This section provides you with a list of new features in Prisma Access 6.0 and 6.0.1 Preferred and Innovation, along with
the recommended and required software versions you need to use.
Recommended Software Versions for Prisma Access 6.0.1 Preferred and Innovation
Prisma Access 6.0.1 Preferred and Innovation run a PAN-OS 11.2.6 dataplane.
Prisma Access (Managed by Panorama) release 6.0.1 requires a minimum Cloud Services plugin
version of 6.0.0-h9.
For Prisma Access 6.0.1 features, Palo Alto Networks recommends
that you upgrade your Prisma Access to the following versions
before installing the plugin.
Prisma Access Version: 6.0.1
Cloud Services Plugin Version: Minimum version of 6.0.0-h9
Required Dataplane Version for 6.0.1: 6.0.1 Preferred and Innovation: PAN-OS 11.2.6
Recommended GlobalProtect Version: 6.0.1.7+, 6.1.3+, 6.2.1+
Minimum required versions for IPv6 Support for Public Apps for IP Optimization: 6.2.6 client version for Windows and macOS, 6.2.7 for Linux, 6.1.7 for Android and iOS
Recommended Panorama Version: 10.2.10+, 11.0.1+, 11.1.0, 11.2.6, 12.1.2
Before you upgrade your Panorama to 12.1.2, upgrade your Cloud Services plugin to 6.0.0-h22; then, upgrade your Panorama. Be sure to follow the upgrade path when upgrading your plugin.
Recommended Software Versions for Prisma Access 6.0 Preferred and Innovation
Prisma Access 6.0 Preferred and Innovation run on a PAN-OS 11.2.6
dataplane.
For Prisma Access 6.0 features, Palo Alto Networks recommends
that you upgrade your Prisma Access to the following versions
before installing the plugin.
Prisma Access Version: 6.0
Cloud Services Plugin Version: 6.0
Required Dataplane Version for 6.0: PAN-OS 11.2.6 for 6.0 Preferred and Innovation
Recommended GlobalProtect Version: 6.0.7+, 6.1.3+, 6.2.1+
Minimum required versions for IPv6 Support for Public Apps for IP Optimization: 6.2.6 client version for Windows and macOS, 6.2.7 for Linux, 6.1.7 for Android and iOS
Recommended Panorama Version: 10.2.10+, 11.0.1+, 11.1.0, 11.2.6, 12.1.2
Before you upgrade your Panorama to 12.1.2, upgrade your Cloud Services plugin to 6.0.0-h22; then, upgrade your Panorama. Be sure to follow the upgrade path when upgrading your plugin.
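The 6.0.1 plugin minimum and the Panorama 12.1.2 ordering note above can be checked before a change window. The following Python sketch is an added example, not Palo Alto Networks code; the function names are hypothetical, the version strings are typed in by the operator rather than read from any API, and it assumes 6.0.0-h22 is a minimum rather than an exact match. It parses hotfix suffixes numerically, because a plain string comparison ranks 6.0.0-h9 above 6.0.0-h22.

```python
import re
from typing import List, Tuple

# Values taken from the release notes above.
MIN_PLUGIN_601 = "6.0.0-h9"               # minimum Cloud Services plugin for 6.0.1
PLUGIN_BEFORE_PANORAMA = "6.0.0-h22"      # plugin to install before Panorama 12.1.2
GATED_PANORAMA = "12.1.2"
REQUIRED_DATAPLANE = "11.2.6"             # PAN-OS dataplane for 6.0.1

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")

Version = Tuple[int, int, int, int]


def parse_version(text: str) -> Version:
    """Parse 'X.Y.Z' or 'X.Y.Z-hN' into a tuple that compares numerically."""
    match = _VERSION_RE.match(text.strip())
    if match is None:
        raise ValueError(f"unrecognized version string: {text!r}")
    major, minor, patch, hotfix = match.groups()
    # A release with no hotfix suffix sorts below every hotfix of that release.
    return (int(major), int(minor), int(patch), int(hotfix or 0))


def preflight(plugin: str, dataplane: str, panorama_target: str) -> List[str]:
    """Return the unmet prerequisites for Prisma Access 6.0.1 (empty if none)."""
    findings: List[str] = []
    plugin_v = parse_version(plugin)

    if plugin_v < parse_version(MIN_PLUGIN_601):
        findings.append(
            f"Cloud Services plugin {plugin} is below the 6.0.1 minimum "
            f"{MIN_PLUGIN_601}"
        )

    # Compare only X.Y.Z so a hotfixed dataplane build is not flagged.
    if parse_version(dataplane)[:3] != parse_version(REQUIRED_DATAPLANE)[:3]:
        findings.append(
            f"dataplane {dataplane} is not PAN-OS {REQUIRED_DATAPLANE}"
        )

    # Ordering rule: the plugin is upgraded first, Panorama second.
    targets_gated = (
        parse_version(panorama_target)[:3] == parse_version(GATED_PANORAMA)[:3]
    )
    if targets_gated and plugin_v < parse_version(PLUGIN_BEFORE_PANORAMA):
        findings.append(
            f"upgrade the plugin to {PLUGIN_BEFORE_PANORAMA} before upgrading "
            f"Panorama to {GATED_PANORAMA} (current plugin: {plugin})"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample: plugin meets the 6.0.1 minimum but not the
    # prerequisite for a Panorama 12.1.2 upgrade.
    for line in preflight("6.0.0-h9", "11.2.6", "12.1.2"):
        print("BLOCKER:", line)
```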
Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 6.0.1 Preferred and Innovation Features
Prisma Access 6.0.1 features require one or more of the following components to function:
Infrastructure Upgrade—The infrastructure includes the underlying service backend, orchestration, and monitoring infrastructure. Prisma Access upgrades the infrastructure before the general availability (GA) date of a Prisma Access release.
Features that require only an infrastructure upgrade to be unlocked take effect for all Prisma Access deployments, regardless of version, at the time of the infrastructure upgrade.
Plugin Upgrade (Prisma Access Panorama Managed Deployments Only)—Prisma Access (Managed by Panorama) release 6.0.1 requires a minimum Cloud Services plugin version of 6.0.0-h9.
Dataplane Upgrade—The dataplane enables traffic inspection and security policy enforcement on your network and user traffic.
For Prisma Access (Managed by Strata Cloud Manager), go to Manage > Configuration > NGFW and Prisma Access > Overview > Prisma Access Version.
For Prisma Access (Managed by Panorama) deployments, you can view your dataplane version by going to Panorama > Cloud Services > Configuration > Service Setup and viewing the Prisma Access Version. Prisma Access Preferred and Innovation run PAN-OS 11.2.6.
These features are activated with the infrastructure upgrade only for Prisma Access 6.0.1:
New Prisma Access Locations
These features require an infrastructure and plugin upgrade but don't require
a dataplane upgrade; however, a minimum dataplane version of 10.2.10 is required for
these features:
None
These features require an infrastructure, plugin, and dataplane upgrade to
PAN-OS 11.2.6, making them Prisma Access 6.0.1 Innovation features:
None
Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 6.0 Preferred and Innovation Features
Prisma Access 6.0 features require one or more of the following components to function:
Infrastructure Upgrade—The infrastructure includes the underlying service backend, orchestration, and monitoring infrastructure. Prisma Access upgrades the infrastructure before the general availability (GA) date of a Prisma Access release.
Features that require only an infrastructure upgrade to be unlocked take effect for all Prisma Access deployments, regardless of version, at the time of the infrastructure upgrade.
Plugin Upgrade (Prisma Access Panorama Managed Deployments Only)—Installing the plugin activates the features that are available with that release. You download and install the plugin on the Panorama that manages Prisma Access.
Prisma Access (Managed by Panorama) release 6.0 uses the Cloud Services Plugin 6.0.
Dataplane Upgrade—The dataplane enables traffic inspection and security policy enforcement on your network and user traffic.
For Prisma Access (Managed by Strata Cloud Manager), go to Manage > Configuration > NGFW and Prisma Access > Overview > Prisma Access Version.
For Prisma Access (Managed by Panorama) deployments, you can view your dataplane version by going to Panorama > Cloud Services > Configuration > Service Setup and viewing the Prisma Access Version. Prisma Access Preferred and Innovation run PAN-OS 11.2.6.
A dataplane upgrade to 6.0 Innovation is optional, and is only required if you want to take advantage of the features that require a dataplane upgrade.
These features are activated with the infrastructure upgrade only for Prisma Access 6.0:
Advanced ZTNA Connector
Extend Prisma Access User Group Policy Support with Short Form Format
Mexico Central Compute Region Support
Remote Network Site-Based Licensing and Simplified Onboarding
Simplified Onboarding Workflow
These features require an infrastructure and plugin upgrade but don't require
a dataplane upgrade; however, a minimum dataplane version of 10.2.4 is required for
these features:
BGP Filtering and Route Metric Support for Prisma Access
These features require an infrastructure, plugin, and dataplane upgrade to
PAN-OS 11.2.6, making them Prisma Access 6.0 Preferred and Innovation features:
Colo-Connect Inter-Region
RFC6598, iOS, and Android Support for Static IP Address Allocation
WildFire Hold Mode Support (11.2.4 or later dataplane required)
Prisma Access 6.0.1 Features
Here are the features in Prisma Access 6.0.1.
ZTNA Connector: Scalability Improvements
With your Prisma Access license or Private App add-on license, ZTNA Connector
offers an enhancement that improves scalability, allowing users to onboard 20,000 applications per tenant across all
Connector Groups.
New Region Support for ZTNA Connector
ZTNA Connector now provides secure and compliant multinational, enterprise-level
communication within and across mainland China. You need a Prisma Access China L2 add-on license to enable the required functionality.
With the Prisma Access China L2 add-on license, you get 10 Connectors, 20,000 FQDNs,
and 1024 IP Subnets. If you need more than 10 Connectors, you also need a
Private App add-on license.
South Africa is also added as a supported location for ZTNA Connector.
Visibility for ZTNA Connector
Depending on your license for ZTNA Connector, you can see the following updates in
Strata Cloud Manager for visibility:
Select the number next to Total Connector Groups,
Total Wildcards, FQDN, or
IP Subnet to get the details for each ZTNA object. You
can see the status related to each ZTNA object (UP, Partially Up, Down).
Additionally, you can now monitor a Wildcard's bandwidth by selecting
Action.
New Prisma Access Locations
Prisma Access adds the following locations (to activate these locations, reach out to your Palo Alto Networks account representative):
Colombia Central
France South East
India South Central
US West Central
Saudi Arabia West
Mexico Northeast
US Midwest
These locations have their own compute location (for example, Colombia Central uses
the Colombia Central compute location) and support the following functionality:
Using Prisma Access Agent with Explicit Proxy is not supported; however, using the
GlobalProtect app with Explicit Proxy in proxy mode or tunnel and proxy mode is
supported.
If you require additional functionality, we recommend that you onboard alternate locations.
Traffic Replication for Explicit Proxy: Enhanced Visibility for SASE
Traffic Replication for explicit proxy
addresses the challenge enterprises face when transitioning from on-premises network
security infrastructure to SASE by preserving access to your packet captures (PCAPs)
for threat investigation, forensic analysis, and compliance requirements. Traffic
replication provides a complete copy of traffic traversing Prisma Access
explicit proxy available for analysis.
When you enable Traffic replication for explicit proxy, Prisma Access
captures and replicates all traffic, including SSL-decrypted content when configured
with the appropriate decryption rules. This capability enables you to meet
regulatory requirements. The replicated traffic is secured while in motion and at
rest, with no alterations to the original packet form, ensuring both directions of
communication are preserved without packet loss.
Traffic replication for explicit proxy extends the existing capabilities
already available for mobile users and remote networks, providing consistent traffic
visibility across all Prisma Access connection methods. You can use this feature
with various third-party network detection and response (NDR) tools for enhanced
security analytics. The replicated traffic is stored as PCAP files in Cloud Object
Storage, where they remain available for 72 hours, giving your security teams
adequate time to download and analyze the data with your preferred forensic
tools.
You can enable Traffic replication selectively for specific explicit proxy
locations to control data volume, and the system automatically accommodates auto
scaling events and infrastructure changes to ensure continuous replication. The
functionality operates without affecting existing Prisma Access performance or
capabilities, providing you with valuable security insights without compromising the
user experience.
Prisma Access 6.0 Features
Here are the features in Prisma Access 6.0.0.
Advanced ZTNA Connector
Supported in: Prisma Access 6.0
Complex deployments, rigid licensing structures, and limited regional logging
capabilities previously increased the administrative friction of adopting ZTNA
Connector. These significant updates to the ZTNA Connector address these challenges
by improving operational efficiency, expanding global visibility, and simplifying
configuration.
Regional Support for Strata Logging Service
ZTNA Connector now supports sending logs to Strata Logging
Service instances in new regions, addressing global data
residency needs. The supported regions are:
Indonesia
Qatar
Saudi Arabia
Taiwan
Simplified Onboarding Workflow
Prisma® Access now offers a simplified Day 0 onboarding workflow to set up ZTNA
Connector. This guided, step-by-step process helps you:
This intuitive, action-oriented setup significantly reduces complexities during
onboarding.
Streamlined Licensing
Prisma Access 6.0 introduces a streamlined licensing model for ZTNA Connector:
You can now enable ZTNA Connector without a ZTNA Connector add-on
license.
Based on your existing Prisma Access licenses, you receive 10 ZTNA
Connector licenses with the base license.
If you purchase the Private Apps add-on, you unlock a number of Service
Connections and ZTNA Connectors up to the limit supported by the product in
each tenant.
Prisma Access 6.0 introduces new licensing for ZTNA Connector, which
streamlines the licensing structure, simplifies the process, and offers a more
efficient approach.
This licensing model provides an option to Enable ZTNA Connector
without a ZTNA add-on license. Based on your Prisma Access licenses, you receive
free but limited licenses. If you purchase an unlimited private apps add-on license,
you get unlimited Service Connections and ZTNA Connectors.
Support for DNS SRV records and SCCM
ZTNA Connector now supports:
DNS SRV queries, allowing clients
to intelligently locate AD domain controllers using structured,
priority-based FQDNs.
SCCM integration, enabling the ZTNA Connector to direct software updates
through the correct AD site’s distribution point.
This enhancement improves resource access, strengthens endpoint management, and
maintains ZTNA-level security.
BGP Filtering and Route Metric Support for Prisma Access
For customers who need precise control over routing, Prisma Access offers new BGP capabilities
to enhance network traffic and improve efficiency. The platform provides a UI-based
configuration option on Panorama® and Cloud Management, enabling you to filter BGP
prefixes advertised to remote networks (RNs) and service connections (SCs). This
includes individual filtering options for all outbound mobile user, RN, and SC
prefixes, as well as the ability to filter specific prefixes per RN and SC
onboarding. BGP filtering can be configured per RN and SC BGP peer and also supports
a global tenant-level configuration. Filtering options include both prefix and BGP
community-based criteria.
This update allows you to create and apply custom routing policies to your service
connections, including both regular and Colo-Connect connections. This functionality
enables you to optimize traffic flow, improve network efficiency, and strengthen
your security posture.
The BGP filtering and route metric support is integrated with the existing Prisma
Access security platform. This means you can now leverage advanced routing
capabilities alongside Palo Alto Networks' comprehensive suite of threat prevention
features.
Colo-Connect Inter-Region
Supported in: Prisma Access 6.0
Today, large enterprises are building Colo-based performance hubs to reach private
applications in hybrid, multicloud architectures because of the high-bandwidth and
low-latency requirements. Typically, these hubs include interconnects to one or more
cloud providers and connections to the on-premises data centers over a private or
leased WAN. Performance hubs can route traffic between the public cloud and
on-premises infrastructure at high speed, and are resilient because of the
underlying interconnect infrastructure.
Prisma® Access Colo-Connect builds on the Colo-based
performance hub concept, offering high-bandwidth private connections along with
seamless Layer 2/3 connectivity to Prisma Access from existing performance hubs.
Colo-Connect handles inter-region traffic
with a focus on high performance and scalable network solutions, ensuring seamless
operation even if a compute location becomes unavailable. To address this need,
Prisma Access has implemented an inter-region connectivity feature. This feature
enables Colo-Connect instances across different regions to be interconnected and
provides robust disaster recovery capabilities between regions.
This inter-region support provides higher bandwidth, enables seamless scalability
across regions, and strengthens multicloud support.
DNS Resolution for Mobile Users—Explicit Proxy Deployments
Supported in: Prisma Access 6.0
Organizations using Explicit Proxy often face challenges integrating their cloud
security with specialized internal network infrastructure, particularly regarding
custom Domain Name Service (DNS) resolution. This limitation can interrupt seamless
access to both public internet applications and critical internal private resources.
Explicit Proxy now expands its capabilities to include comprehensive DNS Proxy customization, solving this
hybrid networking challenge. This feature allows you to seamlessly integrate
regional DNS, custom third-party resolvers, or existing on-premises DNS
infrastructure. By supporting FQDN-based resolution, the solution guarantees that
all applications—whether public or privately hosted—are resolved correctly and
securely. This optimization is supported on Panorama Managed Prisma®
Access, delivering a more robust and flexible security posture for hybrid
environments and optimizing the user experience.
Extend Prisma Access User Group Policy Support with Short Form Format
Supported in: Prisma Access 6.0
We introduced the ability to extend Prisma Access user group policy
with the short form format. Migrating security policies from NGFW to Prisma Access
requires policy elements standardization. Prisma Access only supports long-form DN
entries for group-based policies, while the NGFW allows using other formats such as
SAML account name/Common Name and email address. This feature enables customers to
define the group format choice for security policy creation, allowing standardized
policy creation across Prisma Access and NGFW.
Explicit proxy extends its support to the following regions:
Bahrain
Canada West
France North
Ireland
Sweden
South Africa West
United Arab Emirates
Remote Network Site-Based Licensing and Simplified Onboarding
Supported in: Prisma Access 6.0 (New Prisma Access Deployments Only)
Managing remote network capacity using aggregate bandwidth licensing is
complex, often requiring difficult resource estimation and manual redundancy
configuration across compute regions. Prisma® Access 6.0 introduces site-based licensing for Remote Networks,
enhancing flexibility and simplifying deployment for branch sites. This licensing
model allows you to allocate your sites with predefined bandwidth capacities,
ranging from 25 Mbps to 2.5 Gbps. By moving away from aggregate bandwidth-based
licensing, you can more easily estimate and allocate resources for your remote
sites.
With site-based licensing, you no longer need to pre-allocate bandwidth to
specific Prisma Access compute regions or configure redundancy manually. This
approach reduces complexity in network planning and provides a more straightforward
way to manage and scale your branch sites.
Using this model, you can focus on the number and types of sites needed
rather than estimating total bandwidth consumption across your network.
Site-based licensing in Prisma Access aligns better with your
organizational structure and growth plans, providing a more intuitive and scalable
approach to securing and connecting your branch sites. This licensing model aims to
enhance your experience in deploying and managing Prisma Access, offering greater
control and efficiency in resource allocation across your distributed network
infrastructure.
Additionally, a simplified onboarding workflow for Prisma Access
further reduces complexity by accelerating remote network setup.
RFC6598, iOS, and Android Support for Static IP Address Allocation
Supported in: Prisma Access 6.0
Some legacy networks use IP address-based authorization to restrict users’ access to
internal or external resources. A Prisma® Access Mobile Users—GlobalProtect®
deployment assigns users an IP address from the mobile users IP address pool you
assign during onboarding, and this user-to-IP address mapping can change in
subsequent logins. To retain user-to-IP address mapping, Prisma Access lets you
assign static IP addresses to users. With
this feature, Prisma® Access allows you to allocate IP addresses to users based on
the User or User-group, along with Theatre and Location groups.
Prisma Access adds the following enhanced functionality for static IP address
allocation: support for iOS and Android mobile devices and support for RFC6598
addresses.
Simplified Onboarding Workflow
Supported in: Prisma Access 6.0
Organizations often face complex, manual setup processes when deploying SASE
solutions, leading to delayed security protection. The Prisma® Access onboarding
workflow addresses this challenge by providing a simplified initial setup process
for new deployments. This guided workflow rapidly deploys and configures the
necessary components for securing mobile users (via GlobalProtect® and Explicit Proxy) and for securing private
applications (via Service Connection). By incorporating
best-practice defaults, automating backend tasks, and seamlessly integrating the
Cloud Identity Engine and Strata Cloud Manager with Prisma Access,
this intuitive, action-oriented approach accelerates time-to-value and significantly
reduces onboarding complexity.
WildFire Hold Mode Support
Supported in: Prisma Access 6.0
Preventing known malware from transferring while real-time signature lookups are
underway often introduces a window of risk. If you have an active WildFire® or
Advanced WildFire license, Prisma® Access now supports WildFire Hold Mode to
immediately address this risk. Hold Mode enables you to configure Prisma® Access to
hold the transfer of a sample file while
the real-time signature cloud performs a signature lookup. When the lookup
completes, Prisma Access releases the file to the requesting client (or blocks it,
based on your organization's security policy for specific WildFire verdicts),
preventing the initial transfer of known malware. You can configure Hold Mode on a
per-antivirus-profile basis and apply a global setting for the signature lookup
timeout and the associated action.