deploying-palo-alto-prisma-access-zero-trust
Deploying Palo Alto Networks Prisma Access for SASE-based zero trust network access using GlobalProtect agents, ZTNA Connectors, security policy enforcement, and integration with Strata Cloud Manager for unified security management.
# Deploying Palo Alto Prisma Access Zero Trust
## When to Use
- When implementing enterprise-grade SASE with integrated ZTNA, SWG, CASB, and FWaaS
- When replacing both VPN and branch office firewalls with cloud-delivered security
- When needing advanced threat prevention (WildFire, DNS Security) for remote access traffic
- When deploying zero trust for both mobile users and remote network (branch) connections
- When integrating ZTNA with existing Palo Alto NGFW infrastructure via Strata Cloud Manager
**Do not use** for small organizations (< 200 users) where simpler ZTNA solutions suffice, for environments requiring only web application access without full network security, or when budget constraints preclude enterprise SASE licensing.
## Prerequisites
- Prisma Access license (Business Premium or equivalent)
- Strata Cloud Manager (SCM) tenant configured
- GlobalProtect agent for endpoint deployment
- ZTNA Connector VM: 4 vCPU, 8GB RAM, 128GB disk (VMware, AWS, Azure, or GCP)
- Identity provider: Okta, Entra ID, Ping Identity (SAML 2.0)
- Palo Alto Cortex Data Lake for log storage
## Workflow
### Step 1: Configure Prisma Access Infrastructure in Strata Cloud Manager
Set up the cloud infrastructure for mobile user and remote network connections.
```text
Strata Cloud Manager > Prisma Access > Infrastructure Settings:
Mobile Users Configuration:
- Service Connection: Auto-selected based on user location
- DNS Servers: 10.1.1.10, 10.1.1.11 (corporate DNS)
- IP Pool for Mobile Users: 10.100.0.0/16
- Authentication: SAML with Okta (Primary), Entra ID (Secondary)
- GlobalProtect Portal: portal.company.com
- GlobalProtect Gateway: Auto (nearest Prisma Access location)
Infrastructure Subnet:
- Range: 172.16.0.0/16
- Allocation: /24 per Prisma Access location
```
### Step 2: Deploy ZTNA Connectors for Private Application Access
Install ZTNA Connectors to provide secure access to internal applications.
```bash
# Deploy ZTNA Connector on VMware (OVA)
# Download OVA from Strata Cloud Manager > Prisma Access > ZTNA Connectors
# AWS deployment via CloudFormation
aws cloudformation create-stack \
  --stack-name prisma-ztna-connector \
  --template-url https://prisma-access-connector-templates.s3.amazonaws.com/ztna-connector-aws.yaml \
  --parameters \
    ParameterKey=VpcId,ParameterValue=vpc-PROD \
    ParameterKey=SubnetId,ParameterValue=subnet-PRIVATE \
    ParameterKey=InstanceType,ParameterValue=m5.xlarge \
    ParameterKey=TenantServiceGroup,ParameterValue=TSG_ID \
    ParameterKey=ConnectorName,ParameterValue=dc-east-connector-01
# Verify connector registration
# Strata Cloud Manager > Prisma Access > ZTNA Connectors
# Status should show "Connected" with nearest Prisma Access location
# Deploy second connector for HA
# ZTNA Connector auto-discovers nearest Prisma Access location
# IPSec tunnel uses: ecp384/aes256/sha512 for IKE and ESP
# Bandwidth: up to 2 Gbps per connector
```
### Step 3: Define Application Definitions and Access Policies
Create application definitions pointing to internal applications via ZTNA Connectors.
```text
Strata Cloud Manager > Prisma Access > Applications:
Application 1: Internal Wiki
- FQDN: wiki.internal.corp
- Port: TCP 443
- ZTNA Connector: dc-east-connector-01
- Protocol: HTTPS
- Health Check: Enabled (HTTP GET /health)
Application 2: Source Code Repository
- FQDN: git.internal.corp
- Ports: TCP 22, 443
- ZTNA Connector: dc-east-connector-01, dc-east-connector-02
- Protocol: HTTPS, SSH
Application 3: Finance ERP
- FQDN: erp.internal.corp
- Port: TCP 443
- ZTNA Connector: dc-east-connector-01
- Protocol: HTTPS
- User Authentication: Required (re-auth every 2h)
Strata Cloud Manager > Policies > Security Policy:
Rule 1: Engineering Access to Dev Tools
Source: User Group "Engineering" (from Okta SAML)
Destination: Application "Source Code Repository", "Internal Wiki"
HIP Profile: "Managed Device with CrowdStrike"
Action: Allow
Logging: Enabled
Threat Prevention: Best Practice profile
Rule 2: Finance Access to ERP
Source: User Group "Finance"
Destination: Application "Finance ERP"
HIP Profile: "Compliant Device - High Security"
Action: Allow
SSL Decryption: Forward Proxy
DLP Profile: "Financial Data Protection"
Rule 3: Default Deny Private Apps
Source: Any
Destination: Any Private App
Action: Deny
Logging: Enabled
```
### Step 4: Configure Host Information Profile (HIP) for Device Posture
Define device posture requirements using HIP checks.
```text
Strata Cloud Manager > Objects > GlobalProtect > HIP Objects:
HIP Object: "CrowdStrike Running"
- Vendor: CrowdStrike
- Product: Falcon Sensor
- Is Running: Yes
- Minimum Version: 7.10
HIP Object: "Disk Encryption Enabled"
- Windows: BitLocker = Encrypted
- macOS: FileVault = Encrypted
HIP Object: "OS Patch Level"
- Windows: >= 10.0.22631
- macOS: >= 14.0
HIP Profile: "Managed Device with CrowdStrike"
- Match: "CrowdStrike Running" AND "Disk Encryption Enabled"
HIP Profile: "Compliant Device - High Security"
- Match: "CrowdStrike Running" AND "Disk Encryption Enabled" AND "OS Patch Level"
```
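The HIP objects and profiles above, and the rule order from Step 3, as an added example (not Palo Alto or Prisma Access code) that evaluates a constructed endpoint posture report the way the policy engine is described: objects are predicates, profiles are ANDs of objects, and rules are matched top-down with Rule 3 as the default deny. The `Posture` field layout is an assumption for the example; note that versions are compared numerically, so Falcon 7.9 correctly fails the 7.10 minimum.

```python
# Added example, not Palo Alto code: HIP evaluation plus Step 3 rule matching.
from dataclasses import dataclass

def ver(s: str) -> tuple:
    """Compare versions numerically so 7.10 > 7.9 (string comparison gets this wrong)."""
    return tuple(int(p) for p in s.split("."))

@dataclass
class Posture:            # constructed shape of what the GlobalProtect agent would report
    platform: str         # "windows" or "macos"
    os_version: str
    edr_product: str
    edr_running: bool
    edr_version: str
    disk_encrypted: bool

# HIP objects from Step 4, expressed as predicates over a Posture
HIP_OBJECTS = {
    "CrowdStrike Running": lambda p: p.edr_product == "Falcon Sensor"
        and p.edr_running and ver(p.edr_version) >= ver("7.10"),
    "Disk Encryption Enabled": lambda p: p.disk_encrypted,
    "OS Patch Level": lambda p: ver(p.os_version)
        >= ver({"windows": "10.0.22631", "macos": "14.0"}[p.platform]),
}
# HIP profiles from Step 4: a profile matches only if every listed object matches
HIP_PROFILES = {
    "Managed Device with CrowdStrike": ["CrowdStrike Running", "Disk Encryption Enabled"],
    "Compliant Device - High Security": ["CrowdStrike Running", "Disk Encryption Enabled", "OS Patch Level"],
}

def hip_match(profile: str, p: Posture) -> bool:
    return all(HIP_OBJECTS[obj](p) for obj in HIP_PROFILES[profile])

# Step 3 rules: (name, source groups, destination apps, required HIP profile, action);
# None means "any". Evaluated top-down, first match wins, Rule 3 is the default deny.
RULES = [
    ("Engineering Access to Dev Tools", {"Engineering"},
     {"Source Code Repository", "Internal Wiki"}, "Managed Device with CrowdStrike", "allow"),
    ("Finance Access to ERP", {"Finance"}, {"Finance ERP"}, "Compliant Device - High Security", "allow"),
    ("Default Deny Private Apps", None, None, None, "deny"),
]

def decide(groups: set, app: str, p: Posture) -> tuple:
    """Return (matched rule name, action) for a user in `groups` reaching `app` from device `p`."""
    for name, src, dst, hip, action in RULES:
        if src is not None and not (groups & src):
            continue
        if dst is not None and app not in dst:
            continue
        if hip is not None and not hip_match(hip, p):   # posture failure falls through to deny
            continue
        return name, action
    return "implicit-deny", "deny"
```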
### Step 5: Deploy GlobalProtect Agent to Endpoints
Roll out the GlobalProtect agent for secure connectivity.
```bash
# Deploy GlobalProtect via Intune (Windows)
# MSI download from Strata Cloud Manager > GlobalProtect > Agent Downloads
# GlobalProtect pre-deployment configuration
# pre-deploy.xml for automated portal connection:
cat > pre-deploy.xml << 'EOF'
<GlobalProtect>
  <Settings>
    <portal>portal.company.com</portal>
    <connect-method>pre-logon</connect-method>
    <authentication-override>
      <generate-cookie>yes</generate-cookie>
      <cookie-lifetime>24</cookie-lifetime>
    </authentication-override>
  </Settings>
</GlobalProtect>
EOF
# Verify GlobalProtect connection status
# GlobalProtect system tray > Settings > Connection Details
# Should show: Connected to nearest Prisma Access gateway
# IPSec tunnel established with full threat prevention
```
### Step 6: Configure Logging and Monitoring
Set up Cortex Data Lake integration and monitoring dashboards.
```text
Strata Cloud Manager > Prisma Access > Monitoring:
Log Forwarding:
- Cortex Data Lake: Enabled (all log types)
- SIEM Forwarding: Splunk HEC (https://splunk-hec.company.com:8088)
- Log Types: Traffic, Threat, URL, WildFire, GlobalProtect, HIP Match
Dashboard Monitoring:
- Mobile Users: Active connections, locations, bandwidth
- ZTNA Connectors: Health, latency, tunnel status
- Security Events: Threats blocked, DLP violations, HIP failures
- Application Usage: Top apps, top users, denied access attempts
Alerting:
- ZTNA Connector down: Email + PagerDuty
- HIP failure rate > 10%: Email to IT
- Threat detected on mobile user: SOC alert
```
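The "HIP failure rate > 10%" alert from the Alerting list above, as an added example (not Prisma Access or Cortex Data Lake code) run over constructed HIP Match log lines. The four-column line layout (time, user, HIP profile, match status) is an assumption for the example, not a real log export format; the function groups events per profile so a single profile failing for many users surfaces even when the overall rate looks healthy.

```python
# Added example, not Palo Alto code: per-profile HIP failure-rate alerting.
import csv
import io
from collections import Counter, defaultdict

# Constructed sample lines: receive_time,user,hip_profile,match_status
SAMPLE_HIP_LOG = """\
2024-05-01T08:00:01Z,alice@company.com,Managed Device with CrowdStrike,match
2024-05-01T08:00:05Z,bob@company.com,Managed Device with CrowdStrike,match
2024-05-01T08:00:09Z,carol@company.com,Compliant Device - High Security,not-match
2024-05-01T08:00:12Z,dave@company.com,Compliant Device - High Security,not-match
2024-05-01T08:00:15Z,erin@company.com,Compliant Device - High Security,match
2024-05-01T08:00:20Z,frank@company.com,Managed Device with CrowdStrike,match
2024-05-01T08:00:22Z,grace@company.com,Managed Device with CrowdStrike,match
2024-05-01T08:00:30Z,heidi@company.com,Managed Device with CrowdStrike,match
"""

ALERT_THRESHOLD = 0.10   # Step 6: HIP failure rate > 10% -> email to IT

def hip_alerts(log_text: str, threshold: float = ALERT_THRESHOLD) -> list:
    """Return [(profile, failure_rate, [users who failed])] for profiles over the threshold."""
    totals = Counter()
    failed_users = defaultdict(list)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 4:            # skip blank or malformed lines rather than crash
            continue
        _ts, user, profile, status = row
        totals[profile] += 1
        if status != "match":        # anything other than an explicit match counts as a failure
            failed_users[profile].append(user)
    alerts = []
    for profile, total in totals.items():      # total >= 1 here, so no zero division
        rate = len(failed_users[profile]) / total
        if rate > threshold:
            alerts.append((profile, round(rate, 2), failed_users[profile]))
    return alerts
```

The failing-user list is returned alongside the rate so the IT email can name who to follow up with, which is what makes a posture alert actionable.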
## Key Concepts
| Term | Definition |
|------|------------|
| Prisma Access | Palo Alto's cloud-delivered SASE platform providing FWaaS, SWG, CASB, DLP, and ZTNA from a single architecture |
| ZTNA Connector | VM-based connector establishing IPSec tunnels from internal networks to Prisma Access for private application access |
| GlobalProtect | Endpoint agent providing secure connectivity to Prisma Access with HIP checks and always-on VPN |
| Host Information Profile (HIP) | Device posture checks evaluating endpoint security state (EDR, encryption, patches) before granting access |
| Strata Cloud Manager | Unified management console for Prisma Access, NGFW, and Prisma Cloud security policy |
| Cortex Data Lake | Cloud-based log storage and analytics platform for Palo Alto security telemetry |
## Tools & Systems
- **Prisma Access**: Cloud-delivered SASE with integrated ZTNA, SWG, CASB, DLP, FWaaS
- **Strata Cloud Manager (SCM)**: Unified policy management across Palo Alto security products
- **GlobalProtect Agent**: Endpoint connectivity agent with HIP data collection
- **ZTNA Connector**: Outbound-only tunnel connector for private application access