Prisma Access
New Features in Prisma Access 4.1
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
New Features in Prisma Access 4.1
Where Can I Use This? | What Do I Need? |
---|---|
|
|
Prisma Access Application Name Update
November 18, 2023
The application tile name on the hub for Prisma Access is now
changed to Strata Cloud Manager.
|
The application tile names on the hub for Prisma Access, Prisma SD-WAN, and
AIOps for NGFW (the premium app only) are now changed to Strata Cloud
Manager. With this update, the application URL has also changed to stratacloudmanager.paloaltonetworks.com, and
you’ll also now see the Strata Cloud Manager logo on the left navigation
pane.
Moving forward, continue using the Strata Cloud Manager app to manage and
monitor your deployments.
Prisma Access on the New Strata Cloud Manager Platform
Prisma Access is now supported on the new Strata Cloud Manager platform. We'll be
updating Prisma Access so that it is on the Strata Cloud Manager platform, alongside
your other Palo Alto Networks products and subscriptions that are supported for
unified management. If you've been using the Prisma Access app for Prisma Access
Cloud Management or for Prisma Access monitoring and visibility features (including
Autonomous DEM, Insights, and Activity dashboards and reports), the update to Strata
Cloud Manager introduces a new management and visibility experience.
Learn more:
- What to expect when Prisma Access is updated to give you the new management experience
- Where are my Prisma Access features in Strata Cloud Manager?
- Prisma Access visibility and monitoringwith Strata Cloud Manager
Introducing Strata Cloud Manager: The AI-Powered Network Security Platform
Palo Alto Networks Strata Cloud Manager is the new AI-Powered network security
management and operations platform. With Strata Cloud Manager, you can easily manage
and monitor your Palo Alto Networks network security infrastructure ━ your NGFWs and
SASE environment ━ from a single, streamlined user interface. This new cloud
management experience gives you:
- Shared policy for SASE and your NGFWs, and a unified view into security effectiveness.
- AI-Powered ADEM for Prisma SASE; this new Prisma Access add-on license automates complex IT operations, to increase productivity and reduce time to resolution for issues.
- Best practice recommendations and workflows to strengthen security posture and eliminate risk.
- A common alerting framework that identifies network disruptions, so you can maintain optimal health and performance.
- Enhanced user experience, with contextual and interactive use-case driven dashboards and license-aware data enrichment.
Learn more about Strata Cloud Manager
High-Bandwidth Private App Access with Colo-Connect
Supported in:
|
Does your organization require high-bandwidth (more than 10 Gbps) access between its
network infrastructure and Prisma Access at multiple locations as part of your
hybrid multicloud strategy? Perhaps you’ve thought about aggregating multiple
service connections to achieve high bandwidth, but you’re concerned about
scalability. If so, Colo-Connect has you covered.
Today, large enterprises are building Colo-based performance hubs to reach private
applications in hybrid, multicloud architectures because of the high-bandwidth and
low-latency requirements. Typically, these hubs include interconnects to one or more
cloud providers and connections to the on-premises data centers over a private or
leased WAN. Performance hubs can route traffic between the public cloud and
on-premises infrastructure at high speed, and are resilient because of the
underlying interconnect infrastructure.
Colo-Connect builds on the Colo-based performance hub concept, offering
high-bandwidth (10-20 Gbps) low-latency connections, seamless Layer 2/3 connectivity
to Prisma Access from existing performance hubs. The following figure shows Prisma
Access being onboarded in a GCP instance using service connections and cloud
interconnects. This setup limits exposure to the internet and allows the use of
private connections for private application connectivity.
Colo-Connect allows you to use Prisma Access to secure private apps using a cloud
interconnect that can provide high-bandwidth service connections using the following
capabilities:
- High bandwidth (up to 20-Gbps) throughput per region for private application access
- Support for Dedicated and Partner interconnects using Google Cloud Platform (GCP)
- Support for multiple VLAN attachments (up to 20) per interconnect link
- Redundant connectivity support per region
Third-Party Device-ID
Supported in:
|
You can use the Cloud Identity Engine along with Prisma Access to apply information
from third-party IoT detection sources to simplify the task of identifying and
closing security gaps for devices in your network. After you set up Third-Party
Device-ID in the Cloud Identity Engine using an API, you can set up a device object
and a security policy rule in Prisma Access to obtain and use information from
third-party IoT visibility solutions through the Cloud Identity Engine for device
visibility and control.
