Features in Prisma Access 3.2 and 3.2.1

This section lists the new features that are available in Prisma Access 3.2, including Prisma Access 3.2.1, along with upgrade information and considerations if you are upgrading from a previous Prisma Access version.

Cloud Services Plugin 3.2 and 3.2.1

Prisma Access 3.2 (including Prisma Access 3.2.1) uses a single Cloud Services plugin for both the Preferred and the Innovation release, which simplifies operations: there is one plugin to install and track instead of one per release train.
By default, the plugin runs the Preferred release. To upgrade to an Innovation release, reach out to your Palo Alto Networks account representative and submit a request.

Upgrade Considerations for 3.2 and 3.2.1 Prisma Access Releases

To upgrade to Prisma Access 3.2 or 3.2.1 Preferred, use one of the following upgrade paths.
To find your plugin version, select Panorama > Cloud Services > Configuration > Service Setup in Panorama and check the plugin version in the Plugin Alert area.

Installed Cloud Services Plugin Version: releases earlier than 2.2 Preferred
Targeted 3.2 Version: 3.2 or 3.2.1 Preferred
Upgrade Path:
  1. Upgrade your deployment to Prisma Access 2.2.
     If your deployment is on a version of Prisma Access that is earlier than 2.2 Preferred, you must first upgrade to Prisma Access 2.2 before you can upgrade to 3.2. Direct upgrades from 2.0 or 2.1 versions of Prisma Access are not supported.
  2. Upgrade your deployment to Prisma Access 3.0.
  3. Upgrade your deployment to Prisma Access 3.1.
  4. Upgrade your deployment to Prisma Access 3.2 or 3.2.1.

Installed Cloud Services Plugin Version: 2.2 Preferred
Targeted 3.2 Version: 3.2 or 3.2.1 Preferred
Upgrade Path:
  1. Upgrade your deployment to Prisma Access 3.0.
  2. Upgrade your deployment to Prisma Access 3.1.
  3. Upgrade your deployment to Prisma Access 3.2 or 3.2.1.
  Direct upgrades from Prisma Access 2.2 to 3.2 are not supported.

Installed Cloud Services Plugin Version: all Prisma Access releases
Targeted 3.2 Version: 3.2 or 3.2.1 Innovation
Upgrade Path:
  To upgrade to 3.2 or 3.2.1 Innovation, reach out to your Palo Alto Networks account representative and submit a request. The request is reviewed internally and, if approved, your deployment is upgraded to 3.2 or 3.2.1 Innovation.

Minimum Required Software Versions

Minimum Required Panorama Versions—For the minimum Panorama versions that are supported for use with Panorama Managed Prisma Access 3.2, see Prisma Access and Panorama Version Compatibility in the Palo Alto Networks Compatibility Matrix.
Minimum Required GlobalProtect Versions—Prisma Access supports any GlobalProtect version that is not End-of-Life (EoL). The GlobalProtect versions apply to both Panorama and Cloud Managed versions of Prisma Access.

New Features—Prisma Access 3.2.1 Preferred

The following features are added for Prisma Access 3.2.1 Preferred and Innovation. To find the new features for Cloud Managed Prisma Access, see the new features list in the Prisma Access Release Notes (Cloud Managed).
Dual Authentication Portal Support for Mobile Users—GlobalProtect Deployments
You can configure two Mobile Users—GlobalProtect portals in Prisma Access, with each portal supporting a different authentication method on a single Prisma Access tenant (for example, one portal configured for RADIUS authentication and one portal configured for SAML authentication).
This functionality requires an upgrade to a specific Preferred PAN-OS dataplane. To enable this feature, reach out to your Palo Alto Networks account representative or partner, who will contact the SRE team and submit a request to upgrade your dataplane.
Licensing Enhancements (Additional Mobile User locations and Service Connections)
The following Prisma Access license enhancements are added:
  • If you have a Prisma Access Local Edition license and need to add more locations than the maximum number of five, you can purchase a license add-on that allows you to add one or more additional locations so that the Local license can support more than five locations.
  • If you need more service connections than your license offers, you can purchase additional service connections at a flat per-service connection rate.
Prisma Access Explicit Proxy License Enhancements
You can use the same Mobile Users license for both Explicit Proxy and GlobalProtect, and when you provision one mobile user license unit, you can enable GlobalProtect, Explicit Proxy, or both for a single user. This enhancement eliminates the need to purchase additional quantities of mobile user units to support use cases where both Explicit Proxy and GlobalProtect are needed for the same user. See Prisma Access 3.2.1 Mobile User Licensing Change Examples for licensing examples.
New Prisma Access Compute Locations: Middle-East West and Europe Northwest (Paris)
To better optimize performance of Prisma Access, the following compute locations have been added and the following locations have been remapped to those new compute locations:
  • Middle-East West Compute Location—The Israel location is remapped from the Europe Central compute location to the Middle-East West compute location.
  • Europe Northwest (Paris) Compute Location—The France South location is remapped from the France South compute location to the Europe Northwest (Paris) compute location.
New deployments have the new remapping applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location.
Populate User Group Names in Security Policy Rules Using the Cloud Identity Engine
You can configure the Cloud Identity Engine in Panorama Managed Prisma Access deployments to populate groups in security policy rules, allowing you to either use the Cloud Identity Engine or a Master Device to perform this action. If you use a Master Device to make user and group information selectable in security policies, that functionality is unaffected.
Multi-Tenant Prisma Access support for Cloud Identity Engine Directory Group Sync
Enable Directory Group Sync for a multi-tenant Panorama Managed Prisma Access deployment using the Cloud Identity Engine. To enable this feature, reach out to your Palo Alto Networks representative.
New Strata Logging Service Region: Switzerland
A new region, Switzerland, is added to Strata Logging Service.
API to simplify Remote Network Automation
An XML API is provided for you to simplify connectivity from third-party SD-WAN devices and CPEs to Prisma Access for Remote Networks. You provide the bandwidth and the latitude and longitude of the SD-WAN device in the XML API; Prisma Access responds with the name of the IPSec termination node and compute location to use for the SD-WAN device.
Terminal Server Agent Support
Prisma Access supports the Palo Alto Networks Terminal Server (TS) Agent for the following platforms:
  • Citrix XenApp 7.x
  • Windows Server 2019
  • Windows 10 Enterprise Multi-session
Explicit Proxy Support for Office 365 Client Apps
In addition to browser-based Office 365 support, you can now forward O365 client application traffic through the Prisma Access Explicit Proxy Connect method.

New Features—Prisma Access 3.2.1 Innovation

Version 3.2.1 Innovation includes all the features in 3.2.1 Preferred and adds the following features.
Regional private IP address pools for Mobile Users - GlobalProtect
To allow you to be more granular in your Mobile Users-GlobalProtect IP address pool allocation, you can specify granular IP pools for the locations that are available with the feature, as well as Worldwide or per Prisma Access theater.
Cloud Identity Engine Multiple Authentication Mode Support
To simplify the process of identifying and authenticating users, Prisma Access supports Cloud Identity Engine authentication using certificate-based authentication in addition to multiple SAML 2.0-based identity providers in a single authentication profile. It now also supports group-based authentication so that you can specify different authentication types for particular groups or directories. This helps ensure that users experience a smooth login process regardless of the method they use to authenticate and makes it easier to deploy identity-based security policy.
For Prisma Access Explicit Proxy deployments, multiple authentication mode is supported for SAML authentication only.
Web Proxy Support
If your network uses a proxy device for security, you can now get the same level of protection using the on-premises web proxy capability that is available with PAN-OS 11.0. The web proxy feature adds options for migrating from an existing web proxy architecture to a single unified management console. Using the web proxy feature with Prisma Access provides a seamless method for migrating, deploying, and maintaining secure web gateway (SWG) configurations from an easy-to-use, simplified interface, and helps during the transition from on-premises to the cloud with no loss of security or efficiency.
Web proxy requires a Panorama version of 11.0.
Advanced Threat Prevention Inline Cloud Analysis Support for Explicit Proxy
Explicit Proxy adds Advanced Threat Prevention Inline Cloud Analysis support: a series of ML-based detection engines in the Advanced Threat Prevention cloud analyzes traffic for advanced C2 (command-and-control) and spyware threats in real time to protect users against zero-day threats. Because the detection engines run in the cloud, you get a wide array of detection mechanisms that are updated and deployed automatically, without having to download update packages or operate resource-intensive analyzers.
Advanced URL Filtering Inline Deep Learning Analysis Support for Explicit Proxy
Advanced URL Filtering provides best-in-class web protection for the modern enterprise and stops unknown web-based attacks in real time to prevent patient zero web threats. Advanced URL Filtering combines Palo Alto Networks’ malicious URL database capabilities with the industry’s first real-time web protection engine powered by machine learning (ML).
Advanced URL Filtering Inline adds a series of inline cloud-based deep learning detectors that evaluate suspicious web page contents in real-time.
Commit job status via XML/API for Multi-tenant
An operational XML API is provided to retrieve the commit job status for multi-tenant Prisma Access Panorama Managed deployments. To retrieve the job status using a curl command, enter the following command and API parameters:
curl -k 'https://<a.b.c.d>/api/?type=op&cmd=<request><plugins><cloud_services><prisma-access><multi-tenant><tenant-name><entry%20name="<tenant_name>"></entry></tenant-name><request-job-result><jobid><job_id></jobid></request-job-result></multi-tenant></prisma-access></cloud_services></plugins></request>&key=<key>'
Where:
  • <a.b.c.d> is the address of the Panorama that manages Prisma Access
  • <tenant_name> is the name of the tenant
  • <job_id> is the ID of the job for which you are requesting status.
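The same job-status call as an added Python example (this is not code from the Prisma Access documentation or the plugin). It differs from the curl line above in two practitioner-relevant ways: the API key is sent in the X-PAN-KEY request header instead of the query string, so it does not land in proxy logs or shell history, and TLS certificate verification is left on (the curl line's -k disables it). The request XML is built with ElementTree so a tenant name containing characters such as & or " is escaped rather than breaking the command. The sample response used to exercise the parser is constructed; the exact layout of the <result> element returned by the plugin is an assumption, so adjust parse_job_result to what your Panorama actually returns.

```python
# Added example, not part of the Prisma Access documentation. Builds the
# multi-tenant commit-job-status op command and parses a (constructed) reply.
import urllib.request
import xml.etree.ElementTree as ET
from urllib.parse import urlencode


def build_cmd(tenant_name: str, job_id: int) -> str:
    """Return the <request> XML for request-job-result on one tenant."""
    req = ET.Element("request")
    mt = ET.SubElement(
        ET.SubElement(ET.SubElement(ET.SubElement(req, "plugins"), "cloud_services"), "prisma-access"),
        "multi-tenant",
    )
    tn = ET.SubElement(mt, "tenant-name")
    ET.SubElement(tn, "entry", name=tenant_name)          # ElementTree escapes the attribute value
    rjr = ET.SubElement(mt, "request-job-result")
    ET.SubElement(rjr, "jobid").text = str(int(job_id))   # int() rejects non-numeric job IDs
    # short_empty_elements=False keeps <entry ...></entry>, matching the documented command
    return ET.tostring(req, encoding="unicode", short_empty_elements=False)


def build_request(panorama: str, tenant_name: str, job_id: int, api_key: str):
    """Return (url, headers). The key travels in X-PAN-KEY, never in the URL."""
    query = urlencode({"type": "op", "cmd": build_cmd(tenant_name, job_id)})
    return f"https://{panorama}/api/?{query}", {"X-PAN-KEY": api_key}


def parse_job_result(xml_text: str) -> dict:
    """Extract API status and job fields; <job>/<status>/<result> layout is an assumption."""
    root = ET.fromstring(xml_text)
    if root.tag != "response":
        raise ValueError("unexpected root element %r" % root.tag)
    out = {"api_status": root.get("status")}
    if out["api_status"] != "success":
        out["error"] = (root.findtext(".//line") or root.findtext(".//msg") or "").strip()
        return out
    job = root.find(".//job")
    if job is None:
        raise ValueError("no <job> element in result; check the real response layout")
    out["job_id"] = job.findtext("id")
    out["status"] = job.findtext("status")
    out["result"] = job.findtext("result")
    out["done"] = out["status"] == "FIN"
    return out


def fetch_job_result(panorama: str, tenant_name: str, job_id: int, api_key: str, timeout: float = 15) -> dict:
    """Live call (not exercised offline); TLS verification stays enabled."""
    url, headers = build_request(panorama, tenant_name, job_id, api_key)
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers), timeout=timeout) as resp:
        return parse_job_result(resp.read().decode("utf-8"))


# Constructed sample replies used to demonstrate the parser offline.
SAMPLE_OK = ('<response status="success"><result><job><id>42</id><status>FIN</status>'
             '<result>OK</result></job></result></response>')
SAMPLE_ERR = '<response status="error" code="7"><msg><line>Unknown tenant</line></msg></response>'

if __name__ == "__main__":
    url, hdrs = build_request("10.0.0.5", "acme-prod", 42, "REDACTED-KEY")
    print(url)
    print(parse_job_result(SAMPLE_OK))
    print(parse_job_result(SAMPLE_ERR))
```

Poll with fetch_job_result until done is True; a job whose status is FIN but whose result is not OK needs the detailed job log from Panorama, which this call does not return.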

New Features—Prisma Access 3.2 Preferred

The following table describes the new features that are available with Prisma Access 3.2 Preferred.
SaaS Security Posture Management (SSPM)
SSPM is a new product in the SaaS Security offering that helps find and fix misconfigured settings on supported SaaS apps along with other features to ensure proper posture security all from one unified cloud management console.
Suspicious User Activity
Suspicious User Activity with SaaS Security API is an out-of-the-box policy-based detection of user activity by User, App, and Risk scenarios.
Autonomous Digital Experience Management Self Serve
Autonomous digital experience management (Autonomous DEM) empowers end users to resolve application experience issues that fall into their purview without consulting IT. ADEM Self Serve reduces ticket load and improves the experience of end-users by helping them quickly resolve the following issues:
  • CPU and Memory Issues impacting application experience—Autonomous DEM Self Serve can detect High CPU or Memory Utilization conditions and notify mobile users with guided remediation.
  • WiFi issues impacting application experience—Autonomous DEM Self Serve can detect poor WiFi quality, change of WiFi connections or disconnect conditions, and notify mobile users with guided remediation.
  • Internet issues impacting application experience—Autonomous DEM Self Serve can detect internet disconnect conditions for wired and wireless connections and notify mobile users with guided remediation.
Prisma SASE Platform
SASE Portal (https://sase.paloaltonetworks.com) is a single location to access and manage Secure Access Service Edge (SASE) products and services for enterprises and service providers (SPs). The key capabilities are as follows:
  • License activation and subscription management—Activate and manage all your available licenses from one location.
  • Tenant management—The option to create single and multiple tenants, build a hierarchy, and share and allocate license subscriptions for the desired tenants.
  • Hierarchical Multi-tenant Cloud Management Dashboard—Single Pane of Glass Management supporting insights into network and security services across all tenants.
  • Open API gateway—API access via centralized API gateway to enable integration and automation.
  • Identity and access management—Centralized authentication and authorization of user roles and permissions for all applications and API-based access.
Simplified Activation and Subscription Management
You can now use a completely new and revamped user-friendly workflow to activate and manage all your Prisma Access subscriptions in one place. With this update, Palo Alto Networks optimizes the activation flow, significantly reducing the activation time and providing contextual information that can reduce any human errors during the activation.
The updates include the following workflows:
  • Evaluation-to-production conversion request
  • Incident management procedures to troubleshoot activation-related issues and improve the overall serviceability experience
DNS Security Enhancements
Prisma Access deployments now extend protection for the latest DNS-based attack techniques, including strategically aged domains, making it the most comprehensive DNS security solution available.
1 Gbps Maximum Bandwidth Support for Remote Network IPSec Termination Nodes
The maximum bandwidth that Prisma Access can allocate to IPSec termination nodes for remote network deployments is increasing from 500 Mbps to 1000 Mbps.
This change allows you to allocate more bandwidth to remote networks. To make this increase effective, you must allocate a minimum of 501 Mbps to the compute locations associated with the IPSec termination nodes. See Changes to Default Behavior for details.
While bandwidth enforcement is not currently applied, Prisma Access reserves the right to enforce the allocated bandwidth when the consumption exceeds the allocation. You will be notified prior to applying the enforcement.
This functionality is supported for Panorama Managed deployments only. If you are upgrading from an earlier Cloud Services plugin version, you must perform a Commit and Push before installing the 3.2 plugin and perform a Push to Devices after installing the plugin to implement this change.
Simplified SASE Consumption Model with Prisma Access SD-WAN Add-On
Palo Alto Networks is introducing Prisma SD-WAN as a simple add-on solution to Prisma Access, allowing customers to get best-in-class security and SD-WAN in an effortless, consumable model. With the Prisma SD-WAN add-on to Prisma Access, you can get the most comprehensive SASE solution that enables aggregation of bandwidth across all branch locations, provides ease of activation via a single link for all SASE services—including SD-WAN—while gaining the flexibility to easily add additional services as needed from a unified management console.
New Prisma Access Locations
To better accommodate worldwide deployments and provide enhanced local coverage, the following new locations have been added, which map to the following compute locations:
  • Pakistan West (II)—Maps to the Asia Southeast (Singapore) compute location.
  • Sri Lanka—Maps to the Asia Southeast (Singapore) compute location.
New and Renamed Prisma Access Compute Locations and Remapped Locations
To better optimize performance of Prisma Access, the following new compute locations are added and the following locations are remapped to the new compute locations:
  • US South—The Mexico Central, Mexico West, and US South locations are moving to the US South compute location.
  • Europe Southwest—The Andorra, Portugal, Spain Central, and Spain East locations are moving to the Europe Southwest compute location.
  • Europe South—The Italy, Kenya, and Monaco locations are moving to the Europe South compute location.
  • Asia Southeast (Indonesia)—The Indonesia location is moving to the Asia Southeast (Indonesia) compute location.
In addition, the existing Asia Southeast compute location is renamed Asia Southeast (Singapore).
New deployments have the new remapping applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location.
Terminal Server (TS) Agent Support
Prisma Access supports the Palo Alto Networks Terminal Server (TS) Agent for the following platforms:
  • Windows Server 2019
  • Windows 10 Enterprise Multi-session
A maximum of 400 TS Agents are supported.
Disable Logging for Service Connections
This functionality allows the Palo Alto Networks Site Reliability Engineering (SRE) team to disable logging on the service connections for your Prisma Access deployment.
If the majority of the traffic flows logged by the service connections are asymmetric, disabling service connection logging might be required to reduce the consumption of Strata Logging Service logging storage. If your deployment does not have asymmetric flows via the service connections, you do not need to disable logging.
To disable logging for service connections, reach out to your Palo Alto Networks account representative or partner, who will contact the SRE team and submit a request.

New Features—Prisma Access 3.2 Innovation

Version 3.2 Innovation includes all the features in 3.2 Preferred and adds the following features.
Next-Generation CASB-X for Prisma Access and Next-Generation Firewalls
The Next-Generation Cloud Access Security Broker (CASB-X) is a new SKU that contains all the CASB components such as SaaS Security Inline, SaaS Security API, SaaS Security Posture Management (SSPM), and Enterprise DLP API. It can be applied on Cloud Managed Prisma Access, Panorama Managed Prisma Access, and Panorama Managed Next-Generation Firewall (NGFW) devices in a single-tenant environment.
Simplify Private App Access Using ZTNA Connector
The Zero Trust Network Access (ZTNA) Connector dramatically simplifies private app access for all apps including modern, cloud-native, containerized, microservice, and legacy apps.
With the introduction of this feature, you can either use the ZTNA Connector or a service connection to enable access to private apps for your users. Both methods enforce all ZTNA 2.0 principles.
For Panorama Managed Prisma Access deployments, the ZTNA Connector is not supported in a multi-tenant deployment. Multi-tenancy is supported with the ZTNA Connector in a Cloud Managed Prisma Access deployment.
Advanced Threat Prevention Inline Cloud Analysis and Domain Fronting Detection
Advanced Threat Prevention blocks unknown and evasive command and control traffic inline in real-time with unique deep learning and machine learning models.
The following advanced threat prevention capabilities are added to Prisma Access:
  • Inline Cloud Analysis—A series of ML-based detection engines are added in the Advanced Threat Prevention cloud to analyze traffic for advanced C2 (command-and-control) and spyware threats in real-time to protect users against zero-day threats. By operating cloud-based detection engines, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages or operate resource-intensive analyzers.
  • Domain Fronting Detection—Threat Prevention can detect domain fronting, a TLS evasion technique that can circumvent URL filtering database solutions and facilitate data exfiltration using SNI spoofing.
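The check behind the domain-fronting bullet, as an added illustration rather than Palo Alto Networks' detection logic: a fronted connection presents one hostname in the TLS SNI (the one a URL database sees) and a different one in the HTTP Host header after decryption. The example runs over constructed session records with the example's own field names (sni, host, cert_sans) and treats a Host that the server certificate's SAN list covers as ordinary virtual hosting rather than fronting; wildcard SANs cover exactly one label, as in certificate validation.

```python
# Added example, not part of the Prisma Access documentation or product.
# Flags decrypted sessions whose HTTP Host differs from the TLS SNI and is not
# an alternate name on the presented certificate. Records are constructed.
from typing import Dict, List, Optional, Tuple


def _norm(h: str) -> str:
    """Lower-case, strip a trailing dot and any :port so comparisons are stable."""
    return h.strip().lower().rstrip(".").split(":")[0]


def san_covers(san: str, host: str) -> bool:
    """True if a SAN entry (optionally *.label wildcard) matches host."""
    san, host = _norm(san), _norm(host)
    if san.startswith("*."):
        sl, hl = san.split("."), host.split(".")
        # A wildcard matches exactly one leading label, never zero or several.
        return len(sl) == len(hl) and sl[1:] == hl[1:]
    return san == host


def check_session(rec: Dict) -> Optional[str]:
    """Return a finding string for a suspicious session, else None."""
    sni, host = _norm(rec["sni"]), _norm(rec["host"])
    if sni == host:
        return None
    if any(san_covers(s, host) for s in rec.get("cert_sans", [])):
        return None  # same certificate vouches for Host: normal virtual hosting
    return f"possible domain fronting: SNI {sni} / Host {host}"


def scan(records: List[Dict]) -> List[Tuple[int, str]]:
    """Run check_session over a batch and return (id, finding) pairs."""
    out = []
    for r in records:
        finding = check_session(r)
        if finding:
            out.append((r["id"], finding))
    return out


# Constructed sample sessions (hypothetical hostnames).
SESSIONS = [
    {"id": 1, "sni": "www.example.com", "host": "www.example.com",
     "cert_sans": ["www.example.com"]},
    {"id": 2, "sni": "assets.example.com", "host": "static.example.com:443",
     "cert_sans": ["*.example.com"]},                      # covered by wildcard: benign
    {"id": 3, "sni": "cdn.benign-host.example", "host": "c2.evil.example",
     "cert_sans": ["cdn.benign-host.example"]},            # classic fronting pattern
    {"id": 4, "sni": "a.b.example.org", "host": "x.y.example.org",
     "cert_sans": ["*.example.org"]},                      # wildcard does not span two labels
]

if __name__ == "__main__":
    for sid, finding in scan(SESSIONS):
        print(sid, finding)
```

This is a heuristic, not a verdict: CDNs that legitimately serve many customers behind one certificate will not trip it, while a fronted request through a shared edge whose certificate does not name the Host will.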
Advanced URL Filtering Inline Deep Learning Analysis
Advanced URL Filtering provides best-in-class web protection for the modern enterprise and stops unknown web-based attacks in real time to prevent patient zero web threats. Advanced URL Filtering combines Palo Alto Networks’ malicious URL database capabilities with the industry’s first real-time web protection engine powered by machine learning (ML).
Advanced URL Filtering Inline adds a series of inline cloud-based deep learning detectors that evaluate suspicious web page contents in real-time.
DLP Web Form Data Inspection
To prevent exfiltration of sensitive information in data exchanged in collaboration applications, web forms, cloud applications, custom applications, and social media, Enterprise Data Loss Prevention (DLP) supports inspection of non-file-format traffic using web form data inspection.
NAT Support for Private Applications
You can specify a subnet at one or more service connections that are used to NAT traffic between Prisma Access GlobalProtect mobile users and private applications and resources at a data center.
  • Enable Data Traffic Source NAT—You can NAT Mobile User IP Address pool addresses so that they are not advertised to the data center, and only the subnets you specify at the service connections are advertised and routed in the data center.
  • Enable Infrastructure Traffic Source NAT—You can NAT addresses from the Infrastructure Subnet so that they are not advertised to the data center, and only those subnets you specify at the service connections are advertised and routed in the data center.
You can use either RFC1918 or RFC6598 addresses as the subnets.
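An added pre-commit check for the NAT subnets described above (example code, not part of Prisma Access). Prisma Access accepts RFC 1918 or RFC 6598 space for these subnets; the additional rules in the example, that a NAT subnet must not overlap the mobile-user IP pool, the infrastructure subnet, prefixes already routed in the data center, or another NAT subnet, are this example's own operational checks, chosen because an overlap here produces exactly the asymmetric or black-holed routing the feature is meant to avoid. All prefixes are constructed.

```python
# Added example, not part of the Prisma Access documentation. Validates candidate
# service-connection source-NAT subnets against the allowed private ranges and
# against address space that must stay distinct. Sample prefixes are constructed.
import ipaddress
from typing import Dict, Iterable, List

# RFC 1918 private space plus RFC 6598 shared address space.
ALLOWED = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def validate_nat_subnets(candidates: Iterable[str],
                         reserved: Dict[str, Iterable[str]]) -> Dict[str, List[str]]:
    """Return {candidate: [problems]}; an empty list means the subnet is usable."""
    reserved_nets = [(label, ipaddress.ip_network(n))
                     for label, nets in reserved.items() for n in nets]
    report: Dict[str, List[str]] = {}
    accepted: List[ipaddress.IPv4Network] = []
    for cand in candidates:
        problems: List[str] = []
        try:
            net = ipaddress.ip_network(cand, strict=True)   # strict: host bits must be zero
        except ValueError as exc:
            report[cand] = [f"not a valid network: {exc}"]
            continue
        if net.version != 4:
            problems.append("IPv4 only")
        elif not any(net.subnet_of(a) for a in ALLOWED):
            problems.append("not within RFC 1918 or RFC 6598 space")
        for label, r in reserved_nets:
            if net.overlaps(r):
                problems.append(f"overlaps {label} {r}")
        for prev in accepted:
            if net.overlaps(prev):
                problems.append(f"overlaps another NAT subnet {prev}")
        if net.version == 4:
            accepted.append(net)
        report[cand] = problems
    return report


# Constructed deployment facts (hypothetical values).
RESERVED = {
    "mobile user pool": ["10.200.0.0/16"],
    "infrastructure subnet": ["172.16.55.0/24"],
    "data center prefix": ["10.0.0.0/16", "10.1.0.0/16"],
}
CANDIDATES = [
    "100.64.10.0/24",   # RFC 6598, clean
    "10.2.0.0/24",      # RFC 1918, clean
    "10.200.5.0/24",    # collides with the mobile user pool
    "198.51.100.0/24",  # public documentation range, not allowed
    "10.2.0.0/25",      # nested inside an earlier candidate
    "10.3.4.5/24",      # host bits set
]

if __name__ == "__main__":
    for subnet, problems in validate_nat_subnets(CANDIDATES, RESERVED).items():
        print(subnet, "OK" if not problems else "; ".join(problems))
```

Run it against the real pool, infrastructure subnet and data-center routes before the commit; the report lists every problem per subnet rather than stopping at the first.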
Kerberos Authentication Support for Explicit Proxy
You can now use both SAML to authenticate users, and Kerberos to authenticate users and machines, in a single Explicit Proxy deployment.