Features Introduced in Prisma Access 2.2 Preferred
Focus
Focus

Features Introduced in Prisma Access 2.2 Preferred

Table of Contents

Features Introduced in Prisma Access 2.2 Preferred

This section lists the new features that are available in Prisma Access 2.2 Preferred, along with upgrade information and considerations if you are upgrading from a previous Prisma Access version.
To see the changes in default behavior after you upgrade to the Cloud Services plugin 2.2 Preferred and Innovation, see Changes to Default Behavior.

Cloud Services Plugin 2.2 Preferred

Prisma Access 2.2 consists of a single Prisma Access version and it uses the Cloud Services Plugin 2.2 Preferred. There is no 2.2 Innovation version.
A dataplane upgrade is required to upgrade to 2.2 Preferred. This upgrade is required whether you are currently running 2.1 Preferred, 2.1 Innovation, 2.0 Preferred, or 2.0 Innovation. 2.2 Preferred runs on the PAN-OS version 10.0 dataplane.

Upgrade Considerations for 2.2 Prisma Access Releases

A dataplane and infrastructure upgrade is required for all upgrades from an existing Panorama Managed Prisma Access version to 2.2. Preferred. Your dataplane will be upgraded to PAN-OS 10.0.
After you upgrade to the Cloud Services plugin 2.2 Preferred, you receive all supported features in Prisma Access to date, including all Innovation and Preferred features, along with the new features introduced in 2.2 Preferred. If your 2.1 Innovation deployment uses Explicit Proxy for mobile users, Palo Alto Networks will perform additional infrastructure upgrades as a part of the dataplane upgrade. Palo Alto Networks will inform you of these updates using email notifications in the Prisma Access app.
For all upgrades, be sure that you have signed up for alerts in the Prisma Access app. Palo Alto Networks will alert you 21 days in advance for the scheduled date and available time windows for the dataplane upgrade. If you are running a Prisma Access (Panorama Managed) deployment, Palo Alto Networks will make the Cloud Services plugin 2.2 available for you to download and install after Palo Alto Networks upgrades your dataplane. While your existing Cloud Services plugin may continue to work, it is recommended that you install and upgrade your Cloud Services plugin to 2.2. For details about the dataplane upgrade, see Upgrade Your Prisma Access Dataplane in the Prisma Access Administrator’s Guide (Panorama Managed).

Minimum Required Software Versions

For the minimum Panorama version that is supported with 2.2 Preferred, see Prisma Access and Panorama Version Compatibility in the Palo Alto Networks Compatibility Matrix.
Panorama 10.1 is only supported for 2.2 Preferred and the 2.1 Preferred and 2.1 Innovation plugin versions listed in the Minimum Required Panorama Software Versions section in the Palo Alto Networks Compatibility Matrix.
Any other future, unreleased PAN-OS releases will not be supported for use with Prisma Access until further notice.
Prisma Access supports any GlobalProtect version that is not End-of-Life (EoL). A minimum GlobalProtect version of 5.2.6 (5.2.8 recommended) is required to use Autonomous Digital Experience Management (Autonomous DEM) and a minimum of GlobalProtect 5.2.5 is required for GlobalProtect App Log Collection for Troubleshooting.

