ZTNA Connector now provides secure and compliant multi-national enterprise level communication within and across mainland China. You will need a Prisma Access China L2 add-on license to enable the required functionalities. With Prisma Access China L2 add-on license, you get 10 Connectors, 20,000 FQDNs, and 1024 IP Subnets. If you need more than 10 Connectors, you need to get in addition a Private App add-on license.

South Africa is also added as a supported location for ZTNA Connector.

Depending on your license for ZTNA Connector, you can see the following updates in Strata Cloud Manager for visibility:

Select the number next to Total Connector Groups, Total Wildcards, FQDN, or IP Subnet to get the details for each ZTNA object. You can see the status related to each ZTNA object (UP, Partially Up, Down). Additionally, you can now monitor a Wildcard's bandwidth by selecting Action.

Prisma Access adds the following locations:

These locations have their own compute location (for example, Colombia Central uses the Colombia Central compute location) and support the following functionality:

If you require additional functionality, we recommend that you onboard alternate locations.

Traffic Replication for explicit proxy addresses the challenge enterprises face when transitioning from on-premises network security infrastructure to SASE by preserving access to your packet captures (PCAPs) for threat investigation, forensic analysis, and compliance requirements. Traffic replication provides a complete copy of traffic traversing Prisma Access explicit proxy available for analysis.

When you enable Traffic replication for explicit proxy, Prisma Access captures and replicates all traffic, including SSL-decrypted content when configured with the appropriate decryption rules. This capability enables you to meet regulatory requirements. The replicated traffic is secured while in motion and at rest, with no alterations to the original packet form, ensuring both directions of communication are preserved without packet loss.

Traffic replication for explicit proxy extends the existing capabilities already available for mobile users and remote networks, providing consistent traffic visibility across all Prisma Access connection methods. You can use this feature with various third-party network detection and response (NDR) tools for enhanced security analytics. The replicated traffic is stored as PCAP files in Cloud Object Storage, where they remain available for 72 hours, enabling your security teams adequate time to download and analyze the data with your preferred forensic tools.

You can enable Traffic replication selectively for specific explicit proxy locations to control data volume, and the system automatically accommodates auto scaling events and infrastructure changes to ensure continuous replication. The functionality operates without affecting existing Prisma Access performance or capabilities, providing you with valuable security insights without compromising the user experience.

For customers who need precise control over routing, Prisma Access offers new BGP capabilities to enhance network traffic and improve efficiency. The platform provides a UI-based configuration option on Panorama® and Cloud Management, enabling you to filter BGP prefixes advertised to remote networks (RNs) and service connections (SCs). This includes individual filtering options for all outbound mobile user, RN, and SC prefixes, as well as the ability to filter specific prefixes per RN and SC onboarding. BGP filtering can be configured per RN and SC BGP peer and also supports a global tenant-level configuration. Filtering options include both prefix and BGP community-based criteria.

This update allows you to create and apply custom routing policies to your service connections, including both regular and Colo-Connect connections. This functionality enables you to optimize traffic flow, improve network efficiency, and strengthen your security posture.

The BGP filtering and route metric support is integrated with the existing Prisma Access security platform. This means you can now leverage advanced routing capabilities alongside Palo Alto Networks' comprehensive suite of threat prevention features.

Today, large enterprises are building Colo-based performance hubs to reach private applications in hybrid, multicloud architectures because of the high-bandwidth and low-latency requirements. Typically, these hubs include interconnects to one or more cloud providers and connections to the on-premises data centers over a private or leased WAN. Performance hubs can route traffic between the public cloud and on-premises infrastructure at high speed, and are resilient because of the underlying interconnect infrastructure.

Prisma® Access Colo-Connect builds on the Colo-based performance hub concept, offering high-bandwidth private connections along with seamless Layer 2/3 connectivity to Prisma Access from existing performance hubs.

Colo-Connect handles inter-region traffic with a focus on high performance and scalable network solutions, ensuring seamless operation even if a compute location becomes unavailable. To address this need, Prisma Access has implemented an inter-region connectivity feature. This feature enables Colo-Connect instances across different regions to be interconnected and provides robust disaster recovery capabilities between regions.

This inter-region support provides higher bandwidth, enables seamless scalability across regions, and strengthens multicloud support.

