Focus

Prisma Access

Changes to Default Behavior for Prisma Access 6.1

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Release Notes
Select a Document
- 6.1 Preferred and Innovation
- 6.0 Preferred and Innovation
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Activation & Onboarding
Administration
Select a Document
- 4.0 & Later
- Prisma Access China
Integrations
Incidents & Alerts

New Features in Prisma Access 6.1

Prisma Access Known Issues

Changes to Default Behavior for `Prisma Access` 6.1

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama)	Prisma Access license Prisma Access 6.1 version required

The following table details the changes in default behavior for Prisma Access version 6.1.

Component	Change
Locations added to New and Existing Prisma Access Deployments	The following locations Prisma Access are supported starting with `Prisma Access` 6.1. New deployments have these locations added automatically; for existing deployments, each out to your Palo Alto Networks account representative to add them, who will contact the Site Reliability Engineering (SRE) team and submit a request. The following functionality is not supported for these locations: App Acceleration Colo-Connect Dynamic Privilege Access IPv6 Private App Security Privileged Remote Access Remote Browser Isolation (RBI) Remote Networks Service Provider Interconnects Static IP Address Allocation Traffic Replication If you require additional functionality, we recommend that you onboard alternate locations.
Location Groups Changing for the Mexico Central and Mexico West Mobile User Locations	The Mexico Central and Mexico West locations are changing their IP pool location group starting with the Prisma Access 6.1 release. If you have enabled the `Prisma Access`Mexico Central or Mexico West mobile user locations, and have created mobile user IP address pools based on location groups, be aware that the location groups have changed: The Mexico Central location changed from ip-pool-group-31 (US-Central) to ip-pool-group-1 (US-Eastern). If you’ve enabled the Mexico Central Prisma Access Mobile User location and have added a mobile user IP address pool based on ip-pool-group-31 (US-Central), an update in the Prisma Access infrastructure caused the Strata Cloud Manager or Panorama UI to show Mexico Central in its new pool group ip-pool-group-1 (US-Eastern). However, the Prisma Access infrastructure continues to provide IP addresses from ip-pool-group-31 (US-Central). This is a cosmetic issue and will not cause connectivity issues provided that the IP address pool group is not modified. The Mexico West location changed from ip-pool-group-23 (US-Western) to ip-pool-group-1 (US-Eastern). If you’ve enabled the Mexico West Prisma Access Mobile User location and have added a mobile user IP address pool based on ip-pool-group-23 (US-Western), an update in the Prisma Access infrastructure caused the Strata Cloud Manager or Panorama UI to show Mexico West in its new pool group ip-pool-group-1 (US-Eastern). However, the Prisma Access infrastructure continues to provide IP addresses from ip-pool-group-23 (US-Western). This is a cosmetic issue and will not cause connectivity issues provided that the IP address pool group is not modified. To align with the updated Private IP allocation structure, if you are affected, you must perform the following steps immediately: Preallocate public IP address for Mexico Central and Mexico West `Prisma Access` location using APIs, or contact your Palo Alto Networks account representative to assist with this process. Allow list these public IP addresses in your SaaS applications. Deboard the Mexico Central `Prisma Access` location. Deboard the Mexico West `Prisma Access` location. Push your configuration (Push ConfigPush for `Prisma Access (Managed by Strata Cloud Manager)` deployments or CommitCommit & Push `Prisma Access (Managed by Panorama)` deployments) to save the changes After the push is successful, re-onboard the Mexico Central and Mexico West PA locations. Configuring new mobile user IP address pool allocation for users coming from these locations, using the new, correct pool group: US-Eastern (ip-pool-group-1).
Remove TLS Max Version of Max for Mobile Users—GlobalProtect Deployments	For Mobile Users—GlobalProtect deployments, if you have TLS Protocol Settings enabled (PanoramaCloud ServicesConfigurationMobile Users—GlobalProtect`<hostname>`GeneralTLS Protocol Settings and have a Max Version of Max, change the protocol version to either TLSv1.2 or TLSv1.3 before upgrading your Cloud Services plugin to 6.1. Failure to do so will cause a commit validation error after you upgrade.

Component

Change

Locations added to New and Existing Prisma Access Deployments

The following locations Prisma Access are supported starting with Prisma Access 6.1. New deployments have these locations added automatically; for existing deployments, each out to your Palo Alto Networks account representative to add them, who will contact the Site Reliability Engineering (SRE) team and submit a request.

The following functionality is not supported for these locations:

If you require additional functionality, we recommend that you onboard alternate locations.

Location Groups Changing for the Mexico Central and Mexico West Mobile User Locations

The Mexico Central and Mexico West locations are changing their IP pool location group starting with the Prisma Access 6.1 release. If you have enabled the Prisma AccessMexico Central or Mexico West mobile user locations, and have created mobile user IP address pools based on location groups, be aware that the location groups have changed:

The Mexico Central location changed from ip-pool-group-31 (US-Central) to ip-pool-group-1 (US-Eastern).
If you’ve enabled the Mexico Central Prisma Access Mobile User location and have added a mobile user IP address pool based on ip-pool-group-31 (US-Central), an update in the Prisma Access infrastructure caused the Strata Cloud Manager or Panorama UI to show Mexico Central in its new pool group ip-pool-group-1 (US-Eastern). However, the Prisma Access infrastructure continues to provide IP addresses from ip-pool-group-31 (US-Central). This is a cosmetic issue and will not cause connectivity issues provided that the IP address pool group is not modified.
The Mexico West location changed from ip-pool-group-23 (US-Western) to ip-pool-group-1 (US-Eastern).
If you’ve enabled the Mexico West Prisma Access Mobile User location and have added a mobile user IP address pool based on ip-pool-group-23 (US-Western), an update in the Prisma Access infrastructure caused the Strata Cloud Manager or Panorama UI to show Mexico West in its new pool group ip-pool-group-1 (US-Eastern). However, the Prisma Access infrastructure continues to provide IP addresses from ip-pool-group-23 (US-Western). This is a cosmetic issue and will not cause connectivity issues provided that the IP address pool group is not modified.

To align with the updated Private IP allocation structure, if you are affected, you must perform the following steps immediately:

Preallocate public IP address for Mexico Central and Mexico West Prisma Access location using APIs, or contact your Palo Alto Networks account representative to assist with this process.
Allow list these public IP addresses in your SaaS applications.
Deboard the Mexico Central Prisma Access location.
Deboard the Mexico West Prisma Access location.
Push your configuration (Push ConfigPush for Prisma Access (Managed by Strata Cloud Manager) deployments or CommitCommit & Push Prisma Access (Managed by Panorama) deployments) to save the changes
After the push is successful, re-onboard the Mexico Central and Mexico West PA locations.
Configuring new mobile user IP address pool allocation for users coming from these locations, using the new, correct pool group: US-Eastern (ip-pool-group-1).

Remove TLS Max Version of Max for Mobile Users—GlobalProtect Deployments

For Mobile Users—GlobalProtect deployments, if you have TLS Protocol Settings enabled (PanoramaCloud ServicesConfigurationMobile Users—GlobalProtect<hostname>GeneralTLS Protocol Settings and have a Max Version of Max, change the protocol version to either TLSv1.2 or TLSv1.3 before upgrading your Cloud Services plugin to 6.1. Failure to do so will cause a commit validation error after you upgrade.

New Features in Prisma Access 6.1

Prisma Access Known Issues

Prisma Access Docs

Changes to Default Behavior for Prisma Access 6.1

Prisma Access Docs

Changes to Default Behavior for `Prisma Access` 6.1

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner