Releases and Upgrades
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Releases and Upgrades
Prisma Access releases and updates allow you
to stay up-to-date and secure your users. Some of the updates are
managed by Palo Alto Networks, such as Prisma Access infrastructure
updates and you will receive advance notification so you can plan
around them. Other updates are your responsibility and you must
schedule the specified version of the content update, software update,
and plugin version (as required), at your earliest convenience.
You can retrieve the status of all cloud services,
including Prisma Access and Strata Logging Service, along with a historical
record of the uptime of each service, by accessing the https://sase.status.paloaltonetworks.com/ website.
You can also sign up for email or text message updates at this site
to be notified in advance when infrastructure updates are planned
and real-time notifications when updates occur, and when Palo Alto
Networks creates, updates, or resolves an incident.
Prisma Access Release Types
Prisma Access has upgrades, including major
releases and infrastructure maintenance, that include new features
and optimizations to deliver best-of-breed security for your remote
networks and mobile users.
The following list defines Prisma
Access release types, along with the advance notification we provide
you for each release. To make sure that you receive notifications
for all releases, register for email or text notifications for Prisma Access
at the https://sase.status.paloaltonetworks.com/ website
and sign up for alerts in the Prisma
Access app.
- Major Release—A major release typically includes significant new features and optimizations, and such updates are pushed with a planned maintenance window set up by Palo Alto Networks. Palo Alto Networks notify the customers of such planned maintenance activities via email notifications via sase.status.paloaltonetworks.com and Prisma Access Insights. You must subscribe to email alerts on both applications to stay up to date.Notification—Palo Alto Networks provides you with the following notifications for major releases:
Deployment Type Notification Period Production Deployments Palo Alto Networks provides you with a notification 21 days before a major release.Lab Deployments Palo Alto Networks provides you with a notification 7 days before a major release.Lab tenants are not covered under the Prisma Access Service Level Agreement (SLA), and customers are strongly advised to use the tenants only for pre-production testing and qualification purposes. - Infrastructure Maintenance—Includes incremental features and optimizations. In some cases, Palo Alto Networks may combine a hotfix with infrastructure maintenance.Notification—Palo Alto Networks provides you with the following notifications:
Deployment Type Notification Period Production Deployments Palo Alto Networks provides you with a notification 10 days before infrastructure maintenance.Lab Deployments Palo Alto Networks provides you with a notification 7 days before infrastructure maintenance. - Cloud Services Plugin Release (Panorama Managed Prisma Access Deployments Only)—If Prisma Access requires a new plugin, it is made available to download via the Palo Alto Networks Customer Support Portal (CSP) and on Panorama by the following Tuesday (by 5 p.m. PST) after all required upgrades have been successfully completed.Notification—The service will send an email notification via Prisma Access Insights after the plugin has been made available for the download.Prisma Access may force all tenants to upgrade to a specific Cloud Services plugin version to maintain backward compatibility and supported software versions. Such enforcement activity will provide a 14-day advance notice (via Prisma Access Insights and the sase.status.paloaltonetworks.com page) to plan for the upgrade of the plugin. The service strongly recommends that you upgrade to the latest plugin as soon as it is available to download.
Prisma Access Upgrade Types
Palo Alto Networks upgrades its cloud-based
infrastructure without any intervention required from you. Some
upgrades require that you perform an action, such as install a new
plugin.
The following list includes the different types of
Prisma Access upgrades:
- Infrastructure Upgrade—Palo Alto Networks upgrades the Prisma Access infrastructure, which includes the underlying service backend, orchestration, and monitoring infrastructure.
- Dataplane Upgrade—Palo Alto Networks upgrades the Prisma Access dataplane that enables traffic inspection and security policy enforcement on your network and user traffic.You use the Prisma Access app to sign up for dataplane upgrade email alert notifications and indicate your upgrade preferences.
