Prisma Access by Palo Alto Networks Reviews

During the COVID times, the firewalls that were the on-prem gateways couldn't handle SSL decryption and VPNs. After everyone started working from home, the company faced the issue of not having enough firewalls for gateway and SSL decryption services. That's why we started using Prisma Access.

I used version 2.2 while working last with it two or three months ago. In terms of deployment, it was a Prisma Access hybrid solution with Panorama where we had firewalls and Prisma Access. It was not cloud-native Prisma Access with only cloud-based aspects.

We started using Prisma Access after everyone started working from home during COVID. Its auto-scaling feature was helpful for our organization. Prisma Access could scale depending on how many users were working from home. When we had additional users, unlike on-prem firewalls, we didn't have to worry about CPU and other things. It was also cheaper than on-prem firewalls because to handle a large number of users working from home, in the case of on-prem firewalls, we would've had to buy big firewalls. 

With Prisma Access, there is auto-scaling. When there are fewer mobile users, there are fewer Prisma Access gateways, and when there are more mobile users, more mobile gateways are created automatically. For example, if you have a company with 10,000 people, you should be able to handle the VPN traffic of 10,000 people and SSL decryption of that traffic. So, you need to buy a big on-prem solution. After COVID, even when people start working from the office, you would need the biggest firewall to be prepared for the future. 

Nowadays, most companies have started allowing employees to work from home. Most people don't want to return to the office. In many companies, many people are still working from home. Even in such a scenario, companies are expected to have a solution that provides flexibility for the workforce to work from home. 

We were able to use Prisma Access as a VPN solution. We used it as a proxy, and all the traffic was going through it. We wanted the same capability as an on-prem VPN. It was nice to be able to VPN all the traffic that we wanted. We were able to secure what we wanted to secure.

Prisma Access has the same capabilities as an on-prem Palo Alto Firewall in terms of signatures and application IDs. You could do everything with Prisma Access to secure web apps and non-web apps. It is a cloud-native firewall. It seems they use containers in the background but with the same Palo Alto software that is on the firewalls.

It provides traffic analysis, threat prevention, URL filtering, and segmentation.

It supports auto-scaling for mobile users. It auto-scales depending on the mobile user traffic. For example, if 1,000 people are working from home today, and tomorrow, the number increases to 2,000, it is not going to be an issue. Prisma Access is automatically going to scale based on the users. This is really important because with on-prem firewalls, if you enable SSL decryption and VPN and many people join, logging becomes a big issue.

Prisma Access updates its signatures in the background, which is important because when you have on-prem firewalls, sometimes, the users forget to update signatures. With Prisma Access, this is not the issue because it automatically updates signatures.

Prisma Access provides the ability to make custom signatures, which is really important because if you want to block something, you can do it yourself. You don't have to call the vendor and ask for a custom signature to be made. When we compared it with Zscaler, Zscaler is not a bad solution, but it is quite simple. You can't add custom signatures for applications. With Palo Alto, irrespective of whether it is an on-prem firewall or Prisma Access, you can make many customizations, such as custom signatures. For example, you might want to write custom signatures for the Log4J attack. This is something you can't do with Zscaler.

It can be improved if some customers want to use Prisma Access only for web traffic. Currently, it is a bit limited. Zscaler works better for web traffic. Zscaler's agent application on your computer can configure the proxy settings automatically, whereas Palo Alto's GlobalProtect agent is only a VPN solution. You can't use it also as a secure gateway agent to force the computer to have the settings to send the data to Prisma Access. They suggest using other techniques to force the computer to use Prisma Access for a secure web gateway solution. So, Zscaler is more like a secure web gateway, and Prisma Access is more like a full VPN solution. I see the limitations of both vendors. Palo Alto needs to improve the GlobalProtect agent to work as a secure web gateway agent, not only as a VPN agent because some companies would want only a secure gateway. They wouldn't want a full VPN. So, Palo Alto has to make the VPN agent work as a secure web gateway agent for those customers who want only the secure web gateway solution. Other vendors' agents, including ForcePoint which I don't like at all, can do that. 

One feature that I find missing in Prisma Access, as well as Palo Alto firewalls, is that they can't insert the 644 header. I want to be able to see the IP address of the users basically. My understanding is that almost no firewall can do this. It is not only Palo Alto, but it would be good to have this feature. The only vendor that I know can insert it is FortiGate, but with them, many other things don't work.

I have been using this solution for almost three years. I have worked with this solution in two companies. One of the companies was a partner with Palo Alto for their Next-Generation firewall and Prisma Access solutions. I also used it for a few months in another organization. I am now in another company, and I'm not using Prisma Access in this company.

It has good stability because it is a Palo Alto firewall. Palo Alto has made firewalls for many years now. It is based on the same software. So, if Palo Alto firewalls are stable, Prisma Access is stable. It is not something so new as everyone is talking about. It is based on the Palo Alto firewalls which are the leader in the market. 

They had some issues before, but at that time, Prisma Access was only using Google Cloud. They had some latency issues, but now, Prisma Access is also using AWS. They can use Google Cloud or AWS in the background to provision your environment. The latency issues are now gone because AWS has better coverage than Google Cloud. Palo Alto understood that Google Cloud is not enough. So, they used AWS and Google Cloud as the providers for the Prisma Access solution.

It is a cloud solution. It auto-scales. It is using AWS and Google Cloud. They have a lot of coverage. It can be used anywhere AWS and Google Cloud have PoPs.

We had 1,000 to 2,000 people using it on a daily basis. 

When you are working from your home, you can go to Prisma Access or on-prem gateways depending on the configuration. Prisma Access can work together with Palo Alto on-prem gateways. For example, if there's an on-prem firewall in Germany, German users do not have to go to Prisma Access. They can go to the German VPN Palo Alto Gateway, but if you have users in other countries where there are no firewalls, they will go to Prisma Access. So, you have this capability.

