Table of Contents

New Features

See what’s new in Prisma Access Cloud Management.
Here’s what’s new in Prisma Access Cloud Management:
The updates described here better enable you to use the Prisma Access app to configure and manage your Prisma Access deployment.
To see what’s new for services and add-ons that are part of your Prisma Access subscription, go to:

July 2023

New Features
Prisma Access Cloud Management on the Strata Cloud Manager
July 21, 2023
Prisma Access Cloud Management is supported on the new Strata Cloud Manager platform. Starting in July 2023, we will be rolling out phased updates to provide you with the new platform experience. We'll be updating the Prisma SASE Platform so that it's on the Strata Cloud Manager platform, alongside your other Palo Alto Networks products and subscriptions that are supported for unified management. This change gives you a new navigation for your Prisma Access Cloud Management features, introduces new features, and means you can use common workflows and features across Cloud Management and your other products that are also updated for Strata Cloud Manager.
Learn more:
Introducing an AI-Powered Network Security Platform - Strata Cloud Manager
July 21, 2023
Palo Alto Networks Strata Cloud Manager is a new AI-Powered network security management platform. With Strata Cloud Manager, you can easily manage and monitor your Palo Alto Networks network security infrastructure ━ SASE environment ━ from a single, streamlined user interface.
This includes using Strata Cloud Manager to manage and monitor the cloud-delivered security services that are included with Prisma Access. Strata Cloud Manager gives you comprehensive monitoring, alerting, and visibility into your Prisma Access environment:
Support for 400 Remote Network Sites per IPSec Termination Node
July 21, 2023
Prisma Access 3.2 brought you high-bandwidth 1 Gbps remote networks. Now, Prisma Access 4.0 raises the previous limit of 250 sites per IPSec termination node to 400 sites per IPSec termination node.
AIOps-Powered ADEM
July 21, 2023
AI-Powered ADEM is a Prisma Access add-on license that automates complex IT operations, to increase productivity and reduce time to resolution for issues. AIOps-Powered ADEM is supported in Cloud Management for all Prisma Access users, regardless of the interface you're using to manage Prisma Access (Panorama or Cloud Management).
If you've enabled AIOps-Powered ADEM license, then the license is auto enabled for all the compute locations.
Forwarding Rules Mode for PAC Files
July 21, 2023
You can edit a proxy auto-configuration (PAC) file for explicit proxy that meets your requirement. GlobalProtect app proxies traffic to Prisma Access based on forwarding rules and logic from the PAC file. You can edit the PAC file content under Forwarding Rules.
Agent-Based Proxy Configuration
July 21, 2023
The agent-based proxy feature facilitates coexistence and interoperability of the GlobalProtect app with third-party VPNs wherein you can secure your mobile users’ internet traffic through the GlobalProtect app to the explicit proxy and use the third-party VPN of your choice to secure private application access.
  • On the
    Explicit Proxy
    page, you can enable the agent-based proxy configuration for the explicit proxy mobile users.
  • On the
    GlobalProtect App
    page, you can configure the following GlobalProtect agent and proxy modes:
    • Mode for external users
    • Mode for internal users
    • Local proxy port
1 Gbps Maximum Bandwidth Support for Remote Network IPSec Termination Nodes
July 21, 2023
The maximum bandwidth that Prisma Access can allocate to IPSec termination nodes for remote network deployments is increasing from 500 Mbps to 1,000 Mbps.
This change allows you to allocate more bandwidth to remote networks. To make this increase effective, you must allocate a minimum of 501 Mbps to the compute locations associated with the IPSec termination nodes.
Transparent SafeSearch Support
July 21, 2023
Prisma Access allows you to redirect mobile users' queries to a search engine to the engine's SafeSearch portal by performing an FQDN-to-IP mapping. This functionality can be useful if you're providing guest Wi-Fi for customers at a store.
Private IP Visibility and Enforcement for Explicit Proxy Traffic Originating from Remote Networks
July 21, 2023
You can now use the private IP addresses of the systems in your branch locations that are forwarding traffic to Explicit Proxy. You can use the private IP address to skip authentication of headless systems that can't authenticate, set up security policies, and get visibility of the traffic on Prisma Access Explicit Proxy.
You can enable this functionality when you secure users and devices at a branch with a site-to-site IPSec tunnel using Remote Network and Explicit Proxy Secure Processing Nodes (SPNs).
Support for 15,000 Remote Network Sites
July 21, 2023
You can create up to 15,000 Remote Networks to secure branch sites with Prisma Access.

May 2023

New Features
Integrate Prisma Access with Cisco Meraki SD-WAN
May 05, 2023
Onboard Cisco Meraki MX SD-WAN devices using the Prisma Access using the latest simplified and automated tunnel creation instead of onboarding them manually like in previous releases.

April 2023

New Features
Regional private IP address pools for Mobile Users - GlobalProtect
April 27, 2023
To allow you to be more granular in your Mobile Users-GlobalProtect IP address pool allocation, you can specify granular IP pools for the locations that are available with the feature, as well as Worldwide or per Prisma Access theater.
New Prisma Access locations With Local Zones
April 27, 2023
Prisma Access will add locations that are in local zones. These locations have their own compute locations. The following locations will be supported:
  • Australia West (Perth)
  • US-Central (Chicago)
  • US-Southeast (Miami)
You onboard local zones in the same way as any other Prisma Access location, and the local zones are available in mobile users—GlobalProtect, remote network, and service connection deployments.
The local zone locations do not use Palo Alto Networks registered IP addresses and do not support the following Prisma Access features:
  • No Availability Zone redundancy for remote networks or service connections HA Cluster
  • Explicit proxy mobile users
  • Inbound access for remote networks
Prisma Access Version
April 27, 2023
Displays the current Prisma Access version that your deployment is running.
New Prisma Access Cloud Management Location
April 27, 2023
Prisma Access Cloud Management can now be deployed in the Singapore region.

