Features in Prisma Access 3.2 and 3.2.1
This section lists the new features that are available
in Prisma Access 3.2, including Prisma Access 3.2.1, along with
upgrade information and considerations if you are upgrading from
a previous Prisma Access version.
- Cloud Services Plugin 3.2 and 3.2.1
- Upgrade Considerations for 3.2 and 3.2.1 Prisma Access Releases
- Minimum Required Software Versions
- New Features—Prisma Access 3.2.1 Preferred
- New Features—Prisma Access 3.2.1 Innovation
- New Features—Prisma Access 3.2 Preferred
- New Features—Prisma Access 3.2 Innovation
Cloud Services Plugin 3.2 and 3.2.1
Prisma Access 3.2 (including Prisma Access 3.2.1) uses
a single Cloud Services plugin for both the Preferred and Innovation
releases, which simplifies operations because you no longer install a
separate plugin for each release type.
By default, the plugin will run the Preferred release. To upgrade
to an Innovation release, reach out to your Palo Alto Networks account
representative and submit a request.
Upgrade Considerations for 3.2 and 3.2.1 Prisma Access Releases
To upgrade to Prisma Access 3.2 or 3.2.1 Preferred,
use one of the following upgrade paths.
To find your plugin version, select Panorama > Cloud Services > Configuration > Service Setup in
Panorama and check the plugin version in the Plugin Alert area.
Installed Cloud Services Plugin Version | Targeted 3.2 Version | Upgrade Path |
---|---|---|
Releases earlier than 2.2 Preferred | 3.2 or 3.2.1 Preferred | |
2.2 Preferred | 3.2 or 3.2.1 Preferred | Direct upgrades from Prisma Access 2.2 to 3.2 are not supported. |
All Prisma Access Releases | 3.2 or 3.2.1 Innovation | To upgrade to 3.2 or 3.2.1 Innovation, reach out to your Palo Alto Networks account representative and submit a request. The request will be reviewed internally and, if approved, your deployment will be upgraded to 3.2 or 3.2.1 Innovation. |
Minimum Required Software Versions
Minimum Required Panorama Versions—For the minimum
Panorama versions that are supported for use with Panorama Managed Prisma
Access 3.2, see Prisma Access and Panorama Version
Compatibility in the Palo Alto Networks Compatibility
Matrix.
Minimum Required GlobalProtect Versions—Prisma Access supports any GlobalProtect version
that is not End-of-Life (EoL). The GlobalProtect
versions apply to both Panorama and Cloud Managed versions of Prisma Access.
New Features—Prisma Access 3.2.1 Preferred
The following features are added for Prisma Access 3.2.1
Preferred and Innovation. To find the new features for Cloud Managed
Prisma Access, see the new features list in the Prisma Access Release Notes (Cloud
Managed).
Feature | Description |
---|---|
Dual Authentication Portal Support for Mobile Users—GlobalProtect Deployments | You can configure two Mobile Users—GlobalProtect portals in Prisma Access, with each portal supporting a different authentication method on a single Prisma Access tenant (for example, one portal configured for RADIUS authentication and one portal configured for SAML authentication). This functionality requires an upgrade to a specific Preferred PAN-OS dataplane. To enable this feature, reach out to your Palo Alto Networks account representative or partner, who will contact the SRE team and submit a request to upgrade your dataplane. |
Licensing Enhancements (Additional Mobile User locations and Service Connections) | The following Prisma Access license enhancements are added: |
Prisma Access Explicit Proxy License Enhancements | You can use the same Mobile Users license for both Explicit Proxy and GlobalProtect, and when you provision one mobile user license unit, you can enable GlobalProtect, Explicit Proxy, or both for a single user. This enhancement eliminates the need to purchase additional quantities of mobile user units to support use cases where both Explicit Proxy and GlobalProtect are needed for the same user. See Prisma Access 3.2.1 Mobile User Licensing Change Examples for licensing examples. |
New Prisma Access Compute Locations: Middle-East West and Europe Northwest (Paris) | To better optimize performance of Prisma Access, the following compute locations have been added and the following locations have been remapped to those new compute locations: New deployments have the new remapping applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location. |
Populate User Group Names in Security Policy Rules Using the Cloud Identity Engine | You can configure the Cloud Identity Engine in Panorama Managed Prisma Access deployments to populate groups in security policy rules, allowing you to use either the Cloud Identity Engine or a Master Device to perform this action. If you use a Master Device to make user and group information selectable in security policies, that functionality is unaffected. |
Multi-Tenant Prisma Access Support for Cloud Identity Engine Directory Group Sync | Enable Directory Group Sync for a multi-tenant Panorama Managed Prisma Access deployment using the Cloud Identity Engine. To enable this feature, reach out to your Palo Alto Networks representative. |
New Strata Logging Service Region: Switzerland | A new region, Switzerland, is added to Strata Logging Service. |
API to Simplify Remote Network Automation | An XML API is provided to simplify connectivity from third-party SD-WAN devices and CPEs to Prisma Access for Remote Networks. You provide the bandwidth and the latitude and longitude of the SD-WAN device in the XML API; Prisma Access responds with the name of the IPSec termination node and the compute location to use for the SD-WAN device. |
Terminal Server Agent Support | Prisma Access supports the Palo Alto Networks Terminal Server (TS) Agent for the following platforms: |
Explicit Proxy Support for Office 365 Client Apps | In addition to browser-based Office 365 support, you can now forward O365 client application traffic through the Prisma Access Explicit Proxy Connect method. |
New Features—Prisma Access 3.2.1 Innovation
Version 3.2 Innovation includes all the features
in 3.2.1 Preferred and adds the following features.
Feature | Description |
---|---|
Regional Private IP Address Pools for Mobile Users—GlobalProtect | To allow you to be more granular in your Mobile Users—GlobalProtect IP address pool allocation, you can specify granular IP pools for the locations that are available with the feature, as well as Worldwide or per Prisma Access theater. |
Cloud Identity Engine Multiple Authentication Mode Support | To simplify the process of identifying and authenticating users, Prisma Access supports Cloud Identity Engine authentication using certificate-based authentication in addition to multiple SAML 2.0-based identity providers in a single authentication profile. It now also supports group-based authentication so that you can specify different authentication types for particular groups or directories. This helps ensure that users experience a smooth login process regardless of the method they use to authenticate and makes it easier to deploy identity-based security policy. For Prisma Access Explicit Proxy deployments, multiple authentication mode is supported for SAML authentication only. |
Web Proxy Support | If your network uses a proxy device for security, you can now leverage the same level of protection using the on-premises web proxy capability that is available with PAN-OS 11.0. The web proxy feature enables additional options for migrating from an existing web proxy architecture to a simple unified management console. Using the web proxy feature with Prisma Access provides a seamless method for migrating, deploying, and maintaining secure web gateway (SWG) configurations from an easy-to-use and simplified interface. Web proxy helps during the transition from on-premises to the cloud with no loss of security or efficiency. Web proxy requires Panorama version 11.0. |
Advanced Threat Prevention Inline Cloud Analysis Support for Explicit Proxy | Explicit Proxy adds Advanced Threat Prevention Inline Cloud Analysis support, which adds a series of ML-based detection engines in the Advanced Threat Prevention cloud that analyze traffic for advanced C2 (command-and-control) and spyware threats in real time to protect users against zero-day threats. Because the detection engines run in the cloud, you get a wide array of detection mechanisms that are updated and deployed automatically, without requiring you to download update packages or operate resource-intensive analyzers. |
Advanced URL Filtering Inline Deep Learning Analysis Support for Explicit Proxy | Advanced URL Filtering provides best-in-class web protection for the modern enterprise and stops unknown web-based attacks in real time to prevent patient-zero web threats. Advanced URL Filtering combines Palo Alto Networks’ malicious URL database capabilities with the industry’s first real-time web protection engine powered by machine learning (ML). Advanced URL Filtering Inline adds a series of inline cloud-based deep learning detectors that evaluate suspicious web page contents in real time. |
Commit Job Status via XML API for Multi-Tenant | An operational XML API is provided to retrieve the commit job status for multi-tenant Panorama Managed Prisma Access deployments. To retrieve the job status using a curl command, enter the following command and API parameters: `curl -k 'https://<a.b.c.d>//api/?type=op&cmd=<request><plugins><cloud_services><prisma-access><multi-tenant><tenant-name><entry%20name="<tenant_name>"></entry></tenant-name><request-job-result><jobid><job_id></jobid></request-job-result></multi-tenant></prisma-access></cloud_services></plugins></request>&key=<key>'` Where: |
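The commit-job-status request above, scripted in Python as an added example (this is not Palo Alto Networks code, and the host, tenant name, job id and API key are placeholders). It builds the same op command the curl line sends, percent-encodes the query string, and reads the generic PAN-OS XML API envelope; the layout of the job result inside `<result>` is not shown on this page, so it is returned as-is rather than interpreted.

```python
# Added example (not from the Prisma Access docs): build the multi-tenant
# commit-job-status op request shown above and parse the XML reply.
# Host, tenant name, job id and API key below are placeholders.
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape


def build_job_status_cmd(tenant_name: str, job_id: str) -> str:
    """Op command with the same element nesting as the curl command above."""
    name = escape(tenant_name, {'"': "&quot;"})  # keep the attribute well-formed
    return (
        "<request><plugins><cloud_services><prisma-access><multi-tenant>"
        f'<tenant-name><entry name="{name}"></entry></tenant-name>'
        f"<request-job-result><jobid>{escape(job_id)}</jobid></request-job-result>"
        "</multi-tenant></prisma-access></cloud_services></plugins></request>"
    )


def build_job_status_url(host: str, tenant_name: str, job_id: str, api_key: str) -> str:
    """Percent-encode type, cmd and key into the query string: the XML holds
    characters (<, >, ", =) that are unsafe raw in a URL, and the key is a credential."""
    query = urllib.parse.urlencode(
        {"type": "op", "cmd": build_job_status_cmd(tenant_name, job_id), "key": api_key}
    )
    return f"https://{host}/api/?{query}"


def parse_response(xml_text: str) -> dict:
    """Read the generic PAN-OS API envelope <response status="success|error">.
    The job result layout inside <result> is not documented on this page, so the
    element is handed back for the caller to inspect."""
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError(f"unexpected root element {root.tag!r}")
    msg = root.find("msg")
    return {
        "status": root.get("status", "unknown"),
        "message": "".join(msg.itertext()).strip() if msg is not None else "",
        "result": root.find("result"),
    }


def fetch_job_status(url: str, cafile=None) -> dict:
    """Perform the request. Pass the Panorama CA certificate as cafile instead of
    reproducing curl's -k, so the API key is never sent to an unverified peer."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=30) as resp:
        return parse_response(resp.read().decode("utf-8"))


if __name__ == "__main__":
    url = build_job_status_url("panorama.example.com", "tenant1", "1234", "<key>")
    print(url)  # then: fetch_job_status(url, cafile="panorama-ca.pem") against a real Panorama
```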
New Features—Prisma Access 3.2 Preferred
The following table describes the new features that
are available with Prisma Access 3.2 Preferred.
Feature | Description |
---|---|
SaaS Security Posture Management (SSPM) | SSPM is a new product in the SaaS Security offering that helps find and fix misconfigured settings on supported SaaS apps, along with other features to ensure proper security posture, all from one unified cloud management console. |
Suspicious User Activity | Suspicious User Activity with SaaS Security API is an out-of-the-box policy-based detection of user activity by User, App, and Risk scenarios. |
Autonomous Digital Experience Management Self Serve | Autonomous Digital Experience Management (Autonomous DEM) empowers end users to resolve application experience issues that fall into their purview without consulting IT. ADEM Self Serve reduces ticket load and improves the experience of end users by helping them quickly resolve the following issues: |
Prisma SASE Platform | SASE Portal (https://sase.paloaltonetworks.com) is a single location to access and manage Secure Access Service Edge (SASE) products and services for enterprises and service providers (SPs). The key capabilities are as follows: |
Simplified Activation and Subscription Management | You can now use a completely new and revamped user-friendly workflow to activate and manage all your Prisma Access subscriptions in one place. With this update, Palo Alto Networks optimizes the activation flow, significantly reducing the activation time and providing contextual information that can reduce human errors during activation. The updates include the following workflows: |
DNS Security Enhancements | Prisma Access deployments now extend protection for the latest DNS-based attack techniques, including strategically aged domains, making it the most comprehensive DNS security solution available. |
1 Gbps Maximum Bandwidth Support for Remote Network IPSec Termination Nodes | The maximum bandwidth that Prisma Access can allocate to IPSec termination nodes for remote network deployments is increasing from 500 Mbps to 1000 Mbps. This change allows you to allocate more bandwidth to remote networks. To make this increase effective, you must allocate a minimum of 501 Mbps to the compute locations associated with the IPSec termination nodes. See Changes to Default Behavior for details. While bandwidth enforcement is not currently applied, Prisma Access reserves the right to enforce the allocated bandwidth when consumption exceeds the allocation. You will be notified prior to applying the enforcement. This functionality is supported for Panorama Managed deployments only. If you are upgrading from an earlier Cloud Services plugin version, you must perform a Commit and Push before installing the 3.2 plugin and perform a Push to Devices after installing the plugin to implement this change. |
Simplified SASE Consumption Model with Prisma Access SD-WAN Add-On | Palo Alto Networks is introducing Prisma SD-WAN as a simple add-on solution to Prisma Access, allowing customers to get best-in-class security and SD-WAN in an effortless, consumable model. With the Prisma SD-WAN add-on to Prisma Access, you get the most comprehensive SASE solution, which enables aggregation of bandwidth across all branch locations, provides ease of activation via a single link for all SASE services (including SD-WAN), and gives you the flexibility to easily add services as needed from a unified management console. |
New Prisma Access Locations | To better accommodate worldwide deployments and provide enhanced local coverage, the following new locations have been added, which map to the following compute locations: |
New and Renamed Prisma Access Compute Locations and Remapped Locations | To better optimize performance of Prisma Access, the following new compute locations are added and the following locations are remapped to the new compute locations: In addition, the existing Asia Southeast compute location is renamed Asia Southeast (Singapore). New deployments have the new remapping applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location. |
Terminal Server (TS) Agent Support | Prisma Access supports the Palo Alto Networks Terminal Server (TS) Agent for the following platforms: A maximum of 400 TS Agents are supported. |
Disable Logging for Service Connections | This functionality allows the Palo Alto Networks Site Reliability Engineering (SRE) team to disable logging on the service connections for your Prisma Access deployment. If the majority of the traffic flows logged by the service connections are asymmetric, disabling service connection logging might be required to reduce the consumption of Strata Logging Service storage. If your deployment does not have asymmetric flows via the service connections, you do not need to disable logging. To disable logging for service connections, reach out to your Palo Alto Networks account representative or partner, who will contact the SRE team and submit a request. |
New Features—Prisma Access 3.2 Innovation
Version 3.2 Innovation includes all the features
in 3.2 Preferred and adds the following features.
Feature | Description |
---|---|
Next-Generation CASB-X for Prisma Access and Next-Generation Firewalls | The Next-Generation Cloud Access Security Broker (CASB-X) is a new SKU that contains all the CASB components, such as SaaS Security Inline, SaaS Security API, SaaS Security Posture Management (SSPM), and Enterprise DLP API. It can be applied on Cloud Managed Prisma Access, Panorama Managed Prisma Access, and Panorama Managed Next-Generation Firewall (NGFW) devices in a single-tenant environment. |
Simplify Private App Access Using ZTNA Connector | The Zero Trust Network Access (ZTNA) Connector dramatically simplifies private app access for all apps, including modern, cloud-native, containerized, microservice, and legacy apps. With the introduction of this feature, you can use either the ZTNA Connector or a service connection to enable access to private apps for your users. Both methods enforce all ZTNA 2.0 principles. For Panorama Managed Prisma Access deployments, the ZTNA Connector is not supported in a multi-tenant deployment; however, multi-tenancy is supported with ZTNA Connector in a Cloud Managed Prisma Access deployment. |
Advanced Threat Prevention Inline Cloud Analysis and Domain Fronting Detection | Advanced Threat Prevention blocks unknown and evasive command-and-control traffic inline in real time with unique deep learning and machine learning models. The following Advanced Threat Prevention capabilities are added to Prisma Access: |
Advanced URL Filtering Inline Deep Learning Analysis | Advanced URL Filtering provides best-in-class web protection for the modern enterprise and stops unknown web-based attacks in real time to prevent patient-zero web threats. Advanced URL Filtering combines Palo Alto Networks’ malicious URL database capabilities with the industry’s first real-time web protection engine powered by machine learning (ML). Advanced URL Filtering Inline adds a series of inline cloud-based deep learning detectors that evaluate suspicious web page contents in real time. |
DLP Web Form Data Inspection | To prevent exfiltration of sensitive information in data exchanged in collaboration applications, web forms, cloud applications, custom applications, and social media, Enterprise Data Loss Prevention (DLP) supports inspection of non-file-format traffic using web form data inspection. |
NAT Support for Private Applications | You can specify a subnet at one or more service connections that is used to NAT traffic between Prisma Access GlobalProtect mobile users and private applications and resources at a data center. You can use either RFC 1918 or RFC 6598 addresses as the subnets. |
Kerberos Authentication Support for Explicit Proxy | You can now use both SAML to authenticate users, and Kerberos to authenticate users and machines, in a single Explicit Proxy deployment. |