New Features in Prisma Access 5.2 and 5.2.1
Focus
Focus
Prisma Access

New Features in Prisma Access 5.2 and 5.2.1

Table of Contents

New Features in Prisma Access 5.2 and 5.2.1

Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • Minimum Required Prisma Access Version 5.2 or 5.2.1 Preferred or Innovation
This section provides you with a list of new features in Prisma Access 5.2 and 5.2.1 Preferred and Innovation, along with the recommended and required software versions you need to use.
This document contains roadmap information and is being shared for INFORMATIONAL AND PLANNING PURPOSES ONLY. It is not a binding commitment and is subject to change.

Recommended Software Versions for Prisma Access 5.2.1 Preferred and Innovation

There are two Prisma Access 5.2.1 versions:
  • 5.2.1 Preferred runs a PAN-OS 10.2.10 dataplane. If your deployment is running a lower dataplane version, a dataplane upgrade to PAN-OS 10.2.10 is required to implement 5.2.1 Preferred features.
  • 5.2.1 Innovation runs a PAN-OS 11.2.4 dataplane. An upgrade to PAN-OS 11.2.4 is required to implement 5.2 Innovation features.
For new Prisma Access 5.2.1 Innovation features, Prisma Access recommends that you upgrade your Prisma Access to the following versions before installing the plugin.
Prisma Access VersionCloud Services Plugin VersionRequired Dataplane Version for 5.2.1Recommended GlobalProtect VersionRecommended Panorama Version
5.2.15.2.0 hotfixPAN-OS 10.2.10 (required for 5.2.1 Preferred)
PAN-OS 11.2.4 (required for 5.2.1 Innovation)
6.0.7+
6.1.3+
6.2.1+
10.2.10+
11.0.1+
11.1.0
11.2.4

Recommended Software Versions for Prisma Access 5.2 Preferred and Innovation

There are two Prisma Access 5.2 versions:
  • 5.2 Preferred runs a PAN-OS 10.2.10 dataplane. If your deployment is running a lower dataplane version, a dataplane upgrade to PAN-OS 10.2.10 might be required to implement 5.2 Preferred features. If you're an existing customer, see Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.2.1 Preferred and Innovation Features to see if a dataplane upgrade is required for a Prisma Access 5.2 feature.
  • 5.2 Innovation runs a PAN-OS dataplane of 11.2.3. An upgrade to PAN-OS 11.2.3 is required to implement 5.2 Innovation features.
For new Prisma Access 5.2 Innovation features, Prisma Access recommends that you upgrade your Prisma Access to the following versions before installing the plugin.
Prisma Access VersionCloud Services Plugin VersionRequired Dataplane Version for 5.2Recommended GlobalProtect VersionRecommended Panorama Version
5.25.2PAN-OS 10.2.10 (required for 5.2 Preferred)
PAN-OS 11.2.3 (required for 5.2 Innovation)
6.0.7+
6.1.3+
6.2.1+
10.2.10+
11.0.1+
11.1.0
11.2.3

Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.2.1 Preferred and Innovation Features