Their support is at a medium level. If you pay for premium support, they provide good support. Their normal support is not very good, but that's not only for Prisma Access, that is how Palo Alto works. 

I'm working a lot with F5's BIG-IP. They have one of the best support teams. Even if you don't have payment support, their support is quite good. It is better than Palo Alto's normal support. In general, most vendors have issues with support. The worst vendor that I have worked with is Forcepoint. Their support is extremely bad even for paying users.

Neutral

We have different technologies. We still have web application firewalls that we use in the company. Palo Alto Prisma Access is basically for coordinated firewalls, where you have your firewalls in the cloud. Everything you can do with on-prem firewalls can be done with Prisma Access, but this isn't the only solution you need. You would still need web application firewalls along with Prisma Access. The use case of Prisma Access is to secure your corporate employees. Its use case is not to secure your servers from inbound internet traffic. It is like a secure web gateway proxy to secure your corporate users.

It is easy, and I can't complain. It is a straightforward process. It takes about one hour. It is not so complex. It is a cloud solution. So, you just specify how many gateways you want, and with a few clicks, it gets deployed.

You don't need prior knowledge of the setup, but you should be a good network engineer and have the basic knowledge. It can't be done by someone who doesn't understand security networking. You need to have a good understanding of how much bandwidth you need because Prisma Access is taxed on bandwidth. So, you have to know how much bandwidth you need. You have to do static analysis before deploying Prisma Access to know how much bandwidth your users are using on average and how big the connection is going to be. You can increase the bandwidth later, but it is better to provision from the start based on the bandwidth requirements. The bandwidth analysis takes more time than the provisioning itself.

Palo Alto helped us with the initial deployment. In terms of maintenance, being a cloud solution, it requires next to no maintenance. If your company becomes bigger, you may have to push out more bandwidth from Prisma Access.

It is a little expensive. Because it is one of the best in the market, it is a little bit more expensive than other vendors. 

It is a little bit more expensive than Zscaler, but for a big company, this difference is not so big. Forcepoint has the cheapest support and the cheapest price. Forcepoint has a Cloud Security Gateway solution, but we ran away from them. If you want to go for the cheapest solution, go for Forcepoint and then complain as much as you want.

When comparing Prisma Access with Zscaler, you can't do much customization with Zscaler. That's why we selected Prisma Access. I like Prisma Access more than Zscaler because Zscaler doesn't have many capabilities. It doesn't let you do much customization, and you just have to depend on what the provider gives you as signatures.

For me, Zscaler is more for web traffic. Zscaler is comparable to Prisma Access when it comes to web filtering, like a secure web gateway proxy. If you want to filter out all your traffic, not only the web traffic, then you should definitely go for Prisma Access. Zscaler can be used as a firewall. They say it is similar to Prisma Access to filter out applications, not only web applications, but with Zscaler, you can't make custom signatures. They don't give you a lot of customization. You just enable the features and hope that they're enough. You can't do customizations that most big companies want. So, as a web filtering solution, it is comparable to Prisma Access, but if you want to filter out all the traffic and not only web traffic, then it is not so comparable to Prisma Access.

Zscaler also doesn't have application-level capabilities. Zscaler can't work with SIP traffic where you have to dynamically open FTP ports. For that, the solution should listen to the control plane traffic to know which port to open. Zscaler doesn't support that. So, it is quite limited for anything other than web traffic. However, Prisma Access is more limited when you use it as a secure web gateway solution.

Forcepoint also has a Cloud Security Gateway solution, but we ran away from them. Their cloud solution sometimes couldn't decrypt the web traffic. They had a bug when you want to decrypt one site from a category. For example, you want to decrypt Facebook, but you don't want to decrypt the social media category. In the Forcepoint GUI, you can specify that. In the GUI, it works, but in reality, it doesn't. There is a bug where the site will be decrypted or not decrypted only depending on the main category. You can't in reality change a site's decryption settings. Forcepoint didn't tell us they have this bug. They took two months to admit that and even got angry with me.

It is basically a Palo Alto firewall in the cloud. So, you can make custom applications and custom threat signatures. In terms of debugging, it is not as good as on-prem firewalls. With on-prem firewalls, you can do a lot more debugging, but you don't get a coordinated solution.

It is easy to use if you have experience with on-prem Palo Alto firewalls. Most customers who have Palo Alto on-prem firewalls have Panorama. Prisma Access integrates with Panorama just like on-prem firewalls. So, for customers who already have Palo Alto experience, it is quite easy. Palo Alto has another product for new customers, which is the Cloud Native Prisma Access, where you don't have on-prem firewalls. I have seen some videos about its web interface, and it seems very simple even for new customers. They can use Prisma Access without on-prem firewalls. They can use the cloud console, not Panorama. It seems even easier. So, newer customers would probably go with that technology and SD-WAN-based deployment, where almost all security is going to be in Prisma Access.

Prisma Access has two zones: an internal test zone and an external zone, which is basically the internet. It allows you to use segmentation. For example, if you're a customer of Prisma Access and you have many departments, you can create different tenants. So, different departments have different Prisma Access instances, but because we were a single company, we didn't use the tenant function. However, it provides the ability to split your organization's tenants so that different tenants get different policies. 

Prisma Access’ Autonomous Digital Experience Management (ADEM) is a good feature that you can't have with on-prem firewalls. I have not been using Prisma Access for a couple of months, but I'm still watching the Palo Alto channels. I saw that, with ADEM, they have an agent application that could be installed on the end-user devices. It provides visibility and helps identify any connectivity issues to an application over the VPN. The user gets to know if the issue is with Prisma Access or their ISP so that they don't call the IT department for simple things. For example, if you have a packet loss with Salesforce, you would know where the issue is happening. Is it with the Salesforce cloud application? Is it in Prisma Access between you and the Salesforce application? Is it with your internet service provider? That's the idea of Prisma Access ADEM.

Overall, I would rate it an eight out of ten. 