March 2023

New Features
New Application Support
March 29, 2023
Enterprise DLP now supports the following new applications:
  • Apple iCloud Web
  • Bitrix24 Web
  • Blackboard Web
  • Canvas Web
  • DocSend Web
  • Egnyte Web
  • Evernote Web
  • Google Drive Web
  • Microsoft OneDrive Web - Business
  • Microsoft OneDrive Desktop - Business
  • Blogs (e.g Wordpress, Medium)
Expanded Download Support for Existing Applications
March 29, 2023
Enterprise DLP now supports download inspection for the following applications:
  • Box Desktop - Business
  • Microsoft SharePoint Desktop
  • Microsoft SharePoint Web
  • Naver Mail Web
  • Salesforce Web
Expanded File Size Support for Existing Applications
March 29, 2023
Enterprise DLP now supports large file inspection for the following applications:
  • Box Desktop App - Business
  • Microsoft OneDrive Web - Business
  • Microsoft SharePoint Desktop
  • Microsoft SharePoint Web
  • ServiceNow Web
Two New Ways to Access Prisma Access Cloud Management
March 10, 2023
We’re working on transforming your management infrastructure and experience to more advanced features and capabilities. Towards this goal, and as part of the March release upgrade, your Prisma Access Cloud Management instance will be migrated to a new hub view and the app will have a new name and URL. You won't experience any disruption to your infrastructure or services during the migration.
after we migrate your instance during the March release upgrade:
Custom Role-Based Access Control
March 10, 2023
Prisma Access Cloud Management implements custom Role-Based Access Control (RBAC), to enable you to manage roles or specific permissions, and assign access rights to administrative users. Using RBAC, you can manage users and their access to various resources within Cloud Management.
If you require more granular access control than the predefined roles provide, you can add custom roles to define which permissions are enforced for your users. Similar to predefined roles, custom roles are a set of permissions and permission sets. Unlike predefined roles, each custom role is assignable only to the users in the hierarchy under the Tenant Service Group (TSG) where it is defined. This avoids name conflicts between similarly named custom roles defined by different customers.
Cloud Management UI and Navigation Changes
March 10, 2023
  • Folders
    —Use folders to logically group your Prisma Access deployments for simplified configuration management. Folders represent a hierarchical structure that allows you to share configuration. The configurations defined under a folder is inherited by all folders nested under that folder hierarchy. For example, you can configure settings that are common across GlobalProtect, Explicit Proxy, Remote Networks, and Service Connections under the Prisma Access folder. You cannot edit the folder hierarchy in Prisma Access.
    Prisma Access nodes were always represented as folders for existing customers; however, a new UI element is added for Folders under
    Configuration Scope
    on the
    , set the scope to
    Prisma Access
    , and click
  • Configuration Snippets
    —A snippet is a configuration object, or grouping of configuration objects, that you can associate with a folder or deployment. Use snippets to standardize a common base configuration for a set of Prisma Access deployments.
    Snippets are deployed in preview mode for this release.
    There are no changes to configuration for existing Prisma Access deployments and Snippets are deployed in preview mode in this release. This functionality will be supported in a future Prisma Access release.
  • Settings
    —The existing
    Service Setup
    under the
    menu on the left navigation panel is now moved under
    menu, and is renamed to
    Prisma Access Setup
    You can now access
    Prisma Access Infrastructure
    Mobile Users
    Explicit Proxy
    Remote Networks
    , and
    Service Connections
    from the
    Prisma Access Setup
Dual Authentication Portal Support for Mobile Users—GlobalProtect Deployments
March 10, 2023
You can configure two Mobile Users—GlobalProtect portals in Prisma Access, with each portal supporting a different authentication method on a single Prisma Access tenant (for example, one portal configured for RADIUS authentication and one portal configured for SAML authentication).
EDL Hosting Service Support—Microsoft Defender, Zoom, and GitHub
March 10, 2023
The EDL Hosting Service is a list of Software-as-a-Service (SaaS) application endpoints maintained by Palo Alto Networks. Supported SaaS providers include Microsoft 365, Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), Salesforce (SFDC), and now Microsoft Defender, Zoom, and GitHub.
You can subscribe to Microsoft 365 endpoint lists directly from Prisma Access Cloud Management.
To subscribe to Azure, AWS, GCP endpoint lists, SFDC public endpoints, Microsoft Defender, Zoom, and GitHub, create an external dynamic list (EDL) based on the feed URL.
Support Updates
March 10, 2023
  • Prisma Access Cloud Management can now be deployed in the following regions:
    • Australia
    • UK
  • You can now send Prisma Access Cloud Management logs to Cortex Data Lake instances in the following regions:
    • Switzerland
    • Spain
    • Italy
    • France
Configure Welcome Page for all the GlobalProtect App Settings
March 10, 2023
You can now configure Welcome Page individually for all the GlobalProtect app settings.
You can select the predefined factory default page, custom page, or none. If you select
, then the welcome page is not enabled for the app setting.
Renamed Cloud Management Tenant Name
March 10, 2023
The existing
Cloud Management Tenant Name
on the
page is renamed to
Prisma Access Tenant Name
Bypass Decryption for Select Containers in Web Security
March 10, 2023
You can now bypass decryption select containers in Web Security.
Previously in Web Security, decryption rules were pushed to your chosen scope by default, regardless of whether you needed them for your network settings. Now, revised Web Security settings let you exclude the following from decryption:
  • Remote Networks
  • GlobalProtect
  • Mobile User Explicit Proxy
Licensing Enhancements (Additional Mobile User locations and Service Connections)
March 10, 2023
The following Prisma Access license enhancements are added:
  • If you have a Prisma Access Local Edition license and need to add more locations than the maximum number of five, you can purchase a license add-on that allows you to add one or more additional locations so that the Local license can support more than five locations.
  • If you need more service connections than your license offers, you can purchase additional service connections at a flat per-service connection rate.
NAT Support for Private Applications
March 10, 2023
You can specify a subnet at one or more service connections that are used to NAT traffic between Prisma Access GlobalProtect mobile users and private applications and resources at a data center.
  • Data Traffic Source NAT
    —You can NAT Mobile User IP Address pool addresses so that they are not advertised to the data center, and only the subnets you specify at the service connections are advertised and routed in the data center.
  • Infrastructure Traffic Source NAT
    —You can NAT addresses from the Infrastructure Subnet so that they are not advertised to the data center, and only those subnets you specify at the service connections are advertised and routed in the data center.
You can use either RFC1918 or RFC6598 addresses as the subnets.
Allow XAU Headers to be Trusted from Explicit Proxy Source IP Addresses
March 10, 2023
If you have an Explicit Proxy deployment and have added a list of trusted source IP addresses, you can specify Explicit Proxy to use X-Authenticated-User (XAU) headers from these trusted addresses on incoming HTTPS or HTTP traffic for identity. Use this functionality to allow users that are logged in from another proxy that use XAU headers for authentication.

February 2023

New Features
Enterprise DLP — Predefined DLP Policy Manager and DLP Incident Manager App Roles
February 20, 2023
Two new predefined access roles are introduced to help control access to Enterprise DLP based on user function.
Enterprise DLP — Support for Cloud Services Server in the Australia
February 20, 2023
Enterprise DLP users can edit the Cloud Content Settings to add a Fully Qualified Domain Name (FQDN) for the Cloud Services server in Australia to scan Enterprise DLP data.

November 2022

New Features
Next-Generation CASB-X
November 18, 2022
The Next-Generation Cloud Access Security Broker (CASB-X) license contains all the CASB components such as SaaS Security Inline, SaaS Security API, SaaS Security Posture Management (SSPM), and Enterprise DLP. It can be applied on Cloud-Managed Prisma Access, Panorama Managed Prisma Access, and Panorama-Managed Next Generation Firewall (NGFW) devices in a single tenant environment.
Enterprise DLP — Web Form Data Inspection for Enterprise Data Loss Prevention on Cloud Management
November 16, 2022
More data is being exchanged in non-file formats that leverage collaboration applications, web forms, Cloud applications, and social media. Enterprise DLP now supports inspection of non-file format traffic on Prisma Access (Cloud Managed) to strengthen your security posture and prevent exfiltration of sensitive data.
EDL Hosting Service—Salesforce
November 15, 2022
The EDL Hosting Service is a list of Software-as-a-Service (SaaS) application endpoints. Supported SaaS providers include Microsoft365 and Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and now Salesforce (SFDC).
To subscribe to Azure, AWS, GCP endpoint lists, and SFDC public endpoints, create an external dynamic list (EDL) based on the feed URL.
Cloud Identity Engine (CIE) Authentication Support for Explicit Proxy
November 15, 2022
You can now use CIE, along with SAML and Kerberos, to authenticate Explicit Proxy connections. The CIE authentication method is displayed only if the Cloud Authentication Service (CAS) is enabled.
November 15, 2022
1 Gbps Maximum Bandwidth Support for Remote Network
The maximum bandwidth that Prisma Access can allocate to a node for IPSec termination and inspection is increasing from 500 Mbps to 1000 Mbps. This change allows you to allocate more bandwidth to a remote network site.
DNS Proxy Enhancements
You can now select
Advanced RCODE Support
in the advanced DNS settings to allow the primary DNS server to fail over to the secondary DNS server if an RCODE 2 (SERVFAIL) and RCODE 5 (REFUSED) DNS return code is received.
November 15, 2022
Pre-Prod or Lab Tenant
You can now enable a tenant in your Prisma Access deployment as a pre-production or lab tenant to explore all features before you enable them in other production tenants.

October 2022

New Features
Enterprise DLP — Support for Cloud Services Server in India
October 20, 2022
Enterprise DLP users can edit the Cloud Content Settings to add a Fully Qualified Domain Name (FQDN) for the Cloud Services server in India to scan Enterprise DLP data.
Terminal Server (TS) Agent for User Mapping
October 3, 2022
Palo Alto Networks Terminal Server (TS) Agent allocates a port range to each user to identify specific users on Windows-based terminal servers. TheTS Agent notifies Prisma Access of the allocated port ranges, so that Prisma Access can enforce policy based on users and user groups. You can now configure the TS Agent for user mapping from the
Identity Redistribution
Remote Networks
Prisma SD-WAN Add-On License
October 3, 2022
Prisma SD-WAN is an add-on license on Prisma Access. The Prisma Access
page now also shows the Prisma SD-WAN if you have added to your Prisma Access.
CASB Bundle to Include SaaS Security Posture Management (SSPM)
October 3, 2022
Cloud Access Security Broker (CASB) bundle now includes SaaS Security Posture Management (SSPM)along with SaaS Security Inline, Enterprise Data Loss Prevention (DLP) Inline, SaaS Security API, and Data Loss Prevention (DLP) API.
Prisma Access 3.2 Innovation Features
October 3, 2022
Advanced URL Inline Categorization
You can use the Advanced URL Inline Categorizationto enable real-time web page analysis and manage URL exceptions. Real-time URL analysis is available locally and in the cloud as a part of the Advanced URL Filtering service.
Advanced Threat Prevention
Advanced Threat Prevention can detect many unknown and targeted command and control (C2) attacks as well as evasive attacks from tools such as Cobalt Strike.
Enterprise DLP Support for Non-File Based Web Traffic
You can now enable Enterprise DLP inspection of sensitive data for a non-file based traffic.
Prisma Access - Web Security
File Control
October 3, 2022
You can now take action on files entering your network via allowed applications, create custom file control profiles, and use your custom profiles in your web access policies.

