New Features - Prisma Access - 5.1 Preferred and Innovation

ADEM Agent is now modularized and called Access Experience. Access Experience can be used for multiple features based on the license activated, such as ADEM and App Acceleration. Other enhancements include:

• An agent out-of-band upgrade.
• New Access Experience Agent configuration options for GlobalProtect version 6.3 and above:
  • Install —Install the agent on the endpoint.
  • Uninstall —Uninstall the agent from the endpoint.
  • No Action —Retain the last agent state.

The Advanced DNS Security service is a new subscription offering by Palo Alto Networks that operates new domain detectors in the Advanced DNS Security cloud that inspect changes in DNS responses to detect various types of DNS hijacking in real-time. With access to Advanced DNS Security, you can detect and block DNS responses from hijacked domains and misconfigured domains. Hijacked and misconfigured domains can be introduced into your network by either directly manipulating DNS responses or by exploiting the DNS infrastructure configuration settings in order to redirect users to a malicious domain from which they initiate additional attacks. The primary difference between these two techniques is where the exploit occurs. In the case of DNS hijacking, the attackers gain the ability to resolve DNS queries to attacker-operated domains by compromising some aspect of an organization's DNS infrastructure, be it through unauthorized administrative access to a DNS provider or the DNS server itself, or an MiTM attack during the DNS resolution process. Misconfigured domains present a similar problem - the attacker seeks to incorporate their own malicious domain into an organization’s DNS by taking advantage of domain configuration issues, such as outdated DNS records, which can enable attackers to take ownership of the customer’s subdomain.

Advanced DNS Security can detect and categorize hijacked and misconfigured domains in real-time by operating cloud based detection engines, which provide DNS health support by analyzing DNS responses using ML-based analytics to detect malicious activity. Because these detectors are located in the cloud, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages when changes to detectors are made. Upon initial release, Advanced DNS Security supports two analysis engines: DNS Misconfiguration Domains and Hijacking Domains. Additionally, DNS responses for all DNS queries are sent to the Advanced DNS Security cloud for enhanced response analysis to more accurately categorize and return a result in a real-time exchange. Analysis models are delivered through content updates, however, enhancements to existing models are performed as a cloud-side update, requiring no updates by the user. Advanced DNS Security is enabled and configured through the Anti-Spyware (or DNS Security) profile and require active Advanced DNS Security and Advanced Threat Prevention (or Threat Prevention) licenses.

Palo Alto Networks now operates new inline deep learning detection engines in the Advanced Threat Prevention cloud to analyze traffic for command injection and SQL injection vulnerabilities in real-time to protect users against zero-day threats. This also includes signature-based prevention for thousands of known vulnerabilities and industry-leading response times for critical and high CVEs for top vendors.

By operating cloud-based detection engines, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages or operate process intensive, firewall-based analyzers which can sap resources. Inline cloud analysis operates under your Vulnerability Protection profile and supports two analysis engines upon initial release: SQL injection and Command injection. Additional analysis models are delivered through content updates, however, enhancements to existing models are performed as a cloud-side update, requiring no local update process. Inline cloud analysis is enabled and configured using the Vulnerability Protection profile and requires an active Advanced Threat Prevention license.

Enterprises today employ workers everywhere, connecting to apps that are anywhere. Hybrid workforces rely on high-performing app experiences, but slowdowns caused by cloud latency and adverse network conditions drain productivity and frustrate workers. The major causes of poor performance can consist of:

• Cloud latency experienced when apps are processing dynamic content
• Wireless connectivity issues

Both of these issues exist outside the control of the enterprise. Apps use Content Delivery Network (CDN) caching, but modern apps are powered by dynamic content that can't be cached. And consumer-grade Wi-Fi and wireless connectivity have no performance service-level agreements (SLAs) because wireless conditions like interference and signal strength are continuously changing.

