Changes to Default Behavior
The following table details the changes in default behavior for the Cloud Services Plugin version 2.2 Preferred.
PAN-OS Dataplane Considerations for Prisma Access Preferred Upgrades
In addition, check that your IKE cryptographic cipher suites are compliant with the 10.0 dataplane and be sure to set None if you use an AES-GCM algorithm for encryption in an IKE crypto profile.
Trailing Slashes Not Allowed for Traffic Steering URLs
If you created custom URL categories and use them in a traffic steering rule, do not add a trailing slash (/) to URLs (for example, example.com/). If you have any trailing slashes in URLs and use them in traffic steering rules, you should remove them before you upgrade the plugin to 2.2 Preferred, or you will receive an error when you Commit and Push your changes.
Change to Supported Cipher Suites for GlobalProtect
Prisma Access has made changes to the supported cipher suites for the SSL/TLS tunnels that are used for communication between mobile users and the GlobalProtect portal and gateways. The following TLS version and cipher suites are supported:
TLS Version: TLS 1.2
Most Prisma Access deployments will be unaffected by this change; however, if you have issues, you can check the following cipher suite settings.
Change to Mobile User Egress IP Addresses in the 34.x.x.x IP Range
Palo Alto Networks will be changing the public egress IP addresses for mobile user gateways and portals with the 2.2 upgrade. Palo Alto Networks will be replacing a limited set of older public IP addresses with new Palo Alto Networks-owned public IP addresses to make the allow listing of the public IP addresses simpler and easier.
The change affects your deployment if you have a mobile user deployment with existing security processing nodes (MU-SPNs), including gateways and portals that use an IP address from the ranges mentioned below:
The gateway and portal IP addresses from the IP ranges mentioned above will change to IP addresses from the following subnets:
The majority of these new IP addresses will come from the 126.96.36.199/16 subnet; however, a small number might be coming from one or more of the other subnets. If you use allow lists to provide access to internet resources such as SaaS applications or publicly accessible partner applications, you should add the new IP addresses to your allow lists.
If you are affected by this change and need to update your allow lists, Palo Alto Networks recommends that you perform one of the following actions:
Because the IP address changes occur during the dataplane upgrade, Palo Alto Networks recommends that you do not delete any existing IP addresses from allow lists until after the upgrade is complete and you have downloaded and installed the Cloud Services plugin 2.2. After the dataplane upgrade is complete, please retrieve the list of all allocated IP addresses and verify that none of the active IP addresses are from the IP subnet ranges 188.8.131.52/13, 184.108.40.206/16, 220.127.116.11/16, and 18.104.22.168/16 mentioned previously. If you do see the active IP addresses from the old IP range, please contact Palo Alto Networks support and report the issue.
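One way to run the post-upgrade check described above, as an added example that is not Palo Alto Networks code. It assumes the allocated addresses and your allow list have been exported as one IP address per line; the function name `audit_egress_ips` and all sample addresses are constructed, and the retired ranges are passed in rather than hard-coded.

```python
import ipaddress


def audit_egress_ips(old_ranges, allocated, allow_list):
    """Compare allocated egress IPs with the retired ranges and an allow list.

    Returns a dict of three sorted lists of address strings:
      still_old      - active addresses inside a retired range (report to support)
      missing        - active addresses not yet on the allow list (add these)
      safe_to_remove - allow-list entries in a retired range that are no longer active
    """
    # strict=False accepts CIDRs written with host bits set, e.g. "198.51.100.7/24".
    nets = [ipaddress.ip_network(r.strip(), strict=False) for r in old_ranges]

    def parse(lines):
        # Skip blank lines and "#" comments; a malformed entry raises ValueError
        # so a typo in an export is never silently ignored.
        cleaned = (line.strip() for line in lines)
        return {ipaddress.ip_address(c) for c in cleaned if c and not c.startswith("#")}

    def in_old(addr):
        return any(addr in net for net in nets)

    def fmt(addrs):
        # Sort by (version, value) so mixed IPv4/IPv6 input does not raise TypeError.
        return [str(a) for a in sorted(addrs, key=lambda a: (a.version, int(a)))]

    active, allowed = parse(allocated), parse(allow_list)
    return {
        "still_old": fmt(a for a in active if in_old(a)),
        "missing": fmt(active - allowed),
        "safe_to_remove": fmt(a for a in allowed - active if in_old(a)),
    }


# Constructed sample data using RFC 5737 documentation ranges,
# not real Prisma Access addresses.
OLD_RANGES = ["198.51.100.7/24"]
ALLOCATED = ["203.0.113.10", "203.0.113.11", "198.51.100.20"]
ALLOW_LIST = ["198.51.100.20", "198.51.100.21", "203.0.113.10"]

if __name__ == "__main__":
    for name, addrs in audit_egress_ips(OLD_RANGES, ALLOCATED, ALLOW_LIST).items():
        print(f"{name}: {', '.join(addrs) or 'none'}")
```

Any address under `still_old` is the condition the text above says to report to support; entries under `safe_to_remove` should stay on the allow list until the upgrade is complete.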
DLP Plugin Support for Prisma Access Preferred Upgrades
If you are currently running a Prisma Access Preferred release, your DLP version will change from using Enterprise DLP on Prisma Access to the Enterprise DLP plugin that runs on Panorama. To upgrade, see Upgrade to the Enterprise DLP Plugin—Existing Enterprise DLP on Prisma Access Deployments in the Enterprise DLP Administrator’s Guide.
New WildFire Location Mapping
As a result of the WildFire Germany Cloud (de.wildfire.paloaltonetworks.com) support for Prisma Access, the following countries will be remapped to use the WildFire Germany Cloud:
Andorra, Austria, Bulgaria, Croatia, Czech Republic, Egypt, Germany Central, Germany North, Germany South, Greece, Hungary, Israel, Italy, Jordan, Kenya, Kuwait, Liechtenstein, Luxembourg, Moldova, Monaco, Nigeria, Poland, Portugal, Romania, Saudi Arabia, Slovakia, Slovenia, South Africa Central, Spain Central, Spain East, Turkey, Ukraine, United Arab Emirates, Uzbekistan