September 2022

New Features
Transition to Prisma SASE Platform
Prisma Access is being transitioned to the Prisma SASE Platform to provide these benefits. As a part of this transition, you may experience a difference in the steps to access Prisma Access. Learn about the transition to Tenant Management Through the Prisma SASE Platform.
Global Protect:
Proxy Auto-Configuration (PAC) File URL
September 8, 2022
Specify the Proxy Auto-Configuration (PAC) File URL that you want to push to the endpoint to configure proxy settings. The maximum URL length is 256 characters. The following Proxy Auto-Configuration (PAC) File URL methods are supported:
  • Proxy Auto-Config (PAC) standard (for example, http://pac.<hostname or IP>/proxy.pac).
  • Web Proxy Auto-Discovery Protocol (WPAD) standard (for example, http://wpad.<hostname or IP>/wpad.dat).
Global Protect:
Advance Internal Host Detection
September 8, 2022
Enable Advance Internal Host Detection to add an extra security layer during internal host detection by the GlobalProtect app. With the advance internal host detection, the app validates the server certificate of the internal gateways in addition to performing a reverse DNS lookup of the internal host to determine whether the app is inside the enterprise network. Enabling the advance internal host detection stops malicious actors from spoofing the reverse DNS server response during the internal host detection and thereby prevents unauthorized access to the endpoints in the enterprise network. If you do not enable the advance internal host detection, the existing internal host detection works as expected.

August 2022

New Features
Enterprise DLP — Nested Data Profiles
August 30, 2022
Enterprise DLP now supports creating a single data profile containing multiple nested data profiles on the DLP app and Prisma Access (Cloud Managed). This enables you to consolidate match criteria to prevent exfiltration of sensitive data to a single data profile that can leveraged in a single Security policy rule.

July 2022

New Features
Enterprise DLP Audit Logs on Prisma Access (Cloud Managed)
July 29, 2022
Review your Enterprise DLP Audit logs on Prisma Access Cloud Management for a comprehensive history of when data patterns, data profiles, and data filtering are created, modified or deleted across your Enterprise DLP security service.
Create an API Token on Prisma Access (Cloud Managed)
July 29, 2022
Enterprise DLP now supports creating an API Token on Prisma Access Cloud Management.
Kerberos Authentication for Explicit Proxy
July 28, 2022
You can now use Kerberos as your authentication method for Explicit Proxy mobile users.
Learn more about Kerberos authentication.
Web Security:
Inline Details for Policy Actions
July 28, 2022
We’ve replaced the
column with two new columns,
URL Categories
Web Applications
. You can now hover over an allowed Web Application or URL Category to see additional details about how it’s allowing traffic through your network.
URL Categories:
  • Additional Action
  • Decryption
  • Credential Leak Detection
  • File Control
  • DLP
Web Applications:
  • SaaS Enterprise Control (if available)
  • App Functions
  • File Control
  • DLP

June 2022

New Features
Enterprise DLP — Monitor the DLP Service Status on Prisma Access (Cloud Managed)
June 22, 2022
You can now monitor the DLP service status from Prisma Access Cloud Management.
Enterprise DLP — End User Alerting with Cortex XSOAR Support for Microsoft Teams
June 22, 2022
Enterprise DLP — Manage Enterprise DLP Incident Resolutions
June 22, 2022
Assign and manage the case resolution status for Enterprise DLP Incidents on the DLP app or Prisma Access Cloud Management when traffic matches your data profiles or data filtering profiles.

May 2022

New Features
Kerberos Authentication for Explicit Proxy
May 12, 2022
This month’s release includes these updates to Web Security Management:
  • See the details for any of your Custom Web Access Policies transformed into table format. A new
    Advanced Rule View
    makes it easier to reconcile your policies with logs for better troubleshooting.
  • You can now block source and destination regions using the
    Country Block Setting
    under Threat Management.
  • A new Policy Recommendations tab shows you New
    SaaS Rule Recommendations
    from SaaS Security administrators, which you can review, import, and commit (push) to your security policy for enforcement.
Prisma Access Updates
May 12, 2022
  • Regional and Cloud Vendor Redundancy for Service Connections
Migration Support for QoS
from the legacy model where you allocate bandwidth per Prisma Access location, to the new model where you aggregate bandwidth for the wider compute location (Requires Prisma Access 3.1) you are now eligible for migration to the new model even if you have qos profiles configured
QoS Statistics
QoS stats give you real-time and historical QoS data for service connections and remote networks with QoS enabled.
Enterprise DLP — Data Filtering Profile Updates
May 12, 2022
All Data Profiles that you create directly in Prisma Access Cloud Management, on the Data Loss Prevention dashboard, can now be used in a security rule.
To do this, you’ll need to first add a Data Profile to a profile group—you can then add the profile group to security rule so that the Enterprise DLP profile filters traffic matching the rule.
Enterprise DLP — Support for Microsoft Azure to Save Evidence Storage for Investigative Analysis
May 12, 2022
Enterprise DLP now allows you to configure cloud storage on Microsoft Azure to save evidence for investigative analysis on the DLP app on the hub and Prisma Access (Cloud Managed).
Enterprise DLP — Search DLP Incidents Using Report ID
May 12, 2022
Enterprise DLP now supports searching DLP incidents using a Report ID on the DLP app and Prisma Access Cloud Management.
Enterprise DLP — Support for Cloud Services Server in the United Kingdom
May 12, 2022
Enterprise DLP users can edit the Cloud Content Settings to add a Fully Qualified Domain Name (FQDN) for the Cloud Services server in the United Kingdom (UK) to scan Enterprise DLP data.

April 2022

New Features
Enterprise DLP — End User Alerting with Cortex XSOAR
April 28, 2022
Enterprise DLP now supportsend user alerting with using Slack by leveraging integration with Cortex XSOAR. This allows your team to understand why an upload was blocked, enables self-service temporary exemptions for uploads, and provides an audit trail to understand the upload and response history for data scanned by the DLP cloud service.
Enterprise DLP — Save Evidence Storage for Investigative Analysis
April 28, 2022
Prisma Access (Cloud Managed) now allows you to save evidence for investigative analysis on Prisma Access Cloud Management when leveraging Enterprise data loss prevention (DLP).
Support for CASB Bundle and Activation
April 10
Palo Alto Networks will provide a SKU that allows you to purchase and activate all the components required for the cloud access security broker (CASB) security offering, which includes the following products:
  • Prisma Access
  • Enterprise Data Loss Prevention (DLP) add-on
  • SaaS Security Inline add-on
  • SaaS Security API add-on
Requires Prisma Access 3.1.
Prisma SASE Multitenant Cloud Management Platform
April 10
introduces capabilities for Managed Security Service Providers (MSSPs) and for distributed enterprises. These include multitenancy, flexible license activation, and role based access.
Prisma SASE APIs
April 10
Prisma SASE introduces APIs that Managed Security Service Providers (MSSPs) can use to configure and monitor Prisma Access. These APIs can also be used to manage the multitenant hierarchy, and manage access to tenants through role assignment. See for more information.

March 2022

New Features
SaaS Security Inline:
SaaS Policy Recommendations
3.0 Innovation Deployments Only
To gain visibility into and control of SaaS applications, SaaS Security admins create SaaS rule recommendations with specific SaaS App-IDs provided by the App-ID Cloud Engine (ACE).
In Prisma Access Cloud Management, you can now review and choose to accept the rules that SaaS Security admins recommend. SaaS rule recommendations are added to your web access policy—you must have Web Security enabled to leverage SaaS rule recommendations.
Here’s how it works:
  1. SaaS Security admins create SaaS rule recommendations in the SaaS Security Inline app or directly in Prisma Access Cloud Management.
    ➡ In Prisma Access Cloud Management, go to
    Security Services
    SaaS Security
  2. You can review and import SaaS rule recommendations.
    ➡ Go to
    Web Security
    Web Access Policy
  3. The SaaS rule recommendations you’ve imported are labeled so you can easily identify them.
SSO Using Smart Card Authentication
You can now enable SSO with smart card authentication for your GlobalProtect mobile users. When a user logs in to their Windows endpoint, the GlobalProtect app acquires and remembers their smart card PIN to authenticate them.
  • Here’s more on the GlobalProtect app settings that you can customize, including this one.
How to get started:
  1. First set the pre-deployed setting on Windows endpoints to use SSO for smart card authentication.
  2. Enable the GlobalProtect app to use SSO with smart card authentication.
    1. Go to
      Service Setup
      GlobalProtect App
      Add App Settings
    2. Find the
      App Configuration Settings
      Show Advanced Options
    3. In the
      settings, select
      Use Single Sign-On for Smart Card PIN
Certificate-Based Authentication for IKE
You can now use certificates to authenticate IPSec devices located at remote network or service connections sites to Prisma Access. Until now, you’ve needed to use pre-shared keys for IKE authentication.
Here’s how to set up IPSec tunnels and certificate-based IKE authentication for:
Identity Redistribution Updates
Prisma Access Cloud Management automatically enables service connections to work as identity redistribution agents (also called User-ID agents).
For Prisma Access to send identity data to on-premises devices (Panorama or a next-gen firewall), you must add a service connection’s User-ID agent details to the on-premises devices.
So that service connection User-ID agent information includes a collector name and pre-shared key, you can now
Enable Collector Settings
for the service connection. You’ll enter a pre-shared key, and Prisma Access will assign a collector name to the service connection.
To better secure the data redistribution connection, include the collector name and pre-shared key when you add Prisma Access as a redistribution agent on a next-gen firewall or Panorama.
Enterprise DLP — Support for 7-ZIP File Inspection
March 15, 2022
Enterprise DLP now supports inspection of 7Z ZIP files for the 7-ZIP file archiver.
Enterprise DLP — Enhanced Support for Image Detection
March 15, 2022
Enterprise DLP now supports detection of .jpg, .jpeg, .png, .tif, and .tiff image file types when Optical Character Recognition (OCR) is enabled.
Enterprise DLP — Nested Data Profile Match Criteria
March 15, 2022
Enterprise DLP now supports nesting additional match criteria for data profiles on the DLP app and Prisma Access (Cloud Managed) to more accurately define your compliance rules.

