Palo Alto Prisma Review and Alternatives

Palo Alto Prisma is a software-defined wide area network system (SD-WAN). An SD-WAN gives you the privacy of a private network even though large stretches of the connections between devices are transported on the public medium of the internet.

What is an SD-WAN

The easiest way to conceptualize an SD-WAN is to compare it to a VPN. While a VPN provides connection security and privacy over the internet for an individual device connecting to a network, an SD-WAN implements the same strategy to connect distant LANs. That remote computer included in a LAN through a VPN is replaced by a remote gateway that provides access to a whole network of computers in the SD-WAN system.

The two vital features are connection security and IP address management.

About Palo Alto Networks

Palo Alto Networks started up operations in 2005 and produced its first product in 2007. That was claimed to be the world’s first next-generation firewall (NGFW). Today, the firewall is still the main product of Palo Alto Networks. The company’s products run in network appliances, virtual appliances, and cloud services.

The company’s founder, Nir Zuk, had emigrated from Israel, where, since the age of 16, he had been closely involved in malware software. Zuk started out writing viruses and then forged a career in cyber security, creating the first stateful firewall for Check Point. Zuk is still involved with the company and is its Chief Technical Officer.

The move to supply security software from the Cloud has allowed Palo Alto to implement other network security systems, such as Prisma, an SD-WAN.

How does an SD-WAN work?

A traditional method for managing the connections between WAN sites is to lease a line between two locations. SD-WANs remove that fixed cost by establishing a tunnel between two sites. “Tunneling” is used for virtual private networks (VPNs). It expresses a connection that is protected by encryption. All packets that pass between the two sites are encrypted entirely, including the packet header. That encryption renders the routing information in the header useless.

In tunneling, all transmissions during a session are packaged inside outer packets, which is a process called “encapsulation”. The outer packet is always addressed to the SD-WAN server. This removes the outer packet, decrypts it, and then sends it to the destination network’s gateway. This stretch is another tunnel with a different outer packet structure. The inner packet is again encrypted entirely.

An SD-WAN creates a VPN link to each site. The SD-WAN server acts as a switch between locations and enforces transmission security on packets that run through it.

When an SD-WAN is operating, all of the traffic for each site goes through the SD-WAN server. Therefore, the individual site gateway can’t put traffic directly onto the Internet – that traffic still goes to the SD_WAN server, which manages external connections for all protected endpoints.

How does Palo Alto Prisma work?

Palo Alto has implemented a system in its firewalls called SSL offloading. This is practiced by the Palo Alto stable of firewalls no matter where they are based. SSL offloading is necessary for next-generation firewalls because those security systems inspect the contents of packets passing in and out of the network. This connect inspection is the defining characteristic of stateful firewalls, which Nir Zuk invented.

These days, just about all internet traffic is encrypted before sending out. As firewalls operate on the gateway of a network, that encryption would block content inspection. The encryption key is usually established between the local application and the remote Web server. For example, when connecting over HTTPS, the Web browser negotiates authentication and a suitable encryption key with the Web server.

With Palo Alto products, including the SD-WAN, all local activities regarding content encryption are operated by the firewall, or in the case of the SD-WAN, by the Prisma server.

With a Palo Alto firewall, that service will scan outgoing packet contents, enabling it to implement data loss prevention.  The firewall establishes a session with the remote Web server, authenticates, and then acts as the endpoint for encryption. This is the strategy hackers use in a “man in the middle” attack. As it holds the encryption key, the firewall can decrypt all incoming packets and inspect their contents before forwarding them to the local application involved in the connection.

Move the Palo Alto firewall to the Cloud, and there needs to be a VPN connection between the site and the Firewall-as-a-Service server. Still, the firewall is responsible for establishing encryption keys with remote servers.

The Palo Alto Prisma service represents many sites. Therefore, it only needs to implement SSL encryption for packets leaving the Prisma server to other servers across the internet that are not involved in the SD-WAN network. As the server-to-site VPNs protect all packets being routed from one site to another, there is no need for the Prisma system to impose content security on internal traffic.

Palo Alto Prisma operations

Palo Alto Networks explains that its products operate at the Application Layer, or Layer 7. This refers to the stratification of network protocols seen in the Open System Interconnection (OSI) model.

Ordinarily, firewalls and gateways operate at the Network Layer (Layer 3). However, by taking responsibility for the SSL encryption, the Palo Alto product becomes included in the management of connections and, in the case of interactive applications, such as VoIP, the organization of data movements. That makes it a package component that delivers the user-facing presentation and, therefore, an Application Layer system. Here’s how the different elements of Palo Alto Prisma operate.

Connection security

The core of the Palo Alto system is its connection security service. As explained above, if you shatter the Prisma machine into its component parts, you have a VPN connecting each site to the Prisma server. Then SSL offloading on the Prisma system for internet-destined traffic.

Each VPN needs a client on the local system to break the components down even further. This implements all network routings for traffic destined for external destinations – it controls access to the network card.

The local agent has one job: to channel all communications through to the Prisma server, no matter what actual destination is nominated in the header of the local packet. The Prisma server takes all routing decisions. WAN traffic is forwarded down the appropriate tunnel, and internet traffic gets SSL session protection, negotiated with the destination server.

IP address management

In any network, local routers direct traffic between endpoints. Packets are only sent to the gateway for internet transmission. In the SD-WAN scenario, each site is a subnet. The controlling SD-WAN IP address manager limits the range of IP addresses used on each site to a specific subnet address range. Thus, there can be no clash in addresses when all sites operate as part of a single virtual network.

The central console for the Prisma system is the only place on the virtual network that has an overview of all addressing activities. However, as long as local nodes operate their IP address management within their given address pool, there is no need for the Prisma system to get into each LAN to implement IP address management.

Traffic monitoring

The local agent for Prisma is usually installed on the gateway device. However, its visibility is not limited to traffic routed through it. All network monitors operate in what is known as “promiscuous mode”. Ordinarily, a network card only spicks up traffic addressed to it, so the device it serves can only see those packets. However, the network card picks up all passing packets in promiscuous mode.

Network monitoring software operates on an endpoint with its network card in promiscuous mode and performs analysis on all packets traveling around the network. With Prisma, the local agent operates as a network monitor and uploads its traffic analysis data to the Prisma server.

Prisma consolidates locally gathered traffic data to give an overview of WAN activity. Then, adding statistics on its activity, Prisma can provide a complete view of the managed WAN. Users can then drill down on data in different dimensions, looking at traffic per site or slicing traffic data by endpoint or protocol.

Expanding the Prisma SD-WAN

The Prisma service was a logical evolution on the Palo Alto firewall strategy, and you will wonder whether this system is also a firewall. The basic SD-WAN service only provides site-to-site security and SSL protection for external traffic. You can choose to subscribe to Prisma with the FWaaS elements activated – this is a different product called Prisma Access. The Prisma Access package is a Security Access Service Edge (SASE) system.

While the SD-WAN can implement network monitoring, the SASE can apply corporate security policies to all WAN traffic. This requires more power from the local agents, which need to catch suspicious activity on the local network. The Prisma SASE service operates at two levels – on the local network and the cloud-based WAN’s hub.

One way of looking at the two Palo Alto services is that Prisma Access is Prisma SD-WAN plus the Palo Alto NGFW. Another way of expressing the difference between these products is that Prisma SD-WAN is Prisma Access with the firewall module turned off.

Palo Alto Prisma SD-WAN prices

Palo Alto doesn’t publish its price list. To start your inquiries and identify whether the Prisma SD-WAN or Prisma Access is right for your business, you can join a demo session, which Palo Alto terms as a test drive. Sign up for the Prisma Access demo, which covers both products.

Palo Alto Prisma SD-WAN strengths and weaknesses

After examining Palo Alto SD-WAN, we identified several good points and bad points related to this product.


  • An efficient way to unify multiple site networks
  • Low load on local servers
  • Centralizes responsibility for SSL security
  • Provides a central network monitoring dashboard
  • Offers a good option for global businesses


  • Not suitable for small businesses

Alternatives to Palo Alto Prisma SD-WAN

While the Prisma SD-WAN is an excellent system, it’s hard to see why it wouldn’t just be better to get the full Prisma Access SASE service and benefit from Palo Alto’s perfect firewall system.

There are other SD-WAN services available on the market, and it is always a good idea to compare several services before buying any new system. This is also a good idea so that you can get a complete comprehension of how the Prisma service compares to its rivals. You could get a good rundown of some of the leading rivals to Palo Alto Prisma SD-WAN in the Best SD-WAN Vendors & Solutions. However, the top products in that review are summarized here.

Here is our list of the five best alternatives to Palo Alto SD-WAN:

  1. VMWare SD-WAN VMWare is the world’s leading provider for server virtualization, and this SD-WAN is a network implementation that builds on the company’s virtualization expertise. Like Palo Alto Prisma, The VMWare SASE is offered as a full service or an SD-WAN, which is the SASE without the firewall. As a result, this package is a better choice than Palo Alto if you also need to include home-based staff in your WAN.
  2. Citrix SD-WAN This SD-WAN is the product of another primary hypervisor provider. It is implemented as a SaaS or service from the marketplaces on Azure, AWS, and Google Cloud. In addition, Citrix adds in traffic management capabilities, such as QoS for VoIP. It also offers a failover service, and Citrix provides a version for MSPs.
  3. FortiGate SD-WAN This is a very close rival to Prisma because Fortinet is mainly a firewall provider. This package is a Secure SD-WAN, which means it is a SASE. You can deploy this system as a physical appliance, a virtual appliance, or a SaaS package.
  4. Aruba EdgeConnect This is purely an SD-WAN system rather than a SASE. However, all inter-site traffic over the internet is protected. The central server runs on one of your sites either as a physical appliance or as a virtual appliance.
  5. Aryaka Networks This option is different from the others on this list because it is a managed service. The provider offers a range of WAN management options, including an SD-WAN system. Aryaka technicians run the entire network.