This month’s release includes these updates to Web Security Management:

This month’s release includes these updates to Okyo Garde Enterprise Edition with Prisma Access:

Prisma Access (Cloud Managed) now allows you to save evidence for investigative analysis on Prisma Access Cloud Management when leveraging Enterprise data loss prevention (DLP).

Okyo Garde Enterprise Edition with Prisma Access brings SASE to the home network.

Okyo Garde is a network security solution that’s neatly packaged to be deployed in employees' homes to support work-from-home use cases.

Okyo Garde:

Palo Alto Networks will provide a SKU that allows you to purchase and activate all the components required for the cloud access security broker (CASB) security offering, which includes the following products:

To gain visibility into and control of SaaS applications, SaaS Security admins create SaaS rule recommendations with specific SaaS App-IDs provided by the App-ID Cloud Engine (ACE).

In Prisma Access Cloud Management, you can now review and choose to accept the rules that SaaS Security admins recommend. SaaS rule recommendations are added to your web access policy—you must have Web Security enabled to leverage SaaS rule recommendations.

You can now enable SSO with smart card authentication for your GlobalProtect mobile users. When a user logs in to their Windows endpoint, the GlobalProtect app acquires and remembers their smart card PIN to authenticate them.

You can now use certificates to authenticate IPSec devices located at remote network or service connections sites to Prisma Access. Until now, you’ve needed to use pre-shared keys for IKE authentication.

Here’s how to set up IPSec tunnels and certificate-based IKE authentication for:

In addition to the Prisma Access 3.0 features that were released for cloud management in January, Prisma Access 3.0 feature support now includes:

Prisma Access 3.0 is now live. Here are the Prisma Access 3.0 features that Prisma Access Cloud Management supports with the January 2022 release.

A new guided walkthrough makes it easy to set up SAML authentication for Prisma Access.

Policy Optimizer now includes an exclusion list, and you can troubleshoot rules that failed to optimize:

Get the status and latest details for the External Dynamic Lists (EDLs) that you’re using with Prisma Access, and:

To get started, go to

External Dynamic Lists

, set the scope to

Remote Networks

or

Mobile Users - GlobalProtect

, and check the

EDL Status

.

The web security default settings for Vulnerability and C2 protections are now set to block medium, high, and critical severity threats by default. If you want to customize these protections more granularly, you can refine protection coverage based on severity or threat type.

See yourGlobalProtect users that are currently logged in and that have logged in in the past 90 days. For currently logged in users, you also have the option to log them out of GlobalProtect. The

Force Logout

option disconnects the user or selected users from GlobalProtect.

To get started, go to

Manage

Service Setup

GlobalProtect

GlobalProtect App

to see

User Status

.

Instead of enabling users to directly disable GlobalProtect, you can allow a user to request for GlobalProtect to be disabled. You can then decide whether to disable GlobalProtect or not and specify for how long GlobalProtect can be disabled.

After you’ve set this up, here’s how it works:

Prisma Access easily integrates with RBI providers, to redirect users so that they can access unknown or even risky resources in an isolated and contained environment. You’re able to provide your users with a seamless experience, without allowing them to directly access potentially malicious content.

In just a step or two, you can enable the RBI provider to integrate with, and then choose the URL categories that you want to direct to the RBI provider’s hosted environment.

As part of the simple setup for Explicit Proxy, you can now customize and manage the Explicit Proxy PAC file directly in Prisma Access, including validating syntax.

You can subscribe to Microsoft 365 endpoint lists directly from Prisma Access Cloud Management.

To subscribe to Azure, AWS, and GCP endpoint lists, create an external dynamic list (EDL) based on the feed URL.

You can now comprehensively manage Enterprise DLP on Prisma Access Cloud Management.

The Enterprise DLP dashboard is built out so you can manage your Enterprise DLP configuration directly from Prisma Access Cloud Management, and new features are supported including Optical Character Recognition (OCR), where DLP scans images in supported file types for sensitive content.

A new guided walkthrough makes it easy to:

Autonomous DEM is now supported for remote networks. To enable Autonomous DEM for remote networks, turn on Autonomous DEM for a compute location. Autonomous DEM will begin monitoring all the remote networks in the compute location.

Exact Data Matching (EDM) for Enterprise DLP is now available for Cloud Managed Prisma Access.

EDM is an advanced detection tool to monitor and protect sensitive data from exfiltration. Use EDM to detect sensitive and personally identifiable information (PII) such as social security numbers, Medical Record Numbers, bank account numbers, and credit card numbers, in a structured data source such as databases, directory servers, or structured data files (CSV and TSV), with high accuracy.

Specify trusted IP addresses for Prisma Access cloud management administrators. Only administrators that log in from these source IP addresses (and also that successfully authenticate) can access Prisma Access cloud management.

Get started on the navigation panel and go to

Settings

IP Restrictions

.