App Acceleration for Prisma SASE directly addresses the causes of poor performance by accelerating dynamic content in top SaaS apps, and has added support for these apps:

• AWS S3

• Azure Storage

• Box

• Google Drive

• Microsoft OneDrive

• Salesforce

• SAP Ariba

• ServiceNow

• Slack ( file downloads )

• Zoom ( file downloads from chat, recording downloads )

These enhancements provide you with the following benefits:

• Up to five times the improvement over direct-to-internet app performance (measured in app response time and throughput metrics)

• Enriches AI-powered ADEM with Real User Metrics (RUM) to enhance observability into performance issues

• No code changes required

Prisma Access adds the following functionality for Prisma Access China:

• Autonomous DEM (visibility only) —You can use the visibility features of Autonomous DEM with Prisma Access China.

• Intelligent Portal —You can be automatically routed to the appropriate Prisma Access portal based on your location. When users travel to China, they are directed to the China Prisma Access portal, while those traveling outside China are seamlessly connected to the non-China Prisma Access portal.

To ensure comprehensive web security for managed desktops, Remote Browser Isolation (RBI) now supports the Mozilla Firefox browser. This expanded support adds to existing isolated browsing compatibility alongside the Google Chrome, Microsoft Edge, and Safari browsers on both macOS and Windows operating systems. By extending browser support to Firefox, RBI, integrated with Prisma® Access, ensures that you can maintain security policy adherence across a wider variety of desktop environments, improving security adoption and maintaining consistent threat defense regardless of the browser choice. This broad support simplifies administration and strengthens your organization’s security posture by extending crucial protection against malware and zero-day attacks across most major desktop browsing surfaces.

When organizations engage in merger and acquisition (M & A) activity, a critical and often overlooked technical requirement is the need to update existing network gateways. These gateways, which serve as essential connection points, frequently bear the brand name of the original company. To ensure a seamless transition and maintain business continuity, these gateways must either cease referencing the old brand or adopt the new one. This is where the functionality of Prisma® Access becomes invaluable. By integrating this capability, Prisma Access allows for the effortless renaming of gateways, ensuring the new brand name is reflected not only in the user interface (UI) but also consistently across all logs and any other system references. This update is crucial for a smooth operational handover and prevents confusion among users and IT administrators. Ultimately, this functionality simplifies the post-merger integration process, allowing the organization to operate cohesively under a unified brand identity without the need for a costly and disruptive infrastructure overhaul.

Prisma Access adds two new compute locations: Canada West (Calgary) and South Africa Central. The following locations are remapped to the new compute location:

• The South Africa Central location is remapped to the South Africa Central compute location.
• The Canada West location is remapped to the Canada West (Calgary) compute location.

New deployments have the new remapping applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location.

Managing network security often leaves behind unused or obsolete Connector IP blocks, increasing administrative burden and potentially leading to IP resource waste. Previously, cleaning up these blocks was complex and error-prone. To resolve this, we enhanced management flexibility for Prisma Access Prisma® Access ZTNA Connector deployments, enabling you to update and securely delete unused Connector IP blocks as needed.

This functionality streamlines network configuration, recovers valuable IP address pools, and improves overall management efficiency by preventing network clutter. You can delete unused connector IP blocks only after you remove all associated ZTNA Connector objects (connectors, applications, wildcards, and connector groups) from the tenant. Additionally, the system performs a strict validation check to ensure technical accuracy. If you attempt to delete a connector IP block still included in an active IP address pool, the commit and push process will fail, and the system displays a validation error message protecting the integrity of your network configuration.

When a mobile user connects remotely to Prisma® Access using GlobalProtect®, your enterprise's DNS and IP Address Management (IPAM) servers do not update with the GlobalProtect gateway-assigned client IP address and endpoint FQDN. This results in your IT administrator and your apps not being able to identify and update remote endpoints with FQDN. With Dynamic DNS registration, Prisma Access integrates with IPAM vendors to dynamically create A and PTR records in the DNS servers with IPAM updates.

