that we can take steps to fix them well in advance. There were recent attacks with regards to SolarWinds and other solutions, and we were able to get timely feeds and notifications from Palo Alto automatically through the signature updates. We also got proactive updates from the Palo Alto technical support. This is absolutely necessary for us, and it keeps all known threats at bay.

Our implementation is still in progress, and we use its Autonomous Digital Experience Management (ADEM) features for performance-based monitoring, checking the latency, and checking the end-user experience not only based upon a couple of traditional metrics but also based on the actual ones. We don't have a standard benchmark to compare it with, but we definitely have complete visibility of who is doing what and who is getting what type of end-user experience. If someone is working from Seattle and needs to connect to Oregon, we definitely don't want to have the traffic all the way to some data center and then take a zig-zag route. We want it to follow an optimal path. It does provide us actionable insights into what's happening, and we can take corrective measures in the long run.

ADEM provides real and synthetic traffic analysis. We do have a security operations team that tests and ingests into SIEM/SOAR platforms that do automatic remediation. This is quite crucial because if there is suboptimal routing, it totally destroys the end-user experience. We check for the concentration of the users. Especially at this time when most of the users are working from home or remotely, we need to have such insights so that we can enable all points of presence within Prisma Access to ensure a better end-user experience.

The model itself is great. It is a managed firewall. If you look at it purely from a technical standpoint, it is a globally distributed and managed firewall platform that sits on top of Google Cloud and AWS. It has a global presence, and that is one of the most important things because this particular client for whom I was building this design has a presence across the globe, including China, where there are few constraints. Its presence and performance are super awesome. 

It is a natural transition from Palo Alto Next-Gen firewalls. Of course, people who would be managing this platform need some knowledge transfer and training, but it is not a huge leap. That's the beauty of it.

It is geographically dispersed, and it sits on top of Google and AWS platforms. Therefore, you don't face the standard issues, such as latency or bandwidth issues, that you usually face in the case of on-prem data centers.

It is fairly simple in terms of administration. It is derived from Palo Alto Next-Gen firewalls that have been in the market for more than a decade. It has evolved from Palo Alto Next-Gen firewalls, and there is only the difference of naming convention. The web interface and the way of managing things are fairly easy.  

It does whatever they're promising about this particular product. It has all the features that they say. We are leveraging quite a few features, and there are not many features that we are not using. All the features work the way they say. 

Whatever we've configured is working as promised in terms of security, and I'm fairly certain about the security that it provides. From the security aspect, I would rate it a 10 out of 10.

It is a managed firewall. When you run into issues and have to troubleshoot, there is a fair amount of restriction. You run into a couple of restrictions where you don't have any visibility on what is happening on the Palo Alto managed infrastructure, and you need to get on a call to get technical assistance from Palo Alto's technical support. You have to get them to work with you to fix the problem. I would definitely like them to work on the visibility into what happens inside Palo Alto's infrastructure. It is not about getting our hands onto their infrastructure to do troubleshooting or fixing problems; it is just about getting more visibility. This will help us in guiding technical support folks to the area where they need to work. 

I've been using this solution for about one and a half to two years. I've been extensively designing, implementing, troubleshooting, and working with Palo Alto for feature edits and update suggestions.

The solution itself is fairly stable. We never faced any outages because of the underlying platform. So, its stability has been good, but I would like more visibility into what is going on inside Palo Alto's infrastructure. 

They have also been fine in terms of the maintenance that they have been doing outside the maintenance window.

It is scalable. It sits on top of Google Cloud and Amazon AWS, so it is geographically distributed. The only place where we have connection issues is in China, but this is not because of Prisma Access. It is more related to the data privacy and regulatory restrictions that China has. 

When we started, which was two months ago, we had about 5,500 users. We probably have more than 1,000 concurrent users. We have 15 or 16 sites. We're going up at quite a good pace, and we would have somewhere close to 30 sites.

We have a premium/enterprise license. We never had any problems with getting support, especially on weekdays. Having a premium/enterprise license definitely adds a few points. I would rate them somewhere between a seven and an eight. That's because there is a lack of visibility into what happens inside the infrastructure, and because we can't pinpoint a specific area to them, they need some time to look at where things are wrong.

