Prisma Access by Palo Alto Networks Reviews

We are a partner of Palo Alto. We focus on healthcare customers, and we help them onboard and manage different Palo Alto solutions, including Prisma SaaS.

It gives you visibility and an understanding of what you have in your environment. A couple of years ago, all the information that you had in your SaaS environment was kind of a black box. You didn't have any information about what you or your employees had there. So, visibility is one use case, and another very important use case is the ability to review the way the files and information are shared. You can see if a confidential file is being shared. Having this information and awareness is important for the administrators of Office 365 and other environments so that they can make corrections.

With the use of the Data Loss Prevention (DLP) module, the scanning process scans all the files that you have in there and classifies them through the DLP engine. So, when you get your results, you would have files with the matching results, such as with credit card numbers or phone numbers. There are also data profiles or policies, such as PCI, PII, or GDPR compliance. Palo Alto is working on adding more profiles, such as HIPAA, based on different compliance standards in the industry.

It is a SaaS solution, and we are using its most recent version.

You get the control and visibility into what you have in your SaaS applications. It helps you to know what you have in your environment and then meet your compliance needs. You get to know whether all of them are on a single platform. You also get an understanding of what type of information you have and how it is disposed of. Based on the results that you get from the scanning process, you can accomplish goals, such as PCI compliance or GDPR compliance. Most of the customers are governed by their security information team and have an obligation to be compliant with different industry standards, such as PCI, PII, or GDPR. With this platform, you are a step ahead in knowing what you have in your environment and accomplishing the compliance goals.

You have the ability to create your own expressions for your data. Palo Alto understands that DLP is not the same for all consumers. You might have a particular need to fulfill, and they give you the opportunity to create a custom expression to match the specific format that you have. For a confidential file property that you have in your files, you can add a metadata field. It gives you that opportunity to create that.

Another thing that I really like is the Azure AD integration. You can integrate with Azure AD in order to apply what they call the groups in Azure AD. You can apply groups, and you can have different characteristics, but the most important thing for me is that you can select groups and put the groups into your policies because your DLP or the things that you want to catch may be different for different departments. Your requirements would be different for your HR department versus your development team. For the HR department, it would be more useful to have PII information because they are trying to work with new employees and information. So, it should be different. With Azure AD, you can make a differentiation between these two departments. I found that very useful.

They can add some new characteristics. For example, when an incident triggers, they can automatically send a template for a particular match that is related to the policy. We don't have that right now. It is something to improve. There could be more automation for certain actions. For example, for a particular group, it can send an administrator alert to their manager. It was one of the concerns of our customers. 

You have three types of rules in SaaS Security API. You have the asset policies. You have the user activity policies, and you have the security control rules. Asset policies are more general, and they are more focused on the general behavior of an asset, which is a file. The user activity rules control or alert about unusual user activity or compliance violations, such as when a user uploads a large number of files. It would be good if you can put User IDs for the asset rules. In the asset rules, you can use the Azure AD group, but you cannot use the User ID. That would be a good improvement. 

Palo Alto has a lot of different solutions, and it would be good if the DLP part can be integrated with other solutions as well.

I've been working with Prisma SaaS for two years.

In general, it is good, but everything could be a little bit better. For example, they are working on including more data to catch or trying to reduce the gaps between the matches. It is DLP, but it is not perfect. We're going to have a false positive. They are working on closing that gap and being more accurate, but in general, it gives you accurate and reliable information.

You can onboard certain applications, and if you add more and more files, it's going to continue scanning those files. If you take a business decision to purchase a new SaaS application for your team, such as Slack, you can onboard that new application. You don't have a particular limitation on that. So, if you want to grow and have more business applications, your only concern should be whether they are supported by SaaS Security API. That's because not all the applications work the same way or have the same characteristics, but it gives you an opportunity to grow.

We have had environments with 200 to 2,000 users. It depends on a customer's SaaS environment, and if they want to apply to all of it or a part of it. There was a requirement from a customer to be notified when there is a file share with certain domains, which were their competitor's domains. That way they would get to know when someone from inside the company is sharing information with the competitors. Another common requirement is to be notified or create an incident when I share a public file in my Office 365 account. 

It is gaining more popularity among different customers in the last year. Palo Alto is trying to focus and combine it with other types of solutions related to DLP in order to secure not only your SaaS environment but all of your perimeter. Palo Alto is going to be very focused on that, and its usage is going to increase. In the past, it was not something that a lot of customers required. Palo Alto is working on improving the platform and making it more attractive to meet customers' needs. The market is changing continuously, and Palo Alto is focused on having DLP in different environments.

I didn't use their support that much, but it is fine. Palo Alto has different teams that are focused on different types of solutions. They have a SaaS team for the SaaS API problems that can come. They are good, but sometimes, it would be good to have a quicker response from their side because you want to resolve an issue as fast as you can. They have a lot of companies, and it is kind of hard. You would find this problem with most of their partners, but they always come to you with a good disposition and try to solve it in the shortest time possible. So, overall, their support is good. I would rate them a four out of five.