Organizations using Explicit Proxy often face challenges integrating their cloud security with specialized internal network infrastructure, particularly regarding custom Domain Name Service (DNS) resolution. This limitation can interrupt seamless access to both public internet applications and critical internal private resources. Explicit Proxy now expands its capabilities to include comprehensive DNS Proxy customization, solving this hybrid networking challenge. This feature allows you to seamlessly integrate regional DNS, custom third-party resolvers, or existing on-premises DNS infrastructure. By supporting FQDN-based resolution, the solution guarantees that all applications—whether public or privately hosted—are resolved correctly and securely. This optimization is supported on Panorama Managed Prisma ^® Access, delivering a more robust and flexible security posture for hybrid environments and optimizing the user experience.

We introduced the ability to extend Prisma Access user group policy with the short form format. Migrating security policies from NGFW to Prisma Access requires policy elements standardization. Prisma Access only supports long-form DN entries for group-based policies, while the NGFW allows using other formats such as SAML account name/Common Name and email address. This feature enables customers to define the group format choice for security policy creation, allowing standardized policy creation across Prisma Access and NGFW.

Prisma Access supports the Mexico Central compute region.

Explicit proxy extends its support to the following regions:

• Bahrain
• Canada West
• France North
• Ireland
• Sweden
• South Africa West
• United Arab Emirates

Managing remote network capacity using aggregate bandwidth licensing is complex, often requiring difficult resource estimation and manual redundancy configuration across compute regions. Prisma® Access 6.0 introduces site-based licensing for Remote Networks, enhancing flexibility and simplifying deployment for branch sites. This licensing model allows you to allocate your sites with predefined bandwidth capacities, ranging from 25 Mbps to 2.5 Gbps. By moving away from aggregate bandwidth-based licensing, you can more easily estimate and allocate resources for your remote sites.

With site-based licensing, you no longer need to pre-allocate bandwidth to specific Prisma Access compute regions or configure redundancy manually. This approach reduces complexity in network planning and provides a more straightforward way to manage and scale your branch sites.

Using this model, you can focus on the number and types of sites needed rather than estimating total bandwidth consumption across your network.

Site-based licensing in Prisma Access aligns better with your organizational structure and growth plans, providing a more intuitive and scalable approach to securing and connecting your branch sites. This licensing model aims to enhance your experience in deploying and managing Prisma Access, offering greater control and efficiency in resource allocation across your distributed network infrastructure.

Additionally, a simplified onboarding workflow for Prisma Access further reduces complexity by accelerating remote network setup.

Some legacy networks use IP address-based authorization to restrict users’ access to internal or external resources. A Prisma® Access Mobile Users—GlobalProtect® deployment assigns users an IP address from the mobile users IP address pool you assign during onboarding, and this user-to-IP address mapping can change in subsequent logins. To retain user-to-IP address mapping, Prisma Access lets you assign static IP addresses to users. With this feature, Prisma® Access allows you to allocate IP addresses to users based on the User or User-group, along with Theatre and Location groups.

Prisma Access adds the following enhanced functionality for static IP address allocation: support for iOS and Android mobile devices and support for RFC6598 addresses.

Organizations often face complex, manual setup processes when deploying SASE solutions, leading to delayed security protection. The Prisma® Access onboarding workflow addresses this challenge by providing a simplified initial setup process for new deployments. This guided workflow rapidly deploys and configures the necessary components for securing mobile users (via GlobalProtect® and Explicit Proxy) and for securing private applications (via Service Connection). By incorporating best-practice defaults, automating backend tasks, and seamlessly integrating the Cloud Identity Engine and Strata Cloud Manager with Prisma Access, this intuitive, action-oriented approach accelerates time-to-value and significantly reduces onboarding complexity.

Preventing known malware from transferring while real-time signature lookups are underway often introduces a window of risk. If you have an active WildFire® or Advanced WildFire license, Prisma® Access now supports WildFire Hold Mode to immediately address this risk. Hold Mode enables you to configure Prisma® Access to hold the transfer of a sample file while the real-time signature cloud performs a signature lookup. When the lookup completes, Prisma Access releases the file to the requesting client (or blocks it, based on your organization's security policy for specific WildFire verdicts, preventing the initial transfer of known malware. You can configure Hold Mode on a per antivirus profile basis and apply a global setting for the signature lookup timeout and the associated action.