With regards to backend maintenance, they have their own schedule of maintenance for their infrastructure. They keep us updated about that well in advance. The preventative maintenance and the communication from them have been fairly smooth, and we never had any issues. 

It was fairly straightforward. We started with a couple of proof of concepts, and we've been adding things. We are gradually getting new locations, new sites, and new deployments, and we never faced any challenges in terms of the capabilities of the platform. It has been fairly smooth.

This was a huge implementation with a couple of dozen sites, and it involved designing, bill of materials, procurement, and implementation. The designing phase took about two months. The implementation took about a month.

The beauty of it is that we just have a team of five people managing the entire implementation. When it goes to the operation stage, we would definitely need more people because there are different pieces to it, but for the design implementation, we just have five people to manage everything.

We implemented it ourselves. 

This was a greenfield deployment, and we built it from scratch. So, there isn't much of a comparison between what used to happen in the past and what is happening now. However, because it is an OpEx-based or typical cloud-based model where you get charged for whatever you are using, it would potentially bring down the cost of consumption in terms of bandwidth. For example, if we have currently enabled all features, and tomorrow, we find a feature to be redundant and we don't want to use it for a particular location or data stream, we can do away with a couple of controls. We will only get charged for what we are using. It is security as a service and network as a service. As of now, I don't have the exact numbers for the savings that we are looking at, but down the line, it would definitely translate to huge savings in terms of OpEx and CapEx.

All such platforms require skilled professionals, and because it is derived from traditional Palo Alto firewalls, it is easy to learn. You don't need to spend a lot on training, and as of now, that's definitely a very important factor for us.

We created a bill of materials and passed it on to a third party. It probably was WWT, but it was sourced by the client itself.

Based on what I have heard from others, it is a pricey solution as compared to its peers, but I am not sure. However, considering the features that it offers, it is a break-even point. You get whatever they are promising.

We had used Zscaler for a proof of concept, but we wanted segmentation capabilities within the data center as well as for on-prem locations. We wanted to have local segmentation capabilities. We wanted a solution that scales inside the cloud but also on-prem. Zscaler didn't have that model in the past, so we went ahead with Prisma Access. That was the only PoC that we did in addition to Prisma Access.

With regards to other integrations, the integrations with Cisco SD-WAN still exist, but these are not a competitor of Prisma Access. These are just integrations.

If it is a natural transition from a purely on-premises model to a hybrid model where you have a significant number of sites or you are moving towards Zero Trust Network Access for providing a decentralized VPN solution, you should definitely go for it. It provides the entire security stack, so you don't have to keep on adding different solutions and then try permutations to make them work together. Prisma Access does everything beautifully. You don't need a lot of training or develop a lot of skills to manage the solution because it has evolved from Palo Alto Next-Gen firewalls.

For DLP, we are not using Prisma Access because it is a network DLP. Being a semiconductor company, we needed a couple of controls to ensure that the entire flow of the communication is very well defined. Therefore, we are using different tools that auto-discover, and then we put controls. For example, we have endpoint DLP, network DLP, and email DLP. We don't want to rely on Prisma Access because it sits outside of our perimeter. We want to have as much close control over the source as we can.

It didn't enable us to deliver better applications because this implementation was done in a silo. This project was not done very sequentially. It has been quite sporadic. The way the solution was built, applications were not at the center. We built it with a top-down approach. It was our first cloud-deployment model, and we haven't faced any problems with any of the standard applications. All the custom apps that we are bringing from the original plan are working the way they're supposed to. So, we never faced any challenges with regards to the performance or the security after deploying these applications. The entire setup is fairly agnostic to the types of applications that we already have, and a couple of them are not standard applications like Office 365, Workday, etc. They are fairly custom apps that you use in your lab environment or manufacturing utilities, and it works with them.

