Features Introduced in Prisma Access 2.0 Innovation

The following table describes the new features introduced in Prisma Access version 2.0 Innovation.
The Cloud Services plugin 2.0 Innovation version requires the following minimum software versions for Panorama and GlobalProtect:
Panorama:
  • 9.1.4 or a later PAN-OS version of 9.1.x (PAN-OS 10.0.3 required to activate and use PAN-OS 10.0 features)
  • 10.0.3 or a later PAN-OS version of 10.0.x
    If you use the Enterprise DLP plugin or Explicit Proxy with Prisma Access, a minimum Panorama version of 10.0.5 is required.
GlobalProtect:
Supported versions: 5.1.x and 5.2.x
The Cloud Services Plugin 2.0 Innovation version includes all the features from the Cloud Services plugin 2.0 Preferred version and adds the following features.
Feature
Description
Autonomous Digital Experience Management (DEM) is now available for mobile users who use the GlobalProtect app!
You can use Autonomous Digital Experience Management (Autonomous DEM) to get visibility into user experience and into application and network performance. With Autonomous DEM, you gain segment-wise insights across the entire service delivery path, with real and synthetic traffic analysis that enables autonomous remediation of digital experience problems when they arise.
Autonomous DEM requires an add-on license and the GlobalProtect app version 5.2.6 or later.
Support for PAN-OS 10.0.3
New Cloud Services 2.0 Innovation customers are running a dataplane version of PAN-OS 10.0.3 and are able to take advantage of PAN-OS 10.0 features up to PAN-OS 10.0.3, including the following features:
GlobalProtect version 5.2.5 is required to use GlobalProtect App Log Collection for Troubleshooting.
IoT Security Support
You can use Prisma Access to implement IoT security. IoT Security applies machine learning and AI to discover and identify connected devices and then presents them in a dynamically generated inventory.
Prisma Access supports the use of the Panorama plugin for DLP 1.0.3 to implement Enterprise Data Loss Prevention (DLP) with Prisma Access.
If you have an existing deployment with Enterprise DLP on Prisma Access and want to upgrade to the Cloud Services plugin 2.0 Innovation version, Palo Alto Networks provides you with a migration process to transfer to using DLP with the DLP Panorama plugin.
If you have a Prisma Access for Users license, you can add compromised devices to a quarantine list and block users from logging in to the network from that device using GlobalProtect.
If you have a Prisma Access for Users license, you can quickly resolve mobile user connection, performance, and access issues by having GlobalProtect users generate and send an easy to read, comprehensive report from the end user’s endpoint to Cortex Data Lake for further analysis.
This release adds a UI element to allow you to generate and store the certificate that is required for communication between the GlobalProtect app and Cortex Data Lake, eliminating the CLI requirement.
You can configure an explicit proxy to secure mobile users with a proxy URL and a Proxy Auto-Configuration (PAC) file. If your organization’s existing network already uses explicit proxies and deploys PAC files on your client endpoints, you can smoothly migrate to Prisma Access to secure mobile users’ outbound internet traffic.
You can still secure mobile users with GlobalProtect. If you want to add an explicit proxy to an existing mobile users deployment, you can divide your mobile users license between the users you want to secure with GlobalProtect and the users you want to secure with an explicit proxy.
Explicit proxy uses your existing Mobile User license. Whether you have a new deployment or if you upgrade, you can divide your mobile user license between Mobile Users - GlobalProtect and Mobile Users - Explicit Proxy.
Explicit Proxy is currently available for new customers only; if you have an existing Prisma Access deployment, you will have the option to use Explicit Proxy at a later time.
Cloud Directory Support for Directory Sync
To allow you to integrate your organization’s cloud directory with Prisma Access, you can activate and use your Directory Sync instance with Azure Active Directory.
Support for Predefined URLs and URLs in EDLs in Traffic Steering
When you create rules for targets when you configure traffic steering for service connections, Prisma Access adds support for the following capabilities:
Policy Optimizer Support
Prisma Access supports the use of Policy Optimizer to allow you to optimize your security policy rules.
Support for no-export and no-advertise BGP Communities
Prisma Access makes the following BGP community changes:
  • Prisma Access allows you to add a no-export community for Corporate Access Nodes (Service Connections) to the outbound prefixes from eBGP peers at the customer premises equipment (CPE). This capability will not be available in hot potato routing mode.
  • Prisma Access supports the well-known BGP community strings no-export and no-advertise that are advertised by the on-premise CPE.
Cortex Data Lake Theater Support
Prisma Access supports the following Cortex Data Lake regions:
  • Japan
  • Singapore
  • Canada
  • Australia
Support for Asymmetric Routing for Service Connections
Prisma Access removes the requirements to have a symmetric network path for the traffic returning from the data center. Asymmetric flows are allowed through the Prisma Access backbone. This removal allows you to configure ECMP or any other load balancing mechanism for service connections to your CPE.
This capability is not enabled by default; to enable it, change the Backbone Routing options in your service setup settings.
DNS Enhancements for Mobile Users and Remote Networks
Prisma Access offers the following enhancements when you specify DNS settings for mobile users and remote networks:
  • For internal domains, you can use multiple rules to specify different DNS server settings per region, or you can specify DNS server settings for a region and specify a Worldwide setting to serve as a default for the other regions.
  • For public (external) domains, you can use the same settings as internal domains, the default server for Prisma Access, or a custom DNS server.
  • You can use wildcard matches for DNS domain suffixes.
  • You can use wildcard matches for any part of the DNS domain name.
  • You can specify different domain names to be resolved by different DNS servers.
  • You can specify domain names to be resolved by the Prisma Access Cloud Default server.
  • You can specify how many times to retry a UDP query and the time interval between the retries.
WildFire Dashboard and AutoFocus Portal Integration
Prisma Access allows you to view pervasive artifacts on the AutoFocus Dashboard and view reports on the WildFire portal.
TLS 1.3 Support for Mobile Users (GlobalProtect) and Remote Networks
Prisma Access supports Transport Layer Security (TLS) 1.3 for mobile user (GlobalProtect) deployments and remote networks.
TLS 1.3 is not supported on Explicit Proxy deployments.
Route Aggregation Support for Remote Networks
You can advertise summary routes from data centers, and the remote networks choose the closest service connection as the next hop.
Load Balancing Improvements for Summary Prefix Advertisements on Multiple Service Connections 
Prisma Access has made improvements that enhance load balancing for multiple service connections that you have onboarded in different Prisma Access locations. For example, if you have two service connections onboarded in the US West location and two service connections onboarded in the US East location, Prisma Access load balances the traffic for summary prefixes at each data center to which the service connections are attached. This enhancement effectively increases the available bandwidth for a data center location that you have connected using multiple service connections at different Prisma Access locations.
Protect from Web-Based Threats with Remote Browser Isolation (RBI)
To support a larger range of use cases and prevent malware, phishing, cryptomining, and other such threats, Prisma Access can integrate with third-party RBI cloud vendors using URL response page redirect or traffic steering over the Prisma Access Service connection to the RBI cloud. These integrations help with isolating all active, untrusted web content from endpoints that your users use to access business-critical internet services and internal networks, and ensure that the corporate network remains safe.
See https://www.paloaltonetworks.com/partners/alliance for our technology partners and solution briefs.