Prisma Access is a solution for remote and mobile users. Following the pandemic, many employees now work from home, meaning many companies have extended remote locations. We use the product to secure the networks of our remote and mobile users, so they can safely access our company's intranet and network.

Panorama provides centralized management capabilities for all our firewalls and locations so that we can manage different data centers through a single device, a very valuable feature. We don't have to log into various devices to oversee them individually.

The solution's ease of use is excellent; the GUI is fantastic, well-designed, and easy to use, even for non-technical staff. The different tabs are clearly visible and straightforward to understand.  

The platform protects all app traffic; when we enable GlobalProtect on the cloud and user device, it provides a secure, private connection for users to access applications. That's very useful.  

Prisma Access secures not just web-based apps but non-web apps, which is very important to us. We can also secure URLs, API-based solutions, and API browser interfaces. 

The fact that the solution secures web and non-web-based apps reduces the risk of a data breach to an extent. When we make apps accessible only through a private network, the risk is reduced. 

The product provides traffic analysis, threat prevention, URL filtering, and segmentation; these features are essential for troubleshooting. The logs showing the traffic passing through Prisma Access show us what's getting blocked and allowed, while the threat prevention alerts us to any suspicious or malicious items. This gives us insight if there's a data breach and if traffic we want to be blocked is still hitting our devices.   

Overall, the security provided by Prisma Access is excellent; the chances of a data breach are minimal. It's a great product.   

We would like to see improvements in the licensing; currently, Palo Alto provides 500 to 1000 licenses for users, and we want to see 1500 to 2000 licenses for one version.

We have been using the solution for one year. 

Prisma Access is a stable product. 

We can scale the tool well, add devices as soon as our user count grows, and scale in line with our company growth.

Regarding users, we have 30 staff managing Prisma Access, and GlobalProtect is installed on every machine in the company. 

We contacted the Palo Alto support team on many occasions. The one issue is it can take a long time to connect, and they can be challenging to reach when we need immediate help. They're accommodating if we send them a planning notice within 24 hours. Once the ticket gets assigned and we get through to a support staff member, the service is excellent. The only issue is with immediate assistance; it can be difficult to get through to someone.

Positive

We previously used Zscaler and switched for two reasons: firstly, the cost, and secondly, Prisma Access offers additional features in one device. It also has simplified architecture and reduced MPLS lines.

The initial setup was complex, and only our network admin could install it. Once the solution is set up, it's straightforward, but the setup is arduous. We completed the deployment in a day. Our implementation strategy was to determine the number of users and ensure they all had the necessary information regarding the solution and GlobalProtect. Then, we deployed accordingly.

We have a team of 30 responsible for managing and maintaining the solution. 

The solution is definitely worth the money we pay for it. 

Prisma Access is one of the best compared to other products on the market. The cost is favorable, and Palo Alto provides a simple architecture, so I recommend the solution to anyone using a different product. There are no hidden costs besides the license; what you see is what you get. 

I rate the solution nine out of ten. 

It's important to us that Prisma Access provides all its capabilities in a single, cloud-delivered platform. We previously used different firewalls with a Zscaler proxy for particular purposes, but now we don't have to purchase dedicated hardware. Prisma offers most of the features we need in one solution, so it's like getting three or four products in one; we don't have to go for extra tools to secure our apps or get a VPN because it's already provided.  

That Prisma Access provides millions of security updates daily is significant for us; there are new challenges and threats every day. Palo Alto Networks must keep its security up to date to protect against new and developing threats, as this security is essential to our operation. 

We don't use the solution's Autonomous Digital Experience Management (ADEM) features, and it doesn't allow us to deliver better applications; instead, it makes our applications more secure.

The biggest lesson I've learned from using Prisma Access is how easy management becomes; we don't have to log into multiple devices, and everything is accessible from one GUI.

The product comes with a helpful guide, and I recommend reading that before using Prisma Access. It's pretty simple.

We propose solutions to customers. They face challenges in their existing setups like long troubleshooting durations, fault tolerances, security concerns, and management concerns. They had traditional setups, like Cisco routers, in their locations.

It took a long time to troubleshoot and resolve issues. The cost was a factor because they were using MPLS connections. MPLS is costly compared to the internet leased lines. Considering all these factors, we decided to go with Prisma's cloud solution.

It's a hybrid solution. We have a few sites on cloud and a few branch locations where the solution is deployed on-premises. The cloud provider is Azure.

We have more than 2,000 branches around the world. The solution is deployed across Europe and Asia. Between 7,000 and 9,000 ION boxes have been deployed. 

Before using this solution, the prime complaints were about voice applications, like RingCentral and GoTo. We reported these issues to the Palo Alto TAC teams, and they came up with more stable versions. Whatever we discuss with the Palo Alto engineering team, they come up with the solution very quickly. We had updates on a regular basis, and the client is very happy now because we have solved 95% of those problems. Everything is stable from a security point of view. 

Prisma SaaS helps us identify cloud applications that we were unaware of employees using. The solution helps us identify a lot of cloud apps, but we identified four to five applications that were the most useful.

The solution protects what our clients want it to protect. They haven't reported any threats or data attackers in their systems. We haven't received any complaints from clients about data security.

The time to value is quicker with Prisma SaaS.

This GUI is a good feature. The stacked policies, event policies, and routing policies are easy to understand for someone with general knowledge.

Securing new SaaS applications is really easy. There weren't any security risks. Prisma also has great reporting and alarming functions.

The data security is good. We don't have any complaints from clients. They're very satisfied with the solution.

It's very easy to write down the policies based on Cloud App-ID. The app detection and analytics are great features.

The Cloud App-ID technology has helped us identify and control shadow IT apps. It's a very important and exclusive feature that's available with Palo Alto.

The solution helps us keep pace with SaaS growth in the organization. It's very important to us. Prisma SaaS is integrated and easy to deploy.

