New Features in Prisma Access 5.1 and 5.1.1
Focus
Focus
Prisma Access

New Features in Prisma Access 5.1

Table of Contents

New Features in
Prisma Access
5.1 and 5.1.1

Where Can I Use This?
What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
  • Minimum Required Prisma Access Version
    5.1 Preferred or Innovation
This section provides you with a list of new features in
Prisma Access
5.1 Preferred and Innovation, along with the recommended and required software versions you need to use.

Recommended Software Versions for
Prisma Access
5.1 and 5.1.1

There are two
Prisma Access
5.1 versions:
  • 5.1 Preferred runs a PAN-OS 10.2.4, 10.2.9, or 10.2.10 (
    coming soon
    ) dataplanes, depending on the features you implement. If your deployment is running a lower dataplane version, a dataplane upgrade is required to implement 5.1 Preferred features.
  • 5.1 Innovation runs on the PAN-OS dataplane of 11.2 dataplane.
For new
Prisma Access
5.1 Innovation features,
Prisma Access
recommends that you upgrade your
Prisma Access
to the following versions
before installing the plugin.
Prisma Access
Version
Cloud Services Plugin Version
Required Dataplane Version for 5.1
Recommended GlobalProtect Version
Recommended Panorama Version
5.1
5.1
PAN-OS 10.2.4 (required for 5.1 Preferred)
PAN-OS 11.2 (required for 5.1 Innovation)
6.0.7+
6.1.3+
6.2.1+
10.1.8+
10.2.4+
11.0.1+
11.1.0
11.2.0

Infrastructure, Plugin, and Dataplane Dependencies for
Prisma Access
5.1 and 5.1.1 Features

Prisma Access
5.1 features require one of more of the following components to function:
  • Infrastructure Upgrade
    —The infrastructure, also known as the
    Prisma Access
    Control Plane
    , includes the underlying service backend, orchestration, and monitoring infrastructure.
    Prisma Access
    upgrades the infrastructure before the general availability (GA) date of a
    Prisma Access
    release.
    Features that require only an infrastructure upgrade to be unlocked take effect for all
    Prisma Access
    deployments, regardless of version, at the time of the infrastructure upgrade.
  • Plugin Upgrade (
    Prisma Access
    Panorama Managed Deployments Only
    )
    —Installing the plugin activates the features that are available with that release. You download and install the plugin on the Panorama that manages
    Prisma Access
    .
  • Dataplane Upgrade
    —The dataplane enables traffic inspection and security policy enforcement on your network and user traffic.
    For Panorama Managed
    Prisma Access
    deployments, you can view your dataplane version by going to
    Panorama
    Cloud Services
    Configuration
    Service Setup
    and viewing the
    Prisma Access
    Version
    .
    Prisma Access
    5.1 Innovation runs PAN-OS 11.2.
This dataplane upgrade to 5.1 Innovation is optional, and is only required if you want to take advantage of the features that require a dataplane upgrade.
These features are activated with the
infrastructure upgrade
for
Prisma Access
:
  • PAN-OS 11.2 Support for Panoramas that Manage Prisma Access 11.2
  • Calgary and South Africa Compute Locations
  • Explicit Proxy Support for South Africa Central Location
These features require an
infrastructure and plugin upgrade
but don't require a dataplane upgrade:
Prisma Access
5.1 Features:
  • Advanced Threat Prevention: Support for Zero-day Exploit Prevention
Prisma Access
5.1.1 Features:
None
The following 5.1 features require an
infrastructure and plugin
upgrade and require a minimum dataplane version of PAN-OS 10.2.4 unless otherwise noted, making them Prisma Access 5.1 Preferred features:
Prisma Access
5.1 Features:
  • Explicit Proxy SAML Authentication Improvements (requires a minimum dataplane upgrade to PAN-OS 10.2.10)
  • Fast-Session Delete
  • GlobalProtect Proxy Enhancements
  • Prisma Access
    Internal Gateway
Prisma Access
5.1.1 Features:
  • ZTNA Connector Application Discovery, User-ID Across NAT, and IP Connector Block Deletion Support (User-ID Across NAT requires a minimum dataplane of 11.2 (5.1.1 Innovation)
The following 5.1 features require an
infrastructure, plugin, and dataplane
upgrade to Prisma Access 11.2, making them Prisma Access 5.1 Innovation features:
Prisma Access
5.1 Features:
  • Advanced DNS Security
  • Business Continuity During Mergers and Acquisitions
  • Dynamic DNS Registration Support for Mobile Users—GlobalProtect
  • FQDNs for Remote Network and Service Connection IPSec Tunnels
  • GlobalProtect Portal and Gateway Support for TLSv1.3
  • IPSec Serviceability
  • PAN-OS 11.0, 11.1, and 11.2 Dataplane Support
  • Static IP Address Allocation for Mobile Users
  • User-ID Across NAT
Prisma Access
5.1.1 Features:
  • Native IPv6 Compatibility
  • View and Monitor Native IPv6 Compatibility