- Cloud Services Plugin Upgrade (Panorama Managed Deployments Only)—When a new plugin release becomes available, your network administrator will need to upgrade the Cloud Services plugin on the Panorama appliance that manages Prisma Access.
- Panorama Software Version Upgrade (Panorama Managed Deployments Only) —An upgrade of your Panorama software might be required to ensure continued compatibility with Prisma Access.
The following table shows you
what is included with each release, including the maintenance window
we provide and any impact to your Prisma Access service.
Upgrade Type | Maintenance Window | Impact |
---|---|---|
Infrastructure Upgrade | 2-8 hours | No impact to network traffic; however you cannot
perform commits during the maintenance window. Palo Alto Networks
schedules the upgrades at a local time that is minimally disruptive
to business functions. |
Dataplane Upgrade | 72 hours | Palo Alto Networks uses this window to upgrade
the dataplane for all customers. You can make configuration changes
and commits during this window. Our goal is to minimize impact to network
traffic, but in some cases there may be a brief interruption. See Prisma Access Dataplane Upgrades for more information. You use the Prisma Access Insights app to
sign up for dataplane upgrade email alert notifications and indicate
your upgrade preferences, including the preferred time window for
your upgrade. |
Cloud Services Plugin Upgrade (Panorama Managed Deployments Only) | You install the plugin when it becomes available. | Prisma Access might require you to upgrade all
tenants to a specific plugin version to maintain backward compatibility
and supported software versions. For more information about the
time windows and the notifications that Prisma Access provides,
see Prisma Access Release Types. During the
plugin upgrade, you cannot make configuration changes and commits
in Panorama. |
Panorama Software Version Upgrade (Panorama Managed Deployments Only) | You schedule and perform the upgrade on
the Panorama that manages Prisma Access. | When Prisma Access upgrades its infrastructure
and dataplane after a major release, the upgrades can be incompatible
with earlier Panorama versions. Because of the fast-paced release
of Prisma Access and the Cloud Services plugin, the software compatibility
(end-of-support) dates for Panorama are shorter than the software end-of-life
dates for Panorama releases and apply to Panorama version compatibility
with Prisma Access only. For more information, including end-of-support
dates for Panorama when used with Prisma Access, see Prisma Access and Panorama Version
Compatibility in the Palo Alto Networks Compatibility
Matrix. |
Cadence for Software and Content Updates for Prisma Access
The following table informs you of the software
and content updates to get the latest applications and threat signatures
and leverage the threat prevention capabilities provided by Palo
Alto Networks. If the Cloud Controlled? column
has an attribute of No, you perform the required actions
to update the component.
Component | Update Schedule | Cloud Controlled? (Yes/No) | Comments |
---|---|---|---|
Upgrades to Panorama software for compatibility with Prisma Access | For major Prisma Access releases, you might
need to upgrade your Panorama version for the following use cases: Required Upgrade—On
occasion, you will be required to upgrade the software version on
Panorama to maintain compatibility with
Prisma Access.
Optional Upgrade—In
other cases, you might need to upgrade the Panorama software version
to use the new features that Prisma Access supports in the major release.
| No | See Prisma Access and Panorama Version Compatibility to learn when a Panorama version becomes incompatible with Prisma Access. See Upgrade the Cloud Services Plugin for the currently supported Panorama versions to use with Prisma Access. To upgrade your Panorama to a new version, see Install Content and Software Updates for Panorama. |
Cloud Services plugin version | Available after the plugin release. | No | You perform the tasks to upgrade the plugin. See Prisma Access Release Types for details about when Prisma Access updates its plugin version. See Upgrade the Cloud Services Plugin to upgrade the plugin in the Panorama appliance. |
GlobalProtect app | Major GlobalProtect App Releases (for
example, x.0 or 5.x)—Prisma Access updates the
agent on the portal with the latest major release 7-10 days after
the general availability of the x.0.1 version of that release.