The frequency of updates could be reduced. The updates are necessary, but they occur too frequently. The updates require devices to be rebooted, so there's downtime in the production environment. It's difficult to ask for downtime in a critical production environment every time there is an update.

The software versions should be stable for longer durations. For example, six months or a year.

I used this solution in a technical support role for about seven months.

It's stable. About three months ago, we had some issues with stability, but it's been stable since then. The throughput is very high. At the data center location, it's performing really well.

The scalability is one of the best features. It's an elastic solution. We can stretch whatever we need to for our requirements.

I would rate this solution as eight out of ten.

We previously used a different solution. The main reason why we switched to Prisma SaaS was because of its scalability.

Setup was very easy. It's just plug and play. Deployment took between two and three hours. There wasn't a lot of physical technical intervention.

To deploy Prisma SaaS, we had to turn it on in our Palo Alto Prisma Axis.

Deploying Prisma takes a tenth of the time that it takes to deploy traditional CASB solutions in the market.

The complexity of the solution depends on how it's designed. Anyone who has a basic knowledge of networking can understand Prisma and administer it. It was quite difficult to manage, and it has a lot of components involved. Their onboarding process took a long time.

It has drastically reduced the total cost of ownership. Our costs have been reduced by 40%.

I would rate this solution as eight out of ten. 

My advice for those who are looking for a SaaS solution is to use Prisma. It's one of the best solutions in the industry at the moment. It's simpler and really easy to deploy. Palo Alto has its own support team. It's a very trustworthy solution.

To a colleague or another company who says, "We don't want to use Palo Alto Next Generation Firewall or Prisma Access as an enforcement solution, we just want a CASB product to secure our cloud adoption," I would say you're losing the best features of this product.

Our primary use case of Prisma Access is to provide secure Internet access for users regardless of their location. 

It is also used for secure access to internal applications and secure SaaS applications, ensuring the same level of security whether users are working from home, the office, or any other location.

Prisma Access has allowed us to reduce the number of agents from multiple to just one single agent. It integrates several components, such as IPS, DLP, remote VPN, and SWG, into a single console, which has helped reduce costs and improve the return on investment.

The most valuable feature of Prisma Access is its ability to provide enterprise-class security for both Internet and internal application access. Unlike other OEMs that can only secure Internet access, Prisma Access can secure both internal and Internet-based application access.

The Prisma Access could improve in terms of adding more machine learning and AI capabilities to automate tasks such as incident response. This would enhance the overall security posture by enabling better and faster management of security threats.

I have been working with Prisma Access for the last five-plus years.

In terms of scalability, Prisma Access has adapted well to our organization's growth needs. Most customers are either planning to move to SASE solutions or have already moved, making Prisma Access an excellent choice for scalability.

I would rate their technical support a nine out of ten.

Positive

Before using Prisma Access, we used multiple products for remote VPN, SWG from vendors like McAfee and Forcepoint Proxy, and other VPN clients from vendors like Pulse Secure VPN, Fortinet, and Palo Alto. We switched to Prisma Access for its integrated approach.

Prisma Access has significantly improved our ROI by combining multiple technologies into one single solution. It reduces the need for multiple agents and products, which brings down the overall cost for our customers.

The licensing cost of Prisma Access is calculated per unique user, with each user being able to connect up to eight devices. If a user is no longer active after thirty days, that license becomes free. There is flexibility in terms of exceeding the license count, as it operates on a trust-based license model.

Prisma Access is best suited for enterprise and mid-level customers. It may not be the best fit for the SMB market due to higher pricing. I'd rate the solution nine out of ten.

I use Prisma Access by Palo Alto Networks in our company for remote access, especially to help new users connect to corporate resources from over a distance, in other countries, or while they are not in the office.

I have seen some benefits from using the solution in our company since it offers mobility. My company has users around the world who connect to the resources remotely without any issues because of Prisma Access by Palo Alto Networks.

The most valuable features of the solution stem from the fact that it offers stability and scalability while being a very secure product.

Certain complications are related to the VPN part of the product, which can lead to a very deep and technical discussion. From an improvement perspective, I want the product to be integrated with SASE products.

Palo Alto Networks GlobalProtect or VPN in general with a cloud-based service would be a great improvement.

The product should be made more capable of offering more integration with the recent technologies introduced in the market. The product's integration capabilities with the already existing products in the market are good.

The product's current price is an area of shortcoming where improvements are required.

I have been using Prisma Access by Palo Alto Networks for four years. As it is a security product, our company keeps it updated to the latest version.

It is a 100 percent stable solution. Stability-wise, I rate the solution a ten out of ten.

It is a very scalable solution.

Around 800 people in my organization use Prisma Access by Palo Alto Networks. The solution can be scaled up to fit around 3,000 users at a time.

Prisma Access by Palo Alto Networks is used extensively twenty-four hours a day and seven days a week in my organization since we operate in different time zones.

The support offered by Palo Alto Networks is amazing. Whenever my company opens a ticket with the support team of Palo Alto Networks, we get amazing support. The support team of Palo Alto Networks is fast, customer-friendly, and knowledgeable.

I have experience with Cisco and Fortinet. I have experience with Cisco AnyConnect Secure Mobility Client. The last time we used Cisco AnyConnect Secure Mobility Client in our company was three years ago, after which it was phased out from the set of standard solutions we use. Based on my experience with Fortinet and FortiClient, I can say that the support is not at the same level as the one offered by Palo Alto Networks. Fortinet's technical support team is not as strong as the technical team of Palo Alto Networks. Only the prices of Fortinet and FortiClient were good compared to Palo Alto Networks.

The product's initial setup phase was very straightforward.

The deployment process involves identifying the user profiling and figuring out what exactly its users need, meaning there are some prerequisites involved in the deployment's preparation phase, and it is the most important process critical for the product's success.

The solution is deployed on an on-premises model.

The solution can be deployed in two days.

The deployment can be carried out with the help of our company's in-house team.

