Compatibility Matrix
Prisma Access
Table of Contents
Prisma Access
Learn about compatibility information for Prisma® Access.
The following topics provide support information for Prisma® Access:
What Features Does Prisma Access Support?
Prisma® Access helps you to deliver consistent security to your remote networks and
mobile users. There are two ways that you can deploy and manage Prisma Access:
- Cloud Managed Prisma Access—If you're not using Panorama™ software to manage your next-generation firewalls, the Prisma Access app on the hub gives you a simplified way to onboard and manage Prisma Access.
- Panorama Managed Prisma Access—If you're already using Panorama software to manage your next-generation firewalls, you can use Panorama to deploy Prisma Access and leverage your existing configurations. However, you’ll need the Cloud Services plugin to use Panorama for Prisma Access.
The features and IPSec parameters supported for Prisma Access vary depending on the
management interface you’re using—Panorama or the Prisma Access app. You cannot
switch between the management interfaces after you activate your Prisma Access
license. This means you must decide how you want to manage Prisma Access before you
begin setting up the product. Review the Prisma Access Feature Support information to help you select your management interface.
For a description of the features supported in GlobalProtect™, see the features that GlobalProtect
supports.
Prisma Access Feature Support
The following sections provide you with the supported features and network settings
for Prisma Access (both Panorama managed and Cloud managed).
Management
Feature | Prisma Access (Cloud Managed) | Prisma Access (Panorama Managed) |
---|---|---|
Default Configurations
Default settings enable you to get started quickly and
securely
|
√
Examples include:
|
—
|
Built-in Best Practice Rules
To ensure that your network is as secure as possible, enable your
users and applications based on best practice templates. With
best practices as your basis, you can then refine policy based
on your enterprise needs.
|
√
Features with best practice rules include:
|
—
|
Onboarding Walkthroughs for First-Time Setup
|
Guided walkthroughs include:
|
—
|
Centralized Management Dashboards
These can include best practice scores and usage information
|
√
Dashboards are available for features including:
|
—
|
Hit Counts
|
√
Hit counts for Security profiles include counts that measure the
profile’s effectiveness, and these can depend on the profile
(for example, unblocked critical and high severity
vulnerabilities, or WildFire submission types).
| |
Policy Rule Usage
|
√
| |
Remote Networks
Feature
|
Prisma Access (Cloud Managed)
|
Prisma Access (Panorama Managed)
|
---|---|---|
IPSec Tunnels
See the list of Supported IKE Cryptographic Parameters.
We do not support FQDNs for peer IPSec addresses; use an IP
address for the peer address instead.
|
√
|
√
|
Tunnel Monitoring
| ||
Dead Peer Detection (DPD)
|
√
|
√
|
ICMP
|
√
|
√
|
Bidirectional Forwarding Detection (BFD)
|
—
|
—
|
Service Connections
Feature
|
Prisma Access (Cloud Managed)
|
Prisma Access (Panorama Managed)
|
---|---|---|
IPSec Tunnels
See the list of Supported IKE Cryptographic Parameters.
|
√
|
√
We do not support FQDNs for peer IPSec addresses; use an IP
address for the peer address instead.
|
Tunnel Monitoring
| ||
Dead Peer Detection (DPD)
|
√
|
√
|
ICMP
|
√
|
√
|
Bidirectional Forwarding Detection (BFD)
|
—
|
—
|
Traffic Steering
(using policy-based forwarding rules to forward internet-bound
traffic to service connections)
|
Introduced in 1.7.
|
Mobile Users—GlobalProtect
Feature
|
Prisma Access (Cloud Managed)
|
Prisma Access (Panorama Managed)
|
---|---|---|
Using On-Premises Gateways (Hybrid Deployments) | ||
On-premises gateway integration with Prisma Access
|
√
|
√
We support using on-premises gateways with Prisma Access
gateways.
|
Priorities for Prisma Access and On-Premises Gateways
|
√
|
√
Supported for
deployments that have on-premises GlobalProtect gateways. You
can set a priority separately for on-premises gateways and
collectively for all gateways in Prisma Access. You can also
specify source regions for on-premises gateways.
|
Manual Gateway Selection
Users can manually select a cloud gateway from their client
machines using the GlobalProtect app.
| ||
GlobalProtect Gateway Modes
| ||
External Mode
|
√
|
√
|
√
Introduced in 5.1 Preferred and Innovation.
