Prisma Access
New Features in Prisma Access 5.1 and 5.1.1
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
New Features in Prisma Access 5.1 and 5.1.1
Where Can I Use This? | What Do I Need? |
---|---|
|
|
This section provides you with a list of new features in Prisma Access 5.1
Preferred and Innovation, along with the recommended and required software versions you
need to use.
- Recommended Software Versions for Prisma Access 5.1 and 5.1.1
- Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.1 and 5.1.1 Features
- Prisma Access 5.1 Features
- 5.1.1 Features
Recommended Software Versions for Prisma Access 5.1 and 5.1.1
There are two Prisma Access 5.1 versions:
- 5.1 Preferred runs a PAN-OS 10.2.4, 10.2.9, or 10.2.10 dataplane, depending on the features you implement. If your deployment is running a lower dataplane version, a dataplane upgrade is required to implement 5.1 Preferred features.
- 5.1 Innovation runs a PAN-OS dataplane of 11.2.
For new Prisma Access 5.1 Innovation features, Prisma Access
recommends that you upgrade your Prisma Access to the following
versions before installing the plugin.
Prisma Access Version | Cloud Services Plugin Version | Required Dataplane Version for 5.1 | Recommended GlobalProtect Version | Recommended Panorama Version |
---|---|---|---|---|
5.1 | 5.1 | PAN-OS 10.2.4 (required for 5.1 Preferred) PAN-OS 11.2
(required for 5.1 Innovation) |
6.0.7+
6.1.3+
6.2.1+
|
10.1.8+
10.2.4+
11.0.1+
11.1.0
11.2.0
|
Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.1 and 5.1.1 Features
Prisma Access 5.1 features require one of more of the following components
to function:
- Infrastructure Upgrade—The infrastructure, also known as the Prisma Access
Control Plane, includes the underlying service backend,
orchestration, and monitoring infrastructure. Prisma Access
upgrades the infrastructure before the general availability (GA) date of a
Prisma Access release. Features that require only an infrastructure upgrade to be unlocked take effect for all Prisma Access deployments, regardless of version, at the time of the infrastructure upgrade.
- Plugin Upgrade (Prisma Access Panorama Managed Deployments Only)—Installing the plugin activates the features that are available with that release. You download and install the plugin on the Panorama that manages Prisma Access.
- Dataplane Upgrade—The dataplane enables traffic inspection and
security policy enforcement on your network and user traffic. For Panorama Managed Prisma Access deployments, you can view your dataplane version by going to PanoramaCloud ServicesConfigurationService Setup and viewing the Prisma Access Version. Prisma Access 5.1 Innovation runs PAN-OS 11.2.
This dataplane upgrade to 5.1 Innovation is optional, and is
only required if you want to take advantage of the features that require a dataplane
upgrade.
These features are activated with the infrastructure upgrade for Prisma Access:
- PAN-OS 11.2 Support for Panoramas that Manage Prisma Access 11.2
- Calgary and South Africa Compute Locations
- Explicit Proxy Support for South Africa Central Location
These features require an infrastructure and plugin upgrade but don't require
a dataplane upgrade:
Prisma Access 5.1 Features:
- Advanced Threat Prevention: Support for Zero-day Exploit Prevention
Prisma Access 5.1.1 Features: None
The following 5.1 features require an infrastructure and plugin upgrade and
require a minimum dataplane version of PAN-OS 10.2.4 unless otherwise noted, making
them Prisma Access 5.1 Preferred features:
Prisma Access 5.1 Features:
- Explicit Proxy SAML Authentication Improvements (requires a minimum dataplane upgrade to PAN-OS 10.2.10)
- Fast-Session Delete
- GlobalProtect Proxy Enhancements
- Prisma Access Internal Gateway
Prisma Access 5.1.1 Features:
- ZTNA Connector Application Discovery, User-ID Across NAT, and IP Connector Block Deletion Support (User-ID Across NAT requires a minimum dataplane of 11.2 (5.1.1 Innovation)
The following 5.1 features require an infrastructure, plugin, and dataplane
upgrade to Prisma Access 11.2, making them Prisma Access 5.1 Innovation features:
Prisma Access 5.1 Features:
- Advanced DNS Security
- Business Continuity During Mergers and Acquisitions
- Dynamic DNS Registration Support for Mobile Users—GlobalProtect
- FQDNs for Remote Network and Service Connection IPSec Tunnels
- GlobalProtect Portal and Gateway Support for TLSv1.3
- IPSec Serviceability
- PAN-OS 11.0, 11.1, and 11.2 Dataplane Support
- Static IP Address Allocation for Mobile Users
- User-ID Across NAT
Prisma Access 5.1.1 Features:
- Native IPv6 Compatibility
- View and Monitor Native IPv6 Compatibility
Prisma Access 5.1 Features
This section describes the new features that will be generally available with
Prisma Access 5.1.1.
