Recommended Software Versions for Prisma Access 5.2 Preferred and Innovation

• 5.2 Preferred runs a PAN-OS 10.2.10 dataplane. If your deployment is running a lower dataplane version, a dataplane upgrade to PAN-OS 10.2.10 might be required to implement 5.2 Preferred features. If you're an existing customer, see Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.2.1 Preferred and Innovation Features to see if a dataplane upgrade is required for a Prisma Access 5.2 feature.
• 5.2 Innovation runs a PAN-OS dataplane of 11.2.3. An upgrade to PAN-OS 11.2.3 is required to implement 5.2 Innovation features.

Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.2.1 Preferred and Innovation Features

• RFC6598 Mobile Users Address Pool for New Prisma Access (Managed by Strata Cloud Manager) Deployments
• Israel and Saudi Arabia Strata Logging Service Region Support
• Native IPv6 Support for Existing Prisma Access Deployments

• Explicit Proxy Support for Colo-Connect
• Explicit Proxy Third-Party Enterprise Browser Integration

• None

• Remote Network—High Performance Private App Access Support
• Static IP Address Enhancements for Mobile Users

Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.2 Preferred and Innovation Features

• Simplify Prisma Access SaaS Connectivity with IP Optimization for Mobile Users and Explicit Proxy Deployments
• TLS 1.3 and PubSub Support for Traffic Replication
• View and Monitor Colo-Connect

• 25,000 Remote Network and 50,000 IKE Gateway Support
• Private IP Address Visibility and Enforcement for Agent Based Proxy Traffic
• IP Address Optimization for Explicit Proxy Users- Proxy Deployments
• Simplified Prisma Access Private App Connectivity
• View Prisma Access, Dataplane, and Application and Threats Content Versions in Strata Cloud Manager

• Remote Networks—High Performance

• SC-NAT Support for Dynamic Privilege Access with CIAM
• ZTNA Connector Support for Commitless App Onboarding

Prisma Access 5.2.1 Features

Prisma Access 5.2 Features

This section describes the new features that are available with Prisma Access 5.2.

25,000 Remote Network and 50,000 IKE Gateway Support

Supported in: Prisma Access 5.2 Preferred and Innovation

To implement this feature, reach out to your Palo Alto Networks account team, who will open an SRE case to accommodate the request.

You can onboard a maximum of 25,000 remote networks and 50,000 IKE gateways per tenant in a Prisma Access deployment. To accommodate this enhancement, the following changes have been made to the Strata Cloud Manager web interface starting with Prisma Access 5.1:

• Introducing pagination so that you can choose how many rows to display in a given page.

• Filtering is enabled for remote networks.
  After you apply filtering, you can sort the resulting output by name.

• A new Group By field is added. If you select a group by Compute Location, all groups display but are collapsed, and the page size you selected applies to the groups. If you select a compute location to expand it, the rows display based on the page size you selected.

• When remote networks are displayed in a drop-down, the web interface displays the first 500 items. You can find the desired Remote Network in the list by typing in the text box.
  In addition, the total number of remote networks displays.

• The following additional pages have pagination applied:
  • IPSec Tunnels:

  • QoS:

  • QoS Statistics:

  • Troubleshooting—Remote Networks under External Dynamic Lists:

Private IP Address Visibility and Enforcement for Agent Based Proxy Traffic

Supported in: Prisma Access 5.2 Preferred and Innovation

Users who connect to Prisma Access Explicit Proxy through GlobalProtect agent from branches, can leverage Private IP addresses of endpoints for logging or to apply IP address based enforcement.

IP Address Optimization for Explicit Proxy Users- Proxy Deployments

Supported in: Prisma Access 5.2 Preferred and Innovation

IP address optimization is a set of architectural enhancements that reduce the overall number of IP addresses in your deployment, simplifying your allow listing workflows while improving resiliency and enabling faster onboarding of Prisma Access tenants and enabling faster onboarding of Prisma Access tenants.

IP Address Stickiness

With IP address stickiness, you can secure the SaaS apps and websites that require user sessions to maintain the same egress IP address of Prisma Access throughout the user session.