Prisma Access 5.2.1 features require one of more of the following components to function:
  • Infrastructure Upgrade—The infrastructure includes the underlying service backend, orchestration, and monitoring infrastructure. Prisma Access upgrades the infrastructure before the general availability (GA) date of a Prisma Access release.
    Features that require only an infrastructure upgrade to be unlocked take effect for all Prisma Access deployments, regardless of version, at the time of the infrastructure upgrade.
  • Plugin Upgrade (Prisma Access Panorama Managed Deployments Only)—Installing the plugin activates the features that are available with that release. You download and install the plugin on the Panorama that manages Prisma Access.
  • Dataplane Upgrade—The dataplane enables traffic inspection and security policy enforcement on your network and user traffic.
    • For Prisma Access (Managed by Strata Cloud Manager), go to ManageConfigurationNGFW and Prisma AccessOverview.'
    • For Prisma Access (Managed by Panorama) deployments, you can view your dataplane version by going to PanoramaCloud ServicesConfigurationService Setup and viewing the Prisma Access Version. Prisma Access 5.2.1 Preferred runs PAN-OS 10.2.10 and Prisma Access Innovation runs PAN-OS 11.2.4.
A dataplane upgrade to 5.2.1 Innovation is optional, and is only required if you want to take advantage of the features that require a dataplane upgrade.
These features are activated with the infrastructure upgrade only for Prisma Access:
  • RFC6598 Mobile Users Address Pool for New Prisma Access (Managed by Strata Cloud Manager) Deployments
  • Israel and Saudi Arabia Strata Logging Service Region Support
  • Native IPv6 Support for Existing Prisma Access Deployments
These features require an infrastructure and plugin upgrade but don't require a dataplane upgrade; however, a minimum datapane version of 10.2.4 is required for these features:
  • Explicit Proxy Support for Colo-Connect
  • Explicit Proxy Third-Party Enterprise Browser Integration
The following 5.2.1 features require an infrastructure and plugin upgrade and require a minimum dataplane version of PAN-OS 10.2.10, making them Prisma Access 5.2.1 Preferred features:
  • None
The following 5.2 features require an infrastructure, plugin, and dataplane upgrade to PAN-OS 11.2.4, making them Prisma Access 5.2.1 Innovation features:
  • Remote Network—High Performance Private App Access Support
  • Static IP Address Enhancements for Mobile Users

Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.2 Preferred and Innovation Features

Prisma Access 5.2 features require one of more of the following components to function:
  • Infrastructure Upgrade—The infrastructure includes the underlying service backend, orchestration, and monitoring infrastructure. Prisma Access upgrades the infrastructure before the general availability (GA) date of a Prisma Access release.
    Features that require only an infrastructure upgrade to be unlocked take effect for all Prisma Access deployments, regardless of version, at the time of the infrastructure upgrade.
  • Plugin Upgrade (Prisma Access Panorama Managed Deployments Only)—Installing the plugin activates the features that are available with that release. You download and install the plugin on the Panorama that manages Prisma Access.
  • Dataplane Upgrade—The dataplane enables traffic inspection and security policy enforcement on your network and user traffic.
    • For Prisma Access (Managed by Strata Cloud Manager), go to ManageConfigurationNGFW and Prisma AccessOverview.
    • For Prisma Access (Managed by Panorama) deployments, you can view your dataplane version by going to PanoramaCloud ServicesConfigurationService Setup and viewing the Prisma Access Version. Prisma Access 5.2 Preferred runs PAN-OS 10.2.10 and Prisma Access Innovation runs PAN-OS 11.2.3.
A dataplane upgrade to 5.2 Innovation is optional, and is only required if you want to take advantage of the features that require a dataplane upgrade.
These features are activated with the infrastructure upgrade only for Prisma Access:
  • Simplify Prisma Access SaaS Connectivity with IP Optimization for Mobile Users and Explicit Proxy Deployments
  • TLS 1.3 and PubSub Support for Traffic Replication
  • View and Monitor Colo-Connect
These features require an infrastructure and plugin upgrade but don't require a dataplane upgrade:
  • 25,000 Remote Network and 50,000 IKE Gateway Support
  • Private IP Address Visibility and Enforcement for Agent Based Proxy Traffic
  • IP Address Optimization for Explicit Proxy Users- Proxy Deployments
  • Simplified Prisma Access Private App Connectivity
  • View Prisma Access, Dataplane, and Application and Threats Content Versions in Strata Cloud Manager
The following 5.2 features require an infrastructure and plugin upgrade and require a minimum dataplane version of PAN-OS 10.2.10, making them Prisma Access 5.2 Preferred features:
  • Remote Networks—High Performance
The following 5.2 features require an infrastructure, plugin, and dataplane upgrade to Prisma Access 11.2.3, making them Prisma Access 5.2 Innovation features:
  • SC-NAT Support for Dynamic Privilege Access with CIAM
  • ZTNA Connector Support for Commitless App Onboarding

Prisma Access 5.2.1 Features

The following table describes the new features that will be generally available with Prisma Access 5.2.1.

