Enterprise 1 Build 5 (E1B5) - SASE and Microsegmentation - PAN NGFW and PAN Prisma Access as PEs#
Note
This page is supplementary material for the NIST SP 1800-35 publication.
Technologies#
E1B5 uses products from AWS, IBM, Mandiant, Okta, Palo Alto Networks (PAN), Radiant Logic, SailPoint, and Tenable. Certificates from DigiCert are also used. For more information on these collaborators and the products and technologies that they contributed to this project overall, see Collaborators and Their Contributions.
E1B5 components consist of PAN Panorama, PAN Next Generation Firewall (NGFW), PAN Prisma Access, PAN Prisma SASE (Prisma Access & Prisma SD-WAN), PAN Cloud-Delivered Security Services (CDSS), PAN Cloud Identity Engine (CIE), PAN Global Protect, PAN Strata Cloud Manager, Okta Identity Cloud, Radiant Logic RadiantOne Intelligent Identity Data Platform, SailPoint IdentityIQ, Okta Verify App, IBM Security QRadar XDR, Tenable.io, Tenable.ad, Tenable NNM, Mandiant Security Validation, DigiCert CertCentral, and AWS IaaS.
Table 1 lists all of the technologies used in Build E1B5. It lists the products used to instantiate each ZTA component and the security function that each component provides.
Table 1 - E1B5 Products and Technologies
Component |
Product |
Function |
|---|---|---|
PE |
PAN NGFW, PAN Prisma Access |
Decides whether to grant, deny, or revoke access to a resource based on enterprise policy, information from supporting components, and a trust algorithm. |
PA |
PAN NGFW, PAN Prisma Access |
Executes the PE’s policy decision by sending commands to a PEP that establishes and shuts down the communication path between subject and resource. |
PEP |
PAN NGFW, PAN Prisma SASE (Prisma Access & Prisma SD-WAN), PAN CDSS |
Guards the trust zone that hosts one or more enterprise resources; establishes, monitors, and terminates the connection between subject and resource as directed by the PA; forwards requests to and receives commands from the PA. |
ICAM - Identity Management |
Okta Identity Cloud, PAN Cloud Identity Engine |
Creates and manages enterprise user and device accounts, identity records, role information, and access attributes that form the basis of access decisions within an organization to ensure the correct subjects have the appropriate access to the correct resources at the appropriate time. |
ICAM - Access & Credential Management |
Okta Identity Cloud, PAN Cloud Identity Engine |
Manages access to resources by performing user and device authentication (e.g., SSO and MFA) and using identity, role, and access attributes to determine which access requests are authorized. |
ICAM - Federated Identity |
Radiant Logic RadiantOne Intelligent Identity Data Platform |
Aggregates and correlates all attributes relating to an identity or object that is being authorized by a ZTA. It enables users of one domain to securely access data or systems of another domain seamlessly, and without the need for completely redundant user administration. Federated identity encompasses the traditional ICAM data, supports identities that may be part of a larger federated ICAM community, and may include non-enterprise employees. |
ICAM - Identity Governance |
SailPoint IdentityIQ |
Provides policy-based, centralized, automated processes to manage user identity and access control functions (e.g., ensuring segregation of duties, role management, logging, access reviews, analytics, reporting) to ensure compliance with requirements and regulations. |
ICAM - MFA |
Okta Verify app |
Supports MFA of a user identity by requiring the user to provide not only something they know (e.g., a password), but also something they have (e.g., a token). |
Endpoint Security - UEM/MDM |
None |
Manages and secures enterprise desktop computers, laptops, and/or mobile devices in accordance with enterprise policy to protect applications and data; ensure device compliance; mitigate and remediate vulnerabilities and threats; monitor for suspicious activity to prevent and detect intrusions; prevent, detect, and disable malware and other malicious or unauthorized traffic; repair infected files when possible; provide alerts and recommend remediation actions; and encrypt data. Pushes enterprise applications and updates to devices, enables users to download enterprise applications that they are authorized to access, remotely deletes all applications and data from devices if needed, tracks user activity on devices, and detects and addresses security issues on the device. |
Endpoint Security - EPP |
PAN Global Protect |
Detects and stops threats to endpoints through an integrated suite of endpoint protection technologies including antivirus, data encryption, intrusion prevention, EDR, and DLP. May include mechanisms that are designed to protect applications and data; ensure device compliance with policies regarding hardware, firmware, software, and configuration; monitor endpoints for vulnerabilities, suspicious activity, intrusion, infection, and malware; block unauthorized traffic; disable malware and repair infections; manage and administer software and updates; monitor behavior and critical data; and enable endpoints to be tracked, troubleshooted, and wiped, if necessary. |