Advanced DNS Security
Supported in:
Prisma Access (Managed by Panorama) deployments in Prisma Access
5.1 Innovation
|
The Advanced DNS Security service is a new
subscription offering by Palo Alto Networks that operates new domain detectors in
the Advanced DNS Security cloud that inspect changes in DNS responses to detect
various types of DNS hijacking in real-time. With access to Advanced DNS Security,
you can detect and block DNS responses from hijacked domains and misconfigured
domains. Hijacked and misconfigured domains can be introduced into your network by
either directly manipulating DNS responses or by exploiting the DNS infrastructure
configuration settings in order to redirect users to a malicious domain from which
they initiate additional attacks. The primary difference between these two
techniques is where the exploit occurs. In the case of DNS hijacking, the attackers
gain the ability to resolve DNS queries to attacker-operated domains by compromising
some aspect of an organization's DNS infrastructure, be it through unauthorized
administrative access to a DNS provider or the DNS server itself, or an MiTM attack
during the DNS resolution process. Misconfigured domains present a similar problem -
the attacker seeks to incorporate their own malicious domain into an organization’s
DNS by taking advantage of domain configuration issues, such as outdated DNS
records, which can enable attackers to take ownership of the customer’s subdomain.
Advanced DNS Security can detect and categorize hijacked and misconfigured domains in
real-time by operating cloud based detection engines, which provide DNS health
support by analyzing DNS responses using ML-based analytics to detect malicious
activity. Because these detectors are located in the cloud, you can access a wide
array of detection mechanisms that are updated and deployed automatically without
requiring the user to download update packages when changes to detectors are made.
Upon initial release, Advanced DNS Security supports two analysis engines: DNS
Misconfiguration Domains and Hijacking Domains. Additionally, DNS responses for all
DNS queries are sent to the Advanced DNS Security cloud for enhanced response
analysis to more accurately categorize and return a result in a real-time exchange.
Analysis models are delivered through content updates, however, enhancements to
existing models are performed as a cloud-side update, requiring no updates by the
user. Advanced DNS Security is enabled and
configured through the Anti-Spyware (or DNS Security) profile and require
active Advanced DNS Security and Advanced Threat Prevention (or Threat Prevention)
licenses.
Advanced Threat Prevention: Support for Zero-day Exploit Prevention
Supported in:
Prisma Access (Managed by Panorama) deployments in Prisma Access
5.1 Preferred and Innovation
|
Palo Alto Networks now operates new inline deep learning detection engines in the
Advanced Threat Prevention cloud to analyze traffic for command injection and SQL
injection vulnerabilities in real-time to protect users against zero-day threats.
This also includes signature-based prevention for thousands of known vulnerabilities
and industry-leading response times for critical and high CVEs for top vendors.
By operating cloud-based detection engines, you can access a wide array of detection
mechanisms that are updated and deployed automatically without requiring the user to
download update packages or operate process intensive, firewall-based analyzers
which can sap resources. Inline cloud analysis operates under your Vulnerability
Protection profile and supports two analysis engines upon initial release: SQL
injection and Command injection. Additional analysis models are delivered through
content updates, however, enhancements to existing models are performed as a
cloud-side update, requiring no local update process. Inline cloud analysis is enabled and configured
using the Vulnerability Protection profile and requires an active Advanced
Threat Prevention license.
App Acceleration Support for Additional Apps
Supported in:
Prisma Access (Managed by Panorama)
and
Prisma Access (Managed by Strata Cloud Manager) deployments in Prisma Access 5.1 Preferred and Innovation
Requires a minimum PAN-OS dataplane of 10.2.10.
|
Enterprises today employ workers everywhere, connecting to apps that are anywhere.
Hybrid workforces rely on high-performing app experiences, but slowdowns caused by
cloud latency and adverse network conditions drain productivity and frustrate
workers. The major causes of poor performance can consist of:
- Cloud latency experienced when apps are processing dynamic content
- Wireless connectivity issues
Both of these issues exist outside the control of the enterprise. Apps use Content
Delivery Network (CDN) caching, but modern apps are powered by dynamic content that
can't be cached. And consumer-grade Wi-Fi and wireless connectivity have no
performance service-level agreements (SLAs) because wireless conditions like
interference and signal strength are continuously changing.
