New Features - Prisma Access - 6.0 Preferred and Innovation
Colo-Connect Inter-Region
Today, large enterprises are building Colo-based performance hubs to reach private applications in hybrid, multicloud architectures because of the high-bandwidth and low-latency requirements. Typically, these hubs include interconnects to one or more cloud providers and connections to the on-premises data centers over a private or leased WAN. Performance hubs can route traffic between the public cloud and on-premises infrastructure at high speed, and are resilient because of the underlying interconnect infrastructure.
Prisma® Access Colo-Connect builds on the Colo-based performance hub concept, offering high-bandwidth private connections along with seamless Layer 2/3 connectivity to Prisma Access from existing performance hubs.
Colo-Connect handles inter-region traffic with a focus on high performance and scalable network solutions, ensuring seamless operation even if a compute location becomes unavailable. To address this need, Prisma Access has implemented an inter-region connectivity feature. This feature enables Colo-Connect instances across different regions to be interconnected and provides robust disaster recovery capabilities between regions.
This inter-region support provides higher bandwidth, enables seamless scalability across regions, and strengthens multicloud support.
Content-ID Settings Support
If you need to enable Advanced WildFire Inline Cloud Analysis, configure a Vulnerability Protection profile, or configure best practices for Advanced WildFire or Advanced Threat Prevention, you might need to configure Content-ID settings. Strata Cloud Manager now supports the viewing and modification of Content-ID settings.
DNS Resolution for Mobile Users—Explicit Proxy Deployments
Organizations using Explicit Proxy often face challenges integrating their cloud security with specialized internal network infrastructure, particularly regarding custom Domain Name Service (DNS) resolution. This limitation can interrupt seamless access to both public internet applications and critical internal private resources. Explicit Proxy now expands its capabilities to include comprehensive DNS Proxy customization, solving this hybrid networking challenge. This feature allows you to seamlessly integrate regional DNS, custom third-party resolvers, or existing on-premises DNS infrastructure. By supporting FQDN-based resolution, the solution guarantees that all applications—whether public or privately hosted—are resolved correctly and securely. This optimization is supported on Panorama Managed Prisma® Access, delivering a more robust and flexible security posture for hybrid environments and optimizing the user experience.
Extend Prisma Access User Group Policy Support with Short Form Format
We introduced the ability to extend Prisma Access user group policy with the short form format. Migrating security policies from NGFW to Prisma Access requires standardizing policy elements. Prisma Access only supports long-form DN entries for group-based policies, while the NGFW allows other formats such as SAML account name/Common Name and email address. This feature lets customers choose the group format used for security policy creation, allowing standardized policy creation across Prisma Access and NGFW.
IP Capacity Planning
Use IP capacity planning to streamline the Prisma® Access tenant onboarding process by automating and simplifying egress IP address capacity planning. You can quickly allocate egress IP addresses for your mobile users based on the city and user count, significantly reducing the time it takes to allow list the IP addresses in your network. This feature provides an intuitive workflow for adding locations individually or through bulk upload, visualizing your global deployment on an interactive map, and automatically suggesting optimal Prisma Access locations based on your input. You can easily review and adjust these recommendations, ensuring that your deployment aligns with your specific needs.
The IP address capacity planner also offers a comprehensive view of your egress IP address allocations and user distributions, enabling you to make informed decisions about your network resources. By using this feature, you can expedite your Prisma Access deployment, and ensure a smooth end-user experience. The automated process lets you optimize your deployment and make it easier to scale your network as your needs evolve. This feature is valuable if you have a large, geographically diverse user base or need to frequently adjust your network capacity to meet changing demands.
This functionality is now added to the onboarding workflow for Prisma Access GlobalProtect deployments to enable you to allocate egress IP addresses for your mobile users during onboarding.
IP Pool Allocation Enhancements
Prisma Access initially allowed only three main theaters (Americas, EMEA, APAC) for IP pool allocation. We now allow users to view IP pool utilization per pool location and subpool region.
Mexico Central Compute Region Support
Prisma Access supports the Mexico Central compute region.
