New Features - Prisma Access - 5.1 Preferred and Innovation

ADEM Agent is now modularized and called Access Experience. Access Experience can be used for multiple features based on the license activated, such as ADEM and App Acceleration. Other enhancements include:

• An agent out-of-band upgrade.
• New Access Experience Agent configuration options for GlobalProtect version 6.3 and above:
  • Install —Install the agent on the endpoint.
  • Uninstall —Uninstall the agent from the endpoint.
  • No Action —Retain the last agent state.

When organizations engage in merger and acquisition (M & A) activity, a critical and often overlooked technical requirement is the need to update existing network gateways. These gateways, which serve as essential connection points, frequently bear the brand name of the original company. To ensure a seamless transition and maintain business continuity, these gateways must either cease referencing the old brand or adopt the new one. This is where the functionality of Prisma® Access becomes invaluable. By integrating this capability, Prisma Access allows for the effortless renaming of gateways, ensuring the new brand name is reflected not only in the user interface (UI) but also consistently across all logs and any other system references. This update is crucial for a smooth operational handover and prevents confusion among users and IT administrators. Ultimately, this functionality simplifies the post-merger integration process, allowing the organization to operate cohesively under a unified brand identity without the need for a costly and disruptive infrastructure overhaul.

Prisma Access adds two new compute locations: Canada West (Calgary) and South Africa Central. The following locations are remapped to the new compute location:

• The South Africa Central location is remapped to the South Africa Central compute location.
• The Canada West location is remapped to the Canada West (Calgary) compute location.

New deployments have the new remapping applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location.

Managing network security often leaves behind unused or obsolete Connector IP blocks, increasing administrative burden and potentially leading to IP resource waste. Previously, cleaning up these blocks was complex and error-prone. To resolve this, we enhanced management flexibility for Prisma Access Prisma® Access ZTNA Connector deployments, enabling you to update and securely delete unused Connector IP blocks as needed.

This functionality streamlines network configuration, recovers valuable IP address pools, and improves overall management efficiency by preventing network clutter. You can delete unused connector IP blocks only after you remove all associated ZTNA Connector objects (connectors, applications, wildcards, and connector groups) from the tenant. Additionally, the system performs a strict validation check to ensure technical accuracy. If you attempt to delete a connector IP block still included in an active IP address pool, the commit and push process will fail, and the system displays a validation error message protecting the integrity of your network configuration.

You can give your end users the flexibility to temporarily disable the Prisma Access Agent when necessary. This feature is useful in environments where other secure access solutions coexist, such as the GlobalProtect™ app. This capability allows users to switch between the Prisma Access Agent and the GlobalProtect app without interference. You can configure this feature on a per-user or user group basis, giving you granular control over who has the ability to disable the agent. When configured, users can easily disable and re-enable the agent through the app interface without requiring the supervisor password, streamlining the process. This feature is compatible with various connection methods, including always-on and on-demand modes, and is compatible with the anti-tamper feature, which prevents an unauthorized user from tampering with the agent. By implementing this capability, you can allow your users to manage their secure access connections more effectively while maintaining overall security and control.

For Enterprise IT and IT Enabled Services (ITES) companies that need to control which users have access to their customer projects, Dynamic Privilege Access provides a seamless, secure, and compartmentalized way for your users to access only those projects that they are assigned to. Employees are typically assigned to several customer projects and are provided with siloed access to these projects so that an authorized user can access only one customer project at a time.

The Dynamic Privilege Access feature in Prisma Access provides dynamic privileges for your users based on the workflow or project that your users select in the Prisma Access Agent. Your users can have dynamic privileges based on the combination of the user group and IP pool that is assigned to a project. This unique combination defines a project. With Dynamic Privilege Access, you can isolate resources in your network so that they are only accessible to your users according to the projects they are assigned to.

A new predefined role called the Project Admin is available to allow project administrators to create and manage project definitions. Project administrators have the ability to map projects to select Prisma Access location groups, and create IP address assignments using DHCP based on the project and location group.

You can gain visibility into your Prisma Access Agent deployment by using Strata Cloud Manager to monitor your users' project activity, and view the service consumption and security posture in your network.

Managing explicit proxy traffic using single or multiple Proxy Auto-Configuration (PAC) files introduces complexity and management burden. You can now manage traffic flow and bypass rules by using Forwarding Profiles instead of only a single PAC file. Forwarding Profiles enable you to define forwarding rules and objects from a dedicated interface rather than dealing with the inherent technical complexity of a PAC file.

