If you are currently running a Prisma Access Preferred release, your dataplane will change from 9.1.7 to 10.0.7. Before Palo Alto Networks upgrades your deployment, you should check the Changes to Default Behavior and Upgrade/Downgrade Considerations for PAN-OS 10.0.

In addition, check that your IKE cryptographic cipher suites are compliant with the 10.0 dataplane and be sure to set Authentication to None if you use an AES-GCM algorithm for encryption in an IKE crypto profile.

If you created custom URL categories and use them in a traffic steering rule, do not enter a trailing slash (/) to URLs (for example, example.com/). If you have any trailing slashes in URLs and use them in traffic steering rules, you should remove them before you upgrade the plugin to 2.2 Preferred, or you will receive an error when you Commit and Push your changes.

Prisma Access has made changes to the supported cipher suites for the SSL/TLS tunnels that are used for communication between mobile users and the GlobalProtect portal and gateways. The following TLS version and cipher suites are supported:

TLS Version: TLS 1.2

Cipher Suites:

Most Prisma Access deployments will be unaffected by this change; however, if you have issues, you can check the following cipher suite settings.

Palo Alto Networks will be changing the public egress IP addresses for mobile user gateways and portals with the 2.2 upgrade. Palo Alto Networks will be replacing a limited set of older public IP addresses with new Palo Alto Networks-owned public IP addresses to make the allow listing of the public IP addresses simpler and easier.

The change affects your deployment if you have a mobile user deployment with existing security processing nodes (MU-SPNs), including gateways and portals that use an IP address from the ranges mentioned below:

The gateway and portal IP addresses from the IP ranges mentioned above will change to IP addresses from the following subnets:

The majority of these new IP addresses will come from the 134.238.0.0/16 subnet; however, a small number might be coming from one or more of the other subnets. If you use allow lists to provide access to internet resources such as SaaS applications or publicly accessible partner applications, you should add the new IP addresses to your allow lists.

This only affects mobile users deployments that use public IP addresses in the 34.96.0.0/13, 34.104.0.0/16, 34.124.0.0/16, and 35.203.0.0/16 ranges mentioned above. Public IP addresses for Remote Networks, Service Connections, Explicit Proxy, and Clean Pipe deployments do not change.

If you are affected by this change and need to update your allow lists, Palo Alto Networks recommends that you perform one of the following actions:

Because the IP address changes occur during the dataplane upgrade, Palo Alto Networks recommends that you do not delete any existing IP addresses from allow lists until after the upgrade is complete and you have downloaded and installed the Cloud Services plugin 2.2. After the dataplane upgrade is complete, please retrieve the list of all allocated IP addresses and verify that none of the active IP addresses are from the IP subnet ranges 34.96.0.0/13, 34.104.0.0/16, 34.124.0.0/16, and 35.203.0.0/16 mentioned previously. If you do see the active IP addresses from the old IP range, please contact Palo Alto Networks support and report the issue.

If you are currently running a Prisma Access Preferred release, your DLP version will change from using Enterprise DLP on Prisma Access to the Enterprise DLP plugin that runs on Panorama. To upgrade, see Upgrade to the Enterprise DLP Plugin—Existing Enterprise DLP on Prisma Access Deployments in the Enterprise DLP Administrator’s Guide.