Features in Prisma Access 3.1
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Features in Prisma Access 3.1
This section lists the new features that are available
in Prisma Access 3.1, along with upgrade information and considerations
if you are upgrading from a previous Prisma Access version.
- Cloud Services Plugin 3.1
- Upgrade Considerations for 3.1 Prisma Access Releases
- Minimum Required Software Versions
- New Features—Prisma Access 3.1.2 Preferred and Innovation
- New Features—Prisma Access 3.1.1 Preferred and Innovation
- New Features—Prisma Access 3.1 Preferred
- New Features—Prisma Access 3.1 Innovation
- New Features—Prisma Access 3.1.1 Preferred and Innovation
Cloud Services Plugin 3.1
Prisma Access 3.1 uses a single plugin for both 3.1
Preferred or 3.1 Innovation. By default, the plugin will run 3.1
Preferred. To upgrade to 3.1 Innovation, reach out to your Palo
Alto Networks account representative and submit a request.
Upgrade Considerations for 3.1 Prisma Access Releases
To upgrade to Prisma Access 3.1 Preferred, use one of
the following upgrade paths.
To find your plugin version, select PanoramaCloud ServicesConfigurationService Setup in
Panorama and check the plugin version in the Plugin Alert area.
Installed Cloud Services Plugin Version | Targeted 3.1 Version | Upgrade Path |
---|---|---|
Releases earlier than 2.2 Preferred | 3.1 Preferred |
|
2.2 Preferred | 3.1 Preferred |
Direct
upgrades from Prisma Access 2.2 to 3.1 are not supported. |
All Prisma Access Releases | 3.1 Innovation | To upgrade to 3.1 Innovation, reach out
to your Palo Alto Networks account representative and submit a request.
The request will be reviewed internally and, if approved, your deployment
will be upgraded to 3.1 Innovation. |
Minimum Required Software Versions
For the minimum Panorama version that is supported with
Prisma Access 3.1, see Prisma Access and Panorama Version
Compatibility in the Palo Alto Networks Compatibility
Matrix.
If you have a Cloud Managed Prisma Access deployment, plugin
upgrades are not required; however, the GlobalProtect versions apply
to both Panorama and Cloud Managed versions of Prisma Access.
Prisma Access supports any GlobalProtect version that is not End-of-Life (EoL). A minimum of
GlobalProtect 5.2.5 is required for GlobalProtect App Log Collection for
Troubleshooting. The Autonomous DEM (ADEM) documentation has
the minimum GlobalProtect and Content Release versions required for ADEM.
New Features—Prisma Access 3.1.2 Preferred and Innovation
The following features are added for Prisma Access 3.1.2
Preferred and Innovation. To find the new features for Cloud Managed
Prisma Access, see the new features list in
the Prisma Access Release Notes (Cloud
Managed).
To unlock the 3.1.2 features, use a minimum Cloud Services
plugin of 3.1.0-h50.
Feature | Description |
---|---|
Panorama 10.2.2 Support | Starting with the Cloud Services plugin version
of 3.1.0-h50, Prisma Access supports a Panorama version of 10.2.2. A
minimum Panorama version of 10.2.2-h1 is required. Do not install Panorama 10.2.2-h1 on the
Panorama that manages Prisma Access until after you have installed
a minimum hotfix plugin version of 3.1.0-h50. In addition, 10.2
Panorama versions lower than 10.2.2 (for example, 10.2.1), or 10.2.2
versions lower than 10.2.2-h1, are not supported for use with Prisma Access. If
you use a Panorama of 10.2.2 with Prisma Access, be aware of the
following PAN-OS Known Issues and Prisma Access Known Issues that are applicable to deployments
running Panorama 10.2.2-h1 with Prisma Access: You
can still use other PAN-OS versions as described in the Compatibility Matrix. |
Support for RFC 6598 Addresses in Prisma Access Infrastructure IP Addresses | If your enterprise uses RFC 6598 IP addresses
as a part of your enterprise routable address space, you can use
that address space in the following Prisma Access infrastructure
IP addresses:
The
following functionality is not supported with RFC 6598 addresses: To
enable the use of 100.64.0.0/10 addresses in infrastructure addresses,
reach out to your Palo Alto Networks account representative or partner
and submit a request. An upgrade to 3.1 Innovation is required. |
Block Incoming Connections from Specific Countries for GlobalProtect, Explicit Proxy, and Remote Network Deployments | Prisma Access allows you to create security policy rules to block login attempts
for Remote Network, Mobile Users—GlobalProtect, and Mobile
Users—Explicit Proxy deployments from countries you specify.
