
New Features - Prisma Access - 5.0 Preferred and Innovation


App Acceleration in Prisma Access

Release Date: November 2023 | Last Updated: May 2026

When your users access apps, they can experience poor app performance due to decreased throughput. This condition can be caused by degraded wireless connectivity, network congestion, and other factors. These networking issues can adversely affect the employee experience and can reduce their productivity.

App Acceleration directly addresses the causes of poor app performance and acts in real time to boost throughput while maintaining best-in-class security, dramatically improving the user experience for Prisma Access GlobalProtect and Remote Network users.

Without requiring any changes to your applications, App Acceleration securely builds an understanding of:

  • Device capability — The type of client endpoint

  • Network capability — The type of network

  • App Context — The type of app being used

Using its understanding of network, device, and application context, App Acceleration maximizes throughput and adjusts in real time to account for changing network conditions.

When compared to direct internet access, App Acceleration offers a marked throughput improvement for TCP traffic when connecting through Prisma Access.

You can view these improvements using Autonomous DEM (ADEM), which provides you with metrics such as throughput per application and the data and apps that were accelerated. Using this information, you can pinpoint how App Acceleration improved the app experience for your users.

App Acceleration Support for Additional Apps

Release Date: May 2024 | Last Updated: May 2026

Enterprises today employ workers everywhere, connecting to apps that are anywhere. Hybrid workforces rely on high-performing app experiences, but slowdowns caused by cloud latency and adverse network conditions drain productivity and frustrate workers. The major causes of poor performance include:

  • Cloud latency experienced when apps are processing dynamic content
  • Wireless connectivity issues

Both of these issues exist outside the control of the enterprise. Apps use Content Delivery Network (CDN) caching, but modern apps are powered by dynamic content that can't be cached. And consumer-grade Wi-Fi and wireless connectivity have no performance service-level agreements (SLAs) because wireless conditions like interference and signal strength are continuously changing.

App Acceleration for Prisma SASE directly addresses the causes of poor performance by accelerating dynamic content in top SaaS apps, and has added support for these apps:

  • AWS S3

  • Azure Storage

  • Box

  • Google Drive

  • Microsoft OneDrive

  • Salesforce

  • SAP Ariba

  • ServiceNow

  • Slack (file downloads)

  • Zoom (file downloads from chat, recording downloads)

These enhancements provide you with the following benefits:

  • Up to five times the improvement over direct-to-internet app performance (measured in app response time and throughput metrics)

  • Enriches AI-powered ADEM with Real User Metrics (RUM) to enhance observability into performance issues

  • No code changes required

App Acceleration—Dynamic Content Acceleration for Top SaaS Apps

Release Date: February 2024 | Last Updated: June 2026

You can accelerate traffic for top SaaS apps including Salesforce, Google Drive, SAP Ariba, and more. The enhancement makes dynamic content (for example, dashboards) up to 5 times faster than direct-to-internet access. If you have already purchased App Acceleration, you receive this enhancement automatically.

BGP MRAI Configuration Support

Release Date: November 2023 | Last Updated: June 2026

Maintaining optimal BGP routing requires balancing fast network convergence with minimizing update overhead, a process often complicated by fixed Minimum Route Advertisement Interval (MRAI) settings. Prisma® Access now offers configurable BGP MRAI support, which provides a timer you can use to tailor routing convergence in your network.

MRAI acts to rate-limit updates on a per-destination basis. BGP routers wait for at least the configured MRAI time before sending an advertisement for the same prefix. A smaller number gives you faster convergence time but creates more advertisements, while a larger number decreases advertisements but can slow routing convergence. You can configure a flexible MRAI range with a customizable default value, allowing you to achieve the best balance between speed and network stability.
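The trade-off described above can be seen by replaying one flapping prefix through a per-prefix MRAI timer. This is an added example, not Prisma Access code: the function names, prefixes and change times are constructed, and the model ignores per-peer timers and jitter.

```python
def simulate_mrai(changes, mrai):
    """Replay route changes through a per-prefix MRAI timer.

    changes: iterable of (time_s, prefix); mrai: seconds, 0 disables holding.
    Returns (adverts, worst_lag): adverts is a sorted list of
    (send_time, prefix); worst_lag is the longest time an advertised
    state was held back by the timer.
    """
    last_sent = {}   # prefix -> time of the last advertisement
    pending = {}     # prefix -> (due_time, time of the newest held change)
    adverts = []
    worst_lag = 0.0

    def flush(prefix):
        nonlocal worst_lag
        due, newest = pending.pop(prefix)
        adverts.append((due, prefix))
        last_sent[prefix] = due
        worst_lag = max(worst_lag, due - newest)

    for t, prefix in sorted(changes):
        if prefix in pending and pending[prefix][0] <= t:
            flush(prefix)                       # timer expired before this change
        if prefix in pending:
            # Still inside the interval: the newer state replaces the held one.
            pending[prefix] = (pending[prefix][0], t)
        elif prefix in last_sent and t - last_sent[prefix] < mrai:
            pending[prefix] = (last_sent[prefix] + mrai, t)
        else:
            adverts.append((t, prefix))         # timer idle: advertise at once
            last_sent[prefix] = t
    for prefix in list(pending):
        flush(prefix)                           # drain what is still held
    return sorted(adverts), worst_lag


def compare(changes, intervals):
    """One (mrai, advertisement_count, worst_lag) row per candidate interval."""
    rows = []
    for mrai in intervals:
        adverts, lag = simulate_mrai(changes, mrai)
        rows.append((mrai, len(adverts), lag))
    return rows


# Constructed sample: one prefix flaps six times, another changes once.
FLAPPING, STABLE = "192.0.2.0/24", "198.51.100.0/24"
SAMPLE_CHANGES = [(0, FLAPPING), (2, FLAPPING), (4, FLAPPING), (6, FLAPPING),
                  (8, FLAPPING), (31, FLAPPING), (1, STABLE)]

if __name__ == "__main__":
    for mrai, count, lag in compare(SAMPLE_CHANGES, [0, 5, 30]):
        print(f"MRAI={mrai:>2}s  advertisements={count}  worst lag={lag}s")
```

The stable prefix is advertised immediately at every setting, because the timer only holds back repeat advertisements for the same prefix.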

Browser Support for Remote Browser Isolation

Release Date: May 2025 | Last Updated: May 2026

To ensure comprehensive web security for managed desktops, Remote Browser Isolation (RBI) now supports the Mozilla Firefox browser. This expanded support adds to existing isolated browsing compatibility alongside the Google Chrome, Microsoft Edge, and Safari browsers on both macOS and Windows operating systems. By extending browser support to Firefox, RBI, integrated with Prisma® Access, ensures that you can maintain security policy adherence across a wider variety of desktop environments, improving security adoption and maintaining consistent threat defense regardless of the browser choice. This broad support simplifies administration and strengthens your organization’s security posture by extending crucial protection against malware and zero-day attacks across most major desktop browsing surfaces.

Consistent User Identity Formats Across Prisma Access

Release Date: February 2024 | Last Updated: May 2026

Organizations often struggle to manage security policies and logs effectively when usernames originate from various identity sources that use inconsistent formats, mixed capitalization, and different delimiters. To address this complexity and ensure seamless security policy enforcement across your network fabric, Prisma® Access now applies a global normalization standard to all usernames integrated through the Cloud Identity Engine.

This powerful feature automatically converts inconsistent username inputs—including mixed case and varying domain prefixes or suffixes—into a single, standardized, and unified format for use in policy matching, reporting, and logs. This standardization can reduce administrative overhead and can minimize the risk of user-based policy lookup failures due to format variations. This functionality applies only to the username representation within Prisma Access; it does not affect security policies based on user groups and members configured using the Cloud Identity Engine.

For example, Prisma Access normalizes these usernames to test.user:

  • test.User@abc.com
  • abc/Test.User
  • abc//Test.useR

This functionality does not affect security policies based on user groups and members configured using the Cloud Identity Engine.
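Log pipelines outside Prisma Access that join on the normalized username need the same key. The following is an added example, not Palo Alto Networks code: it reproduces only the three conversions listed above, treats a backslash prefix as an assumed extra format, and uses constructed log events and hypothetical function names.

```python
import re
from collections import defaultdict

# "/" and "//" come from the page's examples; "\" is an added assumption.
_PREFIX_SEP = re.compile(r"[\\/]+")


def split_identity(raw):
    """Return (domain_key, user) for a raw username, both lowercased.

    domain_key is the first label of the domain prefix or suffix ("abc" for
    both abc/x and x@abc.com), or None when the name carries no domain.
    """
    name = raw.strip()
    domain = None
    pieces = _PREFIX_SEP.split(name)
    if len(pieces) > 1:                    # abc/Test.User, abc//Test.useR
        domain, name = pieces[0], pieces[-1]
    if "@" in name:                        # test.User@abc.com
        name, _, suffix = name.partition("@")
        domain = domain or suffix
    if not name:
        raise ValueError(f"no user part in {raw!r}")
    key = domain.split(".")[0].lower() if domain else None
    return key, name.lower()


def normalize_username(raw):
    """The join key: the user part only, lowercased (test.user)."""
    return split_identity(raw)[1]


def correlate(events):
    """Map each normalized user to the sorted log sources that mention it."""
    seen = defaultdict(set)
    for ev in events:
        seen[normalize_username(ev["user"])].add(ev["source"])
    return {user: sorted(srcs) for user, srcs in seen.items()}


def domain_collisions(events):
    """Normalized users whose raw forms name more than one domain.

    Dropping the domain merges such accounts into one key in this sketch,
    so they are worth reviewing before the key is used in alerts.
    """
    domains = defaultdict(set)
    for ev in events:
        key, user = split_identity(ev["user"])
        if key:
            domains[user].add(key)
    return {u: sorted(d) for u, d in domains.items() if len(d) > 1}


# Constructed sample events from three hypothetical log sources.
SAMPLE_EVENTS = [
    {"source": "idp", "user": "test.User@abc.com", "action": "login"},
    {"source": "vpn", "user": "abc/Test.User", "action": "connect"},
    {"source": "proxy", "user": "abc//Test.useR", "action": "upload"},
    {"source": "proxy", "user": "xyz\\Test.User", "action": "upload"},
    {"source": "vpn", "user": "Other.Person@abc.com", "action": "connect"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
    print(domain_collisions(SAMPLE_EVENTS))
```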

Enhanced IoT Policy Recommendation Workflow for Strata Cloud Manager

Release Date: November 2023 | Last Updated: May 2026

Rapid IoT adoption is creating new attack vectors, and implementing policy recommendations that apply least-privilege Zero Trust policies to secure your organization's devices is key. If you use Strata Cloud Manager to configure Prisma® Access, you can use enhanced IoT policy recommendation workflows to accomplish these goals and keep your devices and users secure. Device Security provides Strata Cloud Manager with automatically generated Security policy rule recommendations organized by device profile. This enhanced integration simplifies the deployment and enforcement of these recommended policies across all your security endpoints, including next-generation firewalls and Prisma Access. The new workflow and automatically generated rules from Device Security translate into faster, more secure, and more precise deployment of Zero Trust policies compared to manual methods.

Enhanced SaaS Tenants Control

Release Date: September 2024 | Last Updated: May 2026

Prisma Access allows you to granularly manage and apply distinct policies for specific tenants for an extended list of SaaS applications (for example, GitHub or Bitbucket). The complete list of apps is documented at Create SaaS Policy Rule Recommendations.

This functionality allows you to enforce use cases where you might need to allow all actions (for example, uploads and downloads) for a corporate GitHub account, but block uploads for a partner instance of the same GitHub SaaS application.

Integrate Prisma Access with Microsoft Defender for Cloud Apps

Release Date: November 2023 | Last Updated: May 2026

Unmanaged cloud services and shadow IT applications can introduce significant security risks to your network. To address this issue, you can now integrate Prisma® Access with Microsoft Defender for Cloud Apps. The integration gives you visibility into all cloud applications and shadow IT applications being used, and it automatically syncs and blocks the list of unsanctioned applications inline, providing crucial closed-loop remediation for those applications.

Microsoft Defender is one of many Microsoft products that Prisma Access integrates with so that you can protect your applications and data on Azure, in Office 365, on the network, and the endpoint.

IP Optimization for Mobile Users - GlobalProtect Deployments

Release Date: June 2024 | Last Updated: May 2026

Mobile user deployments in GlobalProtect® often require security teams to manage a large, constantly changing set of public egress, gateway, and network load balancer IP addresses. Maintaining an accurate allow-list for these addresses is complex, leading to administrative overhead and potential disruptions when scaling events or new Prisma® Access locations introduce new IP addresses.

IP Optimization solves this challenge by implementing architectural enhancements that significantly reduce the total number of IP addresses required in your deployment. By managing fewer public IP addresses, you simplify your administrative allow-listing workflows, improve the resiliency of your remote access architecture, and enable faster, more efficient onboarding of new Prisma® Access tenants. This feature focuses purely on improving network efficiency and simplifies operations so you can focus on security outcomes.

It's a best practice to retrieve the new egress, gateway, and network load balancer IP addresses that Prisma Access assigns and add them to an allow list in your network to avoid SaaS application or corporate firewall disruption. This can result in a situation where you're managing a large number of IP addresses. IP Optimization reduces the number of IP addresses you have to manage.

Note: The API to retrieve Prisma Access IP addresses continues to work as it always has, even with IP Optimization enabled.

License Enforcement for Mobile Users (Enhancements)

Release Date: June 2024 | Last Updated: May 2026

Prisma Access enforces policies for mobile user licenses over 30 days instead of 90 days. Though there is no strict policing of the mobile user count, the service tracks the number of unique users over the last 30 days to ensure that you have purchased the proper license tier for your user base, and stricter policing of user count may be enforced if continued overages occur. This change is applicable for all types of mobile user licenses.

Maximum of 500 Remote Networks Per 1 Gbps IPSec Termination Node

Release Date: November 2023 | Last Updated: May 2026

If the IPSec termination nodes that you use for remote network onboarding are configured to support 1 Gbps of bandwidth, the maximum number of remote networks those IPSec termination nodes can support is increasing from 400 to 500. You must allocate a minimum of 501 Mbps for the compute locations associated with the IPSec termination nodes for them to support up to 1 Gbps of bandwidth.

Note: Deployments using remote networks to onboard Prisma SD-WANs cannot take advantage of this enhancement.

Native SASE Integration with Prisma SD-WAN

Release Date: June 2024 | Last Updated: May 2026

The native SASE integration features an onboarding process that effortlessly integrates Prisma SD-WAN with Prisma Access. With previous Prisma Access versions, you needed to configure an additional component, the Prisma Access for Networks (Cloud Managed) CloudBlade, to onboard Prisma SD-WAN sites to Prisma Access. The native SASE integration between Prisma SD-WAN and Prisma Access further simplifies onboarding by eliminating the need to set up the CloudBlade. Prisma Access currently supports this integration only for new Prisma SASE (Strata Cloud Manager) deployments. For Panorama Managed Prisma Access deployments, continue using CloudBlades for integration with Prisma SD-WAN. Prisma SASE Easy Onboarding works seamlessly with both Prisma Access Cloud Managed and Panorama Managed deployments.

Saudi Arabia Compute Location

Release Date: June 2024 | Last Updated: May 2026

Users who need high-performance, locally anchored secure access within the Kingdom of Saudi Arabia require a dedicated cloud compute infrastructure. Prisma® Access adds a dedicated and enhanced compute node specifically for Saudi Arabia, which can improve data locality for your users. The Saudi Arabia compute location can offer improved latency for connections originating within the region and allow a better Quality of Experience (QoE). The new compute location ensures that new Prisma Access deployments automatically benefit from the advanced compute architecture, simplifying deployment for regional customers.

This feature applies directly to existing Prisma Access deployments that currently utilize the previous Saudi Arabia access location. If your organization has already deployed Prisma Access in this region, you can migrate to this new compute location to immediately take advantage of the performance and resilience upgrades offered by the new compute location.

Service Connection Identity Redistribution Management

Release Date: November 2023 | Last Updated: May 2026

Sometimes, granular controls are needed for User-ID redistribution in particularly large-scale Prisma Access deployments. Service Connection Identity Redistribution Management lets you select specific service connections for identity redistribution.

By default, all of your service connections, in order of proximity, are used for identity redistribution. However, you may not know which specific service connections are being used for identity redistribution at a given moment. And, depending on the number of service connections you have and the number of User-ID agents you’ve configured, this method for identity redistribution can test the limits of your system resources. To solve this, we now give you the option to decide which service connections you want to use for identity redistribution.

Service Provider Backbone Integration

Release Date: November 2023 | Last Updated: June 2026

Service Providers (SPs) managing tenant connectivity often lack the granular control required to manage egress traffic precisely, forcing reliance on public cloud providers for network backbone and potentially increasing costs or complexity. The Service Provider Backbone Integration feature addresses this by integrating Prisma® Access with a service provider (SP) backbone, which allows you (the SP) to assign specific region and egress internet capabilities to your tenants, providing more granular control over the Prisma Access egress traffic. Without the SP Backbone feature, Prisma Access egress traffic uses public cloud providers for network backbone instead.

This diagram shows Prisma Access egress traffic with SP Backbone integration.

Service Provider Backbone Integration was introduced with Prisma Access 4.1. Starting with Prisma Access version 5.0, you can allow inbound flows to other remote networks over the Service Provider (SP) backbone when you configure the non-inbound access remote network.

Note: SP interconnect supports only the following:

  • Mobile users, service connections, and remote networks

  • GCP Regions

  • New Prisma Access deployments

  • Explicit proxy egress traffic

Starting March 2024, you can configure, view, and monitor Service Provider IP address pools to leverage your own IP addresses for Prisma Access egress traffic instead of the egress through public cloud providers.

Strata Cloud Manager Support for Prisma Access China

Release Date: November 2023 | Last Updated: May 2026

Managing security infrastructure in China often involves reliance on specialized or separate management systems, limiting operational flexibility and efficiency. Prisma® Access now addresses this complexity by introducing Cloud Managed Prisma Access, allowing you to use either Strata Cloud Manager or Panorama to manage your deployment in China.

With Strata Cloud Manager, the new platform provides streamlined management and monitoring capabilities, including:

  • Best practice recommendations and workflows to strengthen security posture and eliminate risk.

  • A common alerting framework that identifies network disruptions, so you can maintain optimal health and performance.

  • Enhanced user experience, with contextual and interactive use-case driven dashboards and license-aware data enrichment.

  • You can quickly onboard branches and mobile users through task-driven workflows that allow you to set up and test your environment in minutes. Strata Cloud Manager simplifies the onboarding process by providing predefined internet access and decryption policy rules based on best practices. You can quickly set up IPSec tunnels using defaults suitable for the most common IPSec-capable devices and turn on SSL decryption for recommended URL categories.

  • Cloud managed deployments provide you access to the Prisma SASE Multitenant Portal, allowing you to access Common Services for multiple tenants such as subscription and tenant management and identity and access management.

Support for Strata Logging Service Switzerland Region

Release Date: November 2023 | Last Updated: May 2026

Prisma Access supports the Switzerland Strata Logging Service region.

Traffic Replication Remote Network and Strata Cloud Manager Support

Release Date: November 2023 | Last Updated: May 2026

On-premises network recorders have been a powerful tool for organizations to perform forensic and breach analysis. It's common in on-premises topologies to implement a parallel infrastructure of tap ports, span ports, or packet brokers that deliver a copy of the traffic to be used for such out-of-band analysis. However, along with the accelerated adoption of hybrid work and cloud, organizations are migrating to SASE architectures to address these challenges. Moving to SASE cloud security solutions created blind spots for these forensic analysis tools, because a copy of the traffic from a remote user to a SaaS application is no longer available.

Prisma® Access traffic replication adds full visibility into forensic and post-mortem analysis involving SASE architectures by making available a copy of the traffic that is traversing Prisma Access.

In addition to providing a copy of the traffic generated by mobile users, traffic replication support for Remote Networks provides a similar function for the traffic generated by the branches. This support allows you to have complete visibility for all use cases, along with consistency in the way the traffic is being captured. This extension ensures comprehensive visibility across all branch traffic, providing the necessary consistency and flexibility to apply forensic analysis across both mobile user and remote network use cases seamlessly.

Prisma Access (Managed by Strata Cloud Manager) deployments now support Traffic Replication.

View and Monitor ZTNA Connector Access Objects

Release Date: November 2023 | Last Updated: May 2026

View and monitor private apps that were added through ZTNA Connector access objects by viewing data such as the number of apps added by FQDNs, IP subnets, and wildcards, each access object's connectivity status, and the Connector Groups and Connectors associated with each access object.

The private apps in the data centers connect to Prisma Access through your Connector virtual machines (VMs). You can add apps based on these access objects—FQDNs, FQDN wildcards, or IP subnets.

  • FQDNs — Prisma Access resolves the FQDNs of the applications you onboard to ZTNA Connector to the IP addresses in the Application IP address block.
  • Wildcards — For wildcard-based apps, create an FQDN-based connector group, then specify the wildcard to use (for example, *.example.com) for the app target. When users access sites that match the wildcard, those apps are automatically onboarded for access from ZTNA Connector for your mobile users and remote network users.
  • IP Subnets — Create an IP subnet-based Connector group, and then enter the IP subnet to use for the app target.

ZTNA Connector Wildcard and FQDN Support for Applications and Additional Diagnostic Tools

Release Date: November 2025 | Last Updated: June 2026

Managing access to private applications that rely on complex addressing schemes or require deep network monitoring typically creates significant management overhead. Prisma® Access ZTNA Connector now simplifies application definition using FQDN wildcards and IP subnets and includes new diagnostic tools to streamline troubleshooting.

ZTNA Connector offers the following enhancements:

  • Applications Based on Wildcards and IP Subnets — In addition to setting up applications based on FQDNs, you can set up applications based on FQDN wildcards and IP subnets.

  • Additional Diagnostic Tools — In addition to the existing ZTNA Connector diagnostic tools, more diagnostic tools are available, such as dump overview, packet captures, and tech support.
  • FQDN DNS Resolution to Multiple IP Addresses — If an application FQDN resolves to multiple private IP addresses, the ZTNA Connector performs an application probe to determine the status of all resolved IP addresses and load balances the FQDN access to multiple resolved IP addresses that have an application status of Up.