It’s not needed for split tunnels of IPs, but domain based split tunnel doesn’t work without the license
for Linux and mobile for sure - if you’re not using 3rd party.
Thanks for the explanation.
For info, this comes as part of a project to run VeloCloud appliances, the VM-50 will run on the VeloCloud whiteboxes. For a start we’ll set up 3 VPN gateways per each region we have staff. Now if they add Prisma to the mix to provide Umbrella-like features I need to check how each component is working together, I’ll get a FW with GP and Prisma, not sure if we are making things too complicated but in terms of FW we still need services like VLAN segmentation and DMZ zones to publish webservices running on our on-prem servers, I am not sure that’s the type of things Prisma will allow.
Hey thanks! I only know about it because we are legit looking for an Umbrella replacement ourselves (I heard in an Umbrella workshop a year and a half ago that Cisco was planning on phasing out the client in favor of integrating it with AnyConnect VPN which we can’t do for obvious reasons. Also there’s no plans for Linux support with their client). We’d love to use Palo’s DNS Security ourselves, but the lack of client off-VPN availability is a huge killer.
Perhaps once we finish rolling out Prisma Access we can solidly use DNS Security. Our Prisma Access setup is using that always-on config that auths with certificates (issued by our MDMs for wifi anyways) so it’s a fairly painless way to stay connected to the VPN. The only hurdle then would be for our sales guys that can’t use a VPN while at a customer’s office because their network blocks it.
Prisma Access allows you to tunnel all site traffic through the Prisma Access cloud firewall to access the Internet and/or other sites.
Prisma Access cannot be used for segmentation of VLANs in a given site. That would require a firewall.
You could use a firewall to segment locally and then establish a VPN from that firewall to Prisma Access for web filtering (though that could also happen on the firewall).
Have a look at Infoblox BloxOne Threat Defense. You can install an agent on your endpoints that routes DNS requests to the Infoblox BloxOne Threat Defense cloud portal where you can filter malicious DNS as well as enforce website filtering, etc.