What's New in Prisma Access Agent

Learn about the new features in the Prisma Access Agent.
Where Can I Use This?
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • NGFW (Managed by Panorama)
What Do I Need?
  • Check the prerequisites for the deployment you're using
  • Contact your Palo Alto Networks account representative to activate the Prisma Access Agent feature
Review the latest feature updates for Prisma Access Agent.

What's New in May 2025

The following features are new in the May 2025 release of Prisma Access Agent.

Customizable Prisma Access Agent Session Timeout Settings

Unexpected session timeouts and inactivity logouts can significantly disrupt user productivity and lead to increased helpdesk tickets. The Prisma Access Agent addresses this issue by introducing configurable notifications that alert users before their sessions expire or terminate due to inactivity. You can now set up timely warnings and custom messages to keep your users informed and provide them with the option to extend their sessions when needed.
You can customize sessions by setting their duration, scheduling logout notifications, and creating custom expiration messages. You can set the duration a user can stay logged in to a session, and also set the amount of time to wait before the agent session ends due to user inactivity. The ability to customize session timeouts and notifications helps balance user access needs with network security. It enables you to control session timeouts, keep users informed about their session status, and communicate important information.
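The session settings described above (maximum duration, inactivity timeout, a warning lead time, and custom messages) reduce to a small state machine. The following is an added illustration of that logic in Python, not Prisma Access Agent code; the policy values and the `evaluate_session`/`extend_session` names are constructed for the example, and the extension only resets the idle timer because a user cannot outlive the admin-set session lifetime.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class SessionState(Enum):
    ACTIVE = "active"
    WARN_EXPIRY = "warn-expiry"          # maximum session duration nearly reached
    WARN_INACTIVITY = "warn-inactivity"  # inactivity timeout nearly reached
    EXPIRED = "expired"                  # maximum session duration reached
    INACTIVE_LOGOUT = "inactive-logout"  # ended because the user was idle too long


@dataclass(frozen=True)
class SessionPolicy:
    """Admin-defined timeout settings (constructed example values, not product defaults)."""
    max_duration_s: int        # how long a user may stay logged in to one session
    inactivity_timeout_s: int  # idle time after which the agent ends the session
    warn_before_s: int         # how far ahead of either deadline to notify the user
    expiry_message: str = "Your session is about to expire."
    inactivity_message: str = "You will be logged out due to inactivity."


def evaluate_session(policy: SessionPolicy, login_at: int, last_activity_at: int,
                     now: int) -> tuple[SessionState, str | None]:
    """Return the session state at time `now` plus the notification text, if any.

    Times are seconds from an arbitrary epoch. Hard deadlines are checked first,
    then the warning windows; when both warnings apply, the nearer deadline wins.
    """
    elapsed = now - login_at
    idle = now - last_activity_at
    if elapsed >= policy.max_duration_s:
        return SessionState.EXPIRED, None
    if idle >= policy.inactivity_timeout_s:
        return SessionState.INACTIVE_LOGOUT, None

    until_expiry = policy.max_duration_s - elapsed
    until_idle_logout = policy.inactivity_timeout_s - idle
    if until_expiry <= policy.warn_before_s and until_expiry <= until_idle_logout:
        return SessionState.WARN_EXPIRY, f"{policy.expiry_message} ({until_expiry}s remaining)"
    if until_idle_logout <= policy.warn_before_s:
        return SessionState.WARN_INACTIVITY, f"{policy.inactivity_message} ({until_idle_logout}s remaining)"
    return SessionState.ACTIVE, None


def extend_session(policy: SessionPolicy, login_at: int, now: int) -> int | None:
    """User chose to stay signed in: reset the idle timer by recording activity now.

    Returns the new last-activity timestamp, or None when the session has already
    reached its maximum duration (an extension cannot outlive the admin-set lifetime).
    """
    if now - login_at >= policy.max_duration_s:
        return None
    return now


if __name__ == "__main__":
    # Constructed timeline: 8 h sessions, 15 min idle timeout, 2 min warning lead time.
    policy = SessionPolicy(max_duration_s=28_800, inactivity_timeout_s=900, warn_before_s=120)
    last_activity = 0
    for now in (100, 800, 28_700):
        state, message = evaluate_session(policy, 0, last_activity, now)
        print(f"t={now:>6}s  {state.value:<17} {message or ''}")
        if state is SessionState.WARN_INACTIVITY:
            last_activity = extend_session(policy, 0, now) or last_activity
```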

Disable Prisma Access Agent with One-Time Password

To address the potential risks of end users disabling the Prisma Access Agent, your users can now use a one-time password (OTP) system to securely disable the agent. With the OTP system, Prisma Access Agent can generate unique, single-use codes for agent disabling, enhancing security and administrative control. You can configure the OTP system on a per-user or per-user group basis, providing granular control over who can disable agents and when. When users enter the correct OTP, the agent verifies it locally and disables itself, ensuring functionality even in offline scenarios. This feature also improves auditing capabilities by logging all OTP-related activities, helping you track and monitor agent disabling events across your network. By implementing this OTP system, you can meet compliance requirements, align with industry standards, and provide a more secure and flexible solution for managing Prisma Access Agents.
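The properties listed above (unique single-use codes, local verification that works offline, per-user scope, and an audit trail) are what a counter-based one-time-code scheme provides. The block below is an added Python illustration of such a scheme and is not Prisma Access Agent's implementation, whose internals the page does not describe: it uses the RFC 4226 HOTP construction with SHA-256, assumes a per-user secret provisioned to the endpoint at enrolment, and the `DisableGate` class, `look_ahead` window and audit format are constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
import struct
from dataclasses import dataclass, field


def hotp(secret: bytes, counter: int, digits: int = 8) -> str:
    """HMAC-based one-time code (RFC 4226 construction, here with SHA-256).

    The counter is encoded as a 64-bit big-endian value; dynamic truncation picks
    a 4-byte window of the digest and reduces it to `digits` decimal digits.
    """
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha256).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def issue_disable_code(secret: bytes, counter: int) -> str:
    """Admin side: mint the next code for a user. The admin must persist `counter`
    per user and never hand out the same counter twice."""
    return hotp(secret, counter)


@dataclass
class DisableGate:
    """Agent side: verifies codes locally (no network needed) and records every attempt."""
    secrets: dict[str, bytes]                      # user -> secret provisioned at enrolment (assumed)
    look_ahead: int = 5                            # tolerate a few issued-but-unused earlier codes
    next_counter: dict[str, int] = field(default_factory=dict)
    audit: list[dict] = field(default_factory=list)

    def try_disable(self, user: str, code: str, now: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            self._log(user, now, False, "user not enrolled for OTP disable")
            return False
        start = self.next_counter.get(user, 0)
        for counter in range(start, start + self.look_ahead):
            if hmac.compare_digest(hotp(secret, counter), code):
                # Burn this counter and any skipped earlier ones so no code can be replayed.
                self.next_counter[user] = counter + 1
                self._log(user, now, True, f"counter {counter} consumed; agent disabled")
                return True
        self._log(user, now, False, "no match within look-ahead window")
        return False

    def _log(self, user: str, now: int, accepted: bool, detail: str) -> None:
        self.audit.append({"ts": now, "user": user, "accepted": accepted, "detail": detail})


if __name__ == "__main__":
    secret = b"constructed-per-user-secret"           # constructed sample, not a real key
    gate = DisableGate(secrets={"alice": secret})
    code = issue_disable_code(secret, 0)
    print("first use :", gate.try_disable("alice", code, now=1000))   # True
    print("replay    :", gate.try_disable("alice", code, now=1001))   # False
    for entry in gate.audit:
        print(entry)
```

The audit list is what an administrator would forward to a log pipeline; the `accepted=False` entries are the ones worth alerting on when they cluster for one user.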

Endpoint Insights for Prisma Access Agent

IT administrators and support teams often face challenges with limited visibility into endpoints, making it difficult to troubleshoot any access issues that arise from agent rollouts, upgrades, configuration changes, or changes to the endpoint environment. Prisma Access Agent addresses these challenges by collecting endpoint insights data that provides comprehensive endpoint visibility and troubleshooting data collection capabilities.
Prisma Access Agent simplifies troubleshooting endpoint access issues by automatically collecting diagnostic data. Understanding the endpoint insights can help you reduce the mean time to resolve (MTTR) issues by minimizing the need for human involvement when troubleshooting endpoint issues. Prisma Access Agent collects comprehensive data on the endpoint state and health, agent deployment and performance, and troubleshooting data periodically or based on critical triggers. This streamlines the process to collect and access the data necessary for troubleshooting endpoint issues, reducing downtime, and improving the overall reliability of Prisma Access Agent deployments.
Endpoint insights assist in troubleshooting various use cases, such as interoperability conflicts with third-party software, OS compatibility issues, and agent performance problems by collecting detailed information about the endpoints such as installed applications, agent details, and performance and troubleshooting data.

IPv6 Sinkholing

While the Prisma Access Agent routes mobile user IPv4 traffic through a protected tunnel to Prisma Access, IPv6 traffic is conventionally sent to the local network adapter on an endpoint. Prisma Access offers the ability to enhance security for dual-stack endpoints by sinkholing IPv6 traffic. By enabling IPv6 sinkholing, you can effectively mitigate risks associated with IPv6-based threats, thus reducing your overall attack surface. This feature is valuable in scenarios where you need to maintain a secure environment for mobile users accessing the internet. As endpoints can automatically fall back to IPv4 addresses, you can ensure a continuous and protected user experience without compromising on security. By implementing this capability, you strike an optimal balance between robust threat prevention and uninterrupted connectivity for your mobile workforce.

LDAP Support for Prisma Access Agent

Organizations transitioning to Prisma Access Agent face challenges when their existing authentication infrastructure uses LDAP/LDAPS, as Prisma Access Agent previously only supported SAML and certificate authentication through Cloud Identity Engine (CIE). This can create significant adoption barriers, especially in regions where LDAP usage is prevalent. LDAP support for Prisma Access Agent addresses this challenge by enabling you to leverage your existing GlobalProtect™ portal LDAP authentication infrastructure, eliminating the need to reconfigure authentication methods when migrating to Prisma Access Agent.
With LDAP authentication support, you can now configure your Prisma Access Agent to authenticate users against your existing directory services through the GlobalProtect portal. This integration provides a seamless authentication experience for your users while maintaining your existing security policies. The feature supports all standard LDAP configuration options, including Base DN, Bind DN, multiple LDAP servers, SSL/TLS secure connections, and server certificate verification for SSL sessions. You can also combine LDAP authentication with client certificate authentication using AND/OR logic to meet your specific security requirements.
The enhanced user experience includes support for saved user credentials, enabling seamless authentication across device states such as sleep-wake cycles, hibernation, and network transitions. When properly configured, users won't need to repeatedly enter their credentials after logging into their operating system.
By supporting LDAP authentication through the GlobalProtect portal, Prisma Access Agent provides you with a smoother migration path from GlobalProtect to Prisma Access Agent, preserving your authentication setup while enabling you to transition to a newer access agent. This feature is valuable for existing deployments where reconfiguring authentication methods would otherwise increase deployment complexity and time.

Pre-Logon for Prisma Access Agent

Organizations face difficulties in pushing updates to remote machines without requiring users to log in to their machines, which can delay critical updates and impact user productivity. Pre-logon for Prisma Access Agent addresses this challenge by establishing a secure connection before user authentication occurs. This feature enables you to manage and update remote devices efficiently, improving IT productivity, and enhancing the overall security posture.
With pre-logon, you can establish a tunnel as soon as a device boots up, using machine certificate authentication. This enables access to critical resources like domain controllers or LDAP servers, even when they are only accessible through the tunnel. You can now perform essential management tasks, such as applying group policies, installing software updates, and synchronizing roaming profiles, without waiting for user login.
Pre-logon is useful for remote users. It enables scenarios such as applying group policies and software updates before user login, and synchronizing roaming profiles. For kiosks such as ATMs, it allows connection to the corporate network without user intervention.
The feature requires client certificates for authentication. You can configure certificate-based authentication for pre-logon while maintaining SAML or other methods for user login. This flexibility ensures that your security policies remain intact while improving device management capabilities.
You can troubleshoot the agent using existing Prisma Access Agent tools like log retrieval and HIP reports even when the pre-logon tunnel is active. The feature supports agent upgrades and downgrades, ensuring your devices remain current and secure.
By implementing pre-logon, you can significantly improve the management of remote and corporate-owned devices, reduce IT overhead, and enhance security by ensuring devices are properly configured and updated before users gain full network access. This feature is designed to work across system restarts and sleep-wake cycles, providing consistent connectivity for your managed devices.

Prisma Access Agent Captive Portal Support

Mobile users often struggle to connect securely when working from locations with captive portals, such as hotels, cafes, and airports. These captive portals require authentication before allowing internet access. Prisma Access Agent automatically detects when a user has connected to a network with a captive portal and opens the captive portal authentication page in its embedded browser, enabling users to authenticate without bypassing security policies. This approach enhances security by containing the captive portal interaction within the controlled environment of the embedded browser, mitigating risks associated with external browser use.
By using captive portal support with Prisma Access Agent's embedded browser functionality, you ensure that your mobile workforce maintains secure access to corporate resources across diverse network environments. It prevents scenarios where employees are unable to access the internet or corporate resources due to undetected captive portals, while also addressing security concerns related to captive portal interactions. This solution significantly reduces connectivity-related support tickets, improves overall user productivity, and provides an integrated, secure experience for your remote and traveling employees while maintaining the stringent security standards your organization requires.
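Captive-portal detection of the kind described above generally works by fetching a known probe URL and checking whether the response is the one the probe endpoint is known to return. The following is an added Python example of that check, not Prisma Access Agent's detection code (the page does not describe its mechanism): `PROBE_URL` is a placeholder you would replace with an endpoint under your control that answers HTTP 204 with an empty body, the `classify` and `probe` function names are constructed, and the probe responses in the test are constructed samples.

```python
from __future__ import annotations

import urllib.error
import urllib.request
from dataclasses import dataclass
from enum import Enum

# Placeholder (assumption): replace with your own endpoint that always answers 204, no body.
PROBE_URL = "http://probe.example.invalid/generate_204"
EXPECTED_STATUS = 204


class NetworkState(Enum):
    ONLINE = "online"
    CAPTIVE_PORTAL = "captive-portal"
    OFFLINE = "offline"


@dataclass(frozen=True)
class ProbeResult:
    status: int | None          # None when no HTTP response came back at all
    headers: dict[str, str]
    body: bytes


def classify(result: ProbeResult) -> tuple[NetworkState, str | None]:
    """Return the network state and, for a captive portal, the URL to open in the embedded browser."""
    if result.status is None:
        return NetworkState.OFFLINE, None
    if result.status == EXPECTED_STATUS and not result.body:
        return NetworkState.ONLINE, None
    # A redirect is the classic captive-portal signature: the portal wants the
    # client to land on its login page.
    location = {k.lower(): v for k, v in result.headers.items()}.get("location")
    if 300 <= result.status < 400 and location:
        return NetworkState.CAPTIVE_PORTAL, location
    # Anything else (200 with an injected HTML login page, 511 Network Authentication
    # Required, ...) means the probe was intercepted; opening the probe URL itself lets
    # the portal present whatever page it serves.
    return NetworkState.CAPTIVE_PORTAL, PROBE_URL


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Do not follow redirects: the redirect itself is the evidence we want."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe(url: str = PROBE_URL, timeout: float = 3.0) -> ProbeResult:
    """Fetch the probe URL without following redirects and capture what came back."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return ProbeResult(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:          # 3xx/4xx/5xx still carry useful headers
        return ProbeResult(err.code, dict(err.headers), err.read() or b"")
    except (urllib.error.URLError, OSError):       # DNS failure, timeout, no route
        return ProbeResult(None, {}, b"")


if __name__ == "__main__":
    state, target = classify(probe())
    print(state.value, target or "")
```

Two details matter for the defender: the probe must not follow redirects (otherwise a portal page would be fetched and parsed in whatever follows the redirect), and a `200` with unexpected content is treated as interception rather than success, which is what keeps the portal interaction inside the embedded browser instead of an external one.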

Prisma Access Agent Embedded Browser Support for SAML Authentication

Managing SAML authentication across various web browsers poses significant challenges for administrators, often resulting in a cumbersome user experience with annoying pop-ups and redirections between the access agent and browser.
The Prisma Access Agent embedded browser addresses this issue by integrating a dedicated browser directly into the agent, providing your users with a consistent in-app experience for Prisma Access Agent logins, simplifying administration and enhancing security. By keeping the authentication process within the application, you eliminate the need for external browser interactions, reduce the risk of user confusion, and mitigate potential security vulnerabilities associated with browser redirections.
With support for various authentication methods and compatibility with existing Prisma Access Agent features, the embedded browser significantly improves both security and usability in your remote access infrastructure.

Transparent Proxy Support for Prisma Access Agent

Prisma Access Agent now supports transparent proxy connections, offering always-on internet security and private app access for your mobile users. This feature enables seamless coexistence with third-party VPN agents, enhancing your organization's security posture. You can use it to secure all internet traffic from browser and nonbrowser apps, even when users are disconnected from the tunnel. The solution forwards internet traffic to Prisma Access, preventing users from bypassing Prisma Access.
You can support various scenarios including users connecting from home, branch offices, or public Wi-Fi. It's compatible with endpoints running third-party VPNs in full or split tunnel modes. The feature prevents conflicts on endpoints and offers admin controls to maintain smooth operation. You will find this useful for maintaining consistent security across diverse networks. It supports continuous trust verification for mobile users through device posture checks. By implementing this functionality, you can enforce security policies regardless of user location or connection method, strengthening your overall security posture with always-on connectivity.

What's New in April 2025

The following features are new in the April 2025 release of Prisma Access Agent.

Automatic Tunnel Restoration

Automatic tunnel restoration in Prisma Access Agents automatically restores secure connections after interruptions like network disruptions or system sleep modes. This feature operates in both Always On and On Demand connectivity modes. In Always On mode, the Prisma Access Agent continuously attempts to maintain a connection, while On Demand mode allows your users to control when to connect or disconnect. The secure tunnel restoration process efficiently decides whether to reconnect to the last known Prisma Access location or use the best location. This feature is useful for mobile workers, remote employees, and organizations requiring secure and stable network access. It helps maintain productivity by reducing manual reconnection efforts and minimizing downtime across various network conditions and device states.

Disable the Prisma Access Agent

You can give your end users the flexibility to temporarily disable the Prisma Access Agent when necessary. You can configure this feature on a per-user or user group basis, giving you granular control over who has the ability to disable the agent. When configured, users can conveniently disable and re-enable the agent through the Prisma Access Agent app.
This feature is useful in environments where other secure access solutions coexist, such as the GlobalProtect app. After disabling the Prisma Access Agent, your users will be able to switch to the GlobalProtect app without interference. This feature is compatible with various connection methods, including Always On and On Demand modes, and is compatible with the anti-tamper feature, which prevents an unauthorized user from tampering with the agent. By enabling this feature, you allow your users to manage their secure access connections more effectively while maintaining overall security and control.

Forwarding Profiles Configuration Validator

The Forwarding Profiles Setup page provides a forwarding profiles configuration validator for destination domains, which validates the FQDN and IP address that you enter. This ensures that the values you enter are valid and follow predefined standards, and is essential for preventing misconfigurations that could lead to system failures, security vulnerabilities, or degraded performance.
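The checks such a validator has to make (an IP literal in either address family, or an FQDN whose labels satisfy the hostname rules) are shown in the added Python example below. It is not the product's validator, whose exact rules the page does not state; it applies the RFC 1123 label syntax (1 to 63 characters, letters, digits and hyphens, no leading or trailing hyphen), a 253-character total, at least two labels, a non-numeric top-level label, and accepts a trailing root dot. The `validate_destination` and `check_destinations` names and the sample inputs are constructed.

```python
from __future__ import annotations

import ipaddress
import re

# One hostname label: starts and ends with a letter or digit, hyphens allowed inside, max 63 chars.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_FQDN_LEN = 253


def validate_destination(value: str) -> tuple[str, str]:
    """Classify a destination as 'ipv4', 'ipv6' or 'fqdn'.

    Returns (kind, normalized_value). Raises ValueError with the reason otherwise,
    so a form can show the user exactly what to fix.
    """
    candidate = value.strip()
    if not candidate:
        raise ValueError("empty value")

    # IP literal first: ipaddress handles both families and rejects octets > 255,
    # too many groups, and similar malformed input.
    try:
        ip = ipaddress.ip_address(candidate)
    except ValueError:
        pass
    else:
        return f"ipv{ip.version}", str(ip)

    host = candidate.rstrip(".").lower()          # tolerate a trailing root dot
    if len(host) > MAX_FQDN_LEN:
        raise ValueError(f"FQDN longer than {MAX_FQDN_LEN} characters")
    labels = host.split(".")
    if len(labels) < 2:
        raise ValueError("FQDN needs at least two labels (e.g. host.example)")
    for label in labels:
        if not LABEL_RE.match(label):
            raise ValueError(f"invalid label {label!r}")
    if labels[-1].isdigit():
        raise ValueError("top-level label cannot be all-numeric")
    return "fqdn", host


def check_destinations(values: list[str]) -> list[tuple[str, bool, str]]:
    """Validate a whole list the way a setup page would, returning (input, ok, detail)."""
    report = []
    for value in values:
        try:
            kind, normalized = validate_destination(value)
            report.append((value, True, f"{kind}: {normalized}"))
        except ValueError as err:
            report.append((value, False, str(err)))
    return report


if __name__ == "__main__":
    # Constructed sample inputs, including several that must be rejected.
    samples = ["Intranet.Corp.Example.", "10.0.0.1", "2001:DB8::1",
               "bad_host", "-bad.example.com", "300.1.1.1", "1.2.3.4.5"]
    for value, ok, detail in check_destinations(samples):
        print(f"{'OK ' if ok else 'ERR'} {value!r:28} {detail}")
```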

NGFW Support for Prisma Access Agent

NGFW Support for Prisma Access Agent enables organizations that use NGFW to adopt and manage Prisma Access Agents. This feature enhances secure access management while maintaining compatibility with existing authentication methods and NGFW setups, offering a smooth transition path to advanced Prisma Access Agent capabilities.

Optimized Prisma Access Agent MTU

Your organization might face challenges with agent connections traversing multiple ISPs and network hops, resulting in varying MTU values lower than the standard 1500 bytes. This situation can lead to excessive fragmentation, additional overhead, lower throughput, and dropped packets, ultimately causing poor performance and user frustration. Manual configuration of optimal MTU in such diverse environments is time-consuming, repetitive, and not scalable.
The optimized Prisma Access Agent MTU feature addresses these pain points by automatically determining and applying the optimal maximum transmission unit (MTU) size for agent connections. Optimized MTU is enabled by default in Prisma Access Agent to help improve connection stability and performance without manual intervention across various network conditions. This feature supports IPv4 tunnels and is compatible with IPSec and SSL tunnel protocols. It's valuable for organizations with remote users connecting through different ISPs or those frequently encountering MTU-related connectivity issues. By utilizing this feature, you can expect improved network throughput, reduced packet fragmentation, fewer retransmissions, enhanced end-user experience, increased productivity, and a decrease in support escalations related to connection performance issues.
Although optimized MTU is enabled by default for all Prisma Access Agents, you can manually configure and override the PMTU value if needed.
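The page does not describe how the agent determines the optimal MTU, so the block below is an added, generic Python illustration of the technique usually used for that purpose, path MTU discovery by binary search over probe sizes, together with the subtraction of tunnel encapsulation overhead to obtain the inner MTU. The `simulate_path` helper is a constructed stand-in for sending a don't-fragment probe across real hops, the 576-byte search floor is the IPv4 minimum assumed here, and the overhead value is a parameter because the exact per-protocol overhead is not given on the page.

```python
from __future__ import annotations

from typing import Callable

IPV4_MIN_MTU = 576    # search floor (assumption: IPv4 hosts must accept at least this)
DEFAULT_MTU = 1500    # the standard Ethernet MTU the page refers to


def simulate_path(hop_mtus: list[int]) -> Callable[[int], bool]:
    """Constructed stand-in for a DF-marked probe: it 'arrives' only if every hop carries it.

    On a real network the probe is a packet with the DF bit set; a hop that cannot
    forward it drops it (ideally returning ICMP Fragmentation Needed).
    """
    bottleneck = min(hop_mtus)
    return lambda size: size <= bottleneck


class CountingProbe:
    """Wraps a probe function so we can see how many packets discovery cost."""
    def __init__(self, probe: Callable[[int], bool]) -> None:
        self._probe = probe
        self.calls = 0

    def __call__(self, size: int) -> bool:
        self.calls += 1
        return self._probe(size)


def discover_path_mtu(probe: Callable[[int], bool],
                      low: int = IPV4_MIN_MTU, high: int = DEFAULT_MTU) -> int | None:
    """Largest size in [low, high] that the path carries, or None if even `low` fails.

    Binary search: roughly log2(high - low) probes instead of one per candidate size.
    """
    if not probe(low):
        return None
    while low < high:
        mid = (low + high + 1) // 2
        if probe(mid):
            low = mid           # mid fits; the answer is at least mid
        else:
            high = mid - 1      # mid was dropped; the answer is below mid
    return low


def tunnel_mtu(path_mtu: int, encapsulation_overhead: int) -> int:
    """Inner MTU for the tunnel interface so that encapsulated packets fit the path.

    `encapsulation_overhead` is the bytes the tunnel protocol adds per packet; pass
    the value for your protocol, it is deliberately not hard-coded here.
    """
    inner = path_mtu - encapsulation_overhead
    if inner < IPV4_MIN_MTU:
        raise ValueError(f"inner MTU {inner} is below the IPv4 minimum")
    return inner


if __name__ == "__main__":
    # Constructed path: a 1492-byte PPPoE-style hop and a 1400-byte bottleneck.
    probe = CountingProbe(simulate_path([1500, 1492, 1400]))
    pmtu = discover_path_mtu(probe)
    print(f"path MTU {pmtu} found with {probe.calls} probes")
    print("tunnel MTU with 100 bytes overhead (illustrative):", tunnel_mtu(pmtu, 100))
```

The reason this is automated in the agent rather than set by hand is visible in the numbers: each user's path has its own bottleneck, and a mobile user changes paths every time they change networks, so a static value is either too large (fragmentation, drops) or needlessly small (lost throughput).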

Panorama Support for Prisma Access Agent

Panorama Support for Prisma Access Agent enables you to manage and configure Prisma Access Agents on Strata Cloud Manager while continuing to use Panorama for your Prisma Access deployment. This feature allows Panorama Managed Prisma Access customers to utilize Prisma Access Agents without migrating to the Strata Cloud Manager management interface. You can configure agent behavior, forwarding profiles, authentication methods, and infrastructure settings specific to Prisma Access Agents through Strata Cloud Manager. The feature supports both Prisma Access gateways and on-premises gateways, allowing you to manage Prisma Access Agent configurations across your hybrid deployments. You can take advantage of the advanced security capabilities of the Prisma Access Agent while maintaining your current Panorama-based management approach. By using this feature, you can enhance your security posture with Prisma Access Agents while preserving your investment in Panorama and maintaining operational continuity.