Security Analytics - SIEM |
IBM Security QRadar XDR |
Collects and consolidates security information and security event data from many sources; correlates and analyzes the data to help detect anomalies and recognize potential threats and vulnerabilities; and logs the data to adhere to data compliance requirements. |
Security Analytics - Endpoint Monitoring |
Tenable.io |
Discovers all IP-connected endpoints and performs continuous collection, examination, and analysis of software versions, configurations, and other information regarding hosts (devices or VMs) that are connected to the network. |
Security Analytics - Vulnerability Scanning and Assessment |
Tenable.io and Tenable.ad |
Scans and assesses the enterprise infrastructure and resources for security risks, identifies vulnerabilities and misconfigurations, and provides remediation guidance regarding investigating and prioritizing responses to incidents. |
Security Analytics - Traffic Inspection |
Tenable NNM |
Intercepts, examines, and records relevant traffic transmitted on the network. |
Security Analytics - Network Discovery |
Tenable NNM |
Discovers, classifies, and assesses the risk posed by devices and users on the network. |
Security Analytics - SOAR |
None |
Integrates the SIEM and other security tools into a single pane of glass to support generation of insights into threats and help track, manage, and resolve cybersecurity incidents. Executes predefined incident response workflows to automatically analyze information and orchestrate the operations required to respond. |
Security Analytics - Security Validation |
Mandiant Security Validation |
Provides visibility and evidence on the status of the security controls’ effectiveness in the ZTA. Enables security capabilities of the enterprise to be monitored and verified by continuously validating and measuring the cybersecurity controls; also used to automate the demonstrations that were performed to showcase ZTA capabilities. Deployed throughout the project’s laboratory environment to enable monitoring and verification of various security aspects of the builds. VMs that are intended to operate as actors are deployed on each of the subnetworks in each of the enterprises. These actors can be used to initiate various actions for the purpose of verifying that security controls are working to support the objectives of zero trust. |
Security Analytics - Centralized Management |
PAN Panorama |
Centralized platform for configuring and managing multiple security components. Can be used to modify and update policies to ensure consistency across PEPs. |
Security Analytics - Security Analytics and Access Monitoring |
PAN Strata Cloud Manager |
Uses AI and other data analytics to try to improve security posture and prevent network disruptions. |
Data Security - Data Access Protection |
PAN NGFW, PAN Prisma Access, and PAN CDSS |
Discovers sensitive business critical data in the cloud and on-premises and provides protection by preventing unauthorized access and minimizing the risk of data theft and data leaks using security policy rules. |
General - Remote Connectivity |
PAN Prisma Access |
Provides remote users with connectivity to on-premises and IaaS resources. |
Resource Protection - IaaS Security |
PAN NGFW in IaaS |
Component that is deployed to be the front-end for an internal resource in the cloud for the purpose of protecting that resource. |
General - Certificate Management |
DigiCert CertCentral TLS Manager |
Provides automated capabilities to issue, install, inspect, revoke, renew, and otherwise manage TLS certificates. |
General - Cloud IaaS |
AWS - GitLab |
Provides computing resources, complemented by storage and networking capabilities, hosted by a cloud service provider, offered to customers on demand, and exposed through a GUI and an API. An IPsec tunnel is used to provide a secure connection from the enterprise to the cloud. |
General - Cloud SaaS |
DigiCert CertCentral, Okta Identity Cloud, PAN CDSS, PAN CIE, PAN Prisma SASE (Prisma Access & Prisma SD-WAN), Tenable.io |
Cloud-based software delivered for use by the enterprise. |
General - Application |
GitLab |
Example enterprise resource to be protected. (In this build, GitLab is integrated with Okta using SAML, and IBM Security QRadar XDR pulls logs from GitLab.) There are instances of GitLab on-premises and in AWS. |
General - Enterprise-Managed Device |
Mobile devices (iOS and Android) and desktops/laptops (Windows, Mac, and Linux) |
Example endpoints to be protected. All enterprise-managed mobile devices have PAN Global Protect and the Okta Verify App installed. |
General - BYOD |
Mobile devices (iOS and Android) and desktops/laptops (Windows, Linux and Mac) |
Example endpoints to be protected. |
Build Architecture#
In this section we present the logical architecture of E1B5. We also describe E1B5’s physical architecture and present message flow diagrams for some of its processes.