Prisma Access
5.1 Features

This section describes the new features that will be generally available with
Prisma Access
5.1.1.

Advanced DNS Security

Supported in:
Prisma Access (Managed by Panorama)
deployments in
Prisma Access
5.1 Innovation
The Advanced DNS Security service is a new subscription offering by Palo Alto Networks that operates new domain detectors in the Advanced DNS Security cloud that inspect changes in DNS responses to detect various types of DNS hijacking in real-time. With access to Advanced DNS Security, you can detect and block DNS responses from hijacked domains and misconfigured domains. Hijacked and misconfigured domains can be introduced into your network by either directly manipulating DNS responses or by exploiting the DNS infrastructure configuration settings in order to redirect users to a malicious domain from which they initiate additional attacks. The primary difference between these two techniques is where the exploit occurs. In the case of DNS hijacking, the attackers gain the ability to resolve DNS queries to attacker-operated domains by compromising some aspect of an organization's DNS infrastructure, be it through unauthorized administrative access to a DNS provider or the DNS server itself, or an MiTM attack during the DNS resolution process. Misconfigured domains present a similar problem - the attacker seeks to incorporate their own malicious domain into an organization’s DNS by taking advantage of domain configuration issues, such as outdated DNS records, which can enable attackers to take ownership of the customer’s subdomain.
Advanced DNS Security can detect and categorize hijacked and misconfigured domains in real-time by operating cloud based detection engines, which provide DNS health support by analyzing DNS responses using ML-based analytics to detect malicious activity. Because these detectors are located in the cloud, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages when changes to detectors are made. Upon initial release, Advanced DNS Security supports two analysis engines: DNS Misconfiguration Domains and Hijacking Domains. Additionally, DNS responses for all DNS queries are sent to the Advanced DNS Security cloud for enhanced response analysis to more accurately categorize and return a result in a real-time exchange. Analysis models are delivered through content updates, however, enhancements to existing models are performed as a cloud-side update, requiring no updates by the user. Advanced DNS Security is enabled and configured through the Anti-Spyware (or DNS Security) profile and require active Advanced DNS Security and Advanced Threat Prevention (or Threat Prevention) licenses.

Advanced Threat Prevention: Support for Zero-day Exploit Prevention

Supported in:
Prisma Access (Managed by Panorama)
deployments in
Prisma Access
5.1 Preferred and Innovation
Palo Alto Networks now operates new inline deep learning detection engines in the Advanced Threat Prevention cloud to analyze traffic for command injection and SQL injection vulnerabilities in real-time to protect users against zero-day threats. This also includes signature-based prevention for thousands of known vulnerabilities and industry-leading response times for critical and high CVEs for top vendors.
By operating cloud-based detection engines, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages or operate process intensive, firewall-based analyzers which can sap resources. Inline cloud analysis operates under your Vulnerability Protection profile and supports two analysis engines upon initial release: SQL injection and Command injection. Additional analysis models are delivered through content updates, however, enhancements to existing models are performed as a cloud-side update, requiring no local update process. Inline cloud analysis is enabled and configured using the Vulnerability Protection profile and requires an active Advanced Threat Prevention license.

