Prisma Access
New Features in Prisma Access 5.2
Table of Contents
Expand All
|
Collapse All
Prisma Access Docs
-
- Prisma Access China
- 4.0 & Later
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
-
-
-
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
New Features in Prisma Access 5.2
Prisma Access
5.2Where Can I Use This? | What Do I Need? |
---|---|
|
|
This section provides you with a list of new features in
Prisma Access
5.2
Preferred and Innovation, along with the recommended and required software versions you
need to use.This document contains roadmap information and is being shared for INFORMATIONAL
AND PLANNING PURPOSES ONLY. It is not a binding commitment and is subject to
change.
Recommended Software Versions for Prisma Access 5.2 and Innovation
Prisma Access
5.2 and InnovationThere are two
Prisma Access
5.2 versions:- 5.2 Preferred runs a PAN-OS 10.2.10 dataplane. If your deployment is running a lower dataplane version, a dataplane upgrade to PAN-OS 10.2.10 might be required to implement 5.2 Preferred features. If you're an existing customer, see Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.2 Preferred and Innovation Features to see if a dataplane upgrade is required for aPrisma Access5.2 feature.
- 5.2 Innovation runs on the PAN-OS dataplane of 11.2.3 dataplane. An upgrade to PAN-OS 11.2.3 is required to implement 5.2 Innovation features.
For new
Prisma Access
5.2 Innovation features, Prisma Access
recommends that you upgrade your
before installing the plugin. Prisma Access
to the following
versionsPrisma Access Version | Cloud Services Plugin Version | Required Dataplane Version for 5.2 | Recommended GlobalProtect Version | Recommended Panorama Version |
---|---|---|---|---|
5.2 | 5.2 | PAN-OS 10.2.10 (required for 5.2 Preferred) PAN-OS 11.2.3
(required for 5.2 Innovation) | 6.0.7+ 6.1.3+ 6.2.1+ | 10.2.10+ 11.0.1+ 11.1.0 11.2.3 |
Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.2
Preferred and Innovation Features
Prisma Access
5.2
Preferred and Innovation FeaturesPrisma Access
5.2 features require one of more of the following components
to function:- Infrastructure Upgrade—The infrastructure includes the underlying service backend, orchestration, and monitoring infrastructure.Prisma Accessupgrades the infrastructure before the general availability (GA) date of aPrisma Accessrelease.Features that require only an infrastructure upgrade to be unlocked take effect for allPrisma Accessdeployments, regardless of version, at the time of the infrastructure upgrade.
- Plugin Upgrade (—Installing the plugin activates the features that are available with that release. You download and install the plugin on the Panorama that manages)Prisma AccessPanorama Managed Deployments OnlyPrisma Access.
- Dataplane Upgrade—The dataplane enables traffic inspection and security policy enforcement on your network and user traffic.
- ForPrisma Access (Managed by Strata Cloud Manager), go to.'ManageConfigurationNGFW and Prisma AccessOverview
- ForPrisma Access (Managed by Panorama)deployments, you can view your dataplane version by going toand viewing thePanoramaCloud ServicesConfigurationService Setup.Prisma AccessVersionPrisma Access5.2 Preferred runs PAN-OS 10.2.10 andPrisma AccessInnovation runs PAN-OS 11.2.3.
A dataplane upgrade to 5.2 Innovation is optional, and is
only required if you want to take advantage of the features that require a dataplane
upgrade.
These features are activated with the
infrastructure upgrade
for Prisma Access
: - Simplify Prisma Access SaaS Connectivity with IP Optimization for Mobile Users and Explicit Proxy Deployments
- TLS 1.3 and PubSub Support for Traffic Replication
- View and Monitor Colo-Connect
These features require an
infrastructure and plugin upgrade
but don't require
a dataplane upgrade: - 25,000 Remote Network and 50,000 IKE Gateway Support
- Agent Proxy: Private IP from Branches
- Simplified Prisma Access Private App Connectivity
- View Prisma Access, Dataplane, and Application and Threats Content Versions in Strata Cloud Manager
The following 5.2 features require an
infrastructure and plugin
upgrade and
require a minimum dataplane version of PAN-OS 10.2.10, making them Prisma Access 5.2
Preferred features: - Remote Networks—High Performance
The following 5.2 features require an
infrastructure, plugin, and dataplane
upgrade to Prisma Access 11.2.3, making them Prisma Access 5.2 Innovation features: - Dynamic Privilege Access Support for ZTNA Connector
- SC-NAT Support for Dynamic Privilege Access with CIAM
- ZTNA Connector Support for Commitless App Onboarding
Prisma Access 5.2 Features
Prisma Access
5.2 FeaturesThe following table describes the new features that will be generally available with
Prisma Access
5.2. 25,000 Remote Network and 50,000 IKE Gateway Support
Supported in:
Prisma Access 5.2 Preferred and Innovation |
To implement this feature, reach out to your Palo Alto Networks account team, who
will open an SRE case to accommodate the request.
You can onboard a maximum of 25,000 remote networks and 50,000 IKE gateways
per tenant in a Prisma Access deployment. To accommodate this enhancement, the
following changes have been made to the Strata Cloud Manager web interface starting
with Prisma Access 5.1:
- Introducing pagination so that you can choose how many rows to display in a given page.
- Filtering is enabled for remote networks.After you apply filtering, you can sort the resulting output by name.
- A newGroup Byfield is added. If you select a group byCompute Location, all groups display but are collapsed, and the page size you selected applies to the groups. If you select a compute location to expand it, the rows display based on the page size you selected.
- When remote networks are displayed in a drop-down, the web interface displays the first 500 items. You can find the desired Remote Network in the list by typing in the text box.In addition, the total number of remote networks displays.
- The following additional pages have pagination applied:
- IPSec Tunnels:
- QoS:
- QoS Statistics:
- Troubleshooting—Remote NetworksunderExternal Dynamic Lists:
Agent Proxy: Private IP from Branches
Supported in:
Prisma Access 5.2 Preferred and Innovation |
When utilizing GlobalProtect in Proxy Mode or GlobalProtect in Tunnel and Proxy Mode on
desktops and systems in the branches, you have the capability to view the source IP
address of the device in the branch instead of the public egress IP address of the
branch. This capability allows you to view the device's source IP address in the
logs, and you can also use this address to enforce policy.
IP Optimization for Explicit Proxy Users- Proxy Deployments
Supported in:
Prisma Access 5.2 Preferred and Innovation |
IP Optimization is a set of architectural enhancements that reduce the overall number
of IP addresses in your deployment, simplifying your allow listing workflows while
improving resiliency and enabling faster onboarding of
Prisma Access
tenants and
enabling faster onboarding of Prisma Access
tenants.IP Stickiness
In Explicit Proxy, when traffic egresses from a
Prisma Access
, it uses an
external IP address being allocated to the Explicit Proxy security processing node
(EP-SPN). This means that multiple HTTP connections from the same user session can
use different external IP addresses because they pass-through different EP-SPN. Once
the IP stickiness feature is enabled, the traffic from a user always egresses out
using the same IP address. No additional configuration is required for this
feature.Simplify SaaS Onboarding
Adding a
Prisma Access
location or experiencing a scaling event at an existing Prisma Access
location or the large deployments could lead to higher number of
IP addresses being allocated to the explicit proxy security processing node
(EP-SPN). It's a best practice to retrieve the new egress and gateway IP
addresses and add them to an allow list of the SaaS application or in
your network to avoid disruption. This can result in a situation where you're
managing a large number of Prisma Access
IP addresses. IP Optimization help
reduces the number of Prisma Access
IP addresses you have to manage. This
feature also helps in large deployments.Explicit Proxy China Support
Supported in:
Prisma Access 5.2 Preferred and Innovation |
Prisma Access
supports Explicit Proxy deployments in China.Remote Networks—High Performance
Supported in:
Prisma Access 5.2 Preferred and Innovation |
Prisma Access offers a comprehensive solution for high-bandwidth IPSec
termination, supporting large sites, automated load balancing, simplified
onboarding, regional redundancy, single egress IP management, and compatibility with
various SD-WAN solutions including Prisma SD-WAN. These features collectively
enhance the scalability, performance, and reliability of remote site connectivity.
As your business scales and your office locations become geographically distributed,
you can quickly onboard a branch site with a high bandwidth using a Prisma Access
performant remote network, also known as a
Remote
Network—High Performance
. These networks offer the following benefits: - Supports up to 3 Gbps aggregate bandwidth per service IP address or service endpoint address, providing you with a reduced number of IP addresses or FQDNs to use for IPSec tunnel termination.
- Includes regional redundancy to improve availability and fault tolerance.
- Uses NAT to reduce public egress IP addresses.
- Simplifies onboarding with in-product recommendations for choosing locations based on geographic availability.
- Includes support for Link Quality Metrics (LQM), where Prisma SD-WAN determines link quality by actively probing the Secure Fabric VPN paths over public and private transports and the private WAN underlay paths. The probes provide a constant measurement of network performance metrics, such as jitter, latency, and packet loss. These metrics, along with application-specific performance metrics and Layer 1 through Layer 7 reachability, inform traffic forwarding decisions for new and existing application flows.
Route Summarization for Dynamic Privilege Access
Supported in:
Prisma Access (Managed by Strata Cloud Manager) 5.2 Innovation |
On Dynamic Privilege Access enabled Prisma
Access tenants, you can summarize routes when advertising the Mobile User (MU)
routes to your on-premises network. Route summarization is beneficial for
enterprises that have on-premises equipment that has limited capacity such as basic
cloud routers. By reducing the demand on these devices, route summarization ensures
that the devices won't exceed their route capacity when communicating with the data
center.
To enable route summarization, configure
global summary pools that consist of lists of large IP pools that can be used across
multiple projects. Then, enable route summarization in the Prisma Access service
connection. When a user uses the Prisma Access Agent to connect to a project that
has an IP address within the range of the configured global summary pools, the
service connection will advertise the global summary pool instead of the smaller
project-level route. This helps reduce the number of routes that are sent to the
network.
SC-NAT Support for Dynamic Privilege Access with CIAM
Supported in:
Prisma Access 5.2 Innovation |
Use SC-NAT support for Dynamic Privilege Access (DPA) if you use
DPA and have created service connections to access private apps in your data center
or headquarters location. Multiple projects in your DPA environment can experience
IP address exhaustion if the IP addresses of the Infrastructure Subnet overlap. To
fix this issue, Prisma Access can implement source NAT (SNAT) for IP addresses,
which:
- Lets Prisma Access map a single IP address for a mobile user accessing private apps using a service connection
- Provides you with SNAT for easy routing
- Eliminates IP Pool overlap
- Eliminates IP Pool IPv4 exhaustion between Prisma Access and your data center or headquarters location
Simplified Prisma Access Private App Connectivity
Supported in:
Prisma Access 5.2 Preferred and Innovation |
One way to access a private app is by using a service connection, also known as a
Service Connection-Corporate Access Node
(SC-CAN). It can be difficult to
connect to private apps using service connections because:- Indeterministic throughput of the private app due to SC-CAN bottlenecks
- Latency due to incorrect transit hops
- Operational complexity in deploying SC-CANs
To solve this issue, Prisma Access has enhanced its routing infrastructure routing
enhancements that:
- Eliminates SC-CAN bottlenecks by improving the internal network
- Orchestrates an anchor SC-CAN when required, preventing incorrect transit hops and inefficient routing
This design offers the following benefits:
- Routing setup that is easier to deploy
- Easy day zero setup
- Deterministic 1 Gbps bandwidth from a given SC-CAN to the data center or headquarters location where the private app is located
Simplify Prisma Access SaaS Connectivity with IP Optimization for Mobile Users
and Explicit Proxy Deployments
Supported in:
Prisma Access 5.2 Preferred and Innovation |
Prisma Access expands on the IP Optimization functionality by offering it for
Explicit Proxy as well as Mobile Users—GlobalProtect.
For Mobile Users—GlobalProtect deployments, when a large number of users access a
GlobalProtect gateway from a location, Prisma Access autoscales the location and
adds another GlobalProtect gateway. IP Optimization uses a NAT layer so that the
autoscaled gateway uses the same IP address as the previously allocated IP address,
thus eliminating the need to add extra IP addresses to your organization's allow
lists.
Prisma Access expands the NAT layer to Explicit Proxy Security Processing Nodes
(SPNs) as well as Mobile User SPNs, reducing the need to allow list IP addresses for
Explicit Proxy deployments. This Explicit Proxy NAT layer is beneficial if you're
setting up a Mobile Users and Explicit Proxy deployment in Proxy Mode or Tunnel and Proxy Mode.
TLS 1.3 and PubSub Support for Traffic Replication
Supported in:
Prisma Access 5.2 Preferred and Innovation |
If you're a large organization using Traffic Replication, you can have the
following challenges in deploying and using it:
- Tools that consume the packet capture (PCAP) files require frequent queries of the buckets to cope with a large number of PCAP files. The tools might create overhead on the buckets and their use might be limited by the cloud providers.
- When using the PCAP files for forensic analysis, accessing SSL decrypted traffic provides better efficacy, and a significant amount of the traffic is TLS 1.3 encrypted.
To solve these issues, Prisma Access offers these enhancements that allow third-party
tools to be more efficient and easier to scale:
- Pub/Sub Notifications—Prisma Access proactively sends a Pub/Sub notification when a new PCAP file is uploaded to the storage bucket. Using Pub/Sub notifications for new PCAP files eliminates the need to develop tools that notify you when there are new files in the buckets.
- TLS 1.3 Decryption Support—Prisma Access uses TLS 1.3 when decrypting PCAP files, thus providing deeper visibility into the traffic. This support applies to remote network deployments where you have enabled the use of SSL/TLS decryption policy rules on PCAP files.
View and Monitor Colo-Connect
Supported in:
Prisma Access 5.2 Preferred and Innovation |
Prisma Access
Colo-Connect builds on the Colo-based
performance hub concept, with high-bandwidth private connections along with Layer
2/3 connectivity to Prisma Access from existing performance hubs. Colo-Connect
leverages the cloud native GCP interconnect technology to provide high-bandwidth
service connections to your private applications. Go to Monitor
Data Centers
Service Connections
View Prisma Access, Dataplane, and Application and Threats Content Versions in
Strata Cloud Manager and Panorama
Supported in:
Prisma Access (Managed by Strata Cloud Manager) 5.2 Preferred and Innovation |
To allow you to gain more information about your Prisma Access (managed by Strata Cloud
Manager) deployments, the Software Information area in the Overview page ( in Strata Cloud Manager and Prisma Access Version () in Panorama provide you with the following information:
Manage
Configuration
NGFW and Prisma Access
Overview
Panorama
Cloud Services
Configuration
Service Setup
ZTNA Connector Support for Commitless App Onboarding
Supported in:
Prisma Access 5.2 Innovation |
With commitless onboarding enhancement, you have an improved experience when
onboarding, modifying, or removing applications. The previous delay of 5-10 minutes
is eliminated, resulting in a faster process. Your application onboarding time now takes
less than 1 minute, allowing you to quickly and efficiently manage your
applications. Additionally, the enhanced scale of the ZTNA Connector caters to the
needs of large customers who manage more than 10,000 applications. You have the
capability to onboard a larger number of applications, providing you with greater
flexibility and efficiency in your operations.