If you are running a version below 5.1 Innovation, you can add
one or more on-premise gateways and configure them as internal
gateways.
|
√
Introduced in 5.1 Preferred and Innovation.
If you are running a version below 5.1 Innovation, you can add
one or more on-premise gateways and configure them as internal
gateways.
| |
GlobalProtect App Connect Methods
| ||
User-Logon (always on)
|
√
|
√
|
Pre-Logon (always on)
|
√
|
√
|
Pre-Logon (then on-demand)
|
√
|
√
|
On-Demand
|
√
|
√
|
Clientless VPN | ||
Mobile User—GlobalProtect Features | ||
MDM Integration with HIP
Prisma Access does not support AirWatch MDM HIP service
integration; however, you can use the GlobalProtect App for iOS and
Android MDM Integration for HIP-Based Policy
Enforcement
|
√
|
√
|
DHCP
Prisma Access uses the IP address pools you
specify during mobile user setup to assign IP addresses to
mobile users and does not use DHCP.
|
—
|
—
|
GlobalProtect App Version Controls
|
√
One-click configuration for GlobalProtect agent log
collection
|
Mobile Users—Explicit Proxy
Feature
|
Prisma Access (Cloud Managed)
|
Prisma Access (Panorama Managed)
|
---|---|---|
Explicit Proxy Connectivity in GlobalProtect for Always-On
Internet Security
|
Introduced in 4.0 Preferred with GlobalProtect app version
6.2
|
Introduced in 4.0 Preferred with GlobalProtect app version
6.2
|
Security Services
Feature
|
Prisma Access (Cloud Managed)
|
Prisma Access (Panorama Managed)
|
---|---|---|
Security Policy
|
√
|
√
|
SaaS Application Management
|
Supported for:
|
—
|
IoT Security |
√
|
√
|
Security Profiles | ||
Supported Profile Types
|
√
|
√
|
Dashboards for Security Profiles
|
Dashboards are tailored to each profile, and give you:
|
—
|
√
|
√
We support HTTP response pages for mobile users and users at
remote networks. To use HTTPS response pages, open a CLI session
in the Panorama that manages Prisma Access, enter the
set template Mobile_User_Template config
deviceconfig settingssl-decrypt
url-proxyyes command in
configuration mode, and commit your changes.
| |
HTTP Header Insertion
| ||
Decryption
| ||
SSL Forward Proxy |
√
|
√
|
SSL Inbound Inspection |
—
|
√
|
SSH Proxy |
—
|
√
|
Guided Walkthrough:
Turn on Decryption
|
√
|
—
|
Network Services
Feature
|
Prisma Access (Cloud Managed)
|
Prisma Access (Panorama Managed)
|
---|---|---|
Network Services | ||
Prisma Access uses the same QoS policy rules and QoS profiles and
supports the same DSCP markings as Palo Alto Networks
Next-Generation Firewalls.
|
√
|
√
We introduced QoS for Remote network deployments
that allocate bandwidth by compute location in 3.0
Preferred.
|
Application Override
|
√
|
√
|
IPv4 Addressing
|
√
|
√
|
IPv6 Addressing
Introduced in 2.2 Preferred.
|
√
|
√
|
Split Tunnel Based on Access Route
|
√
|
√
|
Split Tunnel Based on Destination Domain, Client Process, and
Video Streaming Application
|
√
|
√
|
NetFlow
|
—
|
—
|
NAT
Prisma Access automatically manages outbound NAT; you cannot
configure the settings.
|
√
|
√
|
SSL VPN Connections
|
√
|
√
|
Routing Features
| ||
Static Routing
|
√
|
√
|
Dynamic Routing (BGP)
|
√
|
√
|
Dynamic Routing (OSPF)
|
—
|
—
|
High Availability
| ||
SMTP
|
√
Prisma Access sometimes blocks SMTP port 25 for security reasons
and to mitigate the risk from known vulnerabilities that exploit
nonsecure SMTP. Palo Alto Networks recommends using ports 465,
587, or an alternate port 2525 for SMTP.
|
√
Prisma Access sometimes blocks SMTP port 25 for security reasons
and to mitigate the risk from known vulnerabilities that exploit
nonsecure SMTP. Palo Alto Networks recommends using ports 465,
587, or an alternate port 2525 for SMTP.