Prisma Access blocks incoming connections from the countries you
specify based on the geo location information from the source IP
address of the client. Block these countries
using the following combination of Rule names, tags, and actions: Rule
names:
Tag:
PA_predefined_embargo_rule Action: Drop To drop traffic
by country, specify one or more countries in the Source tab
of the security policy rule. |
Remapped Prisma Access Locations | To better optimize performance of Prisma Access
locations, the following locations are remapped to the Chile compute
location:
New deployments have the new remapping
applied automatically. If you have an existing Prisma Access deployment
that uses one of these locations and you want to take advantage
of the remapped compute location, follow the procedure to Add a new compute location to
a deployed Prisma Access location. |
New Features—Prisma Access 3.1.1 Preferred and Innovation
The following features are added for Prisma Access 3.1.1
Preferred and Innovation.
To unlock the 3.1.1 features, use a minimum Cloud Services
plugin of 3.1.0-h10.
Feature | Description |
---|---|
Dynamic DNS Registration Support for Mobile Users—GlobalProtect | Prisma Access supports the updating of enterprise
DNS servers with mobile users’ A (Address) and PTR (Pointer) records
using Dynamic DNS (DDNS) registration. This functionality allows
system administrators or user management software to access the
remote endpoint with FQDN for troubleshooting and software updates. |
New Features—Prisma Access 3.1 Preferred
The following table describes the new features that
are available with Prisma Access 3.1 Preferred.
Feature | Description |
---|---|
New Prisma Access Compute Location for Chile Location | To optimize performance and reduce latency,
Prisma Access adds a new compute location that is hosted in Chile
(South America West), and maps the Chile location to that compute
location. This new compute region is available as of March 28, 2022,
at 12 p.m. UTC. If you add Chile after you install the Cloud Services
3.1 plugin, Prisma Access associates the new compute location automatically.
If you are upgrading from an existing Prisma Access location, you
can use this procedure to
migrate to the new compute location for Chile. |
Multitenant Support for New Cloud Managed Prisma Access Deployments | New Cloud Managed Prisma Access deployments
support multitenancy using a single cloud-based Prisma SASE Multitanant Cloud
Management Platform, which allows Managed Security Service Providers
(MSSPs) and distributed enterprises to manage the tenants and users
that you create for your Prisma Access instances, and to monitor
those instances. Alternatively, if you are a new customer but
not licensed as an MSSP, you can still use cloud-managed multitenancy
if you want to configure your new Prisma Access deployment into
a hierarchy of business verticals or geographic locations. |
Support for CASB Bundle and Activation | Palo Alto Networks provides a SKU that allows
you to purchase and activate all the components required for the
cloud access security broker (CASB) security offering, which includes
the following products:
|
Multitenant Support for Cloud Managed Explicit Proxy Deployments | New Cloud Managed Prisma Access deployments
will support using multitenancy in Explicit Proxy deployments, which
will allow managed security service providers to manage multiple
Prisma Access tenants from a single cloud-based Prisma SASE Multitenant
Platform. |
New Features—Prisma Access 3.1 Innovation
Version 3.1 Innovation includes all the features in
3.1 Preferred and adds the following features.
Feature | Description |
---|---|
Migration Support for Legacy Per-Location Bandwidth Model with QoS to Aggregate Bandwidth Model | If you use QoS with your current
Prisma Access remote network deployment and you allocate bandwidth
by location, you can migrate to an aggregate bandwidth
deployment (a deployment that allocates bandwidth by compute
location instead of Prisma Access location), while retaining your
existing QoS policies and profiles. Using the aggregate bandwidth
model, you allocate bandwidth at an aggregate level per compute location, and
Prisma Access dynamically allocates the bandwidth based on load
or demand per location. When you migrate to the allocated bandwidth
model, the bandwidth per location can change if you have multiple
locations onboarded in a single compute location; for
this reason, Palo Alto Networks recommends that
you change your QoS profiles to have a Class Bandwidth Type of Percentage. |
Explicit Proxy Enhancements | In addition to the Explicit Proxy enhancements
described for 3.0 Preferred,
Prisma Access offers the following additional enhancements for 3.0 Innovation:
|
Multi-Cloud Vendor Redundancy for Service Connections | To provide additional redundancy for service
connections, Prisma Access will let you onboard active and backup
service connections from different cloud providers in the same location,
or from different Prisma Access compute locations. Prisma Access
provides you with a list of the supported in-country service
connections you can use as active and backup locations. |