>
    Strata Copilot
    New Features in Prisma Access 5.1 and 5.1.1
    Focus
    Download PDF
    Focus
    1. Home
    2. Prisma Access
    3. Prisma Access Release Information
    4. New Features in Prisma Access 5.1 and 5.1.1
    Download PDF
    Prisma Access

    New Features in Prisma Access 5.1 and 5.1.1

    Table of Contents

    New Features in Prisma Access 5.1 and 5.1.1

    Where Can I Use This?What Do I Need?
    • Prisma Access (Managed by Strata Cloud Manager)
    • Prisma Access (Managed by Panorama)
    • Prisma Access license
    • Minimum Required Prisma Access Version 5.1 Preferred or Innovation
    This section provides you with a list of new features in Prisma Access 5.1 Preferred and Innovation, along with the recommended and required software versions you need to use.

    Recommended Software Versions for Prisma Access 5.1 and 5.1.1

    There are two Prisma Access 5.1 versions:
    • 5.1 Preferred runs a PAN-OS 10.2.4, 10.2.9, or 10.2.10 dataplane, depending on the features you implement. If your deployment is running a lower dataplane version, a dataplane upgrade is required to implement 5.1 Preferred features.
    • 5.1 Innovation runs a PAN-OS dataplane of 11.2.
    For new Prisma Access 5.1 Innovation features, Prisma Access recommends that you upgrade your Prisma Access to the following versions before installing the plugin.
    Prisma Access VersionCloud Services Plugin VersionRequired Dataplane Version for 5.1Recommended GlobalProtect VersionRecommended Panorama Version
    5.15.1PAN-OS 10.2.4 (required for 5.1 Preferred)
    PAN-OS 11.2 (required for 5.1 Innovation)
    6.0.7+
    6.1.3+
    6.2.1+
    10.1.8+
    10.2.4+
    11.0.1+
    11.1.0
    11.2.0

    Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.1 and 5.1.1 Features

    Prisma Access 5.1 features require one of more of the following components to function:
    • Infrastructure Upgrade—The infrastructure, also known as the Prisma Access Control Plane, includes the underlying service backend, orchestration, and monitoring infrastructure. Prisma Access upgrades the infrastructure before the general availability (GA) date of a Prisma Access release.
      Features that require only an infrastructure upgrade to be unlocked take effect for all Prisma Access deployments, regardless of version, at the time of the infrastructure upgrade.
    • Plugin Upgrade (Prisma Access Panorama Managed Deployments Only)—Installing the plugin activates the features that are available with that release. You download and install the plugin on the Panorama that manages Prisma Access.
    • Dataplane Upgrade—The dataplane enables traffic inspection and security policy enforcement on your network and user traffic.
      For Panorama Managed Prisma Access deployments, you can view your dataplane version by going to PanoramaCloud ServicesConfigurationService Setup and viewing the Prisma Access Version. Prisma Access 5.1 Innovation runs PAN-OS 11.2.
    This dataplane upgrade to 5.1 Innovation is optional, and is only required if you want to take advantage of the features that require a dataplane upgrade.
    These features are activated with the infrastructure upgrade for Prisma Access:
    • PAN-OS 11.2 Support for Panoramas that Manage Prisma Access 11.2
    • Calgary and South Africa Compute Locations
    • Explicit Proxy Support for South Africa Central Location
    These features require an infrastructure and plugin upgrade but don't require a dataplane upgrade:
    Prisma Access 5.1 Features:
    • Advanced Threat Prevention: Support for Zero-day Exploit Prevention
    Prisma Access 5.1.1 Features: None
    The following 5.1 features require an infrastructure and plugin upgrade and require a minimum dataplane version of PAN-OS 10.2.4 unless otherwise noted, making them Prisma Access 5.1 Preferred features:
    Prisma Access 5.1 Features:
    • Explicit Proxy SAML Authentication Improvements (requires a minimum dataplane upgrade to PAN-OS 10.2.10)
    • Fast-Session Delete
    • GlobalProtect Proxy Enhancements
    • Prisma Access Internal Gateway
    Prisma Access 5.1.1 Features:
    • ZTNA Connector Application Discovery, User-ID Across NAT, and IP Connector Block Deletion Support (User-ID Across NAT requires a minimum dataplane of 11.2 (5.1.1 Innovation)
    The following 5.1 features require an infrastructure, plugin, and dataplane upgrade to Prisma Access 11.2, making them Prisma Access 5.1 Innovation features:
    Prisma Access 5.1 Features:
    • Advanced DNS Security
    • Business Continuity During Mergers and Acquisitions
    • Dynamic DNS Registration Support for Mobile Users—GlobalProtect
    • FQDNs for Remote Network and Service Connection IPSec Tunnels
    • GlobalProtect Portal and Gateway Support for TLSv1.3
    • IPSec Serviceability
    • PAN-OS 11.0, 11.1, and 11.2 Dataplane Support
    • Static IP Address Allocation for Mobile Users
    • User-ID Across NAT
    Prisma Access 5.1.1 Features:
    • Native IPv6 Compatibility
    • View and Monitor Native IPv6 Compatibility