New Region Support for ZTNA Connector
ZTNA Connector now provides secure and compliant multi-national enterprise level communication within and across mainland China. You need a Prisma Access China L2 add-on license to enable the required functionalities. With the Prisma Access China L2 add-on license, you get 10 Connectors, 20,000 FQDNs, and 1024 IP Subnets. If you need more than 10 Connectors, you also need a Private App add-on license.
South Africa is also added as a supported location for ZTNA Connector.
Region Support for Explicit Proxy
Explicit proxy extends its support to the following regions:
- Bahrain
- Canada West
- France North
- Ireland
- Sweden
- South Africa West
- United Arab Emirates
Regional Support for ZTNA Connector
South Africa is added as a supported location for ZTNA Connector.
Remote Network Site-Based Licensing and Simplified Onboarding
Managing remote network capacity using aggregate bandwidth licensing is complex, often requiring difficult resource estimation and manual redundancy configuration across compute regions. Prisma® Access 6.0 introduces site-based licensing for Remote Networks, enhancing flexibility and simplifying deployment for branch sites. This licensing model allows you to allocate your sites with predefined bandwidth capacities, ranging from 25 Mbps to 2.5 Gbps. By moving away from aggregate bandwidth-based licensing, you can more easily estimate and allocate resources for your remote sites.
With site-based licensing, you no longer need to pre-allocate bandwidth to specific Prisma Access compute regions or configure redundancy manually. This approach reduces complexity in network planning and provides a more straightforward way to manage and scale your branch sites.
Using this model, you can focus on the number and types of sites needed rather than estimating total bandwidth consumption across your network.
Site-based licensing in Prisma Access aligns better with your organizational structure and growth plans, providing a more intuitive and scalable approach to securing and connecting your branch sites. This licensing model aims to enhance your experience in deploying and managing Prisma Access, offering greater control and efficiency in resource allocation across your distributed network infrastructure.
Additionally, a simplified onboarding workflow for Prisma Access further reduces complexity by accelerating remote network setup.
RFC6598, iOS, and Android Support for Static IP Address Allocation
Some legacy networks use IP address-based authorization to restrict users’ access to internal or external resources. A Prisma® Access Mobile Users—GlobalProtect® deployment assigns users an IP address from the mobile users IP address pool you assign during onboarding, and this user-to-IP address mapping can change in subsequent logins. To retain user-to-IP address mapping, Prisma Access lets you assign static IP addresses to users. With this feature, Prisma® Access allows you to allocate IP addresses to users based on the User or User-group, along with Theatre and Location groups.
Prisma Access adds the following enhanced functionality for static IP address allocation: support for iOS and Android mobile devices and support for RFC6598 addresses.
Simplified Onboarding Workflow
Organizations often face complex, manual setup processes when deploying SASE solutions, leading to delayed security protection. The Prisma® Access onboarding workflow addresses this challenge by providing a simplified initial setup process for new deployments. This guided workflow rapidly deploys and configures the necessary components for securing mobile users (via GlobalProtect® and Explicit Proxy) and for securing private applications (via Service Connection). By incorporating best-practice defaults, automating backend tasks, and seamlessly integrating the Cloud Identity Engine and Strata Cloud Manager with Prisma Access, this intuitive, action-oriented approach accelerates time-to-value and significantly reduces onboarding complexity.
Traffic Replication for Explicit Proxy: Enhanced Visibility for SASE
Traffic Replication for explicit proxy addresses the challenge enterprises face when transitioning from on-premises network security infrastructure to SASE by preserving access to your packet captures (PCAPs) for threat investigation, forensic analysis, and compliance requirements. Traffic replication makes a complete copy of the traffic traversing Prisma Access explicit proxy available for analysis.
When you enable Traffic replication for explicit proxy, Prisma Access captures and replicates all traffic, including SSL-decrypted content when configured with the appropriate decryption rules. This capability enables you to meet regulatory requirements. The replicated traffic is secured while in motion and at rest, with no alterations to the original packet form, ensuring both directions of communication are preserved without packet loss.
Traffic replication for explicit proxy extends the existing capabilities already available for mobile users and remote networks, providing consistent traffic visibility across all Prisma Access connection methods. You can use this feature with various third-party network detection and response (NDR) tools for enhanced security analytics. The replicated traffic is stored as PCAP files in Cloud Object Storage, where they remain available for 72 hours, giving your security teams adequate time to download and analyze the data with your preferred forensic tools.
You can enable Traffic replication selectively for specific explicit proxy locations to control data volume, and the system automatically accommodates auto scaling events and infrastructure changes to ensure continuous replication. The functionality operates without affecting existing Prisma Access performance or capabilities, providing you with valuable security insights without compromising the user experience.
Visibility for ZTNA Connector
Depending on your license for ZTNA Connector, you can see the following updates in Strata Cloud Manager for visibility:
Select the number next to Total Connector Groups, Total Wildcards, FQDN, or IP Subnet to get the details for each ZTNA object. You can see the status related to each ZTNA object (UP, Partially Up, Down). Additionally, you can now monitor a Wildcard's bandwidth by selecting Action.

WildFire Hold Mode Support
Preventing known malware from transferring while real-time signature lookups are underway often introduces a window of risk. If you have an active WildFire® or Advanced WildFire license, Prisma® Access now supports WildFire Hold Mode to immediately address this risk. Hold Mode enables you to configure Prisma® Access to hold the transfer of a sample file while the real-time signature cloud performs a signature lookup. When the lookup completes, Prisma Access releases the file to the requesting client (or blocks it, based on your organization's security policy for specific WildFire verdicts), preventing the initial transfer of known malware. You can configure Hold Mode on a per antivirus profile basis and apply a global setting for the signature lookup timeout and the associated action.
ZTNA Connector: Scalability Improvements
With your Prisma Access license or Private App add-on license, ZTNA Connector offers an enhancement that improves scalability, allowing users to onboard 20,000 applications per tenant across all Connector Groups.
ZTNA Connector: Streamlined Deployment and Expanded Regional Logging
Complex deployments, rigid licensing structures, and limited regional logging capabilities previously increased the administrative friction of adopting ZTNA Connector. These significant updates to the ZTNA Connector address these challenges by improving operational efficiency, expanding global visibility, and simplifying configuration.
Regional Support for Strata Logging Service
ZTNA Connector now supports sending logs to Strata Logging Service instances in new regions, addressing global data residency needs. The supported regions are:
- Indonesia
- Qatar
- Saudi Arabia
- Taiwan
Simplified Onboarding Workflow
Prisma® Access now offers a simplified Day 0 onboarding workflow to set up ZTNA Connector. This guided, step-by-step process helps you:
- Configure Prisma Access to secure private apps
- Apply best-practice defaults
- Automate backend tasks
- Integrate Cloud Identity Engine (CIE), Strata Cloud Manager, and Prisma Access
Streamlined Licensing
Prisma Access 6.0 introduces a streamlined licensing model for ZTNA Connector:
- You can now enable ZTNA Connector without a ZTNA Connector add-on license.
- Based on your existing Prisma Access licenses, you receive 10 ZTNA Connector licenses with the base license.
- If you purchase the Private Apps add-on, you unlock a number of Service Connections and ZTNA Connectors up to the limit supported by the product in each tenant.
Prisma Access 6.0 introduces new licensing for ZTNA Connector that streamlines the licensing structure, simplifies the process, and offers a more efficient approach.
This licensing model provides an option to enable ZTNA Connector without a ZTNA add-on license. Based on your Prisma Access licenses, you receive free but limited licenses. If you purchase an unlimited private apps add-on license, you get unlimited Service Connections and ZTNA Connectors.
Support for DNS SRV records and SCCM
ZTNA Connector now supports:
- DNS SRV queries, allowing clients to intelligently locate AD domain controllers using structured, priority-based FQDNs.
- SCCM integration, enabling the ZTNA Connector to direct software updates through the correct AD site’s distribution point.