New Features - Prisma Access - 6.1 Preferred and Innovation


Additional Prisma Access Locations

Release Date: November 2025 | Last Updated: May 2026

Prisma Access adds the following locations.

Note: These locations support a limited functionality set; if you require additional functionality, we recommend that you onboard alternate locations.

  • Colombia Central (Chia)
  • France South East (Marseille)
  • India South Central (Hyderabad)
  • Israel Central (Jerusalem)
  • Mexico Northeast (Monterrey)
  • Saudi Arabia West (Jeddah)
  • US Midwest (Chicago)
  • US West Central (Phoenix)

CloudHSM Support on Prisma Access

Release Date: April 2025 | Last Updated: May 2026

This feature allows you to integrate with AWS CloudHSM or an on-premises hardware security module (HSM) solution to store and manage the issuing Certificate Authority (CA) private keys externally, enhancing the security of your cryptographic operations. The SSL decryption functionality on Prisma Access mandates that you bring your own public key infrastructure (PKI) to the platform or create a new self-signed PKI within Prisma Access. This feature requires an issuing CA or forward trust certificate (consisting of public and private keys) to generate new certificates for visited sites and domains. Prisma Access requires that all cryptographic secrets, including the TLS certificate private keys needed for SSL decryption, are stored inside the configuration file that resides on the Prisma Access service infrastructure and on each SPN that is part of the tenant. Because of security and compliance requirements, some Prisma Access customers prefer that the TLS private keys used for SSL decryption operations not be provided to the Prisma Access infrastructure or reside on Prisma Access SPNs.

Colo-Connect Monitoring

Release Date: November 2025 | Last Updated: May 2026

Monitor data on your Colo-Connect service connections to provide a comprehensive view of the health and connectivity of your deployment. Monitor Colo-Connect enables you to monitor your private connectivity to hybrid cloud and on-premises data centers over cloud interconnects.

Prisma Access Colo-Connect uses GCP interconnect technology to offer high-bandwidth service connections to your private applications. Colo-Connect can work alongside existing IPSec tunnel-based connections, allowing for private app access to smaller data centers with lower bandwidth requirements. Gain insight into your Colo-Connect deployment by checking metrics like the number of links and their status, throughput patterns, and details of individual tunnels, connections, and links.

NGFW Connector: Automated Private Application Access

Release Date: March 2026 | Last Updated: May 2026

Configure the new NGFW as Zero Trust Network Access (ZTNA) Connector to streamline secure private application access for Prisma® Access

Managing secure access to private applications often requires deploying multiple dedicated appliances, which increases operational overhead and infrastructure costs. The NGFW as Zero Trust Network Access (ZTNA) Connector addresses these challenges by leveraging your existing Palo Alto Networks® Next-Generation Firewalls (NGFWs) to bridge the gap between users and applications. This capability streamlines secure private application access for Prisma® Access users without requiring additional infrastructure.

By transforming your firewall into a ZTNA Connector, you reduce complexity through the automation of connectivity, NAT configurations, and application onboarding. You can achieve a unified security posture across your environment and automate your private application workflows to optimize resource allocation. This integrated approach ensures that security policies remain consistent while significantly reducing the time required to onboard new services across your distributed network architecture.

Additionally, Server Initiated Traffic for the NGFW Connector, managed by Panorama, extends network connectivity for data center application servers. This feature allows servers to initiate outbound TCP, UDP, and ICMP sessions to GlobalProtect users, Remote Network hosts, and ZTNA Connector or NGFW IP subnet targets, overcoming previous communication limitations. It integrates with existing NGFW capabilities for routing and security policy enforcement.

Post-Quantum Cryptography (PQC) Support for TLS Traffic

Release Date: March 2026 | Last Updated: May 2026

As environments transition from classical cryptography, such as RSA and elliptic-curve-based key exchange (ECDHE) used in TLS 1.2 and 1.3, to hybrid post-quantum encryption schemes, you need a way to maintain full security visibility without weakening protection. Prisma® Access supports PQC-ready TLS traffic handling and decryption workflows to solve this challenge.

By combining ECC with NIST-standardized algorithms like ML-KEM for quantum-resistant key establishment, Prisma Access ensures that your network remains secure against emerging quantum computing threats. You can safely inspect quantum-safe encrypted sessions to detect malware, ransomware, and data exfiltration hidden within these encrypted channels.

Private App Security

Release Date: October 2025 | Last Updated: May 2026

Enterprise private applications used by internal employees and contractors are often kept private because of their critical business data (such as intellectual property) or the difficulty in migrating them to a SaaS model. Because of the sensitive data they host, private apps are often prime targets for malicious actors. However, their internal accessibility often gives administrators a false sense of security.

