New Features in Prisma Access 5.0

Where Can I Use This?
  • Prisma Access (Cloud Management)
  • Prisma Access (Panorama Managed)
What Do I Need?
  • Minimum Required Prisma Access Version: 5.0 Preferred or Innovation

The following sections describe the new features that are available with Prisma Access 5.0 Preferred and Innovation, in addition to the infrastructure, plugin, and dataplane dependencies for the 5.0 features.

Recommended Software Versions for Prisma Access 5.0 Preferred and Innovation

There are two Prisma Access 5.0 versions:
  • 5.0 Preferred runs a PAN-OS dataplane earlier than 10.2.8. If you are running Prisma Access 4.0, 4.1, or 4.2, a dataplane upgrade is not required.
  • 5.0 Innovation runs on the PAN-OS 10.2.8 (coming soon) dataplane and unlocks the features that are available with that dataplane.
For new Prisma Access 5.0 Innovation features, Palo Alto Networks recommends that you upgrade your Prisma Access deployment to the following version(s) before installing the plugin (note that the Prisma Access 5.0 release supports the same minimum requirements as Prisma Access 4.0). Also note that, for access to all features, you will need to upgrade your dataplane to 10.2.8, which is required for Prisma Access 5.0 Innovation.

Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.0 Preferred and Innovation Features

Prisma Access 5.0 features require one or more of the following components to function:
  • Infrastructure Upgrade—The infrastructure includes the underlying service backend, orchestration, and monitoring infrastructure. Prisma Access upgrades the infrastructure before the general availability (GA) date of a Prisma Access release. Features that require only an infrastructure upgrade to be unlocked take effect for all Prisma Access deployments, regardless of version, at the time of the infrastructure upgrade.
  • Plugin Upgrade (Prisma Access (Panorama Managed) Deployments Only)—Installing the plugin activates the features that are available with that release. You download and install the plugin on the Panorama that manages Prisma Access.
  • Dataplane Upgrade—The dataplane enables traffic inspection and security policy enforcement on your network and user traffic. For Prisma Access (Panorama Managed) deployments, you can view your dataplane version by going to Panorama > Cloud Services > Configuration > Service Setup and viewing the Prisma Access Version. Prisma Access 5.0 Innovation runs PAN-OS 10.2.8.
This dataplane upgrade to 5.0 Innovation is optional, and is only required if you want to take advantage of the features that require a dataplane upgrade. For minimum Panorama and GlobalProtect versions, the Prisma Access 5.0 release supports the same versions as
These features are activated with the infrastructure upgrade for Prisma Access:
  • Support for Cortex Data Lake Switzerland Region
  • Cloud Managed Support for Prisma Access China
These features require an infrastructure and plugin upgrade but do not require a dataplane upgrade:
  • Service Connection Identity Redistribution Management
  • ZTNA Connector Wildcard and FQDN Support for Applications and Additional Diagnostic Tools
  • BGP MRAI Configuration Support
  • Enhanced IoT Policy Recommendation Workflow for Prisma Access (Cloud Management)
  • Integrate Prisma Access with Microsoft Defender for Cloud Apps (minimum 10.2.4 dataplane required)
The following 5.0 Innovation features require an infrastructure, plugin, and dataplane upgrade:
  • App Acceleration in Prisma Access
  • Remote Browser Isolation
  • Traffic Replication Remote Network and Prisma Access (Cloud Management) Support
  • Maximum of 500 Remote Networks Per Termination Node for 1 Gbps Remote Networks
  • Enhanced SaaS Tenants Control

General Availability Features—Prisma Access 5.0

The following section describes the new features that are generally available with Prisma Access 5.0. There are also features released in preview mode.

Prisma Access Application Name Update

Supported in: Prisma Access (Cloud Management) starting November 18, 2023
The application tile names on the hub for Prisma Access, Prisma SD-WAN, and AIOps for NGFW (the premium app only) are now changed to Strata Cloud Manager. With this update, the application URL has also changed to stratacloudmanager.paloaltonetworks.com, and you'll also now see the Strata Cloud Manager logo on the left navigation pane.
Moving forward, continue using the Strata Cloud Manager app to manage and monitor your deployments.

App Acceleration in Prisma Access (5.0 Innovation Feature)

Supported in: Prisma Access starting with release 5.0 Innovation.
When your users access apps, they can experience poor app performance due to decreased throughput. This condition can be caused by degraded wireless connectivity, network congestion, and other factors. These networking issues can adversely affect the employee experience and can reduce their productivity.
App Acceleration directly addresses the causes of poor app performance and acts in real-time to boost throughput while maintaining best-in-class security, dramatically improving the user experience for Prisma Access GlobalProtect and Remote Network users.
Without requiring any changes to your applications, App Acceleration securely builds an understanding of:
  • Device capability—The type of client endpoint
  • Network capability—The type of network
  • App Context—The type of app being used
Using its understanding of network, device, and application context, App Acceleration maximizes throughput and adjusts in real-time to account for changing network conditions.
When compared to direct internet access, App Acceleration offers a marked throughput improvement for TCP traffic when connecting through Prisma Access.
You can view these improvements using Autonomous DEM (ADEM), which provides you with metrics such as throughput per application and the data and apps that were accelerated. Using this information, you can pinpoint how App Acceleration improved the app experience for your users.

Remote Browser Isolation (5.0 Innovation Feature)

Supported in: Prisma Access starting with release 5.0 Innovation.
Browser and web-based attacks are continuously evolving, resulting in security challenges for many enterprises. Web browsers, being a major entry point for malware to penetrate networks, pose a significant security risk to enterprises, prompting the increasing need to protect networks and devices from zero day attacks. Highly regulated industries, such as government and financial institutions, also require browser traffic isolation as a mandatory compliance requirement.
While most enterprises want to block 100% of attacks by using network security and endpoint security methods, such a goal might not be realistic. Most attacks start with the compromise of an endpoint that connects to malicious or compromised sites or by opening malicious content from those sites. An attacker only needs one miss to take over an endpoint and compromise the network. When this happens, the consequences of that compromise and the impact to your organization can be damaging.
Remote Browser Isolation (RBI) creates a no-code execution isolation environment for a user's local browser, so that no website code and files are executed on their local browser. Unlike other isolation solutions, RBI uses next-generation isolation technologies to deliver near-native experiences for users accessing websites without compromising on security.
RBI is a service that isolates and transfers all browsing activity away from the user's managed devices and corporate networks to an outside entity such as Prisma Access, which secures and isolates potentially malicious code and content within their platform. Natively integrated with Prisma Access, RBI allows you to apply isolation profiles easily to existing security policies. Isolation profiles can restrict many user controls such as copy and paste actions, keyboard inputs, and sharing options like file uploading, downloading, and printing files to keep sensitive data and information secure. All traffic in isolation undergoes analysis and threat prevention provided by Cloud-Delivered Security Services (CDSS) such as Advanced Threat Prevention, Advanced WildFire, Advanced URL Filtering, DNS Security, and SaaS Security.

Service Connection Identity Redistribution Management

Supported in:
  • Prisma Access (Cloud Management)
    starting November 2023
  • Prisma Access (Panorama Managed)
    starting with release 5.0 Innovation
Sometimes, granular controls are needed for user-ID redistribution in particularly large scale Prisma Access deployments. Service Connection Identity Redistribution Management lets you select specific service connections for identity redistribution.
By default, all of your service connections, in order of proximity, are used for identity redistribution. However, you may not know which specific service connections are being used for identity redistribution at a given moment. And, depending on the number of service connections you have and the number of User-ID agents you’ve configured, this method for identity redistribution can test the limits of your system resources. To solve this, we now give you the option to decide which service connections you want to use for identity redistribution.

Service Provider Backbone Integration Enhancements

Supported in:
  • Prisma Access (Cloud Management) starting November 2023
From Prisma Access 4.1, you can integrate Prisma Access with a service provider (SP) backbone, which allows you (the SP) to assign specific region and egress internet capabilities to your tenants, providing more granular control over the Prisma Access egress traffic.
From Prisma Access version 5.0, you can allow inbound flows to other remote networks over the Service Provider (SP) backbone when you configure the non-inbound access remote network.
SP interconnect supports only the following:
  • Mobile users, service connections, and remote networks
  • GCP Regions
  • New Prisma Access deployments
  • Explicit proxy egress traffic

Traffic Replication Remote Network and Strata Cloud Manager Support (5.0 Innovation Feature)

Supported in: Prisma Access starting with release 5.0 Innovation.
In addition to providing a copy of the traffic generated by mobile users, traffic replication support for Remote Networks provides a similar function for the traffic generated by the branches. This support allows you to have complete visibility for all use cases, along with consistency in the way the traffic is being captured. The copy of the remote networks traffic is shared from the same storage buckets as the mobile users traffic, so existing customers do not have to modify the current deployments. This option is fully configurable and you have the ability to decide if for a certain location you need Traffic Replication enabled for mobile users, remote networks, or both.
Traffic Replication configuration support is added for Cloud Managed Prisma Access and Strata Cloud Manager.

ZTNA Connector Wildcard and FQDN Support for Applications and Additional Diagnostic Tools

Supported in:
  • Prisma Access (Cloud Management)
    starting September 2023
  • Prisma Access (Panorama Managed)
    starting with release 5.0 Preferred and Innovation
ZTNA Connector offers the following enhancements:
  • Applications Based on Wildcards and IP Subnets
    —In addition to setting up applications based on FQDNs, you can set up applications based on FQDN wildcards and IP subnets.
    • For wildcard-based apps, you create an FQDN-based connector group, then specify the wildcard to use (for example, *.example.com) for the app target.
      When users access sites that match the wildcard, those apps are automatically onboarded for access from ZTNA Connector for your mobile users and remote network users. For example, given a wildcard of *.example.com, when users access the app at app1.example.com, ZTNA Connector automatically allows that app to be accessed for mobile users and users at remote network sites.
    • For IP subnet-based apps, you create an IP subnet-based Connector group, then enter the IP subnet to use for the app target.
  • Additional Diagnostic Tools
    —In addition to the existing ZTNA Connector diagnostic tools, more diagnostic tools are available to help you troubleshoot ZTNA Connector issues:
    • Dump Overview
      —Allows you to collect a dump of the ZTNA Connector's status.
    • Packet Captures
      —Allows you to capture packets from the ZTNA Connector internal, external, or tunnel interface.
    • Tech Support
      —Allows you to generate and download a tech support file.
  • FQDN DNS Resolution to Multiple IP Addresses
    —If an application FQDN resolves to multiple private IP addresses, the ZTNA connector performs an application probe to determine the status of all resolved IP addresses and load balances the FQDN access to multiple resolved IP addresses that have an application status of Up.
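The target matching described above, as an added, constructed model (not the ZTNA Connector's own code): an app target is an exact FQDN, an FQDN wildcard such as *.example.com, or an IP subnet, and an FQDN that resolves to several private addresses is served only by addresses whose probe status is Up. The target names, addresses and probe results below are made up for the example.

```python
"""Constructed model of ZTNA Connector app targets: wildcard FQDNs, IP subnets,
and load balancing across the resolved addresses that probed Up."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class AppTarget:
    spec: str                                        # "app.example.com", "*.example.com" or "10.10.0.0/16"
    resolved: list = field(default_factory=list)     # private IPs the FQDN resolved to (constructed)
    status: dict = field(default_factory=dict)       # ip -> "Up" / "Down" from the application probe
    _next: int = field(default=0, init=False)        # round-robin cursor over Up addresses

    def matches(self, destination: str) -> bool:
        """True if a requested destination (host name or IP) falls under this target."""
        if self.spec.startswith("*."):
            suffix = self.spec[1:].lower()            # "*.example.com" -> ".example.com"
            host = destination.lower()
            # the wildcard covers subdomains such as app1.example.com, not the bare apex name
            return host.endswith(suffix) and len(host) > len(suffix)
        if "/" in self.spec:
            try:
                return ipaddress.ip_address(destination) in ipaddress.ip_network(self.spec, strict=False)
            except ValueError:                        # destination is a host name, not an address
                return False
        return destination.lower() == self.spec.lower()

    def healthy_addresses(self) -> list:
        """Only addresses the probe reported as Up are eligible for load balancing."""
        return [ip for ip in self.resolved if self.status.get(ip) == "Up"]

    def next_address(self) -> str:
        """Round-robin over Up addresses; raise if nothing resolved is reachable."""
        up = self.healthy_addresses()
        if not up:
            raise LookupError(f"no Up address for {self.spec}")
        ip = up[self._next % len(up)]
        self._next += 1
        return ip


def find_target(targets: list, destination: str):
    """Return the first target that covers the destination, or None if it is not onboarded."""
    return next((t for t in targets if t.matches(destination)), None)


# Constructed connector-group targets: one wildcard app, one subnet app, one FQDN app
# that resolves to three private addresses, one of which failed its probe.
TARGETS = [
    AppTarget("*.example.com"),
    AppTarget("10.10.0.0/16"),
    AppTarget("hr.corp.example.net",
              resolved=["10.20.0.11", "10.20.0.12", "10.20.0.13"],
              status={"10.20.0.11": "Up", "10.20.0.12": "Down", "10.20.0.13": "Up"}),
]

if __name__ == "__main__":
    for dest in ("app1.example.com", "example.com", "10.10.42.7", "192.168.1.1"):
        t = find_target(TARGETS, dest)
        print(dest, "->", t.spec if t else "not onboarded")
    hr = find_target(TARGETS, "hr.corp.example.net")
    print([hr.next_address() for _ in range(4)])   # skips the Down address 10.20.0.12
```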

BGP MRAI Configuration Support

Supported in:
  • Prisma Access (Cloud Management)
    starting September 2023
  • Prisma Access (Panorama Managed)
    starting with release 5.0 Preferred and Innovation
BGP routing offers a timer you can use to tailor BGP routing convergence in your network called the Minimum Route Advertisement Interval (MRAI).
MRAI acts to rate-limit updates on a per-destination basis, and the BGP routers wait for at least the configured MRAI time before sending an advertisement for the same prefix. A smaller number gives you faster convergence time but creates more advertisements in your network. A larger number decreases the number of advertisements that can be sent, but can also make routing convergence slower. You decide the number to put in your network for the best balance between faster routing convergence and fewer advertisements.
You can configure an MRAI range of between 1 and 600 seconds, with a default value of 30 seconds.
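To make the convergence-versus-advertisement trade-off concrete, the following added, constructed simulation (not Prisma Access code) replays the same flapping prefix through a speaker with a 1-second and a 30-second MRAI; the prefixes and timestamps are made up for the example.

```python
"""Model of how a per-prefix MRAI timer rate-limits BGP advertisements."""
from dataclasses import dataclass, field

MRAI_MIN, MRAI_MAX, MRAI_DEFAULT = 1, 600, 30     # configurable range and default from the page


def mrai_in_range(seconds: int) -> bool:
    return MRAI_MIN <= seconds <= MRAI_MAX


@dataclass
class MraiSpeaker:
    mrai: int = MRAI_DEFAULT
    last_sent: dict = field(default_factory=dict)   # prefix -> time of its last advertisement
    pending: dict = field(default_factory=dict)     # prefix -> newest attributes withheld by the timer
    sent: list = field(default_factory=list)        # (time, prefix, attrs) actually advertised

    def __post_init__(self):
        if not mrai_in_range(self.mrai):
            raise ValueError(f"MRAI must be between {MRAI_MIN} and {MRAI_MAX} seconds")

    def update(self, now: float, prefix: str, attrs: str) -> bool:
        """Offer a route change; return True if advertised now, False if withheld."""
        last = self.last_sent.get(prefix)
        if last is None or now - last >= self.mrai:
            self._advertise(now, prefix, attrs)
            return True
        # inside the MRAI window: keep only the newest attributes, collapsing the flaps
        self.pending[prefix] = attrs
        return False

    def tick(self, now: float) -> list:
        """Flush withheld prefixes whose MRAI window has expired by `now`."""
        flushed = []
        for prefix in list(self.pending):
            if now - self.last_sent[prefix] >= self.mrai:
                self._advertise(now, prefix, self.pending.pop(prefix))
                flushed.append(prefix)
        return flushed

    def _advertise(self, now: float, prefix: str, attrs: str) -> None:
        self.last_sent[prefix] = now
        self.sent.append((now, prefix, attrs))


def simulate(mrai: int, events: list) -> int:
    """Replay time-ordered (time, prefix, attrs) events; return how many advertisements went out."""
    spk = MraiSpeaker(mrai)
    for t, prefix, attrs in events:
        spk.tick(t)
        spk.update(t, prefix, attrs)
    spk.tick(events[-1][0] + mrai)                  # let the last timers expire
    return len(spk.sent)


# Constructed flap sequence: 10.1.0.0/24 changes path five times in 20 s; 10.2.0.0/24 once.
FLAPS = [(0, "10.1.0.0/24", "AS 65001"), (5, "10.1.0.0/24", "AS 65002"),
         (8, "10.2.0.0/24", "AS 65001"), (12, "10.1.0.0/24", "AS 65001"),
         (15, "10.1.0.0/24", "AS 65002"), (20, "10.1.0.0/24", "AS 65001")]

if __name__ == "__main__":
    for mrai in (1, MRAI_DEFAULT):
        print(f"MRAI {mrai:>2}s: {simulate(mrai, FLAPS)} advertisements")   # 6 vs 3
```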

Support for Cortex Data Lake Switzerland Region

Supported in:
  • Prisma Access (Cloud Management)
    starting November 2023
  • Prisma Access (Panorama Managed)
    starting with release 5.0 Preferred and Innovation
Prisma Access supports the Switzerland Cortex Data Lake region.

Prisma Access (Cloud Management) / Strata Cloud Manager Support for Prisma Access China

Supported in:
  • Prisma Access (Cloud Management) and Strata Cloud Manager starting November 2023
Prisma Access deployments in China provide you with the following enhanced functionalities:
  • To provide you with greater management flexibility, Cloud Managed Prisma Access is added, allowing you to use either Cloud Managed or Panorama Managed Prisma Access to manage your deployment in China.
    Cloud Managed Prisma Access includes the ability to manage your Prisma Access deployment using Strata Cloud Manager. With Strata Cloud Manager, you can easily manage and monitor your network security infrastructure from a single, streamlined user interface. The new platform gives you:
    • Best practice recommendations and workflows to strengthen security posture and eliminate risk.
    • A common alerting framework that identifies network disruptions, so you can maintain optimal health and performance.
    • Enhanced user experience, with contextual and interactive use-case driven dashboards and license-aware data enrichment.
    Using cloud management, you can quickly onboard branches and mobile users through task-driven workflows that allow you to set up and test your environment in minutes. Cloud management with Strata Cloud Manager simplifies the onboarding process by providing predefined internet access and decryption policy rules based on best practices. You can quickly set up IPSec tunnels using defaults suitable for the most common IPSec-capable devices and turn on SSL decryption for recommended URL categories.
  • Cloud managed deployments provide you access to the Prisma SASE Multitenant Portal, allowing you to access Common Services for multiple tenants such as subscription and tenant management and identity and access management.

Integrate Prisma Access with Microsoft Defender for Cloud Apps

Supported in:
  • Prisma Access (Cloud Management)
    starting September 2023
  • Prisma Access (Panorama Managed)
    starting with release 5.0 Preferred and Innovation
Integrate Prisma Access with Microsoft Defender for Cloud Apps to sync unsanctioned applications and block them inline using Prisma Access automatically.
After you integrate Microsoft Defender for Cloud Apps with Prisma Access, Prisma Access creates a block security policy for URLs that are blocked in Microsoft Defender for Cloud Apps. You can view the list of unsanctioned applications after configuring the integration settings. The Prisma Access-Microsoft Defender for Cloud Apps integration enables you to gain visibility and to discover all cloud applications and shadow IT applications being used as well as provide closed loop remediation for unsanctioned applications.

Maximum of 500 Remote Networks Per Termination Node for 1 Gbps Remote Networks (5.0 Innovation Feature)

Supported in: Prisma Access starting with release 5.0 Innovation.
If the IPSec termination node you use for remote network onboarding is configured to support 1 Gbps of bandwidth, the maximum number of remote networks that node can support increases from 400 to 500. You must allocate a minimum of 501 Mbps to the compute location associated with the IPSec termination node for it to support up to 1 Gbps of bandwidth.
Deployments using remote networks to onboard Prisma SD-WANs cannot take advantage of this enhancement.

Enhanced SaaS Tenants Control (5.0 Innovation Feature)

Supported in: Prisma Access starting with release 5.0 Innovation.
Prisma Access allows you to granularly manage and apply distinct policies for specific tenants for an extended list of SaaS applications (for example, GitHub or Bitbucket). The complete list of apps is documented at https://docs.paloaltonetworks.com/saas-security/saas-security-admin/saas-security-inline/remediate-risks-saas-security-inline/manage-saas-security-inline-policy/create-saas-policy-rule-recommendations.
This functionality allows you to enforce use cases where you might need to allow all actions (for example, uploads and downloads) for a corporate Github account, but block uploads for a partner instance of the same Github SaaS application.

Enhanced IoT Policy Recommendation Workflow for Strata Cloud Manager

Supported in:
  • Prisma Access (Cloud Management) starting November 2023
Rapid IoT adoption is creating new attack vectors, and implementing policy recommendations that apply least-privilege Zero Trust policies to secure your organization's devices is key. If you use Strata Cloud Manager to configure Prisma Access, you can use enhanced IoT policy recommendation workflows to accomplish these goals and keep your devices and users secure.

Preview Features—Prisma Access 5.0

The following features are not generally available but are being released in Preview Mode for Prisma Access 5.0.
Reach out to your Palo Alto Networks team to learn more about these Preview Mode features and their general availability timelines.

Support for End-to-End IPv6 Connectivity (5.0 Innovation Feature)

Supported in: Prisma Access starting with release 5.0 Innovation.
This feature is being released as Limited Availability and is available for new Prisma Access customers only.
Prisma Access is expanding support for IPv6 beyond access to private applications to natively support IPv6 for GlobalProtect as well as Remote Networks.
One benefit of native IPv6 support is the ability for Mobile Users on IPv6-only and dual-stack endpoints to connect to Prisma Access over IPv6 connections using GlobalProtect. Another benefit is the ability for GlobalProtect and Remote Networks to access the internet and public SaaS applications over the internet where those internet destinations require IPv6 connections.
IPv6 offers a significantly larger address space over IPv4, allowing for an almost unlimited number of unique IP addresses, while dual stack is a transitional approach that allows networks and devices to operate using both IPv4 and IPv6 simultaneously. Native IPv6 support makes Prisma Access compatible with both IPv6 and dual-stack connections to ease the migration process from IPv4 to IPv6, ensure backward compatibility, and empower your journey to the cloud and IPv6 enabled networks.

Simplified Branch Onboarding (5.0 Innovation Feature)

Supported in: Prisma Access starting with release 5.0 Innovation.
This feature is being released as Limited Availability and is available for new Prisma Access customers only.
To simplify onboarding your branch locations, a single FQDN and IP address now supports up to 5 Gbps of aggregate bandwidth. Therefore, you do not need to manage multiple IP addresses when configuring remote networks as long as the combined throughput remains below 5 Gbps. Only if throughput exceeds 5 Gbps will the service provide another FQDN and IP address.
Furthermore, the service now automatically load balances branches across the RN SPNs, which helps avoid surprises during the onboarding process when a branch consumes more bandwidth than expected.
