New Features in Prisma Access 5.0 and 5.0.1
Focus
Focus
Prisma Access

New Features in Prisma Access 5.0 and 5.0.1

Table of Contents

New Features in Prisma Access 5.0 and 5.0.1

Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • Minimum Required Prisma Access Version 5.0 Preferred or Innovation
The following sections describe the new features that are available with Prisma Access 5.0 and 5.0.1 Preferred and Innovation, in addition to infrastructure, plugin, and dataplane dependencies for these.

Recommended Software Versions for Prisma Access 5.0 and 5.0.1 Preferred and Innovation

There are two Prisma Access 5.0 and 5.0.1 versions:
  • 5.0 and 5.0.1 Preferred run a PAN-OS dataplane earlier than 10.2.8. If you're running Prisma Access 4.0, 4.1, or 4.2, a dataplane upgrade isn't required.
  • 5.0 and 5.0.1 Innovation run a minimum PAN-OS dataplane of 10.2.8 and unlock the features that are available with that dataplane.
For new Prisma Access 5.0 Innovation features, Palo Alto Networks recommends that you upgrade your Prisma Access deployment to the versions listed in this section before installing the plugin (note that the Prisma Access 5.0 release supports the same minimum requirements as Prisma Access 4.0). Also note that, for access to all features, you will need to upgrade your dataplane to a minimum version of 10.2.8, which is required for Prisma Access 5.0 Innovation.

Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.0 and 5.0.1 Preferred and Innovation Features

Prisma Access 5.0 and 5.0.1 features require one of more of the following components to function:
  • Infrastructure Upgrade—The infrastructure includes the underlying service backend, orchestration, and monitoring infrastructure. Prisma Access upgrades the infrastructure before the general availability (GA) date of a Prisma Access release.
    Features that require only an infrastructure upgrade to be enabled take effect for all Prisma Access deployments, regardless of version, at the time of the infrastructure upgrade.
  • Plugin Upgrade (Prisma Access (Managed by Panorama) Deployments Only)—Installing the 5.0 plugin activates the features that are available with both Prisma Access 5.0 and 5.0.1. You download and install the 5.0 plugin on the Panorama that manages Prisma Access.
  • Dataplane Upgrade—The dataplane enables traffic inspection and security policy enforcement on your network and user traffic.
    For Prisma Access (Managed by Panorama) deployments, you can view your dataplane version by going to PanoramaCloud ServicesConfigurationService Setup and viewing the Prisma Access Version.
This dataplane upgrade to 5.0 Innovation is optional, and is only required if you want to take advantage of the features that require a dataplane upgrade. For minimum Panorama and GlobalProtect versions, the Prisma Access 5.0 release supports the same versions as
Use this table to determine what features require an infrastructure, plugin, and dataplane upgrade. A check mark (√) indicates that an upgrade is required, a dash (—) indicates that it's not required.
FeatureInfrastructure Upgrade RequiredPlugin Upgrade RequiredDataplane Upgrade Required
5.0 Features:
Support for Strata Logging Service Switzerland Region
Strata Cloud Manager Support for Prisma Access China
Service Connection Identity Redistribution Management
ZTNA Connector Wildcard and FQDN Support for Applications and Additional Diagnostic Tools
BGP MRAI Configuration Support
Enhanced IoT Policy Recommendation Workflow for Strata Cloud Manager
Integrate Prisma Access with Microsoft Defender for Cloud Apps (minimum 10.2.4 dataplane required)
App Acceleration in Prisma Access
Upgrade to 5.0 Innovation required.
Remote Browser Isolation
Upgrade to 5.0 Innovation required.
Traffic Replication Remote Network and Strata Cloud Manager Support
Upgrade to 5.0 Innovation required.
Maximum of 500 Remote Networks Per Termination Node for 1 Gbps Remote Networks
Upgrade to 5.0 Innovation required.
Enhanced SaaS Tenants Control
Upgrade to 5.0 Innovation required.
5.0.1 Features:
License Enforcement for Mobile Users (Enhancements)
Saudi Arabia Compute Location
Native SASE Integration with Prisma SD-WAN
Normalized Username Formats
IP Optimization for Mobile Users—GlobalProtect Deployments (available for new customers only and minimum GlobalProtect app 6.1.4+, 6.2.3+, or 6.3+ version required for endpoints)
App Acceleration—Dynamic Content Acceleration for Top SaaS Apps
Upgrade to 5.0 Innovation required.

Features in Prisma Access 5.0

The following section describes the new features that are available with Prisma Access 5.0.