App Acceleration Support for Additional Apps

Supported in:
Prisma Access (Managed by Panorama)
and
Prisma Access (Managed by Strata Cloud Manager)
deployments in
Prisma Access
5.1 Preferred and Innovation
Requires a minimum PAN-OS dataplane of 10.2.10.
Enterprises today employ workers everywhere, connecting to apps that are anywhere. Hybrid workforces rely on high-performing app experiences, but slowdowns caused by cloud latency and adverse network conditions drain productivity and frustrate workers. The major causes of poor performance can consist of:
  • Cloud latency experienced when apps are processing dynamic content
  • Wireless connectivity issues
Both of these issues exist outside the control of the enterprise. Apps use Content Delivery Network (CDN) caching, but modern apps are powered by dynamic content that can't be cached. And consumer-grade Wi-Fi and wireless connectivity have no performance service-level agreements (SLAs) because wireless conditions like interference and signal strength are continuously changing.
App Acceleration for Prisma SASE directly addresses the causes of poor performance by accelerating dynamic content in top SaaS apps, and has added support for these apps:
  • AWS S3
  • Azure Storage
  • Box
  • Google Drive
  • Microsoft OneDrive
  • Salesforce
  • SAP Ariba
  • ServiceNow
  • Slack (
    file downloads
    )
  • Zoom (
    file downloads from chat, recording downloads
    )
These enhancements provide you with the following benefits:
  • Up to five times the improvement over direct-to-internet app performance (measured in app response time and throughput metrics)
  • Enriches AI-powered ADEM with Real User Metrics (RUM) to enhance observability into performance issues
  • No code changes required

Business Continuity During Mergers and Acquisitions

Supported in:
Prisma Access
5.1 Preferred and Innovation
To implement this feature, reach out to your Palo Alto Networks account team, who will open an SRE case to accommodate the request. Palo Alto Networks recommends that you schedule this change during a maintenance window or during off-peak hours. Palo Alto Networks upgrades all gateways in your deployment that require the name change during the maintenance window.
If your organization has merger and acquisition (M&A) activity, you might have a need for existing gateways to either not reference an earlier brand name or reference a new brand name. With this functionality, Prisma Access ensures business continuity by updating the gateway name to the new brand name and displaying the new name in the UI, in logs, and anywhere else the gateway name is referenced.

Canada West (Calgary) and South Africa Central Compute Locations

Supported in:
Prisma Access
5.1 Preferred and Innovation
Prisma Access adds two new compute locations: Canada West (Calgary) and South Africa Central. The following locations are remapped to the new compute location:
  • The
    South Africa Central
    location is remapped to the South Africa Central compute location.
  • The
    Canada West
    location is remapped to the Canada West (Calgary) compute location.
New deployments have the new remapping applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location.

Dynamic DNS Registration Support for Mobile Users—GlobalProtect

Supported in:
Prisma Access
5.1 Innovation
When a mobile user connects remotely to Prisma Access using GlobalProtect, the DNS and IP Address Management (IPAM) servers in your enterprise are not updated with the GlobalProtect gateway-assigned client IP address and endpoint FQDN. This results in your IT administrator and your apps not being able to identify and update remote endpoints with FQDN. With Dynamic DNS registration, Prisma Access integrates with IPAM vendors to dynamically create A and PTR records in the DNS servers with IPAM updates.

Dynamic Privilege Access

Supported in:
Prisma Access (Managed by Strata Cloud Manager)
5.1 Innovation
For Enterprise IT and IT Enabled Services (ITES) companies that need to control which users have access to their customer projects, Dynamic Privilege Access provides a seamless, secure, and compartmentalized way for your users to access only those projects that they are assigned to. Employees are typically assigned to several customer projects and are provided with siloed access to these projects so that an authorized user can access only one customer project at a time.
A new predefined role called the
Project Admin
is available to allow project administrators to create and manage project definitions. Project administrators have the ability to map projects to select Prisma Access location groups, and create IP address assignments using DHCP based on the project and location group.

Explicit Proxy SAML Authentication Improvements

Supported in:
Prisma Access
5.1 Preferred and Innovation
Requires a minimum PAN-OS dataplane version of 10.2.10.
For simpler SAML authentication configuration, Explicit Proxy no longer requires that you create a policy rule to allow pre-authentication user traffic.

Explicit Proxy Forwarding Profiles with Multiple PAC File Support

Supported in:
Prisma Access (Managed by Strata Cloud Manager)
5.1 Preferred and Innovation
You can now more easily manage the traffic flowing through or bypassing Explicit Proxy by using Forwarding Profiles instead of only a single PAC file. Forwarding Profiles enable you to define forwarding rules and objects from a simple, easy to use interface rather than dealing with the complexity of a PAC file.
If you already employ a PAC file, you can seamlessly transition to Forwarding Profiles by importing the PAC file into a profile. Furthermore, if you have had to manage multiple PAC files for different kinds of traffic, you can now import these PAC files into profiles to use them simultaneously.
In addition to using Forwarding Profiles with a standard proxy, you can also use them to simplify how you define the flow of traffic through GlobalProtect in Proxy or Tunnel and Proxy mode.

