New Features in Prisma Access 6.0 and 6.0.1
Focus
Focus
Prisma Access

New Features in Prisma Access 6.0 and 6.0.1

Table of Contents

New Features in Prisma Access 6.0 and 6.0.1

Where Can I Use This?What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
This section provides you with a list of new features in Prisma Access 6.0 and 6.0.1 Preferred and Innovation, along with the recommended and required software versions you need to use.

Recommended Software Versions for Prisma Access 6.0.1 Preferred and Innovation

Prisma Access 6.0.1 Preferred and Innovation run a PAN-OS 11.2.6 dataplane. Prisma Access (Managed by Panorama) release 6.0.1 requires a minimum Cloud Services plugin version of 6.0.0-h9.
For Prisma Access 6.0.1 features, Palo Alto Networks recommends that you upgrade your Prisma Access to the following versions before installing the plugin.
Prisma Access VersionCloud Services Plugin VersionRequired Dataplane Version for 6.0.1Recommended GlobalProtect VersionRecommended Panorama Version
6.0.1Minimum version of 6.0.0-h9 6.0.1 Preferred and Innovation: PAN-OS 11.2.6
6.0.1.7+
6.1.3+
6.2.1+
Minimum required versions for IPv6 Support for Public Apps for IP Optimization:
  • 6.2.6 client version for Windows and macOS
  • 6.2.7 for Linux
  • 6.1.7 for Android and IOS
10.2.10+
11.0.1+
11.1.0
11.2.6
12.1.2
Before you upgrade your Panorama to 12.1.2, upgrade your Cloud Services plugin to 6.0.0-h22; then, upgrade your Panorama. Be sure to follow the upgrade path when upgrading your plugin.

Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 6.0.1 Preferred and Innovation Features

Prisma Access6.0.1 features require one of more of the following components to function:
  • Infrastructure Upgrade—The infrastructure includes the underlying service backend, orchestration, and monitoring infrastructure. Prisma Access upgrades the infrastructure before the general availability (GA) date of a Prisma Access release.
    Features that require only an infrastructure upgrade to be unlocked take effect for all Prisma Access deployments, regardless of version, at the time of the infrastructure upgrade.
  • Plugin Upgrade (Prisma Access Panorama Managed Deployments Only)Prisma Access (Managed by Panorama) release 6.0.1 requires a minimum Cloud Services plugin version of 6.0.0-h9.
  • Dataplane Upgrade—The dataplane enables traffic inspection and security policy enforcement on your network and user traffic.
    • For Prisma Access (Managed by Strata Cloud Manager), go to ManageConfigurationNGFW and Prisma AccessOverviewPrisma Access Version.
    • For Prisma Access (Managed by Panorama) deployments, you can view your dataplane version by going to PanoramaCloud ServicesConfigurationService Setup and viewing the Prisma Access Version. Prisma Access Preferred and Innovation run PAN-OS 11.2.6.
These features are activated with the infrastructure upgrade only for Prisma Access 6.0.1:
  • New Prisma Access Locations
These features require an infrastructure and plugin upgrade but don't require a dataplane upgrade; however, a minimum dataplane version of 10.2.10 is required for these features:
  • None
These features require an infrastructure, plugin, and dataplane upgrade to PAN-OS 11.2.6, making them Prisma Access 6.0.1 Innovation features:
  • None

Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 6.0 Preferred and Innovation Features

Prisma Access6.0 features require one of more of the following components to function:
  • Infrastructure Upgrade—The infrastructure includes the underlying service backend, orchestration, and monitoring infrastructure. Prisma Access upgrades the infrastructure before the general availability (GA) date of a Prisma Access release.
    Features that require only an infrastructure upgrade to be unlocked take effect for all Prisma Access deployments, regardless of version, at the time of the infrastructure upgrade.
  • Plugin Upgrade (Prisma Access Panorama Managed Deployments Only)—Installing the plugin activates the features that are available with that release. You download and install the plugin on the Panorama that manages Prisma Access.
    Prisma Access (Managed by Panorama) release 6.0 uses the Cloud Services Plugin 6.0.
  • Dataplane Upgrade—The dataplane enables traffic inspection and security policy enforcement on your network and user traffic.
    • For Prisma Access (Managed by Strata Cloud Manager), go to ManageConfigurationNGFW and Prisma AccessOverviewPrisma Access Version.'
    • For Prisma Access (Managed by Panorama) deployments, you can view your dataplane version by going to PanoramaCloud ServicesConfigurationService Setup and viewing the Prisma Access Version. Prisma Access Preferred and Innovation run PAN-OS 11.2.6.
A dataplane upgrade to 6.0 Innovation is optional, and is only required if you want to take advantage of the features that require a dataplane upgrade.
These features are activated with the infrastructure upgrade only for Prisma Access 6.0:
  • Advanced ZTNA Connector
  • Extend Prisma Access User Group Policy Support with Short Form Format
  • Mexico Central Compute Region Support
  • Remote Network Site-Based Licensing and Simplified Onboarding
  • Simplified Onboarding Workflow
These features require an infrastructure and plugin upgrade but don't require a dataplane upgrade; however, a minimum datapane version of 10.2.4 is required for these features:
  • BGP Filtering and Route Metric Support for Prisma Access
These features require an infrastructure, plugin, and dataplane upgrade to PAN-OS 11.2.6, making them Prisma Access 6.0 Preferred and Innovation features:
  • Colo-Connect Inter-Region
  • RFC6598, iOS, and Android Support for Static IP Address Allocation
  • WildFire Hold Mode Support (11.2.4 or later dataplane required)

