To see the changes in default behavior after you upgrade to the
Cloud Services plugin 2.2 Preferred and Innovation, see Changes to Default Behavior.
Cloud Services Plugin 2.2 Preferred
Prisma Access 2.2 consists of a single Prisma Access
version and it uses the
Cloud Services Plugin 2.2 Preferred
There is no 2.2 Innovation version.
A dataplane upgrade is required to upgrade to 2.2 Preferred.
This upgrade is required whether you are currently running 2.1 Preferred,
2.1 Innovation, 2.0 Preferred, or 2.0 Innovation. 2.2 Preferred
runs on the PAN-OS version 10.0 dataplane.
Upgrade Considerations for 2.2 Prisma Access Releases
A dataplane and infrastructure
upgrade is required for all upgrades from an existing Panorama
Managed Prisma Access version to 2.2. Preferred. Your dataplane
will be upgraded to PAN-OS 10.0.
After you upgrade to the Cloud Services plugin 2.2 Preferred,
you receive all supported features in Prisma Access to date, including
all Innovation and Preferred features, along with the new features
introduced in 2.2 Preferred. If your 2.1 Innovation deployment uses Explicit Proxy for mobile
users, Palo Alto Networks will perform additional infrastructure upgrades as
a part of the dataplane upgrade. Palo Alto Networks will inform
you of these updates using email notifications in
the Prisma Access app.
For all upgrades, be sure that you have signed up for alerts in
the Prisma Access app. Palo Alto Networks will alert you 21 days
in advance for the scheduled date and available time windows for
the dataplane upgrade. If you are running a Prisma Access (Panorama
Managed) deployment, Palo Alto Networks will make the Cloud Services
plugin 2.2 available for you to download and install after Palo
Alto Networks upgrades your dataplane. While your existing Cloud
Services plugin may continue to work, it is recommended that you
install and upgrade your Cloud Services plugin to 2.2. For details
about the dataplane upgrade, see Upgrade Your Prisma Access Dataplane in
the Prisma Access Administrator’s
Guide (Panorama Managed).
until after Palo Alto Networks upgrades your dataplane
to PAN-OS 10.0 and you install the Cloud Services plugin version
2.2; any release later than 10.0 is not supported for use with current
versions of Prisma Access.
Prisma Access will support private app access
over IPv6 for dual-stack mobile users and single and dual-stack
endpoints at branch offices. The feature will help if you are moving
to modern networks that leverage IPv6. Prisma Access will allow
you to specify IPv6 addresses in components such as the infrastructure subnet,
mobile user IP address pools, and BGP peers. Prisma Access will
still use public IPv4 IP addresses for the Mobile Users (GlobalProtect) VPN
tunnels and service connection and remote network connection IPSec
Prisma Access supports the use of the WildFire
Germany Cloud (de.wildfire.paloaltonetworks.com), allowing you to
utilize the WildFire cloud-based threat analysis and prevention
engine, while ensuring that files submitted for analysis stay in
the country to address data location concerns.
certain metadata connected to submitted samples, as described in
the WildFire Privacy Datasheet,
are shared with our other regional clouds. While submissions stay
within German borders, German customers still benefit from the global security
intelligence and updates based on the network effect of Palo Alto
Networks 42,000+ WildFire customers. Sensitive data and submissions
are restricted from leaving Germany when using the WildFire cloud
threat analysis service. Samples submitted to the WildFire Germany
cloud and the resulting malware analysis, signature generation and delivery
occur and remain within German borders.
The following locations
will use WildFire Germany Cloud:
Andorra, Austria, Bulgaria,
Croatia, Czech Republic, Egypt, Germany Central, Germany North,
Germany South, Greece, Hungary, Israel, Italy, Jordan, Kenya, Kuwait,
Liechtenstein, Luxembourg, Moldova, Monaco, Nigeria, Poland, Portugal,
Romania, Saudi Arabia, Slovakia, Slovenia, South Africa Central,
Spain Central, Spain East, Turkey, Ukraine, United Arab Emirates,
Prisma Access supports the use of SaaS Security Inline to automatically
discover and analyze users’ SaaS activity and data usage for Sanctioned
and Unsanctioned applications. Having full visibility into the SaaS
applications usage, you can reduce the security risks to your organization, like
data leakage, malware entry points, and non-compliance.
Security Inline is a security service that also offers advanced
risk scoring, analytics, and reporting.
the following guidelines when implementing Enterprise DLP with Prisma
Access in a multi-tenant deployment:
If you have
an existing DLP deployment and are running a Prisma Access Preferred
release, you will need to upgrade from Enterprise DLP on Prisma
Access to the DLP plugin after you upgrade to Prisma Access 2.2
Preferred. See the Changes to Default Behavior for details.
you are upgrading from an Innovation release to 2.2 Preferred, you
are already using the Enterprise DLP plugin and no upgrade is required.
To provide better worldwide coverage, Prisma
Access will add support for the IoT Security region in the EU. The
IoT Security EU region (Germany—Europe) maps to the following Cortex
Data Lake locations:
If you have set up tunnel monitoring with static
routes, you can configure Prisma Access to withdraw the static routes
that are installed on service connections and remote network connections
when the IPSec tunnel goes down.
You cannot apply this change
if tunnel monitoring is not enabled.
This feature will be
automatically enabled for Cloud Managed Prisma Access deployments after
the 2.2 Preferred upgrade.