Prisma Access: Consolidated Best Practices
Adhering to best practices is crucial for maximizing the security, performance, reliability, and manageability of your Prisma Access deployment. This document consolidates key recommendations across various functional areas.
Authentication
- Prefer SAML 2.0 Integration: Leverage modern Identity Providers (IdPs) like Azure AD, Okta, Ping Identity via SAML for GlobalProtect user authentication. This enables Single Sign-On (SSO) and centralizes identity management.
- Enforce Strong Multi-Factor Authentication (MFA): Always require MFA for user logins. Enforce this through your SAML IdP's conditional access policies or via RADIUS integration if SAML is not used.
- Secure IdP Integration: Use strong signing certificates, configure attribute mapping correctly (especially for username and groups), and regularly review IdP security settings.
- Regular Credential Hygiene: Although managed by the IdP, promote good password policies and regular credential rotation for underlying identity sources (like Active Directory).
- Monitor Authentication Logs: Regularly review GlobalProtect logs (System subtype `globalprotect`) and IdP logs for failed login attempts or suspicious activity. Configure alerts for excessive failures.
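The two checks the last bullet asks for (excessive failures per account, and one source failing against many accounts) are easy to automate once the logs are exported from CDL or a SIEM. The following is an added example, not code from Palo Alto Networks or this guide: it works on a handful of constructed records in a simplified `timestamp,user,src_ip,event,status` layout, which is not the real GlobalProtect log field order, so the column mapping in `parse_lines` is an assumption you would replace with the fields from the log reference or your SIEM parser. The thresholds (`FAIL_THRESHOLD`, `WINDOW`, `SPRAY_MIN_USERS`) are likewise illustrative starting points.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample records in a simplified "timestamp,user,src_ip,event,status" layout.
# This is NOT the field order of real GlobalProtect logs; map the columns from the
# Prisma Access / PAN-OS log reference (or your SIEM's parsed fields) before use.
SAMPLE_LOGS = """\
2024-05-01T08:00:01,alice@example.com,203.0.113.10,gateway-auth,success
2024-05-01T08:01:10,bob@example.com,198.51.100.7,gateway-auth,failure
2024-05-01T08:01:25,bob@example.com,198.51.100.7,gateway-auth,failure
2024-05-01T08:02:03,bob@example.com,198.51.100.7,gateway-auth,failure
2024-05-01T08:02:40,bob@example.com,198.51.100.7,gateway-auth,failure
2024-05-01T08:03:15,bob@example.com,198.51.100.7,gateway-auth,failure
2024-05-01T08:04:00,carol@example.com,203.0.113.22,gateway-auth,failure
2024-05-01T08:04:30,carol@example.com,203.0.113.22,gateway-auth,success
2024-05-01T08:05:00,dave@example.com,198.51.100.7,gateway-auth,failure
2024-05-01T08:05:20,erin@example.com,198.51.100.7,gateway-auth,failure
2024-05-01T08:05:40,frank@example.com,198.51.100.7,gateway-auth,failure
2024-05-01T09:30:00,bob@example.com,198.51.100.7,gateway-auth,failure
"""

FAIL_THRESHOLD = 5              # failures for one user inside WINDOW that raise an alert
WINDOW = timedelta(minutes=10)  # sliding window for the per-user count
SPRAY_MIN_USERS = 3             # distinct users failing from one source IP


def parse_lines(text):
    """Yield one dict per record with the timestamp parsed to a datetime."""
    fields = ("ts", "user", "src_ip", "event", "status")
    for row in csv.reader(StringIO(text)):
        if not row:
            continue
        rec = dict(zip(fields, row))
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        yield rec


def failed_login_bursts(rows, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Map user -> peak number of failures seen inside any sliding window of `window`."""
    failures = defaultdict(list)
    for r in rows:
        if r["status"] == "failure":
            failures[r["user"]].append(r["ts"])
    alerts = {}
    for user, times in failures.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # drop events that fell out of the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[user] = peak
    return alerts


def password_spray_sources(rows, min_users=SPRAY_MIN_USERS):
    """Map src_ip -> number of distinct users that failed from it, when >= min_users."""
    users_by_src = defaultdict(set)
    for r in rows:
        if r["status"] == "failure":
            users_by_src[r["src_ip"]].add(r["user"])
    return {src: len(u) for src, u in users_by_src.items() if len(u) >= min_users}


if __name__ == "__main__":
    records = list(parse_lines(SAMPLE_LOGS))
    print("burst alerts:", failed_login_bursts(records))
    print("spray sources:", password_spray_sources(records))
```

On the constructed data, `bob@example.com` trips the per-user burst rule (five failures inside two minutes) while `carol@example.com`'s single failure followed by a success does not, and `198.51.100.7` is reported because four different accounts failed from it. Once the thresholds are tuned against your own baseline, the same two functions are what an Insights alert or SIEM correlation rule would encode.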
Security Policies
- Adopt Zero Trust / Least Privilege: Grant access based on identity (User-ID), context (HIP profile, location), and application (App-ID), not just network factors (IP/Port). Deny by default and only allow necessary access.
- Prioritize App-ID, User-ID, and HIP: Define Security Policy rules using these Layer 7+ identifiers whenever possible instead of relying solely on Layer 3/4 addresses and services/ports.
- Consistent Security Profiles: Apply up-to-date Security Profiles (Antivirus, Anti-Spyware, Vulnerability Protection, URL Filtering, File Blocking, WildFire) consistently to all relevant 'Allow' rules, especially those permitting internet access. Don't leave gaps.
- Enable Decryption Where Possible: Decrypt SSL/TLS traffic (especially outbound) to allow full inspection by Threat Prevention, URL Filtering, DLP, and App-ID. Carefully document and justify necessary exclusions (e.g., for privacy or technical incompatibility).
- Optimize Rulebase Structure:
  - Place specific rules above general rules.
  - Avoid overly broad 'any/any' rules.
  - Include explicit 'Deny' rules for known bad traffic/unwanted applications.
  - Regularly review and remove unused or redundant rules (use Policy Optimizer in Panorama).
  - Use descriptive rule names and leverage tags for organization.
- Log Everything Initially: Enable logging (at session end) for all rules, including the default deny, during initial deployment and troubleshooting. Adjust later to reduce noise if necessary, but maintain logging for critical allow/deny rules.
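The rulebase bullets above (specific before general, no 'any/any' allows, profiles on every allow, logging on every rule) can be checked mechanically before a commit. The following added example is not from this guide or from Palo Alto Networks; it uses a deliberately simplified `Rule` model rather than the PAN-OS object schema, and the rule names, zones, users and profile labels in `SAMPLE_RULEBASE` are constructed. The shadowing test applies the first-match semantics of the rulebase: a rule is unreachable when an earlier rule matches everything it matches, whatever the two actions are.

```python
from dataclasses import dataclass

ANY = frozenset({"any"})
MATCH_FIELDS = ("src_zones", "dst_zones", "users", "apps", "services")


@dataclass
class Rule:
    """Simplified model of a Security Policy rule (not the PAN-OS object schema)."""
    name: str
    action: str                        # "allow" or "deny"
    src_zones: frozenset = ANY
    dst_zones: frozenset = ANY
    users: frozenset = ANY
    apps: frozenset = ANY
    services: frozenset = ANY
    profiles: frozenset = frozenset()  # attached Security Profiles, e.g. {"av", "vuln"}
    log_end: bool = True               # "Log at Session End"


def covers(outer, inner):
    """True when everything `inner` can match is also matched by `outer`."""
    return outer == ANY or (inner != ANY and inner <= outer)


def is_shadowed_by(earlier, later):
    return all(covers(getattr(earlier, f), getattr(later, f)) for f in MATCH_FIELDS)


def find_shadowed(rules):
    """(rule, shadowing rule) pairs: first match wins, so `rule` can never be hit."""
    hits = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if is_shadowed_by(earlier, later):
                hits.append((later.name, earlier.name))
                break
    return hits


def find_broad_allows(rules):
    """Allow rules that match any application on any service."""
    return [r.name for r in rules if r.action == "allow" and r.apps == ANY and r.services == ANY]


def find_unprofiled_allows(rules):
    """Allow rules with no Security Profiles attached."""
    return [r.name for r in rules if r.action == "allow" and not r.profiles]


def find_unlogged(rules):
    return [r.name for r in rules if not r.log_end]


def audit(rules):
    return {
        "shadowed": find_shadowed(rules),
        "any_any_allows": find_broad_allows(rules),
        "allows_without_profiles": find_unprofiled_allows(rules),
        "unlogged": find_unlogged(rules),
    }


FULL_PROFILES = frozenset({"av", "anti-spyware", "vuln", "url", "file-blocking", "wildfire"})
Z = frozenset  # shorthand for the constructed rulebase below

# Constructed rulebase in evaluation order; names, zones, groups and labels are illustrative.
SAMPLE_RULEBASE = [
    Rule("Deny-P2P", "deny", Z({"trust"}), Z({"untrust"}), apps=Z({"bittorrent"})),
    Rule("Allow-Web-Finance", "allow", Z({"trust"}), Z({"untrust"}), users=Z({"finance"}),
         apps=Z({"web-browsing", "ssl"}), services=Z({"application-default"}),
         profiles=FULL_PROFILES),
    Rule("Allow-All-Out", "allow", Z({"trust"}), Z({"untrust"})),   # any/any, no profiles
    Rule("Allow-Web-HR", "allow", Z({"trust"}), Z({"untrust"}), users=Z({"hr"}),
         apps=Z({"web-browsing"}), services=Z({"application-default"}),
         profiles=FULL_PROFILES),
    Rule("Deny-All", "deny", log_end=False),                          # default deny, unlogged
]

if __name__ == "__main__":
    for finding, items in audit(SAMPLE_RULEBASE).items():
        print(f"{finding}: {items}")
```

On the constructed rulebase the audit reports `Allow-Web-HR` as shadowed by the broad `Allow-All-Out` placed above it, flags `Allow-All-Out` both as an 'any/any' allow and as an allow without profiles, and flags the unlogged `Deny-All`. The comparison in `covers` treats each field as a literal set, so address groups, application groups and `application-default` would need to be expanded to their members before a real export is fed through it; Policy Optimizer in Panorama does that expansion for you, which is why the guide points to it.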
Zero Trust Policy Layers (Conceptual)
```mermaid
graph TD
    A[Traffic Ingress] --> B{Layer 1: Network Control}
    B -- Allowed --> C{Layer 2: App-ID Control}
    C -- Allowed --> D{Layer 3: User-ID / Group Control}
    D -- Allowed --> E{Layer 4: Device Posture - HIP}
    E -- Compliant --> F{Layer 5: Threat Prevention / URL / DLP}
    F -- Clean --> G[Access Granted to Resource]
    %% Deny Paths
    B -- Denied --> X[Blocked]
    C -- Denied --> X
    D -- Denied --> X
    E -- Non-Compliant --> X
    F -- Malicious/Blocked --> X
    %% Style nodes
    style A fill:#f9f,stroke:#333,stroke-width:2px
    style G fill:#ccffcc,stroke:#333,stroke-width:2px
    style X fill:#ffcccc,stroke:#333,stroke-width:2px
```
This diagram illustrates the concept of layering controls. A single Prisma Access Security Policy rule combines many of these checks simultaneously.
Networking
- Meticulous IP Address Planning: This cannot be stressed enough. Ensure Mobile User IP pools DO NOT overlap with any internal subnets reachable via Service Connections or Remote Networks. Document all allocations. Use RFC1918 space appropriately and plan for future growth.
- Implement Redundancy (RN & SC): Configure at least two IPSec tunnels for critical Remote Networks and all Service Connections. Preferably, terminate these tunnels in different Prisma Access compute locations for geographic redundancy. Ensure on-premises termination points (firewalls/routers) are also redundant if possible (HA pair).
- Utilize BGP for Dynamic Routing: Strongly prefer BGP over static routing for Remote Networks and Service Connections. It simplifies route management, enables automatic failover, and supports ECMP load sharing across redundant tunnels.
- Apply BGP Best Practices:
  - Implement route summarization where possible to reduce routing table size.
  - Use route filtering (prefix lists, route maps) to control which specific routes are advertised and accepted in both directions.
  - Tune BGP timers appropriately for desired convergence speed, balancing stability with failover time.
  - Use private ASNs where appropriate, especially within the Prisma Access configuration.
- Monitor Network Health: Actively monitor tunnel status, latency, jitter, packet loss, and bandwidth utilization using Prisma Access Insights and configure alerts for deviations.
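The IP planning bullet (no overlap between Mobile User pools and anything reachable through a Service Connection or Remote Network, RFC1918 space) and the BGP bullets on summarization and prefix-list filtering are both checks you can run against the documented allocation table before onboarding a site. The following added example is not from this guide or from Palo Alto Networks. The address plan in `MOBILE_USER_POOLS` and `REACHABLE_SUBNETS` is constructed, with one deliberate collision and one non-RFC1918 pool to show the checks firing, and the `(prefix, ge, le, action)` prefix-list model is a generic first-match abstraction, not the Prisma Access configuration syntax.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# --- Constructed address plan (illustrative values, not from any real deployment) ---
MOBILE_USER_POOLS = {
    "mu-pool-amer": "10.200.0.0/16",
    "mu-pool-emea": "10.201.0.0/16",
    "mu-pool-apac": "100.64.0.0/16",       # deliberately outside RFC1918 to show the check
}
REACHABLE_SUBNETS = {                      # advertised via Service Connections / Remote Networks
    "hq-lan": "10.10.0.0/16",
    "dc-west-storage": "10.201.128.0/20",  # deliberately collides with mu-pool-emea
    "branch-42": "192.168.50.0/24",
    "partner-dc": "172.16.0.0/12",
}


def find_overlaps(pools, subnets):
    """Return (pool, subnet) pairs whose address ranges intersect."""
    hits = []
    for pname, p in pools.items():
        pn = ipaddress.ip_network(p)
        for sname, s in subnets.items():
            if pn.overlaps(ipaddress.ip_network(s)):
                hits.append((pname, sname))
    return hits


def non_rfc1918(pools):
    """Names of pools that are not carved from RFC1918 space."""
    out = []
    for name, p in pools.items():
        pn = ipaddress.ip_network(p)
        if not any(pn.subnet_of(r) for r in RFC1918):
            out.append(name)
    return out


def summarize(prefixes):
    """Collapse contiguous or contained prefixes into the smallest set of supernets."""
    nets = [ipaddress.ip_network(p) for p in prefixes]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


# Constructed prefix-list model: (prefix, ge, le, action), evaluated first-match.
# ge/le bound the prefix length of a matching route, as on most BGP implementations.
INBOUND_FROM_BRANCH = [
    ("10.10.0.0/16", 16, 24, "permit"),    # the site's summary and sub-blocks down to /24
    ("0.0.0.0/0", 0, 32, "deny"),          # everything else, including a default route
]


def prefix_list_filter(advertised, prefix_list):
    """Routes accepted by `prefix_list`; a route matching no entry is dropped."""
    accepted = []
    for route in advertised:
        r = ipaddress.ip_network(route)
        for prefix, ge, le, action in prefix_list:
            if r.subnet_of(ipaddress.ip_network(prefix)) and ge <= r.prefixlen <= le:
                if action == "permit":
                    accepted.append(route)
                break
    return accepted


if __name__ == "__main__":
    print("pool/subnet overlaps:", find_overlaps(MOBILE_USER_POOLS, REACHABLE_SUBNETS))
    print("non-RFC1918 pools:", non_rfc1918(MOBILE_USER_POOLS))
    site = ["10.10.0.0/24", "10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24", "10.10.9.0/25"]
    print("summarized advertisement:", summarize(site))
    learned = ["10.10.0.0/22", "10.10.9.0/25", "192.168.50.0/24", "0.0.0.0/0"]
    print("accepted from branch:", prefix_list_filter(learned, INBOUND_FROM_BRANCH))
```

On the constructed plan, `find_overlaps` reports the `mu-pool-emea` / `dc-west-storage` collision that would leave mobile users unable to reach that storage block, and `non_rfc1918` flags the CGNAT-range pool. `summarize` turns four adjacent /24s into a single /22 for advertisement, and `prefix_list_filter` accepts only that /22 from the branch: the /25 is longer than the `le 24` bound and the `192.168.50.0/24` and default route match the explicit deny, which is the "control which routes are accepted in both directions" point in the BGP bullets. Running `find_overlaps` with the pools dictionary as both arguments (ignoring a pool paired with itself) extends the same check to pool-versus-pool overlap.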
GlobalProtect
- Optimize Gateway Selection: Rely on the default latency-based automatic gateway selection for the best user experience. Use source region mapping only if specific geographic routing is strictly required.
- Strategic Split Tunneling: Carefully define your split tunnel strategy. Consider tunneling all traffic by default for maximum security unless there's a compelling performance or compatibility reason to exclude specific, trusted applications/domains. Prefer excluding based on App-ID over domains/IPs.
- Mandatory HIP Checks for Sensitive Access: Configure HIP Objects/Profiles reflecting your organization's security baseline (OS version, AV, disk encryption, etc.). Use these HIP profiles in Security Policy rules to enforce posture checks before granting access to critical internal or SaaS resources.
- Keep GlobalProtect Client Updated: Regularly deploy updated GP client versions to endpoints to benefit from security patches, bug fixes, and new features. Use the Portal deployment feature or standard software management tools.
- Use SAML for Authentication: As mentioned under Authentication, SAML integration with your IdP is the preferred method for GP authentication.
Logging
- Log to Cortex Data Lake (CDL): Ensure log forwarding to CDL is configured correctly for all relevant log types (Traffic, Threat, URL, User-ID, HIP, System, Config, etc.) from all Prisma Access components via Panorama templates or Cloud UI settings.
- Sufficient Log Retention: Purchase adequate CDL storage and retention periods to meet operational troubleshooting and compliance requirements (e.g., 30 days, 90 days, 1 year).
- Configure Meaningful Alerts: Set up alerts in Prisma Access Insights for critical events (tunnels down, high resource usage, critical threats) but avoid excessive noise. Tune thresholds based on observed baselines.
- Establish Regular Log Review: Implement processes for regularly reviewing key logs, especially Threat, URL Filtering, and authentication failures, to identify security incidents or operational issues.
- Integrate with SIEM (If Applicable): Configure log forwarding from CDL to your central SIEM solution if required for unified security monitoring and correlation, using the CDL App's forwarding capabilities.
Management (Panorama Focus)
- Leverage Templates and Stacks: Use Templates extensively to define reusable network/device configurations. Organize them logically in Template Stacks for consistent deployment to Prisma Access components.
- Use Template Variables Wisely: Employ variables for site-specific parameters like IP addresses or interface names, but avoid using them for sensitive data like Pre-Shared Keys if possible (configure directly or use certificates).
- Hierarchical Device Groups: Structure Device Groups hierarchically (e.g., Shared > Prisma Access Parent > MU/RN/SC Specific) to inherit common policies and apply specific policies efficiently.
- Descriptive Naming Conventions: Use clear, consistent, and descriptive names for all objects, policies, profiles, templates, and rules. Include site names, functions, or ticket numbers where applicable.
- Regular Panorama Backups: Schedule regular backups of the Panorama configuration (both device state and configuration bundles). Store backups securely off-box.
- Role-Based Access Control (RBAC): Configure administrative accounts on Panorama with specific roles (e.g., read-only auditor, policy administrator, network administrator) based on the principle of least privilege.
- Use Commit Comments: Always add descriptive comments when committing changes in Panorama, explaining the purpose of the change (e.g., "Add rule for Project X per CHG12345").
Change Management
- Document All Changes: Maintain a change log detailing what was changed, why it was changed, who made the change, when it was made, and the associated change request/ticket number.
- Staged Rollouts: Implement significant changes (e.g., major policy revisions, new GP client versions, large-scale onboarding) in phases. Start with a small pilot group or non-critical sites to test impact before broad deployment.
- Peer Review: Have configuration changes reviewed by another qualified engineer before committing and pushing, especially for complex or critical modifications.
- Test Thoroughly: After deploying changes, thoroughly test connectivity, application access, and policy enforcement to ensure the change had the intended effect and no unintended consequences.
- Develop Rollback Plans: For major changes, have a documented plan on how to revert the configuration if significant issues arise. Leverage Panorama's configuration versioning and backup/restore capabilities.
- Communicate Changes: Inform relevant stakeholders (users, application owners, IT support) about planned changes and potential impacts, especially for user-facing changes like GP client updates or authentication modifications.
By consistently applying these best practices, you can build and maintain a secure, resilient, and efficient Prisma Access environment.