If you currently use a PAC file, you can migrate to Forwarding Profiles by importing the PAC file into a profile. Additionally, if you manage multiple PAC files for different traffic types, you can import these PAC files into separate profiles to use them simultaneously. In addition to standard proxy deployments, you can also use Forwarding Profiles to define the flow of traffic through GlobalProtect GlobalProtect® in Proxy or Tunnel and Proxy mode.

For simpler SAML authentication configuration, Explicit Proxy no longer requires that you create a policy rule to allow pre-authentication user traffic.

South Africa Central is added as a supported location for Prisma Access Explicit Proxy.

When you onboard a Service Connection or Remote Network connection, a public IP address is assigned for the other side of the IPSec tunnel (the Service IP Address). You use these public IP addresses for your CPE in your branch site or headquarters or data center location. Keeping records of all the IP addresses you need to configure on your CPE can be time consuming.

Instead of IP addresses, Prisma® Access provides you FQDNs or Service Endpoint Addresses to use for the other end of the IPSec tunnel for Service Connections and Remote Network Connections, thus facilitating the IPSec tunnel setup on your CPE at your branch sites or headquarters or data center locations.

GlobalProtect Proxy now

1. supports all IPv4 TCP connections, including non-proxy-aware traffic, to better support the needs of your network beyond only proxy-aware traffic
2. supports multiple Explicit Proxy channels to different regions, enabling you to support apps and destinations that have region-specific requirements.

Additionally, Prisma AccessInsights now surfaces GlobalProtect Proxy data under Mobile Users - GlobalProtect and includes additional metrics, such as connection method, so that you can have greater visibility into your GlobalProtect Proxy performance.

GlobalProtect in proxy-only mode now no longer requires that you deploy a mobile user gateway, which simplifies initial configuration.

Prisma® Access uses IPSec to securely connect branch offices and data centers to the service. If there is an issue with bringing up the IPSec tunnel, it can be challenging to read logs related to IKE and IPSec events in an attempt to troubleshoot the issue.

A new UI allows you to check routing information, clear security associations for an existing IPSec tunnels, or retrieve the service endpoint address for your service connections and remote network connections. With the UI, you have a more complete picture of your IPSec tunnels. You can also trigger an IKE renegotiation for a given service connections or remote network connections.

This tunnel information reflects real-time monitoring status, along with an explanation of why any tunnels have gone down.

Organizations are increasingly adopting IPv6 endpoints and require seamless, end-to-end IPv6 access across their entire Secure Access Service Edge (SASE) environment. Previously, IPv6 support in Prisma® Access was limited to private applications. This feature now encompasses comprehensive end-to-end IPv6 support for Mobile Users, Remote Networks, and Service Connections. One key benefit of native IPv6 support is the ability for Mobile Users utilizing IPv6-only endpoints to establish connections with Prisma Access via IPv6 connections using GlobalProtect®. Additionally, this support enables secure access to public SaaS applications over the internet, even when those destinations necessitate IPv6 connections. This enhancement, leveraging the significantly larger IPv6 address space, ensures compatibility with both IPv6 and dual-stack connections, accelerating your organization's migration to modern, cloud-based, and IPv6-enabled networks.

Organizations require the most advanced security features for their Prisma® Access deployments to counter evolving zero-day threats. To utilize the most advanced traffic inspection, deep learning security, and optimized performance features, Prisma Access 5.1 Innovation now fully supports the security features available with PAN-OS® 11.1 and 11.2. This immediate compatibility allows organizations to leverage cutting-edge security capabilities, including enhanced visibility into encrypted traffic and superior threat detection, without requiring a full platform migration. This seamless support helps protect your organization’s end-users, business assets, and security posture across your entire SASE deployment.

Organizations require the most advanced security features for their Prisma® Access deployments to counter evolving zero-day threats. To utilize the most advanced traffic inspection, deep learning security, and optimized performance features, Prisma Access 5.1 Innovation now fully supports management by Panorama® appliances running PAN-OS® 11.2. This immediate compatibility enables organizations to leverage cutting-edge security capabilities, including enhanced visibility into encrypted traffic and superior threat detection, directly from their updated management platform. This seamless support helps protect your organization’s end-users, business assets, and security posture across your entire SASE deployment.

Prisma® Access introduces a native internal gateway solution within the Prisma®Access architecture. This new capability reduces the need to implement GlobalProtect® alongside an on-premises internal gateway to learn User-ID for users on an internal network. Prisma® Access deployments can enable a native internal gateway within the architecture.

