Is Prisma SASE / Access basically a VPN?

Is it just a full IP-sec tunnel? How similar is it to Zscaler’s architecture?

Think of Prisma Access as more of a cloud-based GlobalProtect implementation. It’s pretty versatile and EXTREMELY scalable for large environments with a bunch of branches and remote resources/employees.

Depends who you ask but … sort of. Obviously there is a lot more to it. It does full traffic tunneling which means you can then do full layer 7 inspection of everything as well as User-ID, etc.

Prisma SASE adds (I believe) the monitoring of enterprise SaaS accounts (e.g. Google Drive, Dropbox, etc.) for malware, DLP, etc. That isn’t VPN, but it ties into the concept that these things may get edited from anywhere, so it isn’t sufficient to just try and secure access to it; you have to monitor the SaaS content ‘live’. Not sure where that bit fits into the licencing though.

As others have stated, VPN is the transport element to deliver your traffic to the cloud security function.
That said, it’s not the only transport option: there’s SSL “clientless VPN” and an Explicit Proxy (SWG). What works for Palo is that all of these options are within a single product/feature set.

Zscaler started as a web proxy first, with VPN transport as an afterthought. Hence their constant nagging that the firewall is dead/obsolete and other FUD.

ZTNA/SASE is a new shiny term, but in the end it’s about delivering secure connectivity. Zscaler is really good at delivering connectivity quickly and easily. But security in depth is difficult to deliver using just SWG with IPsec slapped on top. That’s why they do things like deception to cover for blind spots.

Yup, it’s essentially a hosted firewall.

From my experience, Prisma SASE, which encompasses Prisma Access, is a rip & replace for VPN and is better for ZTNA at the endpoint level. If your core focus is only to secure the cloud, Netskope is better and it’s also cheaper; Prisma isn’t as enriched from a CASB standpoint. Again, this is my opinion only.

SASE acts as a single point of access replacing the multiple point products (web gateways, firewalls, VPNs). Each point product requires a specific architecture to deploy, policies to configure, and interfaces to manage, as well as multiple sources of logs. SASE unifies these services into a single appliance.

One of the multiple services that the Prisma SASE service provides is Prisma Access, which you can think of as VPN services.

Yes, it’s GlobalProtect in the cloud. There is a lot of similarity. I think Palo has a more complete security feature set, although Zscaler isn’t bad. As an example, Zscaler will only sandbox files from “suspicious” sources. https://help.zscaler.com/zia/about-sandbox

Another difference is that Palo builds a dedicated GCP instance per customer. Only your traffic is on your instance. This is also why there is a 200 user minimum.

You can build your own Palo VM series in the cloud provider of your choice cheaper (usually). Although, of course, you have to care, feed and maintain it.

If you already have GP, do you need another agent for prisma?

Prisma SASE also includes Prisma Access (VPN termination and enforcement in the cloud) plus Prisma SD-WAN (the product that developed from the CloudGenix acquisition). So it is the full solution for both users and network site locations.

The main way the architectures differ from, say, a solution like Zscaler is that Prisma Access is deployed inside public cloud nodes like AWS/GCP with a separate instance for each customer, and it can scale on demand. Also, the single GUI handles the VPN/security/SD-WAN/proxy functionality.

From what I understand, Zscaler applications are deployed in shared infrastructure in co-location DCs. Customers share infrastructure and Zscaler scales by adding more servers to racks. Also, there is a separate application for proxy traffic vs. full VPN L7 traffic.

There are a few other differences and features in Prisma SASE (ADEM, NG-CASB, IoT, etc.), but these are some of the core items.

Few questions:

Are you still doing SSL decryption for the full L7 inspection or is this done on the endpoint somehow?

How does this interact when users are on prem? Do you lose that full tunnel inspection? Do you haul the traffic out to the cloud then back to on prem resources?

Or am I misunderstanding what this does? Is it really just hosted GlobalProtect?

Simplifying it this way, we can also say that Zscaler is just a proxy, perhaps a Squid instance running somewhere.

Interesting. Are you using Netskope CASB? Is it primarily for Office 365?

You’re a bit off on the sandbox. Look up Zscaler’s Advanced Cloud Sandbox. Much richer than Palo’s offering.

Also, the disadvantage of your own instance is that you don’t get instant shared threat intel and blocking from all other tenants.

Nope, same agent :+1:. You can use it in parallel with an existing GP setup too.

There is a really good Gartner review of all solutions, including Palo Alto and Zscaler, from which you can understand the pros and cons of each solution. From there you can look at the documentation of each solution regarding the area of interest. What pain point do you want to address?

It’s a bit more than hosted GP & VPN.

It’s not designed for east-west intra-site traffic; you still need an on-site FW to inspect and enforce that traffic.

It does, however, inspect and secure traffic from remote sites to wherever the data is: public cloud, SaaS or private DC.

I know you’re saying this in jest but… I mean, I agree, it kinda is. Of course there’s other stuff to make the cloud integrations work, but when you strip away the marketing you’re left with firewalls and proxies being hosted by others; add a dash of scripting and a sprinkle of per-MB billing and you get Prisma/Zscaler/etc.

Also, WildFire sandboxing is much richer than Zscaler’s simply because it has bigger coverage from all the customers; it even includes bare-metal analysis plus ML models.

Found the Zscaler rep…