Prisma Access by Palo Alto Networks Reviews

It made VPN easy with the ability to build distributed VPN gateways. The cost of IT deployment is a bit less because you just need a VPN-capable device at the branch, as against the full stack, before leveraging the firewall service feature. There is also better latency for the clients in terms of talking to resources back at the data center.

It's Panorama-managed. Using Panorama makes it easy for me in terms of pulling policies and doing things on the fly.

It's pretty similar to the native physical firewalls. The only difference is that with SaaS security, we're able to get a little more detail about shadow IT SaaS applications and properly categorize them, which is helpful to decide what we need to do with those applications. It affects which applications we would want to see running over the network and which applications we need to restrict from users.

Similarly, in terms of protecting data and preventing zero-day threats, it's the same thing that I get with my physical firewalls. The data is sent to Wildfire. All the features are all pulled from the same intelligence sensors. The only difference is that this is in the cloud.

Prisma SaaS helps to keep pace with SaaS growth in our organization, but it's not a big deal for us. Mostly, we're looking through or sifting through identified SaaS applications, and it's a good thing to have that visibility. That's what we're enjoying right now, and then probably with time, we might be relying on it to make decisions in terms of setting restrictions to some SaaS applications, especially those that are not sanctioned by IT.

It's hard for me to pinpoint a certain feature against the other. The product makes more sense as a whole. Overall, the cost savings, ease of deployment, and better VPN user experience and performance are valuable.

It helps to identify and control shadow IT apps. In terms of its impact on our organization's security, it has been like a sword with two edges. Sometimes, it has proved to be helpful in securing workloads, and sometimes, especially when there are modifications to App-IDs pushed through the content database, we find some things messed up. We've come to a point where we have our ways of managing these things, but all in all, App-ID has been very helpful, especially in detecting tunneled applications.

At the end of the day, it's simply an operational thing. Sometimes, you have these notifications sent out about changes in App-IDs, modifications in App-IDs, or even the introduction of entirely new App-IDs to replace. Sometimes, the recommendations are followed, but even then, when the package is installed on the firewall, it gets messed up. I remember a particular one was with Tableau, and suddenly, people weren't able to use Tableau, which is an analytics tool for business. So, it can get messed up, but it doesn't happen often.

I have been using it for about two years.

So far, it has been stable. We get all those notifications around changes. I haven't seen a lot of IT changes that need some kind of manual effort. 

Being on the global license package and being able to spin up a VPN gateway just like that has been a huge benefit. If I have new users in Berlin, I can make life better and just spin up something close to Berlin for them to connect to. If there's an office coming up somewhere in Poland and there are some supply chain issues. If I have a router somewhere there, I can just leverage on that easily without worrying about, "Oh, when am I going to get my stack deployed? How soon can I complete a project so that users are able to start working from that office?" Those are the things that I don't need to bother about anymore because I can easily spin up a complete node close to their location, and I can tunnel between them, do my routing, and they're good. They can talk to whatever resources we need them to talk to remotely and connect to the cloud from there for internally protected cloud workloads. Scalability is obviously a huge factor.

The Cloud App-ID technology is something I am still observing. It takes us back to SaaS security. App-ID is a critical and fundamental part of being able to identify SaaS applications. So far, the applications identified have been true positives. It seems to work so far, but with time, we'll see how it's able to help with identifying SaaS applications better. 

It helped to identify cloud applications that we were unaware that our employees were using. I don't have the metrics, but we do generate reports from time to time just to see what's going on and how we compare with the industry in terms of application usage. Similarly, for risk identification, I don't have metrics. We are just reviewing and sifting through these applications. We don't, or we haven't, put a risk score on them yet. Until that's done, it's almost impossible for me to say if these are bad actors or not. We have visibility now. The SaaS applications that have been used at the moment are not of concern based on the last review we did. As time goes on, we might start considering some as risky or start categorizing the risks in some of these SaaS applications. Currently, it's all open. We mostly have mobile users, and we have another solution for endpoint security and Internet-based applications that go through their home Internet. There are few who do visit the office. Probably less than 10% of the organization goes into the office, so there's no huge concern at the moment because of those very low numbers.

For the parts and the features that I use, which are mostly remote branch and mobile gateway, I would rate it an eight out of ten.

We're migrating customers from existing Cisco AnyConnect VPN to Prisma Access GlobalProtect VPN.