Policy Optimizer now includes history for security rules you’ve optimized. Historical data includes the optimization results: compare original rule’s traffic coverage against optimized rules.

For troubleshooting purposes, you can now view the routing table for a remote network site or service connection site. Find the

Routing Information

button on the remote networks or service connection dashboard.

A dedicated management experience is now available for web security admins focused on controlling access to the internet and SaaS applications.

Web Security Management consolidates web access policy controls in one place, and includes built-in best practice settings.

In one-click, web security admins can enable a best practice web access policy to start securing all web-bound traffic for all users. This new web access policy layer works seamlessly with your existing security policy.

New guided walkthroughs make it easy to:

Optimizing your security policy now includes the option to clean up zero hit objects.

Objects are the building blocks you use to write policy; a zero hit object is an object that you’re using in your security policy, but in at least one rule, it’s not matching against traffic. So that the object is being used effectively and not introducing security gaps, remove it from the rules where it's not enforcing traffic.

You can now subscribe to optional and required Microsoft 365 endpoint lists.

Go to

Manage

Configuration

Security Services

SaaS Application Management

and open

Microsoft 365 Endpoint Lists

.

Go to

Customize Subscription

to subscribe to the new endpoint lists. You’ll find that each of the services under Worldwide (including GCC) now include lists for both optional and required endpoints:

For easy reference, you’ll now find version and tenant information for your Prisma Access environment on the

Overview

dashboard (

Manage

Service Setup

).

Go to

GlobalProtect

GlobalProtect App

App Configuration

Advanced Options

App

:

Policy rules that are too broad—where they allow applications that aren’t in use in your network—introduce security gaps.

Prisma Access identifies these overly permissive rules for you, and enables you to easily replace them with more specific rules that only allow the applications you’re actually using.

Data loss prevention (DLP) protects sensitive information against unauthorized access, misuse, extraction, or sharing. Enterprise DLP on Prisma Access enables you to enforce your organization’s data security standards and prevent the loss of sensitive data across mobile users and remote networks.

Important:

If you’re already using Panorama to manage Enterprise DLP for next-gen firewalls, your DLP configuration in Prisma Access cloud management is read-only; continue to manage DLP from Panorama.

Prisma Access gives you a snapshot of all your configuration versions. You already have the option to directly restore an earlier configuration version to Prisma Access.

Now, you can also:

The Prisma Access Cloud Management interface is now available in German, French, and Japanese. If one of these languages is the preferred language in your browser, you’ll automatically start seeing the translated interface next time you log in.

Learn about the Prisma Access 2.2 Preferred release here. The features supported for Prisma Access Cloud Management are:

Send IPv6 traffic to Prisma Access

Prisma Access allows you to identify and quarantine compromised devices with the GlobalProtect app. You can either manually or automatically (based on auto-tags) add devices to a quarantine list. You can block quarantined devices from accessing the network, or restrict the device traffic based on a security rule.

To get started, go to

Configuration

Objects

and set up a

Quarantined Device List

. Then use the list as part of identity redistribution.

Live best practice checks for your GlobalProtect configuration help you to pinpoint where you can strengthen your security posture.

Create your own custom GlobalProtect response pages with your corporate branding, acceptable use policies, and links to your internal resources.

Two new guided walkthroughs make it easy to:

Measure your security posture against Palo Alto Networks’ guidance and check for CIS Critical Security Controls (CSC) compliance with the new best practice report. (It covers 40+ checks).

So you can quickly start securing explicit proxy connections, we’ve added new practice security and decryption rules, application filters and groups, and a URL Access Management profile. These built-in best practice settings were created specifically for explicit proxy, and provide a template for securing explicit proxy connections.

Enable this best practices template in just two clicks. The best practice objects and profiles are already added to the best practice rules, so all you need to do is enable the security and decryption rules to get going:

When you’re up and running, you can customize the best practice template to fit the needs of your organization.

Built-in security and decryption rules, as well as a guided walkthrough, mean you can safely enable M365 in just a few clicks.

You can now choose the version of the GlobalProtect app you want to make available for your mobile users.

While Prisma Access hosts several GlobalProtect app versions, only one of the hosted versions is active. When mobile users log in to the Prisma Access portal, the active version is the one they download and use on their Windows and macOS devices; this is the version you can now choose.

And at any time, you can go to the Overview dashboard to see the active GlobalProtect app version.

In addition to restoring an earlier config version, you can now also load an earlier conversion.

While restoring an earlier config version directly replaces your running configuration with that version (no config push required), loading an earlier config version replaces your candidate configuration with that version. This gives you some time to review the configuration or make adjustments before pushing the config to Prisma Access.

Go to

Manage

Service Setup

Overview

Config Version Snapshots

to get started.

By default, security policy rules are always in effect (all dates and times). To limit a security rule to specific times, you can define schedules, and then apply them to the appropriate rules. For each schedule, you can specify a fixed date and time range or a recurring daily or weekly schedule. Add or edit a security rule to get started.