    Prisma Access 5.1 Features

    This section describes the new features that will be generally available with Prisma Access 5.1.

    Advanced DNS Security

    Supported in: Prisma Access (Managed by Panorama) deployments in Prisma Access 5.1 Innovation
    The Advanced DNS Security service is a new subscription offering by Palo Alto Networks that operates new domain detectors in the Advanced DNS Security cloud that inspect changes in DNS responses to detect various types of DNS hijacking in real-time. With access to Advanced DNS Security, you can detect and block DNS responses from hijacked domains and misconfigured domains. Hijacked and misconfigured domains can be introduced into your network by either directly manipulating DNS responses or by exploiting the DNS infrastructure configuration settings in order to redirect users to a malicious domain from which they initiate additional attacks. The primary difference between these two techniques is where the exploit occurs. In the case of DNS hijacking, the attackers gain the ability to resolve DNS queries to attacker-operated domains by compromising some aspect of an organization's DNS infrastructure, be it through unauthorized administrative access to a DNS provider or the DNS server itself, or an MiTM attack during the DNS resolution process. Misconfigured domains present a similar problem - the attacker seeks to incorporate their own malicious domain into an organization’s DNS by taking advantage of domain configuration issues, such as outdated DNS records, which can enable attackers to take ownership of the customer’s subdomain.
    Advanced DNS Security can detect and categorize hijacked and misconfigured domains in real-time by operating cloud based detection engines, which provide DNS health support by analyzing DNS responses using ML-based analytics to detect malicious activity. Because these detectors are located in the cloud, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages when changes to detectors are made. Upon initial release, Advanced DNS Security supports two analysis engines: DNS Misconfiguration Domains and Hijacking Domains. Additionally, DNS responses for all DNS queries are sent to the Advanced DNS Security cloud for enhanced response analysis to more accurately categorize and return a result in a real-time exchange. Analysis models are delivered through content updates, however, enhancements to existing models are performed as a cloud-side update, requiring no updates by the user. Advanced DNS Security is enabled and configured through the Anti-Spyware (or DNS Security) profile and require active Advanced DNS Security and Advanced Threat Prevention (or Threat Prevention) licenses.

    Advanced Threat Prevention: Support for Zero-day Exploit Prevention

    Supported in: Prisma Access (Managed by Panorama) deployments in Prisma Access 5.1 Preferred and Innovation
    Palo Alto Networks now operates new inline deep learning detection engines in the Advanced Threat Prevention cloud to analyze traffic for command injection and SQL injection vulnerabilities in real-time to protect users against zero-day threats. This also includes signature-based prevention for thousands of known vulnerabilities and industry-leading response times for critical and high CVEs for top vendors.
    By operating cloud-based detection engines, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages or operate process intensive, firewall-based analyzers which can sap resources. Inline cloud analysis operates under your Vulnerability Protection profile and supports two analysis engines upon initial release: SQL injection and Command injection. Additional analysis models are delivered through content updates, however, enhancements to existing models are performed as a cloud-side update, requiring no local update process. Inline cloud analysis is enabled and configured using the Vulnerability Protection profile and requires an active Advanced Threat Prevention license.

