To allow you to adhere to data sovereignty and residency laws as well as established data protection and privacy regulations, Prisma Access will support the use of the WildFire Canada cloud for Prisma Access (ca.wildfire.paloaltonetworks.com).

Prisma Access automatically assigns the WildFire Canada region for any remote network connections or mobile user locations that are in the Canada East and Canada Central locations.

To allow better regional coverage for Strata Logging Service, you can now select from the following additional Strata Logging Service theaters:

If you have a Prisma Access for Users license, you can quickly resolve mobile user connection, performance, and access issues by having GlobalProtect users generate and send an easy to read, comprehensive report from the end user’s endpoint to Strata Logging Service for further analysis.

For Prisma Access 2.0 Preferred, you are required to use CLI to set up a client certificate to be used between the GlobalProtect app and Strata Logging Service. See Set Up GlobalProtect Connectivity to Strata Logging Service for details.

To allow you to integrate your organization’s cloud directory with Prisma Access, you can activate and use your Directory Sync instance with Azure Active Directory.

Prisma Access removes the requirements to have a symmetric network path for the traffic returning from the data center. Asymmetric flows will be allowed through the Prisma Access backbone. This removal allows you to configure ECMP or any other load balancing mechanism for service connections to your CPE.

This capability is not enabled by default; to enable it, change the Backbone Routing options in your service setup settings.

(New if upgrading from the Cloud Services plugin 1.7) You allocate bandwidth for remote networks at an aggregate level per compute location.

The aggregate bandwidth model is available for all new Prisma Access deployments starting with the Cloud Services plugin 1.8 version and for existing deployments that have not had any remote networks onboarded before the release of the 1.8 plugin on November 17, 2020.

If you have a deployment using the Cloud Services plugin 1.7 with remote networks onboarded and you then upgrade to the Cloud Services Plugin 2.0 Preferred version, this model does not apply and you still apply bandwidth per location. If you upgrade to the Cloud Services Plugin 2.0 Innovation version, you can choose to allocate bandwidth by location or by compute location.

All locations you onboard share the allocated bandwidth for that compute location. For example, you need to onboard four branch offices using remote networks in the Singapore, Thailand, and Vietnam locations. All these locations map to the Asia Southeast compute location. If you allocate 200 Mbps bandwidth to the Asia Southeast compute location, Prisma Access divides the 200 Mbps of bandwidth between the four branch offices you onboarded in that location. If you also add a location in Hong Kong, Hong Kong maps to the Hong Kong compute location, and you would need to add bandwidth to that compute location. Specify a minimum bandwidth of 50 Mbps per compute location.

If one or more sites are not using a large amount of bandwidth, Prisma Access makes the remaining bandwidth available to other sites in that compute location.

(New if upgrading from the Cloud Services plugin 1.7) Prisma Access introduces an enhancement to the API you use to retrieve IP addresses that allows you to reserve gateway and portal IP addresses for mobile user locations ahead of time, before you enable them. This ability lets you add the mobile user egress IP addresses to your organization’s allow lists before you onboard the locations, which in turn gives mobile users access to external SaaS apps immediately after you onboard the locations.

The API response also includes the public IP pool subnets that are the source for the egress IP addresses for the requested locations.The gateway and portal addresses of any locations you add will be a part of this subnet. Adding the subnets to your allow lists provides for future location additions without allow list modification and is beneficial if your organization’s allow list size is limited.

The IP addresses and subnets are valid for 90 days after you retrieve them and expire after the validity period if you do not use them.

(New if upgrading from the Cloud Services plugin 1.7) Prisma Access offers the following enhancements to traffic steering:

(New if upgrading from the Cloud Services plugin 1.7) Prisma Access increases its maximum fully-supported remote network bandwidth from 300 Mbps to 500 Mbps, and 500 Mbps is now supported with SSL decryption.

(New if upgrading from the Cloud Services plugin 1.7) Prisma Access supports custom and scheduled reports from the Panorama that manages Prisma Access.

The ability to run custom and scheduled reports requires a minimum Panorama version of 10.0.2.

(New if upgrading from the Cloud Services plugin 1.7) To optimize performance and improve latency, Prisma Access adds a new compute location in Japan and also changes the mapping of the following locations:

If you add the locations after your organization installs the Cloud Services 2.0 plugin Preferred or Innovation, Prisma Access associates the new compute locations automatically.

If you are upgrading from the Cloud Services plugin 2.0 Preferred or Innovation and you have already onboarded these locations, complete the following steps to take advantage of the new compute location:

Since you need to allow time to delete and add the existing location and change your allow lists, Palo Alto Networks recommends that you schedule a compute location change during a maintenance window or during off-peak hours.

(New if upgrading from the Cloud Services plugin 1.7) Prisma Access will offer the following enhancements to assist you when sharing public address space externally and internally with private apps: