If you specify the same DNS server to resolve both internal and external domains, Prisma Access does not proxy the DNS request, and you can view the actual source IP address of the client that sent the DNS request. This enhancement allows you to enforce source IP address-based DNS policies or identify endpoints that communicate with malicious domains using the source IP of the DNS requests.

You can use Prisma Access to specify DNS servers to resolve both internal and public domains. If you specify an internal DNS server to resolve internal DNS domains and then specify either a public server or Prisma Access’ Cloud Default server to resolve external domains, Prisma Access proxies the requests from the remote network site. You can also specify an external DNS server that is closer to the egress points of your remote network sites than your internal DNS server, which can provide optimal connectivity for SaaS applications such as Microsoft Office 365.

Prisma Access allows you to configure two VLAN attachments for a single Clean Pipe location in an active/backup configuration for intra-zone redundancy—an enhancement to the current implementation, where you can specify two different VLAN attachments in different availability zones (inter-zone redundancy).

For Clean Pipe deployments, you can create QoS policies to define the traffic that receives QoS treatment and QoS profiles to define the classes of service, including priority, that the traffic can receive. You can define QoS based on DSCP values or zones (Trust or Untrust).

If you are hosting an internet-facing application or service in your remote network location, you can use Prisma Access to front-end that application or service and provide secure access from both internal and external users over the internet.

The Cloud Services Plugin increases multitenant support from 100 to 200 Prisma Access tenants. This gives Service Providers and large enterprises the capability to expand how they deploy and support disparate, segregated environments. For concurrent Panorama administrator login maximums, see the Prisma Access Administrator’s Guide (Panorama Managed).

To facilitate dynamic IPSec tunnel failover for BGP deployments if the on-premises devices do not use the same IP addresses for BGP peering, you can specify different BGP peer and local IP addresses for the primary and secondary (active and backup) IPSec tunnels for service connections and remote network connections.

This release adds support for Data Loss Prevention (DLP) on Prisma Access. DLP on Prisma Access uses predefined patterns, built-in settings, and options that make it easy for you to protect files that contain certain file properties (such as a document title or author), credit card numbers, regulated information from different countries (like social security numbers), and third-party DLP labels.

DLP on Prisma Access includes the following elements:

Prisma Access for Users and Prisma Access for Networks can leverage Palo Alto Networks’ Directory Sync service to retrieve user and group information for policy enforcement.

You can configure ECMP Load Balancing for remote networks with a bandwidth of 50, 100, or 150 Mbps, as well as 300 Mbps, allowing lower-bandwidth connections to increase their fault tolerance by adding up to four IPSec tunnels for a single remote network.