February 2022

New Features
Prisma Access 3.0 Features
February 28, 2022
In addition to the Prisma Access 3.0 features that were released for cloud management in January, Prisma Access 3.0 feature support now includes:
  • IP Allow List
    —You can now enable Prisma Access to display the IP address ranges for Prisma Access traffic. Use these IP address ranges in the IP allow lists for your SaaS applications, where you’re restricting usage to authorized users or sources.
  • Advanced Security Settings for Explicit Proxy
    3.0 Innovation deployments only
    )—Extend DNS Security to explicit proxy traffic, including support for all DNS Security categories and customization options.
  • SaaS Security Inline Policy Enforcement
    3.0 Innovation deployments only
    )—Support for cloud-delivered App-IDs (from ACE) mean that you can write SaaS policy rules based on recommendations from the SaaS Security dashboard.
Web Security Updates
February 28, 2022
This month’s release includes these updates to Web Security Management:
  • So that you can gradually enable a web access policy, or maintain a hybrid policy, you can now turn off the web access
    Global Catch All Policy
    . This rule requires you to allow or deny all web traffic and then build your policy from there. Disabling it means you can more easily migrate to a web access policy over a period of time.
  • When specifying URL categories to block for a web access policy, you’ll be able to choose to
    create a custom URL category
    then and there. The new option is built right into the web access policy configuration.
  • In just a few steps, you can enable a best practice
    Web Security
    policy, and see how to customize your policy, by following a new guided walkthrough.

January 2022

New Features
Prisma Access 3.0
January 27, 2022
Prisma Access 3.0 is now live. Here are the Prisma Access 3.0 features that Prisma Access Cloud Management supports with the January 2022 release.
  • New Prisma Access Compute Locations
    Australia South, Canada Central (Toronto), and India North
  • WildFire API Support
  • WildFire India Cloud Support
  • Maximum Size Increase for External Dynamic Lists
    • 150,000 IPs for IP-based EDLs
    • 250,000 URLs for URL-based EDLs
  • Support for Prisma SD-WAN CloudBlade 3.1.2
  • Mobile User Regional Redundancy
  • Google IdP Support for Cloud Identity Engine
  • QoS Support for Remote Networks
New Guided Walkthrough:
January 27, 2022
A new guided walkthrough makes it easy to set up SAML authentication for Prisma Access.
Policy Optimizer:
Exclusions and Troubleshooting
January 27, 2022
Policy Optimizer now includes an exclusion list, and you can troubleshoot rules that failed to optimize:
  • Removed from Optimization
    —Exclude a rule from optimization. When you exclude a rule from optimization, you’ll need to push the configuration to Prisma Access to save the exclusion and it takes up 24 hours for it to display on the exclusion list. You can add an excluded rule back to the list for optimization at any time.
  • Optimization Failed
    —Review and troubleshoot rules that failed optimization. These rules include a failure description, to let you know why optimization didn’t work.
Troubleshooting for EDLs
January 27, 2022
Get the status and latest details for the External Dynamic Lists (EDLs) that you’re using with Prisma Access, and:
  • search across EDLs to see if they include a specific IP address, subnet, or URL
  • Force an EDL to refresh
To get started, go to
External Dynamic Lists
, set the scope to
Remote Networks
Mobile Users - GlobalProtect
, and check the
EDL Status
Web Security:
Update to Vulnerability and C2 Protection Settings
January 27, 2022
The web security default settings for Vulnerability and C2 protections are now set to block medium, high, and critical severity threats by default. If you want to customize these protections more granularly, you can refine protection coverage based on severity or threat type.
Force Logout
January 27, 2022
See yourGlobalProtect users that are currently logged in and that have logged in the past 90 days. For currently logged in users, you also have the option to log them out of GlobalProtect. The
Force Logout
option disconnects the user or selected users from GlobalProtect.
To get started, go to
Service Setup
GlobalProtect App
to see
User Status
Ticket Request to Disable GlobalProtect
January 27, 2022
Instead of enabling users to directly disable GlobalProtect, you can allow a user to request for GlobalProtect to be disabled. You can then decide whether to disable GlobalProtect or not and specify for how long GlobalProtect can be disabled.
After you’ve set this up, here’s how it works:
  • A user submits a request in the GlobalProtect app to disable GlobalProtect.
  • The GlobalProtect app displays a request ID, and the user shares the request ID with you.
  • In Prisma Access Cloud Management, you use the request number to generate a ticket that disables GlobalProtect for a set amount of time.
Enterprise DLP — New Data Patterns For Enterprise DLP
January 7, 2022
Enterprise DLP now includes 56 new data patterns and 5 new data profiles. New data patterns include PCI data patterns for full bank account numbers, routing numbers localized in various countries (Australia, Canada, parts of Europe, China, and Japan), IBAN numbers, CCNs for various credit card types (American Express, Visa, Mastercard, and Discover).
Enterprise DLP — Expedited Enablement of Optical Character Recognition (OCR)
January 7, 2022
Optical Character Recognition (OCR) enablement is now expedited when enabled on Prisma Access (Cloud Managed) or on the DLP app on the hub for Next-Generation firewalls and Prisma Access (Panorama Managed). Now when you request OCR enablement, the request is fulfilled in 15 minutes after it is received by the DLP cloud service.
Simplified Integration for Remote Browser Isolation (RBI)
January 6, 2022
Prisma Access easily integrates with RBI providers, to redirect users so that they can access unknown or even risky resources in an isolated and contained environment. You’re able to provide your users with a seamless experience, without allowing them to directly access potentially malicious content.
In just a step or two, you can enable the RBI provider to integrate with, and then choose the URL categories that you want to direct to the RBI provider’s hosted environment.
Explicit Proxy—PAC File Editor
January 6, 2022
As part of the simple setup for Explicit Proxy, you can now customize and manage the Explicit Proxy PAC file directly in Prisma Access, including validating syntax.
EDL Hosting Service — AWS and GCP Endpoints Lists
January 6, 2022
The EDL Hosting Service is a list of Software-as-a-Service (SaaS) application endpoints. Supported SaaS providers include Microsoft 365 and Azure, and now Amazon Web Services (AWS) and Google Cloud Platform (GCP).
You can subscribe to Microsoft 365 endpoint lists directly from Prisma Access Cloud Management.
To subscribe to Azure, AWS, and GCP endpoint lists, create an external dynamic list (EDL) based on the feed URL.
Support for Certificates in DER and PEM Formats
January 6, 2022
You can now import and export PEM-formatted certificates, and you can import DER-formatted certificates (export for DER-formatted certificates is in the works).
Enterprise DLP: EDM Updates and Snippet Settings
January 6, 2022
Prisma Access Cloud Management now supports:

December 2021

New Features
SaaS Security Dashboard
December 2, 2021
SaaS Security Inline is built-in to Cloud Managed Prisma Access to give you a centralized view of network and CASB security. SaaS Security Inline offers SaaS visibility—advanced analytics and reporting—so that your organization has the insights to understand the data security risks of sanctioned and unsanctioned SaaS application usage on your network.
Enterprise DLP — New Data Profiles for Enterprise DLP
December 2, 2021
Enterprise data loss prevention (DLP) now includes 7 new predefined data patterns and 2 new predefined data profiles to provide scanning for medical codes, NPI codes, and more credentials, access tokens, and keys.