While Secure Access Service Edge (SASE) and Zero Trust Network Access (ZTNA) principles such as least privilege access and data security contribute to protecting such private applications, they are still at risk of app-centric attacks (such as account takeovers [ATOs] and application logic exploits). These attacks increase the risk to applications, especially considering the prevalence of bring your own devices (BYODs) and "work from anywhere" environments, where compromised internal hosts should be a concern.

Prisma Access Private App Security not only offers foundational web application firewall (WAF) capabilities, such as protection against OWASP Top 10 attacks, rate limiters for DDoS protection, and bot controls, but also delivers next-generation functionality that enables admins to overcome the traditional WAF challenges described above and protect the modern app-verse. This includes:

  • Private App Security Intelligent Policy Recommendations, accompanied by rich impact evaluation reports, enable admins to maintain a strong app security posture while minimizing the risk of unintended effects when adopting new policies.
  • Automatic App Fingerprinting allows Private App Security to accurately detect anomalies in the app based on app usage behaviors, providing high efficacy against new, sophisticated day-0 attacks.

Private App Security is a Prisma SASE native component, providing complete visibility into all app traffic, regardless of user, device, or destination. This unique architectural advantage over legacy WAF solutions provides:

  • Automatic discovery of private app inventory
  • Critical contextual insights into the sources of detected attacks, such as user-ID, device-ID, branch, and location. These details are critical when mitigating a compromised host.

SASE Private Location

Release Date: November 2025 | Last Updated: May 2026

When regulatory compliance, data sovereignty, and geographic location prevent you from using external cloud infrastructure, SASE Private Location enables you to deploy Prisma® Access services within your own infrastructure. This hybrid deployment model addresses compliance, data sovereignty, and geographic location requirements by keeping your network traffic and security processing within your premises, eliminating the need to route data through external cloud infrastructure. Using SASE Private Location, you can deploy agent-based Mobile Users in your data center. You continue to manage configurations, policy rules, and monitoring through the familiar Prisma Access UI.

Organizations in regulated industries, such as healthcare, financial services, and government sectors, benefit from SASE Private Location. These organizations often must comply with HIPAA regulations, data residency requirements, or FedRAMP standards that prohibit sending traffic to external cloud services. You can maintain the same Prisma Access security capabilities while ensuring that your data never leaves your controlled environment. This approach is valuable when you need low-latency access to critical applications or when your security policy rules mandate that network security functions operate within your physical premises. Use SASE Private Location when configuring your Prisma Access deployment to meet stringent compliance requirements.

The GlobalProtect® portal continues to operate from the cloud for global accessibility, while the gateways run locally behind load balancers in your environment, providing the optimal balance of centralized management and localized performance.

SASE Private Location eliminates the traditional choice between cloud managed security services and on-premises compliance requirements. You can achieve regulatory compliance without sacrificing the operational benefits of cloud management, automated updates, and centralized policy enforcement that characterize modern SASE architectures. This capability becomes essential when your organization requires air-gapped environments, operates in countries with strict data sovereignty laws, or maintains corporate policies that restrict the use of external cloud services for security functions.

Selective Acceleration by Port

Release Date: October 2025 | Last Updated: May 2026

App Acceleration selective port control enables you to specify which network traffic receives acceleration based on destination server ports. This lets you boost application performance while maintaining granular control over which apps’ TCP traffic is accelerated.

You would typically use selective acceleration by port when you need to accelerate only specific apps while leaving other apps unaffected. For example, you can configure acceleration for only SMB traffic on standard ports like 445 or NetBIOS ports 137-139, enabling you to quickly realize performance benefits for targeted apps.

You can use this feature to exclude custom or legacy apps from acceleration due to compatibility concerns. Proactively excluding apps from acceleration prevents potential issues with apps that don't interact well with acceleration technology.

Selective Acceleration by Port integrates seamlessly with other Prisma® Access services, preventing conflicts while maintaining the security and functionality of your other Prisma Access services.

Tenant Control for Google Workspace Applications

Release Date: November 2025 | Last Updated: May 2026

Organizations face a critical data protection challenge in needing to permit access to sanctioned corporate SaaS apps while blocking personal or unsanctioned instances of the same app. To address this, we introduced a CASB/DLP enhancement, Tenant Control for Google Workspace Applications. This session-tracking capability allows the system to identify the specific Google tenant (such as corporate your.company.com vs. personal gmail.com) a user is accessing. This enables administrators to create granular policies that permit sanctioned Google Workspace access while blocking or controlling personal accounts, directly preventing data exfiltration. This feature requires an active SaaS Inline license. See SaaS policy rule recommendations to help you understand which Google Workspace applications are included in this feature and how to enable this capability.

View and Monitor Native IPv6 Compatibility

Release Date: November 2023 | Last Updated: May 2026

If you use IPv6 networking in your Mobile Users: GlobalProtect deployment, you can configure Prisma Access to use IPv6 addresses in your mobile user networking. To view information about IPv6 in your GlobalProtect deployment, go to Activity Insights > Users in Strata Cloud Manager Command Center.