I would rate it a nine out of 10. Except for the visibility part, it is great. I am taking a few other client projects that are for Fortune 100 companies, and I am doing a lot of refreshes for them. Prisma Access is definitely going to be at the top of my list. It is not because I know this product inside out; it is because of the experience that our clients are getting with it, the security it provides, and the proactive updates that Palo Alto is pushing for Prisma Access.

We could write a book about our use cases. It provides best-of-breed optimization in CASB and SASE together. Our primary use case is enabling users from all walks of life, and all over the planet, to have remote access in the most optimized way.

Prisma Access is a SASE-oriented solution, making it a hybrid and SaaS. Of course, it's built on Google's high-capacity backbone, but it is provider-neutral.

With the centralized remote access solution we had before, F5, we used to see a lot of latency and a lot of intermittent disconnects. But our people have reported that they like Prisma Access so much better in terms of speed and how it operates. The user experience is so much better in terms of throughput. They don't see as much lag. Of course, there are users who don't have the most stable internet connection, but even for those users, by optimizing data reduction, it works better. We can't really help users who have some sort of wireless connection, because if their underpinning link is not good, this overlay won't do much. But for users who are using a satisfactory type of connectivity, even for people who are on 10 Mbps, it works well.

In addition, from an application accessibility standpoint, the integrated features that come with the QoS mean you can choose what types of applications get higher priority than others. It optimizes applications for QoS prioritization.

At the end of the day, the most valuable feature of Prisma Access is user accessibility and performance. For us, it all comes down to how well this product performs.

In addition to that, we feel that the security is absolutely spot-on, really top-notch. It's the result of all the components that come together, such as the HIP [Host Information Profile] and components like Forcepoint, providing end-user content inspection, and antivirus. It incorporates DLP features and that's fantastic because Prisma Access makes sure that all of the essential prerequisites are in place before a user can log in or can be tunneled into. Until these requirements are met at a satisfactory level, it doesn't let you in. Once users are onboarded, they are going through Palo Alto's firewall inspection. Users' traffic is encapsulated and inspected well. It gives us the flexibility to apply various policies and inspections. All of these come into play and give us peace of mind that this platform is best-in-class in terms of security features and tool integration.

The architecture is essentially a fabric-type SASE-based architecture. From a technical leadership standpoint, we are very pleased and satisfied with how efficient the product is, especially, again, when it comes to security.

One of the features that we really like in Prisma Access is its integration capabilities with Palo Alto's other platforms such as Cortex Data Lake. The best thing about it is that it gives us visibility and clarity. We can say, "This is what our threat metrics framework looks like. Yesterday we had this many potential threats, and out of that, this many have been fended off or mitigated." It gives us a really good single pane of glass that tells us what our attack surface looks like and how things have been mitigated." It gives us data that we can utilize for the benefit of our users and our senior executives.

From a user standpoint, it's very easy and very usable. Our users have used F5's products and it's not much different. There can be intricacies in that you have to have your laptops' antivirus protection updated, but that's not a big deal. Those are the types of things that users have to comply with anyway.

Traffic analysis, threat prevention, URL filtering, and segmentation are some of the features that come with Palo Alto itself. On the cloud controller platforms you have the ability to enforce controls, including things like the application layer inspection, granular policy constructs, as well as app-ID-based and application layer inspection. The inspection engines, such as the antivirus, malware, spyware, and vulnerability protection, are integrated into Palo Alto's cloud services platform. These features are quintessential to our entire cloud services security fabric. Users are users. You never know what's going to happen to a user. If somebody goes to Madagascar or to Bali and gets compromised, it is our job to protect that user and the organization. All of these interrelated features come into play for those purposes.

The challenges we have faced are not connected with Prisma's core fabric, but more with the end-user. To use the GlobalProtect client and meet all the requirements, your laptop or your end-user system has to be at a point where things are up to date. It's not really Prisma's fault, but when you try to create exceptions you don't really have those abilities. You cannot say, on the management platform, "Hey, for these users I want to create these exceptions." That is one thing that I have gotten some complaints about, and we have faced some challenges there.

It's always a challenge when people at the executive level start complaining because they're using the latest version of the MacBook Pro and it's not playing very well with Prisma.

