Features Introduced in Prisma Access

The following table describes the new features introduced in Prisma Access version 1.7.
Feature
Description
Continuously monitor the health and performance of your Prisma Access environment with the new Insights app. Visually scan and interact with a variety of Insights dashboards to get status on your mobile users, remote network sites, service connections to your HQ and data centers, and the Prisma Access cloud infrastructure.
When Insights detects an issue in your environment, the app generates an alert that gives you context and lets you know where to take action. Insights alerts also give you visibility into fixes that the Prisma Access team is addressing.
Insights is available to you as part of a
public beta
for all Prisma Access admins.
Learn more about Insights, including the role you might need to access the app, and access it directly from Panorama:
Prisma Access supports PAN-OS 9.1, and you can use 9.1 features with Prisma Access, including the following features:
You must upgrade your Panorama to a version of 9.1.1 or later to take advantage of PAN-OS 9.1 features.
If you want your mobile users to upgrade to a GlobalProtect app version that is different than the one that Prisma Access manages by default, you can request activation of that version on the Prisma Access portal in Panorama. Previously, Prisma Access hosted a single GlobalProtect app version on the Prisma Access portal.
Administrators control how and when mobile users can upgrade to the newly-activated GlobalProtect app version by configuring GlobalProtect app configuration options in Panorama.
The ability to forward internet-directed traffic through service connections for remote network and mobile user deployments is enhanced and has a new name—
Traffic Steering
.
Traffic steering expands the scope of directing internet-bound traffic through service connections. In addition to specifying FQDNs, IP addresses, and URLs and forwarding only HTTP and HTTPS internet-bound traffic through service connections, you can send all traffic or a subset of the traffic based on the following additional criteria:
You can then configure Prisma Access to split internet-bound remote network or mobile user traffic into multiple service connections based on the criteria you specified.
Traffic steering is supported for mobile user and remote network deployments.
If you are currently using traffic forwarding through service connections and are using Panorama versions 9.0.6, 9.1.0, or 9.1.3 to manage Prisma Access, you might need to make changes to your forwarding rules after you upgrade the plugin to 1.7 or you could experience failures during commit. See Changes to Default Behavior for details.
If you want to forward all internet-bound mobile user traffic to one or more service connections as a part of Traffic Steering, you can configure service connections so that Prisma Access can receive default routes from your CPE. For example, you could send internet-bound traffic through a service connection directly to the headquarters or data center location using a default route, where it is processed by a security stack before being sent to the internet.
You can combine a default route with other traffic steering criteria to create multiple paths for internet-bound traffic.
New Compute Region for South Africa West Location
To optimize performance and improve latency for the South Africa West location, Prisma Access has created a new compute region, South Africa, for the South Africa West location.
If you add the South Africa West location after the 1.7 plugin is released, Prisma Access associates the new compute region automatically.
If you are an existing customer and want to take advantage of the new compute region, delete the South Africa West location and commit and push the configuration; then, re-add the South Africa West location and commit and push the new configuration. Since the new compute region will have new egress IP addresses for the South Africa West location, Palo Alto Networks recommends that you schedule this change during a maintenance window or during off-peak hours.
You can implement IP tags with Dynamic Address Groups and User tags with dynamic user groups with Prisma Access (Panorama 9.1 required for dynamic user groups). You can register tags using auto-tagging on the firewall. You can also register IP tags or User tags using an XML API on Panorama or on your on-premise firewall and redistribute them using User-ID agent redistribution.
You can only register users using
Local
registration; using the
Panorama User-ID Agent
or
Remote Device User-ID Agent
to register users is not supported.
To let you follow the progress of a mobile user, remote network, or service connection onboarding while it is being deployed, Prisma Access adds a field in the
Panorama
Cloud Services
Status
Status
page called
Deployment Status
that provides you with the details of the deployment.
The Cloud Services plugin provides the following information about your Prisma Access deployment in Service Setup (
Panorama
Cloud Services
Configuration
Service Setup
):
  • Current Panorama version
  • Current Cloud Services plugin version
  • Current PAN-OS version running on the Prisma Access dataplane
To provide you with sufficient advance notice to upgrade, Prisma Access will provide you with alerts related to plugin and Panorama version upgrade requirements. For example, if your Panorama is running 9.0.x, Prisma Access provides you with advance notice about Panorama 9.0 End-of-Support (EoS) information.
You can optionally provide contact information (company and contact name, email address, and phone number) in Service Setup so that Palo Alto Networks can provide you information regarding Prisma Access service upgrades. This ability is helpful for system administrators whose information is not available in the Customer Support Portal (CSP) but who want to know the latest upgrade information.
You can also update or delete your contact information after you provide it.
To reduce the number of mobile user IP subnet advertisements over BGP to your customer premises equipment (CPE), you can specify Prisma Access to summarize the subnets before it advertises them. Select route summarization when you configure service connections and remote networks.
This summarization can reduce the number of routes stored in CPE routing tables. For example, you can use IP pool summarization with cloud VPN gateways (Virtual Private Gateways (VGWs) or Transit Gateways (TGWs)) that can accept a limited number of routes.
To support the use of Windows Internet Name Service (WINS)-based applications, Prisma Access supports the use of WINS to resolve NetBIOS name-to-IP address mapping. You can specify primary and secondary WINS servers, either per Prisma Access region or worldwide, for WINS support.
Prisma Access can now push WINS configuration to mobile users’ endpoints over GlobalProtect.

Recommended For You