|
Identity Services
Feature
|
Prisma Access (Cloud Managed)
|
Prisma Access (Panorama Managed)
|
---|---|---|
Authentication Types | ||
SAML
|
√
|
√
|
√
Requires 3.0 Innovation or a later Innovation release.
|
√
Requires 3.0 Innovation or a later Innovation release.
| |
TACACS+
|
√
|
√
|
RADIUS
|
√
|
√
|
Local Database Authentication
|
√
|
√
|
Authentication Features | ||
Authentication Rules
|
√
|
√
|
Authentication Portal
|
√
|
√
|
√
Supported for both IPSec and mobile users with GlobalProtect.
|
√
Supported for both IPSec and mobile users with GlobalProtect.
| |
Single Sign-On (SSO)
|
√
|
√
|
√
Supported for the following platforms:
We support a maximum of 400 TS agents.
|
√
Supported for the following platforms:
We support a maximum of 400 TS agents.
| |
Cloud Identity Engine (Directory Sync Component) | ||
Directory Sync for User and Group-Based Policy
|
√
Supports on-premises Active Directory and Azure Active
Directory.
|
√
You can retrieve user and group
information using the Directory Sync component of the
Cloud Identity
Engine.
Prisma Access supports on-premises Active Directory, Azure Active
Directory, and Google IdP.
Introduced in 1.6.
Support for Azure Active Directory introduced in 2.0
Preferred.
Support for Google IdP introduced in 3.0 Preferred and
Innovation.
|
Identity Redistribution
|
√
|
√
|
Ingestion of IP address-to-username mappings from a third-party
integration (NAC)
|
—
|
√
|
√
|
√
Introduced in 1.7.
Requires Panorama running PAN-OS 9.1.1 or a later supported
PAN-OS version.
|
Policy Objects
Feature
|
Prisma Access (Cloud Managed)
|
Prisma Access (Panorama Managed)
|
---|---|---|
Addresses
|
√
|
√
|
Address Groups
|
√
|
√
|
Dynamic Address Groups (DAGs) and Auto-Tags
|
—
|
—
|
XML API - Based Dynamic Address Group Updates
|
—
|
√
|
Regions
|
√
|
√
|
App-ID (Applications)
|
√
|
√
|
√
|
—
We do not support commit warnings for Prisma Access.
| |
Application Groups |
√
|
√
|
Application Filters |
√
|
√
|
Services |
√
|
√
|
Service Groups |
√
|
√
|
Tags |
√
|
√
|
√
|
√
Introduced in 1.7.
Requires Panorama running PAN-OS 9.1.1 or a later supported
PAN-OS version.
| |
Auto-Tag Actions |
√
|
√
|
HIP Objects | ||
HIP-Based Security Policy |
√
|
√
|
HIP Report Submission |
√
|
√
|
HIP Report Viewing
|
—
|
√
Introduced in 1.5.
|
HIP Objects and Profiles
|
√
|
√
|
Certificate Management | ||
Custom Certificates
|
√
|
√
|
Palo Alto Networks Issued Certificates
|
√
|
√
|
Certificate Profiles
|
√
|
√
|
Custom Certificates
|
√
|
√
|
SSL/TLS Service Profiles
|
√
|
√
|
SSL
We support SSL only for mobile users, not for site-to-site
VPNs.
|
√
|
√
|
SCEPs
|
√
|
√
|
OCSP Responders
|
√
|
√
|
Default Trusted Certificate Authorities
|
√
|
√
|
Logs
Feature
|
Prisma Access (Cloud Managed)
|
Prisma Access (Panorama Managed)
|
---|---|---|
Strata™ Logging Service (formerly Cortex® Data Lake) Log
Storage
|
√
|
√
|
Forward logs stored in Strata Logging Service to syslog and email
destinations
|
√
|
√
|
Enhanced Mobile Users
Visibility for Administrators (GlobalProtect
logs)
|
√
|
√
Introduced in 1.7.