November 2021

New Features
Enterprise DLP Updates
November 18, 2021
You can now comprehensively manage Enterprise DLP on Prisma Access Cloud Management.
The Enterprise DLP dashboard is built out so you can manage your Enterprise DLP configuration directly from Prisma Access Cloud Management, and new features are supported including Optical Character Recognition (OCR), where DLP scans images in supported file types for sensitive content.
New Guided Walkthrough
November 18, 2021
A new guided walkthrough makes it easy to:
  • Create A Security Profile
    Security profiles are how you enable security services (think Threat Prevention, WildFire, and URL Filtering) for your network traffic. Each security profile has it’s own dashboard where you can create and update profiles, centrally manage profile overrides, assess profile and override usage, and tap in to the latest Palo Alto Network’s threat data to check coverage and take action.
    Launch from:
    Manage > Service Setup > Overview > Basics.
Autonomous DEM for Remote Networks
November 12, 2021
Autonomous DEM is now supported for remote networks. To enable Autonomous DEM for remote networks, turn on Autonomous DEM for a compute location. Autonomous DEM will begin monitoring all the remote networks in the compute location.
Enterprise DLP — Exact Data Matching
November 2, 2021
Exact Data Matching (EDM) for Enterprise DLP is now available for Cloud Managed Prisma Access.
EDM is an advanced detection tool to monitor and protect sensitive data from exfiltration. Use EDM to detect sensitive and personally identifiable information (PII) such as social security numbers, Medical Record Numbers, bank account numbers, and credit card numbers, in a structured data source such as databases, directory servers, or structured data files (CSV and TSV), with high accuracy.
Trusted IP Address List for Administrator Access
November 2, 2021
Specify trusted IP addresses for Prisma Access cloud management administrators. Only administrators that log in from these source IP addresses (and also that successfully authenticate) can access Prisma Access cloud management.
Get started on the navigation panel and go to
IP Restrictions
Policy Optimizer — History and Results for Optimized Security Rules
November 2, 2021
Policy Optimizer now includes history for security rules you’ve optimized. Historical data includes the optimization results: compare original rule’s traffic coverage against optimized rules.
Routing Information for Remote Networks and Service Connections
November 2, 2021
For troubleshooting purposes, you can now view the routing table for a remote network site or service connection site. Find the
Routing Information
button on the remote networks or service connection dashboard.
New Guided Walkthrough
November 2, 2021
A new guided walkthrough makes it easy to:
  • Create a Security Rule
    Construct a security rule based on built-in, best practice guidance.
    Launch from:
    Manage > Configuration > Security Policy or the Overview dashboard (Manage > Service Setup > Overview).

October 2021

New Features
A dedicated management experience is now available for web security admins focused on controlling access to the internet and SaaS applications.
Web Security Management consolidates web access policy controls in one place, and includes built-in best practice settings.
In one-click, web security admins can enable a best practice web access policy to start securing all web-bound traffic for all users. This new web access policy layer works seamlessly with your existing security policy.
New Guided Walkthroughs
New guided walkthroughs make it easy to:
  • Onboard Mobile Users (Explicit Proxy)
    Set up an explicit proxy connection for mobile users.
    Launch from:
    the Overview dashboard (Manage > Service Setup > Overview)
  • Optimize Your Security Policy
    Easily convert rules that are too broad (they might be introducing security gaps) into targeted rules that allow only that applications you actually use.
    Launch from:
    Manage > Service Setup > Overview > Optimize > Policy Rules to Optimize
Cleanup for Zero Hit Objects
Optimizing your security policy now includes the option to clean up zero hit objects.
Objects are the building blocks you use to write policy; a zero hit object is an object that you’re using in your security policy, but in at least one rule, it’s not matching against traffic. So that the object is being used effectively and not introducing security gaps, remove it from the rules where it's not enforcing traffic.
Optional and Required Endpoint Lists for Microsoft 365
You can now subscribe to optional and required Microsoft 365 endpoint lists.
Go to
Security Services
SaaS Application Management
and open
Microsoft 365 Endpoint Lists
Go to
Customize Subscription
to subscribe to the new endpoint lists. You’ll find that each of the services under Worldwide (including GCC) now include lists for both optional and required endpoints:
Your Prisma Access Version and Tenant Information
For easy reference, you’ll now find version and tenant information for your Prisma Access environment on the
dashboard (
Service Setup
GlobalProtect — New App Settings
Persist for User Input
Go to
GlobalProtect App
App Configuration
Advanced Options
Endpoint Traffic Policy Enforcement
This is turned off by default.
Go to
GlobalProtect App
App Configuration
Advanced Options
SaaS Security Inline — Visibility
You can now use the SaaS Security Inline app with Prisma Access. SaaS visibility provides advanced analytics so you can understand the data security risks of sanctioned and unsanctioned SaaS apps on your network.
SaaS Security Inline is an add-on to your Prisma Access license. To see what’s included with your license, go to
Service Setup
and review your
Enterprise DLP — Support for Data Profiles Containing EDM Datasets and Data Patterns
Enterprise DLP now supports creating custom data profiles on the DLP app on the hub that contain both data pattern and Exact Data Matching (EDM) datasets to define the match criteria.

August 2021

New Features
Policy Optimizer
—Try it now while it’s available for early access—
Policy rules that are too broad—where they allow applications that aren’t in use in your network—introduce security gaps.
Prisma Access identifies these overly permissive rules for you, and enables you to easily replace them with more specific rules that only allow the applications you’re actually using.
Enterprise DLP on Prisma Access
Data loss prevention (DLP) protects sensitive information against unauthorized access, misuse, extraction, or sharing. Enterprise DLP on Prisma Access enables you to enforce your organization’s data security standards and prevent the loss of sensitive data across mobile users and remote networks.
If you’re already using Panorama to manage Enterprise DLP for next-gen firewalls, your DLP configuration in Prisma Access cloud management is read-only; continue to manage DLP from Panorama.
Enterprise DLP is an add-on license on Prisma Access. You can either start with a 60-day trial or purchase a license to use Enterprise DLP on Prisma Access.
Configuration Snapshots — Load and Compare
Prisma Access gives you a snapshot of all your configuration versions. You already have the option to directly restore an earlier configuration version to Prisma Access.
Now, you can also:
  • Load an earlier version as your candidate configuration; make updates to the new candidate configuration and push to Prisma Access when you’re ready.
  • Compare configuration versions to see what’s changed.
Translated UI:
  • Japanese
  • French
  • German
The Prisma Access Cloud Management interface is now available in German, French, and Japanese. If one of these languages is the preferred language in your browser, you’ll automatically start seeing the translated interface next time you log in.
You might still see some text that remains in English—that’s okay, it won’t last long! We’ll be translating the latest features and updates each month, and will catch this the next time around.
Prisma Access 2.2 Preferred Support
Learn about the Prisma Access 2.2 Preferred release here. The features supported for Prisma Access Cloud Management are:
Send IPv6 traffic to Prisma Access
Explicit Proxy Enhancements
  • Support for user identity-based security policies using HTTP XAU Header
  • Deployment and operational status visibility with Prisma Access Insights
  • Enforce an authentication-only option for explicit proxy security policy
WildFire Germany Cloud
The locations listed here will automatically use the WildFire cloud in Germany to analyze file-based threats.
Device Quarantine Support
Prisma Access allows you to identify and quarantine compromised devices with the GlobalProtect app. You can either manually or automatically (based on auto-tags) add devices to a quarantine list. You can block quarantined devices from accessing the network, or restrict the device traffic based on a security rule.
To get started, go to
and set up a
Quarantined Device List
. Then use the list as part of identity redistribution.
Best Practice Checks for Mobile Users (GlobalProtect)
Live best practice checks for your GlobalProtect configuration help you to pinpoint where you can strengthen your security posture.
Custom Response Pages for Mobile Users (GlobalProtect)
Create your own custom GlobalProtect response pages with your corporate branding, acceptable use policies, and links to your internal resources.
Two New Guided Walkthroughs
Two new guided walkthroughs make it easy to:
  • Turn on decryption
    We’ve built in best practice settings you can use to start decrypting traffic, including default decryption certificates and recommended decryption overrides. Follow the walkthrough to turn decryption on in just a few quick steps.
  • Enable the Best Practice Template for Explicit Proxy
    Prisma Access gives you a best practice template for explicit proxy, so you can safely enable explicit proxy connections. We’ll walk you through enabling the template; then, you can use it as a basis to start customizing your setup to fit your needs.
Best Practices Dashboard and PDF Report
Measure your security posture against Palo Alto Networks’ guidance and check for CIS Critical Security Controls (CSC) compliance with the new best practice report. (It covers 40+ checks).
Share Your Feedback
Easily share your feedback on your Prisma Access experience. Let us know what’s working for you, and how we can make Prisma Access even better.

