Prisma Access
New Features in Prisma Access 5.1
Table of Contents
New Features in Prisma Access 5.1
Prisma Access
5.1Where Can I Use This? | What Do I Need? |
|---|---|
|
|
This section provides you with a list of new features in
Prisma Access
5.1
Preferred and Innovation, along with the recommended and required software versions you
need to use.Recommended Software Versions for Prisma Access 5.1 and Innovation
Prisma Access
5.1 and InnovationThere are two
Prisma Access
5.1 versions:- 5.1 Preferred runs a PAN-OS 10.2.4, 10.2.9, or 10.2.10 (coming soon) dataplanes, depending on the features you implement. If your deployment is running a lower dataplane version, a dataplane upgrade is required to implement 5.1 Preferred features.
- 5.1 Innovation runs on the PAN-OS dataplane of 11.2 dataplane.
For new
Prisma Access
5.1 Innovation features, Prisma Access
recommends that you upgrade your
before installing the plugin. Prisma Access
to the following
versionsPrisma Access Version | Cloud Services Plugin Version | Required Dataplane Version for 5.1 | Recommended GlobalProtect Version | Recommended Panorama Version |
|---|---|---|---|---|
5.1 | 5.1 | PAN-OS 10.2.4 (required for 5.1 Preferred) PAN-OS 11.2
(required for 5.1 Innovation) | 6.0.7+ 6.1.3+ 6.2.1+ | 10.1.8+ 10.2.4+ 11.0.1+ 11.1.0 11.2.0 |
Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 5.1
Preferred and Innovation Features
Prisma Access
5.1
Preferred and Innovation FeaturesPrisma Access
5.1 features require one of more of the following components
to function:- Infrastructure Upgrade—The infrastructure includes the underlying service backend, orchestration, and monitoring infrastructure.Prisma Accessupgrades the infrastructure before the general availability (GA) date of aPrisma Accessrelease.Features that require only an infrastructure upgrade to be unlocked take effect for allPrisma Accessdeployments, regardless of version, at the time of the infrastructure upgrade.
- Plugin Upgrade (—Installing the plugin activates the features that are available with that release. You download and install the plugin on the Panorama that manages)Prisma AccessPanorama Managed Deployments OnlyPrisma Access.
- Dataplane Upgrade—The dataplane enables traffic inspection and security policy enforcement on your network and user traffic.For Panorama ManagedPrisma Accessdeployments, you can view your dataplane version by going to and viewing the.Prisma AccessVersionPrisma Access5.1 Innovation runs PAN-OS 11.2.
![]()
This dataplane upgrade to 5.1 Innovation is optional, and is
only required if you want to take advantage of the features that require a dataplane
upgrade.
These features are activated with the
infrastructure upgrade
for Prisma Access
: - PAN-OS 11.2 Support for Panoramas that Manage Prisma Access 11.2
- Calgary and South Africa Compute Locations
- Explicit Proxy Support for South Africa Central Location
These features require an
infrastructure and plugin upgrade
but don't require
a dataplane upgrade: - Advanced Threat Prevention: Support for Zero-day Exploit Prevention
The following 5.1 features require an
infrastructure and plugin
upgrade and
require a minimum dataplane version of PAN-OS 10.2.4 unless otherwise noted, making
them Prisma Access 5.1 Preferred features: - Fast-Session Delete
- GlobalProtect Proxy Enhancements
- Prisma AccessInternal Gateway
The following 5.1 features require an
infrastructure, plugin, and dataplane
upgrade to Prisma Access 11.2, making them Prisma Access 5.1 Innovation features: - Advanced DNS Security
- Business Continuity During Mergers and Acquisitions
- Dynamic DNS Registration Support for Mobile Users—GlobalProtect
- FQDNs for Remote Network and Service Connection IPSec Tunnels
- GlobalProtect Portal and Gateway Support for TLSv1.3
- IPSec Serviceability
- PAN-OS 11.0, 11.1, and 11.2 Dataplane Support
- Static IP Address Allocation for Mobile Users
- User-ID Across NAT
Prisma Access 5.1 Features
Prisma Access
5.1 FeaturesThe following table describes the new features that will be generally available with
Prisma Access
5.1. Advanced DNS Security
Supported in:
Prisma Access (Managed by Panorama) deployments in Prisma Access
5.1 Innovation |
The Advanced DNS Security service is a new
subscription offering by Palo Alto Networks that operates new domain detectors in
the Advanced DNS Security cloud that inspect changes in DNS responses to detect
various types of DNS hijacking in real-time. With access to Advanced DNS Security,
you can detect and block DNS responses from hijacked domains and misconfigured
domains. Hijacked and misconfigured domains can be introduced into your network by
either directly manipulating DNS responses or by exploiting the DNS infrastructure
configuration settings in order to redirect users to a malicious domain from which
they initiate additional attacks. The primary difference between these two
techniques is where the exploit occurs. In the case of DNS hijacking, the attackers
gain the ability to resolve DNS queries to attacker-operated domains by compromising
some aspect of an organization's DNS infrastructure, be it through unauthorized
administrative access to a DNS provider or the DNS server itself, or an MiTM attack
during the DNS resolution process. Misconfigured domains present a similar problem -
the attacker seeks to incorporate their own malicious domain into an organization’s
DNS by taking advantage of domain configuration issues, such as outdated DNS
records, which can enable attackers to take ownership of the customer’s subdomain.