Requires Panorama running PAN-OS 9.1.1 or a later supported
PAN-OS version. If you use Panorama running a PAN-OS 9.0 (EoS)
version, you can still see traffic and HIP logs from Panorama
but you need to use the Explore app from the Hub to see the remaining logs.
|
Reports
Feature
|
Prisma Access (Cloud Managed)
|
Prisma Access (Panorama Managed)
|
---|---|---|
Reports
|
You can also use Dashboards for a
comprehensive view of the applications, ION devices, threats,
users, and security subscriptions at work in your network.
|
Introduced in Prisma Access 1.8.
|
App Report
|
This feature has the following Strata Logging Service-based
limitation:
SaaS Application Usage report (MonitorPDF ReportsSaaS Application Usage)—You cannot filter the logs for user groups (we
do not support the Include user group information in
the report option).
| |
Integration with Other Palo Alto Networks Products
Feature
|
Prisma Access (Cloud Managed)
|
Prisma Access (Panorama Managed)
|
---|---|---|
Cortex XSOAR integration
|
—
|
√
We support source IP-based allow lists and malicious user
activity detection.
|
Cortex XDR
integration
|
√
Prisma Access is compatible with the Cortex XDR version of Strata Logging
Service. Cortex XDR receives Prisma Access log
information from Strata Logging Service (formerly Cortex Data
Lake).
|
√
Prisma Access is compatible with the Cortex XDR version of Strata Logging
Service. Cortex XDR receives Prisma Access log
information from Strata Logging Service (formerly Cortex Data
Lake).
|
Prisma SaaS
integration
|
√
We support SaaS visibility with Strata
Logging Service.
|
√
We support SaaS visibility with Strata
Logging Service.
|
Multitenancy Unsupported Features and Functionality
We do not support the following Prisma Access (Panorama managed) features in a multitenant deployment:
In addition, a Panorama managed multitenant deployment has changes to the following
functionality:
- You cannot view your Panorama managed tenants under Common Services: Tenant Management.
- For Panorama Managed Prisma Access, continue to use Panorama for managing Prisma Access and the admin access that Panorama controls locally. You cannot manage users, roles, and services accounts using Common Services: Identity and Access for Panorama Managed Prisma Access. However, you can use Common Services: Identity and Access for managing other apps such as ADEM and Insights.
- You cannot use the Prisma Access APIs in pan-dev.
The following Prisma Access components and add-ons have the following caveats when
used in a multitenant deployment:
- For Prisma Access—Explicit Proxy deployments, if you have an existing Prisma Access non-multitenant deployment and convert it to a multitenant deployment, only the first tenant (the tenant you migrated) supports Explicit Proxy. Any subsequent tenants you create for the multitenant deployment after the first one do not support Explicit Proxy.
- SaaS Security and Enterprise Data Loss Prevention (Enterprise DLP) support multitenancy with the following restrictions:
- Only a superuser on Panorama can create DLP profiles and patterns and can associate DLP profiles to Security policy rules for tenants.
- A superuser must commit all changes to Panorama whenever they make changes in DLP profiles and patterns.
- All tenants share a single copy of profiles and pattern configurations and, therefore, changes occur on all tenants.
- Since Security policy rules can be different across tenants, each tenant can have different data filtering profiles associated with Security policy rules.
- You can use Prisma SD-WAN integration and Configuring multiple portals in Prisma Access only with one tenant per multitenant deployment.
- If you enable high availability (HA) with active and passive Panorama appliances in a multitenant deployment, you cannot change the HA pair association after you enable multitenancy.
Prisma Access and Panorama Version Compatibility
This section provides you with the minimum and maximum versions of Panorama™ to use
with Prisma® Access, along with the end-of-service (EoS) dates for Panorama software
versions with Prisma Access.
Supported IKE Cryptographic Parameters
The following table documents the IKE cryptographic settings that we support with
Prisma® Access.
Component | Phase 1 Supported Crypto Parameters | Phase 2 Supported Crypto Parameters |
---|---|---|
Encryption |
3DES
AES-128
AES-192
AES-256
|
Null (not recommended)
DES
3DES
AES-128-CBC
AES-192-CBC
AES-256-CBC
AES-128-GCM
AES-192-GCM
AES-256-GCM
|
Authentication/Integrity |
MD5
SHA-1
We support only SHA1 in IKE Crypto profiles (Phase 1) with
IKEv2 with certificate-based authentication.
SHA-256
SHA-384
SHA-512
|
None (supported with Galois/Counter Mode (GCM)
MD5
SHA-1
SHA-256
SHA-384
SHA-512
|
DH Group |
Group 1
Group 2
Group 5
Group 14
Group 19
Group 20
|
No PFS (not recommended)
Group 1
Group 2
Group 5
Group 14
Group 19
Group 20
|
Security Association (SA) Lifetime |
Configurable
|
Configurable
|
SA Lifebytes |
N/A
|
Configurable
|
Minimum Required Panorama Software Versions
The Cloud Services plugins require the following minimum Panorama™ software
versions.
Due to the fast-paced release cycle for Prisma Access and the Cloud Services
plugin, the software end-of-support (EoS) dates for Panorama
appliances for managing Prisma Access vary from the software end-of-life (EoL)
dates for PAN-OS and Panorama releases. These exceptions apply only to Panorama
version compatibility with Prisma Access.
Cloud Services Plugin Version | Minimum Required Panorama Version |
---|---|
5.1 Preferred and Innovation |
|
4.0, 4.1, and 4.2 Preferred 5.0 and 5.0.1 Preferred
and Innovation |
For Panorama versions supported and required for FedRAMP
deployments, see Prisma Access FedRAMP
Requirements. |
3.2.1 Preferred |
For Panorama versions supported and required for FedRAMP
deployments, see Prisma Access FedRAMP
Requirements. |
3.2.1 Innovation |
|
3.2 Preferred |
For Panorama versions supported and required for FedRAMP
deployments, see Prisma Access FedRAMP
Requirements. |
3.2 Innovation |
|
3.1 Preferred |
|
3.1 Innovation |
|
3.0 |
For Panorama versions supported and required for FedRAMP
deployments, see Prisma Access FedRAMP
Requirements. |
2.2 Preferred |
For Panorama versions supported and required for FedRAMP
deployments, see Prisma Access FedRAMP
Requirements. |
End-of-Support (EoS) Dates for Panorama Software Version Compatibility with Prisma Access
When Prisma® Access upgrades its infrastructure and dataplane after a major release,
the upgrades can become incompatible with earlier Panorama™ versions. Because of the
fast-paced release of Prisma Access and the Cloud Services plugin, the software
compatibility end-of-support (EoS) dates for Panorama can differ from the software
end-of-life dates for Panorama releases and apply to Panorama version compatibility
with Prisma Access only.
If the Panorama appliance that manages Prisma Access is running a software version
that’s incompatible (not supported) with the upgrades, you must upgrade Panorama to
a compatible version to take full advantage of the capabilities of the
infrastructure and dataplane upgrades. It's our goal to make this process as easy as
possible and, for this reason, we make every effort to provide you with adequate
notice of Panorama and Prisma Access version compatibility requirements.
Use the dates in the following table to learn when a Panorama software version that
manages Prisma Access is no longer compatible with Prisma Access so that you can
plan an upgrade to a supported version prior to the EoS date.
Due to the fast-paced release cycles for Prisma Access and the Cloud Services
plugin, the software compatibility end-of-support (EoS) dates for Panorama
appliances that manage Prisma Access sometimes differ from the software
end-of-life (EoL) dates for PAN-OS and Panorama software versions. The
exceptions apply only to Panorama version compatibility with Prisma Access.
To find the latest EoS compatibility information for your Panorama software with
Prisma Access, log in to the Panorama appliance that manages Prisma Access,
select the Service Setup page (PanoramaCloud ServicesConfigurationService Setup), and view the Panorama Alert information.
(See Notifications and Alerts for Panorama, Cloud
Services Plugin, and PAN-OS Dataplane Versions for details.)
Panorama Software Version | EoS Dates for Prisma Access Deployments |
---|---|
PAN-OS 10.0 |
March 1, 2023
|
PAN-OS 9.1 |
August 1, 2022
Before this date, you must upgrade your Panorama to PAN-OS 10.1
or a later supported (with Prisma Access) PAN-OS version.
We support PAN-OS 10.1 only after you upgrade to 2.2 Preferred or
to the following 2.1 plugins:
|
You must upgrade Panorama regardless of the Cloud Services plugin version you're
running when the Panorama software version reaches its EoS date. You cannot continue
using earlier versions of the Cloud Services plugin with an earlier unsupported
version of Panorama software.
The following Panorama software versions are already EoS and you cannot use them with
Prisma Access:
- PAN-OS 10.0—EoS on July 16, 2022
- PAN-OS 9.0—EoS on February 1, 2021