New Features in Prisma Access 5.0 and 5.0.1

When your users access apps, they can experience poor app performance due to decreased throughput. This condition can be caused by degraded wireless connectivity, network congestion, and other factors. These networking issues can adversely affect the employee experience and can reduce their productivity.

App Acceleration directly addresses the causes of poor app performance and acts in real-time to boost throughput while maintaining best-in-class security, dramatically improving the user experience for Prisma Access GlobalProtect and Remote Network users.

Without requiring any changes to your applications, App Acceleration securely builds an understanding of:

Using its understanding of network, device, and application context, App Acceleration maximizes throughput and adjusts in real-time to account for changing network conditions.

When compared to direct internet access, App Acceleration offers a marked throughput improvement for TCP traffic when connecting through Prisma Access.

You can view these improvements using Autonomous DEM (ADEM), which provides you with metrics such as throughput per application and the data and apps that were accelerated. Using this information, you can pinpoint how App Acceleration improved the app experience for your users.

Browser and web-based attacks are continuously evolving, resulting in security challenges for many enterprises. Web browsers, being a major entry point for malware to penetrate networks, pose a significant security risk to enterprises, prompting the increasing need to protect networks and devices from zero day attacks. Highly regulated industries, such as government and financial institutions, also require browser traffic isolation as a mandatory compliance requirement.

While most enterprises want to block 100% of attacks by using network security and endpoint security methods, such a goal might not be realistic. Most attacks start with the compromise of an endpoint that connects to malicious or compromised sites or by opening malicious content from those sites. An attacker only needs one miss to take over an endpoint and compromise the network. When this happens, the consequences of that compromise and the impact to your organization can be damaging.

Remote Browser Isolation (RBI) creates a no-code execution isolation environment for a user's local browser, so that no website code and files are executed on their local browser. Unlike other isolation solutions, RBI uses next-generation isolation technologies to deliver near-native experiences for users accessing websites without compromising on security.

RBI is a service that isolates and transfers all browsing activity away from the user's managed devices and corporate networks to an outside entity such as Prisma Access, which secures and isolates potentially malicious code and content within their platform. Natively integrated with Prisma Access, RBI allows you to apply isolation profiles easily to existing security policies. Isolation profiles can restrict many user controls such as copy and paste actions, keyboard inputs, and sharing options like file uploading, downloading, and printing files to keep sensitive data and information secure. All traffic in isolation undergoes analysis and threat prevention provided by Cloud-Delivered Security Services (CDSS) such as Advanced Threat Prevention, Advanced WildFire, Advanced URL Filtering, DNS Security, and SaaS Security.

Sometimes, granular controls are needed for user-ID redistribution in particularly large scale Prisma Access deployments. Service Connection Identity Redistribution Management lets you select specific service connections for identity redistribution.

By default, all of your service connections, in order of proximity, are used for identity redistribution. However, you may not know which specific service connections are being used for identity redistribution at a given moment. And, depending on the number of service connections you have and the number of User-ID agents you’ve configured, this method for identity redistribution can test the limits of your system resources. To solve this, we now give you the option to decide which service connections you want to use for identity redistribution.

Integrate Prisma Access with a service provider (SP) backbone, which allows you (the SP) to assign specific region and egress internet capabilities to your tenants, providing more granular control over the Prisma Access egress traffic. Without the SP Backbone feature, Prisma Access egress traffic uses public cloud providers for network backbone instead.

The following diagram represents Prisma Access egress traffic without SP Backbone integration.

The following diagram represents Prisma Access egress traffic with SP Backbone integration.

In addition to providing a copy of the traffic generated by mobile users, traffic replication support for Remote Networks provides a similar function for the traffic generated by the branches. This support allows you to have complete visibility for all use cases, along with consistency in the way the traffic is being captured. The copy of the remote networks traffic is shared from the same storage buckets as the mobile users traffic, so existing customers do not have to modify the current deployments. This option is fully configurable and you have the ability to decide if for a certain location you need Traffic Replication enabled for mobile users, remote networks, or both.

Traffic Replication configuration support is added for Cloud Managed Prisma Access and Strata Cloud Manager.