Advanced DNS Security can detect and categorize hijacked and misconfigured domains in
real-time by operating cloud based detection engines, which provide DNS health
support by analyzing DNS responses using ML-based analytics to detect malicious
activity. Because these detectors are located in the cloud, you can access a wide
array of detection mechanisms that are updated and deployed automatically without
requiring the user to download update packages when changes to detectors are made.
Upon initial release, Advanced DNS Security supports two analysis engines: DNS
Misconfiguration Domains and Hijacking Domains. Additionally, DNS responses for all
DNS queries are sent to the Advanced DNS Security cloud for enhanced response
analysis to more accurately categorize and return a result in a real-time exchange.
Analysis models are delivered through content updates, however, enhancements to
existing models are performed as a cloud-side update, requiring no updates by the
user. Advanced DNS Security is enabled and
configured through the Anti-Spyware (or DNS Security) profile and require
active Advanced DNS Security and Advanced Threat Prevention (or Threat Prevention)
licenses.
Advanced Threat Prevention: Support for Zero-day Exploit Prevention
Supported in:
Prisma Access (Managed by Panorama) deployments in Prisma Access
5.1 Preferred and Innovation |
Palo Alto Networks now operates new inline deep learning detection engines in the
Advanced Threat Prevention cloud to analyze traffic for command injection and SQL
injection vulnerabilities in real-time to protect users against zero-day threats.
This also includes signature-based prevention for thousands of known vulnerabilities
and industry-leading response times for critical and high CVEs for top vendors.
By operating cloud-based detection engines, you can access a wide array of detection
mechanisms that are updated and deployed automatically without requiring the user to
download update packages or operate process intensive, firewall-based analyzers
which can sap resources. Inline cloud analysis operates under your Vulnerability
Protection profile and supports two analysis engines upon initial release: SQL
injection and Command injection. Additional analysis models are delivered through
content updates, however, enhancements to existing models are performed as a
cloud-side update, requiring no local update process. Inline cloud analysis is enabled and configured
using the Vulnerability Protection profile and requires an active Advanced
Threat Prevention license.
App Acceleration Support for Additional Apps
Supported in:
Prisma Access (Managed by Panorama)
deployments in Prisma Access 5.1 Preferred and InnovationRequires a minimum PAN-OS dataplane of 10.2.10. |
Enterprises today employ workers everywhere, connecting to apps that are anywhere.
Hybrid workforces rely on high-performing app experiences, but slowdowns caused by
cloud latency and adverse network conditions drain productivity and frustrate
workers. The major causes of poor performance can consist of:
- Cloud latency experienced when apps are processing dynamic content
- Wireless connectivity issues
Both of these issues exist outside the control of the enterprise. Apps use Content
Delivery Network (CDN) caching, but modern apps are powered by dynamic content that
can't be cached. And consumer-grade Wi-Fi and wireless connectivity have no
performance service-level agreements (SLAs) because wireless conditions like
interference and signal strength are continuously changing.
