Changes to Default Behavior
Focus
Focus

Changes to Default Behavior

Table of Contents

Changes to Default Behavior

The following tables detail the changes in default behavior for the Cloud Services Plugin version 3.0 Innovation and Preferred.

Changes to Default Behavior—Prisma Access 3.0 Preferred

The following table details the default behavior changes for 3.0 Preferred.
Component
Change
QoS Profile Requirements for Remote Networks that Allocate Bandwidth by Compute Location
If your remote network deployment allocates bandwidth by compute location and you want to implement QoS for traffic marking and shaping for remote networks after you upgrade to Prisma Access 3.0 Preferred, be sure to use a Class Bandwidth Type of Percentage instead of Mbps in your QoS profiles. Prisma Access does not support bandwidth types of Mbps in QoS profiles for deployments that allocate bandwidth by compute location.
WildFire India Cloud Support Changes
Because of the remapping of the Prisma Access India locations to the WildFire India Cloud (in.wildfire.paloaltonetworks.com), make a note of the following changes:
  • The following locations map to the WildFire India Cloud: India North, India South, India West
  • Prisma Access will generate a WildFire API key that you can use for WildFire verdicts and report fetching.
Exclude Video Traffic from the Global Protect Tunnel (Windows and MACOS only) Enabled by Default for New Mobile User - Global Protect Deployments
New Prisma Access Mobile User—GlobalProtect deployments will enable the exclude video traffic applications from the VPN tunnel option for Windows and MacOS GlobalProtect agents. The video applications that will be excluded from the GlobalProtect tunnel are: Dailymotion, Hulu, Netflix, YouTube, Sling, Vimeo, Xfinity TV, and Youku.
For Cloud Managed Prisma Access deployments, this feature is automatically enabled. For Prisma Access Panorama Managed deployments, Prisma Access enables NetworkGlobalProtectGatewaysGlobalProtect_External_GatewayAgentVideo TrafficExclude video traffic from the tunnel (Windows and macOS only).
Prisma Access UI and New Compute Location Names
As a result of the compute location additions being added for 3.0, the Prisma Access UI will reflect the following remote network compute location-to-location remapping:
  • The Australia South location will show as being in the Australia South compute location.
  • The Canada Central location will show as being in the Canada Central (Toronto) compute location.
  • The India North location will show as being in the India North compute location.
Data Redistribution Agents on Mobile User Template Do Not Support IP User Mappings and HIP Data Types
If you configure a Data Redistribution Agent (DeviceData Redistribution) on the Mobile_User_Template, do not specify the IP User Mappings and HIP Data types. A data redistribution agent is not required to distribute User-to-IP address and HIP mapping to the mobile user gateways, because this information is learned directly from the GlobalProtect app.

Changes to Default Behavior—Prisma Access 3.0 Innovation

Prisma Access 3.0 Innovation has all the changes to default behavior as 3.0 Preferred and includes the following additional changes to default behavior.
Component
Change
PAN-OS Dataplane Considerations for Prisma Access 3.0 Innovation Upgrades
If you are currently running Prisma Access 2.2 Preferred release and want to upgrade to 3.0 Innovation, your dataplane will change from 10.0 to 10.1. Before Palo Alto Networks upgrades your dataplane, you should check the Changes to Default Behavior and Upgrade/Downgrade Considerations for PAN-OS 10.1.
In addition, check that your IKE cryptographic cipher suites are compliant with the 10.0 dataplane and be sure to set Authentication to None if you use an AES-GCM algorithm for encryption in an IKE crypto profile.