Prisma Access Application Name Update

Supported in: Prisma Access (Managed by Strata Cloud Manager) starting November 18, 2023
The application tile names on the hub for Prisma Access, Prisma SD-WAN, and AIOps for NGFW (the premium app only) are now changed to Strata Cloud Manager. With this update, the application URL has also changed to stratacloudmanager.paloaltonetworks.com, and you’ll also now see the Strata Cloud Manager logo on the left navigation pane.
Moving forward, continue using the Strata Cloud Manager app to manage and monitor your deployments.

App Acceleration in Prisma Access

Supported in: Prisma Access starting with release 5.0 Innovation.
When your users access apps, they can experience poor app performance due to decreased throughput. This condition can be caused by degraded wireless connectivity, network congestion, and other factors. These networking issues can adversely affect the employee experience and can reduce their productivity.
App Acceleration directly addresses the causes of poor app performance and acts in real-time to boost throughput while maintaining best-in-class security, dramatically improving the user experience for Prisma Access GlobalProtect and Remote Network users.
Without requiring any changes to your applications, App Acceleration securely builds an understanding of:
  • Device capability—The type of client endpoint
  • Network capability—The type of network
  • App Context— The type of app being used
Using its understanding of network, device, and application context, App Acceleration maximizes throughput and adjusts in real-time to account for changing network conditions.
When compared to direct internet access, App Acceleration offers a marked throughput improvement for TCP traffic when connecting through Prisma Access.
You can view these improvements using Autonomous DEM (ADEM), which provides you with metrics such as throughput per application and the data and apps that were accelerated. Using this information, you can pinpoint how App Acceleration improved the app experience for your users.

Remote Browser Isolation

Supported in: Prisma Access starting with release 5.0 Innovation.
Browser and web-based attacks are continuously evolving, resulting in security challenges for many enterprises. Web browsers, being a major entry point for malware to penetrate networks, pose a significant security risk to enterprises, prompting the increasing need to protect networks and devices from zero day attacks. Highly regulated industries, such as government and financial institutions, also require browser traffic isolation as a mandatory compliance requirement.
While most enterprises want to block 100% of attacks by using network security and endpoint security methods, such a goal might not be realistic. Most attacks start with the compromise of an endpoint that connects to malicious or compromised sites or by opening malicious content from those sites. An attacker only needs one miss to take over an endpoint and compromise the network. When this happens, the consequences of that compromise and the impact to your organization can be damaging.
Remote Browser Isolation (RBI) creates a no-code execution isolation environment for a user's local browser, so that no website code and files are executed on their local browser. Unlike other isolation solutions, RBI uses next-generation isolation technologies to deliver near-native experiences for users accessing websites without compromising on security.
RBI is a service that isolates and transfers all browsing activity away from the user's managed devices and corporate networks to an outside entity such as Prisma Access, which secures and isolates potentially malicious code and content within their platform. Natively integrated with Prisma Access, RBI allows you to apply isolation profiles easily to existing security policies. Isolation profiles can restrict many user controls such as copy and paste actions, keyboard inputs, and sharing options like file uploading, downloading, and printing files to keep sensitive data and information secure. All traffic in isolation undergoes analysis and threat prevention provided by Cloud-Delivered Security Services (CDSS) such as Advanced Threat Prevention, Advanced WildFire, Advanced URL Filtering, DNS Security, and SaaS Security.

Service Connection Identity Redistribution Management

Supported in:
  • Prisma Access (Managed by Strata Cloud Manager) starting November 2023
  • Prisma Access (Managed by Panorama) starting with release 5.0 Innovation
Sometimes, granular controls are needed for user-ID redistribution in particularly large scale Prisma Access deployments. Service Connection Identity Redistribution Management lets you select specific service connections for identity redistribution.
By default, all of your service connections, in order of proximity, are used for identity redistribution. However, you may not know which specific service connections are being used for identity redistribution at a given moment. And, depending on the number of service connections you have and the number of User-ID agents you’ve configured, this method for identity redistribution can test the limits of your system resources. To solve this, we now give you the option to decide which service connections you want to use for identity redistribution.

Service Provider Backbone Integration Enhancements

Supported in:
  • Prisma Access (Cloud Management) starting November 2023
Integrate Prisma Access with a service provider (SP) backbone, which allows you (the SP) to assign specific region and egress internet capabilities to your tenants, providing more granular control over the Prisma Access egress traffic. Without the SP Backbone feature, Prisma Access egress traffic uses public cloud providers for network backbone instead.
The following diagram represents Prisma Access egress traffic without SP Backbone integration.
The following diagram represents Prisma Access egress traffic with SP Backbone integration.