I didn't use any similar solution previously. The company that I have been working for is very focused on Palo Alto solutions, and I didn't have the opportunity to work with other tools that are on the market.

In most cases, it is easy, but it depends on the application that the customers want to onboard. For example, if you want to onboard Office 365, Microsoft Teams, and Exchange, the onboarding is easy because you can use the same user account for these three solutions. The challenging part is that you need to create an account with the specific rights for communication and gathering the appropriate information. That's more complex. In some cases, the companies are not completely controlling their Office 365 environment. They have a leader company that gives you the rights, which can take a bit longer.

It could be challenging when you try to use the S3 bucket because you have to work with the IAM to get the exact privilege access to the bucket. That's a more complex part, but if you know what you are doing, it's not that hard.

For me, its implementation is very straightforward. I would rate it a four out of five in terms of ease. Its duration varies because it depends on the information that you have in your SaaS applications because it's going to communicate with your applications through API.  It depends on a lot of things, but in my experience, one week to one and a half weeks is generally enough time. It is not something set in stone. It can take less or more, but you obtain a lot of information once that is finished.

It is not necessary to have a consultant from Palo Alto. The activation part is straightforward. They send you a magic link to have access and configure it. It takes about 20 to 30 minutes to generate the tenant, if I am not wrong. After that, it's very straightforward. There is documentation about each application that you want to onboard.

Before implementing it, it is very important to have a conversation with the customer about the applications they want to onboard, and inside those applications, what type of information they want to catch. For example, a pharmaceutical company might not be as aware of all the compliances for HIPAA or PII. It is important to have that information in order to understand what they want to catch. You can have that covered with predefined ones. We might also have to create custom ones, but it is not that necessary to have someone from Palo Alto if you have a correct partner who knows about the platform.

After onboarding applications, we recommend testing the rules on specific owner files to verify that the results that you are obtaining are accurate and as expected. If they are good, you can go ahead and apply the rules for all. Because a rule is already tested, you don't have to modify it a lot later. If you have a new need, you can create a new rule. After that, the knowledge transfer with the customer is very important. It is not a complex application to manage for the customer, but they really need to understand what it's doing. This knowledge transfer is really important, and it is something that we care about a lot in the company.

After rebranding, its name now is SaaS Security API. My experience with the product is mostly good. Before going for this solution, it's very important to understand what the customer is looking for. In terms of visibility, it's very good because it's an opportunity to have a lot of visibility about the applications that you onboard. For example, you have all that information centralized, and you can apply policies for them. It is very good for that purpose, but it's communication through an API. So, it's not something like a firewall where you can block something instantaneously. It requires a different approach. You need to have an understanding and the objective to obtain visibility and gain more results.

You need to be very clear about what you are looking for and what type of information or compliance you want. Focus on not using it as an individual solution. It's a platform that generates more value when working together with other solutions. 

I would rate this solution an eight out of ten.

We use Prisma Access, not only for our remote users, in a distributed workforce, but for our offices as well. Right now, because of COVID, there is a very limited footprint on the office side of it. But we would like to cover our offices so that when people are working in them and trying to access resources, whether those resources are hosted on public cloud, private cloud, in data centers, or on-prem, Prisma Access is involved.

Prisma Access is completely hosted on Google Cloud Platform. Palo Alto Panorama, which is the centralized management tool, is also hosted on a public cloud environment. So the entire solution lies in the cloud.

The fact that Prisma Access provides millions of security updates per day is really important because it takes care of the equivalent of preparing patches and pushing them to your environment, without the headaches of managing and maintaining those processes for your infrastructure. If you get security intelligence from different verticals and different alliances, or through some sort of open API integration where vulnerabilities arise at different times, it's going to be difficult to keep up. Subscribing to this service and having it take care of that is really phenomenal.

And the best part is that you know that you are part of a bigger ecosystem where this learning about security issues is happening, and things are made available to you on a scheduled basis every day. It automatically strengthens your security posture. We are quite happy with this feature and feel very confident that the Palo Alto security stack takes care of all of these things automatically. That is one of the salient features and was one of our evaluation parameters for choosing a solution.

Another benefit is that before, if we had to set up a restricted environment for a given project, the lead time was about a day to get everything functioning correctly and to get the go-ahead from the security team. Now, setting up these environments can literally happen in less than five minutes. It is already segmented. All you need to do is ensure the people who are part of the project are included in a single access-control list, which these days is based on GCP Identity-Aware. Based on that, it provides the right privileges required to access certain things. That is the building block of any SasS solution with zero cross-network access. And it is very easy now.

The Prisma Access remote side is pretty good with respect to the footprint that it covers. Because it is built on the Google platform, using the Google Premium Tier network, it is almost everywhere geographically. From wherever we initiate a connection, it connects with the nearest point of presence, which minimizes the latency. And we can access applications wherever they are hosted.