Prisma Access 6.0.1 Features

Here are the features in Prisma Access 6.0.1.

ZTNA Connector: Scalability Improvements

With your Prisma Access license or Private App add-on license, ZTNA Connector offers an enhancement that improves scalability, allowing users to onboard 20,000 applications per tenant across all Connector Groups.

New Region Support for ZTNA Connector

ZTNA Connector now provides secure and compliant multi-national enterprise level communication within and across mainland China. You will need a Prisma Access China L2 add-on license to enable the required functionalities. With Prisma Access China L2 add-on license, you get 10 Connectors, 20,000 FQDNs, and 1024 IP Subnets. If you need more than 10 Connectors, you need to get in addition a Private App add-on license.
South Africa is also added as a supported location for ZTNA Connector.

Visibility for ZTNA Connector

Depending on your license for ZTNA Connector, you can see the following updates in Strata Cloud Manager for visibility:
Select the number next to Total Connector Groups, Total Wildcards, FQDN, or IP Subnet to get the details for each ZTNA object. You can see the status related to each ZTNA object (UP, Partially Up, Down). Additionally, you can now monitor a Wildcard's bandwidth by selecting Action.

New Prisma Access Locations

Prisma Access adds the following locations:
To activate these locations, reach out to your Palo Alto Networks account representative.
  • Colombia Central
  • France South East
  • India South Central
  • US West Central
  • Saudi Arabia West
  • Mexico Northeast
  • US Midwest
These locations have their own compute location (for example, Colombia Central uses the Colombia Central compute location) and support the following functionality:
If you require additional functionality, we recommend that you onboard alternate locations.

Traffic Replication for Explicit Proxy: Enhanced Visibility for SASE

Traffic Replication for explicit proxy addresses the challenge enterprises face when transitioning from on-premises network security infrastructure to SASE by preserving access to your packet captures (PCAPs) for threat investigation, forensic analysis, and compliance requirements. Traffic replication provides a complete copy of traffic traversing Prisma Access explicit proxy available for analysis.
When you enable Traffic replication for explicit proxy, Prisma Access captures and replicates all traffic, including SSL-decrypted content when configured with the appropriate decryption rules. This capability enables you to meet regulatory requirements. The replicated traffic is secured while in motion and at rest, with no alterations to the original packet form, ensuring both directions of communication are preserved without packet loss.
Traffic replication for explicit proxy extends the existing capabilities already available for mobile users and remote networks, providing consistent traffic visibility across all Prisma Access connection methods. You can use this feature with various third-party network detection and response (NDR) tools for enhanced security analytics. The replicated traffic is stored as PCAP files in Cloud Object Storage, where they remain available for 72 hours, enabling your security teams adequate time to download and analyze the data with your preferred forensic tools.
You can enable Traffic replication selectively for specific explicit proxy locations to control data volume, and the system automatically accommodates auto scaling events and infrastructure changes to ensure continuous replication. The functionality operates without affecting existing Prisma Access performance or capabilities, providing you with valuable security insights without compromising the user experience.

Prisma Access 6.0 Features

Here are the features in Prisma Access 6.0.0.