Logical Architecture#
Figure 1 depicts the logical architecture of E1B5. It uses numbered arrows to depict the general flow of messages needed for a subject to request access to a resource and have that access request evaluated based on subject identity (both requesting user and requesting endpoint identity), user authorizations, and requesting endpoint health. It also depicts the flow of messages supporting periodic reauthentication of the requesting user and the requesting endpoint and periodic verification of requesting endpoint health, all of which must be performed to continually reevaluate access. The labeled steps in Figure 1 have the same meanings as they do in Architecture - Figure 1. However, Figure 1 includes the specific products that instantiate the architecture of E1B5. Figure 1 also does not depict any of the resource management steps found in Architecture - Figure 1 because the ZTA technologies deployed in E1B5 do not support the ability to perform authentication and reauthentication of the resource or periodic verification of resource health.
E1B5 was designed with Palo Alto Networks components that serve as PEs, PAs, and PEPs, and Okta Identity Cloud that serves as identity, access, and credential manager. PAN Cloud Identity Engine is used to connect and integrate Okta Identity Cloud with PAN products such as the NGFW and Panorama. Radiant Logic acts as a PIP for the PDP as it responds to inquiries and provides identity information on demand in order for Okta and PAN to make near-real-time access decisions. A more detailed depiction of the messages that flow among components to support a user access request can be found in Message Flows for Successful Resource Access Requests.
Figure 1 - Logical Architecture of E1B5
ICAM Information Architecture#
How ICAM information is provisioned, distributed, updated, shared, correlated, governed, and used among ZTA components is fundamental to the operation of the ZTA. The ICAM information architecture ensures that when a subject requests access to a resource, the aggregated set of identity information and attributes necessary to identify, authenticate, and authorize the subject is available to be used as a basis on which to make the access decision.
In E1B5, Okta, Radiant Logic, and SailPoint integrate with each other as well as with other components of the ZTA to support the ICAM information architecture. The ways that these components work together to correlate identity information and to support actions such as users joining, changing roles, and leaving the enterprise are the same in E1B5 as they are in E1B1, E1B2, E1B3, and E1B4. These interactions are described in E1B1 - ICAM Information Architecture.
Physical Architecture#
Enterprise 1 and Enterprise 1 Branch Office describe and depict the physical architecture of the E1B5 headquarters network and E1B5 branch office network, respectively.
Message Flows for Successful Resource Access Requests#
This section depicts several authentication message flows supported by E1B5. Resource access is protected by PAN components, which act as PDPs and PEPs. Okta acts as the identity provider for this build, and PAN Prisma Access and PAN NGFWs integrate with Okta via the PAN Cloud Identity Engine, which acts like an ICAM proxy for Prisma Access and NGFW. Five flows are depicted.
Message Flow for Remote User Access to Enterprise Resources that Are Either On-Premises or In the Cloud (PAN Prisma Access, PAN Global Protect, PAN Cloud Identity Engine, PAN NGFW)#
Figure 2 depicts the high-level message flow supporting the use case in which a remote user (i.e., a user who is not located on-premises or at a branch office) who has an enterprise ID, is using a compliant device, and is authorized to access an enterprise resource, requests and receives access to that resource. The resource may be located either on-premises or in the cloud. Access to the resource is authenticated and authorized by the following components working together:
PAN Global Protect Agent running on the user’s endpoint, which collects cybersecurity and other information about the endpoint such as firewall status, OS, antivirus, etc. and submits it as a host information profile (HIP) to a PAN PDP such as Prisma Access or NGFW. The PDP uses the PDP to perform endpoint compliance checks. The Global Protect Agent connects to a Global Protect Gateway that is running on a PAN PEP and submits access requests to it.