Prisma Access by Palo Alto Networks is an expensive solution, especially when compared to other solutions like Cisco. There are no additional charges apart from the standard licensing costs attached to the solution.

Those who plan to use the solution should ensure very good user profiling is carried out, after which they should link the product with the corporate security policy. Prisma Access by Palo Alto Networks is a very flexible solution, and you need to know exactly what you want out of the solution, which should align with the policies in your company as it is an area that differs from one corporate entity to another.

Considering the cost of the solution, I rate the overall tool a nine out of ten.

I'm a cloud security architect, but I joined this project because one of my teammates left. My manager asked me to join because I have prior experience with Cisco Systems and Dell security. 

Our client has 40 sites, and they used other products called Peruit and PescUmbrella. My colleague was helping them remove the products from their laptops and replace them with Cortex XDR and Prisma Access. 

Prisma Access is a better product than our client's previous solution, and it helps organizations work differently. It saves time, but I'm not sure about money. I had never considered that aspect because I'm not involved in the financial side. The solution helps us to operate efficiently. Everything we want to do is in there, including DNS, web, and URL security.

Endpoint Protection is something I use on my corporate laptop, and it's doing a wonderful job. I don't experience latency. Prisma has a massive number of secure gateways compared to any other product. All these gateways reduce latency and provide better bandwidth because they use cloud platforms. The scalability and efficiency are excellent so far. 

Prisma integrates well with Cortex XDR and Cortex Data Lake. My company has been also using Prisma Access in-house for nearly a year, and it integrates seamlessly. 

Another aspect I like about Prisma is its usability and control. You can do many functions from a single dashboard. It has more features than Zscaler. The look and feel are better. Prisma is a one-stop shop that does many tasks, like logging and monitoring. 

Having a cloud-based platform is essential because we're pushing all our customers to the cloud. Most of our customers will be using Prisma in the future. Prisma Access provides traffic analysis, threat prevention, URL filtering, and web filtering, which are critical features that our customers request. You don't need a separate administrator for each task. One admin with a little training can handle all of them on Prisma Access. The rest depends on how much you can play with the product.

The documentation is generally good, but they could provide a more detailed description of all the configuration steps. I have to search for information or call support. Palo Alto could add more knowledge base articles about configuration with screenshots and walkthroughs. That would be helpful. When configuring a product, you want to see examples of how it is done. 

I am using Prisma Access for two projects. I haven't been using it for more than six months. 

I haven't worked with Prisma for long, but my impression of the stability so far is good. 

Prisma Access is most suitable for large enterprises because it also includes posture management. It's comparable to Microsoft ESPM. Microsoft makes many of the tools I use as a cloud architect, so I see everything from that perspective.

I don't think smaller companies will have any issues with Prisma. My company has five offices in India and users in 55 countries. Prisma is excellent in terms of scalability, usability, readiness, and user experience. It also runs on older operating systems and new ones too. The laptop I initially got from the company was pretty old. It's a gen-three. I got a newer laptop, and it works on either. 

I rate Prisma Access support a nine out of ten. Their support is helpful. They have a large team of product managers, so they're always available to talk. The response times are excellent. 

I'm impressed. Their technical teams are knowledgeable about the product, and they have global support. You can get support around the clock no matter which time zone you are in. One of my clients is in the US, and the other is in India. Both can access support without a problem.

Positive

I worked with Cisco Fire and AnyConnect, which combines security and VPN. AnyConnect is a popular Cisco product clients use remotely to connect their machines to their offices. That was the first product. Cisco acquired Sourcefire and rebranded it to Fire, which is again a client-based solution.

The deployment is straightforward, and it's done via Prisma's console. I didn't find it to be tricky or have any difficulty finding what I needed. Everything is clearly labeled and intuitive. The more you play with that, the more comfortable you get.

It only takes a minute or two if you have everything configured and you simply need to push the config file. That also depends on how much configuration you push at once. A small configuration takes less than 30 seconds. A larger configuration like we've done in the past few days might take a minute or more. 

I rate Prisma Acess a nine out of ten. It's better than any other product in the market.

We use Prisma Access, not only for our remote users, in a distributed workforce, but for our offices as well. Right now, because of COVID, there is a very limited footprint on the office side of it. But we would like to cover our offices so that when people are working in them and trying to access resources, whether those resources are hosted on public cloud, private cloud, in data centers, or on-prem, Prisma Access is involved.

Prisma Access is completely hosted on Google Cloud Platform. Palo Alto Panorama, which is the centralized management tool, is also hosted on a public cloud environment. So the entire solution lies in the cloud.

The fact that Prisma Access provides millions of security updates per day is really important because it takes care of the equivalent of preparing patches and pushing them to your environment, without the headaches of managing and maintaining those processes for your infrastructure. If you get security intelligence from different verticals and different alliances, or through some sort of open API integration where vulnerabilities arise at different times, it's going to be difficult to keep up. Subscribing to this service and having it take care of that is really phenomenal.

And the best part is that you know that you are part of a bigger ecosystem where this learning about security issues is happening, and things are made available to you on a scheduled basis every day. It automatically strengthens your security posture. We are quite happy with this feature and feel very confident that the Palo Alto security stack takes care of all of these things automatically. That is one of the salient features and was one of our evaluation parameters for choosing a solution.

Another benefit is that before, if we had to set up a restricted environment for a given project, the lead time was about a day to get everything functioning correctly and to get the go-ahead from the security team. Now, setting up these environments can literally happen in less than five minutes. It is already segmented. All you need to do is ensure the people who are part of the project are included in a single access-control list, which these days is based on GCP Identity-Aware. Based on that, it provides the right privileges required to access certain things. That is the building block of any SasS solution with zero cross-network access. And it is very easy now.

The Prisma Access remote side is pretty good with respect to the footprint that it covers. Because it is built on the Google platform, using the Google Premium Tier network, it is almost everywhere geographically. From wherever we initiate a connection, it connects with the nearest point of presence, which minimizes the latency. And we can access applications wherever they are hosted.

