Changes to Default Behavior

The following chapter details the changes in default behavior after you upgrade to the Cloud Services plugin version 2.0 Innovation.
Component
Change
Dataplane Upgrade Process for Existing Customers Using Prisma Access
Dataplane Upgrade Process for Existing Customers Using Prisma Access
—The Cloud Services plugin 2.0 Innovation requires a dataplane upgrade to for your existing locations. If you upgrade to the Cloud Services plugin 2.0 Innovation version, your dataplane is upgraded to 9.1.7.
You must use the Prisma Access app to receive dataplane upgrade notifications. After Prisma Access informs you that the upgrade is available, you will use Insights to select a from a list of time windows for the upgrade and the locations you want to upgrade first.
Palo Alto Networks also uses the Insights functionality in the Prisma Access app to inform you when all locations have been upgraded and when the Cloud Services 2.0 Innovation plugin is available; you can then download and upgrade the plugin to activate Prisma Access 2.0 capabilities. See Prisma Access Release and Infrastructure Updates for more details about the upgrade process using Prisma Access.
Bandwidth Allocation Changes for Remote Networks for Upgrades from 1.7 to 2.0
If you are upgrading from the Cloud Services 1.7 to the Cloud Services plugin 2.0 Preferred or Innovation, you will be able to aggregate your bandwidth per compute location instead of specifying bandwidth per location. Existing deployments with existing remote networks can also now upgrade to the aggregate bandwidth model.
In addition, you can upgrade to the aggregate bandwidth model if you upgraded an existing deployment running the Cloud Services plugin with onboarded remote networks to the Cloud Services plugin 1.8. When you upgrade from 1.8 to the Cloud Services plugin 2.0 Innovation, Prisma Access allows you to migrate to the aggregate bandwidth model.
Continue to allocate bandwidth by location and do not migrate to the bandwidth allocation model if you have any of the following Prisma Access capabilities enabled:
No Security Policy Required to Forward Logs from Remote Network Connections to Cortex Data Lake
You will be able to forward logs from remote networks, also known as
Security Processing Nodes (SPNs)
, to Cortex Data Lake without having a security policy rule defined to allow that action.
Explicit Proxy Changes
To support the explicit proxy feature for mobile users, Prisma Access will change the
Mobile Users
tab (
Panorama
Cloud Services
Configuration
Mobile Users
) to
Mobile Users—GlobalProtect
will add a tab
Mobile Users—Explicit Proxy
, and will add the following templates, template stacks, and device groups:
  • Explicit_Proxy_Template_Stack
  • Explicit_Proxy_Template
  • Explicit_Proxy_Device_Group
Existing templates, template stacks, and device groups do not change. To configure Prisma Access - GlobalProtect, continue to use the Mobile_User_Template_Stack, Mobile_User_Template, and Mobile_User_Device_Group templates and device groups.
In addition, the API that you use to retrieve Prisma Access IP addresses will be updated to allow you to retrieve the active, reserved, and preallocated public IP addresses that Prisma Access uses for the explicit proxy network load balancers and authentication cache servers.
Enterprise DLP on Prisma Access Migrating to Enterprise DLP Plugin
If you have Enterprise Data Loss Prevention (DLP) on Prisma Access enabled in your deployment, you will migrate to using the Enterprise DLP plugin. Prisma Access provides you with a migration process to transfer your organization’s data to the new DLP.
As a result of this change, if you have existing data patterns and data filtering profiles that you use for Enterprise DLP on Prisma Access, the migration process moves them to the following locations in Panorama:
  • Data patterns move from
    Objects
    Custom Objects
    Data Patterns
    to
    Objects
    DLP
    DLP Data Patterns
    .
  • Data filtering profiles move from
    Objects
    Security Profiles
    Data Filtering
    to
    Objects
    DLP
    DLP Data Filters
    .
Reassignment of WildFire to Canada East and Canada Central locations
Prisma Access automatically assigns the WildFire Canada region for any remote network connections or mobile user locations that are in the Canada East and Canada Central locations.
Changes to DNS Configuration and UDP Queries for Mobile Users (GlobalProtect) and Remote Networks
If you have an existing configuration for DNS resolution of internal domains, Prisma Access migrates that configuration to a rule named
dns-rule-1
. Your configuration is unchanged; the rule creation is to match the new method of using rules for internal DNS configuration.
In addition, UDP queries are set to a maximum of five retries and a retry interval of two seconds. You can change these settings in the DNS proxy settings for mobile users (GlobalProtect) and remote networks in the
UDP Queries Retries
area.
Changes to Service Connection Logging
When a traffic flow originates at a data center or headquarters location, and the flow passes from a service connection to a remote network connection, mobile user location, or another service connection, Prisma Access replaces the app-id in the logs with the default app name of
express-mode
.

Recommended For You