I used the predecessor to Prisma Access, which was GlobalProtect Cloud Services and I have been using Prisma Access for a good two years.

I wouldn't call their technical support a pain point, but they need to improve it. That is one of the biggest drawbacks.

It was pretty straightforward at the PoC level. But the rollout of something like this across an enterprise is never like a one-shot thing. We went through some bumps and bruises and roadblocks along the way, but, overall, it was a pretty straightforward path.

The entire onboarding took around four months for our approximately 20,000 users.

On a day-to-day basis, we have security engineers and SMEs managing the platform. But there are not as many intricacies and challenges as there are in some of the other products that we deal with. From administrative, operational, and management standpoints, the way Prisma has let us do it, things are pretty efficient.

We used Palo Alto's professional services.

It's pricey, it's not cheap. But you get what you pay for.

My most crucial advice to colleagues who are looking to purchase this product would be to look at it from a 50,000-foot point of view, and then narrow it down to 40,000, 30,000, 20,000, and 10,000. The reason I say that is because, at the 50,000-foot view, the executives care about the pricing and the costing model; it's all about budget and how they can save the organization money.

If you are in a high-end organization, this is the product you had better get, hands-down. If you are an executive at a highly visible bank, please get your head out of the sand and see what is best for your organization. If you are a manufacturing company that doesn't need this level of integrative security, go get something else, something cheaper, because you don't need this extensive level of security controls and throughput. But if you want to get the best-of-breed, then Palo Alto's product is what you should definitely get.

Our journey with Prisma Access started out with a battlecard comparison of what Prisma Access had to offer versus what ZPA [Zscaler Private Access], Symantec, and F5 had to offer. In doing all of these comparisons, we realized that Palo Alto had built a cloud services fabric that is user-first and security-first.

If I compare Zscaler and Prisma Access, not all of the security controls that are in place with Zscaler are inherent to their own fabric. Zscaler has done a fantastic job with ZPA in terms of putting the components together. But when it comes to security enforcement, they are lagging behind on some things. One of them is the native security control component enforcement on their fabric. We feel like that is not done as efficiently as Prisma access does.

In a simple scenario when doing a side-by-side comparison, if we were onboarding and providing access to an end-user using ZPA, they would be able to get on and do their job fine. But when it comes to interoperability, cross-platform integration, and security enforcement, we feel that ZPA lacks some of the next-gen, advanced features that Prisma Access has to offer. Prisma Access provides us with cross-platform integration with things like Palo Alto AutoFocus and Cortex Data Lake, which is great. ZPA does not provide all of these extensive security features that we need. In a side-by-side comparison, this is where Prisma Access outshines its competitors.

With all of that in mind, the big question in our minds was, "Well, can you prove it?" PoCs are just PoCs. Where the rubber meets the road is when you can prove your claims. Palo Alto said, "Okay, sure. Let us show you how you can integrate with your existing antivirus platform, your existing content filtering platform, and your existing DLP platforms." We gave it a try. And then, we did various types of pen testing ourselves to see if it was really working the way they said it would. For example, could you take an encrypted file and try to bypass the DLP features? The answer was no. Prisma Access made sure that all of the compensating controls were not only in place but also being enforced. "In place" means you have a security guard, but you have told him to just keep a watch on things. If you have a robbery going on, just watch and don't do anything. Let the robbers do whatever they want. Don't even call the police. Prisma Access doesn't just watch, it calls the police.

There are some encrypted traffic flows that you're not supposed to decrypt and intercept, but even for those we have constructs that give us at least some level of inspection. Once tunnels are established, we have policies to inspect them to a certain extent. We try to make sure that pretty much everything that needs to be inspected is inspected. All of this comes down to accountability and to protecting our users.

Organizations with a worldwide footprint and distributed-services architecture require best-in-class security. Health organizations and pharmaceutical companies also do, because they are dealing with highly sensitive patient data or customer data. Organizations like these that have public, internet-facing web applications, need top-of-the-line security. Prisma Access, from an interoperability standpoint, addresses the big question of how well their web-facing applications are protected from potential malicious attacks. And the answer is that it is all integrative, all a part of a fabric with interrelated components. It protects the users who are accessing the corporate network and the corporate network from any potential risk from those users. Prisma Access gives us the ability to design architectural artifacts, like zones and segments, that really make for effective protection for web-facing components and internal applications.

In terms of Prisma Access providing all its capabilities in a single, cloud-delivered platform, not everything gets on the cloud. You cannot take a mainframe and put it on the cloud. You have to understand the difference between Prisma Access and Prisma Cloud. Prisma Access is all about user accessibility to enterprise networks in the most secure way possible. Prisma Cloud is the platform to integrate various cloud environments into a unified fabric.

As for Prisma Access providing millions of security updates per day, I don't know if there are millions, but it is important. We take advantage of some of the automated features that Palo Alto has provided us. We try not to get into the granular level too much because it increases the administrative overhead. We don't have the time or the manpower to drill into millions of updates.

We use the product to access resources from outside networks.

They could add more flexibility and improve product performance.

I've been using Prisma Access by Palo Alto Networks for about one or two years.

The technical support services are good, and they provide faster responses. However, there is room for improvement regarding the support for local languages.

Neutral

Competitors' advantages for the product lie in their ability to cover different security aspects, such as DDoS protection, DNS security, and WAF.

The setup is relatively straightforward. Typically, distributors or partners handle the implementation process.

Palo Alto products are expensive, but they offer efficient features. We have to pay additional costs for maintenance and support services.

I typically recommend Prisma Access to private companies, especially small or medium-sized ones.

Integrating the product with other tools is easy as it offers APIs. I rate it a seven out of ten.

I use the solution in my company for our remote workers and branch access.

The product's price is an area of concern where improvements are required. The solution's price should be lowered.

Our company faces some issues during the product's configuration phase. The product's configuration part is slow and not very effective. In my company, we have to change the configuration multiple times to make it effective. The configuration part of the product can be improved.

The product's support team needs to improve the quality of services offered.

I have been using Prisma Access by Palo Alto Networks for a year.

Stability-wise, I rate the solution a seven out of ten.

Scalability-wise, I rate the solution a ten out of ten.

The product is suitable for medium to large-sized companies.

I have experience with the solution's technical support. I rate the technical support an eight out of ten.

Positive

I have experience with Fortinet FortiEDR.

The product's initial setup phase is simple.

The solution is deployed on the cloud.

The solution can be deployed in a couple of hours.

Zscaler is a good product. In terms of features, Prisma Access by Palo Alto Networks and Zscaler are at the same level. Prisma Access by Palo Alto Networks may have an advantage over Zscaler in terms of security. Palo Alto Networks comes from security vendors, and Zscaler is available from cloud vendors. When it comes to simplicity and connectivity, Zscaler is better than Prisma Access by Palo Alto Networks.

The product is secure for remote workers since it has many cloud-based facilities that can offer protection.

The product can provide improved access to those clients who do not directly go to SaaS applications but prefer to use such applications via Prisma Access since it provides security policies to help secure the network traffic.

For security needs, the product's security profile is good.

I have experience with the product's GlobalProtect VPN feature, and I feel that it works fine. The feature also allows the customer or client to go through a tunnel to Prisma Access.

The integration of Prisma Access with Palo Alto Networks can provide a better security posture. The integration of Prisma Access with Palo Alto Cortex XDR is the best, especially when our company sends the logs from Prisma Access to Cortex Data Lake. My company gets a full view of the attack part, consolidation, and timeline of the attacks in Palo Alto Cortex XDR.

I recommend the product to those who plan to use it.

I rate the tool an eight out of ten.

The solution is not very complex and is easy to manage for people who may or may not have knowledge about Palo Alto Networks. 

The initial support team is not very good. Most of the time, I have found that they are one to three years experienced only. They don't have network expertise. They know about Palo Alto products but don't know how to troubleshoot the issues. We have to guide them most of the time to troubleshoot correctly since their approach is not developed. 

I have been working with the solution for a few months. 

The solution is very stable. 

We are a large team and work for multiple customers. 

The senior engineers are very good and you need to escalate your issues to them. 