App Acceleration for Prisma SASE directly addresses the causes of poor performance by
accelerating dynamic content in top SaaS apps, and has added support for these apps:
- AWS S3
- Azure Storage
- Box
- Google Drive
- Microsoft OneDrive
- Salesforce
- SAP Ariba
- ServiceNow
- Slack (file downloads)
- Zoom (file downloads from chat, recording downloads)
These enhancements provide you with the following benefits:
- Up to five times the improvement over direct-to-internet app performance (measured in app response time and throughput metrics)
- Enriches AI-powered ADEM with Real User Metrics (RUM) to enhance observability into performance issues
- No code changes required
Business Continuity During Mergers and Acquisitions
Supported in:
Prisma Access 5.1 Preferred and Innovation
To implement this feature, reach out to your Palo Alto
Networks account team, who will open an SRE case to
accommodate the request. Palo Alto Networks recommends that
you schedule this change during a maintenance window or
during off-peak hours. Palo Alto Networks upgrades all
gateways in your deployment that require the name change
during the maintenance window.
|
If your organization has merger and acquisition (M&A) activity, you might have a
need for existing gateways to either not reference an earlier brand name or
reference a new brand name. With this functionality, Prisma Access ensures business
continuity by updating the gateway name to the new brand name and displaying the new
name in the UI, in logs, and anywhere else the gateway name is referenced.
Canada West (Calgary) and South Africa Central Compute Locations
Supported in:
Prisma Access 5.1 Preferred and Innovation
|
Prisma Access adds two new compute locations: Canada West (Calgary) and South Africa
Central. The following locations are remapped to the new compute location:
- The South Africa Central location is remapped to the South Africa Central compute location.
- The Canada West location is remapped to the Canada West (Calgary) compute location.
New deployments have the new remapping applied automatically. If you have an existing
Prisma Access deployment that uses one of these locations and you want to take
advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma
Access location.
Dynamic DNS Registration Support for Mobile Users—GlobalProtect
Supported in:
Prisma Access 5.1 Innovation
|
When a mobile user connects remotely to Prisma Access using GlobalProtect, the DNS
and IP Address Management (IPAM) servers in your enterprise are not updated with the
GlobalProtect gateway-assigned client IP address and endpoint FQDN. This results in
your IT administrator and your apps not being able to identify and update remote
endpoints with FQDN. With Dynamic DNS registration, Prisma Access integrates with
IPAM vendors to dynamically create A and PTR records in the DNS servers with IPAM
updates.
Dynamic Privilege Access
Supported in:
Prisma Access (Managed by Strata Cloud Manager) 5.1 Innovation
|
For Enterprise IT and IT Enabled Services (ITES) companies that need to control which
users have access to their customer projects, Dynamic Privilege Access provides a
seamless, secure, and compartmentalized way for your users to access only those
projects that they are assigned to. Employees are typically assigned to several
customer projects and are provided with siloed access to these projects so that an
authorized user can access only one customer project at a time.
A new predefined role called the Project Admin is available to
allow project administrators to create and manage project definitions. Project
administrators have the ability to map projects to select Prisma Access location
groups, and create IP address assignments using DHCP based on the project and
location group.
Explicit Proxy SAML Authentication Improvements
Supported in:
Prisma Access 5.1 Preferred and Innovation
Requires a minimum PAN-OS dataplane version of 10.2.10.
|
For simpler SAML authentication configuration,
Explicit Proxy no longer requires that you create a policy rule to allow
pre-authentication user traffic.
Explicit Proxy Forwarding Profiles with Multiple PAC File Support
Supported in:
Prisma Access (Managed by Strata Cloud Manager) 5.1 Preferred and Innovation
|
You can now more easily manage the traffic flowing through or bypassing
Explicit Proxy by using Forwarding Profiles instead of only a single PAC
file. Forwarding Profiles enable you to define forwarding rules and
objects from a simple, easy to use interface rather than dealing with the complexity
of a PAC file.
If you already employ a PAC file, you can seamlessly transition to
Forwarding Profiles by importing the PAC file into a profile. Furthermore, if you
have had to manage multiple PAC files for different kinds of traffic, you can now
import these PAC files into profiles to use them simultaneously.