It protects all app traffic so that users can gain access to all apps. Unlike other solutions that only work from ports 80 and 443, which are predominantly for web traffic, Prisma Access covers all protocols and works on all traffic patterns. It is not only confined to web traffic. This is important because security is something that should always be baked in, rather than being an afterthought. The most sophisticated attacks can arise from sources that are not behind 80/443. They could come through bit-torrent traffic, which uses a non-standard port, altogether. We want to cover off those possibilities. We were very sure, from the start of our deployment when conducting PoCs, that the solution we picked should have coverage for all ports and protocols.

The fact that it secures not just web-based apps, but non-web apps as well, is important because the threat landscape is quite big. It not only includes public-facing applications that are accessible via web protocols, but it also includes many attacks that are being generated through non-standard protocols, like DNS tunneling and newly-registered domain control names. There are also a lot of critical applications being accessed on a point-to-point basis, and they might be vulnerable if those ports and protocols are not being inspected. You need to have the right security controls so that your data remains protected all the time.

In terms of the solution's ease-of-use, once you understand the way the various components stitch together, and once the effort of the initial configuration, setup, and rollout are done and you have set up the policies correctly, you're just monitoring certain things and you do not have to touch a lot of components. That makes it easy to manage a distributed workforce like ours in which there are 10,000-plus users. With all those users, we only have a handful of people, five to seven individuals, who are able to gracefully manage it, because the platform is easy to use. It does take considerable effort to get up to speed in configuring things during the initial deployment, but thereafter it is just a case of monitoring and it's very easy to manage.

In addition, whether traffic is destined for a public cloud environment, or for a private data center, or you are accessing east-west traffic, you can apply the same security policies and posture, and maintain the same sort of segmentation. Prisma Cloud offers threat prevention, URL filtering, and DNS protection, and east-west traffic segmentation. These features are the foundation of any security stack. There are two primary purposes for this kind of solution, in the big picture. One of them is handling the performance piece, providing ease of access for end-users, and the second is that it should handle security. All of these components are foundational to the security piece, not only to protect against insider threats but to protect things from the outside as well.

Prisma Access offers security on all ports and protocols. It covers the stack pretty well, leaving no stones unturned. The same unified protection is applied, irrespective of where you access things from or what you access. That also makes it a very compelling solution.

There are definitely a number of things that could be improved. 

One of them is geographic coverage. China is still an issue because the solution does not operate there properly due to government regulations. I believe Palo Alto is trying pretty hard to get into partnerships with Alibaba and other cloud providers, but they do not have the same compelling offering in China that they have in the rest of the world. Businesses that are operating within China have to be very sure to evaluate the solution before making a buying decision. It is not an issue with Palo Alto, rather it is predominantly the result of government rules, but it's something that Palo Alto needs to work on.

There is also room for improvement when it comes to latency in a couple of regions, including India and South America. They might have to increase their presence in those locations and come up with more modern cloud architectures.

The third area is that, while Palo Alto has understood the essence of building capabilities around cloud technology and have come up with a CASB offering, that is a very new product. There are other companies that have better offerings for understanding cloud applications and have more graceful controls. That's something that Palo Alto needs to work on.

I've been using Prisma Access by Palo Alto for two to three years. We started deploying Palo Alto gear back in 2015 and, along the way we have looked into multiple tools from them and invested them.

On a scale of one to 10, I would give the stability a seven. There are a couple of reasons for that score. One is that when we make certain changes to configs, it takes about 14 to 15 minutes to populate. And there have been scenarios where it has taken about 45 minutes for the config changes to happen. When you sell a product by saying that it's cloud-native and that users can make all configuration changes on-the-fly, when those changes are made they should happen within a minute. They should not take that much time.

It might be that Palo Alto is still using a certain type of infrastructure in the backend that is causing these delays. If they pile on the cloud technologies, and work towards a more microservices-based architecture, I'm hopeful that they can bring this delay down to less than a minute.

Going from one user to 10,000 or 15,000 users, we haven't faced a lot of problems. However, for companies that are considering investing in this solution, if they have more than 50,000 end-users, a config change could take 10 to 15 minutes. In an environment where 50,000 people are expecting certain things to work, those things might not work for them. Such companies have to look at the solution very thoroughly in terms of the cloud piece, the integration piece. But from one to 15,000 or 20,000 end-users, it is flawless. We don't tend to see a lot of issues. But beyond, say, 25,000, I would suggest doing a deeper analysis before purchasing the product, because there are some glitches.

Initially, Palo Alto technical support was okay around sales discussions and getting up to speed on doing a PoC. But one once we deployed and then raised queries, those lead times increased quite a bit. Unless you take their premium support, where there is an SLA associated with every issue that you raise, it becomes very difficult to get hold of engineers to work on a Prisma Access case. If you just take some sort of partner support, you cannot expect the same level of support on your day-to-day issues that you would get with premium support.

Fundamentally, when a company sells a product, whether you are taking the premium support or some other level of support, the support metrics should be more or less the same, because you are trying to address problems that people are facing. Their response should be more prompt. And if they can't join a call, they should at least be prompt in replying via email or chat or some other medium, so that the customer feels more comfortable about the product and the support. If it takes time to resolve certain problems, post business hours, it can be very difficult for people to justify why they have deployed this product.

Neutral

COVID was a surprise for us, just like for everyone else in the world. We had a solution from Palo Alto, but it was not a scalable one. We configured things in a more manual way because our requirements were not that high in terms of remote use cases. Post-COVID, the situation has completely changed for us and we have to think about a hybrid situation where we can still gracefully allow access to end-users in a more secure fashion. That led us to evaluate this solution from Palo Alto.

The initial setup is not so straightforward. There is a learning curve involved because you need to understand which component fits where, with all of these modern, edge infrastructure secure-access services. You need to do capacity planning well, as well as a budgetary plan. You need to know the right elements for your business. Once you set that up, it is very simple to manage.