Explicit Proxy Support for South Africa Central Location

Supported in:
Prisma Access
5.1 Preferred and Innovation
South Africa Central is added as a supported location for Prisma Access Explicit Proxy.

Fast-Session Delete

Supported in:
Prisma Access (Managed by Panorama)
deployments in
Prisma Access
5.1 Preferred and Innovation and SCM R3 2024
If your deployment has a requirement to delete sessions quickly, you can enable fast session delete, which allows Prisma Access to reuse TCP port numbers before the TCP TIME_WAIT period expires, and can be useful for SSL decrypted sessions that may be short-lived. You can enable this functionality for Remote Networks, Service Connections, and Mobile Users —GlobalProtect; for Mobile Users—Explicit Proxy deployments, this functionality is enabled by default and cannot be changed.

FQDNs for Remote Network and Service Connection IPSec Tunnels

Supported in:
Prisma Access (Managed by Panorama)
deployments in
Prisma Access
5.1 Preferred and Innovation and SCM R3 2024
When you onboard a Service Connection or Remote Network connection, a public IP address is assigned for the other side of the IPSec tunnel (the Service IP Address). You use these public IP addresses for your CPE in you branch site or headquarters or data center location. Keeping records of all the IP addresses you need to configure on your CPE can be time consuming.
Instead of IP addresses, Prisma Access provides you FQDNs to use for the other end of the IPSec tunnel for Service Connections and Remote Network Connections, thus facilitating CPE setup at your branch sites or headquarters or data center locations.

GlobalProtect Portal and Gateway Support for TLSv1.3

Supported in:
Prisma Access
5.1 Innovation
You can now configure SSL/TLS service profiles using TLSv1.3 on the firewall that is hosting the GlobalProtect portal or gateway to establish TLS connectivity between GlobalProtect components. TLSv1.3 is the latest version of the TLS protocol, which provides increased network security by removing the weak ciphers supported in the earlier versions of TLS and adding more secure cipher suites. In addition, the GlobalProtect gateway and portal now support the following TLSv1.3 cipher suites:
  • TLS-AES-128-GCM-SHA256
  • TLS-AES-256-GCM-SHA384
  • TLS-CHACHA20-POLY1305-SHA256
You can configure SSL/TLS service profiles with TLSv1.3 to provide enhanced security and a faster TLS handshake while establishing connection between GlobalProtect components. To provide the strongest security, you must set both the minimum and maximum supported version as TLSv1.3 in the SSL/TLS service profile.

GlobalProtect Proxy: Simplified Configuration

Supported in:
Prisma Access (Managed by Panorama)
and
Prisma Access (Managed by Strata Cloud Manager)
deployments in
Prisma Access
5.1 Preferred and Innovation
Requires a minimum PAN-OS dataplane of 10.2.9.
GlobalProtect in proxy-only mode now no longer requires that you deploy a mobile user gateway, which simplifies initial configuration.

GlobalProtect Proxy: TCP and Multi-Channel Support

Supported in:
Prisma Access (Managed by Strata Cloud Manager)
deployments in
Prisma Access
5.1 Preferred and Innovation
Requires a minimum GlobalProtect version of 6.3 and a minimum PAN-OS dataplane of 10.2.9.
GlobalProtect Proxy now
  1. supports all IPv4 TCP connections, including non-proxy-aware traffic, to better support the needs of your network beyond only proxy-aware traffic
  2. supports multiple Explicit Proxy channels to different regions, enabling you to support apps and destinations that have region-specific requirements.

IPSec Serviceability

Supported in:
Prisma Access
5.1 Innovation
Prisma Access uses IPSec to securely connect branch offices and data centers to the service. If there is an issue with bringing up the IPSec tunnel, it can be challenging to read logs related to IKE and IPSec events in an attempt to troubleshoot the issue.
A new UI provides clear diagnostic IPSec tunnel information, including the reason for the tunnel failure, the configured and exchanged IPSec and IKE parameters, and recommended settings for IKE and IPSec crypto values for service connections and remote network connections. With the UI, you have a full picture of your IPSec tunnels. You can also trigger an IKE renegotiation for a given service connections or remote network connections.
This tunnel information reflects real-time monitoring status, along with an explanation of why any tunnels have gone down.