For example, given an agent release of 5.1, Prisma Access updates
the agent on the portal 7-10 days after the release of 5.1.1. Minor GlobalProtect
App Releases (for example, 5.1.x)—Prisma Access updates
the agent on the portal with the latest infrastructure maintenance
7-10 days after the general availability of that release. | Yes | The cloud controls the versions of the app
that is available for upgrade; however you can choose between several different
hosted versions of the app and can control how and when to roll
out GlobalProtect app updates to the end users. See Manage Upgrade Options for the GlobalProtect App for details. If
your Prisma Access deployment requires a hotfix of the GlobalProtect
app, open a Support Case with Palo
Alto Networks Technical Support for assistance. |
Applications and threat updates | Daily with a threshold of 24 hours. We
release New App-IDs on the third Tuesday of every month. Plan to
review and incorporate these new App-IDs within the 24 hour threshold.
Use the New App-ID filter to minimize
this possible traffic impact. | Yes | We will provide an update via the sase.status.paloaltonetworks.com page 48 hours prior
to a cloud upgrade, and 24 hours prior to release of new App-ID version. |
Antivirus protection | Every hour, 10 minutes after the hour | Yes | Prisma Access is always up-to-date with the latest Antivirus release. |
WildFire | Real-Time | Yes | Prisma Access retrieves WildFire signatures for newly-discovered malware as soon as the WildFire public cloud can generate them. |
GlobalProtect Data File | Every hour | Yes | Prisma Access is always up-to-date with the latest GlobalProtect data file release. |
Clientless VPN application signatures | Every hour | Yes | Prisma Access is always up-to-date with the latest Clientless VPN application signature release. |
Prisma Access Dataplane Upgrades
Prisma Access performs dataplane upgrades
on the service to provide new security features and capabilities
to help protect your organization’s end-users, business assets,
and digital transformation. When a new version of Prisma Access
requires a dataplane upgrade, you need to understand how the upgrade
process works and have the required prerequisites in place before
upgrading. You can expect to receive upgrades every 8 to 12 weeks.
The following sections provide an overview of the process, along
with what you need in order to have a successful upgrade.
Dataplane Upgrade Requirements
Before you start the upgrade process, make
sure that you have completed the following required actions:
- Go to the Prisma Access app and sign up for email notifications that keep you informed of when the dataplane upgrade will occur.In the email notifications, Palo Alto Networks will notify you of the two weekend dates when the upgrade process will occur. In addition, you will be requested to provide the first location to upgrade, along with the four-hour time window that Prisma Access will use to upgrade your locations. The time zone used for the window is the same as the time zone used for each location. For example, the US Southwest location uses the Pacific time zone for dataplane upgrades and the US Northeast location uses the Eastern time zone.
- Make sure that you have the following Prisma Access infrastructure requirements in place:
- Make sure that the Panorama that manages Prisma Access has the minimum required Panorama version for the Prisma Access version to which you want to upgrade.
- Use the API to retrieve the public IP addresses for your Prisma Access deployment, and make sure that those IP addresses have been added to the allow lists in your network.
Dataplane Upgrade Overview
Prisma Access upgrades your dataplane in two
phases on two weekend dates, and keeps you informed about the upgrade
using the Prisma Access app. On a high level, the following steps
are taken during the upgrade process.
- An email notification from the Prisma Access app arrives 21 days before the scheduled dataplane upgrade start date. This email notification provides the dataplane upgrade start date for phase #1.
- In the email, you are asked to select and submit the location or locations to upgrade first and the preferred time window for the upgrade via the Prisma Access App.You can change and submit the first locations to upgrade and time window multiple times for a given tenant. The last submission that occurred five days before the scheduled start date will be chosen by the service for the upgrade. You will not be able to make any changes within five days of the upgrade start date.If you make changes, it might take up to 30 minutes for the changes you made to be displayed in the Upgrade Dashboard on Insights. You will be notified via email alert when the Prisma Access has processed and completed the changes.Palo Alto Networks strongly suggests that you select locations that reflect your entire deployment. For example, if you have a mobile user, service connection, and remote network deployment, select a location or locations that have all deployment types.