App Acceleration for Prisma SASE directly addresses the causes of poor performance by
accelerating dynamic content in top SaaS apps, and has added support for these apps:
- AWS S3
- Azure Storage
- Box
- Google Drive
- Microsoft OneDrive
- Salesforce
- SAP Ariba
- ServiceNow
- Slack (file downloads)
- Zoom (file downloads from chat, recording downloads)
These enhancements provide you with the following benefits:
- Up to five times the improvement over direct-to-internet app performance (measured in app response time and throughput metrics)
- Enriches AI-powered ADEM with Real User Metrics (RUM) to enhance observability into performance issues
- No code changes required
Business Continuity During Mergers and Acquisitions
Supported in:
Prisma Access 5.1 Preferred and InnovationTo implement this feature, reach out to your Palo Alto
Networks account team, who will open an SRE case to
accommodate the request. Palo Alto Networks recommends that
you schedule this change during a maintenance window or
during off-peak hours. Palo Alto Networks upgrades all
gateways in your deployment that require the name change
during the maintenance window. |
If your organization has merger and acquisition (M&A) activity, you might have a
need for existing gateways to either not reference an earlier brand name or
reference a new brand name. With this functionality, Prisma Access ensures business
continuity by updating the gateway name to the new brand name and displaying the new
name in the UI, in logs, and anywhere else the gateway name is referenced.
Canada West (Calgary) and South Africa Central Compute Locations
Supported in:
Prisma Access 5.1 Preferred and Innovation |
Prisma Access adds two new compute locations: Canada West (Calgary) and South Africa
Central. The following locations are remapped to the new compute location:
- TheSouth Africa Centrallocation is remapped to the South Africa Central compute location.
- TheCanada Westlocation is remapped to the Canada West (Calgary) compute location.
New deployments have the new remapping applied automatically. If you have an existing
Prisma Access deployment that uses one of these locations and you want to take
advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma
Access location.
Dynamic DNS Registration Support for Mobile Users—GlobalProtect
Supported in:
Prisma Access 5.1 Innovation |
When a mobile user connects remotely to Prisma Access using GlobalProtect, the DNS
and IP Address Management (IPAM) servers in your enterprise are not updated with the
GlobalProtect gateway-assigned client IP address and endpoint FQDN. This results in
your IT administrator and your apps not being able to identify and update remote
endpoints with FQDN. With Dynamic DNS registration, Prisma Access integrates with
IPAM vendors to dynamically create A and PTR records in the DNS servers with IPAM
updates.
Explicit Proxy Support for South Africa Central Location
Supported in:
Prisma Access 5.1 Preferred and Innovation |
South Africa Central is added as a supported locations for Prisma Access Explicit
Proxy.
Fast-Session Delete
Supported in:
Prisma Access (Managed by Panorama) deployments in Prisma Access
5.1 Preferred and Innovation |
If your deployment has a requirement to delete sessions quickly, you can enable fast
session delete, which allows Prisma Access to reuse TCP port numbers before the TCP
TIME_WAIT period expires, and can be useful for SSL decrypted sessions that may be
short-lived. You can enable this functionality for Remote Networks, Service
Connections, and Mobile Users —GlobalProtect; for Mobile Users—Explicit Proxy
deployments, this functionality is enabled by default and cannot be changed.
FQDNs for Remote Network and Service Connection IPSec Tunnels
Supported in:
Prisma Access (Managed by Panorama) deployments in Prisma Access
5.1 Preferred and Innovation |
When you onboard a Service Connection or Remote Network connection, a public IP
address is assigned for the other side of the IPSec tunnel (the Service IP Address).
You use these public IP addresses for your CPE in you branch site or headquarters or
data center location. Keeping records of all the IP addresses you need to configure
on your CPE can be time consuming.
Instead of IP addresses, Prisma Access provides you FQDNs to use for the other end of
the IPSec tunnel for Service Connections and Remote Network Connections, thus
facilitating CPE setup at your branch sites or headquarters or data center
locations.
GlobalProtect Portal and Gateway Support for TLSv1.3
Supported in:
Prisma Access 5.1 Innovation |
You can now configure SSL/TLS service profiles using
TLSv1.3 on the firewall that is hosting the GlobalProtect portal or
gateway to establish TLS connectivity between GlobalProtect components. TLSv1.3 is
the latest version of the TLS protocol, which provides increased network security by
removing the weak ciphers supported in the earlier versions of TLS and adding more
secure cipher suites. In addition, the GlobalProtect gateway and portal now support
the following TLSv1.3 cipher suites:
- TLS-AES-128-GCM-SHA256
- TLS-AES-256-GCM-SHA384
- TLS-CHACHA20-POLY1305-SHA256
You can configure SSL/TLS service profiles with TLSv1.3 to provide enhanced security
and a faster TLS handshake while establishing connection between GlobalProtect
components. To provide the strongest security, you must set both the minimum and
maximum supported version as TLSv1.3 in the SSL/TLS service profile.