In addition to using Forwarding Profiles with a standard proxy, you can also use them
to simplify how you define the flow of traffic through GlobalProtect in Proxy or
Tunnel and Proxy mode.
Explicit Proxy Support for South Africa Central Location
Supported in:
Prisma Access 5.1 Preferred and Innovation
|
South Africa Central is added as a supported location for Prisma Access Explicit
Proxy.
Fast-Session Delete
Supported in:
Prisma Access (Managed by Panorama) deployments in Prisma Access
5.1 Preferred and Innovation and SCM R3 2024
|
If your deployment has a requirement to delete sessions quickly, you can enable fast session delete, which allows Prisma
Access to reuse TCP port numbers before the TCP TIME_WAIT period expires, and can be
useful for SSL decrypted sessions that may be short-lived. You can enable this
functionality for Remote Networks, Service Connections, and Mobile Users
—GlobalProtect; for Mobile Users—Explicit Proxy deployments, this functionality is
enabled by default and cannot be changed.
FQDNs for Remote Network and Service Connection IPSec Tunnels
Supported in:
Prisma Access (Managed by Panorama) deployments in Prisma Access
5.1 Preferred and Innovation and SCM R3 2024
|
When you onboard a Service Connection or Remote Network connection, a public IP
address is assigned for the other side of the IPSec tunnel (the Service IP Address). You use these public
IP addresses for your CPE in you branch site or headquarters or data center
location. Keeping records of all the IP addresses you need to configure on your CPE
can be time consuming.
Instead of IP addresses, Prisma Access provides you FQDNs to use for the other end of
the IPSec tunnel for Service Connections and Remote Network Connections, thus
facilitating CPE setup at your branch sites or headquarters or data center
locations.
GlobalProtect Portal and Gateway Support for TLSv1.3
Supported in:
Prisma Access 5.1 Innovation
|
You can now configure SSL/TLS service profiles using
TLSv1.3 on the firewall that is hosting the GlobalProtect portal or
gateway to establish TLS connectivity between GlobalProtect components. TLSv1.3 is
the latest version of the TLS protocol, which provides increased network security by
removing the weak ciphers supported in the earlier versions of TLS and adding more
secure cipher suites. In addition, the GlobalProtect gateway and portal now support
the following TLSv1.3 cipher suites:
- TLS-AES-128-GCM-SHA256
- TLS-AES-256-GCM-SHA384
- TLS-CHACHA20-POLY1305-SHA256
You can configure SSL/TLS service profiles with TLSv1.3 to provide enhanced security
and a faster TLS handshake while establishing connection between GlobalProtect
components. To provide the strongest security, you must set both the minimum and
maximum supported version as TLSv1.3 in the SSL/TLS service profile.
GlobalProtect Proxy: Simplified Configuration
Supported in:
Prisma Access (Managed by Panorama)
and
Prisma Access (Managed by Strata Cloud Manager) deployments in Prisma Access 5.1 Preferred and Innovation
Requires a minimum PAN-OS dataplane of 10.2.9.
|
GlobalProtect in proxy-only mode now no
longer requires that you deploy a mobile user gateway, which simplifies
initial configuration.
GlobalProtect Proxy: TCP and Multi-Channel Support
Supported in:
Prisma Access (Managed by Strata Cloud Manager) deployments in Prisma Access
5.1 Preferred and Innovation
Requires a minimum GlobalProtect version of 6.3 and a minimum
PAN-OS dataplane of 10.2.9.
|
GlobalProtect Proxy now
- supports all IPv4 TCP connections, including non-proxy-aware traffic, to better support the needs of your network beyond only proxy-aware traffic
- supports multiple Explicit Proxy channels to different regions, enabling you to support apps and destinations that have region-specific requirements.
IPSec Serviceability
Supported in:
Prisma Access 5.1 Innovation
|
Prisma Access uses IPSec to securely connect branch offices and data centers to the
service. If there is an issue with bringing up the IPSec tunnel, it can be
challenging to read logs related to IKE and IPSec events in an attempt to
troubleshoot the issue.
A new UI provides clear diagnostic IPSec tunnel information, including the reason for
the tunnel failure, the configured and exchanged IPSec and IKE parameters, and
recommended settings for IKE and IPSec crypto values for service connections and
remote network connections. With the UI, you have a full picture of your IPSec
tunnels. You can also trigger an IKE renegotiation for a given service connections
or remote network connections.
This tunnel information reflects real-time monitoring status, along with an
explanation of why any tunnels have gone down.