Explicit Proxy Support for Colo-Connect

Supported in: Prisma Access 5.2.1 Preferred and Innovation
If you have large data centers with direct connectivity to colocation facilities, you can now connect through Prisma Access Explicit Proxy, enabling high-speed access to private applications. With the enhancement, you will receive up to 20 Gbps of throughput per region.
The integration of Colo-Connect with Explicit Proxy offers the following benefits:
  • Explicit Proxy automatically connects to the nearest Prisma Access compute location, offering you the best possible latency.
  • Eliminates network and routing dependencies, offering automated secure tunnel management and routing for private applications.
  • Colo-Connect supports retrieving private applications in overlapped networks, ensuring flexibility and accessibility

Secure Integration of Third-Party Enterprise Browsers with Explicit Proxy

Supported in: Prisma Access 5.2.1 Preferred and Innovation
Prism Access can now enable secure access to private applications through third-party Enterprise Browsers. With this enhancement, user information can be securely and transparently exchanged between the third-party Enterprise Browser and Prisma Access, allowing for the enforcement of User-ID based policy rules within Prisma Access. This eliminates the need for end users to re-authenticate with Prisma Access if they have already logged in to the third-party Enterprise Browser.

Native IPv6 Support for Existing Prisma Access Deployments

Supported in: Prisma Access 5.2.1 Preferred and Innovation for all deployments (IPv6 support for new deployments is supported starting Prisma Access 5.1.1; support for existing deployments added in Prisma Access 5.2.1)
Prisma Access extends its support for IPv6 from private applications to encompass comprehensive end-to-end IPv6 support for Mobile Users, Remote Networks, and Service Connections, and adds native IPv6 support for existing Prisma Access deployments.
One advantageous aspect of native IPv6 support is its capacity to enable Mobile Users utilizing IPv6-only endpoints to establish connections with Prisma Access via IPv6 connections using GlobalProtect. Additionally, this support facilitates accessing public SaaS applications over the internet, particularly where those destinations necessitate IPv6 connections.
IPv6 boasts a larger address space compared to IPv4, thereby accommodating an almost limitless number of unique IP addresses. Through native IPv6 support, Prisma Access is engineered to be compatible with both IPv6 and dual-stack connections, facilitating the migration process from IPv4 to IPv6. This compatibility ensures backward compatibility and empowers organizations in their transition to cloud-based and IPv6-enabled networks.

Remote Networks—High Performance Private App Access Support

Supported in: Prisma Access 5.2.1 Preferred and Innovation
The Prisma Access Remote Network—High Performance adds private app access support, in addition to its existing support for egress to the internet. This support means that you can:
  • Retrieve private apps from a branch connected by a high-performance remote network
  • Communicate with another branch (branch-to-branch traffic) using service connections
  • Communicate with mobile users (mobile user-to-branch traffic) using service connections

Static IP Address Enhancements for Mobile Users

Supported in: Prisma Access 5.2.1 Innovation
Prisma Access adds to the static IP address functionality for mobile users, where you can assign static IP addresses to users based on the Prisma Access theater or User-ID.
To enhance IP address assignment for mobile users, you can now use location groups and user groups as a criteria, in addition to theater and User-ID.
In addition, the number of supported IP address pool profiles is increased to 10,000.

RFC6598 Mobile Users Address Pool for New Prisma Access (Managed by Strata Cloud Manager) Deployments

Supported in: Prisma Access (Managed by Strata Cloud Manager) 5.2.1 Preferred and Innovation
Every Prisma Access deployment requires a Mobile User address IP pool. Prisma Access assigns an IP address from this pool to each GlobalProtect-connected device. To simplify the onboarding of GlobalProtect mobile users, Palo Alto Networks provides new Prisma Access (Managed by Strata Cloud Manager) deployments with a default IP address pool from the RFC6598. The IP pool is 100.92.0.0/16. If you require more addresses, or want to use your own addresses, you can modify this pool or delete it and add IP address pools of your own.

