Focus

Prisma Access

Changes to Default Behavior for Prisma Access 6.1

Table of Contents

Filter

Expand All | Collapse All

Prisma Access Docs

Release Notes
Select a Document
- 6.1 Preferred and Innovation
- 6.0 Preferred and Innovation
- 5.2 Preferred and Innovation
- 5.1 Preferred and Innovation
- 5.0 Preferred and Innovation
- 4.2 Preferred
- 4.1 Preferred
- 4.0 Preferred
- 3.2 Preferred and Innovation
- 3.1 Preferred and Innovation
- 3.0 Preferred and Innovation
- 2.2 Preferred
Activation & Onboarding
Administration
Select a Document
- 4.0 & Later
- Prisma Access China
Integrations
Incidents & Alerts

New Features in Prisma Access 6.1

Prisma Access Known Issues

Changes to Default Behavior for `Prisma Access` 6.1

Where Can I Use This?	What Do I Need?
Prisma Access (Managed by Strata Cloud Manager) Prisma Access (Managed by Panorama)	Prisma Access license Prisma Access 6.1 version required

The following table details the changes in default behavior for Prisma Access version 6.1.

Component	Change
Location Groups Changing for the Mexico Central and Mexico West Mobile User Locations	The Mexico Central and Mexico West locations are changing their IP pool location group starting with the Prisma Access 6.1 release. You must take action if you have configured mobile user IP address pools for these locations based on location groups. If you have enabled the `Prisma Access`Mexico Central or Mexico West mobile user locations, and if you have configured Client IP Pool allocation based on the following legacy groups, you need to take action: A Mexico Central mobile user IP address pool assigned to ip-pool-group-31 (US-Central). Mexico Westmobile user IP address pool assigned to ip-pool-group-23 (US-Western). If you have not configured IP address pools based on these location groups, no action is required. The location groups are changing for the Mexico Central and Mexico West mobile user IP pool groups. The Mexico Central location group is changing from ip-pool-group-31 (US-Central) to ip-pool-group-1 (US-Eastern). The Mexico West location group is changing from ip-pool-group-23 (US-Western) to ip-pool-group-1 (US-Eastern). This change might cause connectivity issues if you have allowlisted access to internal applications based on the IP address. To align with the updated Private IP allocation structure, if you are affected, you must perform the following steps immediately: Preallocate public IP address for Mexico Central and Mexico West `Prisma Access` location using APIs, or contact your Palo Alto Networks account representative to assist with this process. Allow list these public IP addresses in your SaaS applications. Deboard the Mexico Central `Prisma Access` location. Deboard the Mexico West `Prisma Access` location. Push your configuration (Push ConfigPush for `Prisma Access (Managed by Strata Cloud Manager)` deployments or CommitCommit & Push `Prisma Access (Managed by Panorama)` deployments) to save the changes After the push is successful, re-onboard the Mexico Central and Mexico West PA locations. Configuring new mobile user IP address pool allocation for users coming from these locations, using the new, correct pool group: US-Eastern (ip-pool-group-1).
Remove TLS Max Version of Max for Mobile Users—GlobalProtect Deployments	For Mobile Users—GlobalProtect deployments, if you have TLS Protocol Settings enabled (PanoramaCloud ServicesConfigurationMobile Users—GlobalProtect`<hostname>`GeneralTLS Protocol Settings and have a Max Version of Max, change the protocol version to either TLSv1.2 or TLSv1.3 before upgrading your Cloud Services plugin to 6.1. Failure to do so will cause a commit validation error after you upgrade.

Component

Change

Location Groups Changing for the Mexico Central and Mexico West Mobile User Locations

The Mexico Central and Mexico West locations are changing their IP pool location group starting with the Prisma Access 6.1 release. You must take action if you have configured mobile user IP address pools for these locations based on location groups.

If you have enabled the Prisma AccessMexico Central or Mexico West mobile user locations, and if you have configured Client IP Pool allocation based on the following legacy groups, you need to take action:

A Mexico Central mobile user IP address pool assigned to ip-pool-group-31 (US-Central).
Mexico Westmobile user IP address pool assigned to ip-pool-group-23 (US-Western).

If you have not configured IP address pools based on these location groups, no action is required.

The location groups are changing for the Mexico Central and Mexico West mobile user IP pool groups.

The Mexico Central location group is changing from ip-pool-group-31 (US-Central) to ip-pool-group-1 (US-Eastern).
The Mexico West location group is changing from ip-pool-group-23 (US-Western) to ip-pool-group-1 (US-Eastern).

This change might cause connectivity issues if you have allowlisted access to internal applications based on the IP address.

To align with the updated Private IP allocation structure, if you are affected, you must perform the following steps immediately:

Preallocate public IP address for Mexico Central and Mexico West Prisma Access location using APIs, or contact your Palo Alto Networks account representative to assist with this process.
Allow list these public IP addresses in your SaaS applications.
Deboard the Mexico Central Prisma Access location.
Deboard the Mexico West Prisma Access location.
Push your configuration (Push ConfigPush for Prisma Access (Managed by Strata Cloud Manager) deployments or CommitCommit & Push Prisma Access (Managed by Panorama) deployments) to save the changes
After the push is successful, re-onboard the Mexico Central and Mexico West PA locations.
Configuring new mobile user IP address pool allocation for users coming from these locations, using the new, correct pool group: US-Eastern (ip-pool-group-1).

Remove TLS Max Version of Max for Mobile Users—GlobalProtect Deployments

For Mobile Users—GlobalProtect deployments, if you have TLS Protocol Settings enabled (PanoramaCloud ServicesConfigurationMobile Users—GlobalProtect<hostname>GeneralTLS Protocol Settings and have a Max Version of Max, change the protocol version to either TLSv1.2 or TLSv1.3 before upgrading your Cloud Services plugin to 6.1. Failure to do so will cause a commit validation error after you upgrade.

New Features in Prisma Access 6.1

Prisma Access Known Issues

Prisma Access Docs

Changes to Default Behavior for Prisma Access 6.1

Prisma Access Docs

Changes to Default Behavior for `Prisma Access` 6.1

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner