Features in Prisma Access 3.1

Features in Prisma Access 3.1

Table of Contents

Features in Prisma Access 3.1

This section lists the new features that are available in Prisma Access 3.1, along with upgrade information and considerations if you are upgrading from a previous Prisma Access version.

Cloud Services Plugin 3.1

Prisma Access 3.1 uses a single plugin for both 3.1 Preferred or 3.1 Innovation. By default, the plugin will run 3.1 Preferred. To upgrade to 3.1 Innovation, reach out to your Palo Alto Networks account representative and submit a request.

Upgrade Considerations for 3.1 Prisma Access Releases

To upgrade to Prisma Access 3.1 Preferred, use one of the following upgrade paths.
To find your plugin version, select
Cloud Services
Service Setup
in Panorama and check the plugin version in the
Plugin Alert
Installed Cloud Services Plugin Version
Targeted 3.1 Version
Upgrade Path
Releases earlier than 2.2 Preferred
3.1 Preferred
  1. Upgrade your deployment to Prisma Access 2.2.
    If your deployment is on a version of Prisma Access that is earlier than 2.2 Preferred, you must first upgrade to Prisma Access 2.2 before you can upgrade to 3.1. Upgrades from 2.0 or 2.1 versions of Prisma Access are not supported.
  2. Upgrade your deployment to Prisma Access 3.0.
  3. Upgrade your deployment to Prisma Access 3.1.
2.2 Preferred
3.1 Preferred
  1. Upgrade your deployment to Prisma Access 3.0.
  2. Upgrade your deployment to Prisma Access 3.1.
Direct upgrades from Prisma Access 2.2 to 3.1 are not supported.
All Prisma Access Releases
3.1 Innovation
To upgrade to 3.1 Innovation, reach out to your Palo Alto Networks account representative and submit a request. The request will be reviewed internally and, if approved, your deployment will be upgraded to 3.1 Innovation.

Minimum Required Software Versions

For the minimum Panorama version that is supported with Prisma Access 3.1, see Prisma Access and Panorama Version Compatibility in the Palo Alto Networks Compatibility Matrix.
If you have a Cloud Managed Prisma Access deployment, plugin upgrades are not required; however, the GlobalProtect versions apply to both Panorama and Cloud Managed versions of Prisma Access.
Prisma Access supports any GlobalProtect version that is not End-of-Life (EoL). A minimum of GlobalProtect 5.2.5 is required for GlobalProtect App Log Collection for Troubleshooting. The Autonomous DEM (ADEM) documentation has the minimum GlobalProtect and Content Release versions required for ADEM.

New Features—Prisma Access 3.1.2 Preferred and Innovation

The following features are added for Prisma Access 3.1.2 Preferred and Innovation. To find the new features for Cloud Managed Prisma Access, see the new features list in the Prisma Access Release Notes (Cloud Managed).
To unlock the 3.1.2 features, use a minimum Cloud Services plugin of 3.1.0-h50.
Panorama 10.2.2 Support
Starting with the Cloud Services plugin version of 3.1.0-h50, Prisma Access supports a Panorama version of 10.2.2.
A minimum Panorama version of 10.2.2-h1 is required.
Do not install Panorama 10.2.2-h1 on the Panorama that manages Prisma Access until after you have installed a minimum hotfix plugin version of 3.1.0-h50. In addition, 10.2 Panorama versions lower than 10.2.2 (for example, 10.2.1), or 10.2.2 versions lower than 10.2.2-h1, are not supported for use with Prisma Access.
If you use a Panorama of 10.2.2 with Prisma Access, be aware of the following PAN-OS Known Issues and Prisma Access Known Issues that are applicable to deployments running Panorama 10.2.2-h1 with Prisma Access:
You can still use other PAN-OS versions as described in the Compatibility Matrix.
Support for RFC 6598 Addresses in Prisma Access Infrastructure IP Addresses
If your enterprise uses RFC 6598 IP addresses as a part of your enterprise routable address space, you can use that address space in the following Prisma Access infrastructure IP addresses:
The following functionality is not supported with RFC 6598 addresses:
To enable the use of addresses in infrastructure addresses, reach out to your Palo Alto Networks account representative or partner and submit a request. An upgrade to 3.1 Innovation is required.
Block Incoming Connections from Specific Countries for GlobalProtect, Explicit Proxy, and Remote Network Deployments
Prisma Access allows you to create security policy rules to block login attempts for Remote Network, Mobile Users—GlobalProtect, and Mobile Users—Explicit Proxy deployments from countries you specify. Prisma Access blocks incoming connections from the countries you specify based on the geo location information from the source IP address of the client.
Block these countries using the following combination of Rule names, tags, and actions:
Rule names:
  • Mobile Users—GlobalProtect deployments: Mobile_User_EMBG_Source_Countries
  • Mobile Users—Explicit Proxy deployments: Explicit_Proxy_EMBG_Source_Countries
  • Remote Network deployments: Remote_Network_EMBG_Source_Countries
Tag: PA_predefined_embargo_rule
Action: Drop
To drop traffic by country, specify one or more countries in the
tab of the security policy rule.
Remapped Prisma Access Locations
To better optimize performance of Prisma Access locations, the following locations are remapped to the Chile compute location:
  • Argentina
  • Peru
  • Bolivia
New deployments have the new remapping applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to Add a new compute location to a deployed Prisma Access location.