Advanced ZTNA Connector

Supported in: Prisma Access 6.0
Complex deployments, rigid licensing structures, and limited regional logging capabilities previously increased the administrative friction of adopting ZTNA Connector. These significant updates to the ZTNA Connector address these challenges by improving operational efficiency, expanding global visibility, and simplifying configuration.
Regional Support for Strata Logging Service
ZTNA Connector now supports sending logs to Strata Logging Service instances in new regions, addressing global data residency needs. The supported regions are:
  • Indonesia
  • Qatar
  • Saudi Arabia
  • Taiwan
Simplified Onboarding Workflow
Prisma® Access now offers a simplified Day 0 onboarding workflow to set up ZTNA Connector. This guided, step-by-step process helps you:
  • Configure Prisma Access to secure private apps
  • Apply best-practice defaults
  • Automate backend tasks
  • Integrate Cloud Identity Engine (CIE), Strata Cloud Manager, and Prisma Access
This intuitive, action-oriented setup significantly reduces complexities during onboarding.
Streamlined Licensing
Prisma Access 6.0 introduces a streamlined licensing model for ZTNA Connector:
  • You can now enable ZTNA Connector without a ZTNA Connector add-on license.
  • Based on your existing Prisma Access licenses, you receive 10 ZTNA Connector licenses with the base license.
  • If you purchase the Private Apps add-on, you unlock a number of Service Connections and ZTNA Connectors up to the limit supported by the product in each tenant.
Prisma Access 6.0 introduces new licensing for ZTNA Connector which streamlines the licensing structure, simplifying the process, and offers a more efficient approach.
This licensing model provides an option to Enable ZTNA Connector without a ZTNA add-on license. Based on your Prisma Access licenses, you receive free but limited licenses. If you purchase an unlimited private apps add-on license, you will get an unlimited Service Connections and ZTNA Connectors.
Support for DNS SRV records and SCCM
ZTNA Connector now supports:
  • DNS SRV queries, allowing clients to intelligently locate AD domain controllers using structured, priority-based FQDNs.
  • SCCM integration, enabling the ZTNA Connector to direct software updates through the correct AD site’s distribution point.
This enhancement improves resource access, strengthens endpoint management, and maintains ZTNA-level security.

BGP Filtering and Route Metric Support for Prisma Access

Supported in: Prisma Access 6.0 (minimum 10.2.4 dataplane required)
For customers who need precise control over routing, Prisma Access offers new BGP capabilities to enhance network traffic and improve efficiency. The platform provides a UI-based configuration option on Panorama® and Cloud Management, enabling you to filter BGP prefixes advertised to remote networks (RNs) and service connections (SCs). This includes individual filtering options for all outbound mobile user, RN, and SC prefixes, as well as the ability to filter specific prefixes per RN and SC onboarding. BGP filtering can be configured per RN and SC BGP peer and also supports a global tenant-level configuration. Filtering options include both prefix and BGP community-based criteria.
This update allows you to create and apply custom routing policies to your service connections, including both regular and Colo-Connect connections. This functionality enables you to optimize traffic flow, improve network efficiency, and strengthen your security posture.
The BGP filtering and route metric support is integrated with the existing Prisma Access security platform. This means you can now leverage advanced routing capabilities alongside Palo Alto Networks' comprehensive suite of threat prevention features.

Colo-Connect Inter-Region

Supported in: Prisma Access 6.0
Today, large enterprises are building Colo-based performance hubs to reach private applications in hybrid, multicloud architectures because of the high-bandwidth and low-latency requirements. Typically, these hubs include interconnects to one or more cloud providers and connections to the on-premises data centers over a private or leased WAN. Performance hubs can route traffic between the public cloud and on-premises infrastructure at high speed, and are resilient because of the underlying interconnect infrastructure.
Prisma® Access Colo-Connect builds on the Colo-based performance hub concept, offering high-bandwidth private connections along with seamless Layer 2/3 connectivity to Prisma Access from existing performance hubs.
Colo-Connect handles inter-region traffic with a focus on high performance and scalable network solutions, ensuring seamless operation even if a compute location becomes unavailable. To address this need, Prisma Access has implemented an inter-region connectivity feature. This feature enables Colo-Connect instances across different regions to be interconnected and provides robust disaster recovery capabilities between regions.
This inter-region support provides higher bandwidth, enables seamless scalability across regions, and strengthens multicloud support.

DNS Resolution for Mobile Users—Explicit Proxy Deployments

Supported in: Prisma Access 6.0
Organizations using Explicit Proxy often face challenges integrating their cloud security with specialized internal network infrastructure, particularly regarding custom Domain Name Service (DNS) resolution. This limitation can interrupt seamless access to both public internet applications and critical internal private resources. Explicit Proxy now expands its capabilities to include comprehensive DNS Proxy customization, solving this hybrid networking challenge. This feature allows you to seamlessly integrate regional DNS, custom third-party resolvers, or existing on-premises DNS infrastructure. By supporting FQDN-based resolution, the solution guarantees that all applications—whether public or privately hosted—are resolved correctly and securely. This optimization is supported on Panorama Managed Prisma ® Access, delivering a more robust and flexible security posture for hybrid environments and optimizing the user experience.