The tool is very easy to set up. It will take some time since you need to plan all the things. You also need to think about the migration of the existing infrastructure. It is not like you can complete the installation in a week. We will collect information first on users and categorize them from a user perspective like the applications and services which will be connected to the product. We will make a plan once we understand the user requirements. It is a long process and we will ensure that everything is secure. A document will be created with the data flow. We will ensure 100 percent that everything is working fine. 

Prisma Access is a good product and I would rate it a nine out of ten. 

Our use case started with the pandemic. Before the pandemic, our users worked in our office, but when the pandemic started our users were at home. They wanted to have the same kind of access that they had on-premises. We deployed a network and mobile services for them so that they could have the same experience sitting at home and access all the infra in the office. We use mobile access to connect to Prisma Access, and from Prisma Access we built a site-to-site VPN to connect to the office network so that they would have the same kind of access.

It is very helpful because it is protecting the applications that are behind it. It has so many components that we can use to secure our applications.

Prisma Access has all the features from Palo Alto. But the visibility perspective is pretty cool. If I want to know how much data is being used for a specific project, I can look at how much data has been used, from which region, and which users have been connected. That visibility is very good so that I can see how many licenses we have and how many are used. It gives a great view of what is happening, of everyone who is connected. That is one of the things I like.

It provides traffic analysis, threat prevention, and URL filtering, although I'm not sure if it provides segmentation. These features are very important. We wanted to filter traffic according to our standards. The URL filtering helps to filter the traffic so that we only send the traffic we want to on-premises or the internet. Without this, it would be very tough.

Also, it protects all your app traffic. It's like a next-generation firewall. It does everything.

For a non-technical guy, the reporting of Prisma Access is very easy. You need to know the navigation tabs, but it only has so many of them and you can do many things in the tabs. It is pretty easy because there aren't that many pages or options.

And the updates, like URL updates, IPS, IDS, and any WildFire subscription updates are very helpful for protecting our infra.

There should be a dedicated portal or SASE-based solution. They're trying to add a plugin but it needs a dedicated portal because it is now an enterprise solution for multiple organizations. People should be able to directly log in to a dedicated page for Prisma Access, rather than going into a Panorama plugin, and always having to update the plugin. An administrator should be able to look at it from a configuration perspective and not the management and maintenance perspectives.

We started using Prisma Access by Palo Alto Networks with the pandemic in 2019, so I have been using it for over three years.

Initially, they were coming up with a new plugin every one or two months, and you would have to download it. But now, I don't see that. Their team continues to work on it, but as a customer, I see it as stable. 

They're using the resources of GCP so if GCP in a specific region has some issues, it will impact Prisma Access. They have to look at some kind of backup.

I don't see it as a scalable solution because it is running on top of VMs. They say it is scalable, but we didn't see it working that way for one or two incidents that we had. But later, they had more firewalls in the cloud and kept them on standby. Since then, I haven't seen that issue.

I have implemented the solution for 100,000-plus users, and most of them are connecting from home. It reduces the load on our on-premises firewall, handling posturing and VPN. It is a dedicated project, meaning everyone, all of our employees, uses the same solution to connect to the infra.

When I started working with their support, the product was new for them as well so they were not all that familiar with it. They need to improve the technical support staff.

Positive

We were using Cisco AnyConnect but we replaced it, in part, with Zscaler and mostly with Prisma Access.

Prisma Access works on Panorama which we have on a virtual machine on GCP. As with anything, if you don't know it, it is complicated, but once you understand it, it is very easy. If I look at it as a combination of before and after, the setup is of average difficulty. You can learn things very fast. It's not that difficult or complicated, but you should know the purpose of each part. Then it is easy.

When I did my initial deployment of Prisma Access in 2019, it took around five days. But by the time I had done two or three deployments, it was taking me 20 minutes to deploy.

The implementation strategy is totally dependent on the requirements. Some customers say they want the same feeling at home that they have in the office. Some customers say they want Prisma Access to reduce the burden on the existing on-premises firewall. The posture checks have to be done on Prisma Access and, once done, the traffic is forwarded.