New Features—Prisma Access 3.1.1 Preferred and Innovation

The following features are added for Prisma Access 3.1.1 Preferred and Innovation.
To unlock the 3.1.1 features, use a minimum Cloud Services plugin of 3.1.0-h10.
Prisma Access supports the updating of enterprise DNS servers with mobile users’ A (Address) and PTR (Pointer) records using Dynamic DNS (DDNS) registration. This functionality allows system administrators or user management software to access the remote endpoint with FQDN for troubleshooting and software updates.

New Features—Prisma Access 3.1 Preferred

The following table describes the new features that are available with Prisma Access 3.1 Preferred.
To optimize performance and reduce latency, Prisma Access adds a new compute location that is hosted in Chile (South America West), and maps the Chile location to that compute location. This new compute region is available as of March 28, 2022, at 12 p.m. UTC.
If you add Chile after you install the Cloud Services 3.1 plugin, Prisma Access associates the new compute location automatically. If you are upgrading from an existing Prisma Access location, you can use this procedure to migrate to the new compute location for Chile.
New Cloud Managed Prisma Access deployments support multitenancy using a single cloud-based Prisma SASE Multitanant Cloud Management Platform, which allows Managed Security Service Providers (MSSPs) and distributed enterprises to manage the tenants and users that you create for your Prisma Access instances, and to monitor those instances.
Alternatively, if you are a new customer but not licensed as an MSSP, you can still use cloud-managed multitenancy if you want to configure your new Prisma Access deployment into a hierarchy of business verticals or geographic locations.
Support for CASB Bundle and Activation
Palo Alto Networks provides a SKU that allows you to purchase and activate all the components required for the cloud access security broker (CASB) security offering, which includes the following products:
Multitenant Support for Cloud Managed Explicit Proxy Deployments
New Cloud Managed Prisma Access deployments will support using multitenancy in Explicit Proxy deployments, which will allow managed security service providers to manage multiple Prisma Access tenants from a single cloud-based Prisma SASE Multitenant Platform.

New Features—Prisma Access 3.1 Innovation

Version 3.1 Innovation includes all the features in 3.1 Preferred and adds the following features.
If you use QoS with your current Prisma Access remote network deployment and you allocate bandwidth by location, you can migrate to an aggregate bandwidth deployment (a deployment that allocates bandwidth by compute location instead of Prisma Access location), while retaining your existing QoS policies and profiles.
Using the aggregate bandwidth model, you allocate bandwidth at an aggregate level per compute location, and Prisma Access dynamically allocates the bandwidth based on load or demand per location.
When you migrate to the allocated bandwidth model, the bandwidth per location can change if you have multiple locations onboarded in a single compute location; for this reason, Palo Alto Networks recommends that you change your QoS profiles to have a
Class Bandwidth Type
Explicit Proxy Enhancements
In addition to the Explicit Proxy enhancements described for 3.0 Preferred, Prisma Access offers the following additional enhancements for 3.0 Innovation:
  • SNI Spoofing Prevention
    —Explicit Proxy can protect network traffic from Server Name Indication (SNI) spoofing attacks in cases where the SNI domain does not match the domain used for HTTP Requests or HTTP Connect requests.
  • Blocking domains at HTTP Connect
    —In addition to DNS Security categories, you can block HTTP Connect requests at the following additional pre-defined URL filtering categories:
    • Dynamic DNS Hosted Domains
    • Grayware Domains
    • Newly Registered Domains
    • Parked Domains
    • Phishing Domains
    • Proxy Avoidance and Anonymizers
    Command and Control Domains and Malware Domains are currently supported URL filtering categories.
To provide additional redundancy for service connections, Prisma Access will let you onboard active and backup service connections from different cloud providers in the same location, or from different Prisma Access compute locations. Prisma Access provides you with a list of the supported in-country service connections you can use as active and backup locations.

Recommended For You