Dynamic DNS registration support for GlobalProtect mobile users offers the following benefits:

• Direct integration with leading IPAM vendors such as InfoBlox, BlueCat, and Windows.
• Dynamic DNS updates use either transaction signature (TSIG) or Kerberos as the authentication protocol to ensure secure updates to the DNS database.
• Prisma Access performs real-time DDNS updates to the DNS server using batched nsupdate calls based on GlobalProtect® connect and disconnect events. These updates use a DDNS service on the Mobile Users Security Processing Node (MU-SPN).

The feature enables IT and help desk staff to easily manage and update GlobalProtect® endpoints using the device's FQDN.

For Enterprise IT and IT Enabled Services (ITES) companies that need to control which users have access to their customer projects, Dynamic Privilege Access provides a seamless, secure, and compartmentalized way for your users to access only those projects that they are assigned to. Employees are typically assigned to several customer projects and are provided with siloed access to these projects so that an authorized user can access only one customer project at a time.

The Dynamic Privilege Access feature in Prisma Access provides dynamic privileges for your users based on the workflow or project that your users select in the Prisma Access Agent. Your users can have dynamic privileges based on the combination of the user group and IP pool that is assigned to a project. This unique combination defines a project. With Dynamic Privilege Access, you can isolate resources in your network so that they are only accessible to your users according to the projects they are assigned to.

A new predefined role called the Project Admin is available to allow project administrators to create and manage project definitions. Project administrators have the ability to map projects to select Prisma Access location groups, and create IP address assignments using DHCP based on the project and location group.

You can gain visibility into your Prisma Access Agent deployment by using Strata Cloud Manager to monitor your users' project activity, and view the service consumption and security posture in your network.

Dynamic Privilege Access enables Prisma Access to apply different network and Security policy rules to mobile user flows based on the project your users are working on. In the Strata Cloud Manager Command Center, navigate to Activity InsightsProjects, where you can view user-based access information in your environment

Managing explicit proxy traffic using single or multiple Proxy Auto-Configuration (PAC) files introduces complexity and management burden. You can now manage traffic flow and bypass rules by using Forwarding Profiles instead of only a single PAC file. Forwarding Profiles enable you to define forwarding rules and objects from a dedicated interface rather than dealing with the inherent technical complexity of a PAC file.

If you currently use a PAC file, you can migrate to Forwarding Profiles by importing the PAC file into a profile. Additionally, if you manage multiple PAC files for different traffic types, you can import these PAC files into separate profiles to use them simultaneously. In addition to standard proxy deployments, you can also use Forwarding Profiles to define the flow of traffic through GlobalProtect GlobalProtect® in Proxy or Tunnel and Proxy mode.

For simpler SAML authentication configuration, Explicit Proxy no longer requires that you create a policy rule to allow pre-authentication user traffic.

Saudi Arabia is added as a supported location for Prisma Access Explicit Proxy.

South Africa Central is added as a supported location for Prisma Access Explicit Proxy.

When you onboard a Service Connection or Remote Network connection, a public IP address is assigned for the other side of the IPSec tunnel (the Service IP Address). You use these public IP addresses for your CPE in your branch site or headquarters or data center location. Keeping records of all the IP addresses you need to configure on your CPE can be time consuming.

Instead of IP addresses, Prisma® Access provides you FQDNs or Service Endpoint Addresses to use for the other end of the IPSec tunnel for Service Connections and Remote Network Connections, thus facilitating the IPSec tunnel setup on your CPE at your branch sites or headquarters or data center locations.

You can now configure SSL/TLS service profiles using TLSv1.3 on the firewall that is hosting the GlobalProtect portal or gateway to establish TLS connectivity between GlobalProtect components. TLSv1.3 is the latest version of the TLS protocol, which provides increased network security by removing the weak ciphers supported in the earlier versions of TLS and adding more secure cipher suites. In addition, the GlobalProtect gateway and portal now support the following TLSv1.3 cipher suites:

• TLS-AES-128-GCM-SHA256
• TLS-AES-256-GCM-SHA384
• TLS-CHACHA20-POLY1305-SHA256

You can configure SSL/TLS service profiles with TLSv1.3 to provide enhanced security and a faster TLS handshake while establishing connection between GlobalProtect components. To provide the strongest security, you must set both the minimum and maximum supported version as TLSv1.3 in the SSL/TLS service profile.