Simplify SaaS Applications Onboarding

Adding a Prisma Access location or experiencing a scaling event at an existing Prisma Access location could lead to new IP addresses being allocated to your Explicit Proxy deployments. It's a best practice to retrieve the new egress and gateway IP addresses and add them to an allow list of the SaaS applications. IP address optimization reduces the number of IP addresses that you have to manage in large deployments.

Explicit Proxy China Support

Supported in: Prisma Access 5.2 Preferred and Innovation

Prisma Access supports Explicit Proxy deployments in China.

Remote Networks—High Performance

Supported in: Prisma Access 5.2 Preferred and Innovation

Prisma Access offers a comprehensive solution for high-bandwidth IPSec termination, supporting large sites, automated load balancing, simplified onboarding, regional redundancy, single egress IP management, and compatibility with various SD-WAN solutions including Prisma SD-WAN. These features collectively enhance the scalability, performance, and reliability of remote site connectivity.

As your business scales and your office locations become geographically distributed, you can quickly onboard a branch site with a high bandwidth using a Prisma Access performant remote network, also known as a Remote Network—High Performance. These networks offer the following benefits:

• Supports up to 3 Gbps aggregate bandwidth per service IP address or service endpoint address, providing you with a reduced number of IP addresses or FQDNs to use for IPSec tunnel termination.
• Includes regional redundancy to improve availability and fault tolerance.
• Uses NAT to reduce public egress IP addresses.
• Simplifies onboarding with in-product recommendations for choosing locations based on geographic availability.
• Includes support for Link Quality Metrics (LQM), where Prisma SD-WAN determines link quality by actively probing the Secure Fabric VPN paths over public and private transports and the private WAN underlay paths. The probes provide a constant measurement of network performance metrics, such as jitter, latency, and packet loss. These metrics, along with application-specific performance metrics and Layer 1 through Layer 7 reachability, inform traffic forwarding decisions for new and existing application flows.

Route Summarization for Dynamic Privilege Access

Supported in: Prisma Access (Managed by Strata Cloud Manager) 5.2 Innovation

On Dynamic Privilege Access enabled Prisma Access tenants, you can summarize routes when advertising the Mobile User (MU) routes to your on-premises network. Route summarization is beneficial for enterprises that have on-premises equipment that has limited capacity such as basic cloud routers. By reducing the demand on these devices, route summarization ensures that the devices won't exceed their route capacity when communicating with the data center.

To enable route summarization, configure global summary pools that consist of lists of large IP pools that can be used across multiple projects. Then, enable route summarization in the Prisma Access service connection. When a user uses the Prisma Access Agent to connect to a project that has an IP address within the range of the configured global summary pools, the service connection will advertise the global summary pool instead of the smaller project-level route. This helps reduce the number of routes that are sent to the network.

SC-NAT Support for Dynamic Privilege Access with CIAM

Supported in: Prisma Access 5.2 Innovation

Use SC-NAT support for Dynamic Privilege Access (DPA) if you use DPA and have created service connections to access private apps in your data center or headquarters location. Multiple projects in your DPA environment can experience IP address exhaustion if the IP addresses of the Infrastructure Subnet overlap. To fix this issue, Prisma Access can implement source NAT (SNAT) for IP addresses, which:

• Lets Prisma Access map a single IP address for a mobile user accessing private apps using a service connection
• Provides you with SNAT for easy routing
• Eliminates IP Pool overlap
• Eliminates IP Pool IPv4 exhaustion between Prisma Access and your data center or headquarters location

Simplified Prisma Access Private App Connectivity

Supported in: Prisma Access 5.2 Preferred and Innovation

One way to access a private app is by using a service connection, also known as a Service Connection-Corporate Access Node (SC-CAN). It can be difficult to connect to private apps using service connections because:

• Indeterministic throughput of the private app due to SC-CAN bottlenecks
• Latency due to incorrect transit hops
• Operational complexity in deploying SC-CANs

To solve this issue, Prisma Access has enhanced its routing infrastructure routing enhancements that:

• Eliminates SC-CAN bottlenecks by improving the internal network
• Orchestrates an anchor SC-CAN when required, preventing incorrect transit hops and inefficient routing

This design offers the following benefits:

• Routing setup that is easier to deploy
• Easy day zero setup
• Deterministic 1 Gbps bandwidth from a given SC-CAN to the data center or headquarters location where the private app is located

Simplify Prisma Access SaaS Connectivity with IP Optimization for Mobile Users and Explicit Proxy Deployments

Supported in: Prisma Access 5.2 Preferred and Innovation

Prisma Access expands on the IP Optimization functionality by offering it for Explicit Proxy as well as Mobile Users—GlobalProtect.