Okta, which acts as IdP and has a directory and SAML integration with PAN Cloud Identity Engine.
PAN Prisma Access, which acts as both PDP and PEP, and includes a mobile user security processing node (MU SPN), a service connection security processing node (SC SPN), and a Global Protect Gateway.
PAN NGFW, which acts as both PDP and PEP. If the resource is located on-premises, the NGFW controlling access is the enterprise NGFW that is on-premises guarding the resource; if the resource is located in the cloud, the NGFW controlling access is a VM-series NGFW in the cloud. The NGFW includes a Global Protect Gateway (not shown).
Figure 2 - Use Case E1B5 - Remote User Authentication and Access Enforcement Using PAN Prisma Access, PAN Global Protect, and PAN NGFW
The message flow depicted in Figure 2 consists of the following steps:
The PAN Global Protect Agent on the user’s device tries to connect to the portal. Because the user is remote (i.e., not located on-premises or at a branch office), this connection attempt is received at the MU SPN component of PAN Prisma Access.
The MU SPN component of Prisma Access redirects the Global Protect Agent to the PAN Cloud Identity Engine (CIE) for authentication.
The Global Protect Agent directs the user’s endpoint to contact PAN CIE for authentication in a web browser.
PAN CIE determines that Okta is the IdP based on the authentication profile and redirects the user to Okta.
Okta challenges the user for both first- and second-factor authentication and the user re-sponds by providing their first- and second-factor credentials.
Assuming the user provided the correct credentials, Okta sends an authentication token to the endpoint. The MU SPN component of PAN Prisma Access learns the user’s IP address as traffic passes through it.
The Global Protect Agent connects to the best/closest Global Protect Gateway, based on user location and latency. The Global Protect Agent authenticates to this gateway by providing the authentication token.
The Global Protect Agent also submits the HIP to the Prisma Access PEP.
The user sends a request to access the enterprise resource on the connection to the Prisma Access PEP. (The resource may be located either on-premises or in an enterprise data center that is hosted in the cloud.)
Prisma Access looks up the security policy and the device HIP profile, inspects the traffic, and forwards the traffic, assuming the endpoint is compliant and access is permitted by policy.
The SC SPN component of Prisma Access forwards the traffic using an IPsec tunnel that termi-nates at the PAN NGFW that is guarding the resource. If the resource is on-premises, the ser-vice connection IPsec tunnel will terminate at an on-premises enterprise NGFW. If the re-source is in the cloud, the service connection IPsec tunnel will terminate at a VM-series NGFW that is deployed in the cloud.
The NGFW looks up security policy, inspects the traffic, and forwards the traffic to the re-source, if allowed.
Message Flow for A User Who Is Located at a Branch Office to Access an Enterprise Resource On-Premises at Another Enterprise Site or In the Cloud (PAN Prisma Access, PAN Global Protect, PAN Cloud Identity Engine, PAN NGFW)#
Figure 3 depicts the high-level message flow supporting the use case in which a user who is located at a branch office, who has an enterprise ID, is using a compliant device, and is authorized to access an on-premises enterprise resource, requests and receives access to that resource. The resource may be located either on-premises at another enterprise site or in the cloud. Access to the resource is authenticated and authorized by the following components working together:
PAN Global Protect Agent running on the user’s endpoint, which collects cybersecurity and other information about the endpoint such as firewall status, OS, antivirus, etc. and submits it as a host information profile (HIP) to a PAN PDP such as Prisma Access or NGFW. The PDP uses the PDP to perform endpoint compliance checks. The Global Protect Agent connects to a Global Protect Gateway that is running on a PAN PEP and submits access requests to it.
Okta, which acts as IdP and has a directory and SAML integration with PAN Cloud Identity Engine.
PAN Prisma Access, which acts as both PDP and PEP, and includes a remote network security processing node (RN SPN), a service connection security processing node (SC SPN), and a Global Protect Gateway.
Two PAN NGFWs, which act as both PDPs and PEPs: an NGFW located at the branch office where the user is located, and an NGFW that is guarding the resource. If the resource is located on premises, the NGFW controlling access is the enterprise NGFW that is on-premises guarding the resource; if the resource is located in the cloud, the NGFW controlling access is a VM-series NGFW in the cloud. Each NGFW includes a Global Protect Gateway (not shown).
Figure 3 - Use Case E1B5 - User Located in a Branch Office Authentication and Access Enforcement to an On-Premises Enterprise Resource Using PAN Prisma Access, PAN Global Protect, and PAN NGFW
The message flow depicted in Figure 3 consists of the following steps:
The PAN Global Protect Agent on the user’s device tries to connect to the portal. Because the user is located at a Branch Office, this connection attempt is received at the Branch NGFW.
The Branch NGFW redirects the Global Protect Agent to the PAN Cloud Identity Engine (CIE) for authentication.
The Global Protect Agent directs the user’s endpoint to contact PAN CIE for authentication in a web browser.
PAN CIE determines that Okta is the IdP based on the authentication profile and redirects the user to Okta.
Okta challenges the user for both first- and second-factor authentication. and the user re-sponds by providing their first- and second-factor credentials.
Assuming the user provided the correct credentials, Okta sends an authentication token to the endpoint. The Branch NGFW learns the user’s IP address as traffic passes through it.
The Global Protect Agent connects to the internal Global Protect Gateway within the Branch NGFW once internal host detection is resolved, demonstrating that the endpoint is physically present at the site. The Global Protect Agent authenticates to the internal gateway by provid-ing the authentication token.
The Global Protect Agent also submits the HIP to the Global Protect Gateway that is on the Branch NGFW PEP.
The user sends a request to access the enterprise resource that is located on-premises at an-other site (headquarters or another branch office) on the connection to the Branch NGFW.
The Branch NGFW looks up the security policy and the device HIP profile, inspects the traffic, and forwards the traffic to the RN SPN component of Prisma Access, assuming the endpoint is compliant and access is permitted by policy.
The RN SPN component of Prisma Access performs policy enforcement, traffic inspection, and routing of the request as it forwards the request to the SC SPN component of Prisma Access.
The SC SPN component of Prisma Access forwards the traffic using an IPsec tunnel that termi-nates at the enterprise PAN NGFW guarding the resource. If the resource is on-premises, the service connection IPsec tunnel will terminate at an on-premises enterprise NGFW. If the re-source is in the cloud, the service connection IPsec tunnel will terminate at a VM-series NGFW that is deployed in the cloud.
The NGFW that is guarding the resource looks up security policy, inspects the traffic, and for-wards the traffic to the resource, if allowed.
Message Flow for A User Who Is On-Premises at Enterprise Headquarters to Access an Enterprise Resource Located at a Data Center Hosted in the Cloud (PAN Prisma Access, PAN Global Protect, PAN Cloud Identity Engine, PAN on premise and cloud NGFWs)#
Figure 4 depicts the high-level message flow supporting the use case in which a user who is located on-premises at headquarters, has an enterprise ID, is using a compliant device, and is authorized to access an enterprise resource that is in a data center hosted in the cloud, requests and receives access to that resource. Access to the resource is authenticated and authorized by the following components working together:
PAN Global Protect Agent running on the user’s endpoint, which collects cybersecurity and other information about the endpoint such as firewall status, OS, antivirus, etc. and submits it as a host information profile (HIP) to a PAN PDP such as Prisma Access or NGFW. The PDP uses the PDP to perform endpoint compliance checks. The Global Protect Agent connects to a Global Protect Gateway that is running on a PAN PEP and submits access requests to it.
Okta, which acts as IdP and has a directory and SAML integration with PAN Cloud Identity Engine.
PAN Prisma Access, which acts as both PDP and PEP, and includes multiple instantiations of service connection security processing nodes (SC SPNs) and a Global Protect Gateway.
Two PAN NGFWs, which act as both PDPs and PEPs: a NGFW located on-premises at headquarters where the user is located, and a VM-series NGFW in the cloud where the resource is located. Each NGFW includes a Global Protect Gateway (not shown).
Figure 4 - Use Case E1B5 - User Located On-Premises at Headquarters Authentication and Access Enforcement to a Resource in the Cloud Using PAN Prisma Access, PAN Global Protect, and PAN NGFW
The message flow depicted in Figure 4 consists of the following steps:
The PAN Global Protect Agent on the user’s device tries to connect to the portal. Because the user is located at the enterprise headquarters, this connection attempt is received at the on-premises Enterprise NGFW.
The Enterprise NGFW redirects the Global Protect Agent to the PAN Cloud Identity Engine (CIE) for authentication.
The Global Protect Agent directs the user’s endpoint to contact PAN CIE for authentication in a web browser.
PAN CIE determines that Okta is the IdP based on the authentication profile and redirects the user to Okta.
Okta challenges the user for both first- and second-factor authentication, and the user re-sponds by providing their first- and second-factor credentials.
Assuming the user provided the correct credentials, Okta sends an authentication token to the endpoint. The Enterprise NGFW learns the user’s IP address as traffic passes through it.
The Global Protect Agent connects to the internal Global Protect Gateway within the Enter-prise NGFW once internal host detection is resolved, demonstrating that the endpoint is phys-ically present at the site. The Global Protect Agent authenticates to the internal gateway by providing the authentication token.
The Global Protect Agent also submits the HIP profile to the Global Protect Gateway that is on the on-premises PAN NGFW PEP.
The user sends a request to access the enterprise resource that is located in the cloud on the connection to the Enterprise NGFW.
The Enterprise NGFW looks up the security policy and the device HIP profile, inspects the traf-fic, and forwards the traffic to the SC SPN component of Prisma Access, assuming the endpoint is compliant and access is permitted by policy.
Traffic is routed from between service connections set up by the SC SPN component of Prisma Access.
An SC SPN component of Prisma Access forwards the traffic using an IPsec tunnel that termi-nates at an NGFW NVF that is in the cloud guarding the resource.
The NGFW looks up security policy, inspects the traffic, and forwards the traffic to the re-source, if allowed.
Message Flow for A User Located On-Premises to Access an Enterprise Resource Also Located On-Premises (PAN Prisma Access, PAN Global Protect, PAN Cloud Identity Engine, PAN NGFW)#
Figure 5 depicts the high-level message flow supporting the use case in which a user who is located on-premises at headquarters, has an enterprise ID, is using a compliant device, and is authorized to access an enterprise resource that is also located on-premises at headquarters, requests and receives access to that resource. Access to the resource is authenticated and authorized by the following components working together:
PAN Global Protect Agent running on the user’s endpoint, which collects cybersecurity and other information about the endpoint such as firewall status, OS, antivirus, etc. and submits it as a host information profile (HIP) to a PAN PDP such as Prisma Access or NGFW. The PDP uses the PDP to perform endpoint compliance checks. The Global Protect Agent connects to a Global Protect Gateway that is running on a PAN PEP and submits access requests to it.
Okta, which acts as IdP and has a directory and SAML integration with PAN Cloud Identity Engine.
PAN NGFW, which acts as both PDP and PEP, and is located on-premises at enterprise headquarters where both the user and the resource are located. The NGFW includes a Global Protect Gateway (not shown).
Figure 5 - Use Case—E1B5 - User Located On-Premises at Enterprise Authentication and Access Enforcement to a Resource Located Internally On-Premises Using PAN Global Protect and PAN NGFW
The message flow depicted in Figure 5 consists of the following steps:
The PAN Global Protect Agent on the user’s device tries to connect to the portal. Because the user is located on-premises at the enterprise, this connection attempt is received at the inter-nal, on-premises Enterprise NGFW.
The Enterprise NGFW redirects the Global Protect Agent to the PAN Cloud Identity Engine (CIE) for authentication.
The Global Protect Agent directs the user’s endpoint to contact PAN CIE for authentication in a web browser.
PAN CIE determines that Okta is the IdP based on the authentication profile and redirects the user to Okta.
Okta challenges the user for both first- and second-factor authentication, and the user re-sponds by providing their first- and second-factor credentials.
Assuming the user provided the correct credentials, Okta sends an authentication token to the endpoint. The Enterprise NGFW learns the user’s IP address as traffic passes through it.
The Global Protect Agent connects to the internal Global Protect Gateway within the internal Enterprise NGFW once internal host detection is resolved, demonstrating that the endpoint is physically present at the site. The Global Protect Agent authenticates to the internal gateway by providing the authentication token.