It protects all app traffic so that users can gain access to all apps. Unlike other solutions that only work from ports 80 and 443, which are predominantly for web traffic, Prisma Access covers all protocols and works on all traffic patterns. It is not only confined to web traffic. This is important because security is something that should always be baked in, rather than being an afterthought. The most sophisticated attacks can arise from sources that are not behind 80/443. They could come through bit-torrent traffic, which uses a non-standard port, altogether. We want to cover off those possibilities. We were very sure, from the start of our deployment when conducting PoCs, that the solution we picked should have coverage for all ports and protocols.

The fact that it secures not just web-based apps, but non-web apps as well, is important because the threat landscape is quite big. It not only includes public-facing applications that are accessible via web protocols, but it also includes many attacks that are being generated through non-standard protocols, like DNS tunneling and newly-registered domain control names. There are also a lot of critical applications being accessed on a point-to-point basis, and they might be vulnerable if those ports and protocols are not being inspected. You need to have the right security controls so that your data remains protected all the time.

In terms of the solution's ease-of-use, once you understand the way the various components stitch together, and once the effort of the initial configuration, setup, and rollout are done and you have set up the policies correctly, you're just monitoring certain things and you do not have to touch a lot of components. That makes it easy to manage a distributed workforce like ours in which there are 10,000-plus users. With all those users, we only have a handful of people, five to seven individuals, who are able to gracefully manage it, because the platform is easy to use. It does take considerable effort to get up to speed in configuring things during the initial deployment, but thereafter it is just a case of monitoring and it's very easy to manage.

In addition, whether traffic is destined for a public cloud environment, or for a private data center, or you are accessing east-west traffic, you can apply the same security policies and posture, and maintain the same sort of segmentation. Prisma Cloud offers threat prevention, URL filtering, and DNS protection, and east-west traffic segmentation. These features are the foundation of any security stack. There are two primary purposes for this kind of solution, in the big picture. One of them is handling the performance piece, providing ease of access for end-users, and the second is that it should handle security. All of these components are foundational to the security piece, not only to protect against insider threats but to protect things from the outside as well.

Prisma Access offers security on all ports and protocols. It covers the stack pretty well, leaving no stones unturned. The same unified protection is applied, irrespective of where you access things from or what you access. That also makes it a very compelling solution.

There are definitely a number of things that could be improved. 

One of them is geographic coverage. China is still an issue because the solution does not operate there properly due to government regulations. I believe Palo Alto is trying pretty hard to get into partnerships with Alibaba and other cloud providers, but they do not have the same compelling offering in China that they have in the rest of the world. Businesses that are operating within China have to be very sure to evaluate the solution before making a buying decision. It is not an issue with Palo Alto, rather it is predominantly the result of government rules, but it's something that Palo Alto needs to work on.

There is also room for improvement when it comes to latency in a couple of regions, including India and South America. They might have to increase their presence in those locations and come up with more modern cloud architectures.

The third area is that, while Palo Alto has understood the essence of building capabilities around cloud technology and have come up with a CASB offering, that is a very new product. There are other companies that have better offerings for understanding cloud applications and have more graceful controls. That's something that Palo Alto needs to work on.

I've been using Prisma Access by Palo Alto for two to three years. We started deploying Palo Alto gear back in 2015 and, along the way we have looked into multiple tools from them and invested them.

On a scale of one to 10, I would give the stability a seven. There are a couple of reasons for that score. One is that when we make certain changes to configs, it takes about 14 to 15 minutes to populate. And there have been scenarios where it has taken about 45 minutes for the config changes to happen. When you sell a product by saying that it's cloud-native and that users can make all configuration changes on-the-fly, when those changes are made they should happen within a minute. They should not take that much time.

It might be that Palo Alto is still using a certain type of infrastructure in the backend that is causing these delays. If they pile on the cloud technologies, and work towards a more microservices-based architecture, I'm hopeful that they can bring this delay down to less than a minute.

Going from one user to 10,000 or 15,000 users, we haven't faced a lot of problems. However, for companies that are considering investing in this solution, if they have more than 50,000 end-users, a config change could take 10 to 15 minutes. In an environment where 50,000 people are expecting certain things to work, those things might not work for them. Such companies have to look at the solution very thoroughly in terms of the cloud piece, the integration piece. But from one to 15,000 or 20,000 end-users, it is flawless. We don't tend to see a lot of issues. But beyond, say, 25,000, I would suggest doing a deeper analysis before purchasing the product, because there are some glitches.

Initially, Palo Alto technical support was okay around sales discussions and getting up to speed on doing a PoC. But one once we deployed and then raised queries, those lead times increased quite a bit. Unless you take their premium support, where there is an SLA associated with every issue that you raise, it becomes very difficult to get hold of engineers to work on a Prisma Access case. If you just take some sort of partner support, you cannot expect the same level of support on your day-to-day issues that you would get with premium support.