For Mobile Users—GlobalProtect deployments, when a large number of users access a GlobalProtect gateway from a location, Prisma Access autoscales the location and adds another GlobalProtect gateway. IP Optimization uses a NAT layer so that the autoscaled gateway uses the same IP address as the previously allocated IP address, thus eliminating the need to add extra IP addresses to your organization's allow lists.

Prisma Access expands the NAT layer to Explicit Proxy Security Processing Nodes (SPNs) as well as Mobile User SPNs, reducing the need to allow list IP addresses for Explicit Proxy deployments. This Explicit Proxy NAT layer is beneficial if you're setting up a Mobile Users and Explicit Proxy deployment in Proxy Mode or Tunnel and Proxy Mode.

TLS 1.3 and PubSub Support for Traffic Replication

Supported in: Prisma Access 5.2 Preferred and Innovation

If you're a large organization using Traffic Replication, you can have the following challenges in deploying and using it:

• Tools that consume the packet capture (PCAP) files require frequent queries of the buckets to cope with a large number of PCAP files. The tools might create overhead on the buckets and their use might be limited by the cloud providers.
• When using the PCAP files for forensic analysis, accessing SSL decrypted traffic provides better efficacy, and a significant amount of the traffic is TLS 1.3 encrypted.

To solve these issues, Prisma Access offers these enhancements that allow third-party tools to be more efficient and easier to scale:

• Pub/Sub Notifications—Prisma Access proactively sends a Pub/Sub notification when a new PCAP file is uploaded to the storage bucket. Using Pub/Sub notifications for new PCAP files eliminates the need to develop tools that notify you when there are new files in the buckets.
• TLS 1.3 Decryption Support—Prisma Access uses TLS 1.3 when decrypting PCAP files, thus providing deeper visibility into the traffic. This support applies to remote network deployments where you have enabled the use of SSL/TLS decryption policy rules on PCAP files.

View and Monitor Colo-Connect

Supported in: Prisma Access 5.2 Preferred and Innovation

Prisma Access Colo-Connect builds on the Colo-based performance hub concept, with high-bandwidth private connections along with Layer 2/3 connectivity to Prisma Access from existing performance hubs. Colo-Connect leverages the cloud native GCP interconnect technology to provide high-bandwidth service connections to your private applications. Go to MonitorData Centers Service Connections to view and monitor your private connectivity to hybrid cloud and on-premises data centers over cloud interconnects.

View Prisma Access, Dataplane, and Application and Threats Content Versions in Strata Cloud Manager and Panorama

Supported in: Prisma Access (Managed by Strata Cloud Manager) 5.2 Preferred and Innovation

To allow you to gain more information about your Prisma Access (managed by Strata Cloud Manager) deployments, the Software Information area in the Overview page (ManageConfigurationNGFW and Prisma AccessOverview in Strata Cloud Manager and Prisma Access Version (PanoramaCloud ServicesConfigurationService Setup) in Panorama provide you with the following information:

• Prisma Access version
• PAN-OS dataplane version
• Release Type (Preferred or Innovation)
• Applications and Threats content version

ZTNA Connector Support for Commitless App Onboarding

Supported in: Prisma Access 5.2 Innovation

With commitless onboarding enhancement, you have an improved experience when onboarding, modifying, or removing applications. The previous delay of 5-10 minutes is eliminated, resulting in a faster process. Your application onboarding time now takes less than 1 minute, allowing you to quickly and efficiently manage your applications. Additionally, the enhanced scale of the ZTNA Connector caters to the needs of large customers who manage more than 10,000 applications. You have the capability to onboard a larger number of applications, providing you with greater flexibility and efficiency in your operations.