Extend Prisma Access User Group Policy Support with Short Form Format

Supported in: Prisma Access 6.0
We introduced the ability to extend Prisma Access user group policy with the short form format. Migrating security policies from NGFW to Prisma Access requires policy elements standardization. Prisma Access only supports long-form DN entries for group-based policies, while the NGFW allows using other formats such as SAML account name/Common Name and email address. This feature enables customers to define the group format choice for security policy creation, allowing standardized policy creation across Prisma Access and NGFW.

Mexico Central Compute Region Support

Supported in: Prisma Access 6.0
Prisma Access supports the Mexico Central compute region.

Region Support for Explicit Proxy

Supported in: Prisma Access 6.0
Explicit proxy extends its support to the following regions:
  • Bahrain
  • Canada West
  • France North
  • Ireland
  • Sweden
  • South Africa West
  • United Arab Emirates

Remote Network Site-Based Licensing and Simplified Onboarding

Supported in: Prisma Access 6.0 (New Prisma Access Deployoments Only)
Managing remote network capacity using aggregate bandwidth licensing is complex, often requiring difficult resource estimation and manual redundancy configuration across compute regions. Prisma® Access 6.0 introduces site-based licensing for Remote Networks, enhancing flexibility and simplifying deployment for branch sites. This licensing model allows you to allocate your sites with predefined bandwidth capacities, ranging from 25 Mbps to 2.5 Gbps. By moving away from aggregate bandwidth-based licensing, you can more easily estimate and allocate resources for your remote sites.
With site-based licensing, you no longer need to pre-allocate bandwidth to specific Prisma Access compute regions or configure redundancy manually. This approach reduces complexity in network planning and provides a more straightforward way to manage and scale your branch sites.
Using this model, you can focus on the number and types of sites needed rather than estimating total bandwidth consumption across your network.
Site-based licensing in Prisma Access aligns better with your organizational structure and growth plans, providing a more intuitive and scalable approach to securing and connecting your branch sites. This licensing model aims to enhance your experience in deploying and managing Prisma Access, offering greater control and efficiency in resource allocation across your distributed network infrastructure.
Additionally, a simplified onboarding workflow for Prisma Access further reduces complexity by accelerating remote network setup.

RFC6598, iOS, and Android Support for Static IP Address Allocation

Supported in: Prisma Access 6.0
Some legacy networks use IP address-based authorization to restrict users’ access to internal or external resources. A Prisma® Access Mobile Users—GlobalProtect® deployment assigns users an IP address from the mobile users IP address pool you assign during onboarding, and this user-to-IP address mapping can change in subsequent logins. To retain user-to-IP address mapping, Prisma Access lets you assign static IP addresses to users. With this feature, Prisma® Access allows you to allocate IP addresses to users based on the User or User-group, along with Theatre and Location groups.
Prisma Access adds the following enhanced functionality for static IP address allocation: support for iOS and Android mobile devices and support for RFC6598 addresses.

Simplified Onboarding Workflow

Supported in: Prisma Access 6.0
Organizations often face complex, manual setup processes when deploying SASE solutions, leading to delayed security protection. The Prisma® Access onboarding workflow addresses this challenge by providing a simplified initial setup process for new deployments. This guided workflow rapidly deploys and configures the necessary components for securing mobile users (via GlobalProtect® and Explicit Proxy) and for securing private applications (via Service Connection). By incorporating best-practice defaults, automating backend tasks, and seamlessly integrating the Cloud Identity Engine and Strata Cloud Manager with Prisma Access, this intuitive, action-oriented approach accelerates time-to-value and significantly reduces onboarding complexity.

WildFire Hold Mode Support

Supported in: Prisma Access 6.0
Preventing known malware from transferring while real-time signature lookups are underway often introduces a window of risk. If you have an active WildFire® or Advanced WildFire license, Prisma® Access now supports WildFire Hold Mode to immediately address this risk. Hold Mode enables you to configure Prisma® Access to hold the transfer of a sample file while the real-time signature cloud performs a signature lookup. When the lookup completes, Prisma Access releases the file to the requesting client (or blocks it, based on your organization's security policy for specific WildFire verdicts, preventing the initial transfer of known malware. You can configure Hold Mode on a per antivirus profile basis and apply a global setting for the signature lookup timeout and the associated action.