The Global Protect Agent also submits the HIP profile to the Global Protect Gateway that is on the Enterprise NGFW.
The user sends a request to access the internal, on-premises enterprise resource on the con-nection to the Enterprise NGFW.
The Enterprise NGFW looks up the security policy and the device HIP profile, inspects the traf-fic, and forwards the traffic to the resource, assuming the endpoint is compliant and access is permitted by policy.
Message Flow for A Branch Office User to Access an Enterprise Resource Located On-Premises at the Enterprise Headquarters Using SD-WAN (PAN Prisma Access, PAN Prisma SD-WAN, PAN Global Protect, PAN Cloud Identity Engine, PAN NGFW)#
Figure 6 depicts the high-level message flow supporting the use case in which a user who is located at a branch office, has an enterprise ID, is using a compliant device, and is authorized to access a resource on the on-premises enterprise network at headquarters, requests and receives access to that resource over a path selected using SD-WAN. Access to the resource is authenticated and authorized by the following components working together:
PAN Global Protect Agent running on the user’s endpoint, which collects cybersecurity and other information about the endpoint such as firewall status, OS, antivirus, etc. and submits it as a host information profile (HIP) to a PAN PDP such as Prisma Access or NGFW. The PDP uses the PDP to perform endpoint compliance checks. The Global Protect Agent connects to a Global Protect Gateway that is running on a PAN PEP and submits access requests to it.
Okta, which acts as IdP and has a directory and SAML integration with PAN Cloud Identity Engine.
PAN Prisma Access, which acts as both PDP and PEP, and includes a remote network security processing node (RN SPN), a Mobile User Portal, a service connection security processing node (SC SPN), and a Global Protect Gateway.
A PAN NGFW, which acts as both PDP and PEP, located on-premises on the enterprise network at the headquarters where the resource is located. The NGFW includes a Global Protect Gateway (not shown).
PAN Prisma Access SD-WAN, which acts as a router and supports efficient transport of traffic between the branch office and the main headquarters.
Figure 6 - Use Case E1B5 - User Located in a Branch Office Authentication and Access Enforcement to an On-Premises Enterprise Resource Using PAN Prisma SD-WAN, as well as PAN Prisma Access, PAN Global Protect, and PAN NGFW
The message flow depicted in Figure 6 consists of the following steps:
The PAN Global Protect Agent on the user’s device tries to connect to the portal. Because the user is located at a Branch Office, this connection attempt is received at Prisma Access.
Prisma Access redirects the Global Protect Agent to the PAN Cloud Identity Engine (CIE) for authentication.
The Global Protect Agent directs the user’s endpoint to contact PAN CIE for authentication in a web browser.
PAN CIE determines that Okta is the IdP based on the authentication profile and redirects the user to Okta.
Okta challenges the user for both first- and second-factor authentication, and the user re-sponds by providing their first- and second-factor credentials.
Assuming the user provided the correct credentials, Okta sends an authentication token to the endpoint. The MU SPN component of Prisma Access learns the user’s IP address as traffic passes through it.
The Global Protect Agent connects to the internal Global Protect gateway within Prisma Access once internal host detection is resolved, demonstrating that the endpoint is physically present at the Branch Office site. The Global Protect Agent authenticates to the internal gateway by providing the authentication token.
The Global Protect Agent also submits the HIP profile to the Prisma Access PEP.
The user, who is located in the Branch Office, sends the Prisma SD-WAN a request to access a resource that is on the enterprise network.
Prisma SD-WAN looks up the security policy and the device HIP profile, inspects the traffic, chooses the best path (based on link quality) and forwards the traffic to Prisma Access via an IPsec tunnel, assuming the endpoint is compliant and access is permitted by policy.
The RN SPN component of Prisma Access performs policy enforcement, traffic inspection, and routing of the request as it forwards the request to the SC SPN component of Prisma Access.
The SC SPN component of Prisma Access forwards the traffic using an IPsec tunnel that termi-nates at the enterprise PAN NGFW that is on-premises, local to, and guarding the resource.
The Enterprise NGFW looks up security policy, inspects the traffic, and forwards the traffic to the resource, if allowed.