    App Acceleration Support for Additional Apps

    Supported in: Prisma Access (Managed by Panorama) and Prisma Access (Managed by Strata Cloud Manager) deployments in Prisma Access 5.1 Preferred and Innovation
    Requires a minimum PAN-OS dataplane of 10.2.10.
    Enterprises today employ workers everywhere, connecting to apps that are anywhere. Hybrid workforces rely on high-performing app experiences, but slowdowns caused by cloud latency and adverse network conditions drain productivity and frustrate workers. The major causes of poor performance can consist of:
    • Cloud latency experienced when apps are processing dynamic content
    • Wireless connectivity issues
    Both of these issues exist outside the control of the enterprise. Apps use Content Delivery Network (CDN) caching, but modern apps are powered by dynamic content that can't be cached. And consumer-grade Wi-Fi and wireless connectivity have no performance service-level agreements (SLAs) because wireless conditions like interference and signal strength are continuously changing.
    App Acceleration for Prisma SASE directly addresses the causes of poor performance by accelerating dynamic content in top SaaS apps, and has added support for these apps:
    • AWS S3
    • Azure Storage
    • Box
    • Google Drive
    • Microsoft OneDrive
    • Salesforce
    • SAP Ariba
    • ServiceNow
    • Slack (file downloads)
    • Zoom (file downloads from chat, recording downloads)
    These enhancements provide you with the following benefits:
    • Up to five times the improvement over direct-to-internet app performance (measured in app response time and throughput metrics)
    • Enriches AI-powered ADEM with Real User Metrics (RUM) to enhance observability into performance issues
    • No code changes required

    Business Continuity During Mergers and Acquisitions

    Supported in: Prisma Access 5.1 Preferred and Innovation
    To implement this feature, reach out to your Palo Alto Networks account team, who will open an SRE case to accommodate the request. Palo Alto Networks recommends that you schedule this change during a maintenance window or during off-peak hours. Palo Alto Networks upgrades all gateways in your deployment that require the name change during the maintenance window.
    When organizations engage in merger and acquisition (M&A) activity, a critical and often overlooked technical requirement is the need to update existing network gateways. These gateways, which serve as essential connection points, frequently bear the brand name of the original company. To ensure a seamless transition and maintain business continuity, these gateways must either cease referencing the old brand or adopt the new one. This is where the functionality of Prisma® Access becomes invaluable. By integrating this capability, Prisma Access allows for the effortless renaming of gateways, ensuring the new brand name is reflected not only in the user interface (UI) but also consistently across all logs and any other system references. This update is crucial for a smooth operational handover and prevents confusion among users and IT administrators. Ultimately, this functionality simplifies the post-merger integration process, allowing the organization to operate cohesively under a unified brand identity without the need for a costly and disruptive infrastructure overhaul.

    Canada West (Calgary) and South Africa Central Compute Locations

    Supported in: Prisma Access 5.1 Preferred and Innovation
    Prisma Access adds two new compute locations: Canada West (Calgary) and South Africa Central. The following locations are remapped to the new compute location:
    • The South Africa Central location is remapped to the South Africa Central compute location.
    • The Canada West location is remapped to the Canada West (Calgary) compute location.
    New deployments have the new remapping applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location.

    Dynamic DNS Registration Support for Remote Troubleshooting and Updates

    Supported in: Prisma Access 5.1 Innovation
    When a mobile user connects remotely to Prisma® Access using GlobalProtect®, your enterprise's DNS and IP Address Management (IPAM) servers do not update with the GlobalProtect gateway-assigned client IP address and endpoint FQDN. This results in your IT administrator and your apps not being able to identify and update remote endpoints with FQDN. With Dynamic DNS registration, Prisma Access integrates with IPAM vendors to dynamically create A and PTR records in the DNS servers with IPAM updates.
    Dynamic DNS registration support for GlobalProtect mobile users offers the following benefits:
    • Direct integration with leading IPAM vendors such as InfoBlox, BlueCat, and Windows.
    • Dynamic DNS updates use either transaction signature (TSIG) or Kerberos as the authentication protocol to ensure secure updates to the DNS database.
    • Prisma Access performs real-time DDNS updates to the DNS server using batched nsupdate calls based on GlobalProtect® connect and disconnect events. These updates use a DDNS service on the Mobile Users Security Processing Node (MU-SPN).
    The feature enables IT and help desk staff to easily manage and update GlobalProtect® endpoints using the device's FQDN.