- Prisma Access will perform phase #1 of the upgrade on the selected location or locations within the local time window selected for those locations.
- If the selected upgrade locations have any combination of Mobile Users—GlobalProtect, Service Connections, or Remote Networks, the dataplane for each deployment will be upgraded to the required dataplane version, as described later in this section.
- Once the upgrade is complete in the first location, you’ll receive an email notification via the Prisma Access app. Palo Alto Networks recommends that you monitor the service for any new issues that occur immediately after the dataplane upgrade.
- In an unlikely occurrence where you see a new issue, report the issue to Palo Alto Networks technical support.The technical support team will investigate the issue and take corrective actions that may also include rolling back to the previous dataplane version. This decision will be communicated to you via the technical support case.
- If there are no new issues or a new issue is not upgrade-related, Prisma Access will proceed with the dataplane upgrade on the following weekend.
- The upgrade of the remaining locations will take place during the same time window you selected for the first upgrade (in local time).
- After the dataplane upgrade completes, you will be notified via email alert.
The following figure shows the
timeline used for the upgrade and includes the tasks that you will
need to perform for the dataplane upgrade (shown in green), as well
as the steps that Prisma Access performs.
The
following section provides more details about the dataplane upgrade
process.
After you sign up for notifications,
Prisma Access informs you of the two weekend dates that will be used
for the upgrade process and sends these notifications 21 days, 3
days, and 24 hours before the first phase of the upgrade will occur.
The upgrade process occurs in two phases:
- Phase #1 upgrades the location or locations you chose on the first weekend using the time window you provided and notifies you via email when the upgrade is complete. If you did not choose the locations to upgrade first, or did not select a time window, Prisma Access makes the choices for you.Palo Alto Networks attempts to upgrade the locations during the four-hour window that you select via the Prisma Access app. However, completing the required upgrades during this window is best-effort and Palo Alto Networks cannot guarantee that the locations will be upgraded during that time. If the locations cannot be upgraded within the specified time window, you will receive an email notification. Palo Alto Networks recommends that you schedule a change request window starting at 8 p.m. local time on Friday and ending at 8 p.m. local time on Sunday for each of the two weekends when the dataplane upgrade occurs.Prisma Access makes the following changes to your deployment during Phase #1 of the upgrade. See Dataplane Upgrade Example for more details.
Deployment Type What is Upgraded Mobile User Deployments Prisma Access upgrades a single mobile user gateway, also known as the Mobile User Security Processing Node (MU-SPN), for the location or locations you specify. Remote Network Deployments Prisma Access upgrades the backup (HA) remote network, also known as the Remote Network Security Processing Node (RN-SPN), then makes the backup remote network the active node for the location or locations you specify. The backup remote network connection is not upgraded until the following weekend, when the active and backup nodes are upgraded for all locations.If there are multiple RN-SPNs in the selected location, all primary nodes are upgraded to the new dataplane version.Service Connections Prisma Access upgrades the backup (HA) service connection, also known as the Service Connection Corporate Access Node (SC-CAN), then makes the backup service connection the active node for the location or locations you specify. The backup service connection is not upgraded until the following weekend, when the active and backup nodes are upgraded for all locations.If there are multiple SC-CANs in the selected location, all nodes are upgraded to the new dataplane version.Between the first and second upgrades, monitor the first upgraded locations and perform connectivity, performance, routing, and logging testing to make sure that the locations upgraded successfully. If you encounter a service-impacting failure after the upgrade, open a Support Case with Palo Alto Networks Technical Support for assistance. Palo Alto Networks will attempt to resolve the issue by rolling back the dataplane to a previous dataplane version within 24 hours. - Seven days after Prisma Access upgrades the first location, Prisma Access upgrades the remainder of your locations (Phase #2 upgrade), using the same time window you selected for the first phase, and notifies you via email when the upgrade is complete.The upgrade window can be longer. For example, if Phase #2 occurs during a national holiday in the United States of America, the second phase of the upgrade happens 14 days after the first phase instead of seven. The notifications you receive in the Prisma Access app show you the specific timeline for the upcoming dataplane upgrade.
