Minimum Required Prisma Access Version 5.1 Preferred or
Innovation
The following table details the changes in default behavior for the Cloud Services plugin
version 5.1 and 5.1.1.
Component
Change
Set GlobalProtect App Version in Prisma Access Global
Settings
Starting with Prisma Access 5.1.1, you must set the
GlobalProtect App version in Prisma Access. If you do not set the
GlobalProtect version, you will be prompted to upgrade the GlobalProtect
version every time a new version is released.
To set the
GlobalProtect version:
Prisma Access (Managed by Strata Cloud Manager) Deployments: From Strata Cloud Manager, go to WorkflowsPrisma Access SetupGlobalProtectGlobalProtect App, click the gear to edit the
GlobalProtect App Settings, and
select the GlobalProtect App Version.
Prisma Access (Managed by Panorama) Deployments: From Panorama, go
to PanoramaCloud ServicesConfigurationService SetupGlobalProtect App Activation and make sure that you have selected an
Active GlobalProtect App version and,
if you haven't, Activate new GlobalProtect app
version.
Remapped Prisma Access Locations
To better optimize the performance of Prisma Access, the
following locations have been remapped to the following compute
locations:
The South Africa Central location is remapped to the
South Africa Central compute location.
The Canada West location is remapped to the Calgary West
(Calgary) compute location.
New deployments have the new remapping applied automatically. If
you have an existing Prisma Access deployment that uses one of these
locations and you want to take advantage of the remapped compute
location, follow the procedure to add a new compute location to a
deployed Prisma Access location.
Upgrade Considerations for the PAN-OS 11.2
If you choose to have Palo Alto Networks upgrade your dataplane to
PAN-OS 11.2, make sure that you're aware of the following changes and
upgrade considerations before you schedule the upgrade:
FQDNs Substituted for Service IP Addresses for Service Connections
and Remote Network Connections (Panorama Managed Deployments
Only)
For new Prisma Access (Managed by Panorama) deployments, when you onboard a new
service connection or remote network connection, Prisma Access provides
you with an FQDN instead of a Service
IP Address as the peer IP address. If you need to use an
IP address for the other side of the service connection or remote
network connection instead of the FQDN, you can find the Service IP
Address under PanoramaCloud ServicesConfigurationService SetupService OperationsServiceability CommandsService IP Address.
Troubleshooting Commands Renamed to Serviceability Commands
(Panorama Managed Deployments Only)
The Troubleshooting Commands area in Panorama
Managed Prisma Access (PanoramaCloud ServicesConfigurationService SetupService OperationsTroubleshooting Commands) has been renamed to Serviceability
Commands (PanoramaCloud ServicesConfigurationService SetupService OperationsServiceability Commands).
swg-known-auth-bypass User in Explicit Proxy
Deployments
For the domains bypassed for authentication in Explicit Proxy, users
will be tracked as swg-known-auth-bypass instead of unknown
user, which was used previously. Ensure that security policy
rules for those authentication bypassed domains allow
swg-known-auth-bypass or pre-defined "Known-Users".
IP Address Consolidation for Deployments that Have Migrated to IP
Optimization
If you have an existing Prisma Access that has had one or more
regions migrated to IP Optimization and are
using Prisma Access Allow
listing, some IP addresses that you have allow listed
have moved from the Allocated Egress IP
addresses area to the Allocated Ingress
IP addresses area in the Prisma Access UI.
This change is a result of IP address consolidation as a part of the
Prisma Access 5.2.1 infrastructure upgrade. Your networks can still
reach these IP addresses and you no longer have to allow list them.