PAN-OS 11.0, 11.1, and 11.2 Dataplane Support
Supported in:
Prisma Access 5.1 Innovation
|
The following PAN-OS features are not supported:
PAN-OS 11.2 Support for Panoramas that Manage Prisma Access
Supported in:
Prisma Access 5.1 Preferred and Innovation
|
If you have a Panorama Managed Prisma Access deployment, you can use a Panorama
running 11.2 to manage Prisma Access.
Prisma Access Internal Gateway
Supported in:
Prisma Access 5.1 Preferred and Innovation
|
Prisma Access introduces a native internal gateway solution within
the Prisma Access architecture, reducing the need to implement GlobalProtect in
conjunction with an on-premises internal gateway to learn User-ID for users on an
internal network. Prisma Access deployments can enable a native internal gateway
natively within the Prisma Access architecture.
Use the native internal gateway to enforce user-based security policies for remote
network traffic without the need to deploy an on-premises internal gateway.
Service Connection Support for Explicit Proxy
Supported in:
Prisma Access (Managed by Strata Cloud Manager) deployments in Prisma Access
5.1 Preferred and Innovation
Requires GlobalProtect in Proxy Mode to access private and
partner apps in a data center and a minimum PAN-OS dataplane
of 10.2.10.
|
Prisma Access Explicit Proxy now supports service connections to enable you to
access resources in your data center. With
this change, you will still be able to benefit from a proxy connection while
accessing external dynamic lists, partner apps, or private apps hosted in your data
center.
Static IP Address Allocation for Mobile Users
Supported in:
Prisma Access (Managed by Strata Cloud Manager) deployments in Prisma Access
5.1 Innovation
Requires a minimum GlobalProtect version of 6.1.4
|
The Static IP Allocation feature allows you to assign a fixed IP address to Prisma Access Mobile
Users. This is useful if your network deployments restrict user access to resources
using IP addresses as part of their network and application design. With this
functionality, you can define IP pool based on the theatre and user.
Assigning static IP addresses to users provide you with the following
benefits:
- Static IP Address Allocation—Prisma Access assigns the IP address in the configured IP address pool to users every time they connect to Prisma Access.
- IP Address Management—Prisma Access can assign IP addresses based on the User-ID and the theater which simplifies the subnet management and allocation.
- Granular IP Address-Based Policy Rules—You can use the static IP addresses to create persistent User-ID mapping and use IP address based controls in your network and application resources..
User-ID Across NAT
Supported in:
Prisma Access 5.1 Innovation
|
Mobile users access private apps using a service connection. If your deployment uses
a Next-Generation Firewall (NGFW) in the data center or headquarters location where
the private apps are located, and if your service connection has source NAT enabled,
the NGFW can't retrieve the User-ID and Device-ID mapping. Source NAT on the service
connection prevents the mobile users' User-ID and Device-ID mapping to be
distributed to the NGFW. If the NGFW can't retrieve this mapping, it can't enforce
zone-based security policy rules you have created on it based on User-ID or
Device-ID mapping.
User-ID Across NAT lets your network distribute the User- or Device-ID mapping from
mobile users to the NGFW and then on to the headquarters or data center, thus
allowing the NGFW to enforce security policy rules based on the User-ID mapping it
has learned from the service connection. This configuration ensures a consistent
security posture across your mobile user deployment.
View and Monitor App Acceleration
Supported in:
Prisma Access 5.1 Preferred and Innovation
|
App Acceleration addresses the causes of poor app performance and acts in real-time
to boost throughput while maintaining best-in-class security, improving the user
experience for Prisma Access GlobalProtect and Remote Network users. You can view and monitor App Acceleration to see
details about accelerated applications in your environment. In Strata Cloud Manager,
select MonitorApplications to view details about all accelerated applications.
View and Monitor Dynamic Privilege Access
Supported in:
Prisma Access (Managed by Strata Cloud Manager) 5.1 Innovation
|
Dynamic Privilege Access enables Prisma Access to apply different network and
Security policy rules to mobile user flows based on the project your users are
working on. In the Strata Cloud Manager Command Center, you can view user-based access information in your
environment.
Gain visibility into your Prisma Access Agent deployment by using Strata Cloud
Manager to monitor your users' project activity. In the Strata Cloud Manager Command
Center, you can view project-based access information in your
environment.