GlobalProtect Proxy: Simplified Configuration
Supported in:
Prisma Access (Managed by Panorama)
deployments in Prisma Access 5.1 Preferred and InnovationRequires a minimum PAN-OS dataplane of 10.2.9. |
GlobalProtect in proxy-only mode now no
longer requires that you deploy a mobile user gateway, which simplifies
initial configuration.
IPSec Serviceability
Supported in:
Prisma Access 5.1 Innovation |
Prisma Access uses IPSec to securely connect branch offices and data centers to the
service. If there is an issue with bringing up the IPSec tunnel, it can be
challenging to read logs related to IKE and IPSec events in an attempt to
troubleshoot the issue.
A new UI provides clear diagnostic IPSec tunnel information, including the reason for
the tunnel failure, the configured and exchanged IPSec and IKE parameters, and
recommended settings for IKE and IPSec crypto values for service connections and
remote network connections. With the UI, you have a full picture of your IPSec
tunnels. You can also trigger an IKE renegotiation for a given service connections
or remote network connections.
This tunnel information reflects real-time monitoring status, along with an
explanation of why any tunnels have gone down.
PAN-OS 11.0, 11.1, and 11.2 Dataplane Support
Supported in:
Prisma Access 5.1 Innovation |
Prisma Access 5.1 Innovation supports the PAN-OS features
that are available with PAN-OS 11.0, 11.1, and 11.2.
The following PAN-OS features are not supported:
PAN-OS 11.2 Support for Panoramas that Manage Prisma Access
Prisma Access
Supported in:
Prisma Access 5.1 Preferred and Innovation |
If you have a Panorama Managed Prisma Access deployment, you can use a Panorama
running 11.2 to manage Prisma Access.
Prisma Access Internal Gateway
Prisma Access
Internal GatewaySupported in:
Prisma Access 5.1 Preferred and Innovation |
Prisma Access introduces a native internal gateway solution within
the Prisma Access architecture, reducing the need to implement GlobalProtect in
conjunction with an on-premises internal gateway to learn User-ID for users on an
internal network. Prisma Access deployments can enable a native internal gateway
natively within the Prisma Access architecture.
Use the native internal gateway to enforce user-based security policies for remote
network traffic without the need to deploy an on-premises internal gateway.
Static IP Address Allocation for Mobile Users
Supported in:
Prisma Access (Managed by Strata Cloud Manager) deployments in Prisma Access
5.1 InnovationRequires a minimum GlobalProtect version of 6.1.4 |
The Static IP Allocation feature allows you to assign a fixed IP address to
Prisma Access Mobile Users. This is useful if your network deployments restrict user
access to resources using IP addresses as part of their network and application
design. With this functionality, you can define IP pool based on the theatre and
user.
Assigning static IP addresses to users provide you with the following
benefits:
- Static IP Address Allocation—Prisma Access assigns the IP address in the configured IP address pool to users every time they connect to Prisma Access.
- IP Address Management—Prisma Access can assign IP addresses based on the User-ID and the theater which simplifies the subnet management and allocation.
- Granular IP Address-Based Policy Rules—You can use the static IP addresses to create persistent User-ID mapping and use IP address based controls in your network and application resources..
User-ID Across NAT
Supported in:
Prisma Access 5.1 Innovation |
Mobile users access private apps using a service connection. If your deployment uses
a Next-Generation Firewall (NGFW) in the data center or headquarters location where
the private apps are located, and if your service connection has source NAT enabled,
the NGFW can't retrieve the User-ID and Device-ID mapping. Source NAT on the service
connection prevents the mobile users' User-ID and Device-ID mapping to be
distributed to the NGFW. If the NGFW can't retrieve this mapping, it can't enforce
zone-based security policy rules you have created on it based on User-ID or
Device-ID mapping.
User-ID Across NAT lets your network distribute the User- or Device-ID mapping from
mobile users to the NGFW and then on to the headquarters or data center, thus
allowing the NGFW to enforce security policy rules based on the User-ID mapping it
has learned from the service connection. This configuration ensures a consistent
security posture across your mobile user deployment.