Compatibility Matrix
Prisma Access
Learn about compatibility information for Prisma® Access.
The following topics provide support information for Prisma® Access:
- What Features Does Prisma Access Support?
- Panorama Managed Multitenant Unsupported Features and Functionality
- Prisma Access and Panorama Version Compatibility
What Features Does Prisma Access Support?
These sections provide you with the supported features and network settings for Prisma Access (both Prisma Access (Managed by Strata Cloud Manager) and Prisma Access (Managed by Panorama)).
For a description of the features supported in GlobalProtect™, see the features that GlobalProtect supports.
Management
| Feature | Prisma Access (Managed by Strata Cloud Manager) | Prisma Access (Managed by Panorama) |
|---|---|---|
| Default Configurations<br>Default settings enable you to get started quickly and securely. | √<br>Examples include: | — |
| Built-in Best Practice Rules<br>To ensure that your network is as secure as possible, enable your users and applications based on best practice templates. With best practices as your basis, you can then refine policy based on your enterprise needs. | √<br>Features with best practice rules include: | — |
| Onboarding Walkthroughs for First-Time Setup | Guided walkthroughs include: | — |
| Centralized Management Dashboards<br>These can include best practice scores and usage information. | √<br>Dashboards are available for features including: | — |
| Hit Counts | √<br>Hit counts for Security profiles include counts that measure the profile’s effectiveness, and these can depend on the profile (for example, unblocked critical and high severity vulnerabilities, or WildFire submission types). | |
| Policy Rule Usage | √ | |
Remote Networks
| Feature | Prisma Access (Managed by Strata Cloud Manager) | Prisma Access (Managed by Panorama) |
|---|---|---|
| IPSec Tunnels<br>See the list of Supported IKE Cipher Suites.<br>We do not support FQDNs for peer IPSec addresses; use an IP address for the peer address instead. | √ | √ |
| Tunnel Monitoring | | |
| Dead Peer Detection (DPD) | √ | √ |
| ICMP | √ | √ |
| Bidirectional Forwarding Detection (BFD) | — | — |
Service Connections
| Feature | Prisma Access (Managed by Strata Cloud Manager) | Prisma Access (Managed by Panorama) |
|---|---|---|
| IPSec Tunnels<br>See the list of Supported IKE Cipher Suites. | √ | √<br>We do not support FQDNs for peer IPSec addresses; use an IP address for the peer address instead. |
| Tunnel Monitoring | | |
| Dead Peer Detection (DPD) | √ | √ |
| ICMP | √ | √ |
| Bidirectional Forwarding Detection (BFD) | — | — |
| Traffic Steering (using policy-based forwarding rules to forward internet-bound traffic to service connections) | Introduced in 1.7. | |
Mobile Users—GlobalProtect
| Feature | Prisma Access (Managed by Strata Cloud Manager) | Prisma Access (Managed by Panorama) |
|---|---|---|
| Using On-Premises Gateways (Hybrid Deployments) | | |
| On-premises gateway integration with Prisma Access | √ | √<br>We support using on-premises gateways with Prisma Access gateways. |
| Priorities for Prisma Access and On-Premises Gateways | √ | √<br>Supported for deployments that have on-premises GlobalProtect gateways. You can set a priority separately for on-premises gateways and collectively for all gateways in Prisma Access. You can also specify source regions for on-premises gateways. |
| Manual Gateway Selection<br>Users can manually select a cloud gateway from their client machines using the GlobalProtect app. | | |
| GlobalProtect Gateway Modes | | |
| External Mode | √ | √ |
| | √<br>Introduced in 5.1 Preferred and Innovation.<br>If you are running a version below 5.1 Innovation, you can add one or more on-premise gateways and configure them as internal gateways. | √<br>Introduced in 5.1 Preferred and Innovation.<br>If you are running a version below 5.1 Innovation, you can add one or more on-premise gateways and configure them as internal gateways. |
| GlobalProtect App Connect Methods | | |
| User-Logon (always on) | √ | √ |
| Pre-Logon (always on) | √ | √ |
| Pre-Logon (then on-demand) | √ | √ |
| On-Demand | √ | √ |
| Clientless VPN | | |
| Mobile User—GlobalProtect Features | | |
| Support for Multiple Username Formats | √ | √ |
| MDM Integration with HIP<br>Prisma Access does not support AirWatch MDM HIP service integration; however, you can use the GlobalProtect App for iOS and Android MDM Integration for HIP-Based Policy Enforcement. | √ | √ |
| Optimized Split Tunneling for GlobalProtect | √ | √ |
| DHCP<br>Prisma Access uses the IP address pools you specify during mobile user setup to assign IP addresses to mobile users and does not use DHCP. | — | — |
| GlobalProtect App Version Controls | √<br>One-click configuration for GlobalProtect agent log collection | |
Prisma Access Explicit Proxy
| Feature | Prisma Access (Managed by Strata Cloud Manager) | Prisma Access (Managed by Panorama) |
|---|---|---|
| Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security | Introduced in 4.0 Preferred with GlobalProtect app version 6.2 | Introduced in 4.0 Preferred with GlobalProtect app version 6.2 |
Cloud-Delivered Security Services (CDSS)
| Feature | Prisma Access (Managed by Strata Cloud Manager) | Prisma Access (Managed by Panorama) |
|---|---|---|
| Advanced DNS Security Powered by Precision AI®: | | |
| DNS Hijacking and Misconfiguration Prevention<br>Meticulously detects and immediately blocks DNS hijacking (where attackers alter DNS records to redirect traffic) and accidental or malicious DNS misconfigurations. This ensures the integrity of DNS resolution by preventing unauthorized redirection through advanced monitoring and analysis. | √ Minimum dataplane version of PAN-OS® 11.2 required | √ Minimum Cloud Services plugin of 6.0 and minimum dataplane version of PAN-OS® 11.2 required |
| Malicious Traffic Distribution System (TDS)<br>Combats threats hidden within malicious TDS—sophisticated attack frameworks that use complex DNS schemes to distribute malware and exploit kits. The service analyzes DNS traffic patterns to identify indicators of compromise (IOCs), effectively blocking access to these malicious distribution channels. | √ Minimum dataplane version of PAN-OS® 11.2 required | √ Minimum Cloud Services plugin of 6.0 and minimum dataplane version of PAN-OS® 11.2 required |
| Domain Masquerading Protection<br>Safeguards against domain masquerading by identifying and blocking malicious domains that closely resemble legitimate ones (typosquatting). It uses cutting-edge AI and machine learning algorithms to analyze vast amounts of DNS data, detecting subtle patterns and characteristic behaviors associated with spoofed or malicious domains. | √ Minimum dataplane version of PAN-OS® 11.2 required | √ Minimum Cloud Services plugin of 6.0 and minimum dataplane version of PAN-OS® 11.2 required |
| Compromised Website<br>This category specifically identifies legitimate websites that have been hacked or infected with malicious content. This allows you to use granular policy control to distinguish between inherently malicious sites and otherwise trustworthy sites that have been temporarily compromised. | √ Minimum dataplane version of PAN-OS® 11.2 required | √ Minimum Cloud Services plugin of 6.0 and minimum dataplane version of PAN-OS® 11.2 required |
| File Converter<br>This categorizes sites that allow users to convert, compress, or modify files. This new category helps organizations manage access to these tools, mitigating data leakage and compliance risks associated with unauthorized file sharing and modification. | √ Minimum dataplane version of PAN-OS® 11.2 required | √ Minimum Cloud Services plugin of 6.0 and minimum dataplane version of PAN-OS® 11.2 required |
| ML-powered Quishing (QR Code) Protection<br>Blocks quishing attacks by introducing an ML-powered QR code detector. This feature specifically addresses the growing threat of malicious QR codes embedded on legitimate websites, which attackers use to bypass the perimeter defenses of enterprise-protected networks and target unmanaged personal devices. | √ Minimum dataplane version of PAN-OS® 11.2 required | √ Minimum Cloud Services plugin of 6.0 and minimum dataplane version of PAN-OS® 11.2 required |
| Deepfake Content Detection<br>Protects against hyper-realistic social engineering. A new deep learning model is active to identify and block malicious content featuring deepfake videos. This provides essential protection from attackers who use highly convincing deepfake impersonations of trusted individuals in phishing attacks. | √ Minimum dataplane version of PAN-OS® 11.2 required | √ Minimum Cloud Services plugin of 6.0 and minimum dataplane version of PAN-OS® 11.2 required |
| PDF Analysis for Phishing<br>A Convolutional Neural Network (CNN)-based deep learning model is available. This model analyzes the visual appearance (in addition to the text) of embedded URLs in PDF files to detect highly evasive, embedded phishing attacks that exploit the PDF format. | √ Minimum dataplane version of PAN-OS® 11.2 required | √ Minimum Cloud Services plugin of 6.0 and minimum dataplane version of PAN-OS® 11.2 required |
| API Vector Categorization<br>Leverages Machine Learning (ML) to perform in-memory analysis of the patterns and sequences of API calls made by malware during runtime. This advanced approach creates a unique behavioral "fingerprint" (API Vector) to accurately identify and classify highly evasive, fileless, and memory-resident attacks that bypass conventional analysis. | √ Minimum dataplane version of PAN-OS® 11.2 required | √ Minimum Cloud Services plugin of 6.0 and minimum dataplane version of PAN-OS® 11.2 required |
| Multi-CPU Advanced Dynamic Analysis<br>Enhances Advanced Dynamic Analysis (sandboxing) by including multiple virtual CPUs (vCPUs) in the Windows guest sandbox environment. This capability is specifically designed to defeat sophisticated malware that evades detection by checking for and refusing to execute in single-CPU virtual environments. | √ Minimum dataplane version of PAN-OS® 11.2 required | √ Minimum Cloud Services plugin of 6.0 and minimum dataplane version of PAN-OS® 11.2 required |
| Advanced Threat Prevention Powered by Precision AI | | |
| Exfiltration Shield for Advanced Threat Prevention<br>Uses a sophisticated machine learning (ML) model to combat advanced data exfiltration. This feature focuses on detecting stealthy data egress over common protocols like DNS relay and HTTP headers, which are frequently used to bypass traditional security. Integration is seamless with existing Advanced DNS Security and ATP subscriptions. | √ Minimum dataplane version of PAN-OS® 11.2 required | √ Minimum Cloud Services plugin of 6.0 and minimum dataplane version of PAN-OS® 11.2 required |
Security Services
| Feature | Prisma Access (Managed by Strata Cloud Manager) | Prisma Access (Managed by Panorama) |
|---|---|---|
| Security Policy | √ | √ |
| DoS Protection<br>The Prisma Access infrastructure manages DoS protection. | √ | √ |
| SaaS Application Management | Supported for: | — |
| IoT Security | √ | √ |
| Security Profiles | | |
| Supported Profile Types | √ | √ |
| Dashboards for Security Profiles | Dashboards are tailored to each profile, and give you: | — |
| | √ | √<br>We support HTTP response pages for mobile users and users at remote networks. To use HTTPS response pages, open a CLI session in the Panorama that manages Prisma Access, enter the `set template Mobile_User_Template config deviceconfig setting ssl-decrypt url-proxy yes` command in configuration mode, and commit your changes. |
| HTTP Header Insertion | | |
| Decryption | | |
| SSL Forward Proxy | √ | √ |
| SSL Inbound Inspection | — | √ |
| SSH Proxy | — | √ |
| Guided Walkthrough: Turn on Decryption | √ | — |
Network Services
| Feature | Prisma Access (Managed by Strata Cloud Manager) | Prisma Access (Managed by Panorama) |
|---|---|---|
| Network Services | | |
| Prisma Access uses the same QoS policy rules and QoS profiles and supports the same DSCP markings as Palo Alto Networks Next-Generation Firewalls. | √ | √<br>We introduced QoS for Remote network deployments that allocate bandwidth by compute location in 3.0 Preferred. |
| Application Override | √ | √ |
| IPv4 Addressing | √ | √ |
| IPv6 addressing for private apps introduced in 2.2 Preferred; IPv6 addressing for public (internet) and private apps introduced in 5.2.1. | √ | √ |
| Split Tunnel Based on Access Route | √ | √ |
| Split Tunnel Based on Destination Domain, Client Process, and Video Streaming Application | √ | √ |
| NetFlow | — | — |
| NAT<br>Prisma Access automatically manages outbound NAT; you cannot configure the settings. | √ | √ |
| SSL VPN Connections | √ | √ |
| Routing Features | | |
| Static Routing | √ | √ |
| Dynamic Routing (BGP) | √ | √ |
| Dynamic Routing (OSPF) | — | — |
| High Availability | | |
| SMTP | √<br>Prisma Access sometimes blocks SMTP port 25 for security reasons and to mitigate the risk from known vulnerabilities that exploit nonsecure SMTP. Palo Alto Networks recommends using ports 465, 587, or an alternate port 2525 for SMTP. | √<br>Prisma Access sometimes blocks SMTP port 25 for security reasons and to mitigate the risk from known vulnerabilities that exploit nonsecure SMTP. Palo Alto Networks recommends using ports 465, 587, or an alternate port 2525 for SMTP. |
Identity Services
| Feature | Prisma Access (Managed by Strata Cloud Manager) | Prisma Access (Managed by Panorama) |
|---|---|---|
| Authentication Types | | |
| SAML | √ | √ |
| TACACS+ | √ | √ |
| RADIUS | √ | √ |
| Local Database Authentication | √ | √ |
| Authentication Features | | |
| Authentication Rules | √ | √ |
| Authentication Portal | √ | √ |
| | √<br>Supported for both IPSec and mobile users with GlobalProtect. | √<br>Supported for both IPSec and mobile users with GlobalProtect. |
| Extensible Authentication Protocol (EAP) Support for RADIUS | √ | √ |
| Single Sign-On (SSO) | √ | √ |
| | √<br>Supported for the following platforms:<br>We support a maximum of 400 TS agents. | √<br>Supported for the following platforms:<br>We support a maximum of 400 TS agents. |
| Cloud Identity Engine (Directory Sync Component) | | |
| Directory Sync for User and Group-Based Policy | √<br>Supports on-premises Active Directory and Azure Active Directory. | √<br>You can retrieve user and group information using the Directory Sync component of the Cloud Identity Engine. Prisma Access supports on-premises Active Directory, Azure Active Directory, and Google IdP.<br>Introduced in 1.6.<br>Support for Azure Active Directory introduced in 2.0 Preferred.<br>Support for Google IdP introduced in 3.0 Preferred and Innovation. |
| Identity Redistribution | √ | √ |
| Ingestion of IP address-to-username mappings from a third-party integration (NAC) | — | √ |
| | √ | √<br>Introduced in 1.7.<br>Requires Panorama running a minimum PAN-OS 9.1.1 version. |
Policy Objects
| Feature | Prisma Access (Managed by Strata Cloud Manager) | Prisma Access (Managed by Panorama) |
|---|---|---|
| Addresses | √ | √ |
| Address Groups | √ | √ |
| Dynamic Address Groups (DAGs) and Auto-Tags | — | — |
| XML API-Based Dynamic Address Group Updates | — | √ |
| Regions | √ | √ |
| App-ID (Applications) | √ | √ |
| | √ | —<br>We do not support commit warnings for Prisma Access. |
| Application Groups | √ | √ |
| Application Filters | √ | √ |
| Services | √ | √ |
| Service Groups | √ | √ |
| Tags | √ | √ |
| | √ | √<br>Introduced in 1.7.<br>Requires Panorama running a minimum PAN-OS 9.1.1 version. |
| HIP Objects | | |
| HIP-Based Security Policy | √ | √ |
| HIP Report Submission | √ | √ |
| HIP Report Viewing | — | √<br>Introduced in 1.5. |
| HIP Objects and Profiles | √ | √ |
| Certificate Management | | |
| Custom Certificates | √ | √ |
| Palo Alto Networks Issued Certificates | √ | √ |
| Certificate Profiles | √ | √ |
| Custom Certificates | √ | √ |
| SSL/TLS Service Profiles | √ | √ |
| SSL<br>We support SSL only for mobile users, not for site-to-site VPNs. | √ | √ |
| SCEPs | √ | √ |
| OCSP Responders | √ | √ |
| Default Trusted Certificate Authorities | √ | √ |
Logs
| Feature | Prisma Access (Managed by Strata Cloud Manager) | Prisma Access (Managed by Panorama) |
|---|---|---|
| Strata™ Logging Service (formerly Cortex® Data Lake) Log Storage | √ | √ |
| Enhanced Mobile Users Visibility for Administrators (GlobalProtect logs) | √ | √<br>Introduced in 1.7.<br>Requires Panorama running a minimum PAN-OS 9.1.1 version. |
Reports
| Feature | Prisma Access (Managed by Strata Cloud Manager) | Prisma Access (Managed by Panorama) |
|---|---|---|
| Reports | You can also use Dashboards for a comprehensive view of the applications, ION devices, threats, users, and security subscriptions at work in your network. | Introduced in Prisma Access 1.8. |
| App Report | This feature has the following Strata Logging Service-based limitation:<br>SaaS Application Usage report (Monitor > PDF Reports > SaaS Application Usage)—You cannot filter the logs for user groups (we do not support the Include user group information in the report option). | |
Integration with Other Palo Alto Networks Products
| Feature | Prisma Access (Managed by Strata Cloud Manager) | Prisma Access (Managed by Panorama) |
|---|---|---|
| Cortex XSOAR integration | — | √<br>We support source IP-based allow lists and malicious user activity detection. |
| Cortex XDR integration | √<br>Prisma Access is compatible with the Cortex XDR version of Strata Logging Service. Cortex XDR receives Prisma Access log information from Strata Logging Service (formerly Cortex Data Lake). | √<br>Prisma Access is compatible with the Cortex XDR version of Strata Logging Service. Cortex XDR receives Prisma Access log information from Strata Logging Service (formerly Cortex Data Lake). |
| Prisma SaaS integration | √<br>We support SaaS visibility with Strata Logging Service. | √<br>We support SaaS visibility with Strata Logging Service. |
Panorama Managed Multitenant Unsupported Features and Functionality
We do not support the following features in a Prisma Access (Managed by Panorama) multitenant deployment:
In addition, a Panorama managed multitenant deployment has changes to the following functionality:
- You cannot view your Panorama managed tenants under Common Services: Tenant Management.
- For Prisma Access (Managed by Panorama), continue to use Panorama for managing Prisma Access and the admin access that Panorama controls locally. You cannot manage users, roles, and services accounts using Common Services: Identity and Access for Prisma Access (Managed by Panorama). However, you can use Common Services: Identity and Access for managing other apps such as ADEM and Insights.
- You cannot use the Prisma Access APIs in pan-dev.
The following Prisma Access components and add-ons have the following caveats when used in a multitenant deployment:
- For the following components, if you have an existing Prisma Access (Managed by Panorama) non-multitenant deployment and convert it to a multitenant deployment, only the first tenant (the tenant you migrated) supports these components. Any subsequent tenants you create for the multitenant deployment after the first one do not support these components:
  - Prisma Access Explicit Proxy
  - Prisma Browser
  - ZTNA Connector
    - After you enable multitenancy, ZTNA Connector is supported only on the first tenant, where the child account ID is the same as the parent (root) account ID.
    - Palo Alto Networks recommends that you add Application IP and Connector IP blocks and Configure ZTNA Connector after you enable multitenancy.
- SaaS Security and Enterprise Data Loss Prevention (Enterprise DLP) support multitenancy with the following restrictions:
  - Only a superuser on Panorama can create DLP profiles and patterns and can associate DLP profiles to Security policy rules for tenants.
  - A superuser must commit all changes to Panorama whenever they make changes in DLP profiles and patterns.
  - All tenants share a single copy of profiles and pattern configurations and, therefore, changes occur on all tenants.
  - Since Security policy rules can be different across tenants, each tenant can have different data filtering profiles associated with Security policy rules.
- If you enable high availability (HA) with active and passive Panorama appliances in a multitenant deployment, you cannot change the HA pair association after you enable multitenancy.
- You can use these features with a Prisma Access (Managed by Panorama) multitenant deployment; however, you can only use them in one tenant per multitenant deployment:
Prisma Access and Panorama Version Compatibility
This section provides you with the minimum and maximum versions of Panorama™ to use with Prisma® Access.
Supported IKE Cipher Suites
The following table documents the IKE cryptographic settings that we support with Prisma Access.
| Component | Phase 1 Supported Crypto Parameters | Phase 2 Supported Crypto Parameters |
|---|---|---|
| Encryption | 3des<br>aes-128-cbc<br>aes-192-cbc<br>aes-256-cbc<br>aes-128-gcm<br>aes-256-gcm | null (not recommended)<br>3des<br>aes-128-cbc<br>aes-192-cbc<br>aes-256-cbc<br>aes-128-gcm<br>aes-256-gcm |
| Authentication | non-auth (if you select an AES with Galois/Counter Mode (AES-GCM) algorithm for encryption, you must select the Authentication setting non-auth or the commit will fail; the hash is automatically selected based on the DH Group selected: DH Group 19 and below uses sha256, DH Group 20 uses sha384)<br>md5<br>sha1<br>sha256<br>sha384<br>sha512 | md5<br>none (if you select an AES-GCM algorithm for encryption, you must select none for Phase 2 authentication or the commit will fail; the hash is automatically selected based on the DH Group selected: DH Group 19 and below uses sha256, DH Group 20 uses sha384)<br>sha1<br>sha256<br>sha384<br>sha512 |
| DH Group | Group 1<br>Group 2<br>Group 5<br>Group 14<br>Group 19<br>Group 20 | No PFS (not recommended)<br>Group 1<br>Group 2<br>Group 5<br>Group 14<br>Group 19<br>Group 20 |
| Security Association (SA) Lifetime | Configurable | Configurable |
| SA Lifebytes | N/A | Configurable |
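As an added example (not Palo Alto Networks code), the following Python script checks a proposed Phase 1 or Phase 2 crypto proposal against the table above: it enforces the AES-GCM authentication rule that otherwise fails the commit, reports the hash the DH group selects, and flags the values the table marks not recommended. The `LEGACY` warnings for 3des, md5, sha1 and DH groups 1, 2 and 5 are this example's own hardening note, not something the table states.

```python
from dataclasses import dataclass
from typing import List, Optional

# Supported values, copied from the Phase 1 / Phase 2 columns of the table above.
PHASE1_ENCRYPTION = {"3des", "aes-128-cbc", "aes-192-cbc", "aes-256-cbc",
                     "aes-128-gcm", "aes-256-gcm"}
PHASE2_ENCRYPTION = PHASE1_ENCRYPTION | {"null"}  # "null" is marked not recommended
PHASE1_AUTHENTICATION = {"non-auth", "md5", "sha1", "sha256", "sha384", "sha512"}
PHASE2_AUTHENTICATION = {"none", "md5", "sha1", "sha256", "sha384", "sha512"}
DH_GROUPS = {1, 2, 5, 14, 19, 20}  # Phase 2 additionally allows "No PFS" (None below)
# Editor's hardening note, not from the table: supported, but legacy by current standards.
LEGACY = {"3des", "md5", "sha1", 1, 2, 5}


@dataclass
class Proposal:
    phase: int               # 1 (IKE) or 2 (IPSec)
    encryption: str
    authentication: str
    dh_group: Optional[int]  # None means No PFS, which the table allows only in Phase 2

def gcm_auth_required(phase: int) -> str:
    """Authentication value the table requires when an AES-GCM cipher is selected."""
    return "non-auth" if phase == 1 else "none"

def auto_hash(dh_group: int) -> str:
    """Hash selected automatically with GCM: sha256 for DH group 19 and below, sha384 for group 20."""
    return "sha384" if dh_group == 20 else "sha256"

def validate(p: Proposal) -> List[str]:
    """Return findings prefixed error/warning/info; without an 'error' line the commit should succeed."""
    findings: List[str] = []
    encryption_ok = PHASE1_ENCRYPTION if p.phase == 1 else PHASE2_ENCRYPTION
    authentication_ok = PHASE1_AUTHENTICATION if p.phase == 1 else PHASE2_AUTHENTICATION
    if p.encryption not in encryption_ok:
        findings.append(f"error: encryption {p.encryption!r} is not supported in Phase {p.phase}")
    if p.authentication not in authentication_ok:
        findings.append(f"error: authentication {p.authentication!r} is not supported in Phase {p.phase}")
    if p.dh_group is None:
        if p.phase == 1:
            findings.append("error: Phase 1 requires a DH group; No PFS is a Phase 2 option")
        else:
            findings.append("warning: No PFS is listed as not recommended")
    elif p.dh_group not in DH_GROUPS:
        findings.append(f"error: DH group {p.dh_group} is not supported")
    # Commit-failure rule from the Authentication row: GCM needs non-auth (Phase 1) or none (Phase 2).
    if p.encryption.endswith("-gcm"):
        required = gcm_auth_required(p.phase)
        if p.authentication != required:
            findings.append(f"error: AES-GCM requires authentication {required!r} in Phase {p.phase}; "
                            "the commit will fail")
        elif p.dh_group in DH_GROUPS:
            findings.append(f"info: hash selected automatically from DH group {p.dh_group}: {auto_hash(p.dh_group)}")
    if p.encryption == "null":
        findings.append("warning: null encryption is listed as not recommended")
    for value in (p.encryption, p.authentication, p.dh_group):
        if value in LEGACY:
            findings.append(f"warning: {value!r} is a legacy parameter (editor's hardening note, not from the table)")
    return findings

def commit_would_fail(p: Proposal) -> bool:
    return any(f.startswith("error") for f in validate(p))

if __name__ == "__main__":
    for proposal in (Proposal(1, "aes-256-gcm", "sha256", 20), Proposal(2, "aes-128-gcm", "none", 14)):
        print(proposal, validate(proposal))
```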
Minimum Required Panorama Software Versions
The Cloud Services plugins require the following minimum Panorama™ software versions.
For more information about the versions used with Prisma Access, including the recommended Panorama and GlobalProtect versions, see the Prisma Access Release Notes for your Release:
| Cloud Services Plugin Version | Minimum Required Panorama Version |
|---|---|
| 6.0 Preferred and Innovation | |
| 5.2 and 5.2.1 Preferred and Innovation | |
| 5.1 and 5.1.1 Preferred and Innovation | |
| 4.0, 4.1, and 4.2 Preferred | |
| 5.0 and 5.0.1 Preferred and Innovation | |

For Panorama versions supported and required for FedRAMP deployments, see Prisma Access FedRAMP Requirements.