Direct upgrades from Prisma Access 2.2 to 3.1 are not supported.

Starting with the Cloud Services plugin version of 3.1.0-h50, Prisma Access supports a Panorama version of 10.2.2.

If you use a Panorama of 10.2.2 with Prisma Access, be aware of the following PAN-OS Known Issues and Prisma Access Known Issues that are applicable to deployments running Panorama 10.2.2-h1 with Prisma Access:

You can still use the Panorama versions as described in the Compatibility Matrix.

If your enterprise uses RFC 6598 IP addresses as a part of your enterprise routable address space, you can use that address space in the following Prisma Access infrastructure IP addresses:

The following functionality is not supported with RFC 6598 addresses:

To enable the use of 100.64.0.0/10 addresses in infrastructure addresses, reach out to your Palo Alto Networks account representative or partner and submit a request. An upgrade to 3.1 Innovation is required.

Prisma Access allows you to create security policy rules to block login attempts for Remote Network, Mobile Users—GlobalProtect, and Mobile Users—Explicit Proxy deployments from countries you specify. Prisma Access blocks incoming connections from the countries you specify based on the geo location information from the source IP address of the client.

Block these countries using the following combination of Rule names, tags, and actions:

Rule names:

Tag: PA_predefined_embargo_rule

Action: Drop

To drop traffic by country, specify one or more countries in the Source tab of the security policy rule.

To optimize performance and reduce latency, Prisma Access adds a new compute location that is hosted in Chile (South America West), and maps the Chile location to that compute location. This new compute region is available as of March 28, 2022, at 12 p.m. UTC.

If you add Chile after you install the Cloud Services 3.1 plugin, Prisma Access associates the new compute location automatically. If you are upgrading from an existing Prisma Access location, you can use this procedure to migrate to the new compute location for Chile.

New Cloud Managed Prisma Access deployments support multitenancy using a single cloud-based Prisma SASE Multitanant Cloud Management Platform, which allows Managed Security Service Providers (MSSPs) and distributed enterprises to manage the tenants and users that you create for your Prisma Access instances, and to monitor those instances.

Alternatively, if you are a new customer but not licensed as an MSSP, you can still use cloud-managed multitenancy if you want to configure your new Prisma Access deployment into a hierarchy of business verticals or geographic locations.

Palo Alto Networks provides a SKU that allows you to purchase and activate all the components required for the cloud access security broker (CASB) security offering, which includes the following products:

If you use QoS with your current Prisma Access remote network deployment and you allocate bandwidth by location, you can migrate to an aggregate bandwidth deployment (a deployment that allocates bandwidth by compute location instead of Prisma Access location), while retaining your existing QoS policies and profiles.

Using the aggregate bandwidth model, you allocate bandwidth at an aggregate level per compute location, and Prisma Access dynamically allocates the bandwidth based on load or demand per location.

When you migrate to the allocated bandwidth model, the bandwidth per location can change if you have multiple locations onboarded in a single compute location; for this reason, Palo Alto Networks recommends that you change your QoS profiles to have a Class Bandwidth Type of Percentage.

In addition to the Explicit Proxy enhancements described for 3.0 Preferred, Prisma Access offers the following additional enhancements for 3.0 Innovation: