Palo Alto’s powerful brand and the strong reputation of its security solutions makes Prisma SASE a serious contender in the market. For SASE service providers, the appeal is further enhanced with artificial intelligence (AI) enhanced automation features and multi-tenant capabilities.
For more details explore the following sections of this review:
- Who is Palo Alto
- Prisma SASE
- Pricing & Delivery
- Features
- Pros
- Cons
- Alternatives to Prisma SASE
- How We Evaluated Prisma SASE
- Bottom Line: Best for Entry-Level SASE
To compare Palo Alto Prisma SASE against the competition, see our complete list of top secure access service edge (SASE) solutions.
Who is Palo Alto?
Palo Alto is a top cybersecurity company that pioneered firewall technology and continues to focus on market leadership. The company trades publicly on the NASDAQ stock exchange under the symbol “PANW.”
Prisma SASE
Palo Alto’s Prisma SASE solution is the only company recognized as a Leader in Gartner’s 2023 Magic Quadrant for Single-Vendor SASE. It satisfies the six key SASE capabilities with:
- Centralized control through onsite (Panorama Managed) or cloud-hosted (Strata Cloud Manager) consoles that provides a single interface to manage other components and policies
- Monitored network status through advanced and AI-automated software defined wide area network (SD-WAN) capabilities that provide reports, analytics and control over network operations performance and security
- Monitored user activity and data loss prevention (DLP) analysis through activity dashboards and reports based on access logs and the Prisma Access Insights application
- Inspected and decrypted traffic that blocks malware and malicious URLs through a centralized control and filtering, inline internet security, the Advanced WIldFire malware analysis software, and a secure web gateway (SWG) with next generation firewall (NGFW) capabilities
- Controlled access to data and resources based upon user, device, and permissions through zero trust network access (ZTNA), SD-WAN, next generation cloud access security broker (CASB), and domain name service (DNS) security capabilities
- Secured cloud-based assets such as applications, websites, and Software-as-a-Service (SaaS) resources through ZTNA, SWG and CASB capabilities for both public and private apps
Prisma SASE can deploy artificial intelligence (AI) and machine learning (ML) algorithms to quickly detect anomalies and provide powerful analytics, control and response capabilities for advanced threat detection and automated operations and security remediation.
Palo Alto sells the Prisma Access product in three editions:
- Business Edition: includes SWG, advanced URL filtering, and DNS security
- Business Premium Edition: adds advanced threat protection and advanced WildFire malware analysis
- Enterprise Edition: adds ZTNA connections for 2-5 private apps
Each unit licensed permits 250 GB of data transfer per year, and customers can select Strata Cloud Manager or local Prisma Access management using virtual or physical Panorama Management appliances. A Cortex Data Lake subscription for the storage of log files is required for Prisma Access.
Customers can select either a Local or a Worldwide access model for each tier. Licenses are sold in units, where a unit is defined as one mobile user or 1 Mbps of network bandwidth.
A Local option requires a minimum of 200 “units” and will allow for up to 5 point-of-presence (PoP) access points. The Worldwide option requires a minimum of 1,000 “units” and allows access to an expanding PoP access network currently exceeding 100 PoP.
Customers can also purchase add-on components for specialized needs and to meet the base SASE requirements:
- Additional Service Connections for Private App Access
- Autonomous Digital Experience Management (ADEM)*
- AI-powered ADEM
- Colo Connect*
- Enterprise DLP
- Inline SaaS Security*
- IoT Security (only available for remote networks)
- Next-Gen CASB*
- Traffic Replication
- ZTNA Connector*
*These options will be required to achieve the SASE definition but may not be required for every customer.
Pricing & Delivery
Palo Alto does not publicly publish pricing for Prisma Access and its components; however, Palo Alto does provide a Prisma Access Licensing Guide. Although intended to provide maximum flexibility, the multiple editions and options can also make it difficult to determine the licenses needed for a specific solution. Customers are encouraged to contact Palo Alto or their partners for specific pricing.
Limited information is publicly available but includes:
- Licenses are typically offered for 1, 3, or 5 year subscriptions
- Panorama Management appliances for local deployments
- Customers must maintain a valid support license, which depends upon the number of devices supported and level of support required (Standard, Premium)
- All logs forward to the Cortex Data Lake ($2,000 / TB of data)
- Cloud Managed Prisma Access
- Requires the Cortex Data Lake license $2,000 / TB of data
- Must be licensed in the same region as Prisma Access
- Customers may need to license and integrate the SaaS Security API for clientless VPN and authentication
- Prisma Access units (per user, per Mbps) cost $60 – $200 per year depending upon the tier (Business, Business Premium, Enterprise) and PoP access (local, worldwide)
- Add-on options run between $40 and $150 per unit (User, SaaS App, etc.)
Palo Alto partners may offer bundled pricing or discounts based upon volume or multi-year subscriptions.
Features
- Full SASE Features: centralized control, monitored user activity, inspected and decrypted traffic, controlled access, secured cloud-based assets, and monitored network status and operations control
- Rigorous ZTNA (aka ZTNA 2.0) controls with continuous trust verification, security inspection, and data protection as well as precise access control at the app and sub-app levels
- Multi-tenant deployment option for service providers
- Machine learning (ML) enhanced SWG boosts static analysis capabilities to improve security and also simplify user onboarding and customer migration
- Largest API-based CASB coverage of SaaS apps
- Automatic discovery of apps through comprehensive scans of traffic, ports and protocols
- Automatic SD-WAN configuration for Prisma Access enabled by CloudBlade Docker container installation
- ML-powered DLP with more detection engines and more control points to detect and block unintentional or malicious data leaks
- SaaS security misconfiguration detection and drift prevention through the Prisma SASE next generation CASB
- SOC2 reports available for many Prisma SASE components (WildFire, Prisma Access, Prisma SD-WAN, etc.)
- Agentless and Agent-based (GlobalProtect app) remote user protection and security
- Wide OS support: GlobalProtect agent supports Windows, macOS, iOS, Android, ChromeOS, Linux
Pros
- SASE Leader as recognized by Gartner in their 2023 Single Vendor SASE Magic Quadrant and the only vendor in the Leader category
- Market Leader also recognized by Gartner in SASE components (SSE, SD-WAN) and by Forrester for Zero Trust Edge Solutions
- Feature rich with many options for licensing and technology add-ons
- Straightforward GUI for SASE management
- Well trusted brand and an established SASE vendor with a good track record of customer success
- Granular control over devices, assets, users, and security options
- Automated IT operations options for AIOps and Autonomous Digital Experience Management (ADEM) for predictive problem detection and analytics to reduce mean time to resolution (MTTR)
- Integrated IoT security option through SD-WAN to help simplify the connection of devices
Cons
- Add-ons required for key SASE security controls such as next-gen CASB or DLP
- No private backbone for high-speed SD-WAN connections; customers use public backbone resources or contract with backbone providers
- Option overload can make it difficult to determine appropriate licenses and options required
- More complex options from well-established technology can create longer and a more complex setup and possible unintended gaps or conflicts in security policies
- Local integration issues with management appliances and other SASE features
- Poor international documentation with limited non-English information
- Higher prices cited by customers
- Performance hits noted by some customers when used in a mixed vendor environment; may work best in a Palo Alto exclusive environment
Alternatives to Palo Alto Prisma SASE
Prisma SASE wins accolades for security and the available features and customization options of their solution. Buyers seeking multi-tenant alternatives to Prisma SASE will likely gravitate towards similar brands and options such as:
- FortiSASE: Deploys application specific integrated circuit (ASIC) designs for SD-WAN hardware that improve network throughput performance and a similar range of network and security customization
- Versa Universal SASE: Offers a fully-onsite SASE solution in which a customer can install the SASE controller within their own environment and also offers a private backbone for SD-WAN traffic acceleration for the organizations that prefer to buy a hosted solution
- VMware SASE: Provides outstanding options for remote user security with potential bundles for VMware’s market-leading Workspace ONE virtual desktop instance (VDI) security for remote users and technology-agnostic connectors for third-party solutions.
How We Evaluated Prisma SASE
Prisma SASE is rated and ranked against seven other SASE competitors in our top SASE providers article. That article explains the overall ranking and here we provide details specific to Prisma SASE:
- Overall Rating: 3.31 / 5 (#7)
- Licensing Information: 2.75 out of 5 possible criteria
- Monitoring and Managing: 4.2 out of 7 possible criteria
- Asset Control: 3.4 out of 4 possible criteria
- Implementation and Administration: 3.9 out of 5 possible criteria
- Customer Support: 3.31 out of 4 possible criteria
Prisma SASE offers a huge range of options, but some SASE fundamentals can only be obtained with optional add-ons, which make the licensing requirements more difficult to determine. Still, the powerful brand name will ensure that Palo Alto’s solution will be regularly considered for all large enterprises.
Bottom Line: Best for Multi-Tenant Service Providers
As a market leader that performs well in security tests and with a top ranking in analyst reports, managed service providers can use the powerful Palo Alto brand to sell their managed SASE services. Prisma SASE further enforces this capability with robust multi-tenant features and a large number of options to support even uncommon networking and security requirements.