PAN-OS 11.0, 11.1, and 11.2 Dataplane Support

Supported in:
Prisma Access
5.1 Innovation
Prisma Access 5.1 Innovation supports the PAN-OS features that are available with PAN-OS 11.0, 11.1, and 11.2.

PAN-OS 11.2 Support for Panoramas that Manage
Prisma Access

Supported in:
Prisma Access
5.1 Preferred and Innovation
If you have a Panorama Managed Prisma Access deployment, you can use a Panorama running 11.2 to manage Prisma Access.

Prisma Access
Internal Gateway

Supported in:
Prisma Access
5.1 Preferred and Innovation
Prisma Access introduces a native internal gateway solution within the Prisma Access architecture, reducing the need to implement GlobalProtect in conjunction with an on-premises internal gateway to learn User-ID for users on an internal network. Prisma Access deployments can enable a native internal gateway natively within the Prisma Access architecture.
Use the native internal gateway to enforce user-based security policies for remote network traffic without the need to deploy an on-premises internal gateway.

Service Connection Support for Explicit Proxy

Supported in:
Prisma Access (Managed by Strata Cloud Manager)
deployments in
Prisma Access
5.1 Preferred and Innovation
Requires GlobalProtect in Proxy Mode to access private and partner apps in a data center and a minimum PAN-OS dataplane of 10.2.10.
Prisma Access
Explicit Proxy now supports service connections to enable you to access resources in your data center. With this change, you will still be able to benefit from a proxy connection while accessing external dynamic lists, partner apps, or private apps hosted in your data center.

Static IP Address Allocation for Mobile Users

Supported in:
Prisma Access (Managed by Strata Cloud Manager)
deployments in
Prisma Access
5.1 Innovation
Requires a minimum GlobalProtect version of 6.1.4
The Static IP Allocation feature allows you to assign a fixed IP address to Prisma Access Mobile Users. This is useful if your network deployments restrict user access to resources using IP addresses as part of their network and application design. With this functionality, you can define IP pool based on the theatre and user.
Assigning static IP addresses to users provide you with the following benefits:
  • Static IP Address Allocation
    —Prisma Access assigns the IP address in the configured IP address pool to users every time they connect to Prisma Access.
  • IP Address Management
    —Prisma Access can assign IP addresses based on the User-ID and the theater which simplifies the subnet management and allocation.
  • Granular IP Address-Based Policy Rules
    —You can use the static IP addresses to create persistent User-ID mapping and use IP address based controls in your network and application resources..

User-ID Across NAT

Supported in:
Prisma Access
5.1 Innovation
Mobile users access private apps using a service connection. If your deployment uses a Next-Generation Firewall (NGFW) in the data center or headquarters location where the private apps are located, and if your service connection has source NAT enabled, the NGFW can't retrieve the User-ID and Device-ID mapping. Source NAT on the service connection prevents the mobile users' User-ID and Device-ID mapping to be distributed to the NGFW. If the NGFW can't retrieve this mapping, it can't enforce zone-based security policy rules you have created on it based on User-ID or Device-ID mapping.
User-ID Across NAT lets your network distribute the User- or Device-ID mapping from mobile users to the NGFW and then on to the headquarters or data center, thus allowing the NGFW to enforce security policy rules based on the User-ID mapping it has learned from the service connection. This configuration ensures a consistent security posture across your mobile user deployment.

View and Monitor App Acceleration

Supported in:
Prisma Access
5.1 Preferred and Innovation
App Acceleration addresses the causes of poor app performance and acts in real-time to boost throughput while maintaining best-in-class security, improving the user experience for Prisma Access GlobalProtect and Remote Network users. You can view and monitor App Acceleration to see details about accelerated applications in your environment. In Strata Cloud Manager, select
Monitor
Applications
to view details about all accelerated applications.

View and Monitor Dynamic Privilege Access

Supported in:
Prisma Access (Managed by Strata Cloud Manager)
5.1 Innovation
Dynamic Privilege Access enables Prisma Access to apply different network and Security policy rules to mobile user flows based on the project your users are working on. In the Strata Cloud Manager Command Center, you can view user-based access information in your environment.
Gain visibility into your Prisma Access Agent deployment by using Strata Cloud Manager to monitor your users' project activity. In the Strata Cloud Manager Command Center, you can view project-based access information in your environment.