GlobalProtect VPN is a brand new concept compared to Cisco AnyConnect VPN. The huge difference is that if a user is working from home and needs access to Office 365, the way traffic is usually sent will potentially increase the delay. Some companies open split tunneling for users and they are able to send a request to Office 365 directly, but there is a loss of control from the network and security perspectives.

Since we started using GlobalProtect VPN, all the traffic is monitored, even for a user who needs access to Office 365. The traffic from the user's PC will connect to the closed and available VPN boxes, depending on the location. The traffic from that box will head to Office 365, meaning it will meet the performance and as well as security requirements. So that's one, the huge difference.

The other difference, in my experience with Cisco VPN, is that we normally control traffic based on source address, destination address, and destination port. But with Prisma Access, and using a lot of features from Palo Alto firewalls, we control the source, in particular, with the user ID or an Active Directory Group, instead of an IP address. The benefit for the user of using the user ID or Active Directory Group is in the following scenario. Suppose a user is usually in the United States but goes on a business trip to the UK. With a regular VPN, the user in the U.S. has a subnet. But when they travel to the UK, the IP just will be changed and there will be a totally different subnet. The access they had in the States may be lost when connecting from the UK. But using the user ID or Active Directory Group, the ID is always there no matter whether they are in the States, the UK, or anywhere else. That makes it more flexible for a user who is working remotely, traveling, or roaming.

In addition, performance-wise, a lot of applications have improved because the cloud-based VPN, based on the geographical location, provides a more optimized path and potentially reduces the latency. That provides better performance, but it depends on the applications.

Being able to use the user ID or Active Directory Group is one of the great features for control and providing more flexibility without worrying about IP addresses. 

Prisma Access has a lot of other features. Instead of VPN, its gateway is able to decrypt traffic and, potentially, inspect it. This feature is more likely to be used by companies using Websense or a proxy server. Prisma Access or Prisma VPN has merged VPN, firewall, and some of the Websense-type and proxy functions. This means that four or five components have become one now.

The solution also protects all app traffic, meaning that users can access all apps. All traffic is sent through the Prisma devices. Even a user who reaches Office 365 with a load closed location is still controlled by the VPN boxes, and from the security and network perspectives, we can still see all of the traffic, meaning everything is under control.

In addition, there is something called Pre-logon with Prisma VPN, which means before you log in to the PC with the user ID, domain, and password, the PC automatically connects to the Prisma VPN. That means you already have some basic access, like to Office 365. In case the VPN box is having issues, the user still has access to Outlook, Teams, Word documents, et cetera. The Pre-logon features make things really convenient.

Another nice feature for users is that Prisma VPN saves the user session for seven days instead of, with Cisco VPN, only one day. As a result, the user doesn't need to connect to the VPN every day. After a week, once it expires, they will need to log in with the username and password, but it still keeps the security intact.

There is also the ability to do a HIP (Host Information Profile) check. We can check things like whether a device's operating systems are properly patched, that the antivirus software meets security requirements, and that the hard drive is encrypted. The latter is important because if the laptop is lost, the data can be stolen. A HIP check enables us to make sure the endpoint maintains the security requirements. That helps make things more secure.

And as a cloud-based solution, there are a lot of redundancies. I'm in Canada and have a gateway in Canada. In case the getaway or VPN box in Canada dies, they will automatically reroute me to New York or any other location that is available. In addition, if the cloud-based solution has an issue, we still have the on-prem firewall or VPN in place in our data centers, which means everything falls back to something that is just like Cisco VPN, but it is Palo Alto. But that is only happening in DR situations. The fact that Prisma Access is cloud-based also makes it easier to connect from our environment to cloud-computing environments.

I can't think of many things that need real improvement. But one thing that comes to mind is that when we deploy firewall rules via Panorama, we find it's a little bit slow. We have a global environment and might have 100 gateways or VPNs in the cloud. When we deploy something, it tries to deploy it one-by-one, and that can be slow. For example, one time we pushed a firewall change and the changes took about 10 minutes to finish up. If they could optimize the whole process to speed up that kind of deployment, that would be especially helpful.

I have been using Prisma Access by Palo Alto Networks for close to two years, including the testing and eventually working on it in the production environment.

As of now, we have deployed it for 25 percent of our employees globally and, so far, it has been stable. We haven't seen a situation where it is working one day and totally stops working the next. 

