Changes to Default Behavior

The following table details the changes in default behavior for the Cloud Services Plugin version 2.2 Preferred.
Component
Change
PAN-OS Dataplane Considerations for Prisma Access Preferred Upgrades
If you are currently running a Prisma Access Preferred release, your dataplane will change from 9.1.7 to 10.0.7. Before Palo Alto Networks upgrades your deployment, you should check the Changes to Default Behavior and Upgrade/Downgrade Considerations for PAN-OS 10.0.
In addition, check that your IKE cryptographic cipher suites are compliant with the 10.0 dataplane and be sure to set
Authentication
to
None
if you use an AES-GCM algorithm for encryption in an IKE crypto profile.
Trailing Slashes Not Allowed for Traffic Steering URLs
If you created custom URL categories and use them in a traffic steering rule, do not enter a trailing slash (/) to URLs (for example,
example.com/
). If you have any trailing slashes in URLs and use them in traffic steering rules, you should remove them before you upgrade the plugin to 2.2 Preferred, or you will receive an error when you Commit and Push your changes.
Change to Supported Cipher Suites for GlobalProtect
Prisma Access has made changes to the supported cipher suites for the SSL/TLS tunnels that are used for communication between mobile users and the GlobalProtect portal and gateways. The following TLS version and cipher suites are supported:
TLS Version:
TLS 1.2
Cipher Suites:
  • aes-256-gcm encryption algorithm, ECDHE key exchange, sha384 authentication algorithm, secp256r1 negotiated EC curve
  • aes-128-gcm encryption algorithm, ECDHE key exchange, sha256 authentication algorithm, secp256r1 negotiated EC curve
  • aes-256-gcm encryption algorithm, DHE key exchange, sha384 authentication algorithm, dh 2048 negotiated EC curve
  • aes-128-gcm encryption algorithm, DHE key exchange, sha256 authentication algorithm, dh 2048 negotiated EC curve
Most Prisma Access deployments will be unaffected by this change; however, if you have issues, you can check the following cipher suite settings.
  • GlobalProtect Portal Connection Issues:
    If your mobile users have older browsers that do not support any of the supported cipher suites, you might experience connection issues to the Prisma Access GlobalProtect portal; in this case, upgrade the mobile users’ browser.
  • GlobalProtect Gateway Connection Issues:
    Prisma Access natively supports the default GlobalProtect cipher settings. However, if you created an SSL/TLS Service Profile that overwrites these settings, and the profile does not include any of the supported ciphers, you might experience connection errors to the GlobalProtect gateway, and you will need to update your cipher settings to one of the supported cipher suites.
Change to Mobile User Egress IP Addresses in the 34.x.x.x IP Range
Palo Alto Networks will be changing the public egress IP addresses for mobile user gateways and portals with the 2.2 upgrade. Palo Alto Networks will be replacing a limited set of older public IP addresses with new Palo Alto Networks-owned public IP addresses to make the allow listing of the public IP addresses simpler and easier.
The change affects your deployment if you have a mobile user deployment with existing security processing nodes (MU-SPNs), including gateways and portals that use an IP address from the ranges mentioned below:
  • 34.96.0.0/13 [34.96.0.0 - 34.103.255.254]
  • 34.104.0.0/16 [34.104.0.0 - 34.104.255.254]
  • 34.124.0.0/16 [34.124.0.0 - 34.124.255.254]
  • 35.203.0.0/16 [35.203.0.0 - 35.203.255.254]
The gateway and portal IP addresses from the IP ranges mentioned above will change to IP addresses from the following subnets:
  • 134.238.0.0/16
  • 165.1.128.0/17
  • 208.127.0.0/16
  • 137.83.192.0/18
  • 66.159.192.0/19
The majority of these new IP addresses will come from the 134.238.0.0/16 subnet; however, a small number might be coming from one or more of the other subnets. If you use allow lists to provide access to internet resources such as SaaS applications or publicly accessible partner applications, you should add the new IP addresses to your allow lists.
This only affects mobile users deployments that use public IP addresses in the 34.96.0.0/13, 34.104.0.0/16, 34.124.0.0/16, and 35.203.0.0/16 ranges mentioned above. Public IP addresses for Remote Networks, Service Connections, Explicit Proxy, and Clean Pipe deployments do not change.
If you are affected by this change and need to update your allow lists, Palo Alto Networks recommends that you perform one of the following actions:
  • Add the following PANW owned subnets to your organization’s allow lists along with the existing IPs and subnets before the 2.2 upgrade in September 2021:
    • 134.238.0.0/16
    • 165.1.128.0/17
    • 208.127.0.0/16
    • 137.83.192.0/18
    • 66.159.192.0/19
    Adding 134.238.0.0/16 ensures that any IP addresses that Prisma Access replaces from IP ranges 34.96.0.0/13, 34.104.0.0/16, 34.124.0.0/16, and 35.203.0.0/16 to the new range 134.238.0.0/16 will not result in any access issues. Please do not remove any existing allow-listed IP addresses from the IP ranges 34.96.0.0/13, 34.104.0.0/16, 34.124.0.0/16, and 35.203.0.0/16 until after the 2.2 dataplane upgrade. You can remove these IP addresses from the allow lists, after the 2.2 dataplane upgrade is finished and the IP replacement has occurred.
  • Run the API to retrieve all new and existing public IP addresses for your Prisma Access deployment, and make sure that all those addresses are added to your allow lists before the start of the dataplane upgrade for Prisma Access 2.2.
Because the IP address changes occur during the dataplane upgrade, Palo Alto Networks recommends that you
do not
delete any existing IP addresses from allow lists until after the upgrade is complete and you have downloaded and installed the Cloud Services plugin 2.2. After the dataplane upgrade is complete, please retrieve the list of all allocated IP addresses and verify that none of the active IP addresses are from the IP subnet ranges 34.96.0.0/13, 34.104.0.0/16, 34.124.0.0/16, and 35.203.0.0/16 mentioned previously. If you do see the active IP addresses from the old IP range, please contact Palo Alto Networks support and report the issue.
DLP Plugin Support for Prisma Access Preferred Upgrades
If you are currently running a Prisma Access Preferred release, your DLP version will change from using Enterprise DLP on Prisma Access to the Enterprise DLP plugin that runs on Panorama. To upgrade, see Upgrade to the Enterprise DLP Plugin—Existing Enterprise DLP on Prisma Access Deployments in the Enterprise DLP Administrator’s Guide.
New WildFire Location Mapping
As a result of the WildFire Germany Cloud (de.wildfire.paloaltonetworks.com) support for Prisma Access, the following countries will be remapped to use the WildFire Germany Cloud:
Andorra, Austria, Bulgaria, Croatia, Czech Republic, Egypt, Germany Central, Germany North, Germany South, Greece, Hungary, Israel, Italy, Jordan, Kenya, Kuwait, Liechtenstein, Luxembourg, Moldova, Monaco, Nigeria, Poland, Portugal, Romania, Saudi Arabia, Slovakia, Slovenia, South Africa Central, Spain Central, Spain East, Turkey, Ukraine, United Arab Emirates, Uzbekistan

Recommended For You