New Features - Prisma Access - 6.1 Preferred and Innovation


Additional Prisma Access Locations

Release Date: November 2025 | Last Updated: May 2026

Prisma Access adds the following locations.

Note: These locations support a limited functionality set; if you require additional functionality, we recommend that you onboard alternate locations.

  • Colombia Central (Chia)
  • France South East (Marseille)
  • India South Central (Hyderabad)
  • Israel Central (Jerusalem)
  • Mexico Northeast (Monterrey)
  • Saudi Arabia West (Jeddah)
  • US Midwest (Chicago)
  • US West Central (Phoenix)

Advanced WildFire Regional Cloud Mapping Updates for Prisma Access

Release Date: November 2025 | Last Updated: May 2026

Many organizations face strict data residency requirements that mandate the local processing and storage of security data. For certain Advanced WildFire customers using Prisma Access in select regions, using the local Advanced WildFire cloud for file analysis can lead to potential non-compliance issues with regional regulatory policies, preventing these customers from adopting the service.

To help you meet these regulatory obligations and ensure optimal performance, Prisma Access now automatically selects the nearest and most compliant WildFire® region based on the Prisma Access Compute location. This critical enhancement ensures all customer data processing and storage automatically adheres to regional requirements.

The selection process is fully automated in the back end, using a static mapping between your deployment region and the closest WildFire service instance. This capability removes the operational burden of manual regional configuration and guarantees that you receive the best possible security analysis experience from a regionally compliant service instance. The focus is placed entirely on the value gained: seamless compliance and better performance through automatic configuration.

For the Prisma Access 6.1 release, Prisma Access Compute locations for Spain, Saudi Arabia, and Qatar point to their respective regional WildFire cloud locations for sample processing.

Audio Passthrough for Privileged Remote Access RDP Sessions

Release Date: February 2026 | Last Updated: May 2026

When users accessing remote desktops through a web browser cannot hear audio from applications running on the remote server, they are prevented from using applications that require audio output such as training videos, notification alerts, or communication tools. You can enable audio passthrough in a Privileged Remote Access (PRA) profile to allow audio from the remote RDP server to be heard on the user's device. Audio passthrough is disabled by default in the default PRA profile. You configure this setting per PRA profile, which allows you to enable audio for specific user groups or application types based on your security requirements. This configuration is only available for RDP applications.

Brazil Southeast and UK West Locations and Compute Locations

Release Date: March 2026 | Last Updated: May 2026

To improve application performance and meet strict regional data residency requirements, Prisma® Access adds two new compute locations in the Brazil Southeast and UK West regions. This expansion addresses the challenge of high latency for users in these areas by providing localized processing power closer to the end user.

When you configure your deployment, you can now leverage these mappings:

  • The Brazil Southeast location maps to the Brazil Southeast compute location and is in IP pool group 13.

  • The UK West location maps to the UK West compute location and is in IP pool group 4.

Because these regions currently support a subset of full Prisma Access capabilities, review the Prisma Access locations list when planning your rollout to understand the specific functional limitations for locations denoted with an asterisk. Integrating these new compute locations allows for better traffic distribution and ensures a more responsive user experience for your global workforce.

Cloud-Delivered Security Services Support for Prisma Access

Release Date: March 2026 | Last Updated: May 2026

To maintain a robust defense against emerging threats, Prisma Access now includes support for the following Cloud-Delivered Security Services (CDSS) capabilities:

Note: These features require a minimum Cloud Services plugin of 6.0 (for Prisma Access (Managed by Panorama) deployments only) and a minimum dataplane version of PAN-OS® 11.2.

  • Advanced DNS Security Powered by Precision AI® —The Advanced DNS Security service defends against sophisticated DNS-related threats to maintain network integrity and data security.
    • DNS hijacking and misconfiguration prevention —Meticulously detects and immediately blocks DNS hijacking (where attackers alter DNS records to redirect traffic) and accidental or malicious DNS misconfigurations. This ensures the integrity of DNS resolution by preventing unauthorized redirection through advanced monitoring and analysis.

    • Malicious traffic distribution system (TDS) —Combats threats hidden within malicious TDS—sophisticated attack frameworks that use complex DNS schemes to distribute malware and exploit kits. The service analyzes DNS traffic patterns to identify indicators of compromise (IOCs), effectively blocking access to these malicious distribution channels.

    • Domain masquerading protection —Safeguards against domain masquerading by identifying and blocking malicious domains that closely resemble legitimate ones (typosquatting). It uses cutting-edge AI and machine learning algorithms to analyze vast amounts of DNS data, detecting subtle patterns and characteristic behaviors associated with spoofed or malicious domains.

  • Advanced URL Filtering —Use Prisma Access to add support for the following categories:
    • Compromised website —This category specifically identifies legitimate websites that have been hacked or infected with malicious content. This allows you to use granular policy control to distinguish between inherently malicious sites and otherwise trustworthy sites that have been temporarily compromised.
    • File converter —This categorizes sites that allow users to convert, compress, or modify files. This new category helps organizations manage access to these tools, mitigating data leakage and compliance risks associated with unauthorized file sharing and modification.
    • ML-powered quishing (QR code) protection —Blocks quishing attacks by introducing an ML-powered QR code detector. This feature specifically addresses the growing threat of malicious QR codes embedded on legitimate websites, which attackers use to bypass the perimeter defenses of enterprise-protected networks and target unmanaged personal devices.

    • Deepfake content detection —Protects against hyper-realistic social engineering. A new deep learning model is active to identify and block malicious content featuring deepfake videos. This provides essential protection from attackers who use highly convincing deepfake impersonations of trusted individuals in phishing attacks.

  • Advanced WildFire® Powered by Precision AI —Enhanced defenses against evasive threats including a new deep learning model for PDF phishing, multi-CPU sandboxing for advanced malware, and ML-powered API Vector Categorization for fileless attacks.
    • PDF analysis for phishing —A new Convolutional Neural Network (CNN)-based deep learning model is available. This model analyzes the visual appearance (in addition to the text) of embedded URLs in PDF files to detect highly evasive, embedded phishing attacks that exploit the PDF format.
    • API vector categorization —Leverages Machine Learning (ML) to perform in-memory analysis of the patterns and sequences of API calls made by malware during runtime. This advanced approach creates a unique behavioral "fingerprint" (API Vector) to accurately identify and classify highly evasive, fileless, and memory-resident attacks that bypass conventional analysis.
    • Multi-CPU advanced dynamic analysis —Enhances Advanced Dynamic Analysis (sandboxing) by including multiple virtual CPUs (vCPUs) in the Windows guest sandbox environment. This capability is specifically designed to defeat sophisticated malware that evades detection by checking for and refusing to execute in single-CPU virtual environments.
  • Advanced Threat Prevention Powered by Precision AI —The following new features enhance threat detection, custom threat coverage, and protection against advanced data exfiltration attempts.
    • Exfiltration shield for advanced threat prevention —Introduces a sophisticated machine learning (ML) model to combat advanced data exfiltration. This feature focuses on detecting stealthy data egress over common protocols like DNS relay and HTTP headers, which are frequently used to bypass traditional security. Integration is seamless with existing Advanced DNS Security and ATP subscriptions.

CloudHSM Support on Prisma Access

Release Date: November 2025 | Last Updated: May 2026

This feature allows you to integrate with AWS CloudHSM or an on-premises hardware security module (HSM) solution to store and manage the issuing Certificate Authority (CA) private keys externally, enhancing the security of your cryptographic operations. The SSL decryption functionality on Prisma Access mandates that you bring your own public key infrastructure (PKI) to the platform or create a new self-signed PKI within Prisma Access. This feature requires an issuing CA or forward trust certificate (consisting of public and private keys) to generate new certificates for visited sites and domains. Prisma Access requires that all cryptographic secrets, including the TLS certificate private keys needed for SSL decryption, are stored inside the configuration file that resides on the Prisma Access service infrastructure and on each SPN that is part of the tenant. For security and compliance reasons, some Prisma Access customers prefer not to provide the TLS private keys on PA infrastructure or have them reside on PA SPNs for SSL decryption operations.

Configurable Compressed File Level Inspection for Advanced WildFire

Release Date: March 2026 | Last Updated: May 2026

Attackers frequently hide malicious payloads deep within nested compressed files to evade standard security scanning tools that only inspect initial layers. To combat this evasive technique and strengthen your protection against advanced threats, the ability to inspect deeply compressed content has been expanded to include Prisma Access.

This feature increases the depth to which Prisma Access can decode encoded or compressed files, such as those using the ZIP format, from the default four levels up to a maximum of seven levels. Once decoded, the system automatically inspects the internal file and forwards unknown files for Advanced WildFire® analysis. This ensures that threats concealed within seven layers of compression are fully revealed and blocked by your security policies.

Because enabling higher compression depths can significantly impact performance, adjustments to the default depth should be closely monitored to ensure system stability. If your security requirements necessitate increasing the decoding depth beyond the default four levels, Palo Alto Networks recommends incrementally increasing the compressed file level inspection, starting with the minimum value that meets the security requirements for inspecting compressed files.
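The effect of the decode depth described above can be reproduced offline. The following is an added example, not Palo Alto Networks code and not a description of how Prisma Access implements the feature: it builds a constructed, harmless nested ZIP and shows which layers a depth-limited inspector never reaches, and how much more data it decodes as the depth grows. The function names, the marker string, and the byte budget are assumptions made for illustration.

```python
import io
import zipfile

DEFAULT_DEPTH = 4  # default decode depth stated on this page
MAX_DEPTH = 7      # maximum decode depth stated on this page
MARKER = b"CONSTRUCTED-TEST-MARKER"  # harmless stand-in for content a scanner looks for


def build_nested_zip(layers, payload=MARKER):
    """Wrap payload in `layers` levels of ZIP compression (constructed sample)."""
    data, name = payload, "inner.txt"
    for level in range(layers):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
            zf.writestr(name, data)
        data, name = buf.getvalue(), f"layer{level + 1}.zip"
    return data


def inspect_archive(blob, max_depth, max_total_bytes=10_000_000):
    """Decode at most max_depth layers and report what was left uninspected.

    max_total_bytes is a hypothetical decompression budget: deeper decoding
    costs more work, so the inspector stops before exceeding it.
    """
    result = {"marker_found": False, "deepest_decoded": 0,
              "bytes_decoded": 0, "budget_exceeded": False, "uninspected": []}

    def walk(data, depth, path):
        if not zipfile.is_zipfile(io.BytesIO(data)):
            # Reached a non-archive file: this is the content actually scanned.
            if MARKER in data:
                result["marker_found"] = True
            return
        if depth >= max_depth:
            # Still an archive, but the depth limit is used up: blind spot.
            result["uninspected"].append(path)
            return
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                member_path = f"{path}/{info.filename}"
                # Check the declared size before decompressing anything.
                if result["bytes_decoded"] + info.file_size > max_total_bytes:
                    result["budget_exceeded"] = True
                    result["uninspected"].append(member_path)
                    continue
                member = zf.read(info)
                result["bytes_decoded"] += len(member)
                result["deepest_decoded"] = max(result["deepest_decoded"], depth + 1)
                walk(member, depth + 1, member_path)

    walk(blob, 0, "<root>")
    return result


def smallest_sufficient_depth(blob):
    """Lowest depth between the default and the maximum that leaves nothing
    uninspected, mirroring the advice to raise the depth incrementally."""
    for depth in range(DEFAULT_DEPTH, MAX_DEPTH + 1):
        if not inspect_archive(blob, depth)["uninspected"]:
            return depth
    return None  # nested deeper than the maximum supported depth


if __name__ == "__main__":
    for layers in (4, 5, 7, 8):
        sample = build_nested_zip(layers)
        for depth in (DEFAULT_DEPTH, MAX_DEPTH):
            r = inspect_archive(sample, depth)
            print(f"layers={layers} depth={depth} found={r['marker_found']} "
                  f"decoded={r['bytes_decoded']}B uninspected={r['uninspected']}")
        print(f"layers={layers} smallest sufficient depth: "
              f"{smallest_sufficient_depth(sample)}")
```

The `uninspected` list is the useful output when tuning: a non-empty list at the current depth is the evidence for raising it by one level, and `bytes_decoded` shows what each extra level costs.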

Update:

Firewall support added in PAN-OS 11.0.

Prisma Access support added in the Prisma Access 6.1.0 release.

Note: To enable configuration for compressed file level inspection, reach out to your Palo Alto Networks account team.

Customizable Authentication Timers for Dynamic Privilege Access

Release Date: March 2026 | Last Updated: May 2026

Organizations with stringent security requirements need the ability to enforce periodic validation to ensure continuous trust verification of user identities. Dynamic Privilege Access-enabled Prisma® Access Agents already deliver continuous trust verification today by seamlessly validating the user in the background without disrupting the end-user experience. Augmenting this capability, Prisma Access Agent now enables you to configure how frequently users are prompted to re-authenticate, with customizable intervals ranging from 10 hours to 30 days. You can set customizable warning timers to notify users before re-authentication is required, preventing unexpected disconnections and workflow disruption. The feature introduces a re-authentication frequency setting that controls user refresh token lifetime globally across your deployment. For stricter security enforcement, you can enable aggressive authentication to force immediate re-authentication when users connect or extend gateway sessions. The gateway session timeout setting has been renamed for clarity and notification preferences are now managed at the global level.

Disable ZTNA Connector

Release Date: March 2026 | Last Updated: May 2026

ZTNA Connector off-boarding allows you to disable ZTNA Connector and all associated dependencies within your environment. This capability streamlines ZTNA infrastructure lifecycle management by ensuring the complete, irreversible removal of Connectors, Connector Groups, and application targets. Be aware that this action immediately terminates all active user sessions and permanently deletes associated objects, impacting private application access.

Extended Location Support for App Acceleration

Release Date: March 2025 | Last Updated: May 2026

App Acceleration adds support for the following Prisma® Access locations:

  • Bahrain
  • China
  • Ireland
  • South Africa West
  • Sweden
  • United Arab Emirates

Granular Data Profiles

Release Date: November 2025 | Last Updated: May 2026

Prisma Access support added in the Prisma Access 6.1.0 release.

Granular data profiles enhance your Enterprise Data Loss Prevention (E-DLP) detection capabilities by allowing you to apply differentiated inline content inspection requirements and response actions within the same Security policy rule. For example, you can use a single granular data profile to block high-risk data patterns while alerting on lower-risk ones, set varying log severities for different data profiles, and set specific file types for each data profile included in the granular data profile.

Granular data profiles simplify policy rulebase management by consolidating multiple rules into a single, more flexible Security policy rule. Furthermore, they reduce false positive detections and allow your data security admins to achieve a more nuanced approach to data protection that aligns closely with your organization's risk management strategy while maintaining a lean and efficient Security policy rulebase.

MACsec Encryption for Dedicated Colo-Connect Links in Strata Cloud Manager

Release Date: March 2026 | Last Updated: June 2026

You can now secure your dedicated Colo-Connect links in Prisma® Access deployments managed by Strata Cloud Manager using MACsec encryption. Previously available only for Panorama-managed environments, MACsec prevents data interception on physical dedicated links by securing Layer 2 traffic. It provides hardware-level encryption to ensure confidentiality, data integrity, and anti-replay protection—all with zero performance impact.

Refer to the Prisma Access Administration Guide for detailed configuration requirements and setup workflows to implement Colo-Connect MACsec encryption in your production environment.

NGFW Connector: Automated Private Application Access

Release Date: March 2026 | Last Updated: May 2026

Configure the new NGFW as Zero Trust Network Access (ZTNA) Connector to streamline secure private application access for Prisma® Access.

Managing secure access to private applications often requires deploying multiple dedicated appliances, which increases operational overhead and infrastructure costs. The NGFW as Zero Trust Network Access (ZTNA) Connector addresses these challenges by leveraging your existing Palo Alto Networks® Next-Generation Firewalls (NGFWs) to bridge the gap between users and applications. This capability streamlines secure private application access for Prisma® Access users without requiring additional infrastructure.

By transforming your firewall into a ZTNA Connector, you reduce complexity through the automation of connectivity, NAT configurations, and application onboarding. You can achieve a unified security posture across your environment and automate your private application workflows to optimize resource allocation. This integrated approach ensures that security policies remain consistent while significantly reducing the time required to onboard new services across your distributed network architecture.

Additionally, Server Initiated Traffic for the NGFW Connector, managed by Panorama, extends network connectivity for data center application servers. This feature allows servers to initiate outbound TCP, UDP, and ICMP sessions to GlobalProtect users, Remote Network hosts, and ZTNA Connector or NGFW IP subnet targets, overcoming previous communication limitations. It integrates with existing NGFW capabilities for routing and security policy enforcement.

Post-Quantum Cryptography (PQC) Support for TLS Traffic

Release Date: March 2026 | Last Updated: May 2026

As environments transition from classical cryptography, such as RSA and elliptic-curve-based key exchange (ECDHE) used in TLS 1.2 and 1.3, to hybrid post-quantum encryption schemes, you need a way to maintain full security visibility without weakening protection. Prisma® Access supports PQC-ready TLS traffic handling and decryption workflows to solve this challenge.

By combining ECC with NIST-standardized algorithms like ML-KEM for quantum-resistant key establishment, Prisma Access ensures that your network remains secure against emerging quantum computing threats. You can safely inspect quantum-safe encrypted sessions to detect malware, ransomware, and data exfiltration hidden within these encrypted channels.

Prisma Access Support for PAN-OS 12.1 Features

Release Date: November 2025 | Last Updated: May 2026

Prisma® Access simplifies the challenge of maintaining a unified security posture across your next-generation firewall and Secure Access Service Edge (SASE) environment by integrating the latest PAN-OS® software. This update extends key security capabilities introduced in PAN-OS 12.1 to your Prisma Access deployment. This functionality provides a more consistent, zero-trust framework for access to public and private apps for users and branch sites, closing security gaps that arise from managing disparate platforms.

Prisma Access supports the following PAN-OS 12.1 features:

Prisma SASE 5G Advanced Monitoring

Release Date: November 2025 | Last Updated: May 2026

The Prisma 5G SASE feature has been enhanced to deliver deeper monitoring, richer observability, and a more streamlined configuration experience for both RADIUS and API-based integrations. The configuration workflow is also enhanced and combined with the Service Provider Interconnect (SPI) workflow, enabling administrators to configure and monitor 5G and interconnect environments seamlessly from a unified interface.

Key Enhancements

Unified Configuration Workflow

  • Administrators can define the connection type (RADIUS or API) during setup.

  • Enables end-to-end configuration and monitoring across both 5G and SPI environments.

Enhanced 5G SASE Monitoring

  • Existing monitoring capabilities are extended with dynamic metrics that adjust automatically based on the selected integration type.

  • Provides detailed proxy and API usage metrics, including:

    • Active, added, and cleared mappings.

    • Connection and processing status for each interface.

New UE Mapping Tab

  • Introduced within the SASE Monitoring feature to deliver comprehensive device-level visibility.

  • Supports search and filter options for IMSI, IMEI, IP address, tenant, and region.

  • Features a simplified UE Metrics Trend widget to track 5G registration and unknown IP trends, enabling quick analysis of user activity and connection patterns.

Private App Security

Release Date: October 2025 | Last Updated: May 2026

Enterprise private applications used by internal employees and contractors are often kept private because of their critical business data (such as intellectual property) or the difficulty in migrating them to a SaaS model. Because of the sensitive data they host, private apps are often prime targets for malicious actors. However, their internal accessibility often gives administrators a false sense of security.

While Secure Access Service Edge (SASE) and Zero Trust Network Access (ZTNA) principles such as least privilege access and data security contribute to protecting such private applications, they are still at risk of app-centric attacks (such as account takeovers [ATOs] and application logic exploits). These attacks increase the risk to applications, especially considering the prevalence of bring your own devices (BYODs) and "work from anywhere" environments, where compromised internal hosts should be a concern.

Prisma Access Private App Security not only offers foundational web application firewall (WAF) capabilities, such as protection against OWASP Top 10 attacks, rate limiters for DDoS protections, and bot controls, but also delivers next-generation functionalities that enable admins to overcome the traditional WAF challenges described above and protect the modern app-verse. This includes:

  • Private App Security Intelligent Policy Recommendations, accompanied by rich impact evaluation reports, enable admins to maintain a strong app security posture while minimizing the risk of unintended effects when adopting new policies.
  • Automatic App Fingerprinting allows Private App Security to accurately detect anomalies in the app based on app usage behaviors, providing high efficacy against new, sophisticated day-0 attacks.

Private App Security is a Prisma SASE native component, providing complete visibility into all app traffic, regardless of user, device, or destination. This unique architectural advantage over legacy WAF solutions provides:

  • Automatic discovery of private app inventory

  • Critical contextual insights for the sources of the detected attacks, such as user-ID, device-ID, branch, and location. These are critical details in the mitigation process of a compromised host.

Remote Networks Enhanced with Non-IPsec Support

Release Date: November 2025 | Last Updated: June 2026

You can now configure Remote Networks using the Service Provider Interconnect (SP Interconnect) option to enable Native IP connectivity for high-bandwidth sites without relying on IPsec tunnels. This capability streamlines the onboarding of large campus and branch networks while supporting scalable, high-performance traffic flows.

During configuration, service providers can define key parameters such as transport type, bandwidth, routing, and VLAN attachments to align with network design and throughput needs. To ensure seamless bidirectional communication, static routes must be created based on branch CIDRs and advertised by the Service Provider colocation router, enabling efficient and reliable traffic exchange between Prisma Access and customer networks.

Response Page Customization and Context Passing

Release Date: November 2025 | Last Updated: May 2026

The current response pages provided restricted customization options, small buffer sizes, and complex workflows. For Prisma Access Mobile users, the customizable response pages feature addresses the technical restrictions by expanding the response page size and providing an intuitive upload interface for custom HTML templates. You can create detailed response pages that include variables, stylesheets, images, and JavaScript, which allows you to maintain brand consistency while clearly communicating information to your users.

Using Internet Security policies, you can configure flexible match criteria based on source (IP addresses, hostname, users/groups) and destination (IP addresses, URL hostnames, URL category), and apply specific response pages for each scenario.

When users encounter blocked content or need to acknowledge policies, the response pages now pass specific context, such as user identity, URL category, and rule details. These enhancements deliver an improved administrative experience and create a more consistent and informative experience for end users. The solution scales to support large deployments while maintaining performance across your security infrastructure.

SaaS Policy Rule Recommendations for NGFW and Prisma Access

Release Date: October 2025 | Last Updated: June 2026

Managing security policy rules for numerous SaaS applications across various deployment points can be complex and time-consuming. SaaS policy rule recommendations simplify this process by allowing you to create, apply, or copy recommendations for your network security administrators. SaaS Security Inline pushes SaaS policy rule recommendations to your NGFW or Prisma® Access. Your NGFW administrator or Prisma Access administrator will see your policy rule recommendations in the NGFW web interface or Prisma Access web interface, then accept and commit the SaaS Security policy rule. After your NGFW administrator or Prisma Access administrator commits the policy rule, the policy rule becomes active. You can update your SaaS rule recommendations at any time. Alternatively, SaaS Security administrators can create Internet Access rules instead of policy rule recommendations to simplify policy rule creation for SaaS app security. This allows you to enforce consistent SaaS app security regardless of the enforcement point, eliminate policy implementation delay, and reduce the risk of misconfigurations. This streamlined workflow enables you to fully utilize the SaaS Security Inline capabilities and achieve a stronger security posture for your SaaS environment, all while reducing the managerial overhead of implementing new Security policy rules for your SaaS apps.

SASE Private Location

Release Date: November 2025 | Last Updated: May 2026

When regulatory compliance, data sovereignty, and geographic location prevent you from using external cloud infrastructure, SASE Private Location enables you to deploy Prisma® Access services within your own infrastructure. This hybrid deployment model addresses compliance, data sovereignty, and geographic location requirements by keeping your network traffic and security processing within your premises, eliminating the need to route data through external cloud infrastructure. Using SASE Private Location, you can deploy agent-based Mobile Users in your data center. You continue to manage configurations, policy rules, and monitoring through the familiar Prisma Access UI.

Organizations in regulated industries, such as healthcare, financial services, and government sectors, benefit from SASE Private Location. These organizations often must comply with HIPAA regulations, data residency requirements, or FedRAMP standards that prohibit sending traffic to external cloud services. You can maintain the same Prisma Access security capabilities while ensuring that your data never leaves your controlled environment. This approach is valuable when you need low-latency access to critical applications or when your security policy rules mandate that network security functions operate within your physical premises. Use SASE Private Location when configuring your Prisma Access deployment to meet stringent compliance requirements.

The GlobalProtect® portal continues to operate from the cloud for global accessibility, while the gateways run locally behind load balancers in your environment, providing the optimal balance of centralized management and localized performance.

SASE Private Location eliminates the traditional choice between cloud managed security services and on-premises compliance requirements. You can achieve regulatory compliance without sacrificing the operational benefits of cloud management, automated updates, and centralized policy enforcement that characterize modern SASE architectures. This capability becomes essential when your organization requires air-gapped environments, operates in countries with strict data sovereignty laws, or maintains corporate policies that restrict the use of external cloud services for security functions.

Selective Acceleration by Port

Release Date: October 2025 | Last Updated: May 2026

App Acceleration selective port control enables you to specify which network traffic receives acceleration based on destination server ports. This lets you boost application performance while maintaining granular control over which apps’ TCP traffic is accelerated.

You would typically use selective acceleration by port control when you need to accelerate only specific apps while leaving other apps unaffected. For example, you can configure acceleration for only SMB traffic on standard ports like 445 or NetBIOS ports 137-139, enabling you to quickly realize performance benefits for targeted apps.

You can use this feature to exclude custom or legacy apps from acceleration due to compatibility concerns. Proactively excluding apps from acceleration prevents potential issues with apps that don't interact well with acceleration technology.

Selective Acceleration by Port integrates seamlessly with other Prisma® Access services, preventing conflicts while maintaining the security and functionality of your other Prisma Access services.

Server-Initiated Traffic Flow for Prisma Access ZTNA Connector

Release Date: November 2025 | Last Updated: May 2026

Prisma® Access ZTNA Connector server-initiated traffic flow allows applications running in your data center to initiate connections to remote endpoints, solving a critical limitation where connections previously could only flow from clients to servers. This feature enables your data center servers to establish TCP, UDP, and ICMP connections to GlobalProtect® users, Remote Network hosts, and IP subnet hosts in other ZTNA Connector data centers.

When you enable server-initiated traffic on a ZTNA Connector group, you gain bidirectional communication capability without deploying separate Service Connections, significantly reducing operational overhead. Your data center applications can now proactively reach out to endpoints, which is essential for remote troubleshooting, device management, patch distribution, and Voice Over IP (VoIP) applications. For example, your IT helpdesk can use applications like TeamViewer or LogMeIn to remotely access and troubleshoot user devices, inventory management systems can scan and update remote endpoints, and VoIP servers can initiate calls to users on managed devices.

The server-initiated feature integrates with your existing network architecture through either static or dynamic routing. With dynamic BGP routing, your data center routers automatically learn routes to permitted destinations, simplifying network management. For security, you control which destinations your servers can initiate connections to by selecting specific mobile user pools, remote network prefixes, and ZTNA Connector IP subnet targets.

When server-initiated traffic is enabled, all outbound flows are source-NATed with the ZTNA Connector’s IPsec tunnel interface IP, ensuring consistent routing regardless of overlapping data center IP spaces. This approach maintains compatibility with existing security policies while allowing you to enforce more granular security through your data center firewall or at the destination endpoints. The server-initiated traffic feature works seamlessly with Dynamic DNS Updates, allowing data center applications to resolve connected GlobalProtect users.

Service Provider Interconnect with Non-IPsec

Release Date: November 2025 | Last Updated: June 2026

The Service Provider Interconnect (SPI) feature, formerly known as Service Provider Backbone (Cleanpipe), has been transformed to support native IP ingress and high-bandwidth connectivity, enabling service providers to deliver Prisma Access services more efficiently. With support for up to 20 Gbps per tenant and 400 Gbps per interconnect, SPI eliminates IPsec tunnel overhead and enhances throughput and scalability for large enterprise and MPLS deployments. It also unlocks the complete Prisma Access feature set—including ZTNA, CASB, and IoT Security—while maintaining strict multi-tenant isolation and offering flexible egress options through either the service provider’s network or Prisma Access-managed points.

Guided Configuration Workflow

The new Configuration Center provides a guided workflow that assists administrators in the end-to-end configuration of interconnects. The workflow covers all key stages, including ingress configuration involving cloud service provider setup, interconnect configuration, VLAN and IP pool configuration, and egress path definition. This guided process simplifies complex setup tasks and ensures accuracy and consistency across all interconnect deployments.

Visibility and Monitoring Enhancements

Management and monitoring interfaces are enhanced to offer a unified, centralized experience across all interconnects and associated tenants. You can:

  • View interconnect type, operational status, and capacity utilization at a glance.

  • Access detailed per-tenant insights on VLAN health, traffic usage, and routing states.

Static IP Address Allocation with User Geolocation

Release Date: October 2025 | Last Updated: May 2026

Static IP address allocation with user geolocation provides the precise IP assignment capabilities you need. This feature ensures that the source IP address for a mobile user remains consistent based on user groups and their geographic location, allowing you to enforce finer-grained access policies and maintain compliance with export control regulations more reliably.

Tenant Control for Google Workspace Applications

Release Date: November 2025 | Last Updated: May 2026

Organizations face a critical data protection challenge in needing to permit access to sanctioned corporate SaaS apps while blocking personal or unsanctioned instances of the same app. To address this, we introduced a CASB/DLP enhancement, Tenant Control for Google Workspace Applications. This session-tracking capability allows the system to identify the specific Google tenant (such as corporate your.company.com vs. personal gmail.com) a user is accessing. This enables administrators to create granular policies that permit sanctioned Google Workspace access while blocking or controlling personal accounts, directly preventing data exfiltration. This feature requires an active SaaS Inline license. See SaaS policy rule recommendations to help you understand which Google Workspace applications are included in this feature and how to enable this capability.