There are still some bugs and sometimes we encounter issues and we have to open a case with Palo Alto to ask them to fix things. Because this is a new solution in the market, having been introduced two or three years ago, the overall stability is good, but they can still enhance that aspect even more.

The scalability is pretty good. Since we bought it, we have added more and more users and had no issues. And because it's cloud-based, they can add VPN boxes in the cloud and, for us, that process is transparent, which is pretty good.

All in all, tech support has satisfied us. We are a big customer, and they have two tech engineers working with us when we deploy and when we do a migration. We always have them with us, especially via conference calls.

The support is timely, but there is still some room for improvement because, when we open cases with them, some agents are not as timely about fixing problems as others.

But overall, we are satisfied with their services.

Positive

The initial setup was not too complicated, but it still took a little time to get familiar with it. The good thing is that Prisma VPN uses our existing Panorama centralized management tool, which we use to manage Palo Alto firewalls and VPNs. Because the centralized management tool is very familiar to us, it helped us in using the new solution. But, of course, since it is a cloud-based VPN, it did take a little bit of time to get used to, but after we got used to it, it became straightforward.

It is pretty expensive. We have to balance the cost of some features. They need to work on some of the services and products, price-wise.

The importance of the combination of the solution's traffic analysis, threat prevention, URL filtering, and segmentation depends on the business. Some business lines are very critical so we might potentially apply more features to them, but everything has pros and cons. Applying more features potentially slows down the performance, so we have to balance between security and performance. But so far, in most situations, we don't have any concerns because we already apply the HIP check to make sure the laptop side meets all kinds of security requirements, based on our internal policies. Also, we are able to see all the traffic logs. Even though it's a huge amount of data, and we're not currently doing so, we're potentially able to investigate or analyze things. 

It is a good solution and a new direction for many companies, especially big companies with global offices. Overall, the security that Prisma Access provides definitely meets our security requirements. Otherwise, we wouldn't be using this solution. The majority of companies, including a bank or any other financial company, should be happy with this solution.

Prisma Access GlobalProtect is our always-on VPN. We use it for URL filtering, to make sure people don't go to websites that are not permissible according to our security policy, such as gambling and pornography sites. We also implement Data Loss Prevention and decrypt the packets so that we can analyze the inside and make sure that nobody is trying to exfiltrate data. It's always on and it doesn't matter if you're in an office or at home or in a coffee shop or a hotel. 

We also use their service connections to access our internal services through them.

Since everybody is on the network all the time, it's allowing us to eliminate the step of having to connect to a VPN. That's the whole premise of an always-on VPN. Nobody has to think, "Oh, I need to get on VPN before I can connect to that server," or, "Oh, my VPN timed out because I've been on for 12 hours." The whole premise is that you're constantly on a VPN and it's constantly securing the system. That has helped from an end-user perspective. It hasn't come without its challenge, but that is one thing that is definitely a benefit.

In terms of security, it's definitely better than what we had because a user could just disconnect from the VPN before. They couldn't shut off the cloud proxy, but the cloud proxy only handled web-based traffic. If they wanted to FTP to a server, when they were connected to the VPN, it would get blocked. But they could just disconnect from VPN and then connect to FTP. Now, it goes through more security controls. So we are definitely more secure because of it. But it's just a completely different technology; it's more because of that than the product itself.

It's also somewhat of an alternative to SD-WAN. We had been looking at SD-WAN solutions and, realistically, the way the users are connecting now with Prisma Access, there's really no need for it.

It's an always-on solution and it supports both Mac and Windows. We have one configuration globally, and the only area where we had to do something differently is China.

Prisma Access protects all app traffic, so that users can gain access to all apps and that's very important because we need to be able to access everything. 

It also allows us to access non-web apps; anything internal that we need access to, we can access. Because we're using it as a VPN solution, our users are always on the internal network, regardless of where they are. They can't do anything because we lock them down so that if GlobalProtect doesn't connect, they can't get out to the internet. It's helped in that there were things that people would work around in other ways with our old model, things that they can't work around with the new model.

Also, having a single cloud-delivered platform, a global solution, was a key requirement for us.

We use the solution's threat prevention, URL filtering, and segmentation and they're all extremely important, based on what we're doing with the product. It's also very important to the business that Prisma Access provides millions of security updates per day.

