Prisma Access and Panorama Version Compatibility

Cadence for Software and Content Updates for Prisma Access

Upgrade Your Prisma Access Dataplane

Dataplane Upgrade Overview

Prisma Access upgrades your dataplane in two phases on two weekend dates, and keeps you informed about the upgrade using the Prisma Access app. On a high level, the following steps are taken during the upgrade process.

An email notification from the Prisma Access app arrives 21 days before the scheduled dataplane upgrade start date. This email notification provides the dataplane upgrade start date for phase #1.
In the email, you are asked to select and submit the location or locations to upgrade first and the preferred time window for the upgrade via the Prisma Access App.
You can change and submit the first locations to upgrade and time window multiple times for a given tenant. The last submission that occurred five days before the scheduled start date will be chosen by the service for the upgrade. You will not be able to make any changes within five days of the upgrade start date.
If you make changes, it might take up to 30 minutes for the changes you made to be displayed in the Upgrade Dashboard on Insights. You will be notified via email alert when the Prisma Access has processed and completed the changes.
Prisma Access strongly suggests that you select locations that reflect your entire deployment. For example, if you have a mobile user, service connection, and remote network deployment, select a location or locations that have all deployment types.
Prisma Access will perform phase #1 of the upgrade on the selected location or locations within the local time window selected for those locations.
If the selected upgrade locations have any combination of Mobile Users—GlobalProtect, Service Connections, or Remote Networks, the dataplane for each deployment will be upgraded to the required dataplane version, as described later in this section.
Once the upgrade is complete in the first location, you’ll receive an email notification via the Prisma Access app. Palo Alto Networks recommends that you monitor the service for any new issues that occur immediately after the dataplane upgrade.
In an unlikely occurrence where you see a new issue, report the issue to Palo Alto Networks technical support.
The technical support team will investigate the issue and take corrective actions that may also include rolling back to the previous data plane version. This decision will be communicated to you via the technical support case.
If there are no new issues or a new issue is not upgrade-related, Prisma Access will proceed with the dataplane upgrade on the following weekend.
The upgrade of the remaining locations will take place during the same time window you selected for the first upgrade (in local time).
After the dataplane upgrade completes, you will be notified via email alert.

The following figure shows the timeline used for the upgrade and includes the tasks that you will need to perform for the dataplane upgrade (shown in green), as well as the steps that Prisma Access performs.

The following section provides more details about the dataplane upgrade process.

After you sign up for notifications, Prisma Access informs you of the two weekend dates that will be used for the upgrade process and sends these notifications 21 days, 3 days, and 24 hours before the first phase of the upgrade will occur. The upgrade process occurs in two phases:

Phase #1 upgrades the location or locations you chose on the first weekend using the time window you provided and notifies you via email when the upgrade is complete. If you did not choose the locations to upgrade first, or did not select a time window, Prisma Access makes the choices for you.
Prisma Access attempts to upgrade the locations during the four-hour window that you select via the Prisma Access app. However, completing the required upgrades during this window is best-effort and Palo Alto Networks cannot guarantee that the locations will be upgraded during that time. If the locations cannot be upgraded within the specified time window, you will receive an email notification. Palo Alto Networks recommends that you schedule a change request window starting at 8 p.m. local time on Friday and ending at 8 p.m. local time on Sunday for each of the two weekends when the dataplane upgrade occurs.
Prisma Access makes the following changes to your deployment during Phase #1 of the upgrade. See Dataplane Upgrade Example for more details.
Deployment Type	What is Upgraded
Mobile User Deployments	Prisma Access upgrades a single mobile user gateway, also known as the Mobile User Security Processing Node (MU-SPN) , for the location or locations you specify.
Remote Network Deployments	Prisma Access upgrades the backup (HA) remote network, also known as the Remote Network Security Processing Node (RN-SPN) , then makes the backup remote network the active node for the location or locations you specify. The backup remote network is not upgraded. The backup remote network connection is not upgraded until the following weekend, when the active and backup nodes are upgraded for all locations. If there are multiple RN-SPNs in the selected location, all nodes are upgraded to the new dataplane version.
Service Connections	Prisma Access upgrades the backup (HA) service connection, also known as the Service Connection Corporate Access Node (SC-CAN), then makes the backup service connection the active node for the location or locations you specify. The backup service connection is not upgraded until the following weekend, when the active and backup nodes are upgraded for all locations. If there are multiple SC-CANs in the selected location, all nodes are upgraded to the new dataplane version.
Between the first and second upgrades, you should monitor the first upgraded locations and perform connectivity, performance, routing, and logging testing to make sure that the locations upgraded successfully. If you encounter a service-impacting failure after the upgrade, open a Support Case with Palo Alto Networks Technical Support for assistance. Palo Alto Networks will attempt to resolve the issue by rolling back the dataplane to a previous dataplane version within 24 hours.
Seven days after Prisma Access upgrades the first location, Phase #2 upgrades the remainder of your locations, using the same time window you selected for the first phase, and notifies you via email when the upgrade is complete.
The upgrade window can be longer. For example, if Phase #2 occurs during a national holiday in the United States of America, Prisma Access can perform the second phase of the upgrade 14 days after the first phase instead of seven. The notifications you receive in the Prisma Access app show you the specific timeline for the upcoming dataplane upgrade.

Dataplane Upgrade Example

The following example shows a sample dataplane upgrade procedure for a Mobile Users deployment with five locations (MU-SPNs) and three SC-CANs. The US West location has two MU-SPNs as the result of an autoscale event (an extra MU-SPN was added after a large number of mobile users logged in to that location).

In this example, you selected a single location (US West) to upgrade first, and requested a four-hour upgrade window of 8:00 a.m. to 12:00 noon Saturday for the upgrade.

On the first upgrade weekend (Phase #1), Prisma Access upgraded the dataplane for one of the MU-SPNs and the SC-CAN in the US West location between 8:00 a.m. and 12:00 p.m. Pacific Time on Saturday.

To determine the MU-SPN that was upgraded, contact your authorized Palo Alto Networks representative or partner.

Seven days after the first location is upgraded, Prisma Access upgrades the remaining components (Phase #2), including all the MU-SPNs and SC-CANs in the deployment, using the same four-hour time window as was used for the first phase of the upgrade (8:00 a.m. to 12:00 p.m. on Saturday).

In this example, Prisma Access uses the following time zone information when upgrading the dataplane:

The remaining MU-SPN (MU-SPN 2) in the US West location is upgraded.
The Japan Central MU-SPN and SC-CAN are upgraded using the local time in Japan.
The UK MU-SPN and SC-CAN are upgraded using the local time in the UK.
The US Southwest MU-SPN is upgraded using Pacific Time.

Use the Prisma Access App to Get Upgrade Alerts and Updates

Sign up for alert notifications from the Prisma Access app.
Grant access for the people whom you want to receive alert notifications.
To receive alerts, you must be a Prisma Access admin. There are three types of admin roles, but only account administrators can grant users access to an app. Go to the hub to check role assignments and assign roles.
Log in to Prisma Access from the hub.
Select
Insights
Alerts
Alert Subscription
.
+ Add Users
and enter the
User Email Address(es)
, separated by commas, to which Prisma Access should send alert notifications.
The email addresses to which Prisma Access sends alerts must be the same email addresses associated with users in your Palo Alto Networks support account.
(
Multi-Tenant Deployments Only
) In a multi-tenant deployment,
Select Sub-Tenants
for which you want users to receive notifications or
All Sub-Tenants
if you want them to receive notifications from all sub-tenants.
Add
the users.
Check your notifications to be made aware of upcoming dataplane upgrades; then, select your upgrade preferences using one of the following methods.
Prisma Access sends an upgrade notification 21 days before your dataplane upgrade is scheduled.
Select
Insights
Network Objects
Prisma Access Upgrade
Upgrade Preferences
.
Log in to the Prisma Access app, view the banner at the top of the page for your scheduled upgrade, and select
Click here
.

Check your email for notifications for your scheduled upgrade and click the hyperlink in the email.
Select
Insights
Network Objects
Prisma Access Upgrade
Upgrade Preferences
.
The Prisma Access Upgrade Dashboard displays.

(
Optional
) Read the
Upgrade Process
to learn more about how the upgrade process works.
Select your
Upgrade Preferences
.
If you have a multi-tenant deployment, all tenants display in this area. If you have already selected your upgrade preferences for your deployment, these selections display here.
Select the tenants for which to set upgrade preferences, then select
Edit Preferences
.

