New Features in Prisma Access 6.1

Where Can I Use This? | What Do I Need?
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
This section provides you with a list of new features in Prisma Access 6.1 Preferred and Innovation, along with the recommended and required software versions you need to use.

Recommended Software Versions for Prisma Access 6.1 Preferred and Innovation

There are two Prisma Access 6.1 versions:
  • 6.1 Preferred runs on a PAN-OS 11.2.7-h5 (coming soon) dataplane.
  • 6.1 Innovation runs on a PAN-OS 12.1.1 dataplane.
For Prisma Access 6.1 features, Palo Alto Networks recommends that you upgrade your Prisma Access to the following versions before installing the plugin.
Prisma Access Version: 6.1
Cloud Services Plugin Version: 6.1
Required Dataplane Version for 6.1:
  • 6.1 Preferred: Dependent on feature (PAN-OS 11.2.7-h5 (coming soon) is the baseline version for 6.1 Preferred)
  • 6.1 Innovation: PAN-OS 12.1.1
Recommended GlobalProtect Version:
  • 6.1.7+
  • 6.1.3+
  • 6.2.1+
  Minimum required versions for IPv6 Support for Public Apps for IP Optimization:
    • 6.2.6 client version for Windows and macOS
    • 6.2.7 for Linux
    • 6.1.7 for Android and iOS
Recommended Panorama Version:
  • 10.2.10+
  • 11.0.1+
  • 11.1.0
  • 12.1.1

Infrastructure, Plugin, and Dataplane Dependencies for Prisma Access 6.1 Preferred and Innovation Features

Prisma Access 6.1 features require one or more of the following components to function:
  • Infrastructure Upgrade—The infrastructure includes the underlying service back-end, orchestration, and monitoring infrastructure. Prisma Access upgrades the infrastructure before the general availability (GA) date of a Prisma Access release.
    Features that require only an infrastructure upgrade to be unlocked take effect for all Prisma Access deployments, regardless of version, at the time of the infrastructure upgrade.
  • Plugin Upgrade (Prisma Access Panorama Managed Deployments Only)—Installing the plugin activates the features that are available with that release. You download and install the plugin on the Panorama that manages Prisma Access.
    Prisma Access (Managed by Panorama) release 6.1 uses the Cloud Services Plugin 6.1.
  • Dataplane Upgrade—The dataplane enables traffic inspection and security policy enforcement on your network and user traffic.
    • For Prisma Access (Managed by Strata Cloud Manager), go to Manage > Configuration > NGFW and Prisma Access > Overview > Prisma Access Version.
    • For Prisma Access (Managed by Panorama) deployments, you can view your dataplane version by going to Panorama > Cloud Services > Configuration > Service Setup and viewing the Prisma Access Version. Prisma Access 6.1 Preferred runs PAN-OS 11.2.7-h5 (coming soon) and Prisma Access 6.1 Innovation runs PAN-OS 12.1.1.
A dataplane upgrade to 6.1 Innovation is optional, and is only required if you want to take advantage of the features that require a dataplane upgrade.
These features are activated with the infrastructure upgrade only for Prisma Access 6.1:
  • None
These features require an infrastructure upgrade, a minimum Cloud Services plugin version of 6.0, and a minimum dataplane of PAN-OS 11.2:
  • Cloud-Delivered Security Services Support for Prisma Access
These features require an infrastructure and plugin upgrade and require a minimum dataplane version of PAN-OS 11.2.7-h5 (coming soon), making them Prisma Access 6.1 Preferred features:
  • Response Page Customization and Context Passing
  • SaaS Policy Rule Recommendations for NGFW and Prisma Access
  • Server-Initiated Traffic Flow for Prisma Access ZTNA Connector
These features require an infrastructure, plugin, and dataplane upgrade to PAN-OS 12.1.1, making them Prisma Access 6.1 Innovation features:
  • CloudHSM Support for Prisma Access
  • SASE Private Location

Prisma Access 6.1 Features

The following table describes the new features that will be generally available with Prisma Access 6.1.