We've run into some challenges, having hit a lot of bugs over the past year in the deployment of GlobalProtect. We've had our fair share of issues that I haven't been happy with. We're working with the support organization to remediate them and waiting for updated releases. The response on getting the bugs fixed has not been what I would consider adequate for a product like this. We've had some very pointed discussions with the support organization and the development teams on those issues and on doing what we can to help remediate them as well. They have been more responsive now towards our needs but it's a work in progress. 

They're going from being an organization that supported physical hardware, the Palo Alto firewall, into the realm of a SaaS-based solution. As a result, they need to change their operating model, support model, and release model to support that SaaS-based solution. That is related to support, related to operational efficiency, and deployments of code. Those are the areas where they need to improve.

I've been using Prisma Access by Palo Alto for about a year.

I don't see issues yet in terms of its scalability. We have more capacity than we need, so I think it's fine. We have firewalls in every region and in every country that Palo Alto has available. It's fairly scalable.

We previously used Cisco AnyConnect for VPN and a cloud proxy solution for web-based security. We went from two products to one. The main purpose was to find a replacement for the cloud proxy solution. VPN just wound up being a good and positive outcome, in addition to it.

The initial setup was complex. It has taken us almost a year, but we have about 7,000 users. We're just finishing up the main deployment of 5,000-plus users. We had an acquisition earlier this year and that will add another couple of thousand users. There have been a lot of hurdles with the bugs that we hit in the product. The stability of the software has been our biggest challenge.

We did the deployment ourselves. In terms of maintenance, I manage the network engineering team globally, and our team is responsible for it.

We did look at other vendors when we were deciding on our VPN software and we went with Palo Alto for security reasons. 

My advice would be to wait until they fix the bugs. We've been on a pretty stable version for the past several months and haven't had any issues. But other users who are on the same version have hit bugs on a regular basis, and it has been a nightmare to try to support. We're waiting on the final update of version 5.2.9 to get some of these issues fixed, and we're also waiting on 5.2.10 to support Windows 11 and the new version of Mac.

It's a balancing act in terms of security and nothing is perfect. We do have Palo Alto hardware as well as the Prisma Access solution, so we're reliant on Palo Alto's security for a lot of our security needs. I think the security is adequate.

I like the product in principle and I would rate it pretty high, but the bugs that we've hit pull the score down a bit. And then there are the operational support issues that we've had with Palo Alto, in general, that contribute to the score of six out of 10, as well.

My customers are military and federal government agencies. They're really interested in Secure Access Service Edge technology for their endpoints. Palo Alto Prisma is one of the solutions we use to make the SASE solution work for endpoints. For our customers, we normally do SD-WAN, Zero Trust, SWG, and SWaaS. Nobody has really asked for ADEM yet.

Prisma Access lets us compete in the cloud space.

Prisma isn't hard for the average system admin to use, and our customers are interested in Prisma's SD-WAN and Zero Trust capabilities. Government customers are particularly interested in the CASB capability. Prisma protects all app traffic, so our customers can access all of our apps, which is essential. That's one of the main reasons my business and customers use this technology, especially in the COVID-19 environment.

My military customers have users who need secure access to their information from all over the world. If they're using Microsoft Office products or some other app that isn't web-based, they can still access them through the web whether they're using their corporate devices or working on their personal devices using corporate information. Prisma will still protect that from phishing or other attacks.

Having all of these capabilities on a single cloud-delivered platform was extremely important to us. We also liked how well Prisma integrates with other solutions. Other solutions offer the same functionalities Prisma does when it comes to Zero Trust, CASB, and SD-WAN within the Microsoft Cloud. Prisma helps us protect our customers when a user isn't going to the Microsoft Cloud. 

Prisma also helps with traffic analysis, and that is controlled through the Manager. We can see what websites individuals within organizations are going to. For example, we can do cybersecurity analysis, such as phishing and so forth, to determine the cybersecurity risk of a particular site. While Prisma is doing that, we're also sending those Prisma files to our security operations, and they're also doing the analysis. In addition to threat detection, we're doing threat prevention. URL filtering fits into that category because we can determine what website an individual was able to access.

Prisma does segmentation either through the management of user groups or according to network access. Prisma provides millions of security updates per day, which is crucial for my government customers and business partners. It helps us keep up with security violations or phishing attacks by bad state actors. These threats are dynamic.

Prisma should implement industry updates in near real-time. Also, Prisma's integration between operational technology and IT should be more seamless. Right now, it requires additional setup and maintenance.

We've been using Prisma Access for about a year.

Prisma is stable. It works as advertised.

Prisma is highly scalable and global.

I rate Palo Alto's tech support 10 out of 10. It's outstanding. But I'd like to highlight the difference between technical support and government technical support because it's two different beasts. I'm talking about Palo Alto's government technical support. They have a separate set of personnel inside the organization that handles government customers.

Positive

Setting up Prisma is pretty straightforward. It takes around an hour to get it up and running. The amount of time needed to fully deploy Prisma depends on the size of the enterprise and the number of units, groups, endpoints, etc. Pre-deployment preparation also varies according to the size of the enterprise. It takes about a couple of days for a medium-size organization. You have to set up the architecture, determine who the users are, set up the IP schema, establish your Zero Trust scheme, set up network access, and send your log files over to the site. All of that takes about three days. Two network engineers can handle setup and deployment. After that, Prisma can be maintained by normal networking staff and at least one engineer.

Integrators from our partners at Tech Data help us deploy. We also get help integrating from my engineers over at TOSIBOX, our proprietary VPN solution.

We're now able to go after contracts that require a Zero Trust solution and Prisma's other technology solutions. 

We looked at other competitors, including Aruba, HP, Cisco, and Microsoft Enterprise solutions. 

I rate Prisma Access nine out of 10. It has been constantly changing since it was released. Palo Alto is the leader in all these technologies on the Gartner Magic Quadrant. 

I would advise anyone considering Prisma to look at their endpoint protection and evaluate how it fits in the overall enterprise solution, including integration with operational technology.

As a Palo Alto provider, their Platform as a Service (PaaS) for their Prisma Cloud-Native product, is offered as a hosted or Software as a Service (SaaS) version. As a user their product should scan and manage cloud container images to identify vulnerabilities. It's a key feature for identifying CI/CD development issues for remediation. 

The most valuable feature of Prisma Cloud-Native, in my opinion, is that it assists in identifying, analyzing, and remediating vulnerabilities.

Palo Alto does a great job on managing updates to their products. It can be difficult managing all the subscription updates, especially if they are manual. There should be a process in place. 

One area of challenge is for them to stay on top of current CVEs on their platform. Anything in the lines of compliance should be current from potential attacks. They have a URL link where customers can make recommendations to map to specific compliance frameworks or standards. That's great, but instead of having the customer identify those, they should make sure they're using the most recent version. The NIST SP 800-53 Rev. 4, should be mapped to NIST SP 800-53 Rev. 5 current version. Many people are unaware of this change. Should use the most current version, unless you have an exception for legacy systems.

I have been using Palo Alto Prisma Cloud for about a year now.

I'm currently supporting a Prisma Cloud-Native re-configuration project. It's their Software-as-a-Service (SaaS) version in the Cloud to scan for vulnerabilities. 

Prisma Palo Alto Networks is an optimal solution. They use the Amazon platform. They have some extremely talented engineers who keep the product up to date. Version updates could be a challenge as some versions are not automated. They don't always push you to update unless you're maybe using the hosted version. If you are unaware of this, you may have been using an older version for an extended period of time. There will be bugs and issues, and it will not perform optimally. It's important to use the most current version. 

Palo Alot support is great. There are no complaints.

I am familiar with Trend Micro, and WatchGuard solutions. I really like Trend Micro. They are excellent, in my opinion. They are great for anti-malware, as well as scanning your desktops and computers for personal or business use.

Proofpoint is another product that I really like for DLP Endpoint Security. They do an excellent job.

I didn't do the original configuration, but I am doing some of the re-configuration. It is important to understand your organization's infrastructure, cloud containers, and all the various types of administrative access controls. It all comes down to having the knowledge and visibility to configure it with your environment. 

The pricing is reasonable for Palo Alto. They price their products using credit modules. There are various types of modules in each section. I believe there are four different modules. If you want to ensure that you are saving on cost, you should develop a very good DevOps or DevSecOps process with the cloud engineers and development team. Meaning, when the development team is no longer creating apps or working in their CI/CD environment, they must scale down, repave and decommission or it could increase your costs significantly.

We use it for remote access VPN. When our users are working remotely, from home, they can use it to connect to our IT environment.

An important aspect is that Prisma Access provides all its capabilities in a single cloud-delivered platform. It would be very inconvenient for us if we had to go to multiple places. It gives us centralized operations, and centralized configuration and management that enable us to be more efficient. We don't have to reference or go to multiple places or systems to maintain things and operate.

