Security incident on record — CVE-2024-3400 (GlobalProtect zero-day, April 2024) — affected PAN-OS firewalls not Prisma SaaS; patched promptly
▪ Editorial verdict
Palo Alto Prisma Access delivers the strongest device posture enforcement in the ZTNA category through HIP profiles that provide the most granular endpoint health checks available, combined with Cortex XDR real-time threat context. For organisations already running Palo Alto NGFW and Cortex XDR, the unified security context across network, endpoint, and access is a compelling operational advantage.
The deployment complexity and GlobalProtect client overhead are the most frequently noted limitations. Palo Alto Prisma Access requires dedicated Palo Alto expertise and the user experience is less seamless than Cloudflare or Zscaler for end users without Palo Alto technical background.
The verdict: Palo Alto Prisma Access is right for enterprises already in the Palo Alto ecosystem wanting ZTNA integrated with NGFW and endpoint security. Organisations without existing Palo Alto investment should evaluate Zscaler ZPA or Cloudflare Zero Trust.
Strong app-level access control with NGFW-grade inspection. Scored 4 because the most comprehensive access policy depth, though complexity requires dedicated Palo Alto expertise.
Sources: Palo Alto Prisma Access documentation
Device posture checks
5 / 5
GlobalProtect agent collects comprehensive device posture signals and enforces pre-login and post-login policies. Scored 5 because posture integration with CrowdStrike, SentinelOne, and MDM is the most mature.
Sources: Palo Alto documentation
OPERATIONSStrong
UX vs VPN
3 / 5
Scored 3 because GlobalProtect agent is heavier than Cloudflare WARP or Zscaler, and some reviewers note latency on first connection. The experience improves significantly with proper PoP selection.
Sources: G2 reviews
IAM & MFA integration
5 / 5
Integrates with Okta, Azure AD, Ping, and all major IdPs. Scored 5 because NGFW-grade access policy combined with IdP integration is the strongest multi-signal policy engine.
Sources: Palo Alto documentation
ANALYTICSStrong
Access & activity logs
4 / 5
Comprehensive logging via Cortex Data Lake. Scored 4 because full logging requires Cortex subscription.
Sources: Palo Alto documentation
TRUST & ECOSYSTEMStrong
Deployment flexibility
4 / 5
SaaS-only (Prisma Access) or on-premises (Panorama managed). Scored 4 for hybrid deployment option.
Sources: Palo Alto documentation
Strongest: Device posture checks
Watch out for: UX vs VPN
Strengths & limitations
Strengths
●Unified single-vendor SASE combining NGFW heritage with SSE
●Broadest inspection and DLP capabilities of any ZTNA/SSE vendor
●Deep ecosystem — integrates with Cortex XDR and Prisma Cloud
Watch out for
●Most expensive ZTNA platform — per-feature licensing adds up
●Steep admin learning curve; requires PA expertise
●Performance concerns when all inspection features enabled
Best for
Enterprises consolidating SD-WAN and SSE on single vendor already invested in Palo Alto Strata firewalls.
Not suitable for: SMBs — most expensive ZTNA/SASE; minimum 250 users