Features Introduced in Prisma Access 2.0 Preferred

The following table describes the new features introduced in Prisma Access version 2.0 Preferred.
Prisma Access supports GlobalProtect versions 5.1 and 5.2. For a list of the Panorama software versions that are supported with Prisma Access, see Minimum Required Panorama Software Versions in the Palo Alto Networks Compatibility Matrix.
Feature
Description
WildFire Canada Region Support
Prisma Access supports the use of the WildFire Canada cloud (ca.wildfire.paloaltonetworks.com), which lets you adhere to data sovereignty and residency laws and to established data protection and privacy regulations.
Prisma Access automatically assigns the WildFire Canada region for any remote network connections or mobile user locations that are in the Canada East and Canada Central locations.
Additional Strata Logging Service Theaters
To allow better regional coverage for Strata Logging Service, you can now select from the following additional Strata Logging Service theaters:
  • Canada
  • Japan
  • Australia
  • Singapore
GlobalProtect App Log Collection for Troubleshooting Support
If you have a Prisma Access for Users license, you can quickly resolve mobile user connection, performance, and access issues by having GlobalProtect users generate an easy-to-read, comprehensive report on the endpoint and send it to Strata Logging Service for further analysis.
For Prisma Access 2.0 Preferred, you must use the CLI to set up the client certificate used between the GlobalProtect app and Strata Logging Service. See Set Up GlobalProtect Connectivity to Strata Logging Service for details.
Cloud Directory Support for Directory Sync
To allow you to integrate your organization’s cloud directory with Prisma Access, you can activate and use your Directory Sync instance with Azure Active Directory.
Support for Asymmetric Routing for Service Connections
Prisma Access removes the requirement for a symmetric network path for traffic returning from the data center; asymmetric flows are allowed through the Prisma Access backbone. This lets you configure ECMP or any other load-balancing mechanism for service connections to your CPE.
This capability is not enabled by default; to enable it, change the Backbone Routing options in your service setup settings.
(New if upgrading from the Cloud Services plugin 1.7) You allocate bandwidth for remote networks at an aggregate level per compute location.
The aggregate bandwidth model is available for all new Prisma Access deployments starting with the Cloud Services plugin 1.8 version and for existing deployments that have not had any remote networks onboarded before the release of the 1.8 plugin on November 17, 2020.
If you have a deployment using the Cloud Services plugin 1.7 with remote networks onboarded and you then upgrade to the Cloud Services Plugin 2.0 Preferred version, this model does not apply and you still apply bandwidth per location. If you upgrade to the Cloud Services Plugin 2.0 Innovation version, you can choose to allocate bandwidth by location or by compute location.
Secure inbound access for remote network sites and Quality of Service (QoS) for remote networks is not supported when you use the aggregate bandwidth model for remote network bandwidth allocation.
All locations you onboard share the allocated bandwidth for that compute location. For example, you need to onboard four branch offices using remote networks in the Singapore, Thailand, and Vietnam locations. All these locations map to the Asia Southeast compute location. If you allocate 200 Mbps bandwidth to the Asia Southeast compute location, Prisma Access divides the 200 Mbps of bandwidth between the four branch offices you onboarded in that location. If you also add a location in Hong Kong, Hong Kong maps to the Hong Kong compute location, and you would need to add bandwidth to that compute location. Specify a minimum bandwidth of 50 Mbps per compute location.
If one or more sites are not using a large amount of bandwidth, Prisma Access makes the remaining bandwidth available to other sites in that compute location.
(New if upgrading from the Cloud Services plugin 1.7) Prisma Access introduces an enhancement to the API you use to retrieve IP addresses that allows you to reserve gateway and portal IP addresses for mobile user locations ahead of time, before you enable them. This ability lets you add the mobile user egress IP addresses to your organization’s allow lists before you onboard the locations, which in turn gives mobile users access to external SaaS apps immediately after you onboard the locations.
The API response also includes the public IP pool subnets that are the source of the egress IP addresses for the requested locations. The gateway and portal addresses of any locations you add will be part of these subnets. Adding the subnets to your allow lists covers future location additions without allow list changes, which is beneficial if your organization's allow list size is limited.
The IP addresses and subnets are valid for 90 days after you retrieve them and expire after the validity period if you do not use them.
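The allow-list workflow above (reserve the addresses, add the advertised pool subnets rather than individual addresses, watch the 90-day validity) is shown below as an added example; this is not Palo Alto Networks code. The JSON response is constructed for illustration and its field names ("result", "zone", "addresses", "subnets") are an assumption, so adapt parse_response() to the actual output of the IP-retrieval API script.

```python
"""
Turn the addresses returned by the Prisma Access 'retrieve IP addresses' API
into allow-list entries and sanity-check them against the public IP pool
subnets that the same response advertises.

Added example, not Palo Alto Networks code.  The JSON below is constructed
for illustration; the real API carries more fields and the field names used
here ("result", "zone", "addresses", "subnets") are an assumption, so adjust
parse_response() to the response you actually receive.
"""
from __future__ import annotations

import ipaddress
import json
from datetime import date, timedelta
from typing import Dict, List

VALIDITY_DAYS = 90  # reserved addresses expire if unused after 90 days

# Constructed sample response: two mobile-user locations with reserved
# gateway/portal addresses and the pool subnets they are drawn from.
SAMPLE_RESPONSE = json.dumps({
    "status": "success",
    "result": [
        {"zone": "us-east-1",
         "addresses": ["203.0.113.17", "203.0.113.18"],
         "subnets": ["203.0.113.0/26"]},
        {"zone": "eu-west-1",
         "addresses": ["198.51.100.130"],
         "subnets": ["198.51.100.128/27"]},
    ],
})


def parse_response(raw: str) -> Dict[str, List[str]]:
    """Flatten the per-zone entries into one list of addresses and one of subnets."""
    doc = json.loads(raw)
    if doc.get("status") != "success":
        raise ValueError(f"API call failed: {doc}")
    addresses: List[str] = []
    subnets: List[str] = []
    for zone in doc["result"]:
        addresses.extend(zone.get("addresses", []))
        subnets.extend(zone.get("subnets", []))
    return {"addresses": addresses, "subnets": subnets}


def check_coverage(addresses: List[str], subnets: List[str]) -> List[str]:
    """Return every address that is NOT inside one of the advertised pool subnets.

    The release notes state that gateway and portal addresses are always part
    of the advertised subnets, so a non-empty result means either the response
    was mis-parsed or an allow list built from subnets alone would miss it.
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    return [a for a in addresses
            if not any(ipaddress.ip_address(a) in n for n in nets)]


def allow_list_entries(addresses: List[str], subnets: List[str],
                       prefer_subnets: bool = True) -> List[str]:
    """Build the minimal set of prefixes to add to an external allow list.

    With prefer_subnets=True (the better choice when the allow list is
    size-limited) the pool subnets are collapsed into as few prefixes as
    possible, so future locations drawn from the same pools need no change.
    With prefer_subnets=False only the individual addresses are listed as /32s.
    """
    if prefer_subnets:
        nets = [ipaddress.ip_network(s) for s in subnets]
    else:
        nets = [ipaddress.ip_network(a) for a in addresses]  # single hosts (/32)
    # collapse_addresses merges adjacent/overlapping prefixes and returns them sorted
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def expiry_date(retrieved_on: str) -> str:
    """ISO date after which unused reserved addresses are released (90-day validity)."""
    return (date.fromisoformat(retrieved_on) + timedelta(days=VALIDITY_DAYS)).isoformat()


if __name__ == "__main__":
    data = parse_response(SAMPLE_RESPONSE)
    missing = check_coverage(data["addresses"], data["subnets"])
    print("addresses outside advertised subnets:", missing or "none")
    print("allow-list entries (subnets):", allow_list_entries(data["addresses"], data["subnets"]))
    print("allow-list entries (/32 only):",
          allow_list_entries(data["addresses"], data["subnets"], prefer_subnets=False))
    print("reserved addresses retrieved 2021-01-01 expire on:", expiry_date("2021-01-01"))
```

Run it once against a real response before the maintenance window: an empty check_coverage() result confirms that the subnet entries alone cover every reserved gateway and portal address, and expiry_date() tells you the last day by which the locations must be onboarded for the reservation to still hold.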
(New if upgrading from the Cloud Services plugin 1.7) Prisma Access offers the following enhancements to traffic steering:
  • Multi-tenancy is supported with traffic steering.
  • You can enable and disable Source NAT (SNAT) for dedicated service connections.
(New if upgrading from the Cloud Services plugin 1.7) Prisma Access increases its maximum fully-supported remote network bandwidth from 300 Mbps to 500 Mbps, and 500 Mbps is now supported with SSL decryption.
(New if upgrading from the Cloud Services plugin 1.7) Prisma Access supports custom and scheduled reports from the Panorama that manages Prisma Access.
The ability to run custom and scheduled reports requires a minimum Panorama version of 10.0.2.
(New if upgrading from the Cloud Services plugin 1.7) To optimize performance and improve latency, Prisma Access adds a new compute location in Japan and also changes the mapping of the following locations:
  • Colombia—Moved from the South America East compute location to the US Southeast compute location.
  • Mexico West—Moved from the US Southeast compute location to the US Southwest compute location.
  • Japan South—Moved from the Asia Northeast 1 compute location to the new Asia Northeast 2 compute location.
If you add the locations after your organization installs the Cloud Services 2.0 plugin Preferred or Innovation, Prisma Access associates the new compute locations automatically.
If you are upgrading to the Cloud Services plugin 2.0 Preferred or Innovation and you have already onboarded these locations, complete the following steps to take advantage of the new compute location:
To reduce down time for mobile user deployments, you can use the new API to pre-allocate the new gateway and portal IP addresses before you perform these steps.
  1. Delete the location associated with the new compute location.
  2. Commit and push your changes.
  3. Re-add the locations you just deleted.
  4. Commit and push your changes.
  5. Retrieve the new gateway and portal IP addresses (for mobile users) or the new egress IP addresses (for remote networks) using the API script.
  6. Make a note of the new IP addresses and add them to your allow lists.
Since you need to allow time to delete and add the existing location and change your allow lists, Palo Alto Networks recommends that you schedule a compute location change during a maintenance window or during off-peak hours.
(New if upgrading from the Cloud Services plugin 1.7) Prisma Access offers the following enhancements to assist you when the same public address space is used externally and internally by private apps:
  • Enable automatic IKE peer host routes for Remote Networks and Service Connections—This option allows Prisma Access to automatically add a host-specific static route to the static IKE gateway peer for the IPSec tunnel on the Remote Network security processing node (SPN) and Service Connection corporate access node (CAN).
  • Specify Outbound Routes—This enhancement allows you to add up to 10 prefixes for which static routes are added on all SPNs and CANs, and Prisma Access routes traffic to these prefixes over the internet.
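Both options address the same routing problem: if a public prefix is advertised internally (a private app using public addresses) and the CPE's IKE peer falls inside that prefix, longest-prefix match sends the IKE/IPSec traffic into the tunnel it is supposed to establish. The following added example (not Palo Alto Networks code) models this with a small longest-prefix-match lookup over a constructed route table; the prefixes, the egress labels "internet" and "service-connection", and the way the two options are represented as extra routes are assumptions for illustration, while the 10-prefix limit comes from the release notes.

```python
"""
Why the 'Enable automatic IKE peer host routes' and 'Specify Outbound Routes'
options matter when public address space is also advertised internally.

Added example, not Palo Alto Networks code: a minimal longest-prefix-match
lookup over a constructed route table that models an SPN or CAN with a
default route toward the internet and a public /24 learned over the service
connection (a private app that uses public addresses).  The prefixes and
egress labels are assumptions for illustration; only the 10-prefix limit
comes from the release notes.
"""
from __future__ import annotations

import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, egress)
MAX_OUTBOUND_ROUTES = 10  # limit stated in the release notes


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific route containing dst wins."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for prefix, egress in table:
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, egress)
    return best[1] if best else None


def base_table() -> List[Route]:
    """Default route to the internet plus a public prefix reachable only via the tunnel."""
    return [
        (ipaddress.ip_network("0.0.0.0/0"), "internet"),
        (ipaddress.ip_network("203.0.113.0/24"), "service-connection"),
    ]


def with_ike_peer_host_route(table: List[Route], peer: str) -> List[Route]:
    """Model the automatic IKE peer host route: a /32 for the static IKE peer via the internet."""
    return table + [(ipaddress.ip_network(f"{peer}/32"), "internet")]


def with_outbound_routes(table: List[Route], prefixes: List[str]) -> List[Route]:
    """Model 'Specify Outbound Routes': up to 10 prefixes pinned to the internet."""
    if len(prefixes) > MAX_OUTBOUND_ROUTES:
        raise ValueError(f"at most {MAX_OUTBOUND_ROUTES} outbound route prefixes are allowed")
    return table + [(ipaddress.ip_network(p), "internet") for p in prefixes]


if __name__ == "__main__":
    peer = "203.0.113.10"  # CPE's IKE peer address, inside the internally advertised /24
    print("without host route, IKE peer goes via:", lookup(base_table(), peer))
    fixed = with_ike_peer_host_route(base_table(), peer)
    print("with host route, IKE peer goes via:   ", lookup(fixed, peer))
    print("other hosts in the /24 still go via:  ", lookup(fixed, "203.0.113.20"))
    pinned = with_outbound_routes(fixed, ["203.0.113.64/26"])
    print("outbound-route prefix goes via:       ", lookup(pinned, "203.0.113.70"))
```

The host route only changes the path for the single peer address, so the rest of the internally advertised prefix still reaches the private app over the service connection; the outbound-route prefixes do the same for whole subnets that must stay on the internet path.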
WildFire UK Cloud Support
(New if upgrading from the Cloud Services plugin 1.7) Prisma Access supports the use of the WildFire UK cloud for Prisma Access (uk.wildfire.paloaltonetworks.com), which is designed to adhere to data sovereignty and residency laws as well as established data protection and privacy regulations.