Direct upgrades from Prisma Access 2.2 to 3.2 are not supported.

You can configure two Mobile Users—GlobalProtect portals in Prisma Access, with each portal supporting a different authentication method on a single Prisma Access tenant (for example, one portal configured for RADIUS authentication and one portal configured for SAML authentication).

The following Prisma Access license enhancements are added:

You can use the same Mobile Users license for both Explicit Proxy and GlobalProtect, and when you provision one mobile user license unit, you can enable GlobalProtect, Explicit Proxy, or both for a single user. This enhancement eliminates the need to purchase additional quantities of mobile user units to support use cases where both Explicit Proxy and GlobalProtect are needed for the same user. See Prisma Access 3.2.1 Mobile User Licensing Change Examples for licensing examples.

To better optimize performance of Prisma Access, the following compute locations have been added and the following locations have been remapped to those new compute locations:

New deployments have the new remapping applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location.

You can configure the Cloud Identity Engine in Panorama Managed Prisma Access deployments to populate groups in security policy rules, allowing you to either use the Cloud Identity Engine or a Master Device to perform this action. If you use a Master Device to make user and group information selectable in security policies, that functionality is unaffected.

Enable Directory Group Sync for a multi-tenant Panorama managed Prisma Access deployment using the Cloud Identity Engine. To enable this feature, reach out to your Palo Alto networks representative.

A new region, Switzerland, is added to Strata Logging Service.

An XML API is provided for you to simplify connectivity from third-party SD-WAN devices and CPEs to Prisma Access for Remote Networks. You provide the bandwidth and the latitude and longitude of the SD-WAN device in the XML API; Prisma Access responds with the name of the IPSec termination node and compute location to use for the SD-WAN device.

Prisma Access supports the Palo Alto Networks Terminal Server (TS) Agent for the following platforms:

To allow you to be more granular in your Mobile Users-GlobalProtect IP address pool allocation, you can specify granular IP pools for the locations that are available with the feature, as well as Worldwide or per Prisma Access theater.

To simplify the process of identifying and authenticating users, Prisma Access supports Cloud Identity Engine authentication using certificate-based authentication in addition to multiple SAML 2.0-based identity providers in a single authentication profile. It now also supports group-based authentication so that you can specify different authentication types for particular groups or directories. This helps ensure that users experience a smooth login process regardless of the method they use to authenticate and makes it easier to deploy identity-based security policy.

For Prisma Access Explicit Proxy deployments, multiple authentication mode is supported for SAML authentication only.

If your network uses a proxy device for security, you can now leverage the same level of protection using the on-premises web proxy capability that is available with PAN-OS 11.0. The web proxy features enables additional options for migrating from an existing web proxy architecture to a simple unified management console. Using the web proxy feature with Prisma Access provides a seamless method for migrating, deploying, and maintaining secure web gateway (SWG) configurations from an easy to use and simplified interface. Web proxy helps during the transition from on-premises to the cloud with no loss to security or efficiency.

Web proxy requires a Panorama version of 11.0.

Explicit Proxy adds Advanced Threat Prevention Inline Cloud Analysis support, which is a series of ML-based detection engines are added in the Advanced Threat Prevention cloud to analyze traffic for advanced C2 (command-and-control) and spyware threats in real-time to protect users against zero-day threats. By operating cloud-based detection engines, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages or operate resource-intensive analyzers.

Advanced URL Filtering provides best-in-class web protection for the modern enterprise and stops unknown web-based attacks in real time to prevent patient zero web threats. Advanced URL Filtering combines Palo Alto Networks’ malicious URL database capabilities with the industry’s first real-time web protection engine powered by machine learning (ML).

Advanced URL Filtering Inline adds a series of inline cloud-based deep learning detectors that evaluate suspicious web page contents in real-time.

SSPM is a new product in the SaaS Security offering that helps find and fix misconfigured settings on supported SaaS apps along with other features to ensure proper posture security all from one unified cloud management console.

Suspicious User Activity with SaaS Security API is an out-of-the-box policy-based detection of user activity by User, App, and Risk scenarios.