Cloud-Delivered Security Services Support for Prisma Access

Supported in: Prisma Access 6.1 Preferred and Innovation (minimum PAN-OS dataplane version of 11.2 required)
These features require a minimum Cloud Services plugin of 6.0 (for Prisma Access (Managed by Panorama) deployments only) and a minimum dataplane version of PAN-OS® 11.2.
To maintain a robust defense against emerging threats, Prisma Access now includes support for the following Cloud-Delivered Security Services (CDSS) capabilities:
  • Advanced DNS Security Powered by Precision AI®—The Advanced DNS Security service defends against sophisticated DNS-related threats to maintain network integrity and data security.
    • DNS hijacking and misconfiguration prevention—Meticulously detects and immediately blocks DNS hijacking (where attackers alter DNS records to redirect traffic) and accidental or malicious DNS misconfigurations. This ensures the integrity of DNS resolution by preventing unauthorized redirection through advanced monitoring and analysis.
    • Malicious traffic distribution system (TDS)—Combats threats hidden within malicious TDS—sophisticated attack frameworks that use complex DNS schemes to distribute malware and exploit kits. The service analyzes DNS traffic patterns to identify indicators of compromise (IOCs), effectively blocking access to these malicious distribution channels.
    • Domain masquerading protection—Safeguards against domain masquerading by identifying and blocking malicious domains that closely resemble legitimate ones (typosquatting). It uses cutting-edge AI and machine learning algorithms to analyze vast amounts of DNS data, detecting subtle patterns and characteristic behaviors associated with spoofed or malicious domains.
  • Advanced URL Filtering—Use Prisma Access to add support for the following categories:
    • Compromised website—This category specifically identifies legitimate websites that have been hacked or infected with malicious content. This allows you to use granular policy control to distinguish between inherently malicious sites and otherwise trustworthy sites that have been temporarily compromised.
    • File converter—This categorizes sites that allow users to convert, compress, or modify files. This new category helps organizations manage access to these tools, mitigating data leakage and compliance risks associated with unauthorized file sharing and modification.
    • ML-powered quishing (QR code) protection—Blocks quishing attacks by introducing an ML-powered QR code detector. This feature specifically addresses the growing threat of malicious QR codes embedded on legitimate websites, which attackers use to bypass the perimeter defenses of enterprise-protected networks and target unmanaged personal devices.
    • Deepfake content detection—Protects against hyper-realistic social engineering. A new deep learning model is active to identify and block malicious content featuring deepfake videos. This provides essential protection from attackers who use highly convincing deepfake impersonations of trusted individuals in phishing attacks.
  • Advanced WildFire® Powered by Precision AI—Enhanced defenses against evasive threats including a new deep learning model for PDF phishing, multi-CPU sandboxing for advanced malware, and ML-powered API Vector Categorization for fileless attacks.
    • PDF analysis for phishing—A new Convolutional Neural Network (CNN)-based deep learning model is available. This model analyzes the visual appearance (in addition to the text) of embedded URLs in PDF files to detect highly evasive, embedded phishing attacks that exploit the PDF format.
    • API vector categorization—Leverages Machine Learning (ML) to perform in-memory analysis of the patterns and sequences of API calls made by malware during runtime. This advanced approach creates a unique behavioral "fingerprint" (API Vector) to accurately identify and classify highly evasive, fileless, and memory-resident attacks that bypass conventional analysis.
    • Multi-CPU advanced dynamic analysis—Enhances Advanced Dynamic Analysis (sandboxing) by including multiple virtual CPUs (vCPUs) in the Windows guest sandbox environment. This capability is specifically designed to defeat sophisticated malware that evades detection by checking for and refusing to execute in single-CPU virtual environments.
  • Advanced Threat Prevention Powered by Precision AI—The following new features enhance threat detection, custom threat coverage, and protection against advanced data exfiltration attempts.
    • Exfiltration shield for advanced threat prevention—Introduces a sophisticated machine learning (ML) model to combat advanced data exfiltration. This feature focuses on detecting stealthy data egress over common protocols like DNS relay and HTTP headers, which are frequently used to bypass traditional security. Integration is seamless with existing Advanced DNS Security and ATP subscriptions.

CloudHSM Support on Prisma Access

Supported in: Prisma Access 6.1 Innovation
Do your security and compliance requirements prevent you from storing Transport Layer Security (TLS) private keys directly on your Prisma® Access service infrastructure for SSL decryption? This feature allows you to integrate with AWS CloudHSM or an on-premises hardware security module (HSM) solution to store and manage the issuing Certificate Authority (CA) private keys externally, enhancing the security of your cryptographic operations. The SSL decryption functionality on Prisma Access mandates that you bring your own public key infrastructure (PKI) to the platform or create a new self-signed PKI within Prisma Access. SSL decryption requires an issuing CA or forward trust certificate (consisting of public and private keys) to generate new certificates for visited sites and domains. By default, Prisma Access requires that all cryptographic secrets, including the TLS certificate private keys needed for SSL decryption, are stored inside the configuration file that resides on the Prisma Access service infrastructure and on each SPN that is part of the tenant. Because of security and compliance requirements, some Prisma Access customers prefer not to provide the TLS private keys to the Prisma Access infrastructure or have them reside on Prisma Access SPNs for SSL decryption operations.