    Dynamic Privilege Access

    Supported in: Prisma Access (Managed by Strata Cloud Manager) 5.1 Innovation
    For Enterprise IT and IT Enabled Services (ITES) companies that need to control which users have access to their customer projects, Dynamic Privilege Access provides a seamless, secure, and compartmentalized way for your users to access only those projects that they are assigned to. Employees are typically assigned to several customer projects and are provided with siloed access to these projects so that an authorized user can access only one customer project at a time.
    The Dynamic Privilege Access feature in Prisma Access provides dynamic privileges for your users based on the workflow or project that your users select in the Prisma Access Agent. Your users can have dynamic privileges based on the combination of the user group and IP pool that is assigned to a project. This unique combination defines a project. With Dynamic Privilege Access, you can isolate resources in your network so that they are only accessible to your users according to the projects they are assigned to.
    A new predefined role called the Project Admin is available to allow project administrators to create and manage project definitions. Project administrators have the ability to map projects to select Prisma Access location groups, and create IP address assignments using DHCP based on the project and location group.
    You can gain visibility into your Prisma Access Agent deployment by using Strata Cloud Manager to monitor your users' project activity, and view the service consumption and security posture in your network.

    Explicit Proxy SAML Authentication Improvements

    Supported in: Prisma Access 5.1 Preferred and Innovation
    Requires a minimum PAN-OS dataplane version of 10.2.10.
    For simpler SAML authentication configuration, Explicit Proxy no longer requires that you create a policy rule to allow pre-authentication user traffic.

    Explicit Proxy Forwarding Profiles with Multiple PAC File Support

    Supported in: Prisma Access (Managed by Strata Cloud Manager) 5.1 Preferred and Innovation
    You can now more easily manage the traffic flowing through or bypassing Explicit Proxy by using Forwarding Profiles instead of only a single PAC file. Forwarding Profiles enable you to define forwarding rules and objects from a simple, easy to use interface rather than dealing with the complexity of a PAC file.
    If you already employ a PAC file, you can seamlessly transition to Forwarding Profiles by importing the PAC file into a profile. Furthermore, if you have had to manage multiple PAC files for different kinds of traffic, you can now import these PAC files into profiles to use them simultaneously.
    In addition to using Forwarding Profiles with a standard proxy, you can also use them to simplify how you define the flow of traffic through GlobalProtect in Proxy or Tunnel and Proxy mode.

    Explicit Proxy Support for South Africa Central Location

    Supported in: Prisma Access 5.1 Preferred and Innovation
    South Africa Central is added as a supported location for Prisma Access Explicit Proxy.

    Fast-Session Delete

    Supported in: Prisma Access (Managed by Panorama) deployments in Prisma Access 5.1 Preferred and Innovation and SCM R3 2024
    If your Prisma® Access deployment uses a large number of sessions, and you would like to delete those sessions quickly, you can enable fast session delete, which allows Prisma Access to reuse TCP port numbers before the TCP TIME_WAIT period expires. This reuse of the TCP port numbers can be useful if your deployment has a large number of SSL decrypted sessions that may be short-lived. You can choose to enable this functionality for Prisma Access Remote Networks, Service Connections, and Mobile Users—GlobalProtect®; for Mobile Users—Explicit Proxy deployments, this functionality is enabled by default and you cannot disable it.

    FQDNs for Remote Network and Service Connection IPSec Tunnels

    Supported in: Prisma Access (Managed by Panorama) deployments in Prisma Access 5.1 Preferred and Innovation and SCM R3 2024
    When you onboard a Service Connection or Remote Network connection, a public IP address is assigned for the other side of the IPSec tunnel (the Service IP Address). You use these public IP addresses for your CPE in your branch site or headquarters or data center location. Keeping records of all the IP addresses you need to configure on your CPE can be time consuming.
    Instead of IP addresses, Prisma® Access provides you FQDNs or Service Endpoint Addresses to use for the other end of the IPSec tunnel for Service Connections and Remote Network Connections, thus facilitating the IPSec tunnel setup on your CPE at your branch sites or headquarters or data center locations.

    GlobalProtect Portal and Gateway Support for TLSv1.3

    Supported in: Prisma Access 5.1 Innovation
    You can now configure SSL/TLS service profiles using TLSv1.3 on the firewall that is hosting the GlobalProtect portal or gateway to establish TLS connectivity between GlobalProtect components. TLSv1.3 is the latest version of the TLS protocol, which provides increased network security by removing the weak ciphers supported in the earlier versions of TLS and adding more secure cipher suites. In addition, the GlobalProtect gateway and portal now support the following TLSv1.3 cipher suites:
    • TLS-AES-128-GCM-SHA256
    • TLS-AES-256-GCM-SHA384
    • TLS-CHACHA20-POLY1305-SHA256
    You can configure SSL/TLS service profiles with TLSv1.3 to provide enhanced security and a faster TLS handshake while establishing connection between GlobalProtect components. To provide the strongest security, you must set both the minimum and maximum supported version as TLSv1.3 in the SSL/TLS service profile.

    GlobalProtect Proxy: Simplified Configuration

    Supported in: Prisma Access (Managed by Panorama) and Prisma Access (Managed by Strata Cloud Manager) deployments in Prisma Access 5.1 Preferred and Innovation
    Requires a minimum PAN-OS dataplane of 10.2.9.
    GlobalProtect in proxy-only mode now no longer requires that you deploy a mobile user gateway, which simplifies initial configuration.

    GlobalProtect Proxy: TCP and Multi-Channel Support

    Supported in: Prisma Access (Managed by Strata Cloud Manager) deployments in Prisma Access 5.1 Preferred and Innovation
    Requires a minimum GlobalProtect version of 6.3 and a minimum PAN-OS dataplane of 10.2.9.
    GlobalProtect Proxy now
    1. supports all IPv4 TCP connections, including non-proxy-aware traffic, to better support the needs of your network beyond only proxy-aware traffic
    2. supports multiple Explicit Proxy channels to different regions, enabling you to support apps and destinations that have region-specific requirements.

    IPSec Serviceability

    Supported in: Prisma Access 5.1 Innovation
    Prisma® Access uses IPSec to securely connect branch offices and data centers to the service. If there is an issue with bringing up the IPSec tunnel, it can be challenging to read logs related to IKE and IPSec events in an attempt to troubleshoot the issue.
    A new UI provides clear diagnostic IPSec tunnel information, including the reason for the tunnel failure, the configured and exchanged IPSec and IKE parameters, and recommended settings for IKE and IPSec crypto values for service connections and remote network connections. With the UI, you have a full picture of your IPSec tunnels. You can also trigger an IKE renegotiation for a given service connections or remote network connections.
    This tunnel information reflects real-time monitoring status, along with an explanation of why any tunnels have gone down.

    Juniper Mist Integration for SASE Health

    Supported in: Strata Cloud Manager and Prisma Access 5.1 Innovation
    The Juniper Mist integration with Prisma Access in SASE Health enables visibility and management of third-party network devices and alerts from the Strata Cloud Manager (SCM) interface. This integration provides a single pane of glass for diagnosing and resolving branch site issues by extending LAN health and performance insights to the SCM dashboard. Administrators gain visibility into access points, switches, and WAN edge devices within branch locations, ensuring network reliability.
    SASE Health offers a view of Juniper Mist infrastructure, including device inventory, high availability status, impacted users, and root causes of service degradation. Key features include site visualization, Juniper Mist device inventory display, alert integration, and cross-launch capability for incident analysis.

    PAN-OS 11.0, 11.1, and 11.2 Dataplane Support

    Supported in: Prisma Access 5.1 Innovation
    Organizations require the most advanced security features for their Prisma® Access deployments to counter evolving zero-day threats. To utilize the most advanced traffic inspection, deep learning security, and optimized performance features, Prisma Access 5.1 Innovation now fully supports the security features available with PAN-OS® 11.1 and 11.2. This immediate compatibility allows organizations to leverage cutting-edge security capabilities, including enhanced visibility into encrypted traffic and superior threat detection, without requiring a full platform migration. This seamless support helps protect your organization’s end-users, business assets, and security posture across your entire SASE deployment.
    The following PAN-OS features are not supported:

    PAN-OS 11.2 Support for Panoramas that Manage Prisma Access

    Supported in: Prisma Access 5.1 Preferred and Innovation
    Organizations require the most advanced security features for their Prisma® Access deployments to counter evolving zero-day threats. To utilize the most advanced traffic inspection, deep learning security, and optimized performance features, Prisma Access 5.1 Innovation now fully supports management by Panorama® appliances running PAN-OS® 11.2. This immediate compatibility enables organizations to leverage cutting-edge security capabilities, including enhanced visibility into encrypted traffic and superior threat detection, directly from their updated management platform. This seamless support helps protect your organization’s end-users, business assets, and security posture across your entire SASE deployment.

    Prisma Access Internal Gateway

    Supported in: Prisma Access 5.1 Preferred and Innovation
    Prisma® Access introduces a native internal gateway solution within the Prisma®Access architecture. This new capability reduces the need to implement GlobalProtect® alongside an on-premises internal gateway to learn User-ID for users on an internal network. Prisma® Access deployments can enable a native internal gateway within the architecture.
    The native internal gateway enforces user-based security policies for remote network traffic without requiring an on-premises internal gateway deployment.
    To use this feature, set up GlobalProtect®, add app settings, and onboard remote networks in both Strata Cloud Manager and Panorama®.

    Service Connection Support for Explicit Proxy

    Supported in: Prisma Access (Managed by Strata Cloud Manager) deployments in Prisma Access 5.1 Preferred and Innovation
    Requires GlobalProtect in Proxy Mode to access private and partner apps in a data center and a minimum PAN-OS dataplane of 10.2.10.
    Prisma Access Explicit Proxy now supports service connections to enable you to access resources in your data center. With this change, you will still be able to benefit from a proxy connection while accessing external dynamic lists, partner apps, or private apps hosted in your data center.

    Static IP Address Allocation for Mobile Users

    Supported in: Prisma Access (Managed by Strata Cloud Manager) deployments in Prisma Access 5.1 Innovation
    Requires a minimum GlobalProtect version of 6.1.4
    The Static IP Allocation feature allows you to assign a fixed IP address to Prisma Access Mobile Users. This is useful if your network deployments restrict user access to resources using IP addresses as part of their network and application design. With this functionality, you define IP pools based on one or more of the following criteria: theatre, user, user group, or location group.
    Static IP address allocation provides these benefits:
    • Predictable IP Assignment—Users always connect with the same IP address from the configured pool, simplifying access policies for internal resources.
    • Streamlined Subnet Allocation—Simplify your IP management strategy by automatically assigning addresses based on criteria such as User-ID™ and theater.
    • Granular IP Address-Based Policy Rules—Use persistent User-ID™ mapping and static IP addresses to enforce granular access controls on your network and application resources.

    User-ID Across NAT

    Supported in: Prisma Access 5.1 Innovation
    Prisma® Access mobile users access private apps using a service connection. If your deployment uses a Next-Generation Firewall (NGFW) in the data center or headquarters location where the private apps are located, and if your service connection has source NAT enabled, the NGFW can't retrieve the User-ID™ and Device-ID mapping. Source NAT on the service connection prevents the mobile users' User-ID and Device-ID mapping to be distributed to the NGFW. If the NGFW can't retrieve this mapping, it can't enforce zone-based security policy rules you have created on it based on User-ID or Device-ID mapping.
    User-ID Across NAT lets your network distribute the User- or Device-ID mapping from mobile users to the NGFW and then on to the headquarters or data center, thus allowing the NGFW to enforce security policy rules based on the User-ID mapping it has learned from the service connection. This configuration ensures a consistent security posture across your mobile user deployment.

    View and Monitor App Acceleration

    Supported in: Prisma Access 5.1 Preferred and Innovation
    App Acceleration addresses the causes of poor app performance and acts in real-time to boost throughput while maintaining best-in-class security, improving the user experience for Prisma Access GlobalProtect and Remote Network users. You can view and monitor App Acceleration to see details about accelerated applications in your environment. In Strata Cloud Manager, select MonitorApplications to view details about all accelerated applications.

    View and Monitor Dynamic Privilege Access

    Supported in: Prisma Access (Managed by Strata Cloud Manager) 5.1 Innovation
    Dynamic Privilege Access enables Prisma Access to apply different network and Security policy rules to mobile user flows based on the project your users are working on. In the Strata Cloud Manager Command Center, you can view user-based access information in your environment.
    Gain visibility into your Prisma Access Agent deployment by using Strata Cloud Manager to monitor your users' project activity. In the Strata Cloud Manager Command Center, you can view project-based access information in your environment.