Traffic Replication Remote Network and Strata Cloud Manager Support

Supported in: Prisma Access starting with release 5.0 Innovation.
In addition to providing a copy of the traffic generated by mobile users, traffic replication support for Remote Networks provides a similar function for the traffic generated by the branches. This support allows you to have complete visibility for all use cases, along with consistency in the way the traffic is being captured. The copy of the remote networks traffic is shared from the same storage buckets as the mobile users traffic, so existing customers do not have to modify the current deployments. This option is fully configurable and you have the ability to decide if for a certain location you need Traffic Replication enabled for mobile users, remote networks, or both.
Traffic Replication configuration support is added for Cloud Managed Prisma Access and Strata Cloud Manager.

ZTNA Connector Wildcard and FQDN Support for Applications and Additional Diagnostic Tools

Supported in:
  • Prisma Access (Managed by Strata Cloud Manager) starting December 2023
  • Prisma Access (Managed by Panorama) starting with release 5.0 Preferred and Innovation
ZTNA Connector offers the following enhancements:
  • Applications Based on Wildcards and IP Subnets—In addition to setting up applications based on FQDNs, you can set up applications based on FQDN wildcards and IP subnets.
    • For wildcard-based apps, you create an FQDN-based connector group, then specify the wildcard to use (for example, *.example.com) for the app target.
      When users access sites that match the wildcard, those apps are automatically onboarded for access from ZTNA Connector for your mobile users and remote network users. For example, given a wildcard of *.example.com, when users access the app at app1.example.com, ZTNA Connector automatically allows that app to be accessed for mobile users and users at remote network sites.
    • For IP subnet-based apps, you create an IP subnet-based Connector group, then enter the IP subnet to use for the app target.
  • Additional Diagnostic Tools—In addition to the existing ZTNA Connector diagnostic tools, more diagnostic tools are available to help you troubleshoot ZTNA Connector issues:
    • Dump Overview—Allows you to collect a dump of the ZTNA Connector's status.
    • Packet Captures—Allows you to capture packets from the ZTNA Connector internal, external, or tunnel interface.
    • Tech Support—Allows you to generate and download a tech support file.
  • FQDN DNS Resolution to Multiple IP Addresses—If an application FQDN resolves to multiple private IP addresses, the ZTNA connector performs an application probe to determine the status of all resolved IP addresses and load balances the FQDN access to multiple resolved IP addresses that have an application status of Up.

BGP MRAI Configuration Support

Supported in:
  • Prisma Access (Managed by Strata Cloud Manager) starting September 2023
  • Prisma Access (Managed by Panorama) starting with release 5.0 Preferred and Innovation
BGP routing offers a timer you can use to tailor BGP routing convergence in your network called the Minimum Route Advertisement Interval (MRAI).
MRAI acts to rate-limit updates on a per-destination basis, and the BGP routers wait for at least the configured MRAI time before sending an advertisement for the same prefix. A smaller number gives you faster convergence time but creates more advertisements in your network. A larger number decreases the number of advertisements that can be sent, but can also make routing convergence slower. You decide the number to put in your network for the best balance between faster routing convergence and fewer advertisements.
You can configure an MRAI range of between 1 and 600 seconds, with a default value of 30 seconds.

Support for Strata Logging Service Switzerland Region

Supported in:
  • Prisma Access (Managed by Strata Cloud Manager) starting November 2023
  • Prisma Access (Managed by Panorama) starting with release 5.0 Preferred and Innovation
Prisma Access supports the Switzerland Strata Logging Service region.

Prisma Access (Managed by Strata Cloud Manager)/Strata Cloud Manager Support for Prisma Access China

Supported in:
  • Prisma Access (Managed by Strata Cloud Manager) and Strata Cloud Manager starting November 2023
Prisma Access deployments in China provide you with the following enhanced functionalities:
  • To provide you with greater management flexibility, Cloud Managed Prisma Access is added, allowing you to use either Cloud Managed or Panorama Managed Prisma Access to manage your deployment in China.
    Cloud Managed Prisma Access includes the ability to manage your Prisma Access deployment using Strata Cloud Manager. With Strata Cloud Manager, you can easily manage and monitor your network security infrastructure from a single, streamlined user interface. The new platform gives you:
    • Best practice recommendations and workflows to strengthen security posture and eliminate risk.
    • A common alerting framework that identifies network disruptions, so you can maintain optimal health and performance.
    • Enhanced user experience, with contextual and interactive use-case driven dashboards and license-aware data enrichment.
    Using cloud management, you can quickly onboard branches and mobile users through task-driven workflows that allow you to set up and test your environment in minutes. Cloud management with Strata Cloud Manager simplifies the onboarding process by providing predefined internet access and decryption policy rules based on best practices. You can quickly set up IPSec tunnels using defaults suitable for the most common IPSec-capable devices and turn on SSL decryption for recommended URL categories.
  • Cloud managed deployments provide you access to the Prisma SASE Multitenant Portal, allowing you to access Common Services for multiple tenants such as subscription and tenant management and identity and access management.