Dataplane Upgrade Example
The following example shows a sample dataplane
upgrade procedure for a Mobile Users deployment with five locations
(MU-SPNs) and three SC-CANs. The US West location has two MU-SPNs
as the result of an autoscale event (an extra MU-SPN was added after
a large number of mobile users logged in to that location).
In this
example, you selected a single location (US West) to upgrade first,
and requested a four-hour upgrade window of 8:00 a.m. to 12:00 noon
Saturday for the upgrade.
On the first upgrade weekend (Phase
#1), the dataplane upgrade for one of the MU-SPNs and the primary
node of the SC-CAN in the US West location takes place between 8:00
a.m. and 12:00 p.m. Pacific Time on Saturday.
To determine
the MU-SPN that was upgraded, contact your authorized Palo Alto
Networks representative or partner.
Seven
days after the first location is upgraded, Prisma Access upgrades
the remaining components (Phase #2), including all the MU-SPNs and
SC-CANs in the deployment, using the same four-hour time window
as was used for the first phase of the upgrade (8:00 a.m. to 12:00
p.m. on Saturday).
In this example, Prisma Access uses the
following time zone information when upgrading the dataplane:
- The remaining MU-SPN (MU-SPN 2) in the US West location is upgraded.
- The Japan Central MU-SPN and SC-CAN are upgraded using the local time in Japan.
- The UK MU-SPN and SC-CAN are upgraded using the local time in the UK.
- The US Southwest MU-SPN is upgraded using Pacific Time.
Use the Prisma Access App to Get Upgrade Alerts and Updates
To stay informed about the upgrade schedule
for your dataplane upgrade and to select your upgrade preferences,
you must use the Prisma Access app to subscribe to Prisma Access
notifications. Prisma Access uses email alerts to inform you of
the two weekend dates when your upgrade occurs; you select the location
or locations you want to upgrade first and the four-hour time window
to use for the upgrade.
After the upgrade starts, you can
also monitor the status of the upgrade using the Prisma Access app
as shown in the following steps.
- Sign up for alert notifications from the Prisma
Access app.
- Grant access for the people
whom you want to receive alert notifications.To receive alerts, you must be a Prisma Access admin. There are three types of admin roles, but only account administrators can grant users access to an app. Go to the hub to check role assignments and assign roles.
- Log in to Prisma Access from the hub.
- Select InsightsAlertsAlert Subscription.
- + Add Users and enter the User
Email Address(es), separated by commas, to which Prisma
Access should send alert notifications.The email addresses to which Prisma Access sends alerts must be the same email addresses associated with users in your Palo Alto Networks support account.
- (Multitenant Deployments Only) In a multitenant deployment, Select Sub-Tenants for which you want users to receive notifications or All Sub-Tenants if you want them to receive notifications from all sub-tenants.
- Add the users.
- Grant access for the people
whom you want to receive alert notifications.
- Check your notifications to be made aware of upcoming
dataplane upgrades; then, select your upgrade preferences using
one of the following methods.Prisma Access sends an upgrade notification 21 days before your dataplane upgrade is scheduled.
- Select InsightsNetwork ObjectsPrisma Access UpgradeUpgrade Preferences.
- Log in to the Prisma Access app, view the banner at the top of the page for your scheduled upgrade, and select Click here.
- Check your email for notifications for your scheduled upgrade and click the hyperlink in the email.
- Select InsightsNetwork ObjectsPrisma Access UpgradeUpgrade Preferences.
The Prisma Access Upgrade Dashboard displays. - (Optional) Read the Upgrade Process to learn more about how the upgrade process works.
- Select your Upgrade Preferences.If you have a multitenant deployment, all tenants display in this area. If you have already selected your upgrade preferences for your deployment, these selections display here.
- Select the tenants for which to set upgrade preferences, then select Edit Preferences.
- Select the Preferred Prisma Access Locations that
you want to upgrade first. Palo Alto Networks strongly suggests that you select locations that reflect your entire deployment. For example, if you have a mobile user, service connection, and remote network deployment, select a location or locations that have all deployment types.Select from the choices in the drop-down list.
- Prisma Access only displays the locations where you have deployed mobile users, remote networks, service connections, or any combination thereof.
- The groups in the drop-down list belong to the same compute location.
Prisma Access will inform you via email alerts when the locations were upgraded.After the first set of Prisma Access locations is upgraded successfully, the Prisma Access team monitors these locations for seven days, and then upgrades all remaining Prisma Access locations. Selecting a single location or a small number of locations gives you a chance to monitor these locations before the remainder of your locations are upgraded one week later.If no locations display in the drop-down list, you either selected multiple tenants that have no common locations deployed or you have not yet onboarded any locations for the tenants you selected. - Select the Preferred time for the upgrade
window from the list of available options.Choose from the following upgrade time windows. The time windows are local to the location or locations being upgraded and are all four hour windows:
- Friday 8:00 p.m. (noon) to 12:00 a.m. (midnight)
- Saturday 12:00 a.m. (midnight) to 4:00 a.m.
- Saturday 4:00 a.m. to 8:00 a.m.
- Saturday 8:00 a.m. to 12:00 p.m. (noon)
- Saturday 12:00 p.m. (noon) to 4:00 p.m.
- Saturday 4:00 p.m. (noon) to 8:00 p.m.
Palo Alto Networks uses your preference to begin the rollout at the Prisma Access location or locations you selected.The last submission that occurred five days before the scheduled start date will be chosen by the service for the upgrade. If you make changes, it might take up to 30 minutes for the changes you made to be displayed in the Upgrade Dashboard on Insights. You will be notified via email alert when the Prisma Access has processed and completed the changes.If you do not provide your upgrade preferences five days before the scheduled upgrade window, Palo Alto Networks will automatically select the first set of your deployed Prisma Access locations, notify you of the selection, and upgrade the selected locations on the scheduled date. The remaining Prisma Access locations, if any, in your deployment will be upgraded seven days after the selected time window. - Select the Software Version that you want to upgrade to, if more than one version is available.
- Submit your changes.
- After your rollout begins, select InsightsNetwork ObjectsPrisma Access UpgradeUpgrade Status by Tenants and
view the Upgrade Status by Location. This
page displays the following information for each location that is
being upgraded:
- The name of the tenant that is being upgraded.
- The start and finish date of the upgrade process.
- The dataplane version that the tenant is being upgraded to.
- The preferred time window for the upgrade.
- The initial locations that are being upgraded.
- The date that the remaining locations will be upgraded.
In addition, a table displays the locations being upgraded, the start date and time window of the upgrade, and the time zone used for the upgrade. The Upgrade Status column provides you with the following information:Upgrade Status Description Scheduled The dataplane upgrade has been scheduled. Started The upgrade has started. In Progress The dataplane upgrade is in progress. Re-trying The dataplane upgrade did not complete successfully, but Prisma Access continues to be operational using the older dataplane version. Prisma Access will retry the upgrade before the maintenance window for the weekend expires. Success The upgrade completed successfully. - After the first set of locations has completed the dataplane upgrade, monitor the upgraded locations and perform connectivity, performance, routing, and logging testing to make sure that they upgraded successfully.
- When the second set of locations is scheduled to be upgraded,
monitor those locations and check their status by selecting InsightsNetwork ObjectsPrisma Access UpgradeUpgrade Status
by Tenants.Prisma Access sends you an email notification after the dataplane upgrade is complete.