>
    Prisma Access Dataplane Upgrades
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Administration
    4. Prisma Access Releases and Upgrades
    5. Prisma Access Dataplane Upgrades
    Download PDF
    Prisma Access

    Prisma Access Dataplane Upgrades

    Table of Contents

    Prisma Access Dataplane Upgrades

    Learn the steps you perform to upgrade the Prisma Access (Panorama Managed) dataplane.
    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • Prisma Access license
    Prisma Access (Managed by Strata Cloud Manager) automatically performs dataplane upgrades, without any intervention required from you.
    Prisma Access performs dataplane upgrades on the service to provide new security features and capabilities to help protect your organization’s end-users, business assets, and digital transformation. When a new version of Prisma Access requires a dataplane upgrade, you need to understand how the upgrade process works and have the required prerequisites in place before upgrading.
    You can expect your dataplane to be upgraded one to two times a year. Some releases might offer an optional dataplane upgrade in addition to the required dataplane upgrades to support Prisma Access features that require it.

    Dataplane Upgrade Overview

    Prisma Access upgrades your dataplane in two phases on two weekend dates, and keeps you informed about the upgrade using Strata Cloud Manager. On a high level, the following steps are taken during the upgrade process.
    • An email notification from Strata Cloud Manager arrives 21 days before the scheduled dataplane upgrade start date. This email notification provides the dataplane upgrade start date for phase #1.
      You may see a date populated in Strata Cloud Manager before the 21-day notification, but this date may not be final until you receive your 21-day notification.
    • In the email, you are asked to select and submit the location or locations to upgrade first and the preferred time window for the upgrade through Strata Cloud Manager.
      You can change and submit the first locations to upgrade and time window multiple times for a given tenant. The last submission that occurred seven days before the scheduled start date will be chosen by the service for the upgrade. You will not be able to make any changes within seven days of the upgrade start date.
      If you make changes, it might take up to 30 minutes for the changes you made to be displayed in the Upgrade Dashboard on Insights. You will be notified via email alert when the Prisma Access has processed and completed the changes.
      Palo Alto Networks strongly suggests that you select locations that reflect your entire deployment. For example, if you have a mobile user, service connection, and remote network deployment, select a location or locations that have all deployment types.
    • Prisma Access will perform phase #1 of the upgrade on the selected location or locations within the local time window selected for those locations.
    • If the selected upgrade locations have any combination of Mobile Users—GlobalProtect, Mobile Users—Explicit Proxy, Service Connections, or Remote Networks, the dataplane for each deployment will be upgraded to the required dataplane version, as described later in this section.
    • Once the upgrade is complete in the first location, you’ll receive an email notification through Strata Cloud Manager. Palo Alto Networks recommends that you monitor the service for any new issues that occur immediately after the dataplane upgrade.
    • In an unlikely occurrence where you see a new issue, report the issue to Palo Alto Networks technical support.
      The technical support team will investigate the issue and take corrective actions that may also include rolling back to the previous dataplane version. This decision will be communicated to you via the technical support case.
    • If there are no new issues or a new issue is not upgrade-related, Prisma Access will proceed with the dataplane upgrade on the following weekend.
    • The upgrade of the remaining locations will take place during the same time window you selected for the first upgrade (in local time).
    • After the dataplane upgrade completes, you will be notified via email alert.
    • If a plugin upgrade is required after the dataplane upgrade, Palo Alto Networks recommends that you upgrade the plugin after the dataplane upgrade completes.
    The following figure shows the timeline used for the upgrade and includes the tasks that you will need to perform for the dataplane upgrade (shown in green), as well as the steps that Prisma Access performs.
    The following section provides more details about the dataplane upgrade process.
    After you sign up for notifications, Prisma Access informs you of the two weekend dates that will be used for the upgrade process and sends these notifications 21 days, 14 days, 7 days, 3 days, and 24 hours before the first phase of the upgrade will occur. The upgrade process occurs in two phases:
    • Phase #1 upgrades the location or locations you chose on the first weekend using the time window you provided and notifies you via email when the upgrade is complete. If you did not choose the locations to upgrade first, or did not select a time window, Prisma Access makes the choices for you.
      Palo Alto Networks attempts to upgrade the locations during the four-hour window that you select through Strata Cloud Manager. However, completing the required upgrades during this window is best-effort and Palo Alto Networks cannot guarantee that the locations will be upgraded during that time. If there are any issues during the upgrade, Palo Alto Networks will attempt the upgrade 24 hours after the original four-hour window.
      For this reason, you should schedule a change request window for 72 hours starting at 8 p.m. local time on Friday and ending at 8 p.m. local time on Monday for each of the two weekends when the dataplane upgrade occurs. You will receive an email when the upgrade is complete.
      Prisma Access makes the following changes to your deployment during Phase #1 of the upgrade.
      Deployment TypeWhat is Upgraded
      Mobile Users—GlobalProtect DeploymentsPrisma Access upgrades:
      • The GlobalProtect gateway, also known as the Mobile User Security Processing Node (MU-SPN), for the location or locations you specify.
      • The GlobalProtect portal associated with that region.
      Mobile Users—Explicit Proxy DeploymentsPrisma Access upgrades the Explicit Proxy nodes for the Explicit Proxy location or locations you specify.
      Remote Network Deployments
      Prisma Access upgrades the backup (HA) remote network, also known as the Remote Network Security Processing Node (RN-SPN), then makes the backup remote network the active node for the location or locations you specify. The backup remote network connection is not upgraded until the following weekend, when the active and backup nodes are upgraded for all locations.
      If there are multiple RN-SPNs in the selected location, all primary nodes are upgraded to the new dataplane version.
      Service Connections
      Prisma Access upgrades the backup (HA) service connection, also known as the Service Connection Corporate Access Node (SC-CAN), then makes the backup service connection the active node for the location or locations you specify. The backup service connection is not upgraded until the following weekend, when the active and backup nodes are upgraded for all locations.
      If there are multiple SC-CANs in the selected location, all backup nodes are upgraded to the new dataplane version.
      ZTNA ConnectorsZTNA Connectors are not upgraded; you can upgrade the ZTNA Connectors on an as-needed basis.
      Between the first and second upgrades, monitor the first upgraded locations and perform connectivity, performance, routing, and logging testing to make sure that the locations upgraded successfully. If you encounter a service-impacting failure after the upgrade, open a Support Case with Palo Alto Networks Technical Support for assistance. Palo Alto Networks will attempt to resolve the issue by rolling back the dataplane to a previous dataplane version within 24 hours.
    • Seven days after Prisma Access upgrades the first location, Prisma Access upgrades the remainder of your locations (Phase #2 upgrade), using the same time window you selected for the first phase, and notifies you via email when the upgrade is complete.
      The upgrade window can be longer. For example, if Phase #2 occurs during a national holiday in the United States of America, the second phase of the upgrade happens 14 days after the first phase instead of 7. The notifications you receive in Strata Cloud Manager show you the specific timeline for the upcoming dataplane upgrade.