July 2021

New Features
Best Practice Template for Explicit Proxy
So you can quickly start securing explicit proxy connections, we’ve added new practice security and decryption rules, application filters and groups, and a URL Access Management profile. These built-in best practice settings were created specifically for explicit proxy, and provide a template for securing explicit proxy connections.
Enable this best practices template in just two clicks. The best practice objects and profiles are already added to the best practice rules, so all you need to do is enable the security and decryption rules to get going:
  • Enable the best practice security rules
  • Enable the best practice decryption rule
When you’re up and running, you can customize the best practice template to fit the needs of your organization.
CloudBlade is now supported for Prisma Access Cloud Management.
EU Support for Prisma Access Cloud Management
Your Prisma Access environment can now be hosted in Europe (in the Netherlands).
  • If you’re
    to Prisma Access, and your Cortex Data Lake instance is hosted in Europe (Germany or the Netherlands) or the United Kingdom, your Prisma Access instance will be automatically deployed in Europe, too.
  • If your
    Prisma Access environment is deployed in the Americas, and you’d like it to be hosted in Europe, contact your account team.

June 2021

New Features in June 2021
Easy M365 Enablement
Built-in security and decryption rules, as well as a guided walkthrough, mean you can safely enable M365 in just a few clicks.
  • Built-in security rules allow M365 apps, and ensure that they connect only to Microsoft endpoints
  • Built-in decryption rules skip decryption for traffic destined to Microsoft-categorized Optimize endpoints (this is Microsoft’s recommendation)
  • The guided walkthrough will get you up and running with M365 in two steps.
GlobalProtect App Versions
You can now choose the version of the GlobalProtect app you want to make available for your mobile users.
While Prisma Access hosts several GlobalProtect app versions, only one of the hosted versions is active. When mobile users log in to the Prisma Access portal, the active version is the one they download and use on their Windows and macOS devices; this is the version you can now choose.
And at any time, you can go to the Overview dashboard to see the active GlobalProtect app version.
Along with choosing the GlobalProtect app version you want to make available, use the GlobalProtect app settings to specify whether mobile users can upgrade to that version and, if they can, whether they can choose when to upgrade.
Config Load
In addition to restoring an earlier config version, you can now also load an earlier conversion.
While restoring an earlier config version directly replaces your running configuration with that version (no config push required), loading an earlier config version replaces your candidate configuration with that version. This gives you some time to review the configuration or make adjustments before pushing the config to Prisma Access.
Go to
Service Setup
Config Version Snapshots
to get started.
Security Rule Schedules
By default, security policy rules are always in effect (all dates and times). To limit a security rule to specific times, you can define schedules, and then apply them to the appropriate rules. For each schedule, you can specify a fixed date and time range or a recurring daily or weekly schedule. Add or edit a security rule to get started.
Prisma Access 2.1 Innovation Features
Explicit Proxy Enhancements
  • Coexistence of Explicit Proxy with VPN clients (both GlobalProtect or third-party) where VPN clients provide Private App Access
  • Support for DNS Security subscriptions with explicit proxy
  • TLS version 1.3 Support
  • Support for Remote Browser Isolation (RBI) using Redirect method
  • Control access to cross-origin resource sharing (CORS) and undecrypted traffic from authenticated IP addresses only
Support for Secure Inbound Access for Deployments that Allocate Bandwidth by Compute Location
Remote network deployments that allocate bandwidth by compute location instead of on a per-location basis will now support using remote networks to allow inbound access to internet-connected applications.
Secure inbound access support for remote networks is still supported for legacy for deployments that allocate bandwidth by location.

May 2021

New Features in May 2021
Prisma Access gives you simple, centralized management for your SaaS applications. For Microsoft 365 apps, Google apps, Dropbox, and YouTube you’ll find features that you can turn on in two steps or less to safely enable the applications for enterprise use, including:
  • Ensure your Microsoft apps connect only to Microsoft endpoints. All you need to do is subscribe to endpoint lists that Palo Alto Networks maintains, and then add a list to policy.
  • Restrict access for Microsoft apps, Google apps, and Dropbox to enterprise accounts (disallow personal accounts on the company network).
  • Enforce YouTube Safe Search.
Expanded Inline Help
We’ve re-imagined the help that’s built in to Prisma Access cloud management, so that the information you need is at your fingertips, at the exact moment you need it.
  • New ML-driven keyword search surfaces content from across Palo Alto Networks resources, and features TechDocs, Knowledge Base, and Live Community topics.
  • Context-aware recommendations are on every page. When available, this includes guided walkthroughs.
  • Embedded videos
Bookmark the new Live Community page for Prisma Access cloud management. Find expert articles, share ideas, and ask questions.
New Config Management Features
Sometimes a configuration push can have unintended security implications or an unexpected impact on traffic. To recover from this, you can restore an earlier configuration version.
Objects that aren’t referenced in policy and rules without any traffic hits can clog up performance and complicate policy management. Now you can easily clean up:
  • Unused Objects
    —These are objects that have not been referenced in policy in the past six months.
  • Zero Hit Policy Rules
    —These are policy rules that have not had any hits in the past six months.
Support Updates
  • Prisma Access Cloud Management can now be deployed in Europe (Frankfurt), in addition to the Americas region.
  • You can now send Prisma Access Cloud Management logs to Cortex Data Lake instances in all supported regions, with Australia being the latest region for which we’ve added support.
  • Prisma Access Cloud Management is now upgraded to support GlobalProtect agent version 5.2.6.
Mobile Users Statistics Updates
Insights has the following improvements to Insights for the current and historical mobile user count:
  • Summary
    • Summary
      tab—In the
      Mobile Users
      section of the
      Connectivity Status
      area, the
      Current Connected Mobile Users
      always displays real-time information about the current number of connected mobile users. In addition, when you move the slider in the time line to view a historical record of connected users, the number displayed shows the peak number of users averaged over the given time period.
      Another slider allows you view either
      users by moving the slider between those values.
      The number displayed counts the number of users that are connected, not the number of devices that are connected, whether or not a single user is logged in to more than one location or is connected with multiple devices.
    • Map View (Real Time)
      tab—When you hover over a location, Insights provides you with the number of connected users.
  • Mobile Users
    • Connected Users
      widget—The date and time that the mobile user count was calculated is provided in the widget. In addition, you can view the current number of currently connected mobile users, or use the slider in the time line to view a historical record of the number of the peak number of users averaged over the given time period.
    • User Connections to Prisma Access Locations
      widget—This widget provides you with the current number of currently connected users per mobile user location.

April 2021

New Features in April 2021
Guided Onboarding
The new Overview page now includes walkthroughs you can follow when you’re setting up mobile users, remote networks, or service connections for the first time.
The walkthroughs take you through the basic, required steps to get your environment up and running. When you’re done, you’ll be ready to start testing your environment, and customizing it to fit your organization’s needs.
You’ll only see the option to
Launch Walkthroughs
for deployments with no existing configuration. After first-time setup, the onboarding task shows on the Overview page as complete.
Security Profile Hit Counts
Security profile dashboards are updated to surface more data, including hit counts for profiles, rules, and overrides. Here’s what’s new for each profile type:
Anti-Spyware and Vulnerability
You can now see profile and override hit counts. For overrides, you can also see the timestamp for when the override was last used.
WildFire and Antivirus
For each profile, you can see the verdicts for files or email links submitted to WildFire, and the malware the profile blocked.
DNS Security
See the number of DNS queries the profile blocked.
URL Access Management
See the number of hits for each URL category.
File Blocking
See the percent of decrypted traffic that the file blocking profile is enforcing, and the number of files the profile blocked in the last seven days.
Autonomous DEM for Mobile Users (GlobalProtect)
Autonomous Digital Experience Management (DEM) is now available!
Autonomous DEM is a service that provides native, end-to-end visibility and insights for all user traffic in your Secure Access Service Edge (SASE) environment.
Navigation Updates
We’ve updated the Prisma Access navigation, so that you can move more seamlessly between global and local configurations. You can even pin the pages you use most frequently, so that they’re right there when you need them.
Take a look:
Getting Started Homepage
page is your new Prisma Access homepage. Come here if you’re new to Prisma Access or when you first log in to see:
  • At-a-glance status
    for your Prisma Access environment:
    • Verify license and status details
    • Get configuration status and drill down on an issue to find it's source
  • A checklist that shows you your
    onboarding progress
    , and gives you next steps.
  • Your overall
    best practice scores
    show you were you can take action to align with best practices.
Identity Redistribution
So that you can enforce your security policy consistently, Prisma Access shares identity data that GlobalProtect discovers locally across your entire Prisma Access environment. We’ve enabled some identity data redistribution by default, and for what’s left, we’ve made the configuration to enable redistribution very simple (just select a check box). You can see and manage all identity redistribution from a single dashboard:
Go to
Identity Services
Identity Redistribution
(URL Access Management and Authentication)
Best Practice Checks now extend to URL Access Management and Authentication.
Best practice security checks are built-in to Prisma Access. Use these inline checks to continually assess your configuration against Palo Alto Networks’ best practice recommendations. When you see an opportunity to improve your security posture, you can take action then and there.
Cortex Data Lake Regional Support
You can now send Prisma Access Cloud Management logs to Cortex Data Lake instances in any region.
The only Cortex Data Lake region that is not yet supported is Australia.

February 2021

New Features in February 2021
(Security Policy and Decryption)
Best practice security checks are now built-in to Prisma Access. Use these inline checks to continually assess your configuration against Palo Alto Networks’ best practice recommendations. When you see an opportunity to improve your security posture, you can take action then and there.
Security checks include NIST security controls and Center for Internet Security’s (CIS) Critical Security Controls (CSC).
Prisma Access 2.0 Innovation Features
Explicit Proxy
If your organization’s existing network already uses explicit proxies and deploys PAC files on your client endpoints, you can smoothly migrate to Prisma Access to secure mobile users’ outbound internet traffic. You will still be able to secure mobile users with GlobalProtect. If you want to add an explicit proxy to an existing mobile users deployment, you can divide your mobile users license between the users you want to secure with GlobalProtect and the users you want to secure with an explicit proxy. Explicit proxy uses your existing Mobile User license. Whether you have a new deployment or if you upgrade, you can divide your mobile user license between GlobalProtect and Explicit Proxy connections.
Remote Networks Allocated Bandwidth, for Existing Deployments
In December, we introduced Remote Network Bandwidth Allocation, Based on Prisma Access Location. This feature is now available to existing remote network setups. If you want to start allocating bandwidth based on Prisma Access locations instead of for each site, you can. The benefit is that, bandwidth can be used across sites where it’s needed, instead of dedicated to a single side even when its not being used.
Support for Predefined URLs and URLS in EDLs in Traffic Steering
You can now target internet-bound traffic that you want to forward through a service connections site based on:
  • Predefined URL categories
  • URLs in External Dynamic Lists (EDLs)
Support for No Export BGP Community
To allow you to control how BGP advertises subnets, Prisma Access support the well-known BGP community no-export.
Licensing Page Updates
The Prisma Access Licenses page now also shows any Add-Ons that you’ve added to your Prisma Access subscription.
Customization and Dashboards for Security Profiles
The WildFire and Antivirus dashboard is now available.
Earlier this month we added dashboards for all security profiles, with one exception; as of February 25th, the remaining dashboard for WildFire and Antivirus is now also available.
While best practice security profiles have been built-in to Prisma Access from the start, you can now customize security profiles to meet the unique needs of your business.
Each profile has it’s own dashboard—from a profile dashboard, you can create and update profiles, centrally manage profile overrides, assess profile and override usage, and tap in to the latest Palo Alto Network’s threat data (including content releases, the Threat Vault, and PAN-DB) to check coverage and take action. Explore each profile type to see all the features available to you.
Here are some security profile highlights:
And here are the security profiles available to you:
  • Anti-Spyware
    —Detect and stop command and control (C2) activity.
  • Vulnerability
    —Stop attacker attempts to exploit system flaws and gain unauthorized access to your network
  • DNS Security
    —Automatically secure your DNS traffic and get coverage for DNS-based attacks.
  • URL Access Control
    —Control user access to and interaction with web content, and enforce safe search.
  • HTTP Header Insertion
    —formerly included with URL Filtering, this profile gives you a way to manage SaaS application access based on HTTP headers.
  • File Blocking
    —Monitor or block specific file types.
  • WildFire and Antivirus
    Detect viruses and malware found in executables and file types.
Insights is now integrated with Prisma Access Cloud Management. Look for Insights on the left navigation bar.
With Insights, you can continuously monitor your Prisma Access environment. When an event or status requires your attention, Insights sends you alert notifications so you can quickly pinpoint issues that you can fix and so that you have visibility into the fixes the Prisma Access team is working on.
Log Details for Threats and Overrides
Threat logs (anti-spyware and vulnerability events) now include threat details to give you context and the detected event, and show you if there are threat overrides configured that might be impacting how the threat is enforced.
Peer Analysis for Features You Aren’t Yet Using
To help you understand the protection capabilities of features for which you don’t have an active license, you now have visibility into how your industry peers are benefiting from the feature capabilities. This will give you an idea of how the feature might be able to benefit you.
You’ll see a dashboard like this when you try to access a feature for which you don’t yet have a license:

December 2020

New Features in December 2020
To help you to quickly resolve mobile user connection, performance, and access issues, the GlobalProtect app can send troubleshooting and diagnostic logs to Cortex Data Lake for further analysis. When end users report an issue in the app, the app sends an easy to read, comprehensive report to Cortex Data Lake; use the report to quickly identify the root cause of the end user issue.
Here’s how it works:
  1. Turn on
    Log Collection for Troubleshooting
    for the GlobalProtect app:
  2. Your users can now
    Report an Issue
    if they experience unusual performance or can’t connect.
  3. The GlobalProtect app sends diagnostic and troubleshooting information to Cortex Data Lake.
  4. You can access the logs and reports in the Explore app on the hub.
More Ways to Customize the GlobalProtect App
You now have more than 60 new options to customize the GlobalProtect app so that it best suits the needs of your organization and your mobile users. Learn more about these GlobalProtect app features, that are newly-available for Prisma Access.
Simplified Navigation in App and Between Apps
When you next log in, you’ll see that we’ve updated the cloud management interface navigation. We’ve consolidated all features so you can access them from a new navigation panel on the left side of the interface. And we’ve also made it so you can easily move from one Palo Alto Networks app to another, and back again.
IKE Peer Host Routes for Remote Networks and Service Connections
These enhancements assist you when sharing public address space externally and internally with private apps:
  • Enable automatic IKE peer host routes for Remote Networks and Service Connections
    —This option allows Prisma Access to automatically add a host-specific static route to the static IKE gateway peer for the IPSec tunnel on the Remote Network security processing node (SPN) and Service Connection corporate access node (CAN).
  • Specify Outbound Routes
    —This enhancement allows you to add up to 10 prefixes for which static routes are added on all SPNs and CANs, and Prisma Access routes traffic to these prefixes over the internet.
To get started, enable or adjust the default BGP settings Prisma Access uses to route traffic to your service connection sites (headquarters or data centers). Go to
Service Connections
Service Connection Setup
Advanced Settings
BGP Routing
Centrally manage the certificates you use to secure communication across your network. In one place, set up your certificates, add certificate authorities (Prisma Access includes preloaded certificates for well-known CAs), add OCSP responders, and define certificate checks you want to require. The certificates and settings you set up here can be used throughout your Prisma Access deployment to secure features like decryption, your authentication portal, and the GlobalProtect app.
Dynamic User Groups (DUGs)
Together, dynamic user groups and auto-tags (along with dynamic address groups) give you a way to automate authentication, decryption, and security policy.
Based on activity (you define the log criteria to act on), users and IP addresses are automatically tagged and added to dynamic user groups. Any policy that references the dynamic user group automatically begins to enforce the user or IP address without requiring you to manually create and commit policy or group changes.
DUGs with auto-tags are particularly useful for auto-remediation—when Prisma Access detects anomalous user behavior or malicious activity, it can automatically enforce your remediation actions.
You allocate bandwidth at an aggregate level for a compute location. Each location has a corresponding compute location for which bandwidth is allocated, and all sites you onboard in a compute location share that allocated bandwidth.
For example, you want to onboard four branch offices using remote networks in the Singapore, Hong Kong, Thailand, and Vietnam locations. All these locations map to the Asia Southeast compute location. If you allocate 200 Mbps bandwidth to the Asia Southeast compute location, all four branch offices will share the 200 Mbps of bandwidth.
If one or more sites are not using a large amount of bandwidth, Prisma Access makes the remaining bandwidth available to other sites in that compute location.
If you have already onboarded remote networks, your deployment is unchanged and you will still assign bandwidth per site (location) or per remote network connection.
The ability to forward internet-directed traffic through service connections for remote network and mobile user deployments is enhanced and has a new name—Traffic Steering.Traffic steering expands the scope of directing internet-bound traffic through service connections. In addition to specifying FQDNs, IP addresses, and URLs and forwarding only HTTP and HTTPS internet-bound traffic through service connections, you can send all traffic or a subset of the traffic based on the following additional criteria:
  • URL category
  • Service type (HTTP, HTTPS, or Any)
  • User
  • External Dynamic Lists (EDLs)
  • Dynamic Address Groups (DAGs)
You can then configure Prisma Access to split internet-bound remote network or mobile user traffic into multiple service connections based on the criteria you specified.Traffic steering is supported for mobile user and remote network deployments.

