When your users access apps, they can experience poor app performance due to decreased throughput. This condition can be caused by degraded wireless connectivity, network congestion, and other factors. These networking issues can adversely affect the employee experience and can reduce their productivity.

App Acceleration directly addresses the causes of poor app performance and acts in real-time to boost throughput while maintaining best-in-class security, dramatically improving the user experience for Prisma Access GlobalProtect and Remote Network users.

Without requiring any changes to your applications, App Acceleration securely builds an understanding of:

Using its understanding of network, device, and application context, App Acceleration maximizes throughput and adjusts in real-time to account for changing network conditions.

When compared to direct internet access, App Acceleration offers a marked throughput improvement for TCP traffic when connecting through Prisma Access.

You can view these improvements using Autonomous DEM (ADEM), which provides you with metrics such as throughput per application and the data and apps that were accelerated. Using this information, you can pinpoint how App Acceleration improved the app experience for your users.

Browser and web-based attacks are continuously evolving, resulting in security challenges for many enterprises. Web browsers, being a major entry point for malware to penetrate networks, pose a significant security risk to enterprises, prompting the increasing need to protect networks and devices from zero day attacks. Highly regulated industries, such as government and financial institutions, also require browser traffic isolation as a mandatory compliance requirement.

While most enterprises want to block 100% of attacks by using network security and endpoint security methods, such a goal might not be realistic. Most attacks start with the compromise of an endpoint that connects to malicious or compromised sites or by opening malicious content from those sites. An attacker only needs one miss to take over an endpoint and compromise the network. When this happens, the consequences of that compromise and the impact to your organization can be damaging.

Remote Browser Isolation (RBI) creates a safe isolation environment for your users' local browsers, preventing website code and files from executing on their local browser. Unlike other isolation solutions, RBI uses next-generation isolation technologies to deliver near-native experiences for users accessing websites without compromising on security.

RBI is a service that transfers all browsing activity away from your users' managed devices and corporate networks to an outside entity, such as Prisma® Access, which securely isolates potentially malicious code and content within its platform. Natively integrated with Prisma Access, RBI allows you to apply isolation profiles easily to existing security policies. Isolation profiles can restrict many user controls such as copy and paste actions, keyboard inputs, and sharing options like file uploading, downloading, and printing files to keep sensitive data and information secure. All traffic in isolation undergoes analysis and threat prevention provided by Cloud-Delivered Security Services (CDSS), ensuring robust security before content reaches the user.

Sometimes, granular controls are needed for user-ID redistribution in particularly large scale Prisma Access deployments. Service Connection Identity Redistribution Management lets you select specific service connections for identity redistribution.

By default, all of your service connections, in order of proximity, are used for identity redistribution. However, you may not know which specific service connections are being used for identity redistribution at a given moment. And, depending on the number of service connections you have and the number of User-ID agents you’ve configured, this method for identity redistribution can test the limits of your system resources. To solve this, we now give you the option to decide which service connections you want to use for identity redistribution.

Service Providers (SPs) managing tenant connectivity often lack the granular control required to manage egress traffic precisely, forcing reliance on public cloud providers for network backbone and potentially increasing costs or complexity. The Service Provider Backbone Integration feature addresses this by integrating Prisma® Access with a service provider (SP) backbone, which allows you (the SP) to assign specific region and egress internet capabilities to your tenants, providing more granular control over the Prisma Access egress traffic. Without the SP Backbone feature, Prisma Access egress traffic uses public cloud providers for network backbone instead.

This diagram shows Prisma Access egress traffic without SP Backbone integration.

This diagram shows Prisma Access egress traffic with SP Backbone integration.

On-premises network recorders have been a powerful tool for organizations to perform forensic and breach analysis. It's common in on-premises topologies to implement a parallel infrastructure of tap ports, span ports, or packet brokers that would deliver a copy of the traffic to be used for such out-of-band analysis. However, along with the accelerated adoption of hybrid work and cloud, organizations are migrating to SASE architectures to address these challenges. Adhering to SASE cloud security solutions created blind spots for these forensic analysis tools, where a copy of the traffic from a remote user to a SaaS application is no longer available.

Prisma® Access traffic replication adds full visibility into forensic and post-mortem analysis involving SASE architectures by making available a copy of the traffic that is traversing Prisma Access.

In addition to providing a copy of the traffic generated by mobile users, traffic replication support for Remote Networks provides a similar function for the traffic generated by the branches. This support allows you to have complete visibility for all use cases, along with consistency in the way the traffic is being captured. This extension ensures comprehensive visibility across all branch traffic, providing the necessary consistency and flexibility to apply forensic analysis across both mobile user and remote network use cases seamlessly.

Prisma Access (Managed by Strata Cloud Manager) deployments now support Traffic Replication.

Managing access to private applications that rely on complex addressing schemes or require deep network monitoring typically creates significant management overhead. Prisma® Access ZTNA Connector now simplifies application definition using FQDN wildcards and IP subnets and includes new diagnostic tools to streamline troubleshooting.