    Dataplane Upgrade Example

    The following example shows a sample dataplane upgrade procedure for a Mobile Users deployment with five gateways (MU-SPNs) and three SC-CANs. The US West location has two MU-SPNs as the result of an autoscale event (an extra MU-SPN was added after a large number of mobile users logged in to that location).
    In this example, you selected a single location (US West) to upgrade first, and requested a four-hour upgrade window of 8:00 a.m. to 12:00 noon Saturday for the upgrade.
    On the first upgrade weekend (Phase #1), the upgrade occurs for the SC-CANs and MU-SPNs in the US West location takes place between 8:00 a.m. and 12:00 p.m. Pacific Time on Saturday.
    Seven days after the first location is upgraded, Palo Alto Networks upgrades the remaining components (Phase #2) using the same four-hour time window as was used for the first phase of the upgrade (8:00 a.m. to 12:00 p.m. on Saturday).
    In this example, Prisma Access uses the following time zone information when upgrading the dataplane:
    • The Japan Central MU-SPN and SC-CAN are upgraded using the local time in Japan.
    • The UK MU-SPN and SC-CAN are upgraded using the local time in the UK.
    • The US Southwest MU-SPN is upgraded using Pacific Time.

    © 2025 Palo Alto Networks, Inc. All rights reserved.