GlobalProtect Proxy now

1. supports all IPv4 TCP connections, including non-proxy-aware traffic, to better support the needs of your network beyond only proxy-aware traffic
2. supports multiple Explicit Proxy channels to different regions, enabling you to support apps and destinations that have region-specific requirements.

Additionally, Prisma AccessInsights now surfaces GlobalProtect Proxy data under Mobile Users - GlobalProtect and includes additional metrics, such as connection method, so that you can have greater visibility into your GlobalProtect Proxy performance.

GlobalProtect in proxy-only mode now no longer requires that you deploy a mobile user gateway, which simplifies initial configuration.

Prisma® Access uses IPSec to securely connect branch offices and data centers to the service. If there is an issue with bringing up the IPSec tunnel, it can be challenging to read logs related to IKE and IPSec events in an attempt to troubleshoot the issue.

A new UI allows you to check routing information, clear security associations for an existing IPSec tunnels, or retrieve the service endpoint address for your service connections and remote network connections. With the UI, you have a more complete picture of your IPSec tunnels. You can also trigger an IKE renegotiation for a given service connections or remote network connections.

This tunnel information reflects real-time monitoring status, along with an explanation of why any tunnels have gone down.

The Juniper Mist integration with Prisma Access in SASE Health enables visibility and management of third-party network devices and alerts from the Strata Cloud Manager (SCM) interface. This integration provides a single pane of glass for diagnosing and resolving branch site issues by extending LAN health and performance insights to the SCM dashboard. Administrators gain visibility into access points, switches, and WAN edge devices within branch locations, ensuring network reliability.

SASE Health offers a view of Juniper Mist infrastructure, including device inventory, high availability status, impacted users, and root causes of service degradation. Key features include site visualization, Juniper Mist device inventory display, alert integration, and cross-launch capability for incident analysis.

Organizations are increasingly adopting IPv6 endpoints and require seamless, end-to-end IPv6 access across their entire Secure Access Service Edge (SASE) environment. Previously, IPv6 support in Prisma® Access was limited to private applications. This feature now encompasses comprehensive end-to-end IPv6 support for Mobile Users, Remote Networks, and Service Connections. One key benefit of native IPv6 support is the ability for Mobile Users utilizing IPv6-only endpoints to establish connections with Prisma Access via IPv6 connections using GlobalProtect®. Additionally, this support enables secure access to public SaaS applications over the internet, even when those destinations necessitate IPv6 connections. This enhancement, leveraging the significantly larger IPv6 address space, ensures compatibility with both IPv6 and dual-stack connections, accelerating your organization's migration to modern, cloud-based, and IPv6-enabled networks.

Organizations require the most advanced security features for their Prisma® Access deployments to counter evolving zero-day threats. To utilize the most advanced traffic inspection, deep learning security, and optimized performance features, Prisma Access 5.1 Innovation now fully supports the security features available with PAN-OS® 11.1 and 11.2. This immediate compatibility allows organizations to leverage cutting-edge security capabilities, including enhanced visibility into encrypted traffic and superior threat detection, without requiring a full platform migration. This seamless support helps protect your organization’s end-users, business assets, and security posture across your entire SASE deployment.

Organizations require the most advanced security features for their Prisma® Access deployments to counter evolving zero-day threats. To utilize the most advanced traffic inspection, deep learning security, and optimized performance features, Prisma Access 5.1 Innovation now fully supports management by Panorama® appliances running PAN-OS® 11.2. This immediate compatibility enables organizations to leverage cutting-edge security capabilities, including enhanced visibility into encrypted traffic and superior threat detection, directly from their updated management platform. This seamless support helps protect your organization’s end-users, business assets, and security posture across your entire SASE deployment.