Fundamentally, when a company sells a product, whether you are taking the premium support or some other level of support, the support metrics should be more or less the same, because you are trying to address problems that people are facing. Their response should be more prompt. And if they can't join a call, they should at least be prompt in replying via email or chat or some other medium, so that the customer feels more comfortable about the product and the support. If it takes time to resolve certain problems, post business hours, it can be very difficult for people to justify why they have deployed this product.

Neutral

COVID was a surprise for us, just like for everyone else in the world. We had a solution from Palo Alto, but it was not a scalable one. We configured things in a more manual way because our requirements were not that high in terms of remote use cases. Post-COVID, the situation has completely changed for us and we have to think about a hybrid situation where we can still gracefully allow access to end-users in a more secure fashion. That led us to evaluate this solution from Palo Alto.

The initial setup is not so straightforward. There is a learning curve involved because you need to understand which component fits where, with all of these modern, edge infrastructure secure-access services. You need to do capacity planning well, as well as a budgetary plan. You need to know the right elements for your business. Once you set that up, it is very simple to manage.

It took us about two to three months to deploy because we have a lot of geographical constraints. Different regions have different requirements. Accounting for all of those needs is why it took us that amount of time to set everything up.

We have to do an apples-to-apples comparison. If you had a very small set of people who had to create a dedicated setup like Prisma Access, and manage the infrastructure piece and the upgrading piece and the security piece, it would be a nightmare. Prisma Access offers that ease and flexibility so that even a handful of people, with the right knowledge, are still able to manage the configuration piece of it, because the infrastructure and other things are handled by Prisma Access. If you had to build that whole thing versus buying it, obviously Prisma offers a good ROI.

It all depends on your requirements. If your requirements enable you to do those things on a much smaller scale, then you need to be very cautious about which components of Prisma you actually pick for your use case. If you get all the components, you might not be getting the right ROI.

For our use case, we feel we are getting a return on investment, but it could be better.

The most pricey solution is Zscaler, followed by Prisma Access, and then Netskope.

The initial prices of Prisma Access were okay. But as soon as you start deploying Palo Alto gear, the support prices and the recurring prices, which are the major operational costs, tend to increase over time. For example, if you go ahead with a one-year subscription, just for testing purposes to see how the whole solution works, and you plan to renew for the next two or three years, you tend to see that the solution gets really costly.

We understand that when you purchase a hardware component, the cost goes up because you have a physical asset that depreciates over time. But when you are getting a subscription-based service, the cost should tend to be reduced over time. With Prisma Access, the cost is increasing and that is something beyond any kind of logic. This is something that Palo Alto needs to work on if they want to be competitive in the market.

We evaluated other options like Zscaler and Netskope. Prisma Access has more coverage for ports and protocols. It doesn't only inspect web protocols but all ports and protocols, and that's an advantage. Other solutions are still relying on web protocols.

The positive side of these other solutions, because they came along a little later, is that they have understood the demerits of a solution like Prisma Access. They are using more cloud-native components and microservices architectures. That makes these solutions faster. As I said, some config changes in Prisma Access take 14 to 15 minutes, but these other solutions literally take a minute to make the same config changes happen.

It's a constant race.

Put your business requirements up against the solution to see how it pans out. Look at the stability of the product, and at how much time it takes to make configurations and apply them in practice. And if you have a distributed workforce, like us, try to run this solution in southern countries where there is a latency issue or known issues with ISPs. You may not get the same set results that you tend to get in northern countries around the world.

We don't have a subscription to Prisma Access' Autonomous Digital Experience Management features, but we have done some testing of it. It's pretty good because it can help ease the work of an office helpdesk person who constantly gets tickets but has no visibility for monitoring things. With everybody conducting their work from home, it gets very difficult to know the setup of the internal environment and how people are accessing things and where the bottlenecks are. The ADEM tools are going to help immensely in that regard, because without having knowledge of the underlying infrastructure at every individual's home location, you can still identify whether a problem is specific to their home office or to the application the user is accessing or to the network that is causing the problem. That information is absolutely at your fingertips. Analyzing those types of things becomes really easy. 

ADEM will also help with the efficacy of troubleshooting and providing support to end-users. If there are certain applications that are critical to an organization, you could easily define a metric to see, out of all the people who are accessing those applications every day, how many of them are facing a problem. And if they're facing a problem, what the parameters of the problem are. Avoiding the problem could turn out to be something that people need to be educated about, or maybe there is something we can proactively tell users so that they can take precautionary measures to get a better experience. It is certainly going to help in enhancing the end-user experience.

Palo Alto's building blocks clearly illustrate an app-based model. It analyzes things based on an application so that we know what the controls are within an application. For example, if you want to block Facebook's chat but continue to allow basic Facebook to be browsed, that kind of understanding of the application would allow you to do so. That is way more graceful than completely blocking the end-user. It's not something that is specific to Palo Alto Prisma Access but it is a core component of Palo Alto.

