Prisma Access Agent
What's New in Prisma Access Agent
Learn about the new features in the Prisma Access Agent.
Review the latest feature updates for Prisma Access Agent.
- What's New in Prisma Access Agent 25.4
- What's New in Prisma Access Agent 25.3.0 (Mobile)
- What's New in Prisma Access Agent 25.3.1
- What's New in Prisma Access Agent 25.3
- What's New in Prisma Access Agent 25.1
What's New in Prisma Access Agent 25.4
The following features are new in Prisma Access Agent 25.4.
Administrator-Initiated Collection of Diagnostics in Prisma Access Agent
When network connectivity issues occur at remote endpoints, traditional
troubleshooting requires time-consuming manual coordination between IT
administrators and end users to collect diagnostic data, often resulting in delayed
resolution and lost context by the time logs are gathered. Prisma Access Agent
eliminates these bottlenecks by enabling you to remotely trigger comprehensive
diagnostic collection from any managed endpoint instantly, automatically capturing
logs and telemetry data to preserve the exact conditions when issues occur.
This enhanced version introduces on-demand diagnostic triggers that you can initiate directly from the Inventory page.
You can initiate the immediate collection of endpoint logs, agent status
information, network connectivity data, and system diagnostics without requiring any
action from the end user. When you trigger a diagnostic session, the system
automatically captures a complete snapshot of the endpoint's current state including
tunnel status, gateway information, session duration, MTU settings, and operating
system details. At the same time, Prisma Access Agent collects delta logs from the
previous 10 minutes to preserve critical troubleshooting context.
Enhanced data collection provides deeper visibility into endpoint state than previous
versions. It captures detailed machine information such as operating system type and
version and comprehensive tunnel details including connection methods and
optimization settings.
Diagnostic data retention is now fully configurable through the management interface,
enabling you to set retention periods that align with your organization's compliance
requirements and storage policies. The system defaults to a 45-day retention period
for collected diagnostic data, with the flexibility to extend retention up to two
years based on your troubleshooting and audit needs, ensuring that historical
diagnostic information remains available for trend analysis and recurring issue
investigation.
The improved administrative interface enables you to monitor diagnostic collection
jobs in real-time, track the status of multiple concurrent diagnostic sessions, and
access the collected data through a streamlined workflow that presents device
details, agent status, and troubleshooting logs in an organized format. You can
download complete diagnostic packages for offline analysis or sharing with support
teams, ensuring that all relevant information is available for escalation when
complex issues require specialized expertise.
Enhanced Anti-Tamper Protection for Prisma Access Agent
Enhanced anti-tamper protection for Prisma
Access Agent extends the current anti-tamper protection implementation by
introducing a secure and flexible approach to protecting agent services, processes,
files, and registries from unauthorized tampering. The enhanced anti-tamper
protection provides unique one-time passwords (OTPs) and a more granular configuration
in which you can assign privileged access tokens per user and user group, giving you
finer control over who can modify the agent and when.
Enhanced anti-tamper protection supports the following use cases:
- Granular anti-tamper protection—Gives you the flexibility to configure anti-tamper settings (also called privileged access protection settings) at a per-user or per-user group level.
- Selective protection for operational teams—Temporarily disable privileged access protection for certain users or user groups who need the ability to modify files and folders, such as DevOps users, while maintaining anti-tamper protection for the rest of your users and user groups.
- Streamlined bulk operations—Allow certain users to perform batch operations such as installing Prisma Access Agent on endpoints for specific users or user groups.
- Offline access continuity—For emergency situations, such as when a device loses network connectivity, an emergency Privileged Access Token allows authorized users to perform necessary maintenance.
- User-initiated troubleshooting—Provides time-bound access for problem resolution by providing time-limited Privileged Access OTPs for specific troubleshooting scenarios. This enables self-service problem resolutions while maintaining security controls.
The enhanced anti-tamper protection introduces several types of access passwords to
address different scenarios. The Privileged Access Token serves as an emergency
override solution for critical situations, such as when a device loses network
connectivity. The Privileged Access OTP enables end users to execute any privileged
command for troubleshooting. Specific operation OTPs are also available for targeted
actions like disabling or uninstalling the agent. You can configure the duration for
which protection remains disabled after using these tokens, with values ranging from
30 to 480 minutes.
Role-based access control (RBAC) ensures that only authorized administrators, such as
superusers or security administrators, can access the Privileged Access Token. Any
administrator who has access to the Inventory page can view and copy OTPs. All OTPs
are automatically refreshed after one-time usage and are never stored on the
endpoint, maintaining a secure environment even if a device is compromised.
Optimized Prisma Access Agent MTU for macOS
Your organization might face challenges with agent connections traversing multiple
ISPs and network hops, resulting in varying MTU values lower than the standard 1500
bytes. This situation can lead to excessive fragmentation, additional overhead,
lower throughput, and dropped packets, ultimately causing poor performance and user
frustration. Manual configuration of optimal MTU in such diverse environments is
time-consuming, repetitive, and not scalable.
The optimized Prisma Access Agent MTU feature addresses these pain points by
automatically determining and applying the optimal maximum transmission unit (MTU)
size for agent connections. Optimized MTU is enabled by default in Prisma Access
Agent to help improve connection stability and performance without manual
intervention across various network conditions. This feature supports IPv4 tunnels
and is compatible with IPSec and SSL tunnel protocols. It's valuable for
organizations with remote users connecting through different ISPs or those
frequently encountering MTU-related connectivity issues. By utilizing this feature,
you can expect improved network throughput, reduced packet fragmentation, fewer
retransmissions, enhanced end-user experience, and increased productivity. You might
also experience a decrease in support escalations related to connection performance
issues.
Originally available on Windows Prisma Access Agents, optimized MTU support is
extended to macOS agents, providing consistent MTU optimization across both major
desktop platforms.
Although optimized MTU is enabled by default for all Prisma Access Agents, you can
manually configure and override the path MTU (PMTU) value if needed.
Prisma Access Agent Certificate Authentication for Panorama Managed Deployments
Prisma Access Agent extends client certificate authentication support
to Panorama Managed Prisma Access and NGFW deployments, enabling you to implement
certificate-based security controls through the Prisma Access Agent Manager (EPM)
configuration interface. This feature provides you with three authentication
options: Client Certificate through Cloud Identity Engine, Client Certificate OR
SAML through Cloud Identity Engine, and Client Certificate AND SAML through Cloud
Identity Engine. You can configure these options based on your organization's
security requirements and compliance needs. Certificate authentication is essential
when you need strong device identity verification before granting network access.
This capability enables you to enforce certificate-based policies consistently
across NGFW and Prisma Access gateways in hybrid deployments. The feature integrates
with Cloud Identity Engine to provide centralized certificate management and
validation.
Prisma Access Agent Endpoint OS Type Support on Panorama Managed Deployments
Match criteria for user authentication now include endpoint operating system (OS) type
support in the Prisma Access Agent configuration interface for Panorama
Managed Prisma Access and NGFW deployments, enabling you to create authentication
policies based on operating system types. This feature enables you to apply
different authentication requirements for the supported OS types. You can configure
platform-specific authentication rules that align with your organization's security
posture for different OS types. This capability is valuable when you need to
implement varying security controls based on device capabilities or organizational
policies. Platform-based authentication helps you balance security requirements with
user experience across diverse endpoint environments.
Prisma Access Agent Stale Configuration Management on Panorama Managed Deployments
Prisma Access Agent extends configuration validation and notification
capabilities to Panorama managed deployments, providing you with
real-time alerts about outdated or invalid configurations that could impact service
availability. When you initially set up the agent using the Prisma Access Agent
configuration interface (EPM), the agent inherits objects managed in Panorama like
gateway settings and certificates. After the initial setup, any changes in Panorama
are not reflected in the EPM, causing the agent configurations in the EPM to become
outdated. The Prisma Access Agent configuration interface now displays notification
banners when dependent objects such as gateways or certificates become stale. For
example, you will receive notifications when gateways deleted on Panorama remain in
use in EPM configurations, or when expired or deleted authentication override
certificates on Panorama remain in use in the EPM configuration interface. You will
also receive a notification when certificate profiles in the HIP section of the
Prisma Access Agent Settings page become outdated. These notifications appear as
banners that can’t be dismissed across all configuration pages until you resolve the
underlying issues, ensuring that critical configuration problems are not overlooked
or ignored.
Session Timeout for Prisma Access Agents in Panorama Managed Deployments
Session timeout controls for Prisma Access
Agent are extended to Panorama Managed Prisma Access and NGFW deployments, providing
you with granular control over user session duration and expiration handling. You
can configure session timeouts in days, minutes, or hours based on your security
policies. The feature includes a notification system that warns users before their
session expires, with a default value of 0 and a maximum of 120 minutes for the
notification period. You can customize the session timeout expiration message to
provide users with appropriate guidance when their session ends. This capability
helps you enforce security policies while providing users with adequate warning to
save their work and maintain productivity.
Single Icon for Accessing Prisma Access Agent and Access Experience
To streamline the troubleshooting process, Prisma Access Agent now directly
integrates the Access Experience icon into its main application interface, giving
your users a convenient way to get help for their issues. This applies if
you enabled the installation of the Access Experience app along with the
installation of Prisma Access Agent. With this feature, you no longer need to
instruct users to find and click a separate icon in the Windows system tray or macOS
menu bar when they encounter connectivity issues. Instead, users simply open the
Prisma Access Agent app and access the integrated Access Experience icon, creating a
more intuitive workflow for resolving problems. This integration reduces interface
clutter and provides a more straightforward path to diagnostic tools.
The streamlined path to Access Experience provides your users with immediate access
to troubleshooting resources for connectivity issues, device health assessments, and
other common access problems. When users encounter difficulties, they can launch the
Prisma Access Agent, click the Access Experience icon within the application, and
immediately access diagnostic and self-help tools. To enable your users to access
the Access Experience app from Prisma Access Agent, you will need to configure the
agent to install Access Experience with Prisma Access Agent.
Traffic Enforcement for Non-TCP and Non-UDP Protocols
Prisma Access Agent traffic enforcement is enhanced to block all non-TCP and non-UDP traffic
when the agent is connected to the tunnel. This feature expands Prisma Access Agent
protocol coverage by implementing kernel-mode controls that block all non-TCP and
non-UDP traffic, providing an option to enforce security policy for these protocol
types.
When you enable this feature in your Prisma Access Agent deployment, the system
blocks non-TCP and non-UDP traffic while the tunnel is active. This applies to
protocols like ICMP, GRE, IPSec, and other IP-based protocols, ensuring these
protocols can’t bypass your security policy. You can optionally allow ICMP traffic
for network troubleshooting while still blocking other non-TCP and non-UDP
traffic.
This capability supports organizations that need strict traffic control for specific
projects or users by ensuring that non-TCP and non-UDP traffic gets blocked when the
agent is connected. The feature integrates with existing Prisma Access Agent
forwarding profiles and rules, enhancing your security posture without disrupting
current configurations.
You can configure the feature with two primary options: blocking all non-TCP and
non-UDP traffic when connected to the tunnel, and optionally allowing ICMP traffic
for troubleshooting purposes. The ICMP allowance option becomes available only when
you enable the primary blocking feature, providing flexibility for network
diagnostics while maintaining security controls.
What's New in Prisma Access Agent 25.3.0 (Mobile)
The following features are new in Prisma Access Agent mobile versions 25.3.0 (iOS)
and 25.3.0.11 (Android).
Mobile Support for Prisma Access Agent
Prisma Access Agent adds mobile support for Android OS, iOS, and iPadOS devices, enabling you to
extend secure network access to your mobile workforce through a next-generation
mobile access solution. You can deploy the agent to deliver consistent security
protection and network access controls across all applications (browser and native
apps), while maintaining visibility for your IT and security teams. The mobile agent
integrates with your existing Prisma Access or Next-Generation Firewall (NGFW)
infrastructure to provide secure connectivity for both internet and private app
access, ensuring that mobile users receive the same level of protection as desktop
endpoints.
You can leverage the mobile agent to support hybrid work environments where employees
require secure access from various locations and network conditions. The agent
simplifies your mobile security operations by eliminating the need for complex VPN
configurations while providing secure tunnel establishment between mobile devices
and your security infrastructure. You benefit from unified management capabilities
that enable you to configure and monitor mobile agents through familiar
administrative interfaces, reducing the complexity associated with managing separate
mobile security solutions.
The mobile agent addresses the operational challenges of securing diverse mobile
device fleets by providing consistent policy enforcement across different operating
systems. You can maintain the same security posture and access controls that you
apply to desktop endpoints, extending your organization's security perimeter to
include mobile devices without compromising control.
What's New in Prisma Access Agent 25.3.1
The following feature is new in Prisma Access Agent 25.3.1.
Prisma Access Agent Endpoint DLP Support
You can now deploy Endpoint DLP capabilities with Prisma
Access Agent to prevent exfiltration of sensitive data to peripheral devices such as
USB devices, printers, and network shares, or to control access to them. This
integration extends your Enterprise DLP policies directly to endpoints, enabling you
to monitor and control data movement on laptops, desktops, and mobile devices
regardless of their network location. You can manage how users handle sensitive
information on their devices, including file transfers, removable media usage, and
printer interactions.
Start by configuring your Endpoint DLP policy rules and deploying Prisma Access Agent
to the endpoints that you need to protect. The agent will detect file movement
between the endpoint and the peripheral device and then will evaluate and enforce
your Endpoint DLP policy rules. When necessary, the Prisma Access Agent forwards the
traffic to Enterprise DLP for inspection and to render a verdict. Enterprise DLP
then communicates the verdict to the Prisma Access Agent, which executes the action
you configured in the Endpoint DLP policy rule. Additionally, the Prisma Access
Agent is responsible for displaying a notification to the end user when they
generate a DLP incident.
What's New in Prisma Access Agent 25.3
The following features are new in Prisma Access Agent 25.3.
Mobile Support for Prisma Access Agent
Mobile support for Android OS, iOS, and iPadOS devices is described under What's New in Prisma Access Agent 25.3.0 (Mobile) above.
Customizable Prisma Access Agent Session Timeout Settings
Unexpected session timeouts and inactivity logouts can significantly disrupt user
productivity and lead to increased helpdesk tickets. The Prisma Access Agent
addresses this issue by introducing configurable notifications that alert users
before their sessions expire or terminate due to inactivity. You can now set up
timely warnings and custom messages to keep your users informed and provide them
with the option to extend their sessions when needed.
You can customize sessions by setting their
duration, scheduling logout notifications, and creating custom expiration messages.
You can set the duration a user can stay logged in to a session, and also set the
amount of time to wait before the agent session ends due to user inactivity. The
ability to customize session timeouts and notifications helps balance user access
needs with network security. It enables you to control session timeouts, keep users
informed about their session status, and communicate important information.
Disable Prisma Access Agent with One-Time Password
To address the potential risks of end users disabling the Prisma Access Agent, your
users can now use a one-time password (OTP) system to
securely disable the agent. With the OTP system, Prisma Access Agent can generate
unique, single-use codes for agent disabling, enhancing security and administrative
control. You can configure the OTP system on a per-user or per-user group basis,
providing granular control over who can disable agents and when. When users enter
the correct OTP, the agent verifies it locally and disables itself, ensuring
functionality even in offline scenarios. This feature also improves auditing
capabilities by logging all OTP-related activities, helping you track and monitor
agent disabling events across your network. By implementing this OTP system, you can
meet compliance requirements, align with industry standards, and provide a more
secure and flexible solution for managing Prisma Access Agents.
Endpoint Insights for Prisma Access Agent
IT administrators and support teams often face challenges with limited visibility
into endpoints, making it difficult to troubleshoot any access issues that arise
from agent rollouts, upgrades, configuration changes, or changes to the endpoint
environment. Prisma Access Agent addresses these challenges by collecting endpoint insights data that provides
comprehensive endpoint visibility and troubleshooting data collection
capabilities.
Prisma Access Agent simplifies troubleshooting endpoint access issues by
automatically collecting diagnostic data. Understanding the endpoint insights can
help you reduce the mean time to resolve (MTTR) issues by minimizing the need for
human involvement when troubleshooting endpoint issues. Prisma Access Agent collects
comprehensive data on the endpoint state and health, agent deployment and
performance, and troubleshooting data periodically or based on critical triggers.
This streamlines the process to collect and access the data necessary for
troubleshooting endpoint issues, reducing downtime, and improving the overall
reliability of Prisma Access Agent deployments.
Endpoint insights assist in troubleshooting various use cases, such as
interoperability conflicts with third-party software, OS compatibility issues, and
agent performance problems by collecting detailed information about the endpoints
such as installed applications, agent details, and performance and troubleshooting
data.
IPv6 Sinkholing
While the Prisma Access Agent routes mobile user IPv4 traffic through a protected
tunnel to Prisma Access, IPv6 traffic is conventionally sent to the local network
adapter on an endpoint. Prisma Access offers the ability to enhance security for
dual-stack endpoints by sinkholing IPv6 traffic. By enabling IPv6 sinkholing, you can
effectively mitigate risks associated with IPv6-based threats, thus reducing your
overall attack surface. This feature is valuable in scenarios where you need to
maintain a secure environment for mobile users accessing the internet. As endpoints
can automatically fall back to IPv4 addresses, you can ensure a continuous and
protected user experience without compromising on security. By implementing this
capability, you strike an optimal balance between robust threat prevention and
uninterrupted connectivity for your mobile workforce.
LDAP Support for Prisma Access Agent
Organizations transitioning to Prisma Access Agent face challenges when their
existing authentication infrastructure uses LDAP/LDAPS, as Prisma Access Agent
previously only supported SAML and certificate authentication through Cloud Identity
Engine (CIE). This can create significant adoption barriers, especially in regions
where LDAP usage is prevalent. LDAP support for Prisma Access Agent addresses this
challenge by enabling you to leverage your existing GlobalProtect™ portal LDAP
authentication infrastructure, eliminating the need to reconfigure authentication
methods when migrating to Prisma Access Agent.
With LDAP authentication support, you can now
configure your Prisma Access Agent to authenticate users against your existing
directory services through the GlobalProtect portal. This integration provides a
seamless authentication experience for your users while maintaining your existing
security policies. The feature supports all standard LDAP configuration options,
including Base DN, Bind DN, multiple LDAP servers, SSL/TLS secure connections, and
server certificate verification for SSL sessions. You can also combine LDAP
authentication with client certificate authentication using AND/OR logic to meet
your specific security requirements.
The enhanced user experience includes support for saved user credentials, enabling
seamless authentication across device states such as sleep-wake cycles, hibernation,
and network transitions. When properly configured, users won't need to repeatedly
enter their credentials after logging into their operating system.
By supporting LDAP authentication through the GlobalProtect portal, Prisma Access
Agent provides you with a smoother migration path from GlobalProtect to Prisma
Access Agent, preserving your authentication setup while enabling you to transition
to a newer access agent. This feature is valuable for existing deployments where
reconfiguring authentication methods would otherwise increase deployment complexity
and time.
Pre-Logon for Prisma Access Agent
Organizations face difficulties in pushing updates to remote machines without
requiring users to log in to their machines, which can delay critical updates and
impact user productivity. Pre-logon for Prisma Access Agent
addresses this challenge by establishing a secure connection before user
authentication occurs. This feature enables you to manage and update remote devices
efficiently, improving IT productivity, and enhancing the overall security
posture.
With pre-logon, you can establish a tunnel as soon as a device boots up, using
machine certificate authentication. This enables access to critical resources like
domain controllers or LDAP servers, even when they are only accessible through the
tunnel. You can now perform essential management tasks, such as applying group
policies, installing software updates, and synchronizing roaming profiles, without
waiting for user login.
Pre-logon is useful for remote users: it enables group policies and software updates
to be applied, and roaming profiles to be synchronized, before user login. For kiosks
such as ATMs, it allows connection to the corporate network without user intervention.
The feature requires client certificates for authentication. You can configure
certificate-based authentication for pre-logon while maintaining SAML or other
methods for user login. This flexibility ensures that your security policies remain
intact while improving device management capabilities.
You can troubleshoot the agent using existing Prisma Access Agent tools like log
retrieval and HIP reports even when the pre-logon tunnel is active. The feature
supports agent upgrades and downgrades, ensuring your devices remain current and
secure.
By implementing pre-logon, you can significantly improve the management of remote and
corporate-owned devices, reduce IT overhead, and enhance security by ensuring
devices are properly configured and updated before users gain full network access.
This feature is designed to work across system restarts and sleep-wake cycles,
providing consistent connectivity for your managed devices.
Prisma Access Agent Captive Portal Support
Mobile users often struggle to connect securely when working from locations with
captive portals, such as hotels, cafes, and airports. These captive portals require
authentication before allowing internet access. Prisma Access Agent automatically
detects when a user has connected to a network with a captive portal and opens the
captive portal authentication page in its embedded browser, enabling users to
authenticate without bypassing security policies. This approach enhances security by
containing the captive portal interaction within the controlled environment of the
embedded browser, mitigating risks associated with external browser use.
By using captive portal support with Prisma Access
Agent's embedded browser functionality, you ensure that your mobile workforce
maintains secure access to corporate resources across diverse network environments.
It prevents scenarios where employees are unable to access the internet or corporate
resources due to undetected captive portals, while also addressing security concerns
related to captive portal interactions. This solution significantly reduces
connectivity-related support tickets, improves overall user productivity, and
provides an integrated, secure experience for your remote and traveling employees
while maintaining the stringent security standards your organization requires.
Prisma Access Agent Embedded Browser Support for SAML Authentication
Managing SAML authentication across various web browsers poses significant challenges
for administrators, often resulting in a cumbersome user experience with annoying
pop-ups and redirections between the access agent and browser.
The Prisma Access Agent embedded browser addresses this issue by
integrating a dedicated browser directly into the agent, providing your users with a
consistent in-app experience for Prisma Access Agent logins, simplifying
administration and enhancing security. By keeping the authentication process within
the application, you eliminate the need for external browser interactions, reduce
the risk of user confusion, and mitigate potential security vulnerabilities
associated with browser redirections.
With support for various authentication methods and compatibility with existing Prisma
Access Agent features, the embedded browser significantly improves both security and
usability in your remote access infrastructure.
Transparent Proxy Support for Prisma Access Agent
Prisma Access Agent now supports transparent proxy connections, offering
always-on internet security and private app access for your mobile users. This
feature enables seamless coexistence with third-party VPN agents, enhancing your
organization's security posture. You can use it to secure all internet traffic from
browser and nonbrowser apps, even when users are disconnected from the tunnel. The
solution forwards internet traffic to Prisma Access, preventing users from bypassing
Prisma Access.
You can support various scenarios including users connecting from home, branch
offices, or public Wi-Fi. It's compatible with endpoints running third-party VPNs in
full or split tunnel modes. The feature prevents conflicts on endpoints and offers
admin controls to maintain smooth operation. You will find this useful for
maintaining consistent security across diverse networks. It supports continuous
trust verification for mobile users through device posture checks. By implementing
this functionality, you can enforce security policies regardless of user location or
connection method, strengthening your overall security posture with always-on
connectivity.
What's New in Prisma Access Agent 25.1
The following features are new in Prisma Access Agent 25.1.
Automatic Tunnel Restoration
Automatic tunnel restoration in Prisma Access Agents restores secure connections
after interruptions such as network disruptions or system sleep modes. This feature
operates in both Always On and On Demand connectivity modes. In Always On
mode, the Prisma Access Agent continuously attempts to maintain a
connection, while On Demand mode allows your users to control when to
connect or disconnect. The secure tunnel restoration process efficiently
decides whether to reconnect to the last known Prisma Access location or use
the best location. This feature is useful for mobile workers, remote
employees, and organizations requiring secure and stable network access. It
helps maintain productivity by reducing manual reconnection efforts and
minimizing downtime across various network conditions and device states.
Disable the Prisma Access Agent
You can give your end users the flexibility to temporarily disable the Prisma
Access Agent when necessary. You can configure this feature on a per-user
or user group basis, giving you granular control over who has the ability to
disable the agent. When configured, users can conveniently disable and re-enable
the agent through the Prisma Access Agent app.
This feature is useful in environments where other secure access solutions
coexist, such as the GlobalProtect app. After disabling the Prisma Access Agent,
your users will be able to switch to the GlobalProtect app without interference.
This feature is compatible with various connection methods, including Always On
and On Demand modes, and is compatible with the anti-tamper feature, which
prevents an unauthorized user from tampering with the agent. By enabling this
feature, you allow your users to manage their secure access connections more
effectively while maintaining overall security and control.
Forwarding Profiles Configuration Validator
The Forwarding Profiles Setup page provides a forwarding profiles configuration
validator for destination domains, which validates the FQDN and IP address values
that you enter. This ensures that the values you enter are valid and follow
predefined standards, which is essential for preventing misconfigurations that
could lead to system failures, security vulnerabilities, or degraded performance.
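To make concrete what "valid and follows predefined standards" means for a destination entry, here is an added example validator written for this page; it is not the Prisma Access Agent's own validator and does not reproduce its rules. It applies the RFC 1123 hostname label rules (1 to 63 alphanumeric-or-hyphen characters per label, no leading or trailing hyphen, 253 characters total) and uses Python's ipaddress module for IPv4/IPv6 literals; the sample entries at the bottom are constructed.

```python
import ipaddress
import re

# RFC 1123 hostname label: 1-63 chars of [A-Za-z0-9-], not starting or ending with '-'.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_ip(value: str) -> bool:
    """True if value is a syntactically valid IPv4 or IPv6 address literal (no CIDR mask)."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_valid_fqdn(value: str) -> bool:
    """True if value is a well-formed fully qualified domain name (at least two labels)."""
    # A single trailing dot marks an absolute name and is accepted.
    name = value[:-1] if value.endswith(".") else value
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if len(labels) < 2:  # bare host names such as "intranet" are not FQDNs
        return False
    if not all(_LABEL_RE.match(label) for label in labels):
        return False
    if labels[-1].isdigit():  # an all-numeric top-level label is not a valid TLD (RFC 3696)
        return False
    return True


def classify_destination(value: str) -> str:
    """Classify one forwarding-profile destination as 'ip', 'fqdn', or 'invalid'."""
    v = value.strip()
    if is_valid_ip(v):
        return "ip"
    if is_valid_fqdn(v):
        return "fqdn"
    return "invalid"


def validate_destinations(entries):
    """Map each destination entry to its classification so invalid ones can be rejected before save."""
    return {entry: classify_destination(entry) for entry in entries}


if __name__ == "__main__":
    # Constructed sample entries (hypothetical, for illustration only).
    sample = ["10.0.0.1", "2001:db8::1", "app.example.com", "-bad.example.com",
              "10.0.0.256", "10.0.0.0/24", "bad_host.example.com"]
    for entry, verdict in validate_destinations(sample).items():
        print(f"{entry!r}: {verdict}")
```

Note that "10.0.0.256" is rejected twice over: it is not an IP literal, and read as a hostname its last label is all-numeric. A CIDR prefix such as "10.0.0.0/24" is also rejected, because this validator, like the page's description, accepts single FQDN and IP address values rather than networks.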
NGFW Support for Prisma Access Agent
NGFW Support for Prisma Access Agent enables organizations that use NGFW to adopt
and manage Prisma Access Agents.
This feature enhances secure access management while maintaining compatibility
with existing authentication methods and NGFW setups, offering a smooth
transition path to advanced Prisma Access Agent capabilities.
Optimized Prisma Access Agent MTU
Your organization might face challenges with agent connections traversing
multiple ISPs and network hops, resulting in varying MTU values lower than the
standard 1500 bytes. This situation can lead to excessive fragmentation,
additional overhead, lower throughput, and dropped packets, ultimately causing
poor performance and user frustration. Manual configuration of optimal MTU in
such diverse environments is time-consuming, repetitive, and not scalable.
The optimized Prisma Access Agent MTU feature addresses these pain points by
automatically determining and applying the optimal maximum transmission unit
(MTU) size for agent connections. Optimized MTU is enabled by default in Prisma
Access Agent to help improve connection stability and performance without manual
intervention across various network conditions. This feature supports IPv4
tunnels and is compatible with IPSec and SSL tunnel protocols. It's valuable for organizations
with remote users connecting through different ISPs or those frequently
encountering MTU-related connectivity issues. By utilizing this feature, you can
expect improved network throughput, reduced packet fragmentation, fewer
retransmissions, enhanced end-user experience, increased productivity, and a
decrease in support escalations related to connection performance issues.
Although optimized MTU is enabled by default for all Prisma Access Agents, you
can manually configure and override the PMTU value if needed.
Panorama Support for Prisma Access Agent
Panorama Support for Prisma Access Agent enables you to manage and configure
Prisma Access Agents on
Strata Cloud Manager while continuing to use Panorama for your Prisma Access
deployment. This feature allows Panorama Managed Prisma Access customers to
utilize Prisma Access Agents without migrating to the Strata Cloud Manager
management interface. You can configure agent behavior, forwarding profiles,
authentication methods, and infrastructure settings specific to Prisma Access
Agents through Strata Cloud Manager. The feature supports both Prisma Access
gateways and on-premises gateways, allowing you to manage Prisma Access Agent
configurations across your hybrid deployments. You can take advantage of the
advanced security capabilities of the Prisma Access Agent while maintaining your
current Panorama-based management approach.
By using this feature, you can enhance your security posture with Prisma Access
Agents while preserving your investment in Panorama and maintaining operational
continuity.