Prisma Access
New Features in Prisma Access 5.2 and 5.2.1
This section provides you with a list of new features in Prisma Access 5.2 and
5.2.1 Preferred and Innovation, along with the recommended and required software
versions you need to use.
This document contains roadmap information and is being shared for INFORMATIONAL
AND PLANNING PURPOSES ONLY. It is not a binding commitment and is subject to
change.
- Recommended Software Versions for Prisma Access 5.2.1 Preferred and Innovation
- Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.2.1 Preferred and Innovation Features
- Prisma Access 5.2.1 Features
- 5.2.0 Features
Recommended Software Versions for Prisma Access 5.2.1 Preferred and Innovation
There are two Prisma Access 5.2.1 versions:
- 5.2.1 Preferred runs a PAN-OS 10.2.10 dataplane. If your deployment is running a lower dataplane version, a dataplane upgrade to PAN-OS 10.2.10 is required to implement 5.2.1 Preferred features.
- 5.2.1 Innovation runs a PAN-OS 11.2.4 dataplane. An upgrade to PAN-OS 11.2.4 is required to implement 5.2 Innovation features.
For new Prisma Access 5.2.1 Innovation features, Prisma Access
recommends that you upgrade your Prisma Access to the following
versions before installing the plugin.
Prisma Access Version | Cloud Services Plugin Version | Required Dataplane Version for 5.2.1 | Recommended GlobalProtect Version | Recommended Panorama Version |
---|---|---|---|---|
5.2.1 | 5.2.0 hotfix | PAN-OS 10.2.10 (required for 5.2.1 Preferred); PAN-OS 11.2.4 (required for 5.2.1 Innovation) | 6.0.7+, 6.1.3+, 6.2.1+ | 10.2.10+, 11.0.1+, 11.1.0, 11.2.4 |
Recommended Software Versions for Prisma Access 5.2 Preferred and Innovation
There are two Prisma Access 5.2 versions:
- 5.2 Preferred runs a PAN-OS 10.2.10 dataplane. If your deployment is running a lower dataplane version, a dataplane upgrade to PAN-OS 10.2.10 might be required to implement 5.2 Preferred features. If you're an existing customer, see Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.2.1 Preferred and Innovation Features to see if a dataplane upgrade is required for a Prisma Access 5.2 feature.
- 5.2 Innovation runs a PAN-OS dataplane of 11.2.3. An upgrade to PAN-OS 11.2.3 is required to implement 5.2 Innovation features.
For new Prisma Access 5.2 Innovation features, Prisma Access
recommends that you upgrade your Prisma Access to the following
versions before installing the plugin.
Prisma Access Version | Cloud Services Plugin Version | Required Dataplane Version for 5.2 | Recommended GlobalProtect Version | Recommended Panorama Version |
---|---|---|---|---|
5.2 | 5.2 | PAN-OS 10.2.10 (required for 5.2 Preferred); PAN-OS 11.2.3 (required for 5.2 Innovation) | 6.0.7+, 6.1.3+, 6.2.1+ | 10.2.10+, 11.0.1+, 11.1.0, 11.2.3 |
Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.2.1 Preferred and Innovation Features
Prisma Access 5.2.1 features require one or more of the following components
to function:
- Infrastructure Upgrade—The infrastructure includes the underlying
service backend, orchestration, and monitoring infrastructure. Prisma Access upgrades the infrastructure before the general
availability (GA) date of a Prisma Access release. Features that require only an infrastructure upgrade to be unlocked take effect for all Prisma Access deployments, regardless of version, at the time of the infrastructure upgrade.
- Plugin Upgrade (Prisma Access Panorama Managed Deployments Only)—Installing the plugin activates the features that are available with that release. You download and install the plugin on the Panorama that manages Prisma Access.
- Dataplane Upgrade—The dataplane enables traffic inspection and
security policy enforcement on your network and user traffic.
- For Prisma Access (Managed by Strata Cloud Manager) deployments, view your dataplane version by going to Manage > Configuration > NGFW and Prisma Access > Overview.
- For Prisma Access (Managed by Panorama) deployments, view your dataplane version by going to Panorama > Cloud Services > Configuration > Service Setup and viewing the Prisma Access Version. Prisma Access 5.2.1 Preferred runs PAN-OS 10.2.10 and Prisma Access 5.2.1 Innovation runs PAN-OS 11.2.4.
A dataplane upgrade to 5.2.1 Innovation is optional, and is
only required if you want to take advantage of the features that require a dataplane
upgrade.
These features are activated with the infrastructure upgrade only for Prisma Access:
- RFC6598 Mobile Users Address Pool for New Prisma Access (Managed by Strata Cloud Manager) Deployments
- Israel and Saudi Arabia Strata Logging Service Region Support
- Native IPv6 Support for Existing Prisma Access Deployments
These features require an infrastructure and plugin upgrade but don't require
a dataplane upgrade; however, a minimum dataplane version of PAN-OS 10.2.4 is required for
these features:
- Explicit Proxy Support for Colo-Connect
- Explicit Proxy Third-Party Enterprise Browser Integration
The following 5.2.1 features require an infrastructure and plugin upgrade and
require a minimum dataplane version of PAN-OS 10.2.10, making them Prisma Access 5.2.1 Preferred features:
- None
The following 5.2.1 features require an infrastructure, plugin, and dataplane
upgrade to PAN-OS 11.2.4, making them Prisma Access 5.2.1 Innovation features:
- Remote Network—High Performance Private App Access Support
- Static IP Address Enhancements for Mobile Users
Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.2 Preferred and Innovation Features
Prisma Access 5.2 features require one or more of the following components
to function:
- Infrastructure Upgrade—The infrastructure includes the underlying
service backend, orchestration, and monitoring infrastructure. Prisma Access upgrades the infrastructure before the general
availability (GA) date of a Prisma Access release. Features that require only an infrastructure upgrade to be unlocked take effect for all Prisma Access deployments, regardless of version, at the time of the infrastructure upgrade.
- Plugin Upgrade (Prisma Access Panorama Managed Deployments Only)—Installing the plugin activates the features that are available with that release. You download and install the plugin on the Panorama that manages Prisma Access.
- Dataplane Upgrade—The dataplane enables traffic inspection and
security policy enforcement on your network and user traffic.
- For Prisma Access (Managed by Strata Cloud Manager) deployments, view your dataplane version by going to Manage > Configuration > NGFW and Prisma Access > Overview.
- For Prisma Access (Managed by Panorama) deployments, view your dataplane version by going to Panorama > Cloud Services > Configuration > Service Setup and viewing the Prisma Access Version. Prisma Access 5.2 Preferred runs PAN-OS 10.2.10 and Prisma Access 5.2 Innovation runs PAN-OS 11.2.3.
A dataplane upgrade to 5.2 Innovation is optional, and is
only required if you want to take advantage of the features that require a dataplane
upgrade.
These features are activated with the infrastructure upgrade only for Prisma Access:
- Simplify Prisma Access SaaS Connectivity with IP Optimization for Mobile Users and Explicit Proxy Deployments
- TLS 1.3 and PubSub Support for Traffic Replication
- View and Monitor Colo-Connect
These features require an infrastructure and plugin upgrade but don't require
a dataplane upgrade:
- 25,000 Remote Network and 50,000 IKE Gateway Support
- Private IP Address Visibility and Enforcement for Agent Based Proxy Traffic
- IP Address Optimization for Explicit Proxy Users- Proxy Deployments
- Simplified Prisma Access Private App Connectivity
- View Prisma Access, Dataplane, and Application and Threats Content Versions in Strata Cloud Manager
The following 5.2 features require an infrastructure and plugin upgrade and
require a minimum dataplane version of PAN-OS 10.2.10, making them Prisma Access 5.2
Preferred features:
- Remote Networks—High Performance
The following 5.2 features require an infrastructure, plugin, and dataplane
upgrade to PAN-OS 11.2.3, making them Prisma Access 5.2 Innovation features:
- SC-NAT Support for Dynamic Privilege Access with CIAM
- ZTNA Connector Support for Commitless App Onboarding
Prisma Access 5.2.1 Features
This section describes the new features that are generally available with
Prisma Access 5.2.1.
Explicit Proxy Support for Colo-Connect
Supported in: Prisma Access 5.2.1 Preferred and Innovation
If you have large data centers with direct connectivity to colocation facilities, you can now connect
through Prisma Access Explicit Proxy, enabling high-speed
access to private applications. With the enhancement, you will receive up to 20 Gbps
of throughput per region.
The integration of Colo-Connect with Explicit Proxy offers the following
benefits:
- Explicit Proxy automatically connects to the nearest Prisma Access compute location, offering you the best possible latency.
- Eliminates network and routing dependencies, offering automated secure tunnel management and routing for private applications.
- Colo-Connect supports reaching private applications in overlapping networks, ensuring flexibility and accessibility.
Secure Integration of Third-Party Enterprise Browsers with Explicit Proxy
Supported in: Prisma Access 5.2.1 Preferred and Innovation
Prisma Access can now enable secure access
to private applications through third-party Enterprise Browsers. With this
enhancement, user information can be securely and transparently exchanged between
the third-party Enterprise Browser and Prisma Access, allowing
for the enforcement of User-ID based policy rules within Prisma
Access. This eliminates the need for end users to re-authenticate with Prisma Access if they have already logged in to the third-party
Enterprise Browser.
Native IPv6 Support for Existing Prisma Access Deployments
Supported in: Prisma Access 5.2.1 Preferred and Innovation for all deployments (IPv6 support for new deployments is supported starting with Prisma Access 5.1.1; support for existing deployments is added in Prisma Access 5.2.1)
Prisma Access extends its support for IPv6 from private applications to encompass
comprehensive end-to-end IPv6 support for Mobile Users, Remote Networks, and Service
Connections, and adds native IPv6 support for existing Prisma Access deployments.
One advantageous aspect of native IPv6 support is its capacity to enable Mobile Users
utilizing IPv6-only endpoints to establish connections with Prisma Access via IPv6
connections using GlobalProtect. Additionally, this support facilitates accessing
public SaaS applications over the internet, particularly where those destinations
necessitate IPv6 connections.
IPv6 boasts a larger address space compared to IPv4, thereby accommodating
an almost limitless number of unique IP addresses. Through native IPv6 support,
Prisma Access is engineered to be compatible with both IPv6 and dual-stack
connections, facilitating the migration process from IPv4 to IPv6. This
compatibility ensures backward compatibility and empowers organizations in their
transition to cloud-based and IPv6-enabled networks.
Remote Networks—High Performance Private App Access Support
Supported in: Prisma Access 5.2.1 Preferred and Innovation
The Prisma Access Remote Network—High Performance adds
private app access support, in addition to its existing support for egress to the
internet. This support means that you can:
- Retrieve private apps from a branch connected by a high-performance remote network
- Communicate with another branch (branch-to-branch traffic) using service connections
- Communicate with mobile users (mobile user-to-branch traffic) using service connections
Static IP Address Enhancements for Mobile Users
Supported in: Prisma Access 5.2.1 Innovation
Prisma Access adds to the static IP address functionality for mobile
users, where you can assign static IP addresses to users based on the Prisma Access
theater or User-ID.
To enhance IP address assignment for mobile users, you can now use location groups
and user groups as criteria, in addition to theater and User-ID.
In addition, the number of supported IP address pool profiles is increased to
10,000.
RFC6598 Mobile Users Address Pool for New Prisma Access (Managed by Strata Cloud Manager) Deployments
Supported in: Prisma Access (Managed by Strata Cloud Manager) 5.2.1 Preferred and Innovation
Every Prisma Access deployment requires a Mobile User IP address pool. Prisma Access
assigns an IP address from this pool to each GlobalProtect-connected device. To
simplify the onboarding of GlobalProtect mobile users, Palo Alto Networks provides
new Prisma Access (Managed by Strata Cloud Manager) deployments with a default IP
address pool taken from the RFC6598 shared address space. The IP pool is 100.92.0.0/16. If you require more
addresses, or want to use your own addresses, you can modify this pool or delete it
and add IP address pools of your own.
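Before replacing or extending the default pool, it is worth checking that a candidate pool really sits inside the RFC 6598 shared address space (100.64.0.0/10) and that it does not overlap the address ranges already routed inside your organization, since an overlap would make those internal destinations unreachable for connected GlobalProtect users. The following check is an added example, not part of the Prisma Access documentation or product; the internal network list and the candidate pools are constructed sample values, and the size threshold is an assumed planning figure.

```python
from ipaddress import ip_network, IPv4Network

# RFC 6598 shared address space (a published constant, not a page value).
RFC6598_SHARED = ip_network("100.64.0.0/10")

# Default pool named on the page.
DEFAULT_MU_POOL = ip_network("100.92.0.0/16")

# Constructed sample of an organization's internally routed prefixes (hypothetical).
INTERNAL_NETWORKS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("100.92.128.0/17"),  # hypothetical: part of the default pool already in use internally
]


def check_mobile_user_pool(pool, internal_networks, min_addresses=1024):
    """Return a list of findings (empty list means the pool passes every check).

    Checks performed (all on IPv4 pools):
      * the pool is inside RFC 6598 shared address space (informational if not,
        because the page allows customer-supplied pools),
      * the pool does not overlap any internally routed prefix,
      * the pool has at least `min_addresses` addresses (assumed planning threshold).
    """
    pool = ip_network(pool)
    findings = []
    if not isinstance(pool, IPv4Network):
        return ["pool is not IPv4; this check only covers IPv4 pools"]

    if not pool.subnet_of(RFC6598_SHARED):
        findings.append(f"{pool} is outside RFC 6598 shared space {RFC6598_SHARED}")

    for net in internal_networks:
        net = ip_network(net)
        if net.version == pool.version and pool.overlaps(net):
            findings.append(f"{pool} overlaps internally routed prefix {net}")

    if pool.num_addresses < min_addresses:
        findings.append(f"{pool} has only {pool.num_addresses} addresses (< {min_addresses})")

    return findings


if __name__ == "__main__":
    for candidate in (DEFAULT_MU_POOL, "100.80.0.0/16", "10.50.0.0/16", "100.70.0.0/26"):
        result = check_mobile_user_pool(candidate, INTERNAL_NETWORKS)
        print(candidate, "OK" if not result else result)
```

Run against the constructed internal list, the default 100.92.0.0/16 pool is flagged only because the hypothetical 100.92.128.0/17 prefix was declared as internally routed; a replacement pool such as 100.80.0.0/16 passes all checks.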
Israel and Saudi Arabia Strata Logging Service Region Support
Supported in: Prisma Access 5.2.1 Preferred and Innovation
Prisma Access supports the Israel and Saudi Arabia Strata Logging Service regions.
Wildcard FQDN Configuration for Security Policies in ZTNA Connector
Supported in: Prisma Access 5.2.1 Preferred and Innovation
The use of wildcard FQDN in security policy rules is
currently restricted by protocol limitations. As a result, only the HTTP and HTTPS
protocols are supported for wildcard FQDN in security policy rules at this time.
With this enhancement:
- You can configure a security policy based on the wildcard application FQDN.
- The same security policy is applied to all the discovered applications that share the same wildcard FQDN.
- When new applications that match the wildcard FQDN are discovered, traffic can pass without requiring a new commit.
ZTNA Connector for Onboarding Applications
Supported in: Prisma Access 5.2.1 Preferred and Innovation
If your enterprise's users access a large number of private apps, ZTNA Connector may experience scalability
issues when the number of applications in your infrastructure exceeds 15,000.
ZTNA Connector offers an enhancement that improves scalability, allowing
users to onboard:
- 10,000 application targets per tenant
- 1,000 applications per connector group
- 200 connectors per tenant with a bandwidth of 8 Gbps per compute region
Prisma Access 5.2 Features
This section describes the new features that are available with Prisma Access 5.2.
25,000 Remote Network and 50,000 IKE Gateway Support
Supported in: Prisma Access 5.2 Preferred and Innovation
To implement this feature, reach out to your Palo Alto Networks account team,
who will open an SRE case to accommodate the request.
You can onboard a maximum of 25,000 remote networks and 50,000 IKE gateways
per tenant in a Prisma Access deployment. To accommodate this enhancement, the
following changes have been made to the Strata Cloud Manager web interface starting
with Prisma Access 5.1:
- Introducing pagination so that you can choose how many rows to display in a given page.
- Filtering is enabled for remote networks. After you apply filtering, you can sort the resulting output by name.
- A new Group By field is added. If you select a group by Compute Location, all groups display but are collapsed, and the page size you selected applies to the groups. If you select a compute location to expand it, the rows display based on the page size you selected.
- When remote networks are displayed in a drop-down, the web interface displays the first 500 items. You can find the desired remote network in the list by typing in the text box. In addition, the total number of remote networks displays.
- The following additional pages have pagination applied:
- IPSec Tunnels
- QoS
- QoS Statistics
- Troubleshooting—Remote Networks under External Dynamic Lists
Private IP Address Visibility and Enforcement for Agent Based Proxy Traffic
Supported in: Prisma Access 5.2 Preferred and Innovation
Users who connect to Prisma Access Explicit Proxy through the GlobalProtect
agent from branches can leverage the private IP addresses of their endpoints for
logging or to apply IP address-based enforcement.
IP Address Optimization for Explicit Proxy Users—Proxy Deployments
Supported in: Prisma Access 5.2 Preferred and Innovation
IP address optimization is a set of architectural enhancements that reduce the
overall number of IP addresses in your deployment, simplifying your allow listing
workflows while improving resiliency and enabling faster onboarding of Prisma Access
tenants.
IP Address Stickiness
With IP address stickiness, you can secure the SaaS apps and websites that require
user sessions to maintain the same egress IP address of Prisma Access throughout the
user session.
Simplify SaaS Applications Onboarding
Adding a Prisma Access location or experiencing a scaling event at an existing Prisma Access
location could lead to new IP addresses being allocated to your Explicit Proxy
deployments. It's a best practice to retrieve the new egress and gateway IP
addresses and add them to an allow list of the SaaS applications. IP
address optimization reduces the number of IP addresses that you have to manage in
large deployments.
Explicit Proxy China Support
Supported in: Prisma Access 5.2 Preferred and Innovation
Prisma Access supports Explicit Proxy deployments in China.
Remote Networks—High Performance
Supported in: Prisma Access 5.2 Preferred and Innovation
Prisma Access offers a comprehensive solution for high-bandwidth IPSec
termination, supporting large sites, automated load balancing, simplified
onboarding, regional redundancy, single egress IP management, and compatibility with
various SD-WAN solutions including Prisma SD-WAN. These features collectively
enhance the scalability, performance, and reliability of remote site connectivity.
As your business scales and your office locations become geographically distributed,
you can quickly onboard a branch site with a high bandwidth using a Prisma Access
performant remote network, also known as a Remote
Network—High Performance. These networks offer the following benefits:
- Supports up to 3 Gbps aggregate bandwidth per service IP address or service endpoint address, providing you with a reduced number of IP addresses or FQDNs to use for IPSec tunnel termination.
- Includes regional redundancy to improve availability and fault tolerance.
- Uses NAT to reduce public egress IP addresses.
- Simplifies onboarding with in-product recommendations for choosing locations based on geographic availability.
- Includes support for Link Quality Metrics (LQM), where Prisma SD-WAN determines link quality by actively probing the Secure Fabric VPN paths over public and private transports and the private WAN underlay paths. The probes provide a constant measurement of network performance metrics, such as jitter, latency, and packet loss. These metrics, along with application-specific performance metrics and Layer 1 through Layer 7 reachability, inform traffic forwarding decisions for new and existing application flows.
Route Summarization for Dynamic Privilege Access
Supported in: Prisma Access (Managed by Strata Cloud Manager) 5.2 Innovation
On Dynamic Privilege Access-enabled Prisma
Access tenants, you can summarize routes when advertising the Mobile User (MU)
routes to your on-premises network. Route summarization is beneficial for
enterprises that have on-premises equipment that has limited capacity such as basic
cloud routers. By reducing the demand on these devices, route summarization ensures
that the devices won't exceed their route capacity when communicating with the data
center.
To enable route summarization, configure
global summary pools that consist of lists of large IP pools that can be used across
multiple projects. Then, enable route summarization in the Prisma Access service
connection. When a user uses the Prisma Access Agent to connect to a project that
has an IP address within the range of the configured global summary pools, the
service connection will advertise the global summary pool instead of the smaller
project-level route. This helps reduce the number of routes that are sent to the
network.
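The summarization rule described above is simple to model: each project-level route is replaced by the global summary pool that contains it, and routes that no summary pool covers are advertised as-is. The following model is an added example, not code from Prisma Access or Palo Alto Networks; the summary pools and project pools are constructed sample values, and the overlap check on summary pools is an added sanity check a network engineer would run before committing the configuration.

```python
from ipaddress import ip_network

# Constructed sample configuration (hypothetical values, not from the documentation).
GLOBAL_SUMMARY_POOLS = [
    ip_network("10.200.0.0/14"),   # covers 10.200.0.0 - 10.203.255.255
    ip_network("10.204.0.0/15"),   # covers 10.204.0.0 - 10.205.255.255
]

PROJECT_POOLS = {
    "project-a": ip_network("10.200.16.0/22"),
    "project-b": ip_network("10.201.0.0/20"),
    "project-c": ip_network("10.204.8.0/24"),
    "project-d": ip_network("192.168.50.0/24"),  # outside every summary pool
}


def overlapping_summary_pools(summary_pools):
    """Return pairs of summary pools that overlap each other.

    Overlapping summaries make the advertised route ambiguous, so a clean
    configuration returns an empty list.
    """
    pools = [ip_network(p) for p in summary_pools]
    return [
        (a, b)
        for i, a in enumerate(pools)
        for b in pools[i + 1:]
        if a.version == b.version and a.overlaps(b)
    ]


def covering_summary(route, summary_pools):
    """Return the summary pool that fully contains `route`, or None."""
    route = ip_network(route)
    for pool in summary_pools:
        pool = ip_network(pool)
        if pool.version == route.version and route.subnet_of(pool):
            return pool
    return None


def advertised_routes(project_pools, summary_pools, summarize=True):
    """Routes the service connection advertises to the on-premises network.

    With summarization on, a project route inside a summary pool is replaced by
    that pool; routes outside every pool are advertised unchanged. Duplicates
    collapse, which is where the route-count reduction comes from.
    """
    advertised = set()
    for route in project_pools.values():
        summary = covering_summary(route, summary_pools) if summarize else None
        advertised.add(summary if summary is not None else ip_network(route))
    return sorted(advertised, key=lambda n: (n.version, n))


if __name__ == "__main__":
    assert not overlapping_summary_pools(GLOBAL_SUMMARY_POOLS), "summary pools overlap"
    print("without summarization:", advertised_routes(PROJECT_POOLS, GLOBAL_SUMMARY_POOLS, summarize=False))
    print("with summarization:   ", advertised_routes(PROJECT_POOLS, GLOBAL_SUMMARY_POOLS))
```

With the constructed data, four project routes collapse to three advertised routes: the two summary pools plus the uncovered 192.168.50.0/24. The gain grows with the number of projects per summary pool, which is the capacity relief the feature targets.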
SC-NAT Support for Dynamic Privilege Access with CIAM
Supported in: Prisma Access 5.2 Innovation
Use SC-NAT support for Dynamic Privilege Access (DPA) if you use
DPA and have created service connections to access private apps in your data center
or headquarters location. Multiple projects in your DPA environment can experience
IP address exhaustion if the IP addresses of the Infrastructure Subnet overlap. To
fix this issue, Prisma Access can implement source NAT (SNAT) for IP addresses,
which:
- Lets Prisma Access map a single IP address for a mobile user accessing private apps using a service connection
- Provides you with SNAT for easy routing
- Eliminates IP Pool overlap
- Eliminates IP Pool IPv4 exhaustion between Prisma Access and your data center or headquarters location
Simplified Prisma Access Private App Connectivity
Supported in: Prisma Access 5.2 Preferred and Innovation
One way to access a private app is by using a service connection, also known as a
Service Connection-Corporate Access Node (SC-CAN). It can be difficult to
connect to private apps using service connections because:
- Nondeterministic throughput of the private app due to SC-CAN bottlenecks
- Latency due to incorrect transit hops
- Operational complexity in deploying SC-CANs
To solve this issue, Prisma Access has made routing infrastructure
enhancements that:
- Eliminate SC-CAN bottlenecks by improving the internal network
- Orchestrate an anchor SC-CAN when required, preventing incorrect transit hops and inefficient routing
This design offers the following benefits:
- Routing setup that is easier to deploy
- Easy day zero setup
- Deterministic 1 Gbps bandwidth from a given SC-CAN to the data center or headquarters location where the private app is located
Simplify Prisma Access SaaS Connectivity with IP Optimization for Mobile Users and Explicit Proxy Deployments
Supported in: Prisma Access 5.2 Preferred and Innovation
Prisma Access expands on the IP Optimization functionality by offering it for
Explicit Proxy as well as Mobile Users—GlobalProtect.
For Mobile Users—GlobalProtect deployments, when a large number of users access a
GlobalProtect gateway from a location, Prisma Access autoscales the location and
adds another GlobalProtect gateway. IP Optimization uses a NAT layer so that the
autoscaled gateway uses the same IP address as the previously allocated IP address,
thus eliminating the need to add extra IP addresses to your organization's allow
lists.
Prisma Access expands the NAT layer to Explicit Proxy Security Processing Nodes
(SPNs) as well as Mobile User SPNs, reducing the need to allow list IP addresses for
Explicit Proxy deployments. This Explicit Proxy NAT layer is beneficial if you're
setting up a Mobile Users and Explicit Proxy deployment in Proxy Mode or Tunnel and Proxy Mode.
TLS 1.3 and PubSub Support for Traffic Replication
Supported in: Prisma Access 5.2 Preferred and Innovation
If you're a large organization using Traffic Replication, you can have the
following challenges in deploying and using it:
- Tools that consume the packet capture (PCAP) files require frequent queries of the buckets to cope with a large number of PCAP files. The tools might create overhead on the buckets and their use might be limited by the cloud providers.
- When using the PCAP files for forensic analysis, accessing SSL decrypted traffic provides better efficacy, and a significant amount of the traffic is TLS 1.3 encrypted.
To solve these issues, Prisma Access offers these enhancements that allow third-party
tools to be more efficient and easier to scale:
- Pub/Sub Notifications—Prisma Access proactively sends a Pub/Sub notification when a new PCAP file is uploaded to the storage bucket. Using Pub/Sub notifications for new PCAP files eliminates the need to develop tools that notify you when there are new files in the buckets.
- TLS 1.3 Decryption Support—Prisma Access uses TLS 1.3 when decrypting PCAP files, thus providing deeper visibility into the traffic. This support applies to remote network deployments where you have enabled the use of SSL/TLS decryption policy rules on PCAP files.
View and Monitor Colo-Connect
Supported in: Prisma Access 5.2 Preferred and Innovation
Prisma Access Colo-Connect builds on the colo-based
performance hub concept, with high-bandwidth private connections along with Layer
2/3 connectivity to Prisma Access from existing performance hubs. Colo-Connect
leverages the cloud-native GCP interconnect technology to provide high-bandwidth
service connections to your private applications. Go to Monitor > Data Centers > Service Connections to view and monitor your private connectivity to hybrid cloud and
on-premises data centers over cloud interconnects.
View Prisma Access, Dataplane, and Application and Threats Content Versions in Strata Cloud Manager and Panorama
Supported in: Prisma Access (Managed by Strata Cloud Manager) 5.2 Preferred and Innovation
To give you more information about your Prisma Access (Managed by Strata Cloud
Manager) deployments, the Software Information area in the Overview page (Manage > Configuration > NGFW and Prisma Access > Overview in Strata Cloud Manager) and the Prisma Access Version area (Panorama > Cloud Services > Configuration > Service Setup in Panorama) provide you with the following information:
- Prisma Access version
- PAN-OS dataplane version
- Release Type (Preferred or Innovation)
- Applications and Threats content version
ZTNA Connector Support for Commitless App Onboarding
Supported in: Prisma Access 5.2 Innovation
With the commitless onboarding enhancement, you have an improved experience when
onboarding, modifying, or removing applications. The previous delay of 5-10 minutes
is eliminated, resulting in a faster process. Your application onboarding time now takes
less than 1 minute, allowing you to quickly and efficiently manage your
applications. Additionally, the enhanced scale of the ZTNA Connector caters to the
needs of large customers who manage more than 10,000 applications. You have the
capability to onboard a larger number of applications, providing you with greater
flexibility and efficiency in your operations.