    View and Monitor Third-Party Device-IDs

    Supported in: Prisma Access 5.1 Preferred and Innovation
    You can use the Cloud Identity Engine with Prisma Access to apply information from third-party IoT detection sources to simplify the task of identifying and closing security gaps for devices in your network. See Configure Third-Party Device-ID in Prisma Access for details about setup and configuration.
    Go to MonitorDevicesIOT to get insights on your IoT devices, such as the number of IoT devices connected within the last 30 minutes, all IoT devices connected during the time range selected, and details about all connected IoT devices.

    Prisma Access 5.1.1 Features

    This section describes the new features that will be generally available with Prisma Access 5.1.1.

    Native IPv6 Compatibility

    Supported in: Prisma Access (Managed by Panorama) deployments in Prisma Access 5.1.1 Preferred and Innovation and SCM R3 2024 (new Prisma Access deployments only)
    Organizations are increasingly adopting IPv6 endpoints and require seamless, end-to-end IPv6 access across their entire Secure Access Service Edge (SASE) environment. Previously, IPv6 support in Prisma® Access was limited to private applications. This feature now encompasses comprehensive end-to-end IPv6 support for Mobile Users, Remote Networks, and Service Connections. One key benefit of native IPv6 support is the ability for Mobile Users utilizing IPv6-only endpoints to establish connections with Prisma Access via IPv6 connections using GlobalProtect®. Additionally, this support enables secure access to public SaaS applications over the internet, even when those destinations necessitate IPv6 connections. This enhancement, leveraging the significantly larger IPv6 address space, ensures compatibility with both IPv6 and dual-stack connections, accelerating your organization's migration to modern, cloud-based, and IPv6-enabled networks.

    View and Monitor Native IPv6 Compatibility

    Supported in: Prisma Access (Managed by Panorama) deployments in Prisma Access 5.1.1 Preferred and Innovation and SCM R3 2024 (new Prisma Access deployments only)
    If you use IPv6 networking in your Mobile Users—GlobalProtect deployment, you can configure Prisma Access to use IPv6 addresses in your mobile user networking. To view information about IPv6 in your GlobalProtect deployment, go to InsightsUsers in Strata Cloud Manager Command Center.

    ZTNA Connector Application Discovery, User-ID Across NAT, and IP Connector Block Deletion Support

    Supported in: Prisma Access (Managed by Panorama) deployments in Prisma Access 5.1.1 Preferred and Innovation. User-ID Across NAT requires a minimum dataplane of 11.2 (5.1.1 Innovation).
    • Application Discovery Simplifies ZTNA Connector Onboarding—Your enterprise network can host many applications in its cloud or data center environment that the network security teams are unaware of. As a result, when you deploy a ZTNA Connector and start to add application targets, determining which applications to include can be difficult.
      Private application target discovery solves this visibility challenge and simplifies application hosting by:
      • Finding the Prisma® Access tenant you have deployed and allowing you to onboard that tenant to start the app discovery process, or letting you remove an existing tenant.
      • Retrieving application-relevant information from one or more cloud provider accounts using Assumed Role and Work Load Identity (WLI).
      • Allowing you to view the application discovery results.
      • Providing a way for other modules to query for the discovered applications.
    • User-ID Across NAT Ensures Consistent Enforcement—If your deployment uses a Next-Generation Firewall (NGFW) where private apps are located, Source NAT on the service connection or ZTNA Connector prevents the NGFW from retrieving the mobile users' User-ID and Device-ID mapping. This limitation prevents the NGFW from enforcing zone-based Security policy rules based on User-ID or Device-ID mapping.
      User-ID Across NAT lets your network distribute the User- or Device-ID mapping from mobile users to the NGFW, thus allowing the NGFW to enforce Security policy rules based on the mapping it has learned. This configuration ensures a consistent security posture across your mobile user deployment.
    • IP Connector Block Deletion Increases Management Flexibility—Managing connector IP blocks was previously inflexible, making it difficult to update your IP resource allocation. This enhancement allows you more flexibility to delete and update the Connector IP Blocks after configuration.
      You can delete the Connector IP Blocks only after you delete all the ZTNA Connector objects such as connectors, applications, wildcards, and connector-groups on the tenant.

    © 2025 Palo Alto Networks, Inc. All rights reserved.