Once you understand the product, two to three guys should be able to handle it for configuration, and then they can move on. But for operations, you need a team.

We evaluated Zscaler Private Access and multiple other cloud solutions.

Compared to Zscaler and other services, the advantage of Prisma Access is that it supports both data and voice. The other vendors don't support voice. With Prisma Access, we don't need to look for any other services or solutions. It supports your data and voice services as well and that is one of our most important requirements.

At the end of the day, Prisma Access is nothing but a firewall that is hosted in the cloud. It depends on your capacity, the users that are connecting, and the VM you are running in the backend. It has all the capabilities and subscriptions that we were using on-premises. I don't see any challenges in terms of security. It is secure. They haven't compromised on anything with Prisma Access. It tries to protect us as much as possible.

It's crucial for us and is helping us a lot if you look at it from a business perspective.

We can do a lot with it and use it for eight to nine use cases. It supports your data and voice and, as I noted, I haven't seen any other product support both. Prisma Access is the best product. It depends on what you're looking for. But if you have a lot of requirements, you should go with Prisma Access.

In my first company, we encountered some problems with endpoints because we had colleagues working out of country and we didn't know what happened to their clients. We used Prisma Access for information regarding the client status and the client programs because it can check and control client operations.

In that company, before Prisma Access, we used public access and we encountered many attacks from outside. Our DevOps and software engineers always connected from outside. When I came to that company I changed things, but without Prisma Access but it was very difficult. I had to do IAM per user. But when we integrated Prisma Access we could grant access by integrating the identity storage. I could grant access very quickly and see the behavior of my developers and software engineers. Sometimes they would come with new requests and Prisma Access provided quick policy deployment.

The solution helped us immediately solve the problem with our colleagues' endpoints when we encountered it.

When we integrated with Palo Alto's Cortex application in the cloud, it provided threat analysis and we didn't worry about malware or malicious traffic from Prisma Access. It was analyzing and blocking things after the Prisma Access analysis. When we used traditional VPN applications, there was no threat analysis and we counted on that from the firewall. But with Prisma Access working as a firewall and VPN, the security engineer could see everything in one portal. That meant we could analyze and block things immediately.

For my company, the features and remote accessibility were an improvement over the more traditional VPN applications. With Prisma Access we could grant more security than our public access allowed. We had more tracking of the client side. We could see and calculate their work shift time. We didn't have these features in traditional VPN tools.

We had new vulnerabilities or threats coming up daily. Using a traditional firewall or VPN, updates depended on a schedule, but Prisma Access updated itself by checking the threat database and protected us that way.

The biggest thing I learned from using Prisma Access was that, compared to conventional VPN applications, where we didn't know how users were behaving or when they were connecting, we could see how they were behaving and when they were connected. We could see what they encountered, the problems, before they complained.

The cloud VPN features mean we can connect everywhere and track where all our users are connecting. It's a helpful feature for us. We used to use traditional VPN tools, not cloud-based VPN, but Prisma Access came out with new, innovative features, including client-tracking, which was more valuable for our company. It was very impressive for us. The solution's VPN connection provided a lot of protection and was proactive. It was a better option for us. 

Also, we can split our web application and client internet traffic with Prisma Access so that it is protecting both web applications and our specific, non-web applications. The protection for web-based applications was helpful for my colleagues who didn't want a particular application on their devices. And the non-web access protection was more for our developers because they were writing and building code on their computers. Prisma Access was able to protect them.

Sometimes, we encountered a portal crash. When we told Palo Alto they said it might be the browser or cache, but I think they need to improve it on their side.

I have been using Prisma Access by Palo Alto for four years. I integrated it for my first company and I implemented it for a proof of concept for another company and they love it.

In my current company, we are not using it because this company is working on-prem, but we have a digital transformation plan for next year.

It's reliable.

It provides scalability in terms of the features and they are giving a bonus depending on the number of users. In my previous company we had 2,000 users.

I am always tracking the new technologies and features. I see there are many AI and digital technologies and I believe Prisma Access will use these more effectively. It may integrate with AI technologies and some of the analysis, as well as policies and access, will be done automatically by Prisma Access.