Israel and Saudi Arabia Strata Logging Service Region Support

Supported in: Prisma Access 5.2.1 Preferred and Innovation
Prisma Access supports the Israel and Saudi Arabia Strata Logging Service regions.

Wildcard FQDN Configuration for Security Policies in ZTNA Connector

Supported in: Prisma Access 5.2.1 Preferred and Innovation
The use of wildcard FQDN in security policy rules is currently restricted by protocol limitations. As a result, only the HTTP and HTTPS protocols are supported for wildcard FQDN in security policy rules at this time.
With this enhancement:
  • You can configure a security policy based on the wildcard application FQDN.
  • The same security policy is applied to all the discovered applications that share the same wildcard FQDN.
  • When new applications that match the wildcard FQDN are discovered, traffic can pass without requiring a new commit.

ZTNA Connector for Onboarding Applications

Supported in: Prisma Access 5.2.1 Preferred and Innovation
If your enterprise’s users access a large number of private apps, ZTNA Connector may experience scalability issues when the number of applications in your infrastructure exceeds 15000.
ZTNA Connector offers an enhancement that improves scalability, allowing users to onboard:
  • 10,000 application targets per tenant
  • 1,000 applications per connector group
  • 200 connectors per tenant with a bandwidth of 8 Gbps per compute region

Prisma Access 5.2 Features

This section describes the new features that are available with Prisma Access 5.2.

25,000 Remote Network and 50,000 IKE Gateway Support

Supported in: Prisma Access 5.2 Preferred and Innovation
To implement this feature, reach out to your Palo Alto Networks account team, who will open an SRE case to accommodate the request.
You can onboard a maximum of 25,000 remote networks and 50,000 IKE gateways per tenant in a Prisma Access deployment. To accommodate this enhancement, the following changes have been made to the Strata Cloud Manager web interface starting with Prisma Access 5.1:
  • Introducing pagination so that you can choose how many rows to display in a given page.
  • Filtering is enabled for remote networks.
    After you apply filtering, you can sort the resulting output by name.
  • A new Group By field is added. If you select a group by Compute Location, all groups display but are collapsed, and the page size you selected applies to the groups. If you select a compute location to expand it, the rows display based on the page size you selected.
  • When remote networks are displayed in a drop-down, the web interface displays the first 500 items. You can find the desired Remote Network in the list by typing in the text box.
    In addition, the total number of remote networks displays.
  • The following additional pages have pagination applied:
    • IPSec Tunnels:
    • QoS:
    • QoS Statistics:
    • Troubleshooting—Remote Networks under External Dynamic Lists:

Private IP Address Visibility and Enforcement for Agent Based Proxy Traffic

Supported in: Prisma Access 5.2 Preferred and Innovation
Users who connect to Prisma Access Explicit Proxy through GlobalProtect agent from branches, can leverage Private IP addresses of endpoints for logging or to apply IP address based enforcement.

IP Address Optimization for Explicit Proxy Users- Proxy Deployments

Supported in: Prisma Access 5.2 Preferred and Innovation
IP address optimization is a set of architectural enhancements that reduce the overall number of IP addresses in your deployment, simplifying your allow listing workflows while improving resiliency and enabling faster onboarding of Prisma Access tenants and enabling faster onboarding of Prisma Access tenants.
IP Address Stickiness
With IP address stickiness, you can secure the SaaS apps and websites that require user sessions to maintain the same egress IP address of Prisma Access throughout the user session.
Simplify SaaS Applications Onboarding
Adding a Prisma Access location or experiencing a scaling event at an existing Prisma Access location could lead to new IP addresses being allocated to your Explicit Proxy deployments. It's a best practice to retrieve the new egress and gateway IP addresses and add them to an allow list of the SaaS applications. IP address optimization reduces the number of IP addresses that you have to manage in large deployments.