It has also improved our remote access. We deployed it to replace an older remote-access VPN that we had been using. That is where the usefulness of the product is for us. It provides security and allows our remote users to connect to our environments.

Remote access is the most valuable feature, giving remote users secure access to our IT environment. That is the specific feature that we are using it for. Prisma Access provides secure access to the environment, including apps, and some non-apps systems, such as system administration. This ability is very important, almost a mandatory requirement for some of our systems.

It not only protects web-based apps, but non-web-based apps as well. Again, that's important, because for this kind of access, the traffic has to be protected and secure. The fact that it secures not just web-based apps but non-web apps indirectly reduces the risk of a data breach. If all the traffic can be seen it should help keep things from getting into the hands of hackers, helping prevent data from being compromised and preventing access to systems as well. We don't want our systems to be compromised, as they are critical to our services and to our customers.

The solution also provides traffic analysis, threat prevention, URL filtering, and segmentation. That combination is important because it enhances the protection and makes the traffic more secure. It also keeps things more up-to-date, enabling us to deal with more of the current threats.

In addition, Prisma Access provides security updates for threat prevention. Those updates are important in general, of course, for security reasons. The more up-to-date you are, the better you are protected.

It's not very easy to use. Sometimes it's buggy and there are problems when doing updates. The user interface is okay, but some configuration items are difficult. I would like it to be less buggy and easier to configure, to better streamline the user experience.

I have been using Prisma Access by Palo Alto Networks for a little more than one and half years.

The stability is pretty good. There are certain portions that are not very stable, but the core is pretty good.

I think the scalability is pretty good too, although we are a small company so I don't know how big we can scale, but for us, it's pretty good.

We have about a dozen users on it and most of them are technical staff, such as engineers and software engineers. Outside of the IT personnel, even finance people use it because they need access to the systems and applications. We are using it for one part of our environment, but we plan to expand it from 1,000 users to about 5,000 users.

The technical support is pretty good, as is the post-sales support. They are both very good and very attentive. Although the software is buggy, and sometimes it's hard to fix, they do provide the appropriate support levels to help us through.

Positive

We have used Cisco VPN, and I have used Juniper and Meraki. We switched because we are standardized on Palo Alto firewalls, so we wanted to use the same vendor for more interoperability.

The initial setup of the solution was complex. The configuration is not easy to understand and requires a lot of expertise from the Palo Alto side. The terms that they use in the product require quite a bit of explanation and clarification.

We used a phased approach. The first deployment we did, as a milestone, took us at least six months. For the deployment, we needed at least two to three engineers: someone from security, someone from networking, and someone from the end-user side. All parties had to be involved.

We used a contractor to help us.

The return on investment is that it allows our remote users to access our environment.

The licensing model for this product is complicated and changes all the time, making it very hard for the user to comprehend the configuration.

My advice would be to directly test it before you purchase it to see if the user experience and the complexity of the networking component are things you are able to handle.

The biggest lesson we learned from using the solution is not specific to the solution: We needed to do more proper planning in the beginning. Because the process is complicated, without good planning, it becomes more difficult during the process. The configuration involves many templates. Without planning ahead, they are created in a messy and disorganized way, and that causes further problems when we need to grow and do more setups. Now, we have to go back and correct those messy configurations, and that is something we are still doing.

Overall, the security provided by Prisma Access is very good. It provides the authentication, protection, and encryption that we are looking for for our remote users.

In this pandemic, users want to work remotely and that means we need centralized control of remote users, our branch offices, and the head office. Prisma Access collects everything together and provides us with centralized management, enabling us to manage all our locations and users globally.

It manages on-premises networks, but it has its own infra in the cloud.

The ability to manage networks reduces costs for our organization. Suppose I have four offices and all four have a firewall device. All of those firewalls will have separate licenses, and each office will have a separate internet connection. The Prisma Access solution means we only need one router at each office and all the internet connectivity will go through the solution. That definitely cuts our internet costs.

It is also very important that Prisma Access provides all its capabilities in a single, cloud-delivered platform. For mobile users, without Prisma Access, I would have to control their traffic through on-premises networks and give them on-premises internet. Suppose that one of those users does not connect through the on-premises VPN. That user would then have access to and control of whatever he wants. The system might be compromised through unauthorized access. That's why, from a security perspective, it is very important to control this type of situation. We could control the system without Prisma Access, but that would require additional solutions. We would have to add another security client to the user's system. With Prisma Access, instead of having two solutions, we have one solution.

