
    Palo Alto Prisma Access: SASE design for distributed enterprises

    TechLeague Editorial · 8 min read

    Prisma Access turns Palo Alto policy into a globally delivered SASE service. Done right, it replaces hub firewalls and MPLS.

    Building blocks

    • Service connections to HQ/DC for east-west traffic.
    • Remote networks: IPsec tunnels from branches and SD-WAN edges.
    • Mobile users connect through GlobalProtect to Prisma Access.

    Policy

    • Same App-ID/Content-ID stack as on-prem PAN-OS.
    • Posture via HIP checks and device certificates.

    Steering

    • Per-app routing: direct to internet versus back to corporate.
    • Privileged access for SaaS via Cloud Identity Engine.

    Observability

    • Cortex Data Lake centralizes logs.
    • ADEM for end-to-end user experience monitoring.

    Pitfalls

    • Right-size compute units; over-provision early.
    • Plan IP allocation pools per region.
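    A way to sanity-check the pool-planning pitfall before tunnels are built: an added Python example (not Palo Alto or Prisma Access code) that takes a constructed per-region mobile-user pool plan plus the corporate prefixes reachable over service connections, flags any overlapping prefixes, and checks whether each region's pool has headroom for its expected user count. Region names, prefixes, user counts and the 1.5x headroom factor are all assumptions.

```python
import ipaddress
from itertools import combinations
from typing import Dict, List, Tuple

# Constructed sample plan (hypothetical values, not from any real deployment):
# mobile-user pools per region plus the corporate prefixes reachable over
# service connections to HQ/DC. Any overlap here breaks return routing.
REGION_POOLS: Dict[str, List[str]] = {
    "us-east": ["10.200.0.0/20"],
    "eu-west": ["10.200.16.0/20"],
    "ap-south": ["10.200.8.0/21"],     # collides with us-east
    "sa-east": ["192.168.64.0/20"],    # collides with corporate space
}
CORPORATE_PREFIXES: List[str] = ["10.0.0.0/12", "192.168.0.0/16"]
EXPECTED_USERS: Dict[str, int] = {
    "us-east": 3000, "eu-west": 2500, "ap-south": 1800, "sa-east": 400,
}


def find_overlaps(pools: Dict[str, List[str]], corporate: List[str]) -> List[Tuple[str, str]]:
    """Return sorted (label_a, label_b) pairs whose prefixes overlap.
    Every pool is checked against every other pool and against corporate space."""
    labelled = [(f"{r}:{p}", ipaddress.ip_network(p)) for r, ps in pools.items() for p in ps]
    labelled += [(f"corporate:{p}", ipaddress.ip_network(p)) for p in corporate]
    hits = []
    for (la, na), (lb, nb) in combinations(labelled, 2):
        if na.overlaps(nb):
            hits.append(tuple(sorted((la, lb))))
    return sorted(hits)


def pool_capacity(pools: List[str], expected_users: int, headroom: float = 1.5) -> Tuple[int, int, bool]:
    """Return (usable_addresses, required_with_headroom, fits).
    Each connected mobile user holds one address, so size pools with growth
    headroom up front; network and broadcast addresses are not counted."""
    usable = sum(ipaddress.ip_network(p).num_addresses - 2 for p in pools)
    required = int(expected_users * headroom)
    return usable, required, usable >= required


if __name__ == "__main__":
    for pair in find_overlaps(REGION_POOLS, CORPORATE_PREFIXES):
        print("OVERLAP", *pair)
    for region, prefixes in REGION_POOLS.items():
        print(region, pool_capacity(prefixes, EXPECTED_USERS[region]))
```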

    Train SASE-style policy reasoning in a TechLeague tournament.