Integrate Prisma Access with Microsoft Defender for Cloud Apps

Supported in:
  • Prisma Access (Managed by Strata Cloud Manager) starting September 2023
Integrate Prisma Access with Microsoft Defender for Cloud Apps to sync unsanctioned applications and block them inline using Prisma Access automatically.
After you integrate Microsoft Defender for Cloud Apps with Prisma Access, Prisma Access creates a block security policy for URLs that are blocked in Microsoft Defender for Cloud Apps. You can view the list of unsanctioned applications after configuring the integration settings. The Prisma Access-Microsoft Defender for Cloud Apps integration enables you to gain visibility and to discover all cloud applications and shadow IT applications being used as well as provide closed loop remediation for unsanctioned applications.

Maximum of 500 Remote Networks Per Termination Node for 1 Gbps Remote Networks

Supported in: Prisma Access starting with release 5.0 Innovation.
If your IPSec termination node that you use for remote network onboarding is configured to support 1 Gbps of bandwidth, the maximum number of remote networks those IPSec termination nodes can support is increasing from 400 to 500. You must allocate a minimum of 501 Mbps for the compute locations associated with the IPSec termination nodes to have it support up to 1 Gbps of bandwidth.
Deployments using remote networks to onboard Prisma SD-WANs cannot take advantage of this enhancement.

Enhanced SaaS Tenants Control

Supported in: Prisma Access starting with release 5.0 Innovation.
Prisma Access allows you to granularly manage and apply distinct policies for specific tenants for an extended list of SaaS applications (for example, Github or Bitbucket). The complete list of apps is documented at https://docs.paloaltonetworks.com/saas-security/saas-security-admin/saas-security-inline/remediate-risks-saas-security-inline/manage-saas-security-inline-policy/create-saas-policy-rule-recommendations
This functionality allows you to enforce use cases where you might need to allow all actions (for example, uploads and downloads) for a corporate Github account, but block uploads for a partner instance of the same Github SaaS application.

Enhanced IoT Policy Recommendation Workflow for Strata Cloud Manager

Supported in:
  • Prisma Access (Managed by Strata Cloud Manager) starting November 2023
Rapid IoT adoption is creating new attack vectors and implementing policy recommendations to apply least privilege Zero Trust policies to secure your organization's devices is key. If you use Strata Cloud Manager to configure Prisma Access, you can use enhanced IoT policy recommendation workflows to accomplish these goals and keep your devices and users secure.

View and Monitor App Acceleration

Supported in:
  • Prisma Access (Managed by Strata Cloud Manager) starting November 2023
App Acceleration addresses the causes of poor app performance and acts in real-time to boost throughput while maintaining best-in-class security, improving the user experience for Prisma Access GlobalProtect and Remote Network users. You can view and monitor App Acceleration to see details about accelerated applications in your environment. In Strata Cloud Manager, select MonitorApplications to view details about all accelerated applications.

View and Monitor Remote Browser Isolation

Supported in:
  • Prisma Access (Managed by Strata Cloud Manager) starting November 2023
Remote Browser Isolation (RBI) creates a no-code execution isolation environment for a user's local browser, so that no website code and files are executed on their local browser. Unlike other isolation solutions, RBI uses next-generation isolation technologies to deliver near-native experiences for users accessing websites without compromising on security.View and monitor RBI to get comprehensive visibility across your network traffic and for RBI. Gain visibility into your RBI deployment by viewing metrics such as the number of active RBI users, trends, connectivity status, RBI location status, traffic measurements, and license consumption.

View and Monitor ZTNA Connector Access Objects

Supported in:
  • Prisma Access (Managed by Strata Cloud Manager) starting November 2023
View and monitor private apps that were added through ZTNA Connector access objects by viewing data such as the number of apps added by FQDNs, IP subnets, and wildcards, each access object's connectivity status, and the Connector Groups and Connectors associated with each access object.
The private apps in the data centers connect to Prisma Access through your Connector virtual machines (VMs). You can add apps based on these access objects—FQDNs, FQDN wildcards, or IP subnets.
  • FQDNs—Prisma Access resolves the FQDNs of the applications you onboard to ZTNA Connector to the IP addresses in the Application IP address block.
  • Wildcards—For wildcard-based apps, create an FQDN-based connector group, then specify the wildcard to use (for example, *.example.com) for the app target. When users access sites that match the wildcard, those apps are automatically onboarded for access from ZTNA Connector for your mobile users and remote network users.
  • IP Subnets—Create an IP subnet-based Connector group, and then enter the IP subnet to use for the app target.

