New Features in Prisma Access 4.1

Prisma Access

New Features in Prisma Access 4.1

Table of Contents

New Features in Prisma Access 4.1

Where Can I Use This?
What Do I Need?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
  • Minimum Required Prisma Access Version
    4.1 Preferred

Prisma Access Application Name Update

November 18, 2023
The application tile name on the hub for Prisma Access is now changed to Strata Cloud Manager.
The application tile names on the hub for Prisma Access, Prisma SD-WAN, and AIOps for NGFW (the premium app only) are now changed to
Strata Cloud Manager
. With this update, the application URL has also changed to
, and you’ll also now see the
Strata Cloud Manager
logo on the left navigation pane.
Moving forward, continue using the Strata Cloud Manager app to manage and monitor your deployments.

Prisma Access on the New Strata Cloud Manager Platform

Prisma Access is now supported on the new Strata Cloud Manager platform. We'll be updating Prisma Access so that it is on the Strata Cloud Manager platform, alongside your other Palo Alto Networks products and subscriptions that are supported for unified management. If you've been using the Prisma Access app for Prisma Access Cloud Management or for Prisma Access monitoring and visibility features (including Autonomous DEM, Insights, and Activity dashboards and reports), the update to Strata Cloud Manager introduces a new management and visibility experience.
Learn more:
Introducing Strata Cloud Manager: The AI-Powered Network Security Platform
Palo Alto Networks Strata Cloud Manager is the new AI-Powered network security management and operations platform. With Strata Cloud Manager, you can easily manage and monitor your Palo Alto Networks network security infrastructure ━ your NGFWs and SASE environment ━ from a single, streamlined user interface. This new cloud management experience gives you:
  • Shared policy for SASE and your NGFWs, and a unified view into security effectiveness.
  • AI-Powered ADEM for Prisma SASE; this new Prisma Access add-on license automates complex IT operations, to increase productivity and reduce time to resolution for issues.
  • Best practice recommendations and workflows to strengthen security posture and eliminate risk.
  • A common alerting framework that identifies network disruptions, so you can maintain optimal health and performance.
  • Enhanced user experience, with contextual and interactive use-case driven dashboards and license-aware data enrichment.
Learn more about Strata Cloud Manager

High-Bandwidth Private App Access with Colo-Connect

Supported in:
  • Cloud Managed Prisma Access starting September 2023
  • Panorama Managed Prisma Access starting with release 4.1
Does your organization require high-bandwidth (more than 10 Gbps) access between its network infrastructure and Prisma Access at multiple locations as part of your hybrid multicloud strategy? Perhaps you’ve thought about aggregating multiple service connections to achieve high bandwidth, but you’re concerned about scalability. If so, Colo-Connect has you covered.
Today, large enterprises are building Colo-based performance hubs to reach private applications in hybrid, multicloud architectures because of the high-bandwidth and low-latency requirements. Typically, these hubs include interconnects to one or more cloud providers and connections to the on-premises data centers over a private or leased WAN. Performance hubs can route traffic between the public cloud and on-premises infrastructure at high speed, and are resilient because of the underlying interconnect infrastructure.
Colo-Connect builds on the Colo-based performance hub concept, offering high-bandwidth (10-20 Gbps) low-latency connections, seamless Layer 2/3 connectivity to Prisma Access from existing performance hubs. The following figure shows Prisma Access being onboarded in a GCP instance using service connections and cloud interconnects. This setup limits exposure to the internet and allows the use of private connections for private application connectivity.
Colo-Connect allows you to use Prisma Access to secure private apps using a cloud interconnect that can provide high-bandwidth service connections using the following capabilities:
  • High bandwidth (up to 20-Gbps) throughput per region for private application access
  • Support for
    Dedicated and Partner interconnects
    using Google Cloud Platform (GCP)
  • Support for multiple VLAN attachments (up to 20) per interconnect link
  • Redundant connectivity support per region

Third-Party Device-ID

Supported in:
  • Cloud Managed Prisma Access starting June 2023
  • Panorama Managed Prisma Access starting with release 4.1
You can use the Cloud Identity Engine along with Prisma Access to apply information from third-party IoT detection sources to simplify the task of identifying and closing security gaps for devices in your network. After you set up Third-Party Device-ID in the Cloud Identity Engine using an API, you can set up a device object and a security policy rule in Prisma Access to obtain and use information from third-party IoT visibility solutions through the Cloud Identity Engine for device visibility and control.
In the following figure, the Third-Party Device-ID service receives the device information from the third-party IoT solutions, which it then transmits as IP address-to-device mappings to the Cloud Identity Engine and the Prisma Access Security Processing Nodes (SPNs).

Traffic Replication and PCAP Support

Supported in:
  • Cloud Managed Prisma Access starting September 2023
  • Panorama Managed Prisma Access starting with release 4.1
Prisma Access secures your traffic in real time based on traffic inspection, threat analysis, and security policies. While you can view Prisma Access logs to view security events, your organization might have a requirement to save packet capture (PCAP) files for forensic and analytical purposes, for example:
  • You need to examine your traffic using industry-specific or privately-developed monitoring and threat tools in your organization and those tools require PCAPs for additional content inspection, threat monitoring, and troubleshooting.
  • After an intrusion attempt or the detection of a new zero-day threat, you need to preserve and collect PCAPs for forensic analysis both before and after the attempt. After you analyze the PCAPs and determine the root cause of the intrusion event, you could then create a new policy or implement a new security posture.
  • Your organization needs to download and archive PCAPs for a specific period of time and retrieve as needed for legal or compliance requirements.
  • Your organization requires PCAPs for network-level troubleshooting (for example, your networking team requires data at a packet level to debug application performance or other network issues).
To accomplish these objectives, you can enable traffic replication which uses the Prisma Access cloud to replicate traffic and encrypt PCAP files using your organization's encryption certificates. To store the PCAP files, you create a GCP service account, which Prisma Access uses as the storage location of the PCAP files.

Service Provider Backbone Integration

Supported in:
  • Cloud Managed Prisma Access starting June 2023
  • Panorama Managed Prisma Access starting with release 4.1
Prisma Access can integrate with a service provider (SP) backbone, which allows you (the SP) to assign specific region and egress internet capabilities to your tenants, providing more granular control over the Prisma Access egress traffic.

Transparent SafeSearch Support

Supported in:
  • Cloud Managed Prisma Access starting June 2023
  • Panorama Managed Prisma Access starting with release 4.2
Prisma Access allows you to resolve mobile users' search engine queries to the engine's SafeSearch portal by performing an FQDN-to-IP mapping. This functionality can be useful if you have guest internet services at your organization and you want your guests to safely use search engines, preventing them from searching for potentially inappropriate or offensive material that could be against company policy.

Private IP Visibility and Enforcement for Explicit Proxy Traffic Originating from Remote Networks

Supported in:
  • Cloud Managed Prisma Access starting June 2023
  • Panorama Managed Prisma Access starting with release 4.2
You can now leverage the private IP addresses of the systems in your branch locations that are forwarding traffic to Explicit Proxy using Proxy mode. You can use the private IP address to skip authentication of headless systems that can't authenticate, set up security policies, and get visibility of the traffic on Prisma Access Explicit Proxy.
You can enable this functionality when you secure users and devices at a branch with a site-to-site IPSec tunnel using Remote Network and Explicit Proxy Secure Processing Nodes (SPNs).

New and Remapped Prisma Access Locations and Compute Locations

Supported in:
  • Cloud Managed Prisma Access starting June 2023
  • Panorama Managed Prisma Access starting with release 4.2
The following location and compute location changes are made:
  • New Compute Locations
    —The following new compute locations are added, and the following locations are moved to these compute locations:
    • Europe North (Stockholm)
      —The new Sweden location is added to this compute location.
    • Middle-East Central (UAE)
      —The United Arab Emirates location is moved to this location.
    • Middle-East Central (Qatar)
      —The new Qatar location is added to this compute location.
  • New Prisma Access Locations
    —The following new Prisma Access locations are added:
    • Sweden
    • Kazakhstan
    • Qatar
    • Senegal
  • Remapped Prisma Access Locations
    —To better optimize performance of Prisma Access, the following locations have been remapped to the following compute locations:
    • Ecuador
      —Remapped from the US Central compute location to the US Southeast compute location
    • Jordan
      —Remapped from the Europe Central compute location to the Europe South compute location
    New deployments have the new remapping applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location.

Recommended For You