ZTNA Connector offers the following enhancements:

BGP routing offers a timer you can use to tailor BGP routing convergence in your network called the Minimum Route Advertisement Interval (MRAI).

MRAI acts to rate-limit updates on a per-destination basis, and the BGP routers wait for at least the configured MRAI time before sending an advertisement for the same prefix. A smaller number gives you faster convergence time but creates more advertisements in your network. A larger number decreases the number of advertisements that can be sent, but can also make routing convergence slower. You decide the number to put in your network for the best balance between faster routing convergence and fewer advertisements.

You can configure an MRAI range of between 1 and 600 seconds, with a default value of 30 seconds.

Prisma Access supports the Switzerland Strata Logging Service region.

Prisma Access deployments in China provide you with the following enhanced functionalities:

Integrate Prisma Access with Microsoft Defender for Cloud Apps to sync unsanctioned applications and block them inline using Prisma Access automatically.

After you integrate Microsoft Defender for Cloud Apps with Prisma Access, Prisma Access creates a block security policy for URLs that are blocked in Microsoft Defender for Cloud Apps. You can view the list of unsanctioned applications after configuring the integration settings. The Prisma Access-Microsoft Defender for Cloud Apps integration enables you to gain visibility and to discover all cloud applications and shadow IT applications being used as well as provide closed loop remediation for unsanctioned applications.

If your IPSec termination node that you use for remote network onboarding is configured to support 1 Gbps of bandwidth, the maximum number of remote networks those IPSec termination nodes can support is increasing from 400 to 500. You must allocate a minimum of 501 Mbps for the compute locations associated with the IPSec termination nodes to have it support up to 1 Gbps of bandwidth.

Prisma Access allows you to granularly manage and apply distinct policies for specific tenants for an extended list of SaaS applications (for example, Github or Bitbucket). The complete list of apps is documented at https://docs.paloaltonetworks.com/saas-security/saas-security-admin/saas-security-inline/remediate-risks-saas-security-inline/manage-saas-security-inline-policy/create-saas-policy-rule-recommendations

This functionality allows you to enforce use cases where you might need to allow all actions (for example, uploads and downloads) for a corporate Github account, but block uploads for a partner instance of the same Github SaaS application.

Rapid IoT adoption is creating new attack vectors and implementing policy recommendations to apply least privilege Zero Trust policies to secure your organization's devices is key. If you use Strata Cloud Manager to configure Prisma Access, you can use enhanced IoT policy recommendation workflows to accomplish these goals and keep your devices and users secure.

App Acceleration addresses the causes of poor app performance and acts in real-time to boost throughput while maintaining best-in-class security, improving the user experience for Prisma Access GlobalProtect and Remote Network users. You can view and monitor App Acceleration to see details about accelerated applications in your environment. In Strata Cloud Manager, select MonitorApplications to view details about all accelerated applications.

Remote Browser Isolation (RBI) creates a no-code execution isolation environment for a user's local browser, so that no website code and files are executed on their local browser. Unlike other isolation solutions, RBI uses next-generation isolation technologies to deliver near-native experiences for users accessing websites without compromising on security.View and monitor RBI to get comprehensive visibility across your network traffic and for RBI. Gain visibility into your RBI deployment by viewing metrics such as the number of active RBI users, trends, connectivity status, RBI location status, traffic measurements, and license consumption.

View and monitor private apps that were added through ZTNA Connector access objects by viewing data such as the number of apps added by FQDNs, IP subnets, and wildcards, each access object's connectivity status, and the Connector Groups and Connectors associated with each access object.

The private apps in the data centers connect to Prisma Access through your Connector virtual machines (VMs). You can add apps based on these access objects—FQDNs, FQDN wildcards, or IP subnets.

• FQDNs—Prisma Access resolves the FQDNs of the applications you onboard to ZTNA Connector to the IP addresses in the Application IP address block.
• Wildcards—For wildcard-based apps, create an FQDN-based connector group, then specify the wildcard to use (for example, *.example.com) for the app target. When users access sites that match the wildcard, those apps are automatically onboarded for access from ZTNA Connector for your mobile users and remote network users.
• IP Subnets—Create an IP subnet-based Connector group, and then enter the IP subnet to use for the app target.