November 2020

New Features in November 2020
Prisma Access introduces changes to licensing. The new licensing model allows you to implement and use the capabilities of Prisma Access aligned to your business needs in a way that delivers the fastest return on investment. Whether your applications are migrating to the cloud, your users are working from anywhere, or if you are looking to gain operational efficiencies, Prisma Access offers the relevant type of license for your deployment.
There are no changes to licensing for existing Prisma Access deployments.
Choose from the following license editions:
  • Business
  • Business Premium
  • Zero Trust Network Access (ZTNA)
  • Enterprise
ZTNA is available for Prisma Access for Mobile Users only; you can use all other editions with Mobile Users, Remote Networks, or both mobile users and remote networks.
All license editions are available for Local and Worldwide Prisma Access locations. When you purchase a license with Worldwide locations, you can deploy Prisma Access in all Prisma Access locations. When you purchase a license with Local locations, you can select up to 5 Prisma Access locations.
Protect your network resources and the applications you use to do business by verifying user identities, and granting access only to legitimate users. Prisma Access now includes support for more authentication services and features so you can do just that.
Here are the highlights:
  • Support for TACACS+, RADIUS, LDAP, Kerberos, and MFA (SAML and local database authentication are already supported)
  • Built-in MFA vendors to choose from
  • IP address to username mapping, which is especially useful for remote networks — always know who at a remote network site is accessing business resources and sensitive data
  • If you’re using different types of authentication, you can specify the sequence in which you want Prisma Access to try each type
  • Streamlined authentication setup—everything you need to get started is in one place:
Secure Access for Internet-Facing Applications
If you are hosting an internet-facing application or service in your remote network location, you can use Prisma Access to front-end that application or service and provide secure inbound access from both internal and external users over the internet.
Application Tags to Safely Enable Applications with Common Attributes
Application tags help you to safely enable a broad set of applications that share common attributes. For example, you can enable broad access for your users to web-based applications using the
Web App
tag in an application filter, or safely enable all enterprise VoIP applications using the
Enterprise VoIP
tag. Palo Alto Networks researches new and updated applications, groups those with common attributes, and delivers new and updated tags in content releases.
You can also apply your own tags and create application filters based on those tags to address your own application security requirements.

October 2020

New Features in September 2020
Watch the video on getting started with Directory Sync.
Azure Active Directory (AD) Support
Directory Sync now provides Prisma Access with read-only access to Azure AD information, so that you can reference your Azure AD users and user groups in policy. Here’s how to get started.
User Attribute Preferences
Choose the Active Directory attribute Prisma Access uses to reference your users (for example, the User Principal Name or the SAM Account Name). You can set your attribute preferences so that if a directory does not use your primary attribute, Directory Sync collects an alternative attribute for Prisma Access to use based on your preferences.
ECMP Load Balancing for Remote Networks
To provide additional network resiliency using redundant instances of your customer premises equipment (CPE), Prisma Access allows you to add up to four IPSec tunnels for a single remote network. ECMP Load Balancing requires you to use BGP for dynamic routing, and is not supported with a static route or QoS setup. To get started with ECMP load balancing, you’ll need to specify a minimum bandwidth of 50 Mbps for the remote network site.
Prisma Access divides the bandwidth you select by the number of tunnels; for example, if you specify 300 Mbps and add four tunnels, each tunnel carries 75 Mbps. If one of the tunnels goes down, your network connection will now carry 225 Mbps instead of 300 Mbps.
DNS Proxy for Remote Networks
Specify DNS servers to resolve both internal and public domains for specific remote network sites.
If you specify an internal DNS server to resolve internal DNS domains and then specify either a public server or Prisma Access’ default server to resolve external domains, Prisma Access proxies the requests from the remote network site. You can also specify an external DNS server that is closer to the egress points of your remote network sites than your internal DNS server, which can provide optimal connectivity for SaaS applications such as Microsoft Office 365.
To get started quickly, you can copy your mobile user DNS settings over to your remote networks setup:
Mobile User IP Pool Summarization
To reduce the number of mobile user IP subnet advertisements over BGP to your customer premises equipment (CPE), Prisma Access can summarize the subnets before advertising them. This summarization can reduce the number of routes stored in CPE routing tables. For example, you can use Mobile User IP Pool Summarization with cloud VPN gateways (Virtual Private Gateways (VGWs) or Transit Gateways (TGWs)) that can accept a limited number of routes.
Support for WINS-Based Applications
To support the use of Windows Internet Name Service (WINS)-based applications, Prisma Access enables you to use WINS to resolve NetBIOS name-to-IP address mapping. You can specify primary and secondary WINS servers for WINS support, either for a Prisma Access region or worldwide.Prisma Access pushes WINS configuration to mobile users with the GlobalProtect app.

August 2020

This release is all about simple setup—the Prisma Access team has reimagined Cloud Managed Prisma Access to get you up and running quickly. Here are the features that make getting started easy.
We’ve also added features that give you more visibility into and control of your Prisma Access environment.
New Features in August 2020
Easy Onboarding
Onboard mobile users, remote network sites, and your HQ and data center sites to Prisma Access in just a few steps with a new, streamlined UI. Pre-defined network and infrastructure settings mean you can get started quickly, and come back later to customize your deployment.
For example, you can now onboard mobile users to a Prisma Access location in three steps:
  1. Add your portal hostname
  2. Choose Prisma Access locations
  3. Set up user authentication (test your setup with local users)
Speedy Activation
A guided workflow steers you through Prisma Access license activation on the hub.
Context-Sensitive Help with Tips to Get Started
Help topics share the benefits a feature can provide to you, with quick steps to get started. Just click the help icon on the menu bar.
Prisma Access Insights
Continuously monitor the health and performance of your Prisma Access environment with the new Insights app. Visually scan and interact with a variety of Insights dashboards to get status on your mobile users, remote network sites, service connections to your HQ and data centers, and the Prisma Access cloud infrastructure.
When Insights detects an issue in your environment, the app generates an alert that gives you context and lets you know where to take action. Insights alerts also give you visibility into fixes that the Prisma Access team is addressing.
GlobalProtect App Customization
Customize how end users interact with the GlobalProtect app that’s installed on their endpoints and send traffic to Prisma Access. Options you can customize include:
  • The method the GlobalProtect app uses to connect to Prisma Access.
  • The GlobalProtect app settings that are available to the user to adjust (for example, disable or upgrade the GlobalProtect app).
  • The host information profile (HIP) data the app collects—you can base policy enforcement on the data the app collects.
GlobalProtect App Split Tunneling
Split tunneling conserves bandwidth by excluding traffic from Prisma Access that is not business critical or does not enable productivity. You can configure split tunnel traffic based on an access route, destination domain, application, and HTTP/HTTPS video streaming application.
Hot Potato Routing
With hot potato routing, Prisma Access hands off traffic as quickly as it can to your organization’s network. Use this routing method if you want your organization’s network to perform the majority of routing decisions.
Traffic Forwarding for Third-Party Security
Instead of sending internet traffic from mobile users and remote networks directly to the internet, you can forward traffic through a service connection to a third-party security stack for further processing before being sent to the internet.

Features Added Before August 2020

Features Introduced Before August 2020
New Dashboard
The new Prisma Access dashboard gives you an immediate view in to the status and health of your deployment. When you log in to Prisma Access, use this global view to check that your remote networks and mobile users are connected to Prisma Access. If you see something unexpected, you can drill down in the map to identify the impacted remote network site, mobile user location, or service connection.
Log Export
You can now export logs to a CSV, XML, or JSON formatted file.
After using the
tab to search for the log records that you want, export them to a CSV, XML, or JSON file, and then download the file to your local drive.
Related Log Events
Certain Prisma Access network logs—Traffic, Threat, URL, File—now show you the other events logged during the same session.
Without leaving the context of the log you’re interested in, you can see the sequence of related events. Related logs are displayed chronologically, top to bottom—the log with the earliest timestamp is listed first.
Select a related log to investigate the details for that event. In cases where it’s available, log details might also include Directory Sync information associated with the source user.
Directory Sync Support
Directory Sync gives Prisma Access read-only access to your Active Directory information, so that you can easily set up and manage security and decryption policies for users and groups. You can add Directory Sync to Prisma Access as part of the initial Prisma Access activation workflow, or for an active Prisma Access instance, you can do this on the hub.

Recommended For You