Our primary use case of Prisma Access is to provide secure Internet access for users regardless of their location. 

It is also used for secure access to internal applications and secure SaaS applications, ensuring the same level of security whether users are working from home, the office, or any other location.

Prisma Access has allowed us to reduce the number of agents from multiple to just one single agent. It integrates several components, such as IPS, DLP, remote VPN, and SWG, into a single console, which has helped reduce costs and improve the return on investment.

The most valuable feature of Prisma Access is its ability to provide enterprise-class security for both Internet and internal application access. Unlike other OEMs that can only secure Internet access, Prisma Access can secure both internal and Internet-based application access.

The Prisma Access could improve in terms of adding more machine learning and AI capabilities to automate tasks such as incident response. This would enhance the overall security posture by enabling better and faster management of security threats.

I have been working with Prisma Access for the last five-plus years.

In terms of scalability, Prisma Access has adapted well to our organization's growth needs. Most customers are either planning to move to SASE solutions or have already moved, making Prisma Access an excellent choice for scalability.

I would rate their technical support a nine out of ten.

Positive

Before using Prisma Access, we used multiple products for remote VPN, SWG from vendors like McAfee and Forcepoint Proxy, and other VPN clients from vendors like Pulse Secure VPN, Fortinet, and Palo Alto. We switched to Prisma Access for its integrated approach.

Prisma Access has significantly improved our ROI by combining multiple technologies into one single solution. It reduces the need for multiple agents and products, which brings down the overall cost for our customers.

The licensing cost of Prisma Access is calculated per unique user, with each user being able to connect up to eight devices. If a user is no longer active after thirty days, that license becomes free. There is flexibility in terms of exceeding the license count, as it operates on a trust-based license model.

Prisma Access is best suited for enterprise and mid-level customers. It may not be the best fit for the SMB market due to higher pricing. I'd rate the solution nine out of ten.

We use the solution for VPN connection for remote work.

The most important feature of the solution is that it works transparently, and you don't need to enter a new password after restarting the PC. Prisma Access by Palo Alto Networks is a seamless solution. People don't need to know how the infrastructure is working. It just seamlessly works for them.

The most valuable features of the solution are encryption, compliance, and stability.

The solution’s stability could be improved.

I have been using Prisma Access by Palo Alto Networks for one month.

I rate the solution a nine out of ten for stability.

Prisma Access by Palo Alto Networks is a scalable solution.

I rate the solution a nine out of ten for scalability.

The solution's initial setup is pretty straightforward. The solution is easy to implement.

The solution's deployment took two weeks. Compared to other products, the solution has a pretty fast deployment.

We have seen a positive return on investment with the solution because remote work is very important for us.

I would recommend Prisma Access by Palo Alto Networks to other users.

Overall, I rate the solution a nine out of ten.

We use Prisma Access to build an allowlist that we put into Socks App, so we can gate access to what we want based on whether someone is allowed onto the VPN. Prisma is a SaaS product. We have the cloud-managed version that we use to access a mixture of on-prem, public cloud, and SaaS tools. 

We aren't using it extensively. There are only around six rules. I've had five hundred or a thousand rules in previous companies that used Palo Alto Networks. We have six, so we're not using the solution extensively. We're looking at various products for DNS filtering and security, so we will potentially get rid of Prisma Access in the future. It's a heavy-handed way of doing what we're trying to do.

Prisma helped us build a moat around our production systems. It's now impossible to log into our production from a non-MDM laptop. Prisma Access provides decent security overall.

Prisma Access protects all app traffic so users can access all our apps, which is crucial because we want this to be as transparent as possible. The ability to secure web-based and other apps is also critical. We use this as a gateway into production or specific systems. That might be over 443, HTTPS, DB, or any other protocol.

Prisma Access offers features in one cloud-delivered platform, which is pretty important. Anything we can do to reduce the complexity of this is good. It will get messed up at some point if there are too many moving parts.

The traffic analysis, threat prevention, and URL filtering features are pretty critical. Prisma Access is our frontline defense for our production environments. On top of that, it protects the engineering staff's endpoints, so it needs to provide essential URL scanning and WildFire AV detection.

I've had a ton of issues with Prisma Access. The UI is horrible and not intuitive. For example, error handling when applying configuration changes is atrocious. The UI itself is buggy and lags. The sales staff tried to be helpful, but they sold us the wrong license SKU, which broke our environment, and it took two months for them to fix it. Two months is an eternity for something as critical as this.

It applies commits to the firewalls slowly. There isn't an API you can use for anything. We've previously had trouble with the egress IP addresses though we expressed to engineering that those mustn't change. They changed several times without warning, causing a lot of headaches.

I have used Prisma Access for a year and a half. 

Prisma hasn't broken yet. There have been a lot of outages, but luckily only a handful have affected us.

Prisma is somewhat scalable. We want to use this as an allowlist for our external applications. However, other external tools don't allow you to add an arbitrary number of IPs. If we were going to put in the complete list of active and reserved IPs that we get from our seven points of presence, then that's roughly 41 IPs. That goes over the max of 40 that GKE and GCT use. We can't use it to gate Kubernetes pods because there are too many IPs.

We can't seem to remove them once they're added. I've opened several support cases, and we still have half. Half of this list is all reserved and unusable points of presence because they aren't assigned to anything. It is a bit cumbersome and not as agile or straightforward as I was led to believe.

I rate Palo Alto's support a four out of ten. When I put in a ticket for a problem, they will send me a link to documentation that is either for the wrong product or something that doesn't apply to me. I usually get on a Zoom call with an engineer, show them the problem, and wait a week or two before I get a solution.

Neutral

Setting up Prisma Access was relatively straightforward for our use case. We deployed some firewalls in our system and used the IP addresses we got from those to inform and allow this. So it was very straightforward to get it to work, but tweaking it over time has been cumbersome.

I was the only person from our company working on the deployment. I designed and implemented the architecture, then deployed the tool to the endpoints internally. I'm responsible for educating the users and troubleshooting problems they find. I do things like telling a guy, "No, there isn't a problem with the VPN. You shouldn't use the web version of Spotify because only crazy people do that."

We used CDW and Palo Alto professional services. It was fine. It wasn't the best engagement, but it wasn't the worst.

It's hard to say if we've seen an ROI. I imagine we have. We haven't been breached, so that's something.

There's no reason not to buy the enterprise version that gives you unlimited PoPs, but you must understand the limitations you impose on yourself if you do that. If you go crazy, that allowlist will be too big for Kubernetes clusters.

The API that pulls the egress IPs allocated to you should be updated by the minute or as often as possible. There's no forewarning of impending changes. That should be built into your CI/CD system so no one needs to update anything manually. It should just flow through. However, you need notifications because it's a slippery slope. If you're adding and changing IPs all the time, who knows what's what anymore.

I did demos of around 16 different products that do something similar, including Zscaler, Netskope, Fortinet, Twingate, and Tailscale. Palo Alto was the only solution that could give us dedicated egress IPs. 

I rate Prisma Access a four out of ten. There are many tools out there that can do the same actions. This is not the best tool to use if you're only looking for an allowlist for production. 

Prisma Access is useful for organizations with hardware and firewalls that don't support their total number of users for remote working. If they need to increase this quantity, instead of increasing the hardware, they can use a solution as a firewall service.

A maximum of 200 people use this solution. We don't utilize all of the solution's capabilities.

I had a customer who needed to move all of their operations to work from home during the pandemic. They moved all of their configurations to Prisma Access, and we helped them enable permissions for their users to work from home.

Prisma Access provides better app performance. It allows all the traffic that's really needed for applications and internal resources without any impact on the hardware. It can be continuously scaled in case more resources are needed.

The most valuable feature is the ability to change the gateway. For example, if there's a problem with a specific region or vendor, we can make modifications. The solution is scalable, and there are different gateways that can be created depending on the demand.

Prisma Access supports all of the traffic that the user generates. We have the ability to send all of the traffic through the Prisma Access firewalls.

Prisma Access provides traffic analysis, threat prevention, URL filtering, and segmentation capabilities. It also provides DLP. If you have Panorama to manage firewalls and you have a device group that has some configurations with specific profiles for the spyware or antivirus, it's good to have the ability to replicate that in your Prisma Access environment without any compatibility issues.

It's important that Prisma Access provides millions of security updates per day because we have to be aware of attacks in the cybersecurity industry. It's very helpful to have these updates from Palo Alto because they can prevent the organization or customers from having issues.

Prisma Access gives us the ability to configure clientless VPN, which helps us address specific applications that are consumed through Prisma.

The Autonomous Digital Experience Management feature is helpful because it shows the source of a problem. One user could say that they have a problem with slowness or that some applications don't work that well. It could be a problem with Prisma or a problem with the user's internet provider.

The security provided by Prisma Access is very good because we have the same configurations and models that we have on our normal firewalls. If you have worked with Palo Alto before with firewalls or Panorama, it's very easy to create configurations to implement your security posture. It's on the same technology as Palo Alto, so it's compatible with firewalls. It's also very secure, and it has the same scalability options.

My organization has created different gateways, so they have two different cloud vendors. This redundancy on cloud is helpful. There is redundancy at different branches to provide a backup in case there is a problem with a vendor in a specific area.

I would like the solution to support a different type of authentication. We can't configure a secondary method for our portal.

I've worked with Prisma Access for about six months.

The stability is very good. I haven't had issues with the connection or dropping traffic.

I haven't had any issues with scalability. The solution allows us to define all of the resources that we need. For example, we can define the IP addresses that we need for the number of users that will be connected. If there's a large quantity of users, they can increase the resources. 

The technical support could be faster after we open up a case.

Setup is very straightforward. Prisma Access has very extensive documentation. If you use that, it's easy to deploy the solution. You need to read a lot more for routing considerations, but I think it's easy for people with startup experience.

The amount of time it takes to deploy the solution depends on the complexity of the consumer's considerations. Normally, the basic implementation and policy authentication can be completed in two or three hours.

We require a few people for maintenance. One person provides support and two people do the implementation.

I received some help from engineers who had more experience in the company. They taught me how to configure it, and I was able to complete the deployment after that.

I would rate this solution as nine out of ten. 

We use Prisma Compute for container monitoring and Prisma Cloud for cloud monitoring. Compute looks at workload security, and we use it for container security, build security, and assessments. Cloud looks at our AWS account and gives us input on any security issues with our AWS workload.

We now know if there's any vulnerabilities during runtime, which is not something we had before. We didn't used to have visibility into our cloud infrastructure or our container space once the containers were running but we do have that visibility now. We also have visibility into how the different pieces of our solution talk to each other, so we know which services talk to each other, and then we are able to pick up anomalies. For example, when service A is talking to service B and there's no reason why they should be talking to each other. That's been a real help.

The solution is pretty comprehensive across all three tenets of build, run, and software. This has improved our operations because, for example, at build time if there is an inability within dependencies or within the Docker images we're going to use, we are able to stop, build, and remediate at that point. Within our registries where we keep our containers, we are still able to look back and see how vulnerabilities were corrected over time. Sometimes you build images in a repository, so a vulnerability might get discovered on the internet and it's good to know whether you're still safe before you run your images. Also, once you are running, it's helpful to know that you are still running secure environments.

A feature I've found very helpful is run time security because most of the products on the market will look at security during the build time, and they don't really look at what happens once you're going into production. 

It's a perfect solution for protecting the full stack native cloud. There's been a lot of development over time, so it's gotten better during the time we've been using it. 

The solution provides visibility and it's pretty simple to use. The dashboard is very intuitive. The solution makes it easy because we can look at one screen and see vulnerabilities across the infrastructure.

There is room for improvement in the multi-environment visibility, especially around containers. The product easily gets confused if you have, for example, similar Docker images that are running in different environments. It does not have a way of isolating that even though it's the same image, it's running in a different environment. It just consolidates that reporting and makes it difficult to figure out how far your plus range is.

I don't think the solution has a preventative approach. I think most of it is really more fighting. I guess you could use what it finds to predict what might happen in the future, but I haven't seen any features that are preventative.

I've been using this solution for three years now. 

The solution is very stable. I think in the last year we've done around four upgrades and it's never missed a beat, even through those.

The solution scales quite easily. We've thrown a lot at it and it's still standing. Everything that we run goes through Prisma. 

I think the support has a lot to improve on. Sometimes it's very difficult to get context around tickets, especially if they get keep on getting switched around, and then there are many issues. Not issues per se, but there are times when you need help and the person who is running the ticket is not able to service your ticket and then they have to push it on to engineering and that takes forever. I would rate the customer service as a five out of ten. 

Neutral

The initial setup was pretty straightforward. The product has very good documentation that is very easy to follow. Deployment took about a day. Rolling it out took longer, but that was because of internal challenges, not the product itself. 

We handled it all in-house. I actually did the deployment myself, and it went good. We used Terraform for deploying, and ran it in ECS, in our container environment. Our services are all running in AWS ECS, so we used their ECS module to plug our content environments into Prisma, and then we used their standalone agent for the rest of our systems that are not running container services.

We have seen an ROI because now it takes less time to identify vulnerabilities and fix them. When vulnerabilities are detected, the responsible teams are notified immediately, as opposed to having security go around once a week.

The pricing is very friendly and that's the reason why we renewed this solution. It was really just based on pricing, and the licensing is also pretty understandable. It's not confusing to figure out your workload and how much you'd be paying for the solution. 

We chose a mixed infrastructure where we have a bit on-prem and then also a direct cloud version. If you're running it on-prem, you have to meet infrastructure costs for the solution to run on your server in addition to standard licensing costs.

Before we did our last renewal we looked at a couple of other products. We chose to renew because of the pricing and licensing of this solution. 

The crux of why we're using the product is because of the automations. We are very confident that the product will keep us secure at all times. 

We are able to inject Prisma into our build jobs without it really affecting our build times or the developers.

The solution has reduced alerts investigation times by 60-70%.

I would rate this product as a nine out of ten. 

Prisma Access protects all app traffic so that users can gain access to all apps. This is very important when you have multiple applications in your environment. You do not want any network traffic to get compromised. It inspects all the incoming traffic so that the user can access that traffic in a secure way.