FedRAMP Moderate Support

The Federal Risk and Authorization Management Program (FedRAMP) is a United States government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services for government users. Prisma Access demonstrates FedRAMP Moderate compliance.
This release adds FedRAMP Moderate support for the following features:
  • Encrypted DNS. This feature is provided as a preview and is only available upon request. It enables Prisma Access to act as a DNS proxy, allowing Federal customers to meet CISA mandates by securely forwarding all external DNS traffic to CISA’s DNS service using DNS over HTTPS (DoH) or DNS over TLS (DoT) protocols, while maintaining split DNS for internal domains and providing the compliance logging required by OMB mandates.
  • NGPA (IP Optimization). IP Optimization is a set of architectural enhancements that reduce the overall number of IP addresses in your deployment, simplifying your allow listing workflows while improving resiliency and enabling faster onboarding of Prisma Access tenants. It simplifies the management of IP addresses in a Mobile Users—GlobalProtect™ deployment. In deployments that don't use IP Optimization, you receive a single Mobile Users Security Processing Node (MU-SPN) for each Prisma Access location you allocate, and each node provides you with two egress IP addresses. Prisma Access uses the egress IP addresses to egress traffic to the internet, and you must also add these addresses to an allow list to give Prisma Access access to internet resources.

Granular Data Profiles

Granular data profiles enhance your Enterprise Data Loss Prevention (E-DLP) detection capabilities by allowing you to apply differentiated inline content inspection requirements and response actions within the same Security policy rule. For example, you can use a single granular data profile to block high-risk data patterns while alerting on lower-risk ones, set varying log severities for different data profiles, and set specific file types for each data profile included in the granular data profile.
Granular data profiles simplify policy rulebase management by consolidating multiple rules into a single, more flexible Security policy rule. Furthermore, they reduce false positive detections and allow your data security admins to achieve a more nuanced approach to data protection that aligns closely with your organization's risk management strategy while maintaining a lean and efficient Security policy rulebase.

Regional Cloud Mapping Updates for Advanced WildFire

For the Prisma Access 6.1 release, Prisma Access Compute locations for Spain, Saudi Arabia, and Qatar point to their respective regional WildFire cloud locations for sample processing.
Many organizations face strict data residency requirements that mandate the local processing and storage of security data. For certain Advanced WildFire customers using Prisma Access in select regions, using the local Advanced WildFire cloud for file analysis can lead to potential non-compliance issues with regional regulatory policies, preventing these customers from adopting the service.
To help you meet these regulatory obligations and ensure optimal performance, Prisma Access now automatically selects the nearest and most compliant WildFire® region based on the Prisma Access Compute location. This critical enhancement ensures all customer data processing and storage automatically adheres to regional requirements.
The selection process is fully automated in the back end, using a static mapping between your deployment region and the closest WildFire service instance. This capability removes the operational burden of manual regional configuration and guarantees that you receive the best possible security analysis experience from a regionally compliant service instance. The focus is placed entirely on the value gained: seamless compliance and better performance through automatic configuration.

Response Page Customization and Context Passing

Supported in: Prisma Access 6.1 Preferred and Innovation
Organizations previously faced limitations with consistent branding because current response pages provided restricted customization options, small buffer sizes, and complex workflows. The customizable response pages feature addresses these technical restrictions by expanding the response page buffer size to 45 KB and providing an intuitive upload interface for custom HTML templates. You can create detailed response pages that include stylesheets, images, and JavaScript, which allows you to maintain brand consistency while clearly communicating information to your users.
When users encounter blocked content or need to acknowledge policies, the response pages now pass specific context, such as user identity, URL category, and rule details. This contextual information helps users understand why access was blocked and provides administrators with troubleshooting data when users open support tickets. You can configure flexible match criteria based on source (IP addresses, hostname, users/groups) and destination (IP addresses, URL hostnames, URL category), and apply specific response pages for each scenario.
Enhancements to the Continue Pages feature enable you to set custom timers for different categories of content. The system tracks user acknowledgment within the platform and can report this information to external services. You can also configure URL redirects to guide users to organizational login pages without requiring custom JavaScript, making it simpler to implement corporate access policies for SaaS applications.
These enhancements deliver an improved administrative experience and create a more consistent and informative experience for end users. The solution scales to support large user populations while maintaining performance across your security infrastructure.

