NetSec Platform: Prisma Access (Distributed Enforcement Architecture)
In the previous Prisma Access post, I described it as the distributed enforcement form factor within the NetSec platform - steering user and branch traffic into regional enforcement points under a unified control plane.
If you are new to the discussion, it is worth reviewing that post before continuing. This article builds on those foundations and examines how the enforcement fabric itself is constructed.
Distributed Enforcement
Distributed enforcement is not a single appliance; it is a composition of enforcement nodes, routing domains, and service insertion points.
Traffic enters the enforcement fabric through regional ingress locations.
Portal nodes perform authentication and device posture validation.
Authenticated sessions are handed to the appropriate Security-Processing Node (SPN) for inspection and enforcement.
Separating authentication from inspection preserves scale and resilience within the enforcement fabric.
Compute locations host SPNs, which perform traffic inspection and enforcement.
Customer traffic is isolated within its own tenant and dedicated SPNs, preserving logical separation within the shared service infrastructure.
The distributed enforcement fabric comprises distinct attachment points and processing roles, each optimised for specific traffic domains:
- Mobile-User Security-Processing Node (MU-SPN) - enforcement node optimised for identity-driven user traffic
- Explicit-Proxy Security-Processing Node (EP-SPN) - enforcement node for explicit proxy-based web traffic
- Remote-Network Security-Processing Node (RN-SPN) - enforcement node optimised for site-originated traffic
- Service-Connection Corporate-Access Node (SC-CAN) - controlled ingress/egress boundary for private connectivity
- ZTNA Tunnel Terminator (ZTT) - termination point for outbound-initiated application connectors

Routing is kept consistent across the distributed fabric by running BGP throughout it.
Internally, the enforcement nodes exchange routes over iBGP, so the nodes serving a tenant share a consistent view of that tenant's prefixes.
Where customer equipment peers with the service (Remote Networks or Service Connections), the session is eBGP between the customer's autonomous system and the service's, which keeps the customer's routing domain distinct from the fabric's and lets each side filter what it advertises and accepts.
Organisations may deploy one or multiple attachment points depending on the scale and complexity of their environment.
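As an added example (not a Palo Alto Networks reference configuration), here is what the customer side of that eBGP session can look like for a Remote Network, written in FRRouting syntax. Every AS number, address and prefix below is assumed for illustration; the real values come from the Remote Network onboarding in Strata Cloud Manager. The point of the example is the route policy rather than the peering itself: advertise only the branch prefixes, accept only what the service is expected to send, and cap the number of prefixes the session may install.

```text
! Customer-edge router, FRRouting (vtysh) syntax.  Added example, not a
! Palo Alto Networks reference configuration.  All values are assumptions:
!   branch LAN            192.168.10.0/24, local AS 65001
!   IPsec tunnel to RN-SPN  local 10.255.0.1, service peer 10.255.0.2
!   service-side AS       65534
!   private ranges reachable via Service Connections: 10.0.0.0/8
!
! What the branch is allowed to announce.
ip prefix-list BRANCH-LANS seq 10 permit 192.168.10.0/24
!
! What the branch is willing to learn: a default route (if internet
! egress goes through the service) and the corporate private ranges.
ip prefix-list FROM-SERVICE seq 10 permit 0.0.0.0/0
ip prefix-list FROM-SERVICE seq 20 permit 10.0.0.0/8 le 24
!
route-map TO-PRISMA permit 10
 match ip address prefix-list BRANCH-LANS
route-map TO-PRISMA deny 99
!
route-map FROM-PRISMA permit 10
 match ip address prefix-list FROM-SERVICE
route-map FROM-PRISMA deny 99
!
router bgp 65001
 bgp router-id 10.255.0.1
 neighbor 10.255.0.2 remote-as 65534
 neighbor 10.255.0.2 description prisma-access-remote-network
 neighbor 10.255.0.2 timers 10 30
 address-family ipv4 unicast
  network 192.168.10.0/24
  neighbor 10.255.0.2 route-map TO-PRISMA out
  neighbor 10.255.0.2 route-map FROM-PRISMA in
  neighbor 10.255.0.2 maximum-prefix 1000
 exit-address-family
!
```

The inbound filter and the prefix cap are the parts worth keeping even if everything else is adjusted: without them, a misconfiguration on either side of the session could inject unexpected routes into the branch, and the eBGP boundary is exactly where the customer still has the authority to refuse them.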
Control Plane
Strata Cloud Manager (SCM) is used for Prisma Access onboarding, initiating the automated workflows that deploy and configure the underlying network infrastructure.
All enforcement nodes operate under a unified control plane. Policy is:
- Defined centrally in SCM
- Distributed consistently to SPNs across regions
- Executed locally at each enforcement node
- Logged and correlated centrally for visibility and analytics
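To make the "defined centrally, distributed to SPNs" sequence concrete, here is an added example (not code from the original post or from Palo Alto Networks) of the customer-side workflow against the Strata Cloud Manager API: build a security-rule body, lint it, create it in the pre-rulebase of the Prisma Access folder, and push the candidate configuration, which is the step that distributes it to the SPNs. Endpoint paths, query parameters and the rule schema are my reading of the public SCM REST API reference and should be checked against the current documentation; the tenant id, client credentials, zone, address-object and profile-group names are placeholders, and the lint checks are this example's own guardrails rather than an SCM feature.

```python
"""Central policy definition and push via the Strata Cloud Manager (SCM) API.

Added example, not code from the original post or from Palo Alto Networks.
Endpoints, query parameters and rule fields follow the public SCM REST API
as I understood it when writing this; verify against the current reference.
Tenant id, credentials and folder names are placeholders from the environment.
"""
import base64
import json
import os
import urllib.parse
import urllib.request

AUTH_URL = "https://auth.apps.paloaltonetworks.com/oauth2/access_token"  # assumed
API_BASE = "https://api.sase.paloaltonetworks.com"                       # assumed
RULES_PATH = "/sse/config/v1/security-rules"                             # assumed
PUSH_PATH = "/sse/config/v1/config-versions/candidate:push"              # assumed
ANY = ["any"]


def build_rule(name, from_zones, to_zones, source, destination, users,
               applications, action="allow", profile_group=None, log_setting=None):
    """Return a security-rule body in the shape SCM expects (assumed schema)."""
    rule = {
        "name": name,
        "from": list(from_zones),
        "to": list(to_zones),
        "source": list(source),
        "destination": list(destination),
        "source_user": list(users),
        "application": list(applications),
        "service": ["application-default"],
        "action": action,
    }
    if profile_group:
        rule["profile_setting"] = {"group": [profile_group]}
    if log_setting:
        rule["log_setting"] = log_setting
    return rule


def lint_rule(rule):
    """Policy hygiene checks run before anything reaches the control plane.
    Returns a list of findings; empty means the rule is acceptable.
    These checks are this example's own, not an SCM feature."""
    findings = []
    wide_open = (rule["source"] == ANY and rule["destination"] == ANY
                 and rule["application"] == ANY and rule["source_user"] == ANY)
    if rule["action"] == "allow" and wide_open:
        findings.append("allow rule matches any source, user, destination and application")
    if rule["action"] == "allow" and "profile_setting" not in rule:
        findings.append("allow rule has no profile group; no threat or URL inspection is applied")
    if rule["action"] not in ("allow", "deny", "drop"):
        findings.append(f"unexpected action {rule['action']!r}")
    return findings


def rules_url(folder, position="pre"):
    """Rules live in a folder (Prisma Access, Mobile Users, Remote Networks, ...)
    and in the pre- or post-rulebase; both are query parameters (assumed)."""
    query = urllib.parse.urlencode({"folder": folder, "position": position})
    return f"{API_BASE}{RULES_PATH}?{query}"


def _post(url, body, headers):
    form = headers.get("Content-Type", "").startswith("application/x-www-form")
    data = (urllib.parse.urlencode(body) if form else json.dumps(body)).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def get_token(client_id, client_secret, tsg_id):
    """OAuth2 client-credentials grant scoped to one tenant service group (assumed flow)."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = {"grant_type": "client_credentials", "scope": f"tsg_id:{tsg_id}"}
    headers = {"Authorization": f"Basic {basic}",
               "Content-Type": "application/x-www-form-urlencoded"}
    return _post(AUTH_URL, body, headers)["access_token"]


def create_rule(token, rule, folder="Prisma Access"):
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    return _post(rules_url(folder), rule, headers)


def push_config(token, folders, description):
    """Push the candidate config; this is what distributes policy to the SPNs."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    body = {"folders": list(folders), "description": description}
    return _post(f"{API_BASE}{PUSH_PATH}", body, headers)


if __name__ == "__main__":
    # Placeholder objects: 'erp-app-servers' address group, 'corp\erp-users' group.
    rule = build_rule("mu-to-erp", ["trust"], ["trust"], ANY, ["erp-app-servers"],
                      ["corp\\erp-users"], ["ssl", "web-browsing"],
                      profile_group="best-practice", log_setting="Cortex Data Lake")
    problems = lint_rule(rule)
    if problems:
        raise SystemExit("rule rejected: " + "; ".join(problems))
    needed = ("SCM_CLIENT_ID", "SCM_CLIENT_SECRET", "SCM_TSG_ID")
    if all(k in os.environ for k in needed):
        tok = get_token(*(os.environ[k] for k in needed))
        print(create_rule(tok, rule))
        print(push_config(tok, ["Prisma Access"], "add mu-to-erp rule"))
    else:
        print("no credentials in environment; built and linted rule only:")
        print(json.dumps(rule, indent=2))
```

The lint step is where the "define once" model earns its keep: a rule that passes a review at the control plane is the rule every region executes, so a wide-open allow or a rule with no security profiles is not a local mistake on one node but a fabric-wide one. Run the script without credentials to see the rule body it would submit; with credentials it creates the rule and pushes the candidate configuration.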

Shared Responsibility
Because Prisma Access is delivered as a managed service, the distributed enforcement fabric is maintained and operated by Palo Alto Networks rather than deployed as customer-owned appliances.
This includes the underlying service infrastructure that connects regional ingress and compute locations, as well as the orchestration systems that provision and scale enforcement components.
Customers do not deploy or manage individual appliances. They define policy in the control plane and onboard users, locations, and applications.
Provider Responsibilities:
- Regional infrastructure lifecycle
- Maintaining inspection engines and content
- Capacity scaling and elasticity
- High availability design
- Platform upgrades and patching
- Core service integrity
- Securing the underlying cloud platform
Customer Responsibilities:
- Defining and maintaining security policy
- Onboarding users, branches, and private connectivity
- Design of access patterns and application segmentation
- Identity integration
- Monitoring and responding to security events
Governance and policy authority remain with the customer, while operational responsibility for the infrastructure shifts to the service provider (Palo Alto Networks).
Prisma Access is not a collection of independent nodes. It is a coordinated enforcement fabric operating across regions, governed centrally and executed locally.
Users, branches, and private applications all attach to the same distributed system. Policy is defined once and enforcement is applied consistently. This is what enables scale without fragmenting security.