They have a separate technical team for Prisma Access. Normally, Palo Alto has TAC engineers working on their different products, but they have a specific Prisma Access support team in my country. When we called or created tickets they supported us immensely. I expected to hear from them within one hour.

Positive

We used a traditional VPN solution, but nothing like Prisma Access.

The initial setup is very easy. I have deployed it three times and it was integrated within two hours.

One network engineer, one network security engineer, and a system engineer are enough for the deployment and maintenance.

The implementation strategy was designed by Palo Alto engineers. They have good tech support guys who assisted us and explained all steps. They gave us some options and helped us choose the most effective way.

When they configured it from our requirements it worked the first time. Normally things didn't work like that before, but with Prisma Access it was integrated on the first try.

Where I'm working now we have FortiGate but at my old company, we didn't prefer that. When Palo Alto did the presentation at my old company, we understood they were professionals and that their features were more valuable than FortiGate.

You don't need to worry because it will be integrated very quickly when you work with the Prisma Access support team. Be sure to ask many questions to understand the Prisma Access features and you will be able to use it very effectively.

We use Prisma Access to enhance security control on endpoints in a hybrid workplace. Everyone in my company uses Prisma. It's about 500 users.

Prisma covers web-based and non-web apps, reducing data breach risks. In addition to protecting web traffic, it can replace the VPN. Instead of using a separate VPN, we can route all the traffic to our office through Prisma Access. 

The solution improved the consistency of our security controls and the BCP. There has been a 20 percent reduction in TCO. Prisma Access also enabled us to deliver better applications by centralizing security management. Because it is a SaaS solution, the system admins don't need to worry about technical implementation, updates, or anything happening on the backend. 

The most valuable features are the Secure Web Gateway and firewall as a service. Prisma Access protects all internet traffic. It isn't limited to apps. Currently, it covers more than 90 percent of our web traffic.

Autonomous digital experience management is another essential feature that provides a level of end-to-end visibility that most other solutions cannot offer. ADEM's real and synthetic traffic analysis is highly useful.

The benefit ADEM provides to the end-user is pretty indirect. It gives a system admin some evidence to show the user that the problem may not be on the user's side rather than a system issue.

Prisma Access features like traffic analysis, threat protection, URL filtering, and segmentation are critical because our use case is a hybrid workplace. Users are working worldwide, so we expect security to be consistent anywhere, not just in the office.

It updates weekly. Because it's a SaaS solution, they don't tell you what is updated on their side, but if an update is on the user side, then they update it once weekly or biweekly.

If I had to rate Prisma Access for ease of use, I'd give it two out of ten. It's easy for the users, but it's difficult for admins to configure. 

I have been using Prisma Access for less than a year.

Prisma Access is stable. 

Prisma Access is scalable. 

I rate Palo Alto support seven out of ten. They sometimes take a long time to resolve complicated issues. 

Neutral

We tried Zscaler, but we switched to Prisma because of the price, and Palo Alto was better suited to our business requirements. Palo Alto is one of the best choices for regional deployment, but Zscaler is better for a global use case.

Setting up Prisma Access is complex. You cannot deploy it without help from Palo Alto or a Palo Alto partner. They are the only ones who can do the configuration. It took us about four months to get the solution up and running. We need about two IT staff to provide user support for Prisma, but Palo Alto handles all the updates. 

The licensing model isn't flexible enough. It's an all-or-nothing model. Other providers in the market allow you to buy modules or add-ons separately. With Prisma Access, you have to purchase the same module for all users.

In addition to Zscaler, we looked at Netskope and Cato Networks.

I rate Palo Alto Prisma Access a seven out of ten. It's not suitable for organizations whose users are primarily in mainland China. Prisma Access is excellent if you use most Palo Alto products, but Prisma Access might not be the best solution if you only use one of their products. 

It's crucial to define your business requirements well from the start because a Palo Alto solution can't quickly adapt to the changes that you need. If Palo Alto satisfies your initial conditions, it may be the cheapest solution at the time. However, if you need to make a change in the middle, the price can go up drastically.