View and Monitor Third-Party Device-IDs

Supported in:
Prisma Access
5.1 Preferred and Innovation
You can use the Cloud Identity Engine with Prisma Access to apply information from third-party IoT detection sources to simplify the task of identifying and closing security gaps for devices in your network. See Configure Third-Party Device-ID in Prisma Access for details about setup and configuration.
Go to
Monitor
Devices
IOT
to get insights on your IoT devices, such as the number of IoT devices connected within the last 30 minutes, all IoT devices connected during the time range selected, and details about all connected IoT devices.

Prisma Access
5.1.1 Features

This section describes the new features that will be generally available with
Prisma Access
5.1.1.

Native IPv6 Compatibility

Supported in:
Prisma Access (Managed by Panorama)
deployments in
Prisma Access
5.1.1 Preferred and Innovation and SCM R3 2024 (new
Prisma Access
deployments only)
Prisma Access is extending its support for IPv6 from
private applications
to encompass comprehensive end-to-end IPv6 support for Mobile Users, Remote Networks, and Service Connections. One advantageous aspect of native IPv6 support is its capacity to enable Mobile Users utilizing IPv6-only endpoints to establish connections with Prisma Access via IPv6 connections using GlobalProtect. Additionally, this support facilitates accessing public SaaS applications over the internet, particularly where those destinations necessitate IPv6 connections.
IPv6 boasts a significantly larger address space compared to IPv4, thereby accommodating an almost limitless number of unique IP addresses. Through native IPv6 support, Prisma Access is engineered to be compatible with both IPv6 and dual-stack connections, facilitating the migration process from IPv4 to IPv6. This compatibility ensures backward compatibility and empowers organizations in their transition to cloud-based and IPv6-enabled networks.

View and Monitor Native IPv6 Compatibility

Supported in:
Prisma Access (Managed by Panorama)
deployments in
Prisma Access
5.1.1 Preferred and Innovation and SCM R3 2024 (new
Prisma Access
deployments only)
If you use IPv6 networking in your Mobile Users—GlobalProtect deployment, you can configure Prisma Access to use IPv6 addresses in your mobile user networking. To view information about IPv6 in your GlobalProtect deployment, go to
Insights
Users
in Strata Cloud Manager Command Center.

ZTNA Connector Application Discovery, User-ID Across NAT, and IP Connector Block Deletion Support

Supported in:
Prisma Access (Managed by Panorama)
deployments in
Prisma Access
5.1.1 Preferred and Innovation. User-ID Across NAT requires a minimum dataplane of 11.2 (5.1.1 Innovation).
ZTNA Connector provides the following new functionalities with this release:
  • Application Discovery
    —Your enterprise network can have many applications hosted in its cloud or data center environment. In many cases, the network security teams are unaware of all the applications that are hosted in the network. As a result, when you deploy a ZTNA Connector and start to add application targets in connector groups, it can be difficult to determine which applications you need to add.
    Private application target discovery simplifies application hosting and discovery of applications that are hosted in AWS.
    The private application target discovery service:
    • Finds the Prisma Access tenant you have deployed and allows you to onboard that tenant to start the app discovery process, or lets you remove an existing tenant to remove apps that are discovered.
    • Retrieves application relevant information from one or more cloud providers accounts using Assumed Role and Work Load Identity (WLI).
    • Allows you to view the application discovery results.
    • Provides a way for other modules to query for the discovered applications.
  • User-ID Across NAT
    —Mobile users access private apps using a ZTNA Connector. If your deployment uses a Next-Generation Firewall (NGFW) in the data center or headquarters location where the private apps are located, and ZTNA Connector has source NAT enabled, the NGFW can't retrieve the User-ID and Device-ID mapping. Source NAT on the service connection or ZTNA Connector prevents the mobile users' User-ID and Device-ID mapping to be distributed to the NGFW. If the NGFW can't retrieve this mapping, it can't enforce zone-based Security policy rules you have created on it based on User-ID or Device-ID mapping.
    User-ID Across NAT lets your network distribute the User- or Device-ID mapping from mobile users to the NGFW, thus allowing the NGFW to enforce Security policy rules based on the User-ID mapping it has learned from the service connection or ZTNA Connector. This configuration ensures a consistent security posture across your mobile user deployment.
  • IP Connector Block Deletion
    —To allow you more flexibility after configuring Connector IP Blocks, you can now delete and update the Connector IP Blocks. You can delete the Connector IP Blocks only after you delete all the ZTNA objects such as connectors, applications, wildcards, and connector-groups on the tenant.

Recommended For You