SASE Private Location

Supported in: Prisma Access 6.1 Innovation
When regulatory compliance, data sovereignty, and geographic location prevent you from using external cloud infrastructure, SASE Private Location enables you to deploy Prisma® Access services within your own infrastructure. This hybrid deployment model addresses compliance, data sovereignty, and geographic location requirements by keeping your network traffic and security processing within your premises, eliminating the need to route data through external cloud infrastructure. Using SASE Private Location, you can deploy agent-based Mobile Users in your data center. You continue to manage configurations, policy rules, and monitoring through the familiar Prisma Access UI.
Organizations in regulated industries, such as healthcare, financial services, and government sectors, benefit from SASE Private Location. These organizations often must comply with HIPAA regulations, data residency requirements, or FedRAMP standards that prohibit sending traffic to external cloud services. You can maintain the same Prisma Access security capabilities while ensuring that your data never leaves your controlled environment. This approach is valuable when you need low-latency access to critical applications or when your security policy rules mandate that network security functions operate within your physical premises. Use SASE Private Location when configuring your Prisma Access deployment to meet stringent compliance requirements.
The GlobalProtect® portal continues to operate from the cloud for global accessibility, while the gateways run locally behind load balancers in your environment, providing the optimal balance of centralized management and localized performance.
SASE Private Location eliminates the traditional choice between cloud managed security services and on-premises compliance requirements. You can achieve regulatory compliance without sacrificing the operational benefits of cloud management, automated updates, and centralized policy enforcement that characterize modern SASE architectures. This capability becomes essential when your organization requires air-gapped environments, operates in countries with strict data sovereignty laws, or maintains corporate policies that restrict the use of external cloud services for security functions.

Server-Initiated Traffic Flow for Prisma Access ZTNA Connector

Prisma® Access ZTNA Connector server-initiated traffic flow allows applications running in your data center to initiate connections to remote endpoints, solving a critical limitation where connections previously could only flow from clients to servers. This feature enables your data center servers to establish TCP, UDP, and ICMP connections to GlobalProtect® users, Remote Network hosts, and IP subnet hosts in other ZTNA Connector data centers.
When you enable server-initiated traffic on a ZTNA Connector group, you gain bidirectional communication capability without deploying separate Service Connections, significantly reducing operational overhead. Your data center applications can now proactively reach out to endpoints, which is essential for remote troubleshooting, device management, patch distribution, and Voice Over IP (VoIP) applications. For example, your IT helpdesk can use applications like TeamViewer or LogMeIn to remotely access and troubleshoot user devices, inventory management systems can scan and update remote endpoints, and VoIP servers can initiate calls to users on managed devices.
The server-initiated feature integrates with your existing network architecture through either static or dynamic routing. With dynamic BGP routing, your data center routers automatically learn routes to permitted destinations, simplifying network management. For security, you control which destinations your servers can initiate connections to by selecting specific mobile user pools, remote network prefixes, and ZTNA Connector IP subnet targets.
When server-initiated traffic is enabled, all outbound flows are source-NATed with the ZTNA Connector’s IPsec tunnel interface IP, ensuring consistent routing regardless of overlapping data center IP spaces. This approach maintains compatibility with existing security policies while allowing you to enforce more granular security through your data center firewall or at the destination endpoints. The server-initiated traffic feature works seamlessly with Dynamic DNS Updates, allowing data center applications to resolve connected GlobalProtect users.

Tenant Control for Google Workspace Applications

Organizations face a critical data protection challenge in needing to permit access to sanctioned corporate SaaS apps while blocking personal or unsanctioned instances of the same app. To address this, we introduced a CASB/DLP enhancement, Tenant Control for Google Workspace Applications. This session-tracking capability allows the system to identify the specific Google tenant (such as corporate your.company.com vs. personal gmail.com) a user is accessing. This enables administrators to create granular policies that permit sanctioned Google Workspace access while blocking or controlling personal accounts, directly preventing data exfiltration. This feature requires an active SaaS Inline license. See SaaS policy rule recommendations to help you understand which Google Workspace applications are included in this feature and how to enable this capability.