Palo Alto Networks Prisma Access Inbound Traffic Support

June 26, 2023

Here’s a common scenario: an organization hosts a web-based application at a branch office that is protected by an on-prem firewall. The organization has also started looking at secure access service edge (SASE) technologies to better address the needs of its mobile users and remote locations accessing the Internet. The dilemma is that this organization inevitably now needs to support multiple security platforms, which exacerbates an already complex environment. One common theme we hear from customers who have many branch offices is that they’d “like to get out of the firewall business.”


Most firewalls deployed at branch locations are predominantly just acting as a perimeter gateway for outbound access to the Internet or a VPN connection back to a data center to reach a private application. Historically, distributed organizations get stuck continuing to support firewalls at all their branches because of the few locations that serve up a web-based application requiring firewall protections for those resources.


This blog post explores how distributed organizations can leverage Palo Alto Networks Prisma® Access to secure inbound traffic from the Internet for all their branch locations. This is a valuable feature for those that need to protect applications at a branch without having to deploy and manage on-prem firewalls.


On-prem firewalls are primarily deployed at a branch office locations for architectures where local network segmentation is necessary (think east-west), and select resources at that branch require additional protections from the internet. When segmentation is not a concern, but applications at remote locations need to be accessed from the internet, you can now use Prisma Access to secure inbound access to those applications.


See the following example use case:




In the example above, User 1 is accessing an online web server located at a remote network location via Prisma Access. User 2 is accessing the internet outbound from the same remote network location while also being secured by Prisma Access. Note that a separate remote network connection is required for inbound access and outbound access. Palo Alto provides some guidelines on utilizing Prisma Access to secure inbound access to a remote network location.


Important Note: Remote networks that are configured for secure inbound access can only be used for that purpose. If you require outbound as well as inbound access for a remote network site, create two remote network sites in the same location—one for inbound access and another for outbound access.


Below are a few example use cases for secure inbound access:



  • You host a public-facing custom application or portal at a remote network site.
  • You have a lab or staging environment for which you want to provide secure access.
  • You need to provide access to an application or website to users who are not members of or part of an organizational domain.



Optiv can help you decide whether it's more effective to keep on-prem branch firewalls in place or secure both outbound internet access and inbound application access at your branches using Prisma Access. Contact your Optiv client manager to inquire about our full suite of services for Palo Alto Networks Prisma Access.

Anthony Tanzi
Partner Architect-Palo Alto Networks-Strata | Optiv
Anthony Tanzi has more than 20 years’ experience in the networking and network security space. As a Partner Architect focused on Palo Alto Networks, Tanzi is responsible for Optiv’s pre-sales enablement and support to accelerate growth between Palo Alto Networks and Optiv in existing and new markets across the U.S. and Canada. This includes training and enablement of the pre-sales team as well as supporting them in pre-sales Palo Alto Networks conversations as well as assisting in proof of concepts, running Ultimate test drives, perform best practice assessments as well as being a technical sounding board for Optiv customers. Tanzi works directly with Optiv’s dedicated Palo Alto Channel SE to drive technical enablement as well as being an advocate for our customers. He is also focused on supporting Optiv’s post sale implementation team and working with marketing on Palo Alto specific campaigns.

Tanzi came to Optiv as part of the acquisition of the Philadelphia based integrator Comm Solutions in 2017. While at Comm Solutions for 10 years, Tanzi lead the Palo Alto Networks practice as a pre-sales engineer, post-sale implementation engineer, certified Palo Alto instructor as well as holding his own Palo Alto user groups and other marketing functions and support.

Tanzi is a member of Palo Alto Networks Cyberforce and was the first partner engineer to reach the highest level of “Cyberforce Hero” in the United States as well as being the first worldwide to be awarded “Ultimate Cyberforce Hero”.

Optiv Security: Secure greatness.®

Optiv is the cyber advisory and solutions leader, delivering strategic and technical expertise to nearly 6,000 companies across every major industry. We partner with organizations to advise, deploy and operate complete cybersecurity programs from strategy and managed security services to risk, integration and technology solutions. With clients at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can. At Optiv, we manage cyber risk so you can secure your full potential. For more information, visit