It took us about two to three months to deploy because we have a lot of geographical constraints. Different regions have different requirements. Accounting for all of those needs is why it took us that amount of time to set everything up.

We have to do an apples-to-apples comparison. If you had a very small set of people who had to create a dedicated setup like Prisma Access, and manage the infrastructure piece and the upgrading piece and the security piece, it would be a nightmare. Prisma Access offers that ease and flexibility so that even a handful of people, with the right knowledge, are still able to manage the configuration piece of it, because the infrastructure and other things are handled by Prisma Access. If you had to build that whole thing versus buying it, obviously Prisma offers a good ROI.

It all depends on your requirements. If your requirements enable you to do those things on a much smaller scale, then you need to be very cautious about which components of Prisma you actually pick for your use case. If you get all the components, you might not be getting the right ROI.

For our use case, we feel we are getting a return on investment, but it could be better.

The most pricey solution is Zscaler, followed by Prisma Access, and then Netskope.

The initial prices of Prisma Access were okay. But as soon as you start deploying Palo Alto gear, the support prices and the recurring prices, which are the major operational costs, tend to increase over time. For example, if you go ahead with a one-year subscription, just for testing purposes to see how the whole solution works, and you plan to renew for the next two or three years, you tend to see that the solution gets really costly.

We understand that when you purchase a hardware component, the cost goes up because you have a physical asset that depreciates over time. But when you are getting a subscription-based service, the cost should tend to be reduced over time. With Prisma Access, the cost is increasing and that is something beyond any kind of logic. This is something that Palo Alto needs to work on if they want to be competitive in the market.

We evaluated other options like Zscaler and Netskope. Prisma Access has more coverage for ports and protocols. It doesn't only inspect web protocols but all ports and protocols, and that's an advantage. Other solutions are still relying on web protocols.

The positive side of these other solutions, because they came along a little later, is that they have understood the demerits of a solution like Prisma Access. They are using more cloud-native components and microservices architectures. That makes these solutions faster. As I said, some config changes in Prisma Access take 14 to 15 minutes, but these other solutions literally take a minute to make the same config changes happen.

It's a constant race.

Put your business requirements up against the solution to see how it pans out. Look at the stability of the product, and at how much time it takes to make configurations and apply them in practice. And if you have a distributed workforce, like us, try to run this solution in southern countries where there is a latency issue or known issues with ISPs. You may not get the same set results that you tend to get in northern countries around the world.

We don't have a subscription to Prisma Access' Autonomous Digital Experience Management features, but we have done some testing of it. It's pretty good because it can help ease the work of an office helpdesk person who constantly gets tickets but has no visibility for monitoring things. With everybody conducting their work from home, it gets very difficult to know the setup of the internal environment and how people are accessing things and where the bottlenecks are. The ADEM tools are going to help immensely in that regard, because without having knowledge of the underlying infrastructure at every individual's home location, you can still identify whether a problem is specific to their home office or to the application the user is accessing or to the network that is causing the problem. That information is absolutely at your fingertips. Analyzing those types of things becomes really easy. 

ADEM will also help with the efficacy of troubleshooting and providing support to end-users. If there are certain applications that are critical to an organization, you could easily define a metric to see, out of all the people who are accessing those applications every day, how many of them are facing a problem. And if they're facing a problem, what the parameters of the problem are. Avoiding the problem could turn out to be something that people need to be educated about, or maybe there is something we can proactively tell users so that they can take precautionary measures to get a better experience. It is certainly going to help in enhancing the end-user experience.

Palo Alto's building blocks clearly illustrate an app-based model. It analyzes things based on an application so that we know what the controls are within an application. For example, if you want to block Facebook's chat but continue to allow basic Facebook to be browsed, that kind of understanding of the application would allow you to do so. That is way more graceful than completely blocking the end-user. It's not something that is specific to Palo Alto Prisma Access but it is a core component of Palo Alto.

We are a partner of Palo Alto. We focus on healthcare customers, and we help them onboard and manage different Palo Alto solutions, including Prisma SaaS.

It gives you visibility and an understanding of what you have in your environment. A couple of years ago, all the information that you had in your SaaS environment was kind of a black box. You didn't have any information about what you or your employees had there. So, visibility is one use case, and another very important use case is the ability to review the way the files and information are shared. You can see if a confidential file is being shared. Having this information and awareness is important for the administrators of Office 365 and other environments so that they can make corrections.

With the use of the Data Loss Prevention (DLP) module, the scanning process scans all the files that you have in there and classifies them through the DLP engine. So, when you get your results, you would have files with the matching results, such as with credit card numbers or phone numbers. There are also data profiles or policies, such as PCI, PII, or GDPR compliance. Palo Alto is working on adding more profiles, such as HIPAA, based on different compliance standards in the industry.

It is a SaaS solution, and we are using its most recent version.

You get the control and visibility into what you have in your SaaS applications. It helps you to know what you have in your environment and then meet your compliance needs. You get to know whether all of them are on a single platform. You also get an understanding of what type of information you have and how it is disposed of. Based on the results that you get from the scanning process, you can accomplish goals, such as PCI compliance or GDPR compliance. Most of the customers are governed by their security information team and have an obligation to be compliant with different industry standards, such as PCI, PII, or GDPR. With this platform, you are a step ahead in knowing what you have in your environment and accomplishing the compliance goals.

You have the ability to create your own expressions for your data. Palo Alto understands that DLP is not the same for all consumers. You might have a particular need to fulfill, and they give you the opportunity to create a custom expression to match the specific format that you have. For a confidential file property that you have in your files, you can add a metadata field. It gives you that opportunity to create that.

