The following sections describe the new features that are available with Prisma
Access 4.1 Preferred.
Prisma Access on the New Strata Cloud Manager Platform
Prisma Access is now supported on the new Strata Cloud Manager platform. We'll be
updating Prisma Access so that it is on the Strata Cloud Manager platform,
alongside your other Palo Alto Networks products and subscriptions that are
supported for unified management. If you've been using the Prisma Access app for
Prisma Access Cloud Management or for Prisma Access monitoring and visibility
features (including Autonomous DEM, Insights, and Activity dashboards and
reports), the update to Strata Cloud Manager introduces a new management and
visibility experience.
Introducing Strata Cloud Manager: The AI-Powered Network Security Platform
Palo Alto Networks Strata Cloud Manager is the new AI-powered network security
management and operations platform. With Strata Cloud Manager, you can manage and
monitor your Palo Alto Networks network security infrastructure (your NGFWs and
SASE environment) from a single, streamlined user interface. This new cloud
management experience gives you:
Shared policy for SASE and your NGFWs, and a unified view into
security effectiveness.
AI-Powered ADEM for Prisma SASE; this new Prisma Access add-on
license automates complex IT operations, to increase productivity and reduce
time to resolution for issues.
Best practice recommendations and workflows to strengthen security
posture and eliminate risk.
A common alerting framework that identifies network disruptions, so
you can maintain optimal health and performance.
Enhanced user experience, with contextual and interactive use-case
driven dashboards and license-aware data enrichment.
High-Bandwidth Private App Access with Colo-Connect
Learn how you can create a high-bandwidth connection to access private apps in Prisma
Access using Colo-Connect.
Does your organization require high-bandwidth (more than 10 Gbps) access between its
network infrastructure and Prisma Access at multiple locations as part of your hybrid
multicloud strategy? Perhaps you’ve thought about aggregating multiple service
connections to achieve high bandwidth, but you’re concerned about scalability. If so,
Colo-Connect has you covered.
Today, large enterprises are building Colo-based performance hubs to reach private
applications in hybrid, multicloud architectures because of the high-bandwidth and
low-latency requirements. Typically, these hubs include interconnects to one or more
cloud providers and connections to the on-premises data centers over a private or leased
WAN. Performance hubs can route traffic between the public cloud and on-premises
infrastructure at high speed, and are resilient because of the underlying interconnect
infrastructure.
Colo-Connect builds on the Colo-based performance hub concept, offering high-bandwidth
(10-20 Gbps), low-latency, seamless Layer 2/3 connectivity to Prisma Access from
existing performance hubs. The following figure shows Prisma Access being onboarded
in a GCP instance using service connections and cloud interconnects. This setup limits
exposure to the internet and allows the use of private connections for private
application connectivity.
With Colo-Connect, you use Prisma Access to secure private apps over a cloud
interconnect that provides high-bandwidth service connections with the following
capabilities:
High bandwidth (up to 20 Gbps) throughput per region for private
application access
Support for multiple VLAN attachments (up to 20) per interconnect
link
Redundant connectivity support per region
Third-Party Device-ID in Prisma Access
Use Prisma Access and the Cloud Identity Engine to configure third-party Device-ID
for third-party IoT devices.
You can use the Cloud Identity Engine along with Prisma Access to apply information from
third-party IoT detection sources, which simplifies identifying and closing security
gaps for devices in your network. After you set up Third-Party Device-ID in the
Cloud Identity Engine using an API, you create a device object and a security policy
rule in Prisma Access that use the device information the Cloud Identity Engine
obtains from the third-party IoT visibility solution, giving you device visibility
and control.
In the following figure, the Third-Party Device-ID service receives the device
information from the third-party IoT solutions, which it then transmits as IP
address-to-device mappings to the Cloud Identity Engine and the Prisma Access Security
Processing Nodes (SPNs).
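The data flow above reduces to two tables and a lookup: the IP-address-to-device mappings that the IoT source supplies, and a device object that a policy rule matches against the attributes found for the flow's source IP. The following added example (not Cloud Identity Engine or Prisma Access code) models that lookup in Python. The IoT feed, the device objects, the rules, the hypothetical staleness limit and all addresses are constructed; the real service's API and aging behaviour are not shown here.

```python
"""Added example (not Cloud Identity Engine or Prisma Access code): models how
IP-address-to-device mappings learned from a third-party IoT feed drive a
device-object match in a security policy rule. The feed, the device objects,
the rules and the staleness limit are constructed assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class DeviceInfo:
    vendor: str
    category: str
    os: str


# Constructed third-party IoT feed: what a discovery product might export.
# "last_seen" is epoch seconds; the entry for 10.1.1.99 is two hours old.
NOW = 1_700_000_000
IOT_FEED = [
    {"ip": "10.1.1.20", "vendor": "Philips", "category": "Medical", "os": "Embedded", "last_seen": NOW - 60},
    {"ip": "10.1.1.21", "vendor": "Axis", "category": "Camera", "os": "Linux", "last_seen": NOW - 30},
    {"ip": "10.1.1.99", "vendor": "Acme", "category": "Medical", "os": "Embedded", "last_seen": NOW - 7200},
]


def build_ip_device_map(feed, now, max_age_s):
    """IP -> DeviceInfo. Entries older than max_age_s are dropped: an IP-keyed
    mapping is only as good as its freshness, because DHCP churn can hand the
    address to a different device (the age limit is an assumption of this model)."""
    mapping = {}
    for rec in feed:
        if now - rec["last_seen"] > max_age_s:
            continue
        mapping[ip_address(rec["ip"])] = DeviceInfo(rec["vendor"], rec["category"], rec["os"])
    return mapping


@dataclass(frozen=True)
class DeviceObject:
    """A device object: every attribute that is set must match the mapped device."""
    name: str
    category: Optional[str] = None
    vendor: Optional[str] = None
    os: Optional[str] = None

    def matches(self, dev: DeviceInfo) -> bool:
        return all(want is None or want == got
                   for want, got in ((self.category, dev.category),
                                     (self.vendor, dev.vendor),
                                     (self.os, dev.os)))


@dataclass(frozen=True)
class Rule:
    name: str
    source_device: Optional[DeviceObject]  # None = any source
    destination: str                       # CIDR
    application: str                       # "any" or an application name
    action: str


MEDICAL = DeviceObject("medical-devices", category="Medical")
CAMERAS = DeviceObject("ip-cameras", category="Camera")
RULES = [
    Rule("allow-medical-to-pacs", MEDICAL, "10.9.0.0/24", "dicom", "allow"),
    Rule("deny-medical-other", MEDICAL, "0.0.0.0/0", "any", "deny"),
    Rule("allow-cameras-to-nvr", CAMERAS, "10.9.1.0/24", "rtsp", "allow"),
]


def evaluate(rules, ip_map, src_ip, dst_ip, app):
    """First-match evaluation. An unmapped or stale source matches no device
    object, so device-scoped rules never fire for it and the default deny applies."""
    dev = ip_map.get(ip_address(src_ip))
    for rule in rules:
        if rule.source_device is not None and (dev is None or not rule.source_device.matches(dev)):
            continue
        if ip_address(dst_ip) not in ip_network(rule.destination):
            continue
        if rule.application not in ("any", app):
            continue
        return rule.name, rule.action
    return "default", "deny"


IP_MAP = build_ip_device_map(IOT_FEED, NOW, max_age_s=3600)

if __name__ == "__main__":
    for flow in (("10.1.1.20", "10.9.0.5", "dicom"), ("10.1.1.20", "198.51.100.9", "web-browsing"),
                 ("10.1.1.99", "10.9.0.5", "dicom")):
        print(flow, "->", evaluate(RULES, IP_MAP, *flow))
```

The point the stale entry makes is the practitioner's check for any IP-keyed mapping: a device-object rule is only as trustworthy as the freshness of the mapping behind it, so confirm how your IoT source and the Cloud Identity Engine age out entries before you write an allow rule on a device category.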
Traffic Mirroring and PCAP Support
Use Prisma Access to save and download PCAP files for forensics and analysis.
Prisma Access secures your traffic in real time based on traffic inspection, threat
analysis, and security policies. While you can review Prisma Access logs for security
events, your organization might need to save packet capture (PCAP) files for forensic and
analytical purposes, for example:
You need to examine your traffic using industry-specific or privately developed
monitoring and threat tools in your organization and those tools require PCAPs
for additional content inspection, threat monitoring, and troubleshooting.
After an intrusion attempt or the detection of a new zero-day threat, you need to
preserve and collect PCAPs for forensic analysis both before and after the
attempt. After you analyze the PCAPs and determine the root cause of the
intrusion event, you could then create a new policy or implement a new security
posture.
Your organization needs to download and archive PCAPs for a specific period of time
and retrieve as needed for legal or compliance requirements.
Your organization requires PCAPs for network-level troubleshooting (for example,
your networking team requires data at a packet level to debug application
performance or other network issues).
To accomplish these objectives, you can enable traffic replication, which uses the Prisma
Access cloud to replicate traffic and encrypt the PCAP files using your organization's
encryption certificates. To store the PCAP files, you create a GCP service account, which
Prisma Access uses to store the PCAP files. Because the files are encrypted to your
certificates, only holders of the matching private key can read them; keep that key
separate from the storage location and from the accounts that can download the captures.
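The second use case above, preserving the packets before and after an intrusion attempt, is what an analyst does with a downloaded capture once it is decrypted. The following added example (not Prisma Access code) carves a time window around an event timestamp out of a classic libpcap file and records a SHA-256 digest of the carved file for chain of custody; it handles both byte orders and both timestamp precisions of the format and refuses truncated files rather than silently returning partial data. The packets, timestamps and event time are constructed sample data.

```python
"""Added example (not Prisma Access code): carve the packets surrounding an
intrusion event out of an archived PCAP and compute an integrity digest of
the carved file. Uses the classic libpcap file format; all packets and the
event timestamp are constructed sample data."""
import hashlib
import struct

PCAP_MAGIC_US = 0xA1B2C3D4  # microsecond-resolution timestamps
PCAP_MAGIC_NS = 0xA1B23C4D  # nanosecond-resolution timestamps
LINKTYPE_ETHERNET = 1
GLOBAL_HDR = 24
RECORD_HDR = 16


def build_pcap(packets, endian="<", magic=PCAP_MAGIC_US):
    """Serialise (timestamp_seconds, payload) tuples as a pcap file."""
    units = 1_000_000_000 if magic == PCAP_MAGIC_NS else 1_000_000
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype
    out = bytearray(struct.pack(endian + "IHHiIII", magic, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, payload in packets:
        sec = int(ts)
        frac = int(round((ts - sec) * units))
        out += struct.pack(endian + "IIII", sec, frac, len(payload), len(payload))
        out += payload
    return bytes(out)


def iter_records(data):
    """Yield (timestamp_seconds, payload). Byte order and precision are taken
    from the magic; a file that ends mid-record raises instead of yielding a
    partial packet, so a truncated download is never mistaken for a complete one."""
    if len(data) < GLOBAL_HDR:
        raise ValueError("truncated pcap global header")
    endian = None
    for candidate in ("<", ">"):
        magic = struct.unpack(candidate + "I", data[:4])[0]
        if magic in (PCAP_MAGIC_US, PCAP_MAGIC_NS):
            endian = candidate
            break
    if endian is None:
        raise ValueError("not a pcap file (bad magic)")
    divisor = 1e9 if magic == PCAP_MAGIC_NS else 1e6
    off = GLOBAL_HDR
    while off < len(data):
        if off + RECORD_HDR > len(data):
            raise ValueError("truncated record header at offset %d" % off)
        sec, frac, incl_len, _orig_len = struct.unpack(endian + "IIII", data[off:off + RECORD_HDR])
        off += RECORD_HDR
        if off + incl_len > len(data):
            raise ValueError("truncated packet data at offset %d" % off)
        yield sec + frac / divisor, data[off:off + incl_len]
        off += incl_len


def carve_window(data, event_ts, before_s, after_s):
    """Return a new pcap holding only packets within [event - before, event + after]."""
    lo, hi = event_ts - before_s, event_ts + after_s
    kept = [(ts, pkt) for ts, pkt in iter_records(data) if lo <= ts <= hi]
    return build_pcap(kept)


def sha256_hex(data):
    """Digest to record beside the archived file so later tampering is detectable."""
    return hashlib.sha256(data).hexdigest()


# Constructed sample: five frames (dummy 14-byte Ethernet header plus a marker);
# the frame at t=101.0 stands in for the flow the IPS flagged.
FRAME = b"\x00" * 14
SAMPLE_PACKETS = [
    (100.0, FRAME + b"normal-1"),
    (100.5, FRAME + b"normal-2"),
    (101.0, FRAME + b"exploit-attempt"),
    (102.0, FRAME + b"post-exploit"),
    (110.0, FRAME + b"unrelated"),
]
SAMPLE_PCAP = build_pcap(SAMPLE_PACKETS)

if __name__ == "__main__":
    carved = carve_window(SAMPLE_PCAP, event_ts=101.0, before_s=1.0, after_s=1.0)
    print(len(list(iter_records(carved))), "packets kept; sha256", sha256_hex(carved))
```

Record the digest at the moment the capture is retrieved, before any tool touches it; a digest computed later only proves the file has not changed since the digest, not that it matches what Prisma Access wrote.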
Service Provider Backbone Integration
Learn about how service providers can use their backbone in Prisma Access.
Prisma Access can integrate with a service provider (SP) backbone, which allows you (the
SP) to assign specific region and egress internet capabilities to your tenants,
providing more granular control over the Prisma Access egress traffic.
Transparent SafeSearch Support
Learn how to use FQDN-to-IP address mapping to implement SafeSearch in your Prisma
Access deployment.
Prisma Access allows you to resolve mobile users' search engine queries to the engine's
SafeSearch portal by performing an FQDN-to-IP mapping. This functionality can be useful
if you have guest internet services at your organization and you want your guests to
safely use search engines, preventing them from searching for potentially inappropriate
or offensive material that could be against company policy.
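The mechanism is a DNS answer rewrite: a query for the engine's normal hostname is answered with the address of the engine's SafeSearch enforcement hostname, so the client connects to the restricted portal with no client-side setting. The following added example (not Prisma Access code) implements that mapping as a resolver shim in Python. It assumes the enforcement hostnames the engines publish for DNS-based enforcement (forcesafesearch.google.com, strict.bing.com, safe.duckduckgo.com) and a partial list of Google country hostnames; every IP address in it is a constructed documentation-range value, not a real one, which a deployment resolves upstream.

```python
"""Added example (not Prisma Access code): transparent SafeSearch by
FQDN-to-IP mapping. Hostnames of the enforcement portals are assumptions
based on what the engines publish; all addresses are constructed."""
from dataclasses import dataclass
from typing import Callable, Optional

# Search hostname to rewrite -> SafeSearch enforcement hostname. Google uses one
# www.google.<tld> host per country; a few are listed here and a real deployment
# completes the list for the TLDs its users reach.
SAFESEARCH_MAP = {}
for _tld in ("com", "co.uk", "de", "fr", "co.jp"):
    SAFESEARCH_MAP["www.google." + _tld] = "forcesafesearch.google.com"
SAFESEARCH_MAP.update({
    "www.bing.com": "strict.bing.com",
    "bing.com": "strict.bing.com",
    "duckduckgo.com": "safe.duckduckgo.com",
    "www.duckduckgo.com": "safe.duckduckgo.com",
})

# Constructed upstream answers (RFC 5737 documentation ranges), standing in for
# a real recursive resolver.
UPSTREAM = {
    "forcesafesearch.google.com": "192.0.2.10",
    "strict.bing.com": "192.0.2.11",
    "safe.duckduckgo.com": "192.0.2.12",
    "www.google.com": "198.51.100.10",
    "mail.google.com": "198.51.100.20",
    "www.bing.com": "198.51.100.11",
    "duckduckgo.com": "198.51.100.12",
    "www.example.net": "203.0.113.5",
}


@dataclass(frozen=True)
class Answer:
    qname: str                   # normalised query name
    ip: Optional[str]            # None models NXDOMAIN
    rewritten_to: Optional[str]  # enforcement hostname, or None if untouched


def normalise(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def resolve(qname: str, upstream: Callable[[str], Optional[str]] = UPSTREAM.get) -> Answer:
    """Answer a query, substituting the enforcement host's address for a
    mapped search hostname. Hosts not in the map (mail.google.com, any
    non-search site) pass through to the upstream answer unchanged."""
    name = normalise(qname)
    target = SAFESEARCH_MAP.get(name)
    if target is None:
        return Answer(name, upstream(name), None)
    # The client still believes it is talking to www.google.com and connects
    # to this address; the engine serves that address in restricted mode.
    return Answer(name, upstream(target), target)


if __name__ == "__main__":
    for q in ("WWW.Google.COM.", "mail.google.com", "www.bing.com", "www.example.net"):
        print(q, "->", resolve(q))
```

Two limits follow from the design: it only governs clients that use this resolver, so a browser doing its own DNS over HTTPS or a hard-coded address bypasses it, and it only works for the hostnames the engine serves in restricted mode on that address, which is why the published enforcement hostnames are used rather than an address of your choosing.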
Private IP Visibility and Enforcement for Explicit Proxy Traffic Originating from Remote
Networks
Learn how to preserve the source IP address for Explicit Proxy traffic originating
from remote networks.
You can now use the private IP addresses of the systems in your branch locations
that forward traffic to Explicit Proxy in Proxy mode. With the private IP address
preserved, you can skip authentication for headless systems that can't authenticate,
write security policy rules that match on it, and get visibility into that traffic on
Prisma Access Explicit Proxy. You can enable this functionality when you secure users
and devices at a branch with a site-to-site IPSec tunnel using Remote Network and
Explicit Proxy Security Processing Nodes (SPNs).
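The reason the preserved private address matters is visible in the authentication exemption it enables: an exemption keyed on a branch's private range only exempts the headless hosts in that range, whereas without preservation every branch host arrives from the tunnel endpoint's single address and an exemption on that address would exempt the whole branch from authentication. The following added example (not Prisma Access code) models the proxy's decision and the configuration check that rejects a non-private exemption; the exemption range, the tunnel address and the requests are constructed.

```python
"""Added example (not Prisma Access code): the authentication and policy
decision an explicit proxy can make once the branch client's private source
IP is preserved across the remote-network tunnel, plus a configuration check
that refuses to exempt an address shared by many hosts. All values constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed: printers and scanners at the branch cannot complete the proxy
# authentication flow, so they are exempted by their private address range.
HEADLESS_EXEMPT = ["10.20.5.0/24"]
# Constructed: public address of the branch's tunnel endpoint. If the private
# IP were NOT preserved, every branch host would appear as this address.
BRANCH_TUNNEL_IP = "203.0.113.77"


@dataclass(frozen=True)
class ProxyRequest:
    src_ip: str          # source address as seen by the proxy
    host: str            # CONNECT or absolute-URI target
    user: Optional[str]  # identity from a completed proxy authentication, if any


def validate_exemptions(cidrs):
    """Parse exemption ranges and refuse any that are not RFC 1918 space: a
    public or tunnel-endpoint address is shared by every host behind it, so
    exempting it would exempt the whole branch from authentication."""
    nets = [ip_network(c) for c in cidrs]
    for net in nets:
        if not any(net.subnet_of(priv) for priv in RFC1918):
            raise ValueError(f"exemption {net} is not a private range; refusing to bypass auth for it")
    return nets


EXEMPT_NETS = validate_exemptions(HEADLESS_EXEMPT)


def decide(req: ProxyRequest, exempt=EXEMPT_NETS) -> Tuple[str, Optional[str]]:
    """Returns (verdict, identity). Verdicts: "allow" or "auth-required".
    Exempt headless hosts are logged by private IP; everyone else must authenticate."""
    src = ip_address(req.src_ip)
    if any(src in net for net in exempt):
        return "allow", f"device:{src}"
    if req.user:
        return "allow", f"user:{req.user}"
    return "auth-required", None  # proxy answers 407 and starts authentication


if __name__ == "__main__":
    print(decide(ProxyRequest("10.20.5.9", "updates.example.com", None)))
    print(decide(ProxyRequest("10.20.7.3", "intranet.example.com", None)))
    print(decide(ProxyRequest(BRANCH_TUNNEL_IP, "updates.example.com", None)))
    try:
        validate_exemptions([BRANCH_TUNNEL_IP + "/32"])
    except ValueError as err:
        print("rejected:", err)
```

The request arriving from BRANCH_TUNNEL_IP in the demo is what a headless printer looks like when the private IP is not preserved: it cannot authenticate, it is not in the exemption range, and it is stuck at auth-required, which is the condition this feature removes.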
New and Remapped Prisma Access Locations and Compute Locations
Learn about new and remapped locations and compute locations for Prisma Access 4.1.
New Compute Locations: The following new compute locations are added, and the
following locations are moved to these compute locations:
Europe North (Stockholm): The new Sweden location is added to this compute location.
Middle-East Central (UAE): The United Arab Emirates location is moved to this compute location.
Middle-East Central (Qatar): The new Qatar location is added to this compute location.
New Prisma Access Locations: The following new Prisma Access locations are added:
Sweden
Kazakhstan
Qatar
Senegal
Remapped Prisma Access Locations: To better optimize the performance of Prisma
Access, the following locations have been remapped to new compute locations:
Ecuador: Remapped from the US Central compute location to the US Southeast compute location
Jordan: Remapped from the Europe Central compute location to the Europe South compute location
New deployments have the new remapping applied automatically. If you have an
existing Prisma Access deployment that uses one of these locations and you want
to take advantage of the remapped compute location, follow the procedure to
add a new compute location to a deployed Prisma Access location.