Select the
Preferred Prisma Access Locations
that you want to upgrade first.
Prisma Access strongly suggests that you select locations that reflect your entire deployment. For example, if you have a mobile user, service connection, and remote network deployment, select a location or locations that have all deployment types.
Select from the choices in the drop-down list.
Prisma Access only displays the locations where you have deployed mobile users, remote networks, service connections, or any combination thereof.
The groups in the drop-down list belong to the same compute location, with the exception of the locations in the following groups:
Group 1
: France North, France South, Ireland, United Kingdom
Group 2
: Japan Central, Japan South, South Korea
If you select a choice in either Group 1 or Group 2, and if you have onboardings on two or more locations in that choice, Prisma Access might choose any of the locations in that group to upgrade. For example:
If you select France North, France South, Ireland, United Kingdom as the choice for the upgrade, Prisma Access might choose any of the locations in Group 1 (for example, France South) to upgrade.
If you select Japan Central, Japan South, South Korea as the choice for the upgrade, Prisma Access might choose any of the locations in Group 2 (for example, South Korea) to upgrade.
Prisma Access will inform you via email alerts which locations in the group were upgraded; any remaining locations will be upgraded with the remainder of the locations one week later.

After the first set of Prisma Access locations is upgraded successfully, the Prisma Access team monitors these locations for seven days, and then upgrades all remaining Prisma Access locations. Selecting a single location or a small number of locations gives you a chance to monitor these locations before the remainder of your locations are upgraded one week later.
If no locations display in the drop-down list, you either selected multiple tenants that have no common locations deployed or you have not yet onboarded any locations for the tenants you selected.
Select the
Preferred time for the upgrade window
from the list of available options.
Choose from the following upgrade time windows. The time windows are local to the location or locations being upgraded and are all four hour windows:
Friday 8:00 p.m. (noon) to 12:00 a.m. (midnight)
Saturday 12:00 a.m. (midnight) to 4:00 a.m.
Saturday 4:00 a.m. to 8:00 a.m.
Saturday 8:00 a.m. to 12:00 p.m. (noon)
Saturday 12:00 p.m. (noon) to 4:00 p.m.
Saturday 4:00 p.m. (noon) to 8:00 p.m.
Palo Alto Networks uses your preference to begin the rollout at the Prisma Access location or locations you selected.The last submission that occurred five days before the scheduled start date will be chosen by the service for the upgrade. If you make changes, it might take up to 30 minutes for the changes you made to be displayed in the Upgrade Dashboard on Insights. You will be notified via email alert when the Prisma Access has processed and completed the changes.
If you do not provide your upgrade preferences five days before the scheduled upgrade window, Palo Alto Networks will automatically select the first set of your deployed Prisma Access locations, notify you of the selection, and upgrade the selected locations on the scheduled date. The remaining Prisma Access locations, if any, in your deployment will be upgraded seven days after the selected time window.

Select the
Software Version
that you want to upgrade to, if more than one version is available.
Submit
your changes.
After your rollout begins, select
Insights
Network Objects
Prisma Access Upgrade
Upgrade Status by Tenants
and view the
Upgrade Status by Location
. This page displays the following information for each location that is being upgraded:
The name of the tenant that is being upgraded.
The start and finish date of the upgrade process.
The dataplane version that the tenant is being upgraded to.
The preferred time window for the upgrade.
The initial locations that are being upgraded.
The date that the remaining locations will be upgraded.
In addition, a table displays the locations being upgraded, the start date and time window of the upgrade, and the time zone used for the upgrade. The
Upgrade Status
column provides you with the following information:
Upgrade Status	Description
Scheduled	The dataplane upgrade has been scheduled.
Started	The upgrade has started.
In Progress	The dataplane upgrade is in progress.
Re-trying	The dataplane upgrade did not complete successfully, but Prisma Access continues to be operational using the older dataplane version. Prisma Access will retry the upgrade before the maintenance window for the weekend expires.
Success	The upgrade completed successfully.
After the first set of locations has completed the dataplane upgrade, monitor the upgraded locations and perform connectivity, performance, routing, and logging testing to make sure that they upgraded successfully.
When the second set of locations is scheduled to be upgraded, monitor those locations and check their status by selecting
Insights
Network Objects
Prisma Access Upgrade
Upgrade Status by Tenants
.
Prisma Access sends you an email notification after the dataplane upgrade is complete.