Prisma Access gives us security from a single point. It controls mobile users and determines how secure their networks will be, including from where they will get internet access. We can optimize things and add security profiles centrally.

Another valuable feature for mobile users is the GP VPN access. It provides security and a firewall as a service, including threat and vulnerability protection. From a security perspective, it is very good.

I haven't seen any SD-WAN configuration capability. If Prisma Access would support SD-WAN, that would help. There are some trending technologies in networking with SD-WAN. SD-WAN is nothing more than optimizing your WAN. SD-WAN devices should be able to reach Prisma Access, and Palo Alto should support different, vendor-specific devices, not just Palo Alto devices, for SD-WAN configuration.

Also, Palo Alto only provides corporate licenses. If they would give a license to a non-corporate email ID, for testing and a pre-trial, that would be really great for users to practice with it. Everybody could explore it. Or, for people who are not working in a corporate environment and who want to explore this kind of setup, it would enable that type of test access on a personal email account.

I have been working in networking and security for eight-plus years. I work on various infra including routers, switches, firewalls, and different cloud services. I work on various vendors' solutions, such as Fortinet, SonicWall, Sophos, and for the last four years, on Palo Alto.

Prisma Access is a subset of Palo Alto Networks and is a product they recently introduced. We just recently heard that our organization was planning to use the Prisma Access solution.

I cannot evaluate the stability based on my limited experience, but I recently called a colleague in a different organization who has been running Prisma Access, and he said it is going well and that he has seen good stability.

We have more than 10,000 users and 40 Palo Alto firewalls, located in different regions. They were involved in the PoC. In the future, we are planning on having Prisma in production.

Palo Alto support is very responsive. They respond immediately and they are very kind and very knowledgeable. They work on cases by priority. In general, when we call them, we are able to talk with them without much delay and they provide solutions that have met our expectations. 

I would rate their support at eight out of 10. I deducted two points because sometimes they do have a very busy schedule and every engineer is busy. Once we reach them, everything works fine.

Positive

This is a new implementation for SASE in our organization.

The license activation process is very straightforward. When we purchased Prisma Access, they provided a link and, from there, we had to add the serial number of our existing Panorama. After that, everything happened automatically. Once that management setup was done, we were easily able to add a rule and do other configurations.

Our deployment did not take a long time. However, our infra is very big. While the initial setup was done in four to five hours, finishing everything took us one week.

If you are planning on using the SASE model for your organization, I would recommend Palo Alto Prisma Access. It works well, based on my experience.

I have come across many firewalls and I have hands-on experience with various devices, but Palo Alto is the best for everything. It is the best device for infra security. It not only has security, but it works well when it comes to routing and switching.

Overall I would rate Prisma Access at 8 out of 10. It gives us centralized management and reliability, scalability, and ease of configuration.

One of our use cases is that it is used by our internal users, our employees, when they need to work remotely. They'll be out in the field and, wherever they have an internet connection, they run the GlobalProtect client, connect, and they can access our resources as if they're in our building. For example, we have health inspectors who go to different sites.

Of course, we're doing more teleworking like everyone right now. Also, our admins all use it because that's how we get in and do remote work. And, periodically, we have contractors or vendors who need remote access. We'll build an account in AD and either have them download the client and connect to us, or if they currently use the GlobalProtect client for some other VPN connection, we can just provide our gateway and they can use their existing client to connect to the resources that we allow them.

We also have a clientless VPN by Palo Alto. It's a website where you can enter your AD credentials, and it will publish internal web apps that you can access through a browser. We have some users, and a set of contractors, who use that to access some of our internal systems for COVID response.

It's a cloud-based VPN, but it's managed from our Panorama instance, which is on-site. There's the GlobalProtect client that gets installed, that's the VPN client on your laptop, and that automatically updates from the cloud when a new version is available.

Prisma Access is our first cloud-based VPN solution. I like that aspect because I don't have all the traffic hitting my firewall interface directly. Users go to the cloud, wherever they are, and connect to some kind of cloud. It will grab their config, and our firewall doesn't see any extra traffic from that. That's awesome.