The native internal gateway enforces user-based security policies for remote network traffic without requiring an on-premises internal gateway deployment.

To use this feature, set up GlobalProtect®, add app settings, and onboard remote networks in both Strata Cloud Manager and Panorama®.

If your Prisma® Access deployment uses a large number of sessions, and you would like to delete those sessions quickly, you can enable fast session delete, which allows Prisma Access to reuse TCP port numbers before the TCP TIME_WAIT period expires. This reuse of the TCP port numbers can be useful if your deployment has a large number of SSL decrypted sessions that may be short-lived. You can choose to enable this functionality for Prisma Access Remote Networks, Service Connections, and Mobile Users—GlobalProtect®; for Mobile Users—Explicit Proxy deployments, this functionality is enabled by default and you cannot disable it.

Integrating third-party SD-WAN solutions with cloud security services often requires complex, manual tunnel configurations, slowing deployment and increasing administrative risk. The Remote Network Tunnel Automation API addresses this challenge by enabling seamless, automated integration of third-party SD-WAN products with Prisma® Access to deliver essential cloud security services over your existing SD-WAN solution. This API supports deployments managed by both Panorama® and Strata Cloud Manager, drastically accelerating the onboarding of third-party SD-WAN branches to Prisma Access Remote Networks, thereby reducing manual effort and ensuring rapid time-to-value.

On Dynamic Privilege Access enabled Prisma Access tenants, you can summarize routes when advertising the Mobile User (MU) routes to your on-premises network. Route summarization is beneficial for enterprises that have on-premises equipment that has limited capacity such as basic cloud routers. By reducing the demand on these devices, route summarization ensures that the devices won't exceed their route capacity when communicating with the data center.

To enable route summarization, configure global summary pools that consist of lists of large IP pools that can be used across multiple projects. Then, enable route summarization in the Prisma Access service connection. When a user uses the Prisma Access Agent to connect to a project that has an IP address within the range of the configured global summary pools, the service connection will advertise the global summary pool instead of the smaller project-level route. This helps reduce the number of routes that are sent to the network.

Prisma Access uses SC-NAT support with Dynamic Privilege Access (DPA) to enforce service connections for access to private applications in your data center or headquarters. When you have multiple projects in your DPA environment, your network can experience IP address exhaustion when IP addresses in your infrastructure subnet overlap. SC-NAT support enables Prisma Access to implement source NAT (SNAT) for IP addresses to provide the following benefits:

• Map a single IP address for private application access through a service connection.
• Use SNAT for simplified routing.
• Eliminate IPv4 address pool overlap.
• Eliminate IPv4 address pool exhaustion between Prisma Access and your data center or headquarters.

Prisma Access Explicit Proxy now supports service connections to enable you to access resources in your data center. With this change, you will still be able to benefit from a proxy connection while accessing external dynamic lists, partner apps, or private apps hosted in your data center.

Prisma Access adds to the static IP address functionality for mobile users, where you can assign static IP addresses to users based on the Prisma Access theater or User-ID. To enhance IP address assignment for mobile users, you can now use location groups and user groups as a criteria, in addition to theater and User-ID. In addition, the number of supported IP address pool profiles is increased to 10,000. Activity Insights: Users allows you to view and monitor static IP address enhancements for mobile users.

Prisma® Access mobile users access private apps using a service connection. If your deployment uses a Next-Generation Firewall (NGFW) in the data center or headquarters location where the private apps are located, and if your service connection has source NAT enabled, the NGFW can't retrieve the User-ID™ and Device-ID mapping. Source NAT on the service connection prevents the mobile users' User-ID and Device-ID mapping to be distributed to the NGFW. If the NGFW can't retrieve this mapping, it can't enforce zone-based security policy rules you have created on it based on User-ID or Device-ID mapping.

User-ID Across NAT lets your network distribute the User- or Device-ID mapping from mobile users to the NGFW and then on to the headquarters or data center, thus allowing the NGFW to enforce security policy rules based on the User-ID mapping it has learned from the service connection. This configuration ensures a consistent security posture across your mobile user deployment.

You can use the Cloud Identity Engine with Prisma Access to apply information from third-party IoT detection sources to simplify the task of identifying and closing security gaps for devices in your network. See Configure Third-Party Device-ID in Prisma Access for details about setup and configuration.

Go to InsightsSecurityDevice Security to get insights on your IoT devices, such as the number of IoT devices connected within the last 30 minutes, all IoT devices connected during the time range selected, and details about all connected IoT devices.