deploying-palo-alto-prisma-access-zero-trust

# Deploying Palo Alto Prisma Access Zero Trust ## When to Use - When implementing enterprise-grade SASE with integrated ZTNA, SWG, CASB, and FWaaS - When replacing both VPN and branch office firewalls with cloud-delivered security - When needing advanced threat prevention (WildFire, DNS Security) for remote access traffic - When deploying zero trust for both mobile users and remote network (branch) connections - When integrating ZTNA with existing Palo Alto NGFW infrastructure via Strata Cloud Manager **Do not use** for small organizations (< 200 users) where simpler ZTNA solutions suffice, for environments requiring only web application access without full network security, or when budget constraints preclude enterprise SASE licensing. ## Prerequisites - Prisma Access license (Business Premium or equivalent) - Strata Cloud Manager (SCM) tenant configured - GlobalProtect agent for endpoint deployment - ZTNA Connector VM: 4 vCPU, 8GB RAM, 128GB disk (VMware, AWS, Azure, or GCP) - Identity provider: Okta, Entra ID, Ping Identity (SAML 2.0) - Palo Alto Cortex Data Lake for log storage ## Workflow ### Step 1: Configure Prisma Access Infrastructure in Strata Cloud Manager Set up the cloud infrastructure for mobile user and remote network connections. ```text Strata Cloud Manager > Prisma Access > Infrastructure Settings: Mobile Users Configuration: - Service Connection: Auto-selected based on user location - DNS Servers: 10.1.1.10, 10.1.1.11 (corporate DNS) - IP Po...