Explicit Proxy China Support

Supported in: Prisma Access 5.2 Preferred and Innovation
Prisma Access supports Explicit Proxy deployments in China.

Remote Networks—High Performance

Supported in: Prisma Access 5.2 Preferred and Innovation
Prisma Access offers a comprehensive solution for high-bandwidth IPSec termination, supporting large sites, automated load balancing, simplified onboarding, regional redundancy, single egress IP management, and compatibility with various SD-WAN solutions including Prisma SD-WAN. These features collectively enhance the scalability, performance, and reliability of remote site connectivity.
As your business scales and your office locations become geographically distributed, you can quickly onboard a branch site with a high bandwidth using a Prisma Access performant remote network, also known as a Remote Network—High Performance. These networks offer the following benefits:
  • Supports up to 3 Gbps aggregate bandwidth per service IP address or service endpoint address, providing you with a reduced number of IP addresses or FQDNs to use for IPSec tunnel termination.
  • Includes regional redundancy to improve availability and fault tolerance.
  • Uses NAT to reduce public egress IP addresses.
  • Simplifies onboarding with in-product recommendations for choosing locations based on geographic availability.
  • Includes support for Link Quality Metrics (LQM), where Prisma SD-WAN determines link quality by actively probing the Secure Fabric VPN paths over public and private transports and the private WAN underlay paths. The probes provide a constant measurement of network performance metrics, such as jitter, latency, and packet loss. These metrics, along with application-specific performance metrics and Layer 1 through Layer 7 reachability, inform traffic forwarding decisions for new and existing application flows.

Route Summarization for Dynamic Privilege Access

Supported in: Prisma Access (Managed by Strata Cloud Manager) 5.2 Innovation
On Dynamic Privilege Access enabled Prisma Access tenants, you can summarize routes when advertising the Mobile User (MU) routes to your on-premises network. Route summarization is beneficial for enterprises that have on-premises equipment that has limited capacity such as basic cloud routers. By reducing the demand on these devices, route summarization ensures that the devices won't exceed their route capacity when communicating with the data center.
To enable route summarization, configure global summary pools that consist of lists of large IP pools that can be used across multiple projects. Then, enable route summarization in the Prisma Access service connection. When a user uses the Prisma Access Agent to connect to a project that has an IP address within the range of the configured global summary pools, the service connection will advertise the global summary pool instead of the smaller project-level route. This helps reduce the number of routes that are sent to the network.

SC-NAT Support for Dynamic Privilege Access with CIAM

Supported in: Prisma Access 5.2 Innovation
Use SC-NAT support for Dynamic Privilege Access (DPA) if you use DPA and have created service connections to access private apps in your data center or headquarters location. Multiple projects in your DPA environment can experience IP address exhaustion if the IP addresses of the Infrastructure Subnet overlap. To fix this issue, Prisma Access can implement source NAT (SNAT) for IP addresses, which:
  • Lets Prisma Access map a single IP address for a mobile user accessing private apps using a service connection
  • Provides you with SNAT for easy routing
  • Eliminates IP Pool overlap
  • Eliminates IP Pool IPv4 exhaustion between Prisma Access and your data center or headquarters location

Simplified Prisma Access Private App Connectivity

Supported in: Prisma Access 5.2 Preferred and Innovation
One way to access a private app is by using a service connection, also known as a Service Connection-Corporate Access Node (SC-CAN). It can be difficult to connect to private apps using service connections because:
  • Indeterministic throughput of the private app due to SC-CAN bottlenecks
  • Latency due to incorrect transit hops
  • Operational complexity in deploying SC-CANs
To solve this issue, Prisma Access has enhanced its routing infrastructure routing enhancements that:
  • Eliminates SC-CAN bottlenecks by improving the internal network
  • Orchestrates an anchor SC-CAN when required, preventing incorrect transit hops and inefficient routing
This design offers the following benefits:
  • Routing setup that is easier to deploy
  • Easy day zero setup
  • Deterministic 1 Gbps bandwidth from a given SC-CAN to the data center or headquarters location where the private app is located