Prisma® Access introduces a native internal gateway solution within the Prisma®Access architecture. This new capability reduces the need to implement GlobalProtect® alongside an on-premises internal gateway to learn User-ID for users on an internal network. Prisma® Access deployments can enable a native internal gateway within the architecture.

The native internal gateway enforces user-based security policies for remote network traffic without requiring an on-premises internal gateway deployment.

To use this feature, set up GlobalProtect®, add app settings, and onboard remote networks in both Strata Cloud Manager and Panorama®.

If your Prisma® Access deployment uses a large number of sessions, and you would like to delete those sessions quickly, you can enable fast session delete, which allows Prisma Access to reuse TCP port numbers before the TCP TIME_WAIT period expires. This reuse of the TCP port numbers can be useful if your deployment has a large number of SSL decrypted sessions that may be short-lived. You can choose to enable this functionality for Prisma Access Remote Networks, Service Connections, and Mobile Users—GlobalProtect®; for Mobile Users—Explicit Proxy deployments, this functionality is enabled by default and you cannot disable it.

Integrating third-party SD-WAN solutions with cloud security services often requires complex, manual tunnel configurations, slowing deployment and increasing administrative risk. The Remote Network Tunnel Automation API addresses this challenge by enabling seamless, automated integration of third-party SD-WAN products with Prisma® Access to deliver essential cloud security services over your existing SD-WAN solution. This API supports deployments managed by both Panorama® and Strata Cloud Manager, drastically accelerating the onboarding of third-party SD-WAN branches to Prisma Access Remote Networks, thereby reducing manual effort and ensuring rapid time-to-value.

Prisma Access Explicit Proxy now supports service connections to enable you to access resources in your data center. With this change, you will still be able to benefit from a proxy connection while accessing external dynamic lists, partner apps, or private apps hosted in your data center.

Prisma Access adds to the static IP address functionality for mobile users, where you can assign static IP addresses to users based on the Prisma Access theater or User-ID. To enhance IP address assignment for mobile users, you can now use location groups and user groups as a criteria, in addition to theater and User-ID. In addition, the number of supported IP address pool profiles is increased to 10,000. Activity Insights: Users allows you to view and monitor static IP address enhancements for mobile users.

Prisma® Access mobile users access private apps using a service connection. If your deployment uses a Next-Generation Firewall (NGFW) in the data center or headquarters location where the private apps are located, and if your service connection has source NAT enabled, the NGFW can't retrieve the User-ID™ and Device-ID mapping. Source NAT on the service connection prevents the mobile users' User-ID and Device-ID mapping to be distributed to the NGFW. If the NGFW can't retrieve this mapping, it can't enforce zone-based security policy rules you have created on it based on User-ID or Device-ID mapping.

User-ID Across NAT lets your network distribute the User- or Device-ID mapping from mobile users to the NGFW and then on to the headquarters or data center, thus allowing the NGFW to enforce security policy rules based on the User-ID mapping it has learned from the service connection. This configuration ensures a consistent security posture across your mobile user deployment.

If you use IPv6 networking in your Mobile Users: GlobalProtect deployment, you can configure Prisma Access to use IPv6 addresses in your mobile user networking. To view information about IPv6 in your GlobalProtect deployment, go to Activity InsightsUsers in Strata Cloud Manager Command Center.

You can use the Cloud Identity Engine with Prisma Access to apply information from third-party IoT detection sources to simplify the task of identifying and closing security gaps for devices in your network. See Configure Third-Party Device-ID in Prisma Access for details about setup and configuration.

Go to InsightsSecurityDevice Security to get insights on your IoT devices, such as the number of IoT devices connected within the last 30 minutes, all IoT devices connected during the time range selected, and details about all connected IoT devices.