Because we are in the health sector, the clientless, web-based VPN that we're using has allowed us to partner with some external companies to do contact tracing for COVID. That means that if someone is positive for COVID, those companies track back to the people they have been in contact with and try to find the source. The fact that the only way a couple of hundred of our employees can access our records at any time is through the web-based VPN has really improved our ability to respond to the pandemic.

I like it because it's very easy to use. You install the client and you have to know your gateway, but that's something we give to our users. Beyond that, it takes about three seconds to train them on how to use it. And it just works well. That's great for us because it means less administrative time.

It's also nice that Prisma Access provides all its capabilities in a single, cloud-delivered platform. 

The thick client secures non-web apps in addition to web-based apps. If you have the client installed on your laptop, it's a completely secure VPN connection and anything you run will be secured by it. The clientless VPN, the web-based one, only allows you to redirect to URLs; it's only web. Being able to access non-web apps is important to us because it's how we get our remote work done. Not everything is web-based. We have to run applications and access Windows shares and the like. 

This ability helps decrease the risk of data breach. Information security is more and more a huge concern for everyone. Knowing that everything's going across an encrypted tunnel, and that we can manage what is accessed by which user, are huge benefits.

Another important aspect is that Prisma Access provides millions of security updates per day, because security has really become our number-one focus lately. That feature is very good.

I've been using Prisma Access by Palo Alto Networks for about two years, maybe a little longer.

It has been very stable. We've had a couple of small outages, but overall it's very trustworthy and stable.

It's cloud-based, so it's infinitely scalable. For us, it has worked fine. We went from a few users at first and we built up to hundreds.

It's our clientless VPN that really builds up our user count. It is consistently between 300 and 400 users. It rises and falls depending on what kind of campaign we're doing. If a new COVID variant is discovered and we have to ramp things up because of CDC guidance, the user count will bump up.

The one thing that I've been a little bit disappointed with is when we have had to open cases with Palo Alto about Prisma Access issues. Versus their other platforms, like their firewalls, where we tend to get really quick responses and very definitive answers, the few tickets I've had to open for Prisma Access have taken them longer to respond to. And they haven't necessarily given me the kind of answer I was looking for, meaning a fix to the problem. Maybe this technology is not as cut and dry as some of their other technologies. But I think they could improve their support offering for Prisma a little bit and put more expertise in place.

Overall, I'm very happy with Palo Alto's support. I'm not saying that their Prisma support is awful. It just hasn't been quite up to par with other support I've seen from them, which has been pretty phenomenal.

Positive

For VPN, we used Cisco AnyConnect. The switch to Prisma Cloud was part of a platform switch from Cisco ASA to Palo Alto firewalls.

We also have other solutions, such as a virtual desktop solution that is available externally. Some of our users use that and others use the VPN.

The setup was medium complex. Because of the way we're doing it through our Panorama, it's a little more complex than it would be on the cloud-only solution. There is definitely some  complexity to it.

I wasn't involved in the initial deployment of it, but our organization worked with a vendor called CompuNet, a company with Palo Alto expertise. I would guess it took one to two days to get through everything and test it. 

The evaluation happened before my time here, but we had people who had worked with Palo Alto previously. They knew its reputation and were happy with it. I think the switch happened directly.

It functions like a lot of other VPN solutions. It's not special in that sense. It just works.

I have spoken with another agency that was looking at Prisma Access. The one thing they weren't aware of was the clientless, web-based VPN that is part of the product. They were pretty excited when I explained to them how we use it. So make sure you review the full feature set that Prisma Access offers. It may be broader than you expected.

We are using it as a hybrid solution where we manage it through our onsite firewall. There is a Prisma Access full-cloud solution where you do all the management there. If we were to start over again today, I would probably go full-cloud. That would ease the management a little bit. People who are using the cloud-only solution probably have fewer hoops to jump through to get certain things accomplished. But we've been fine.

The biggest issue I've run into is that most of the documentation for Prisma Access is based on the full-cloud model, as opposed to our hybrid implementation. It's a little trickier to find out how to implement some of those changes through Panorama. There are also some connectors you have to set up to make sure that your Panorama is talking to the cloud the way it should. Those wouldn't be necessary in the cloud version, and that means it's probably a little easier to sync your AD, set up your users in the cloud, and you're done. Everything is already on the cloud.

Overall, I'm very happy with the security provided by Prisma Access. Palo Alto is a security company and is always working on ways to make things more secure. I feel very confident that our data is safe using the solution, which is the whole point.