Autonomous digital experience management (Autonomous DEM) empowers end users to resolve application experience issues that fall into their purview without consulting IT. ADEM Self Serve reduces ticket load and improves the experience of end-users by helping them quickly resolve the following issues:

SASE Portal (https://sase.paloaltonetworks.com) is a single location to access and manage Secure Access Service Edge (SASE) products and services for enterprises and service providers (SPs). The key capabilities are as follows:

You can now use a completely new and revamped user-friendly workflow to activate and manage all your Prisma Access subscriptions in one place. With this update, Palo Alto Networks optimizes the activation flow, significantly reducing the activation time and providing contextual information that can reduce any human errors during the activation.

The updates include the following workflows:

Prisma Access deployments now extend protection for the latest DNS-based attack techniques, including strategically aged domains, making it the most comprehensive DNS security solution available.

The maximum bandwidth that Prisma Access can allocate to IPSec termination nodes for remote network deployments is increasing from 500 Mbps to 1000 Mbps.

This change allows you to allocate more bandwidth to remote networks. To make this increase effective, you must allocate a minimum of 501 Mbps to the compute locations associated with the IPSec termination nodes. See Changes to Default Behavior for details.

This functionality is supported for Panorama Managed deployments only. If you are upgrading from an earlier Cloud Services plugin version, you must perform a Commit and Push before installing the 3.2 plugin and perform a Push to Devices after installing the plugin to implement this change.

Palo Alto Networks is introducing Prisma SD-WAN as a simple add-on solution to Prisma Access, allowing customers to get best-in-class security and SD-WAN in an effortless, consumable model. With the Prisma SD-WAN add-on to Prisma Access, you can get the most comprehensive SASE solution that enables aggregation of bandwidth across all branch locations, provides ease of activation via a single link for all SASE services—including SD-WAN—while gaining the flexibility to easily add additional services as needed from a unified management console.

To better accommodate worldwide deployments and provide enhanced local coverage, the following new locations have been added, which map to the following compute locations:

To better optimize performance of Prisma Access, the following new compute locations are added and the following locations are remapped to the new compute locations:

In addition, the existing Asia Southeast compute location is renamed Asia Southeast (Singapore).

New deployments have the new remapping applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location.

Prisma Access supports the Palo Alto Networks Terminal Server (TS) Agent for the following platforms:

A maximum of 400 TS Agents are supported.

The Next-Generation Cloud Access Security Broker (CASB-X) is a new SKU that contains all the CASB components such as SaaS Security Inline, SaaS Security API, SaaS Security Posture Management (SSPM), and Enterprise DLP API. It can be applied on Cloud Managed Prisma Access, Panorama Managed Prisma Access, and Panorama Managed Next-Generation Firewall (NGFW) devices in a single-tenant environment.

The Zero Trust Network Access (ZTNA) Connector dramatically simplifies private app access for all apps including modern, cloud-native, containerized, microservice, and legacy apps.

With the introduction of this feature, you can either use the ZTNA Connector or a service connection to enable access to private apps for your users. Both methods enforce all ZTNA 2.0 principles.

For Panorama Managed Prisma Access deployments, the ZTNA Connector is not supported in a multi-tenant deployment, however, multi-tenancy is supported with ZTNA Connector in a Cloud Managed Prisma Access deployment.

Advanced Threat Prevention blocks unknown and evasive command and control traffic inline in real-time with unique deep learning and machine learning models.

The following advanced threat prevention capabilities are added to Prisma Access:

Advanced URL Filtering provides best-in-class web protection for the modern enterprise and stops unknown web-based attacks in real time to prevent patient zero web threats. Advanced URL Filtering combines Palo Alto Networks’ malicious URL database capabilities with the industry’s first real-time web protection engine powered by machine learning (ML).

Advanced URL Filtering Inline adds a series of inline cloud-based deep learning detectors that evaluate suspicious web page contents in real-time.

To prevent exfiltration of sensitive information in data exchanged in collaboration applications, web forms, Cloud applications, custom applications, and social media, Enterprise Data Loss Prevention (DLP) supports inspection of non-filed format traffic using web form data inspection.

You can specify a subnet at one or more service connections that are used to NAT traffic between Prisma Access GlobalProtect mobile users and private applications and resources at a data center.

You can use either RFC1918 or RFC6598 addresses as the subnets.