New Features - Prisma Access - 4.0 Preferred
Integrate Prisma Access with Cisco Meraki SD-WAN
Onboarding Cisco Meraki MX SD-WAN devices to Prisma® Access previously required manual tunnel configuration, which was time-consuming and error-prone for large deployments. You can now secure Cisco Meraki MX SD-WAN devices using Prisma Access Cloud Management with simplified and automated tunnel creation, eliminating the need for manual onboarding.
This integration uses the Meraki API to automate the discovery and configuration of IPSec tunnels between Meraki MX devices and Prisma Access, reducing deployment time and ensuring consistent configuration across all Meraki SD-WAN locations. As your SD-WAN estate grows, new Meraki sites can be onboarded quickly without requiring manual intervention for each tunnel.
New and Renamed Prisma Access Compute Locations
To optimize Prisma® Access performance for users in Central Europe and the central United States, the following compute location updates are made:
- (Remapped) Poland—The Poland location moves to the Europe Central (Warsaw) compute location.
- (New) US Central West—The new US Central West location uses the US Central West compute location.
New deployments have these remappings applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location.
New and Updated Prisma Access Locations
To better accommodate worldwide Prisma® Access deployments and provide enhanced local coverage, the following new locations are added:
- Ghana—Added to the Europe Northwest compute location.
- Guatemala—Added to the US East compute location.
- Latvia—Added to the Belgium compute location.
- US Central West—Added to the new US Central West compute location.
- Uruguay—Added to the South America West compute location.
- Uganda—Added to the Switzerland compute location.
New Explicit Proxy Locations
Prisma® Access users in regions not previously supported by Explicit Proxy had to rely on other connectivity methods or accept suboptimal proxy performance due to geographic distance from available proxy egress points. Prisma Access now supports the following new Explicit Proxy locations:
- US Central West
- Poland
- Israel
These additions extend the geographic reach of Prisma Access Explicit Proxy, enabling users in those regions to connect to a nearby proxy egress point for improved performance and lower latency when accessing internet resources through Prisma Access.
New Prisma Access Locations with Local Zones
Prisma® Access adds locations in local zones, each with their own dedicated compute locations to provide lower-latency connectivity. The following local zone locations are supported:
- Australia West (Perth)
- US-Central (Chicago)
- US-Southeast (Miami)
You onboard local zones the same way as any other Prisma Access location, and the local zones are available for Mobile Users—GlobalProtect, Remote Network, and Service Connection deployments. Local zone locations are denoted with two asterisks in Panorama Managed deployments and as a Local Zone in Cloud Managed deployments.
Keep in mind the following when deploying local zones:
- Local zone locations do not support IPv6.
- Local zone locations do not use Palo Alto Networks registered IP addresses; as a result, 1 Gbps remote network support is not available in local zones.
- Remote network and service connection node redundancy across availability zones is not available when both nodes are in the same local zone.
- Some SaaS applications might experience higher latency in local zones compared to non-local zone locations.
Outbound Route Prefixes Increased to 500
Large-scale Prisma® Access deployments with many service connections and remote network connections were previously constrained by a limit on the number of outbound route prefixes, restricting routing flexibility. When you specify the prefixes for which Prisma Access adds static routes across all service connections and remote network connections, you can now specify up to 500 outbound routes for Panorama Managed Prisma Access deployments. Traffic for the prefixes you specify is routed over the internet.
This increase was added to Panorama Managed Prisma Access with the 4.0.0-h20 Cloud Services plugin. Note that Cloud Managed Prisma Access deployments continue to support a maximum of 10 outbound routes.
PAN-OS 10.2 Support
Prisma® Access now supports PAN-OS® 10.2, enabling you to take advantage of the latest security capabilities in your Prisma Access deployment. Review the PAN-OS 10.2 Upgrade Considerations before upgrading your dataplane or Panorama® to 10.2. PAN-OS 10.2 includes the following new features available in Prisma Access:
- Management: Selective commit of configuration changes
- Policy: Security policy rule top-down order when wildcard masks overlap
- Content inspection: Advanced Threat Prevention Inline Cloud Analysis and Domain Fronting Detection
- Decryption: Multiple certificate support for SSL inbound inspection
- URL filtering: Inline deep learning analysis for Advanced URL Filtering and HTTP header expansion
- Enterprise DLP: Web form data inspection
You must have a Panorama appliance running 10.2 to take advantage of PAN-OS 10.2 features in Prisma Access.
Prisma Access on the Strata Cloud Manager Platform
Managing Prisma® Access separately from your other Palo Alto Networks products created fragmented visibility and required switching between multiple management consoles. Prisma Access is now supported on the Strata™ Cloud Manager platform, placing it alongside your other Palo Alto Networks products and subscriptions in a single unified management experience.
If you have been using the Prisma Access app for Cloud Management or for monitoring and visibility features—including Autonomous DEM, Insights, and Activity dashboards and reports—the update to Strata Cloud Manager gives you a new management and visibility experience. Key resources to help with the transition include:
Support for 15,000 Branch Sites in a Single Tenant
Global enterprises and managed service providers with very large branch office footprints needed a platform that could accommodate their full scale within a unified security framework. Prisma® SASE now supports up to 15,000 branch sites in a single tenant, enabling distributed global enterprises to manage their entire branch network from one place without splitting across multiple tenants.
If your deployment requires more than 15,000 branch sites, you can take advantage of Prisma SASE's multi-tenant capability, which is built for distributed global enterprises and managed service providers (MSPs) with support for an effectively unlimited number of remote users across tenants.
Support for 15,000 Remote Network Sites
You can create up to 15,000 Remote Networks to secure branch sites with Prisma Access.
Support for 400 Remote Network Sites per IPSec Termination Node
Prisma Access 3.2 brought you high-bandwidth 1 Gbps remote networks. Now, Prisma Access 4.0 raises the previous limit of 250 sites per IPSec termination node to 400 sites per IPSec termination node.
Support for RFC 6598 Addresses in Prisma Access Infrastructure IP Addresses
Enterprises that use RFC 6598 (100.64.0.0/10) shared address space as part of their enterprise routable address space can now use that address space in Prisma® Access infrastructure IP configurations. RFC 6598 support applies to the following infrastructure address types:
- Infrastructure subnet IP addresses
- IP address pools
- Static subnets for service connections and remote networks
- Secure inbound access, overlapping subnets, and traffic steering configurations
To enable RFC 6598 address support, reach out to your Palo Alto Networks account representative or partner. Note that Clientless VPN is not supported with RFC 6598 addresses, and implementing this support means you can no longer use the 169.254.0.0/16 subnet for infrastructure addresses. You also cannot specify Outbound Routes for the Service for service connections that use RFC 6598 addresses.
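A small pre-change validator for the constraints just listed, added here as an example (it is not Palo Alto Networks code): it uses Python's ipaddress module to classify proposed infrastructure subnets against 100.64.0.0/10 and flags the caveats above. The address-type keys and the outbound_routes parameter are assumed names, not product configuration fields.

```python
import ipaddress

# RFC 6598 shared space, and the link-local block the page says is no longer
# usable for infrastructure addresses once RFC 6598 support is enabled.
RFC6598_SHARED = ipaddress.ip_network("100.64.0.0/10")
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")


def classify(cidr):
    """Place one CIDR relative to the RFC 6598 and link-local ranges."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.version != 4:
        return "ipv6"
    if net.subnet_of(RFC6598_SHARED):
        return "rfc6598"
    if net.overlaps(RFC6598_SHARED):
        return "straddles_rfc6598"  # e.g. 100.0.0.0/8 spills outside 100.64/10
    if net.subnet_of(LINK_LOCAL):
        return "link_local"
    return "other"


def check_plan(plan, rfc6598_enabled, clientless_vpn=False, outbound_routes=()):
    """Return (severity, message) findings for a proposed address plan.
    plan maps a constructed address-type key ("infrastructure_subnet",
    "ip_pools", "static_subnets") to CIDRs; outbound_routes (hypothetical
    parameter) are Outbound Routes for the Service on service connections."""
    findings = []
    uses_rfc6598 = rfc6598_in_static = False
    for addr_type, cidrs in plan.items():
        for cidr in cidrs:
            kind = classify(cidr)
            if kind == "rfc6598":
                uses_rfc6598 = True
                rfc6598_in_static |= addr_type == "static_subnets"
                if not rfc6598_enabled:
                    findings.append(("error", f"{addr_type} {cidr}: RFC 6598 space "
                                     "requires enablement by your account representative"))
            elif kind == "straddles_rfc6598":
                findings.append(("error", f"{addr_type} {cidr}: partially overlaps "
                                 "100.64.0.0/10; use a subnet fully inside or outside it"))
            elif kind == "link_local" and rfc6598_enabled:
                findings.append(("error", f"{addr_type} {cidr}: 169.254.0.0/16 is not "
                                 "usable once RFC 6598 support is enabled"))
    if uses_rfc6598 and clientless_vpn:
        findings.append(("error", "Clientless VPN is not supported with RFC 6598 addresses"))
    if rfc6598_in_static and outbound_routes:
        findings.append(("error", "Outbound Routes for the Service cannot be set on "
                         "service connections that use RFC 6598 addresses"))
    return findings
```

Run it against a planned address layout before requesting enablement; an empty list means none of the page's stated restrictions are hit.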
Third-Party Data Source Support for Device-ID
Organizations that use third-party IoT visibility solutions have device intelligence that was previously not accessible for security policy enforcement in Prisma® Access. You can now leverage IP address-to-device mappings from third-party IoT detection sources to identify and close security gaps for devices in your network. Third-party Device-ID enables Prisma Access to obtain and use information from third-party IoT visibility solutions through the Cloud Identity Engine for device visibility and control.
This integration allows you to apply device-based security policies in Prisma Access without requiring all devices to be managed through a Palo Alto Networks solution. By bringing third-party device context into Prisma Access policy enforcement, you gain consistent security across your entire device fleet regardless of the discovery tool used.
ZTNA Connector
Providing secure access to private applications traditionally required complex IPSec tunnel setup and routing configuration, creating barriers to deployment and ongoing operational overhead. The Zero Trust Network Access (ZTNA) Connector lets you connect mobile users and users at branch locations to your organization's private apps simply and securely through an automated secure tunnel, eliminating the requirement to set up IPSec tunnels and routing definitions.
The ZTNA Connector does not require any routing from your customer infrastructure and can provide access to applications that use overlapping IP addresses in your networks. This makes it particularly valuable in complex multi-tenant or merged network environments where IP address conflicts would otherwise complicate private app access. Prisma® Access enforces zero trust principles for all connections through the ZTNA Connector, ensuring that only authorized users can access authorized applications.