Changes to Default Behavior
The following chapter details the changes in default
behavior after you upgrade to
the Cloud Services plugin version 2.0 Innovation.
Component | Change |
---|---|
Dataplane Upgrade Process for Existing Customers Using Prisma Access | The Cloud Services plugin 2.0 Innovation requires a dataplane upgrade for your existing locations. If you upgrade to the Cloud Services plugin 2.0 Innovation version, your dataplane is upgraded to 9.1.7. You must use the Prisma Access app to receive dataplane upgrade notifications. After Prisma Access informs you that the upgrade is available, you will use Insights to select from a list of time windows for the upgrade and the locations you want to upgrade first. Palo Alto Networks also uses the Insights functionality in the Prisma Access app to inform you when all locations have been upgraded and when the Cloud Services 2.0 Innovation plugin is available; you can then download and upgrade the plugin to activate Prisma Access 2.0 capabilities. See Prisma Access Release and Infrastructure Updates for more details about the upgrade process using Prisma Access. |
Bandwidth Allocation Changes for Remote Networks for Upgrades from 1.7 to 2.0 | If you are upgrading from the Cloud Services plugin 1.7 to the Cloud Services plugin 2.0 Preferred or Innovation, you will be able to aggregate your bandwidth per compute location instead of specifying bandwidth per location. Existing deployments with existing remote networks can also now upgrade to the aggregate bandwidth model. In addition, you can upgrade to the aggregate bandwidth model if you upgraded an existing deployment running the Cloud Services plugin with onboarded remote networks to the Cloud Services plugin 1.8. When you upgrade from 1.8 to the Cloud Services plugin 2.0 Innovation, Prisma Access allows you to migrate to the aggregate bandwidth model. Continue to allocate bandwidth by location and do not migrate to the aggregate bandwidth model if you have any of the following Prisma Access capabilities enabled: |
No Security Policy Required to Forward Logs from Remote Network Connections to Cortex Data Lake | You will be able to forward logs from remote networks, also known as Security Processing Nodes (SPNs), to Cortex Data Lake without having a security policy rule defined to allow that action. |
Explicit Proxy Changes | To support the explicit proxy feature for mobile users, Prisma Access will change the Mobile Users tab (Panorama > Cloud Services > Configuration > Mobile Users) to Mobile Users—GlobalProtect, will add a tab Mobile Users—Explicit Proxy, and will add the following templates, template stacks, and device groups: Existing templates, template stacks, and device groups do not change. To configure Prisma Access - GlobalProtect, continue to use the Mobile_User_Template_Stack, Mobile_User_Template, and Mobile_User_Device_Group templates and device groups. In addition, the API that you use to retrieve Prisma Access IP addresses will be updated to allow you to retrieve the active, reserved, and preallocated public IP addresses that Prisma Access uses for the explicit proxy network load balancers and authentication cache servers. |
Enterprise DLP on Prisma Access Migrating to Enterprise DLP Plugin | If you have Enterprise Data Loss Prevention (DLP) on Prisma Access enabled in your deployment, you will migrate to using the Enterprise DLP plugin. Prisma Access provides you with a migration process to transfer your organization’s data to the new DLP. As a result of this change, if you have existing data patterns and data filtering profiles that you use for Enterprise DLP on Prisma Access, the migration process moves them to the following locations in Panorama: |
Reassignment of WildFire to Canada East and Canada Central locations | Prisma Access automatically assigns the WildFire Canada region for any remote network connections or mobile user locations that are in the Canada East and Canada Central locations. |
Changes to DNS Configuration and UDP Queries for Mobile Users (GlobalProtect) and Remote Networks | If you have an existing configuration for DNS resolution of internal domains, Prisma Access migrates that configuration to a rule named dns-rule-1. Your configuration is unchanged; the rule creation is to match the new method of using rules for internal DNS configuration. In addition, UDP queries are set to a maximum of five retries and a retry interval of two seconds. You can change these settings in the DNS proxy settings for mobile users (GlobalProtect) and remote networks in the UDP Queries Retries area. |
Changes to Service Connection Logging | When a traffic flow originates at a data center or headquarters location, and the flow passes from a service connection to a remote network connection, mobile user location, or another service connection, Prisma Access replaces the app-id in the logs with the default app name of express-mode. |