Features in Prisma Access 5.0.1

The following section describes the new features are available with Prisma Access 5.0.1.

License Enforcement for Mobile Users (Enhancements)

Supported in:
  • Prisma Access (Managed by Strata Cloud Manager) starting February 2024
  • Prisma Access (Managed by Panorama) starting with release 5.0.1 Preferred and Innovation
Prisma Access enforces policies for mobile user licenses over 30 days instead of 90 days. Though there is no strict policing of the mobile user count, the service tracks the number of unique users over the last 30 days to ensure that you have purchased the proper license tier for your user base, and stricter policing of user count may be enforced if continued overages occur. This change is applicable for all types of mobile user licenses.

Saudi Arabia Compute Location

Supported in:
  • Prisma Access (Managed by Strata Cloud Manager) starting February 2024
  • Prisma Access (Managed by Panorama) starting with release 5.0.1 Preferred and Innovation
There is a new compute location, Saudi Arabia. As a result, the Saudi Arabia location has been remapped to the new Saudi Arabia compute location.
New deployments have the new remapping applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location.

Native SASE Integration with Prisma SD-WAN (Strata Cloud Manager Only)

Supported in:
  • Prisma Access (Managed by Strata Cloud Manager) starting February 2024
Effortlessly integrate Prisma SD-WAN with Prisma Access through a native onboarding process. With previous Prisma Access versions, you needed to configure the additional component — Prisma Access for Networks (Cloud Managed) CloudBlade to onboard Prisma SD-WAN sites to Prisma Access. With the native SASE integration between Prisma SD-WAN and Prisma Access, we have further simplified the onboarding without the need to set up the CloudBlade.
Prisma Access currently supports this integration only for new Prisma SASE (Strata Cloud Manager) deployments. For Panorama Managed Prisma Access deployments, continue using CloudBlades for integration with Prisma SD-WAN.

IP Optimization for Mobile Users—GlobalProtect Deployments

Supported in:
  • Prisma Access (Managed by Strata Cloud Manager) starting February 2024
  • Prisma Access (Managed by Panorama) starting with release 5.0.1 Innovation
This functionality is for new Prisma Access GlobalProtect deployments only. Existing Global Protect deployments are not eligible, including new tenants you create from an existing multitenant deployment. In addition, if you are migrating your GlobalProtect deployment from using on-premises gateways and portals to Prisma Access, be sure that all users are running a minimum GlobalProtect app version of 6.1.4+, 6.2.3+, or 6.3+ before enabling this functionality.
IP Optimization is a set of architectural enhancements that reduce the overall number of IP addresses in your deployment, simplifying your allow-listing workflows while improving resiliency and enabling faster onboarding of Prisma Access tenants.
  • Simpler Public IP Address allow-listing–Adding a Prisma Access location or experiencing a scaling event at an existing Prisma Access location could lead to new IP addresses being allocated to the mobile user security processing node (MU-SPN). It's a best practice to retrieve the new egress and gateway IP addresses that Prisma Access assigns and add them to an allow list in your network to avoid SaaS application or corporate firewall disruption. This can result in a situation where you're managing a large number of IP addresses. IP Optimization reduces the number of IP addresses you have to manage.
  • Faster Onboarding of Prisma Access Tenants–Without IP Optimization, you’d need to assign unique private IP addresses to each device across Prisma Access and your private networks, requiring you to allocate large IP blocks from your limited corporate routable IP address space. IP Optimization lets Prisma Access allocate addresses from shared address space by default and NAT private application traffic.

App Acceleration—Dynamic Content Acceleration for Top SaaS Apps

Supported in:
  • Prisma Access (Managed by Strata Cloud Manager) and Prisma Access (Managed by Panorama) starting March 2024
You can accelerate traffic for top SaaS apps including Salesforce, Google Drive, SAP, Ariba, and more. The enhancement speeds up dynamic content (for example, dashboards) up to 5 times faster than direct-to-internet access. If you have already purchased App Acceleration, you receive this enhancement automatically.

Normalized Username Formats

To better standardize usernames across your organization, all usernames in Prisma Access have been normalized.
The usernames are standardized based on the following examples.
Original UsernameNormalized Username
test.User@abc.comtest.user
abc/Test.Usertest.user
abc//Test.useRtest.user
This functionality does not affect security policies based on user groups and members configured using the Cloud Identity Engine.