New Features
See what’s new in Prisma Access Cloud Management.
Here’s what’s new in Prisma Access Cloud
Management:
The updates described here better enable
you to use the Prisma Access app to configure and manage your Prisma
Access deployment. To see what’s new for services and add-ons
that are part of your Prisma Access subscription, go to:
|
July 2023
New Features | |
---|---|
Prisma Access Cloud Management on the Strata Cloud
Manager July 21, 2023 | Prisma Access Cloud Management is supported on the new
Strata Cloud Manager platform. Starting in July 2023, we will be
rolling out phased updates to provide you with the new platform
experience. We'll be updating the Prisma SASE Platform so that
it's on the Strata Cloud Manager platform, alongside your other
Palo Alto Networks products and subscriptions that are supported
for unified management. This change gives you a new navigation
for your Prisma Access Cloud Management features, introduces new
features, and means you can use common workflows and features
across Cloud Management and your other products that are also
updated for Strata Cloud Manager. Learn more:
|
Introducing an AI-Powered Network Security Platform -
Strata Cloud Manager July 21, 2023 | Palo Alto Networks Strata Cloud Manager is a new AI-Powered
network security management platform. With Strata Cloud Manager,
you can easily manage and monitor your Palo Alto Networks
network security infrastructure ━ SASE environment ━ from a
single, streamlined user interface. This includes using Strata Cloud Manager to manage and monitor
the cloud-delivered security
services that are included with Prisma Access. Strata
Cloud Manager gives you comprehensive monitoring, alerting, and
visibility into your Prisma Access environment: |
Support for 400 Remote Network Sites per IPSec Termination
Node July 21, 2023 | Prisma Access 3.2 brought you high-bandwidth 1 Gbps remote
networks. Now, Prisma Access 4.0 raises the previous limit of
250 sites per IPSec termination node
to 400 sites per IPSec termination node. |
AIOps-Powered ADEM July 21, 2023 | AI-Powered ADEM is a
Prisma Access add-on license that automates complex IT
operations, to increase productivity and reduce time to
resolution for issues. AIOps-Powered ADEM is supported in Cloud
Management for all Prisma Access users, regardless of the
interface you're using to manage Prisma Access (Panorama or
Cloud Management). If you've enabled the AIOps-Powered ADEM license, the license is
automatically enabled for all compute locations. |
Forwarding Rules Mode for PAC Files July 21,
2023 | You can edit a proxy auto-configuration (PAC) file for explicit
proxy to meet your requirements. The GlobalProtect app proxies
traffic to Prisma Access based on the forwarding rules and logic
in the PAC file. You can edit the PAC file content under Forwarding Rules. |
Agent-Based Proxy Configuration July 21,
2023 | The agent-based proxy feature lets the GlobalProtect app coexist
and interoperate with third-party VPNs: you can secure your
mobile users’ internet traffic through the GlobalProtect app to
the explicit proxy and use the third-party VPN of your choice to
secure private application access.
|
1 Gbps Maximum Bandwidth Support for Remote Network IPSec
Termination Nodes July 21, 2023 | The maximum bandwidth that Prisma Access can allocate to IPSec termination nodes
for remote network deployments
is increasing from 500 Mbps to 1,000 Mbps. This change allows you
to allocate more bandwidth to remote networks. To make this
increase effective, you must allocate a minimum of 501 Mbps to
the compute locations
associated with the IPSec termination nodes. |
Transparent SafeSearch Support July 21,
2023 | Prisma Access allows you to redirect mobile users' search engine
queries to the engine's SafeSearch portal by performing an
FQDN-to-IP mapping. This functionality can be useful if you're
providing guest Wi-Fi for customers at a store. |
Private IP Visibility and Enforcement for Explicit Proxy
Traffic Originating from Remote Networks July 21,
2023 | You can now use the private IP addresses of the systems in your
branch locations that are forwarding traffic to Explicit Proxy.
You can use the private IP address to skip authentication of
headless systems that can't authenticate, set up security
policies, and get visibility of the traffic on Prisma Access
Explicit Proxy. You can enable this functionality when you secure users and
devices at a branch with a site-to-site IPSec
tunnel using Remote Network and Explicit Proxy Secure
Processing Nodes (SPNs). |
Support for 15,000 Remote Network Sites July 21,
2023 | You can create up to 15,000 Remote Networks to secure
branch sites with Prisma Access. |
May 2023
New Features | |
---|---|
Integrate Prisma Access with Cisco Meraki
SD-WAN May 05, 2023 | Onboard Cisco Meraki MX
SD-WAN devices with Prisma Access using the
latest simplified and automated tunnel creation instead of
onboarding them manually as in previous releases. |
April 2023
New Features | |
---|---|
Regional private IP address pools for Mobile Users -
GlobalProtect April 27, 2023 | To allow you to be more granular in your Mobile
Users-GlobalProtect IP address pool allocation, you can specify
granular IP pools for the locations that are available with the
feature, as well as Worldwide or per Prisma Access theater. |
New Prisma Access locations With Local
Zones April 27, 2023 | Prisma Access will add locations that are in local zones. These
locations have their own compute locations. The following
locations will be supported:
You onboard local zones in the same way as any other Prisma
Access location, and the local zones are available in mobile
users—GlobalProtect, remote network, and service connection
deployments. The local zone locations do not use Palo Alto Networks registered
IP addresses and do not support the following Prisma Access
features:
|
Prisma Access Version April 27,
2023 | Displays the current Prisma Access version that your deployment
is running. |
New Prisma Access Cloud Management
Location April 27, 2023 | Prisma Access Cloud Management can now be deployed in the
Singapore region. |
March 2023
New Features | |
---|---|
New Application Support March 29, 2023 | Enterprise DLP now supports the following new applications:
|
Expanded Download Support for Existing Applications March 29, 2023 | Enterprise DLP now supports download inspection for the following
applications:
|
Expanded File Size Support for Existing Applications March 29, 2023 | Enterprise DLP now supports large file inspection for the
following applications:
|
Two New Ways to Access Prisma Access Cloud
Management March 10, 2023 | We’re working on transforming your management
infrastructure and experience to more advanced features and
capabilities. Towards this goal, and as part of the March
release upgrade, your Prisma Access Cloud Management instance
will be migrated to a new hub view and the app will have a new
name and URL. You won't experience any disruption to your
infrastructure or services during the migration. Importantly, after we migrate your instance
during the March release upgrade:
|
Custom Role-Based Access
Control March 10, 2023 | Prisma Access Cloud Management implements custom Role-Based Access Control
(RBAC), to enable you to manage roles or specific
permissions, and assign access rights to administrative users.
Using RBAC, you can manage users and their access to various
resources within Cloud Management. If you require more granular access control than the predefined
roles provide, you can add custom roles to define which
permissions are enforced for your users. Similar to predefined
roles, custom roles are a set of permissions and permission
sets. Unlike predefined roles, each custom role is assignable
only to the users in the hierarchy under the Tenant Service
Group (TSG) where it is defined. This avoids name conflicts
between similarly named custom roles defined by different
customers. |
Cloud Management UI and Navigation Changes March 10,
2023 |
|
Dual Authentication Portal Support for Mobile
Users—GlobalProtect Deployments March 10,
2023 | You can configure two Mobile Users—GlobalProtect portals in
Prisma Access, with each portal supporting a different
authentication method on a single Prisma Access tenant (for
example, one portal configured for RADIUS authentication and one
portal configured for SAML authentication). |
EDL Hosting Service Support—Microsoft Defender, Zoom, and
GitHub March 10, 2023 | The EDL Hosting Service is
a list of Software-as-a-Service (SaaS) application endpoints maintained
by Palo Alto Networks. Supported SaaS providers include Microsoft
365, Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP),
Salesforce (SFDC), and now Microsoft Defender, Zoom, and GitHub. You
can subscribe to Microsoft 365 endpoint
lists directly from Prisma Access Cloud Management. To
subscribe to Azure, AWS, GCP endpoint lists, SFDC public endpoints,
Microsoft Defender, Zoom, and GitHub, create an external dynamic
list (EDL) based on the feed URL. |
Support Updates March 10,
2023 |
|
Configure Welcome Page for all the GlobalProtect App
Settings March 10, 2023 | You can now configure Welcome Page individually
for all the GlobalProtect app settings. You can select the
predefined factory default page, custom page, or none. If you select None,
the welcome page is not enabled for the app setting. |
Renamed Cloud Management Tenant Name March
10, 2023 | The existing Cloud Management Tenant
Name on the Manage Configuration Overview is renamed to Prisma Access Tenant Name. |
Bypass Decryption for Select Containers
in Web Security March 10, 2023 | You can now bypass decryption for select containers in Web Security. Previously in Web Security, decryption rules
were pushed to your chosen scope by default, regardless of whether
you needed them for your network settings. Now, revised Web Security
settings let you exclude the following from decryption:
|
Licensing Enhancements (Additional Mobile
User locations and Service Connections) March 10, 2023 | The following Prisma Access license enhancements are
added:
|
NAT Support for Private Applications March
10, 2023 | You can specify a subnet at one or more
service connections that are used to NAT traffic between Prisma Access
GlobalProtect mobile users and private applications and resources
at a data center. You can use either RFC1918 or RFC6598 addresses as the subnets. |
Allow XAU Headers to be Trusted from
Explicit Proxy Source IP Addresses March 10, 2023 | If you have an Explicit Proxy deployment
and have added a list of trusted source IP addresses, you can specify
Explicit Proxy to use X-Authenticated-User (XAU) headers from these
trusted addresses on incoming HTTPS or HTTP traffic for identity.
Use this functionality to allow users who are logged in through another
proxy that uses XAU headers for authentication. |
February 2023
New Features | |
---|---|
Enterprise DLP — Predefined DLP Policy Manager and DLP
Incident Manager App Roles February 20, 2023 | Two new predefined access roles are introduced to help control
access to Enterprise DLP based on user function. |
Enterprise DLP — Support for Cloud Services Server in
Australia February 20, 2023 | Enterprise DLP users can edit the Cloud Content
Settings to add a Fully Qualified Domain Name (FQDN)
for the Cloud Services server in Australia to scan Enterprise
DLP data. |
November 2022
New Features | |
---|---|
Next-Generation CASB-X November 18,
2022 | The Next-Generation Cloud Access
Security Broker (CASB-X) license contains all the
CASB components such as SaaS Security Inline, SaaS Security API,
SaaS Security Posture Management (SSPM), and Enterprise DLP. It
can be applied on Cloud-Managed Prisma Access, Panorama Managed
Prisma Access, and Panorama-Managed Next Generation Firewall
(NGFW) devices in a single tenant environment. |
Enterprise DLP — Web Form Data Inspection for Enterprise Data
Loss Prevention on Cloud Management November 16, 2022 | More data is being exchanged in non-file formats that leverage
collaboration applications, web forms, Cloud applications, and
social media. Enterprise DLP now supports inspection of non-file
format traffic on Prisma Access (Cloud Managed) to strengthen
your security posture and prevent exfiltration of sensitive
data. |
EDL Hosting
Service—Salesforce November 15, 2022 | The EDL Hosting Service is
a list of Software-as-a-Service (SaaS) application endpoints.
Supported SaaS providers include Microsoft 365 and Azure, Amazon
Web Services (AWS), Google Cloud Platform (GCP), and now
Salesforce (SFDC). To subscribe to Azure, AWS, GCP endpoint lists, and SFDC public
endpoints, create an external dynamic list (EDL) based on the
feed URL. |
Cloud Identity Engine (CIE) Authentication
Support for Explicit Proxy November 15,
2022 | You can now use CIE, along with SAML
and Kerberos, to authenticate Explicit Proxy connections. The
CIE authentication method is displayed only if the Cloud
Authentication Service (CAS) is enabled. |
1 Gbps Maximum Bandwidth Support for Remote Network November 15, 2022 | The maximum bandwidth that
Prisma Access can allocate to a node for IPSec termination and
inspection is increasing from 500 Mbps to 1000 Mbps. This change
allows you to allocate more bandwidth to a remote network
site. |
DNS Proxy Enhancements November 15, 2022 | You can now select Advanced RCODE Support
in the advanced DNS settings to allow
the primary DNS server to fail over to the secondary DNS server
if an RCODE 2 (SERVFAIL) and RCODE 5 (REFUSED) DNS return code
is received. |
Pre-Prod or Lab Tenant November 15, 2022 | You can now enable a tenant in your Prisma Access deployment as a
pre-production or lab
tenant to explore all features before you enable them
in other production tenants. |
October 2022
New Features | |
---|---|
Enterprise DLP — Support for Cloud Services Server in
India October 20, 2022 | Enterprise DLP users can edit the Cloud Content
Settings to add a Fully Qualified Domain Name (FQDN) for
the Cloud Services server in India to scan Enterprise DLP
data. |
Terminal Server (TS) Agent for User Mapping October
3, 2022 | Palo Alto Networks Terminal Server (TS) Agent
allocates a port range to each user to identify specific users on
Windows-based terminal servers. The TS Agent notifies Prisma
Access of the allocated port ranges, so that Prisma Access can enforce
policy based on users and user groups. You can now configure the
TS Agent for user mapping from the Identity Redistribution Remote Networks |
Prisma SD-WAN Add-On License October
3, 2022 | Prisma SD-WAN is an add-on
license on Prisma Access. The Prisma Access Licenses page now
also shows Prisma SD-WAN if you have added it to your Prisma Access. |
CASB Bundle to Include SaaS Security
Posture Management (SSPM) October 3, 2022 | Cloud Access Security Broker (CASB) bundle
now includes SaaS Security Posture Management
(SSPM) along with SaaS Security Inline, Enterprise Data Loss Prevention
(DLP) Inline, SaaS Security API, and Data Loss Prevention (DLP)
API. |
Prisma Access 3.2 Innovation Features October
3, 2022 | Advanced URL Inline Categorization: You
can use Advanced URL Inline Categorization to
enable real-time web page analysis and manage URL exceptions. Real-time
URL analysis is available locally and in the cloud as a part of
the Advanced URL Filtering service. Advanced Threat Prevention: Advanced Threat Prevention can
detect many unknown and targeted command and control (C2) attacks as
well as evasive attacks from tools such as Cobalt Strike. Enterprise
DLP Support for Non-File Based Web Traffic: You can now
enable Enterprise DLP inspection
of sensitive data for non-file based traffic. |
Prisma Access - Web Security File
Control October 3, 2022 | You can now take action on files entering your
network via allowed applications, create custom file control profiles,
and use your custom profiles in your web access policies. |
September 2022
New Features | |
---|---|
Transition to Prisma SASE Platform | Prisma Access is being transitioned
to the Prisma SASE Platform to provide these benefits. As a part
of this transition, you may experience a difference in the steps
to access Prisma Access. Learn about the transition to Tenant Management Through the
Prisma SASE Platform. |
Global Protect: Proxy Auto-Configuration (PAC)
File URL September 8, 2022 | Specify the Proxy Auto-Configuration (PAC)
File URL that you want to push to the endpoint to configure proxy
settings. The maximum URL length is 256 characters. The following
Proxy Auto-Configuration (PAC) File URL methods are supported:
|
Global Protect: Advance
Internal Host Detection September 8, 2022 | Enable Advance Internal Host
Detection to add an extra security layer during internal
host detection by the GlobalProtect app. With the advance internal host
detection, the app validates the server certificate of the internal
gateways in addition to performing a reverse DNS lookup of the internal host
to determine whether the app is inside the enterprise network. Enabling
the advance internal host detection stops malicious actors from
spoofing the reverse DNS server response during the internal host
detection and thereby prevents unauthorized access to the endpoints in
the enterprise network. If you do not enable the advance internal
host detection, the existing internal host detection works as expected. |
August 2022
New Features | |
---|---|
Enterprise DLP — Nested Data Profiles August 30, 2022 | Enterprise DLP now supports creating a single data profile
containing multiple nested data profiles on the DLP app and Prisma Access (Cloud
Managed). This enables you to consolidate the match
criteria that prevent exfiltration of sensitive data into a single
data profile that can be leveraged in a single Security policy
rule. |
July 2022
New Features | |
---|---|
Enterprise DLP Audit Logs on Prisma Access (Cloud
Managed) July 29, 2022 | Review your Enterprise DLP Audit logs on Prisma Access Cloud
Management for a comprehensive history of when data
patterns, data profiles, and data filtering are created,
modified or deleted across your Enterprise DLP security
service. |
Create an API Token on Prisma Access (Cloud Managed) July 29, 2022 | Enterprise DLP now supports creating an API Token on Prisma
Access Cloud Management. |
Kerberos Authentication for Explicit
Proxy July 28, 2022 | You can now use Kerberos as your authentication
method for Explicit Proxy mobile users. Learn more about Kerberos authentication. |
Web Security: Inline Details
for Policy Actions July 28, 2022 | We’ve replaced the Action column
with two new columns, URL Categories and Web Applications.
You can now hover over an allowed Web Application or URL Category
to see additional details about how it’s allowing traffic through
your network. URL Categories:
Web Applications:
|
June 2022
New Features | |
---|---|
Enterprise DLP — Monitor the DLP Service Status on Prisma
Access (Cloud Managed) June 22, 2022 | You can now monitor the DLP service
status from Prisma Access Cloud Management. |
Enterprise DLP — End User Alerting with Cortex XSOAR Support
for Microsoft Teams June 22, 2022 | Enterprise DLP now supports end user alerting using Microsoft
Teams by leveraging integration with Cortex
XSOAR. |
Enterprise DLP — Manage Enterprise DLP Incident
Resolutions June 22, 2022 | Assign and manage the case resolution status for Enterprise DLP
Incidents on the DLP app or Prisma Access Cloud
Management when traffic matches your data profiles or
data filtering profiles. |
May 2022
New Features | |
---|---|
Kerberos Authentication for Explicit
Proxy May 12, 2022 | This month’s release includes these updates
to Web Security Management:
|
Prisma Access Updates May
12, 2022 |
|
Migration Support for QoS: Migrate from the
legacy model, where you allocate bandwidth per Prisma Access location,
to the new model, where you aggregate bandwidth for the wider compute
location (requires Prisma Access 3.1). You are now eligible for migration
to the new model even if you have QoS profiles configured. | |
QoS Statistics: QoS stats give
you real-time and historical QoS data for service connections and
remote networks with QoS enabled. | |
Enterprise DLP — Data Filtering Profile Updates May 12, 2022 | All Data Profiles that you create directly
in Prisma Access Cloud Management, on the Data Loss Prevention dashboard, can
now be used in a security rule. To do this, you’ll need to
first add a Data Profile to a profile group—you can
then add the profile group to a security rule so that the Enterprise
DLP profile filters traffic matching the rule. |
Enterprise DLP — Support for Microsoft Azure to Save Evidence
Storage for Investigative Analysis May 12, 2022 | Enterprise DLP now allows you to configure cloud storage on
Microsoft Azure to save evidence for investigative
analysis on the DLP app on the hub and Prisma Access (Cloud
Managed). |
Enterprise DLP — Search DLP Incidents Using Report ID May 12, 2022 | Enterprise DLP now supports searching DLP incidents using a
Report ID on the DLP app and Prisma Access Cloud
Management. |
Enterprise DLP — Support for Cloud Services Server in the
United Kingdom May 12, 2022 | Enterprise DLP users can edit the Cloud Content
Settings to add a Fully Qualified Domain Name (FQDN)
for the Cloud Services server in the United Kingdom (UK) to scan
Enterprise DLP data. |
April 2022
New Features | |
---|---|
Enterprise DLP — End User Alerting with Cortex XSOAR April 28,
2022 | Enterprise DLP now supports end user alerting using
Slack by leveraging integration with Cortex XSOAR. This allows
your team to understand why an upload was blocked, enables self-service
temporary exemptions for uploads, and provides an audit trail to
understand the upload and response history for data scanned by the
DLP cloud service. |
Enterprise DLP — Save Evidence Storage for Investigative
Analysis April 28, 2022 | Prisma Access (Cloud Managed) now allows you
to save evidence for investigative
analysis on Prisma Access Cloud Management when leveraging
Enterprise data loss prevention (DLP). |
Support for CASB Bundle and Activation April
10 | Palo Alto Networks will provide a SKU that allows
you to purchase and activate all the components required for the
cloud access security broker (CASB) security offering, which includes
the following products:
Requires Prisma
Access 3.1. |
Prisma SASE Multitenant Cloud Management
Platform April 10 | introduces capabilities for Managed Security Service
Providers (MSSPs) and for distributed enterprises. These include
multitenancy, flexible license activation, and role based access. |
Prisma SASE APIs April 10 | Prisma SASE introduces APIs that Managed Security
Service Providers (MSSPs) can use to configure and monitor Prisma
Access. These APIs can also be used to manage the multitenant hierarchy,
and manage access to tenants through role assignment. See https://pan.dev/sase/docs for more
information. |
March 2022
New Features | |
---|---|
SaaS Security Inline: SaaS Policy Recommendations (3.0 Innovation
Deployments Only) | To gain visibility into and control of SaaS applications,
SaaS Security admins create SaaS rule recommendations with specific
SaaS App-IDs provided by the App-ID Cloud Engine (ACE). In
Prisma Access Cloud Management, you can now review and choose to
accept the rules that SaaS Security admins recommend. SaaS rule recommendations
are added to your web access policy—you must have Web Security enabled to
leverage SaaS rule recommendations. Here’s
how it works:
|
GlobalProtect: SSO Using Smart
Card Authentication | You can now enable SSO with smart card authentication
for your GlobalProtect mobile users. When a user logs in to their
Windows endpoint, the GlobalProtect app acquires and remembers their smart
card PIN to authenticate them. How to get started:
|
Certificate-Based Authentication for
IKE | You can now use certificates to authenticate IPSec
devices located at remote network or service connections sites to
Prisma Access. Until now, you’ve needed to use pre-shared keys for
IKE authentication. Here’s how to set up IPSec tunnels and certificate-based
IKE authentication for: |
Identity Redistribution Updates | Prisma Access Cloud Management automatically
enables service connections to work as identity redistribution agents
(also called User-ID agents). For Prisma Access to send identity
data to on-premises devices (Panorama or a next-gen firewall), you
must add a service connection’s User-ID agent details to the on-premises devices. You
can now Enable Collector Settings for the service connection so that
its User-ID agent information includes a collector
name and pre-shared key. You’ll enter a
pre-shared key, and Prisma Access will assign a collector name to
the service connection. To better secure the data redistribution connection,
include the collector name and pre-shared key when you add Prisma
Access as a redistribution agent on a next-gen firewall or Panorama. |
Enterprise DLP — Support for 7-ZIP File Inspection March 15, 2022 | Enterprise DLP now supports inspection of 7Z ZIP
files for the 7-ZIP file archiver. |
Enterprise DLP — Enhanced Support for Image Detection March 15, 2022 | Enterprise DLP now supports detection of .jpg, .jpeg, .png, .tif,
and .tiff image file types when Optical Character Recognition
(OCR) is enabled. |
Enterprise DLP — Nested Data Profile Match Criteria March 15, 2022 | Enterprise DLP now supports nesting additional match criteria for
data profiles on the
DLP app and Prisma Access (Cloud Managed) to more accurately
define your compliance rules. |
February 2022
New Features | |
---|---|
Prisma Access 3.0 Features February
28, 2022 | In addition to the Prisma Access 3.0 features
that were released for cloud management in January, Prisma
Access 3.0 feature support now includes:
|
Web Security Updates February
28, 2022 | This month’s release includes these updates
to Web Security Management:
|
January 2022
New Features | |
---|---|
Prisma Access 3.0 January
27, 2022 | Prisma Access 3.0 is now live.
Here are the Prisma Access 3.0 features that Prisma Access Cloud
Management supports with the January 2022 release. PRISMA
ACCESS 3.0 PREFERRED
|
New Guided Walkthrough: SAML January
27, 2022 | A new guided walkthrough makes
it easy to set up SAML authentication for Prisma Access. |
Policy Optimizer: Exclusions
and Troubleshooting January 27, 2022 | Policy Optimizer now includes
an exclusion list, and you can troubleshoot rules that failed to
optimize:
|
Troubleshooting for EDLs January
27, 2022 | Get the status and latest details for the External
Dynamic Lists (EDLs) that you’re using with Prisma Access, and:
To get started, go
to External Dynamic Lists, set the scope
to Remote Networks or Mobile Users
- GlobalProtect, and check the EDL Status. |
Web Security: Update to
Vulnerability and C2 Protection Settings January 27,
2022 | The web security default settings for Vulnerability
and C2 protections are now set to block medium, high, and critical
severity threats by default. If you want to customize these protections
more granularly, you can refine protection coverage based on severity
or threat type.
|
GlobalProtect: Force Logout January
27, 2022 | See your GlobalProtect users that
are currently logged in and that have logged in during the past 90 days.
For currently logged in users, you also have the option to log them
out of GlobalProtect. The Force Logout option
disconnects the user or selected users from GlobalProtect. To
get started, go to Manage Service Setup GlobalProtect GlobalProtect App User Status.
|
GlobalProtect: Ticket Request
to Disable GlobalProtect January 27, 2022 | Instead of enabling users to directly disable GlobalProtect,
you can allow a user to request for GlobalProtect to be disabled.
You can then decide whether to disable GlobalProtect or not and
specify for how long GlobalProtect can be disabled. After
you’ve set this up, here’s how it works:
|
Enterprise DLP — New Data Patterns For Enterprise DLP January 7, 2022 | Enterprise DLP now includes 56 new data patterns and 5 new data
profiles. New data patterns include PCI data patterns for full
bank account numbers, routing numbers localized in various
countries (Australia, Canada, parts of Europe, China, and
Japan), IBAN numbers, CCNs for various credit card types
(American Express, Visa, Mastercard, and Discover). |
Enterprise DLP — Expedited Enablement of Optical Character
Recognition (OCR) January 7, 2022 | Optical Character Recognition (OCR) enablement is now expedited
when enabled on Prisma Access (Cloud Managed) or on the DLP app
on the hub for Next-Generation firewalls and Prisma Access
(Panorama Managed). Now when you request OCR enablement, the
request is fulfilled in 15 minutes after it is received by the
DLP cloud service. |
Simplified Integration for Remote Browser
Isolation (RBI) January 6, 2022 | Prisma Access easily integrates with RBI providers,
to redirect users so that they can access unknown or even risky
resources in an isolated and contained environment. You’re able
to provide your users with a seamless experience, without allowing
them to directly access potentially malicious content. In
just a step or two, you can enable the RBI provider to integrate
with, and then choose the URL categories that you want to direct
to the RBI provider’s hosted environment. |
Explicit Proxy—PAC File Editor January
6, 2022 | As part of the simple setup for Explicit Proxy,
you can now customize and manage the Explicit Proxy PAC file directly
in Prisma Access, including validating syntax. |
EDL Hosting Service — AWS and GCP Endpoints
Lists January 6, 2022 | The EDL Hosting Service is
a list of Software-as-a-Service (SaaS) application endpoints. Supported
SaaS providers include Microsoft 365 and Azure, and now Amazon Web Services
(AWS) and Google Cloud Platform (GCP). You can subscribe to Microsoft 365 endpoint
lists directly from Prisma Access Cloud Management. To
subscribe to Azure, AWS, and GCP endpoint lists, create an external
dynamic list (EDL) based on the feed URL. |
Support for Certificates in DER and PEM
Formats January 6, 2022 | You can now import and export PEM-formatted certificates,
and you can import DER-formatted certificates (export for DER-formatted
certificates is in the works). |
Enterprise DLP: EDM Updates and Snippet
Settings January 6, 2022 | Prisma Access Cloud Management now supports:
|
December 2021
New Features | |
---|---|
SaaS Security Dashboard December
2, 2021 | SaaS Security Inline is built into Cloud Managed
Prisma Access to give you a centralized view of network and CASB
security. SaaS Security Inline offers SaaS visibility—advanced analytics and reporting—so that your organization
has the insights to understand the data security risks of sanctioned
and unsanctioned SaaS application usage on your network.
|
Enterprise DLP — New Data Profiles for Enterprise DLP December 2, 2021 | Enterprise data loss prevention (DLP) now includes 7 new
predefined data patterns and 2 new predefined data profiles to
provide scanning for medical codes, NPI codes, and more
credentials, access tokens, and keys. |
November 2021
New Features | |
---|---|
Enterprise DLP Updates November
18, 2021 | You can now comprehensively manage Enterprise
DLP on Prisma Access Cloud Management. The Enterprise DLP
dashboard is built out so you can manage your Enterprise DLP configuration
directly from Prisma Access Cloud Management, and new features are
supported including Optical Character Recognition (OCR), where DLP
scans images in supported file types for sensitive content. |
New Guided Walkthrough November
18, 2021 | A new guided walkthrough makes
it easy to:
|
Autonomous DEM for Remote Networks November
12, 2021 | Autonomous DEM is now supported for remote
networks. To enable Autonomous DEM for remote networks, turn on
Autonomous DEM for a compute location. Autonomous DEM will begin
monitoring all the remote networks in the compute location. |
Enterprise DLP — Exact Data Matching November
2, 2021 | Exact Data Matching (EDM) for Enterprise DLP
is now available for Cloud Managed Prisma Access. EDM is an
advanced detection tool to monitor and protect sensitive data from exfiltration.
Use EDM to detect sensitive and personally identifiable information
(PII) such as social security numbers, Medical Record Numbers, bank
account numbers, and credit card numbers, in a structured data source
such as databases, directory servers, or structured data files (CSV
and TSV), with high accuracy. |
Trusted IP Address List for Administrator
Access November 2, 2021 | Specify trusted IP addresses for
Prisma Access cloud management administrators. Only administrators
that log in from these source IP addresses (and that also successfully authenticate)
can access Prisma Access cloud management. To get started, go to
Settings > IP Restrictions on the navigation panel. |
Policy Optimizer — History and Results
for Optimized Security Rules November 2, 2021 | Policy Optimizer now includes
history for security rules you’ve optimized. Historical data includes
the optimization results: compare the original rule’s traffic coverage
against the optimized rules. |
Routing Information for Remote Networks
and Service Connections November 2, 2021 | For troubleshooting purposes, you can now
view the routing table for a remote network site or service connection
site. Find the Routing Information button
on the remote networks or service connection dashboard. |
New Guided Walkthrough November
2, 2021 | A new guided walkthrough makes
it easy to:
|
October 2021
New Features | |
---|---|
A dedicated management experience is now available
for web security admins focused on controlling access to the internet
and SaaS applications. Web Security Management consolidates
web access policy controls in one place, and includes built-in best
practice settings. In one click, web security admins can enable
a best practice web access policy to start securing all web-bound
traffic for all users. This new web access policy layer works seamlessly
with your existing security policy. | |
New Guided Walkthroughs | New guided walkthroughs make
it easy to:
|
Cleanup for Zero Hit Objects | Optimizing your security policy now
includes the option to clean up zero hit objects. Objects
are the building blocks you use to write policy; a zero hit
object is an object that you’re using in your security policy,
but in at least one rule, it’s not matching against traffic. To
make sure the object is used effectively and doesn’t introduce security
gaps, remove it from the rules where it’s not enforcing traffic. |
Optional and Required Endpoint Lists
for Microsoft 365 | You can now subscribe to optional and required Microsoft 365 endpoint lists. Go
to Manage > Configuration > Security Services > SaaS Application Management > Microsoft
365 Endpoint Lists. Go to Customize Subscription to
subscribe to the new endpoint lists. You’ll find that each of the
services under Worldwide (including GCC) now includes lists for both
optional and required endpoints. |
Your Prisma Access Version and Tenant Information | For easy reference, you’ll now find version
and tenant information for your Prisma Access environment on the Overview dashboard (Manage Service Setup |
GlobalProtect — New App Settings | Persist for User Input: Go to GlobalProtect > GlobalProtect App > App Configuration > Advanced Options > App. |
Endpoint Traffic Policy Enforcement: This
is turned off by default. Go to GlobalProtect > GlobalProtect App > App Configuration > Advanced Options > Enforcement. | |
SaaS Security Inline — Visibility | You can now use the SaaS Security Inline
app with Prisma Access. SaaS visibility provides advanced analytics
so you can understand the data security risks of sanctioned and
unsanctioned SaaS apps on your network. SaaS Security Inline
is an add-on to your Prisma Access license. To see what’s included
with your license, go to Manage Service Setup Overview License information. |
Enterprise DLP — Support for Data Profiles Containing EDM
Datasets and Data Patterns | Enterprise DLP now supports creating custom data profiles on the
DLP app on the hub that contain both data pattern and Exact Data
Matching (EDM) datasets to define the match criteria. |
August 2021
New Features | |
---|---|
Policy Optimizer (try it
now while it’s available for early access) | Policy rules that are too broad, allowing
applications that aren’t in use in your network, introduce security
gaps. Prisma Access identifies these overly permissive rules
for you, and enables you to easily replace them with more specific
rules that only allow the applications you’re actually using.
|
Enterprise DLP on Prisma Access | Data loss prevention (DLP) protects sensitive information
against unauthorized access, misuse, extraction, or sharing. Enterprise
DLP on Prisma Access enables you to enforce your organization’s data
security standards and prevent the loss of sensitive data across
mobile users and remote networks. Important: If you’re
already using Panorama to manage Enterprise DLP for next-gen firewalls,
your DLP configuration in Prisma Access cloud management is read-only;
continue to manage DLP from Panorama. Enterprise DLP
is an add-on license on Prisma Access. You can either start with
a 60-day trial or purchase a license to use Enterprise DLP on Prisma
Access. |
Configuration Snapshots —
Load and Compare | Prisma Access gives you a snapshot of all
your configuration versions. You already have the option to directly
restore an earlier configuration version to Prisma Access. Now,
you can also:
|
Translated UI:
| The Prisma Access Cloud Management interface
is now available in German, French, and Japanese. If one of these
languages is the preferred language in your browser, you’ll automatically
start seeing the translated interface next time you log in. You
might still see some text that remains in English—that’s okay, it
won’t last long! We’ll be translating the latest features and updates
each month, and will catch this the next time around. |
Prisma Access 2.2 Preferred Support | Learn about the Prisma Access 2.2 Preferred release
here. The features supported for Prisma Access Cloud Management are: Send IPv6 traffic to Prisma Access; Explicit Proxy Enhancements;
WildFire Germany Cloud. |
Device Quarantine Support | Prisma Access allows you to identify and quarantine
compromised devices with the GlobalProtect app. You can either manually
or automatically (based on auto-tags) add devices to a quarantine
list. You can block quarantined devices from accessing the network,
or restrict the device traffic based on a security rule. To
get started, go to Configuration > Objects > Quarantined
Device List. Then use the list as part of identity redistribution. |
Best Practice Checks for Mobile Users (GlobalProtect) | Live best practice checks for your GlobalProtect
configuration help you to pinpoint where you can strengthen your
security posture. |
Custom Response Pages for Mobile Users (GlobalProtect) | Create your own custom GlobalProtect response
pages with your corporate branding, acceptable use policies, and
links to your internal resources. |
Two New Guided Walkthroughs | Two new guided walkthroughs make it easy to:
|
Best Practices Dashboard and PDF Report | Measure your security posture against Palo Alto
Networks’ guidance and check for CIS Critical Security Controls
(CSC) compliance with the new best practice report. (It covers 40+
checks). |
Share Your Feedback | Easily share your feedback on your Prisma Access
experience. Let us know what’s working for you, and how we can make
Prisma Access even better. |
July 2021
New Features | |
---|---|
Best Practice Template for Explicit Proxy | So you can quickly start securing explicit proxy
connections, we’ve added new best practice security and decryption rules,
application filters and groups, and a URL Access Management profile.
These built-in best practice settings were created specifically
for explicit proxy, and provide a template for securing explicit
proxy connections. Enable this best practices template in
just two clicks. The best practice objects and profiles are already
added to the best practice rules, so all you need to do is enable
the security and decryption rules to get going:
When
you’re up and running, you can customize the best practice template
to fit the needs of your organization. |
CloudBlade is now supported for Prisma Access Cloud
Management. | |
EU Support for Prisma Access Cloud Management | Your Prisma Access environment can now be hosted
in Europe (in the Netherlands).
|
June 2021
New Features in June 2021 | |
---|---|
Easy M365 Enablement | Built-in security and decryption rules,
as well as a guided walkthrough, mean you can safely enable M365
in just a few clicks.
|
GlobalProtect App Versions | You can now choose the version of the GlobalProtect
app you want to make available for your mobile users. While
Prisma Access hosts several GlobalProtect app versions, only one
of the hosted versions is active. When mobile users log in to the Prisma
Access portal, the active version is the one they download and use
on their Windows and macOS devices; this is the version you can
now choose. And
at any time, you can go to the Overview dashboard to see the active
GlobalProtect app version. Along with choosing the GlobalProtect app version
you want to make available, use the GlobalProtect app settings to
specify whether mobile users can upgrade to that version and, if
they can, whether they can choose when to upgrade. |
Config Load | In addition to restoring an earlier config version,
you can now also load an earlier config version. While restoring
an earlier config version directly replaces your running configuration
with that version (no config push required), loading an earlier
config version replaces your candidate configuration with that version.
This gives you some time to review the configuration or make adjustments
before pushing the config to Prisma Access. Go to Manage > Service Setup > Overview > Config Version Snapshots. |
Security Rule Schedules | By default, security policy rules are always in
effect (all dates and times). To limit a security rule to specific
times, you can define schedules, and then apply them to the appropriate
rules. For each schedule, you can specify a fixed date and time
range or a recurring daily or weekly schedule. Add or edit a security
rule to get started. |
Prisma Access 2.1 Innovation Features | Explicit Proxy Enhancements
Support for Secure Inbound Access for Deployments that Allocate Bandwidth
by Compute Location: Remote network deployments that allocate bandwidth
by compute location instead of on a per-location basis will now
support using remote networks to allow inbound access to internet-connected
applications. Secure inbound access for remote networks
is still supported for legacy deployments that allocate bandwidth
by location. |
May 2021
New Features in May 2021 | |
---|---|
Prisma Access gives you simple, centralized management
for your SaaS applications. For Microsoft 365 apps, Google apps, Dropbox, and YouTube you’ll find features
that you can turn on in two steps or less to safely enable the applications
for enterprise use, including:
| |
Expanded Inline Help | We’ve re-imagined the help that’s built
in to Prisma Access cloud management, so that the information you
need is at your fingertips, at the exact moment you need it.
|
Bookmark the new Live Community page for Prisma
Access cloud management. Find expert articles, share ideas, and
ask questions. | |
New Config Management Features | Sometimes a configuration push can have unintended
security implications or an unexpected impact on traffic. To recover
from this, you can restore an earlier configuration version. |
Objects
that aren’t referenced in policy and rules without any traffic hits
can clog up performance and complicate policy management. Now you
can easily clean up:
| |
Support Updates |
|
Mobile
Users Statistics Updates | Insights has the following improvements
for the current and historical mobile user count:
|
April 2021
New Features in April 2021 | |
---|---|
Guided Onboarding | The new Overview page now
includes walkthroughs you can follow when you’re setting up mobile
users, remote networks, or service connections for the first time. The
walkthroughs take you through the basic, required steps to get your
environment up and running. When you’re done, you’ll be ready to start
testing your environment, and customizing it to fit your organization’s
needs. You’ll only see the option to Launch
Walkthroughs for deployments with no existing configuration. After
first-time setup, the onboarding task shows on the Overview page
as complete. |
Security Profile Hit Counts | Security profile dashboards are updated
to surface more data, including hit counts for profiles, rules,
and overrides. Here’s what’s new for each profile type:
Anti-Spyware and Vulnerability: You can now see profile and override
hit counts. For overrides, you can also see the timestamp for when
the override was last used.
WildFire and Antivirus: For each profile, you can see the verdicts
for files or email links submitted to WildFire, and the malware
the profile blocked.
DNS Security: See the number of DNS queries the profile blocked.
URL Access Management: See the number of hits for each URL category.
File Blocking: See the percent of decrypted traffic that the file
blocking profile is enforcing, and the number of files the profile
blocked in the last seven days. |
Autonomous DEM for Mobile Users (GlobalProtect) | Autonomous Digital Experience Management
(DEM) is now available! Autonomous DEM is a service that
provides native, end-to-end visibility and insights for all user
traffic in your Secure Access Service Edge (SASE) environment. |
Navigation Updates | We’ve updated the Prisma Access navigation,
so that you can move more seamlessly between global and local configurations.
You can even pin the pages you use most frequently, so that they’re
right there when you need them. |
Getting
Started Homepage | The Overview page is your new Prisma
Access homepage. Come here if you’re new to Prisma Access or when
you first log in to see:
|
Identity Redistribution | So that you can enforce your security policy consistently,
Prisma Access shares identity data that GlobalProtect discovers
locally across your entire Prisma Access environment. We’ve enabled some
identity data redistribution by default, and for what’s left, we’ve
made the configuration to enable redistribution very simple (just
select a check box). You can see and manage all identity redistribution
from a single dashboard. Go
to Manage > Configuration > Identity Services > Identity Redistribution. |
(URL
Access Management and Authentication) | Best Practice Checks now extend
to URL Access Management and Authentication. Best practice
security checks are built in to Prisma Access. Use these inline
checks to continually assess your configuration against Palo Alto
Networks’ best practice recommendations. When you see an opportunity
to improve your security posture, you can take action then and there. |
Cortex Data Lake Regional Support | You can now send Prisma Access Cloud Management
logs to Cortex Data Lake instances in any region. The only
Cortex Data Lake region that is not yet supported is Australia. |
February 2021
New Features in February 2021 | |
---|---|
(Security
Policy and Decryption) | Best practice security checks are now built in to
Prisma Access. Use these inline checks to continually assess your
configuration against Palo Alto Networks’ best practice recommendations. When
you see an opportunity to improve your security posture, you can
take action then and there. Security checks include NIST security
controls and Center for Internet Security’s (CIS) Critical Security
Controls (CSC). |
Prisma Access 2.0 Innovation
Features | Explicit Proxy: If your organization’s
existing network already uses explicit proxies and deploys PAC files
on your client endpoints, you can smoothly migrate to Prisma Access
to secure mobile users’ outbound internet traffic. You will still
be able to secure mobile users with GlobalProtect. If you want to
add an explicit proxy to an existing mobile users deployment, you
can divide your mobile users license between the users you want
to secure with GlobalProtect and the users you want to secure with an
explicit proxy. Explicit proxy uses your existing Mobile User license.
Whether you have a new deployment or if you upgrade, you can divide
your mobile user license between GlobalProtect and Explicit Proxy
connections. |
Remote Networks Allocated Bandwidth,
for Existing Deployments: In December, we introduced Remote Network Bandwidth Allocation,
Based on Prisma Access Location. This feature is now available
to existing remote network setups. If you want to start allocating
bandwidth based on Prisma Access locations instead of for each site,
you can. The benefit is that bandwidth can be used across sites
where it’s needed, instead of being dedicated to a single site even when
it’s not being used. | |
Support for Predefined URLs and URLs
in EDLs in Traffic Steering: You can now target internet-bound
traffic that you want to forward through a service connection site
based on:
| |
Support for No Export BGP Community: To
allow you to control how BGP advertises subnets, Prisma Access supports
the well-known BGP community no-export. | |
Licensing Page Updates: The
Prisma Access Licenses page now also shows any Add-Ons that you’ve
added to your Prisma Access subscription. | |
Customization and Dashboards for Security Profiles | The WildFire and Antivirus dashboard
is now available. Earlier this month we added dashboards for
all security profiles, with one exception; as of February 25th,
the remaining dashboard for WildFire and Antivirus is now also available. While
best practice security profiles have been built in to Prisma Access
from the start, you can now customize security profiles to meet
the unique needs of your business. Each profile has its own
dashboard. From a profile dashboard, you can create and update profiles,
centrally manage profile overrides, assess profile and override
usage, and tap in to the latest Palo Alto Networks threat data
(including content releases, the Threat Vault, and PAN-DB) to check coverage
and take action. Explore each profile type to see all the features
available to you. Here are the security profiles available to you:
|
Insights is now integrated with Prisma Access Cloud
Management. Look for Insights on the left navigation bar. With
Insights, you can continuously monitor your Prisma Access environment.
When an event or status requires your attention, Insights sends
you alert notifications so you can quickly pinpoint issues that
you can fix and so that you have visibility into the fixes the Prisma
Access team is working on. | |
Log Details for Threats and Overrides | Threat logs (anti-spyware and vulnerability events)
now include threat details to give you context and the detected
event, and show you if there are threat overrides configured that
might be impacting how the threat is enforced. |
Peer Analysis for Features You Aren’t
Yet Using | To help you understand the protection capabilities
of features for which you don’t have an active license, you now
have visibility into how your industry peers are benefiting from
the feature capabilities. This will give you an idea of how the feature
might be able to benefit you. You’ll see this dashboard
when you try to access a feature for which you don’t yet have
a license. |
New Features in 2020
December 2020
New Features in December 2020 | |
---|---|
To help you to quickly resolve mobile user connection,
performance, and access issues, the GlobalProtect app can send troubleshooting
and diagnostic logs to Cortex Data Lake for further analysis. When
end users report an issue in the app, the app sends an easy-to-read,
comprehensive report to Cortex Data Lake; use the report to quickly identify
the root cause of the end user issue. Here’s how it works:
| |
More Ways to Customize the GlobalProtect
App | You now have more than 60 new options to customize
the GlobalProtect app so that it best suits the needs of your organization
and your mobile users. Learn more about these GlobalProtect
app features that are newly available for Prisma Access. |
Simplified Navigation in App and Between
Apps | When you next log in, you’ll see that we’ve updated
the cloud management interface navigation. We’ve consolidated all
features so you can access them from a new navigation panel on the left
side of the interface. And we’ve also made it so you can easily
move from one Palo Alto Networks app to another, and back again. |
IKE Peer Host Routes for Remote Networks
and Service Connections | These enhancements assist you when sharing public
address space externally and internally with private apps:
To get started,
enable or adjust the default BGP settings Prisma
Access uses to route traffic to your service connection sites (headquarters
or data centers). Go to Service Connections > Service Connection Setup > Advanced
Settings > BGP Routing. |
Centrally manage the certificates you use
to secure communication across your network. In one place, set up
your certificates, add certificate authorities (Prisma Access includes
preloaded certificates for well-known CAs), add OCSP responders,
and define certificate checks you want to require. The certificates
and settings you set up here can be used throughout your Prisma
Access deployment to secure features like decryption, your authentication
portal, and the GlobalProtect app. | |
Dynamic User Groups (DUGs) and Auto-Tagging | Together, dynamic user groups and auto-tags (along
with dynamic address groups) give you a way to automate authentication, decryption,
and security policy. Based on activity (you define the log
criteria to act on), users and IP addresses are automatically tagged
and added to dynamic user groups. Any policy that references the
dynamic user group automatically begins to enforce the user or IP address
without requiring you to manually create and commit policy or group
changes. DUGs with auto-tags are particularly useful for auto-remediation—when
Prisma Access detects anomalous user behavior or malicious activity,
it can automatically enforce your remediation actions. |
You allocate bandwidth at an aggregate level for
a compute location. Each location has a corresponding compute location
for which bandwidth is allocated, and all sites you onboard in a
compute location share that allocated bandwidth. For example,
you want to onboard four branch offices using remote networks in
the Singapore, Hong Kong, Thailand, and Vietnam locations. All these
locations map to the Asia Southeast compute location. If you allocate
200 Mbps bandwidth to the Asia Southeast compute location, all four
branch offices will share the 200 Mbps of bandwidth. If one
or more sites are not using a large amount of bandwidth, Prisma
Access makes the remaining bandwidth available to other sites in
that compute location. If you have already onboarded remote
networks, your deployment is unchanged and you will still assign
bandwidth per site (location) or per remote network connection. | |
The ability to forward internet-directed
traffic through service connections for remote network and mobile
user deployments is enhanced and has a new name: Traffic Steering. Traffic
steering expands the scope of directing internet-bound traffic through service
connections. In addition to specifying FQDNs, IP addresses, and
URLs and forwarding only HTTP and HTTPS internet-bound traffic through service
connections, you can send all traffic or a subset of the traffic
based on the following additional criteria:
You can then
configure Prisma Access to split internet-bound remote network or
mobile user traffic into multiple service connections based on the criteria
you specified. Traffic steering is supported for mobile user and
remote network deployments. |
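
The Dynamic User Groups (DUGs) and Auto-Tagging entry above describes tags driving group membership and policy without a manual commit. The following Python sketch is an added example, not Prisma Access code: the log fields, tag name, group name and policy format are all hypothetical, and it covers users only, not dynamic address groups.

```python
"""Auto-tagging feeding a dynamic user group (added illustration).

Every name, tag, log field and record below is constructed for this example;
none of it is a Prisma Access identifier or log format.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TagRule:
    """Log criteria to act on, plus the tag applied when a record matches."""
    log_type: str
    min_severity: int
    tag: str


@dataclass(frozen=True)
class DynamicUserGroup:
    """A group whose membership is derived from tags, never edited by hand."""
    name: str
    match_tag: str

    def members(self, user_tags):
        return {user for user, tags in user_tags.items() if self.match_tag in tags}


def auto_tag(logs, rules):
    """Return {user: set of tags} for every log record that meets a rule."""
    user_tags = {}
    for record in logs:
        for rule in rules:
            if (record["type"] == rule.log_type
                    and record["severity"] >= rule.min_severity):
                user_tags.setdefault(record["user"], set()).add(rule.tag)
    return user_tags


def decide(user, app, policy, groups, user_tags):
    """First-match policy evaluation; traffic that matches no rule is denied."""
    for rule in policy:
        source = rule["source"]
        in_source = source == "any" or user in groups[source].members(user_tags)
        if in_source and rule["app"] in ("any", app):
            return rule["name"], rule["action"]
    return "default", "deny"


# Constructed configuration: one tag rule, one group, a two-rule policy.
RULES = [TagRule(log_type="threat", min_severity=4, tag="compromised")]
GROUPS = {"remediation": DynamicUserGroup("remediation", "compromised")}
POLICY = [
    {"name": "block-remediation", "source": "remediation", "app": "any", "action": "deny"},
    {"name": "allow-web", "source": "any", "app": "web-browsing", "action": "allow"},
]

# Constructed log records (severity 1 = informational ... 5 = critical).
LOGS = [
    {"type": "traffic", "user": "alice", "severity": 1},
    {"type": "threat", "user": "bob", "severity": 2},
    {"type": "threat", "user": "alice", "severity": 5},
]


def run_demo():
    """Evaluate the same unchanged policy before and after the logs arrive."""
    users = ("alice", "bob")
    before = {u: decide(u, "web-browsing", POLICY, GROUPS, {}) for u in users}
    tags = auto_tag(LOGS, RULES)
    after = {u: decide(u, "web-browsing", POLICY, GROUPS, tags) for u in users}
    return before, tags, after


if __name__ == "__main__":
    before, tags, after = run_demo()
    print("before:", before)
    print("tags:  ", tags)
    print("after: ", after)
```

The policy list is never modified between the two evaluations; only the tag state changes, which is what moves the tagged user under the remediation rule.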
November 2020
New Features in November 2020 | |
---|---|
Prisma Access introduces changes to licensing.
The new licensing model allows you to implement and use the capabilities
of Prisma Access aligned to your business needs in a way that delivers the
fastest return on investment. Whether your applications are migrating
to the cloud, your users are working from anywhere, or if you are
looking to gain operational efficiencies, Prisma Access offers the
relevant type of license for your deployment. There
are no changes to licensing for existing Prisma Access deployments. Choose
from the following license editions:
ZTNA is available for Prisma
Access for Mobile Users only; you can use all other editions with Mobile
Users, Remote Networks, or both mobile users and remote networks. All
license editions are available for Local and Worldwide Prisma Access
locations. When you purchase a license with Worldwide locations,
you can deploy Prisma Access in all Prisma Access locations. When
you purchase a license with Local locations, you can select up to
5 Prisma Access locations. | |
Protect your network resources and the applications
you use to do business by verifying user identities, and granting
access only to legitimate users. Prisma Access now includes support
for more authentication services and features so you can do just
that. Here are the highlights:
| |
Secure Access for Internet-Facing Applications | If you are hosting an internet-facing application
or service in your remote network location, you can use Prisma Access
to front-end that application or service and provide secure inbound access from
both internal and external users over the internet. |
Application Tags to Safely Enable Applications
with Common Attributes | Application tags help you to safely enable
a broad set of applications that share common attributes. For example,
you can enable broad access for your users to web-based applications using
the Web App tag in an application filter,
or safely enable all enterprise VoIP applications using the Enterprise VoIP tag.
Palo Alto Networks researches new and updated applications, groups those
with common attributes, and delivers new and updated tags in content
releases. You can also apply your own tags and create application
filters based on those tags to address your own application security
requirements. |
October 2020
New Features in September 2020 | |
---|---|
Watch the video on getting
started with Directory Sync. | Azure Active Directory (AD) Support Directory
Sync now provides Prisma Access with read-only access to Azure AD
information, so that you can reference your Azure AD users and user groups
in policy. Here’s how to get started. User Attribute Preferences Choose
the Active Directory attribute Prisma Access uses to reference your
users (for example, the User Principal Name or the SAM Account Name). You
can set your attribute preferences so that if a directory does not
use your primary attribute, Directory Sync collects an alternative
attribute for Prisma Access to use based on your preferences. |
ECMP Load Balancing for Remote Networks | To provide additional network resiliency
using redundant instances of your customer premises equipment (CPE),
Prisma Access allows you to add up to four IPSec tunnels for a single
remote network. ECMP Load Balancing requires
you to use BGP for dynamic routing, and is not supported with a
static route or QoS setup. To get started with ECMP load balancing,
you’ll need to specify a minimum bandwidth of 50 Mbps for the remote
network site. Prisma
Access divides the bandwidth you select by the number of tunnels;
for example, if you specify 300 Mbps and add four tunnels, each
tunnel carries 75 Mbps. If one of the tunnels goes down, your network
connection will now carry 225 Mbps instead of 300 Mbps. |
DNS Proxy for Remote Networks | Specify DNS servers to resolve
both internal and public domains for specific remote network sites. If
you specify an internal DNS server to resolve internal DNS domains
and then specify either a public server or Prisma Access’ default server
to resolve external domains, Prisma Access proxies the requests
from the remote network site. You can also specify an external DNS
server that is closer to the egress points of your remote network sites
than your internal DNS server, which can provide optimal connectivity
for SaaS applications such as Microsoft Office 365. To get
started quickly, you can copy your mobile user DNS settings over
to your remote networks setup. |
Mobile User IP Pool Summarization | To reduce the number of mobile user IP subnet
advertisements over BGP to your customer premises equipment (CPE),
Prisma Access can summarize the subnets before advertising them. This
summarization can reduce the number of routes stored in CPE routing
tables. For example, you can use Mobile User IP Pool Summarization with
cloud VPN gateways (Virtual Private Gateways (VGWs) or Transit Gateways
(TGWs)) that can accept a limited number of routes. |
Support for WINS-Based Applications | To support the use of Windows Internet Name Service
(WINS)-based applications, Prisma Access enables you to use WINS
to resolve NetBIOS name-to-IP address mapping. You can specify primary
and secondary WINS servers for WINS support, either for
a Prisma Access region or worldwide. Prisma Access pushes WINS configuration
to mobile users with the GlobalProtect app. |
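
To make the Mobile User IP Pool Summarization entry above concrete, this added Python example (not part of the original release notes, and not a description of how Prisma Access computes its summaries) aggregates a constructed pool into the fewest exact prefixes and shows how much unallocated space a looser supernet would also advertise. The subnets and the route limit are constructed values.

```python
"""Route summarization for mobile user IP pools (added illustration).

The subnets and the route limit are constructed sample values. Exact
aggregation (no address added or lost) is an assumption of this sketch.
"""
import ipaddress

# Constructed pool: eight contiguous /24s, a pair of /24s, and one lone /24.
POOL = [f"10.10.{i}.0/24" for i in range(8)] + [
    "10.10.16.0/24", "10.10.17.0/24", "10.10.32.0/24",
]
ROUTE_LIMIT = 5  # hypothetical number of routes the receiving gateway accepts


def summarize(subnets):
    """Collapse adjacent or overlapping subnets into the fewest exact prefixes."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    summary = []
    # collapse_addresses() rejects mixed IP versions, so handle each separately.
    for version in (4, 6):
        same = [n for n in nets if n.version == version]
        summary.extend(ipaddress.collapse_addresses(same))
    return summary


def covered_by(summary, subnets):
    """Map each summary route to the original subnets it replaces."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    return {
        str(route): [str(n) for n in nets
                     if n.version == route.version and n.subnet_of(route)]
        for route in summary
    }


def unallocated_in(route, subnets):
    """Addresses a candidate route advertises that no pool subnet owns.

    Assumes the input subnets do not overlap each other.
    """
    route = ipaddress.ip_network(route)
    owned = sum(n.num_addresses for n in map(ipaddress.ip_network, subnets)
                if n.version == route.version and n.subnet_of(route))
    return route.num_addresses - owned


def run_demo():
    """Return the summary routes and whether each form fits the route limit."""
    summary = summarize(POOL)
    return {
        "routes": [str(r) for r in summary],
        "fits_before": len(POOL) <= ROUTE_LIMIT,
        "fits_after": len(summary) <= ROUTE_LIMIT,
        "extra_if_single_supernet": unallocated_in("10.10.0.0/18", POOL),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
    for route, originals in covered_by(summarize(POOL), POOL).items():
        print(route, "<-", originals)
```

Exact aggregation keeps the advertised space identical to the pool, while a single broader supernet reduces the route count further at the cost of attracting traffic for addresses the pool does not own.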
August 2020
This release is all about simple setup—the Prisma Access
team has reimagined Cloud Managed Prisma Access to get you up and
running quickly. Here are the features that make getting started
easy.
We’ve also added features that give you more visibility into
and control of your Prisma Access environment.
New Features in August 2020 | |
---|---|
Easy Onboarding | Onboard mobile users, remote network sites,
and your HQ and data center sites to Prisma Access in just a few steps
with a new, streamlined UI. Pre-defined network and infrastructure
settings mean you can get started quickly, and come back later to customize
your deployment. For example, you can now onboard mobile users
to a Prisma Access location in three steps.
|
Speedy Activation | A guided workflow steers
you through Prisma Access license activation on the hub. |
Context-Sensitive Help with Tips to Get
Started | Help topics share the benefits a feature can provide to you, with
quick steps to get started. Just click the help icon on the menu
bar. |
Prisma Access Insights | Continuously monitor the health and performance
of your Prisma Access environment with the new Insights app. Visually scan
and interact with a variety of Insights dashboards to get status
on your mobile users, remote network sites, service connections
to your HQ and data centers, and the Prisma Access cloud infrastructure. When
Insights detects an issue in your environment, the app generates
an alert that gives you context and lets you know where to take
action. Insights alerts also give you visibility into fixes that the
Prisma Access team is addressing. |
GlobalProtect App Customization | Customize how end users interact
with the GlobalProtect app that’s installed on their endpoints and
send traffic to Prisma Access. Options you can customize include:
|
GlobalProtect App Split Tunneling | Split tunneling conserves bandwidth
by excluding traffic from Prisma Access that is not business critical
or does not enable productivity. You can configure split tunnel
traffic based on an access route, destination domain, application,
and HTTP/HTTPS video streaming application. |
Hot Potato Routing | With hot potato routing, Prisma
Access hands off traffic as quickly as it can to your organization’s
network. Use this routing method if you want your organization’s
network to perform the majority of routing decisions. |
Traffic Forwarding for Third-Party Security | Instead of sending internet traffic from
mobile users and remote networks directly to the internet, you can forward that traffic through a service
connection to a third-party security stack for further processing
before it is sent to the internet. |
Features Added Before August 2020
Features Introduced Before August 2020 | |
---|---|
New Dashboard | The new Prisma Access dashboard gives you
an immediate view into the status and health of your deployment.
When you log in to Prisma Access, use this global view to check
that your remote networks and mobile users are connected to Prisma
Access. If you see something unexpected, you can drill down in the map
to identify the impacted remote network site, mobile user location,
or service connection. |
Log Export | You can now export logs to a CSV-, XML-, or
JSON-formatted file. After using the Explore tab
to search for the log records that you want, export them to a CSV,
XML, or JSON file, and then download the file to your local drive. |
Related Log Events | Certain Prisma Access network logs—Traffic, Threat,
URL, File—now show you the other events logged during the same session. Without
leaving the context of the log you’re interested in, you can see
the sequence of related events. Related logs are displayed chronologically,
top to bottom—the log with the earliest timestamp is listed first. Select
a related log to investigate the details for that event. In cases
where it’s available, log details might also include Directory Sync information
associated with the source user. |
Directory Sync Support | Directory Sync gives Prisma Access
read-only access to your Active Directory information, so that you
can easily set up and manage security and decryption policies for
users and groups. You can add Directory Sync to Prisma Access as
part of the initial Prisma Access activation workflow, or for an active
Prisma Access instance, you can do this on the hub. |