ZTNA Connector offers the following enhancements:

Maintaining optimal BGP routing requires balancing fast network convergence with minimizing update overhead, a process often complicated by fixed Minimum Route Advertisement Interval (MRAI) settings. Prisma® Access now offers configurable BGP MRAI support, which provides a timer you can use to tailor routing convergence in your network.

MRAI acts to rate-limit updates on a per-destination basis. BGP routers wait for at least the configured MRAI time before sending an advertisement for the same prefix. A smaller number gives you faster convergence time but creates more advertisements, while a larger number decreases advertisements but can slow routing convergence. You can configure a flexible MRAI range with a customizable default value, allowing you to achieve the best balance between speed and network stability.

Prisma Access supports the Switzerland Strata Logging Service region.

Managing security infrastructure in China often involves reliance on specialized or separate management systems, limiting operational flexibility and efficiency. Prisma® Access now addresses this complexity by introducing Cloud Managed Prisma Access, allowing you to use either Strata Cloud Manager or Panorama to manage your deployment in China.

With Strata Cloud Manager, the new platform provides streamlined management and monitoring capabilities, including:

Unmanaged cloud services and shadow IT applications can introduce significant security risks to your network. To address this issue, you can now integrate Prisma® Access with Microsoft Defender for Cloud Apps. This integration automatically syncs and blocks the list of unsanctioned applications inline, providing crucial closed-loop remediation. This integration enables you to gain visibility and to discover all cloud applications and shadow IT applications being used. The automated syncing and blocking provide crucial closed-loop remediation for unsanctioned applications.

Microsoft Defender is one of many Microsoft products that Prisma Access integrates with so that you can protect your applications and data on Azure, in Office 365, on the network, and the endpoint.

If your IPSec termination node that you use for remote network onboarding is configured to support 1 Gbps of bandwidth, the maximum number of remote networks those IPSec termination nodes can support is increasing from 400 to 500. You must allocate a minimum of 501 Mbps for the compute locations associated with the IPSec termination nodes to have it support up to 1 Gbps of bandwidth.

Prisma Access allows you to granularly manage and apply distinct policies for specific tenants for an extended list of SaaS applications (for example, Github or Bitbucket). The complete list of apps is documented at https://docs.paloaltonetworks.com/saas-security/saas-security-admin/saas-security-inline/remediate-risks-saas-security-inline/manage-saas-security-inline-policy/create-saas-policy-rule-recommendations

This functionality allows you to enforce use cases where you might need to allow all actions (for example, uploads and downloads) for a corporate Github account, but block uploads for a partner instance of the same Github SaaS application.

Rapid IoT adoption is creating new attack vectors and implementing policy recommendations to apply least privilege Zero Trust policies to secure your organization's devices is key. If you use Strata Cloud Manager to configure Prisma® Access, you can use enhanced IoT policy recommendation workflows to accomplish these goals and keep your devices and users secure. IoT Security provides Strata Cloud Manager with automatically generated Security policy rule recommendations organized by device profile. This enhanced integration simplifies the deployment and enforcement of these recommended policies across all your security endpoints, including next-generation firewalls and Prisma Access. The new workflow and automatically generated rules from IoT Security translate into faster, more secure, and more precise deployment of Zero Trust policies compared to manual methods.

App Acceleration addresses the causes of poor app performance and acts in real-time to boost throughput while maintaining best-in-class security, improving the user experience for Prisma Access GlobalProtect and Remote Network users. You can view and monitor App Acceleration to see details about accelerated applications in your environment. In Strata Cloud Manager, select Activity InsightsApplications to view details about all accelerated applications.

Remote Browser Isolation (RBI) creates a no-code execution isolation environment for a user's local browser, so that no website code and files are executed on their local browser. Unlike other isolation solutions, RBI uses next-generation isolation technologies to deliver near-native experiences for users accessing websites without compromising on security.View and monitor RBI to get comprehensive visibility across your network traffic and for RBI. Gain visibility into your RBI deployment by viewing metrics such as the number of active RBI users, trends, connectivity status, RBI location status, traffic measurements, and license consumption.

View and monitor private apps that were added through ZTNA Connector access objects by viewing data such as the number of apps added by FQDNs, IP subnets, and wildcards, each access object's connectivity status, and the Connector Groups and Connectors associated with each access object.

The private apps in the data centers connect to Prisma Access through your Connector virtual machines (VMs). You can add apps based on these access objects—FQDNs, FQDN wildcards, or IP subnets.

• FQDNs—Prisma Access resolves the FQDNs of the applications you onboard to ZTNA Connector to the IP addresses in the Application IP address block.
• Wildcards—For wildcard-based apps, create an FQDN-based connector group, then specify the wildcard to use (for example, *.example.com) for the app target. When users access sites that match the wildcard, those apps are automatically onboarded for access from ZTNA Connector for your mobile users and remote network users.
• IP Subnets—Create an IP subnet-based Connector group, and then enter the IP subnet to use for the app target.