It secures both non-web and web-based apps, which is very important. You have applications in your environment. So, you want them to be accessed in a secure manner. It also provides security on the internet when you are trying to access something, such as PaaS apps. It provides security to that as well with the security management policy. It has an inbuilt security management policy. You just need to enable that, and that's it. This security of the non-web and web-based apps reduces the data breach. It is good for our operations that our non-web apps as well as web-based apps are secured.

We have two ways to manage Prisma Access. One is Panorama, and the other one is the Cloud Managed application. The graphical UI is very easy to use. It has a user-friendly graphical user interface, and we have a graphical statistics page as well, which gives you an insight into what's happening. It is very user-friendly.

It makes it very easy that in a single interface, you get all the features, such as routing, security, decryption, and other application functionalities. So, in a single graphical interface, you get everything, and it's easy to manage.

It provides traffic analysis, threat prevention, URL filtering, and segmentation. These elements are very important because you do not want to allow all the URL categories in your environment. You can simply block the categories that you don't want your users to access in your network. That's where these features come in handy. We can simply block these URL categories, and we have that functionality in Prisma Access.

It provides millions of security updates per day. Technology is changing every day, and Palo Alto is providing regular updates so that we can keep ourselves up to the market level. Constant enhancements are provided with the help of the Prisma Access plugin version. New plugins and features are coming every month.

Autonomous Digital Experience Management (ADEM) features are very good. It's a very helpful application. It helps us to troubleshoot network-related issues. It makes the job easy. We get to know whether an issue is at the endpoint level, ISP level, or system Access level. It helps us to determine the issue so that we can isolate and focus on a specific area. It makes our job easy.

ADEM is very impressive, and the users are enjoying this application. If they're not that tech savvy, it helps to isolate the issue at a particular level, making the job easy.

It enables us to deliver better applications. It is helpful because I can connect all my branch offices. If I have one office in the US, one in Asia, and one in Europe, I can connect all my offices to Prisma Access. I can also connect my data center and my mobile users spread across the globe. In Prisma Access, we have more than 100 locations provided by Palo Alto. So, it is very easy.

We have different security profiles inside Prisma Access. We have file blocking. We have anti-spyware. We have antivirus, and we have vulnerability protection. We also have DoS protection. All of these features are provided by Palo Alto Prisma Access, and we can utilize these options to make our security even better.

GlobalProtect is one of the best features of Prisma Access. It provides a remote access VPN solution.

We have an application called ADEM that helps us troubleshoot network-related issues. It helps us to isolate an issue whether it is on the ISP level, endpoint level, or system access level.

The Cloud Managed Prisma Access needs some more enhancement. Its GUI needs to be updated with respect to the inside application of Prisma Access.

The BGP filtering options on Prisma Access should be improved.

It has been three years.

It is very stable. If one node goes down on Prisma Access, we always have a backup node so that the traffic is not impacted. A backup node is always available, and the traffic is not compromised.

It is a scalable solution. Many clients are using the Prisma Access solution. I have personally worked with clients from across the globe, such as Germany, Australia, and Asia. They all are enterprise customers. 

People who work with or manage it are cybersecurity architects and cybersecurity leads. 

Sometimes, there's a long wait, and it is hard to get technical support, but it's improving day by day. I would rate them a 7 out of 10.

Neutral

I didn't use any other solution. 

It's straightforward and very easy. The deployment duration depends on the client's infrastructure. It depends on how many branch offices they are going to have. They could have only 3 offices, or they could have 100 offices. On average, if they have only 4 offices, it will take a max of four sessions. If they have 10 offices, it would take about 20 hours with two hours for each session.

We need an infrastructure subnet so that we can create an infrastructure over Prisma Access. We need to decide on the routing part, whether we are going with BGP or traffic routing. We need to have the IP address information for the IPsec tunnel. Apart from that, we need to take care of the DNS and resolve internal domains, if they have any. 

From my end, only one consultant is assigned for delivering the solution to the customer.

I would advise choosing your options according to your company's needs. Just go for what you want and do not pay for anything extra in terms of licensing. You need to determine how much bandwidth is required in your company network, and according to that, you should pay for the license. The mobile user license is based on the number of users who are going to use the VPN solution. You need to determine how many mobile users you are going to have in your network, and you should pay according to that.

There are no other costs in addition to licensing, but if you go for the consultant services of Palo Alto networks to deliver the solution for you, then you need to pay something extra. That is not a part of licensing.

If you have a company with branch offices, you do not need to have your own data center. You can simply connect your branch offices as well as your remote VPN users to the Prisma Palo Alto data center. You do not need to maintain your own data center. It will save your LAN cost, electricity cost, and labor cost.

Make sure that you are familiar with your company's network design and your design is compatible with Prisma Access. Make sure that the design is properly done and every use case or scenario is properly discussed. After that only go for the Prisma Access solution.

I would rate Prisma Access an 8 out of 10.