Another thing that I really like is the Azure AD integration. You can integrate with Azure AD in order to apply what they call the groups in Azure AD. You can apply groups, and you can have different characteristics, but the most important thing for me is that you can select groups and put the groups into your policies because your DLP or the things that you want to catch may be different for different departments. Your requirements would be different for your HR department versus your development team. For the HR department, it would be more useful to have PII information because they are trying to work with new employees and information. So, it should be different. With Azure AD, you can make a differentiation between these two departments. I found that very useful.

They can add some new characteristics. For example, when an incident triggers, they can automatically send a template for a particular match that is related to the policy. We don't have that right now. It is something to improve. There could be more automation for certain actions. For example, for a particular group, it can send an administrator alert to their manager. It was one of the concerns of our customers. 

You have three types of rules in SaaS Security API. You have the asset policies. You have the user activity policies, and you have the security control rules. Asset policies are more general, and they are more focused on the general behavior of an asset, which is a file. The user activity rules control or alert about unusual user activity or compliance violations, such as when a user uploads a large number of files. It would be good if you can put User IDs for the asset rules. In the asset rules, you can use the Azure AD group, but you cannot use the User ID. That would be a good improvement. 

Palo Alto has a lot of different solutions, and it would be good if the DLP part can be integrated with other solutions as well.

I've been working with Prisma SaaS for two years.

In general, it is good, but everything could be a little bit better. For example, they are working on including more data to catch or trying to reduce the gaps between the matches. It is DLP, but it is not perfect. We're going to have a false positive. They are working on closing that gap and being more accurate, but in general, it gives you accurate and reliable information.

You can onboard certain applications, and if you add more and more files, it's going to continue scanning those files. If you take a business decision to purchase a new SaaS application for your team, such as Slack, you can onboard that new application. You don't have a particular limitation on that. So, if you want to grow and have more business applications, your only concern should be whether they are supported by SaaS Security API. That's because not all the applications work the same way or have the same characteristics, but it gives you an opportunity to grow.

We have had environments with 200 to 2,000 users. It depends on a customer's SaaS environment, and if they want to apply to all of it or a part of it. There was a requirement from a customer to be notified when there is a file share with certain domains, which were their competitor's domains. That way they would get to know when someone from inside the company is sharing information with the competitors. Another common requirement is to be notified or create an incident when I share a public file in my Office 365 account. 

It is gaining more popularity among different customers in the last year. Palo Alto is trying to focus and combine it with other types of solutions related to DLP in order to secure not only your SaaS environment but all of your perimeter. Palo Alto is going to be very focused on that, and its usage is going to increase. In the past, it was not something that a lot of customers required. Palo Alto is working on improving the platform and making it more attractive to meet customers' needs. The market is changing continuously, and Palo Alto is focused on having DLP in different environments.

I didn't use their support that much, but it is fine. Palo Alto has different teams that are focused on different types of solutions. They have a SaaS team for the SaaS API problems that can come. They are good, but sometimes, it would be good to have a quicker response from their side because you want to resolve an issue as fast as you can. They have a lot of companies, and it is kind of hard. You would find this problem with most of their partners, but they always come to you with a good disposition and try to solve it in the shortest time possible. So, overall, their support is good. I would rate them a four out of five.

Positive

I didn't use any similar solution previously. The company that I have been working for is very focused on Palo Alto solutions, and I didn't have the opportunity to work with other tools that are on the market.

In most cases, it is easy, but it depends on the application that the customers want to onboard. For example, if you want to onboard Office 365, Microsoft Teams, and Exchange, the onboarding is easy because you can use the same user account for these three solutions. The challenging part is that you need to create an account with the specific rights for communication and gathering the appropriate information. That's more complex. In some cases, the companies are not completely controlling their Office 365 environment. They have a leader company that gives you the rights, which can take a bit longer.

It could be challenging when you try to use the S3 bucket because you have to work with the IAM to get the exact privilege access to the bucket. That's a more complex part, but if you know what you are doing, it's not that hard.

For me, its implementation is very straightforward. I would rate it a four out of five in terms of ease. Its duration varies because it depends on the information that you have in your SaaS applications because it's going to communicate with your applications through API.  It depends on a lot of things, but in my experience, one week to one and a half weeks is generally enough time. It is not something set in stone. It can take less or more, but you obtain a lot of information once that is finished.

It is not necessary to have a consultant from Palo Alto. The activation part is straightforward. They send you a magic link to have access and configure it. It takes about 20 to 30 minutes to generate the tenant, if I am not wrong. After that, it's very straightforward. There is documentation about each application that you want to onboard.

Before implementing it, it is very important to have a conversation with the customer about the applications they want to onboard, and inside those applications, what type of information they want to catch. For example, a pharmaceutical company might not be as aware of all the compliances for HIPAA or PII. It is important to have that information in order to understand what they want to catch. You can have that covered with predefined ones. We might also have to create custom ones, but it is not that necessary to have someone from Palo Alto if you have a correct partner who knows about the platform.

After onboarding applications, we recommend testing the rules on specific owner files to verify that the results that you are obtaining are accurate and as expected. If they are good, you can go ahead and apply the rules for all. Because a rule is already tested, you don't have to modify it a lot later. If you have a new need, you can create a new rule. After that, the knowledge transfer with the customer is very important. It is not a complex application to manage for the customer, but they really need to understand what it's doing. This knowledge transfer is really important, and it is something that we care about a lot in the company.

After rebranding, its name now is SaaS Security API. My experience with the product is mostly good. Before going for this solution, it's very important to understand what the customer is looking for. In terms of visibility, it's very good because it's an opportunity to have a lot of visibility about the applications that you onboard. For example, you have all that information centralized, and you can apply policies for them. It is very good for that purpose, but it's communication through an API. So, it's not something like a firewall where you can block something instantaneously. It requires a different approach. You need to have an understanding and the objective to obtain visibility and gain more results.

You need to be very clear about what you are looking for and what type of information or compliance you want. Focus on not using it as an individual solution. It's a platform that generates more value when working together with other solutions. 

I would rate this solution an eight out of ten.