New Features—Cloud Services Plugin 2.2 Preferred

The following table describes the new features that will be available with Prisma Access 2.2 Preferred.
Feature
Description
IPv6 Support for Private App Access
Prisma Access will support private app access over IPv6 for dual-stack mobile users and single and dual-stack endpoints at branch offices. The feature will help if you are moving to modern networks that leverage IPv6. Prisma Access will allow you to specify IPv6 addresses in components such as the infrastructure subnet, mobile user IP address pools, and BGP peers. Prisma Access will still use public IPv4 IP addresses for the Mobile Users (GlobalProtect) VPN tunnels and service connection and remote network connection IPSec tunnels.
FedRAMP Moderate Support
Panorama Managed Prisma Access has been authorized for FedRAMP Moderate support.
Support for WildFire Germany Cloud
Prisma Access supports the use of the WildFire Germany Cloud (de.wildfire.paloaltonetworks.com), allowing you to utilize the WildFire cloud-based threat analysis and prevention engine, while ensuring that files submitted for analysis stay in the country to address data location concerns.
Note that certain metadata connected to submitted samples, as described in the WildFire Privacy Datasheet, are shared with our other regional clouds. While submissions stay within German borders, German customers still benefit from the global security intelligence and updates based on the network effect of Palo Alto Networks 42,000+ WildFire customers. Sensitive data and submissions are restricted from leaving Germany when using the WildFire cloud threat analysis service. Samples submitted to the WildFire Germany cloud and the resulting malware analysis, signature generation and delivery occur and remain within German borders.
The following locations will use WildFire Germany Cloud:
Andorra, Austria, Bulgaria, Croatia, Czech Republic, Egypt, Germany Central, Germany North, Germany South, Greece, Hungary, Israel, Italy, Jordan, Kenya, Kuwait, Liechtenstein, Luxembourg, Moldova, Monaco, Nigeria, Poland, Portugal, Romania, Saudi Arabia, Slovakia, Slovenia, South Africa Central, Spain Central, Spain East, Turkey, Ukraine, United Arab Emirates, Uzbekistan
SaaS Security Inline Support—Visibility
Prisma Access supports the use of SaaS Security Inline to automatically discover and analyze users’ SaaS activity and data usage for Sanctioned and Unsanctioned applications. Having full visibility into the SaaS applications usage, you can reduce the security risks to your organization, like data leakage, malware entry points, and non-compliance.
SaaS Security Inline is a security service that also offers advanced risk scoring, analytics, and reporting.
Support for Gzip Encoding in Clientless VPN
To allow Prisma Access Clientless VPN users to access Gzip-compressed websites, Prisma Access adds support for Gzip encoding to Clientless VPN deployments.
Multi-Tenant support for Autonomous DEM (ADEM)
To enhance the application experience with multi-tenant deployments, Prisma Access now provides flexibility to distribute and enforce ADEM Mobile User license at each tenant. For details, see the technical documentation for Autonomous DEM.
DLP support for multi-tenant deployments
Prisma Access will allow you to use the same DLP capabilities as that used in single-tenant deployments and on next-generation firewalls by adding Enterprise DLP plugin support to multi-tenant deployments.
Use the following guidelines when implementing Enterprise DLP with Prisma Access in a multi-tenant deployment:
  • If you have an existing DLP deployment and are running a Prisma Access Preferred release, you will need to upgrade from Enterprise DLP on Prisma Access to the DLP plugin after you upgrade to Prisma Access 2.2 Preferred. See the Changes to Default Behavior for details.
    If you are upgrading from an Innovation release to 2.2 Preferred, you are already using the Enterprise DLP plugin and no upgrade is required.
  • You manage DLP data patterns and data filtering profiles at the superuser-level admin user, and all tenants share the same patterns and profiles.
    However, you can implement security policies at a per-tenant level and associate different data filtering profiles per tenant, to allow you per-tenant control over what profiles are used.
  • The superuser-level admin user must commit all changes to Panorama whenever you change any DLP profiles or patterns.
IoT Security Support for EU Region
To provide better worldwide coverage, Prisma Access will add support for the IoT Security region in the EU. The IoT Security EU region (Germany—Europe) maps to the following Strata Logging Service locations:
  • Netherlands—Europe
  • UK—Europe
  • Germany—Europe
If you have set up tunnel monitoring with static routes, you can configure Prisma Access to withdraw the static routes that are installed on service connections and remote network connections when the IPSec tunnel goes down.
You cannot apply this change if tunnel monitoring is not enabled.
This feature will be automatically enabled for Cloud Managed Prisma Access deployments after the 2.2 Preferred upgrade.
Explicit Proxy Enhancements
Prisma Access offers the following enhancements for Prisma Access for Mobile Users:
  • DNS Security with customizable action per DNS category
  • Simplified Workflows for Explicit Proxy Policies
  • Proxy Chaining—Forward HTTP and HTTPS traffic from an on-premise proxy to the proxy used by Explicit Proxy
  • Support User Identity-based Security Policies Using HTTP XAU Header
  • Deployment and Operational Status visibility via Prisma Access Insights
Prisma Access Insights Updates
Prisma Access Insights will offer you the following enhancements:
  • Explicit Proxy support—You will be able to monitor health and usage stats for explicit proxy users.
  • Bandwidth utilization for IPSec termination nodes—For remote networks that allocate bandwidth by compute location, you will be able to check the bandwidth utilization of IPSec termination nodes.
  • Service connection enhancements—Insights will provide you with additional statistics for Service Connections.
To see what’s new in Prisma Access Insights, see What’s New in the Prisma Access Insights technical documentation.