In the following figure, the Third-Party Device-ID service receives the device
information from the third-party IoT solutions, which it then transmits as IP
address-to-device mappings to the Cloud Identity Engine and the Prisma Access
Security Processing Nodes (SPNs).
Traffic Replication and PCAP Support
Supported in:
|
Prisma Access secures your traffic in real time based on traffic inspection, threat
analysis, and security policies. While you can view Prisma Access logs to view
security events, your organization might have a requirement to save packet capture (PCAP) files for forensic and
analytical purposes, for example:
- You need to examine your traffic using industry-specific or privately-developed monitoring and threat tools in your organization and those tools require PCAPs for additional content inspection, threat monitoring, and troubleshooting.
- After an intrusion attempt or the detection of a new zero-day threat, you need to preserve and collect PCAPs for forensic analysis both before and after the attempt. After you analyze the PCAPs and determine the root cause of the intrusion event, you could then create a new policy or implement a new security posture.
- Your organization needs to download and archive PCAPs for a specific period of time and retrieve as needed for legal or compliance requirements.
- Your organization requires PCAPs for network-level troubleshooting (for example, your networking team requires data at a packet level to debug application performance or other network issues).
To accomplish these objectives, you can enable traffic replication which uses the
Prisma Access cloud to replicate traffic and encrypt PCAP files using your
organization's encryption certificates. To store the PCAP files, you create a GCP service account, which Prisma Access uses as the
storage location of the PCAP files.
Service Provider Backbone Integration
Supported in:
|
Integrate Prisma Access with a service provider (SP) backbone, which
allows you (the SP) to assign specific region and egress internet capabilities to
your tenants, providing more granular control over the Prisma Access egress traffic.
Without the SP Backbone feature, Prisma Access egress traffic uses public cloud
providers for network backbone instead.
The following diagram represents Prisma Access egress traffic without SP Backbone
integration.
The following diagram represents Prisma Access egress traffic with SP Backbone
integration.
Transparent SafeSearch Support
Supported in:
|
Prisma Access allows you to resolve search engine queries from mobile users and users
at remote networks to the engine's SafeSearch portal by performing an FQDN-to-IP
mapping. This functionality can be useful if you have guest internet services at
your organization and you want your guests to safely use search engines, preventing
them from searching for potentially inappropriate or offensive material that could
be against company policy.
Private IP Visibility and Enforcement for Explicit Proxy Traffic Originating from Remote Networks
Supported in:
|
You can now leverage the private IP addresses of the systems in your branch locations
that are forwarding traffic to Explicit Proxy using Proxy mode. You can use the private
IP address to skip authentication of headless systems that can't authenticate, set
up security policies, and get visibility of the traffic on Prisma Access Explicit
Proxy.
You can enable this functionality when you secure users and devices at a branch with
a site-to-site IPSec tunnel using Remote
Network and Explicit Proxy Secure Processing Nodes (SPNs).
New and Remapped Prisma Access Locations and Compute Locations
Supported in:
|
The following location and compute location changes are
made:
- New Compute Locations—The following new compute locations are added, and
the following locations are moved to these compute locations:
- Europe North (Stockholm)—The new Sweden location is added to this compute location.
- Middle-East Central (UAE)—The United Arab Emirates location is moved to this location.
- Middle-East Central (Qatar)—The new Qatar location is added to this compute location.
- New Prisma Access Locations—The following new Prisma Access locations are
added:
- Sweden
- Kazakhstan
- Qatar
- Senegal
- Remapped Prisma Access Locations—To better optimize performance of Prisma
Access, the following locations have been remapped to the following compute
locations:
- Ecuador—Remapped from the US Central compute location to the US Southeast compute location
- Jordan—Remapped from the Europe Central compute location to the Europe South compute location
New deployments have the new remapping applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location.