View and Monitor Third-Party Device-IDs
Supported in:
Prisma Access 5.1 Preferred and Innovation
|
You can use the Cloud Identity Engine with Prisma Access to apply information from
third-party IoT detection sources to simplify the task of identifying and closing
security gaps for devices in your network. See Configure Third-Party Device-ID in Prisma
Access for details about setup and configuration.
Go to MonitorDevicesIOT
to get insights on your IoT devices, such
as the number of IoT devices connected within the last 30 minutes, all IoT devices
connected during the time range selected, and details about all connected IoT
devices.
Prisma Access 5.1.1 Features
This section describes the new features that will be generally available with
Prisma Access 5.1.1.
Native IPv6 Compatibility
Supported in:
Prisma Access (Managed by Panorama) deployments in Prisma Access 5.1.1
Preferred and Innovation and SCM R3 2024 (new Prisma Access deployments only)
|
Prisma Access is extending its support for IPv6 from private applications to encompass
comprehensive end-to-end IPv6 support for Mobile Users, Remote Networks, and Service
Connections. One advantageous aspect of native IPv6 support is its capacity to
enable Mobile Users utilizing IPv6-only endpoints to establish connections with
Prisma Access via IPv6 connections using GlobalProtect. Additionally, this support
facilitates accessing public SaaS applications over the internet, particularly where
those destinations necessitate IPv6 connections.
IPv6 boasts a significantly larger address space compared to IPv4, thereby
accommodating an almost limitless number of unique IP addresses. Through native IPv6
support, Prisma Access is engineered to be compatible with both IPv6 and dual-stack
connections, facilitating the migration process from IPv4 to IPv6. This
compatibility ensures backward compatibility and empowers organizations in their
transition to cloud-based and IPv6-enabled networks.
View and Monitor Native IPv6 Compatibility
Supported in:
Prisma Access (Managed by Panorama) deployments in Prisma Access 5.1.1
Preferred and Innovation and SCM R3 2024 (new Prisma Access deployments only)
|
If you use IPv6 networking in your Mobile Users—GlobalProtect deployment, you
can configure Prisma Access to use IPv6 addresses in your mobile user networking. To
view information about IPv6 in your GlobalProtect deployment, go to InsightsUsers in Strata Cloud Manager Command Center.
ZTNA Connector Application Discovery, User-ID Across NAT, and IP Connector Block Deletion Support
Supported in:
Prisma Access (Managed by Panorama) deployments in Prisma Access 5.1.1
Preferred and Innovation. User-ID Across NAT requires a minimum
dataplane of 11.2 (5.1.1 Innovation).
|
ZTNA Connector provides the following new functionalities with this
release:
- Application Discovery—Your enterprise network can have many applications hosted in its cloud or data center environment. In many cases, the network security teams are unaware of all the applications that are hosted in the network. As a result, when you deploy a ZTNA Connector and start to add application targets in connector groups, it can be difficult to determine which applications you need to add.Private application target discovery simplifies application hosting and discovery of applications that are hosted in AWS.The private application target discovery service:
- Finds the Prisma Access tenant you have deployed and allows you to onboard that tenant to start the app discovery process, or lets you remove an existing tenant to remove apps that are discovered.
- Retrieves application relevant information from one or more cloud providers accounts using Assumed Role and Work Load Identity (WLI).
- Allows you to view the application discovery results.
- Provides a way for other modules to query for the discovered applications.
- User-ID Across NAT—Mobile users access private apps using a ZTNA
Connector. If your deployment uses a Next-Generation Firewall (NGFW) in the data
center or headquarters location where the private apps are located, and ZTNA
Connector has source NAT enabled, the NGFW can't retrieve the User-ID and
Device-ID mapping. Source NAT on the service connection or ZTNA Connector
prevents the mobile users' User-ID and Device-ID mapping to be distributed to
the NGFW. If the NGFW can't retrieve this mapping, it can't enforce zone-based
Security policy rules you have created on it based on User-ID or Device-ID
mapping.User-ID Across NAT lets your network distribute the User- or Device-ID mapping from mobile users to the NGFW, thus allowing the NGFW to enforce Security policy rules based on the User-ID mapping it has learned from the service connection or ZTNA Connector. This configuration ensures a consistent security posture across your mobile user deployment.
- IP Connector Block Deletion—To allow you more flexibility after configuring Connector IP Blocks, you can now delete and update the Connector IP Blocks. You can delete the Connector IP Blocks only after you delete all the ZTNA objects such as connectors, applications, wildcards, and connector-groups on the tenant.