Simplify Prisma Access SaaS Connectivity with IP Optimization for Mobile Users and Explicit Proxy Deployments

Supported in: Prisma Access 5.2 Preferred and Innovation
Prisma Access expands on the IP Optimization functionality by offering it for Explicit Proxy as well as Mobile Users—GlobalProtect.
For Mobile Users—GlobalProtect deployments, when a large number of users access a GlobalProtect gateway from a location, Prisma Access autoscales the location and adds another GlobalProtect gateway. IP Optimization uses a NAT layer so that the autoscaled gateway uses the same IP address as the previously allocated IP address, thus eliminating the need to add extra IP addresses to your organization's allow lists.
Prisma Access expands the NAT layer to Explicit Proxy Security Processing Nodes (SPNs) as well as Mobile User SPNs, reducing the need to allow list IP addresses for Explicit Proxy deployments. This Explicit Proxy NAT layer is beneficial if you're setting up a Mobile Users and Explicit Proxy deployment in Proxy Mode or Tunnel and Proxy Mode.

TLS 1.3 and PubSub Support for Traffic Replication

Supported in: Prisma Access 5.2 Preferred and Innovation
If you're a large organization using Traffic Replication, you can have the following challenges in deploying and using it:
  • Tools that consume the packet capture (PCAP) files require frequent queries of the buckets to cope with a large number of PCAP files. The tools might create overhead on the buckets and their use might be limited by the cloud providers.
  • When using the PCAP files for forensic analysis, accessing SSL decrypted traffic provides better efficacy, and a significant amount of the traffic is TLS 1.3 encrypted.
To solve these issues, Prisma Access offers these enhancements that allow third-party tools to be more efficient and easier to scale:
  • Pub/Sub Notifications—Prisma Access proactively sends a Pub/Sub notification when a new PCAP file is uploaded to the storage bucket. Using Pub/Sub notifications for new PCAP files eliminates the need to develop tools that notify you when there are new files in the buckets.
  • TLS 1.3 Decryption Support—Prisma Access uses TLS 1.3 when decrypting PCAP files, thus providing deeper visibility into the traffic. This support applies to remote network deployments where you have enabled the use of SSL/TLS decryption policy rules on PCAP files.

View and Monitor Colo-Connect

Supported in: Prisma Access 5.2 Preferred and Innovation
Prisma Access Colo-Connect builds on the Colo-based performance hub concept, with high-bandwidth private connections along with Layer 2/3 connectivity to Prisma Access from existing performance hubs. Colo-Connect leverages the cloud native GCP interconnect technology to provide high-bandwidth service connections to your private applications. Go to MonitorData Centers Service Connections to view and monitor your private connectivity to hybrid cloud and on-premises data centers over cloud interconnects.

View Prisma Access, Dataplane, and Application and Threats Content Versions in Strata Cloud Manager and Panorama

Supported in: Prisma Access (Managed by Strata Cloud Manager) 5.2 Preferred and Innovation
To allow you to gain more information about your Prisma Access (managed by Strata Cloud Manager) deployments, the Software Information area in the Overview page (ManageConfigurationNGFW and Prisma AccessOverview in Strata Cloud Manager and Prisma Access Version (PanoramaCloud ServicesConfigurationService Setup) in Panorama provide you with the following information:

ZTNA Connector Support for Commitless App Onboarding

Supported in: Prisma Access 5.2 Innovation
With commitless onboarding enhancement, you have an improved experience when onboarding, modifying, or removing applications. The previous delay of 5-10 minutes is eliminated, resulting in a faster process. Your application onboarding time now takes less than 1 minute, allowing you to quickly and efficiently manage your applications. Additionally, the enhanced scale of the ZTNA Connector caters to the needs of large customers who manage more than 10,000 applications. You have the capability to onboard a larger number of applications, providing you with greater flexibility and efficiency in your operations.