Prisma Access gives you simple, centralized management for your SaaS applications. For Microsoft 365 apps, Google apps, Dropbox, and YouTube you’ll find features that you can turn on in two steps or less to safely enable the applications for enterprise use, including:

We’ve re-imagined the help that’s built in to Prisma Access cloud management, so that the information you need is at your fingertips, at the exact moment you need it.

Bookmark the new Live Community page for Prisma Access cloud management. Find expert articles, share ideas, and ask questions.

Sometimes a configuration push can have unintended security implications or an unexpected impact on traffic. To recover from this, you can restore an earlier configuration version.

The new Overview page now includes walkthroughs you can follow when you’re setting up mobile users, remote networks, or service connections for the first time.

The walkthroughs take you through the basic, required steps to get your environment up and running. When you’re done, you’ll be ready to start testing your environment, and customizing it to fit your organization’s needs.

Security profile dashboards are updated to surface more data, including hit counts for profiles, rules, and overrides. Here’s what’s new for each profile type:

You can now see profile and override hit counts. For overrides, you can also see the timestamp for when the override was last used.

For each profile, you can see the verdicts for files or email links submitted to WildFire, and the malware the profile blocked.

See the number of DNS queries the profile blocked.

See the number of hits for each URL category.

See the percent of decrypted traffic that the file blocking profile is enforcing, and the number of files the profile blocked in the last seven days.

Autonomous Digital Experience Management (DEM) is now available!

Autonomous DEM is a service that provides native, end-to-end visibility and insights for all user traffic in your Secure Access Service Edge (SASE) environment.

We’ve updated the Prisma Access navigation, so that you can move more seamlessly between global and local configurations. You can even pin the pages you use most frequently, so that they’re right there when you need them.

Take a look:

So that you can enforce your security policy consistently, Prisma Access shares identity data that GlobalProtect discovers locally across your entire Prisma Access environment. We’ve enabled some identity data redistribution by default, and for what’s left, we’ve made the configuration to enable redistribution very simple (just select a checkbox). You can see and manage all identity redistribution from a single dashboard:

Go to

Manage

Configuration

Identity Services

Identity Redistribution

.

Best Practice Checks now extend to URL Access Management and Authentication.

Best practice security checks are built-in to Prisma Access. Use these inline checks to continually assess your configuration against Palo Alto Networks’ best practice recommendations. When you see an opportunity to improve your security posture, you can take action then and there.

Best practice security checks are now built-in to Prisma Access. Use these inline checks to continually assess your configuration against Palo Alto Networks’ best practice recommendations. When you see an opportunity to improve your security posture, you can take action then and there.

Security checks include NIST security controls and Center for Internet Security’s (CIS) Critical Security Controls (CSC).

If your organization’s existing network already uses explicit proxies and deploys PAC files on your client endpoints, you can smoothly migrate to Prisma Access to secure mobile users’ outbound internet traffic. You will still be able to secure mobile users with GlobalProtect. If you want to add an explicit proxy to an existing mobile users deployment, you can divide your mobile users license between the users you want to secure with GlobalProtect and the users you want to secure with an explicit proxy. Explicit proxy uses your existing Mobile User license. Whether you have a new deployment or if you upgrade, you can divide your mobile user license between GlobalProtect and Explicit Proxy connections.

While best practice security profiles have been built-in to Prisma Access from the start, you can now customize security profiles to meet the unique needs of your business.

Each profile has it’s own dashboard—from a profile dashboard, you can create and update profiles, centrally manage profile overrides, assess profile and override usage, and tap in to the latest Palo Alto Network’s threat data (including content releases, the Threat Vault, and PAN-DB) to check coverage and take action. Explore each profile type to see all the features available to you.

Here are some security profile highlights:

And here are the security profiles available to you:

Insights is now integrated with Prisma Access Cloud Management. Look for Insights on the left navigation bar.

With Insights, you can continuously monitor your Prisma Access environment. When an event or status requires your attention, Insights sends you alert notifications so you can quickly pinpoint issues that you can fix and so that you have visibility into the fixes the Prisma Access team is working on.

Threat logs (anti-spyware and vulnerability events) now include threat details to give you context and the detected event, and show you if there are threat overrides configured that might be impacting how the threat is enforced.

Here’s how it works:

You now have more than 60 new options to customize the GlobalProtect app so that it best suits the needs of your organization and your mobile users. Learn more about these GlobalProtect app features, that are newly-available for Prisma Access.

When you next log in, you’ll see that we’ve updated the cloud management interface navigation. We’ve consolidated all features so you can access them from a new navigation panel on the left side of the interface. And we’ve also made it so you can easily move from one Palo Alto Networks app to another, and back again.

These enhancements assist you when sharing public address space externally and internally with private apps:

To get started, enable or adjust the default BGP settings Prisma Access uses to route traffic to your service connection sites (headquarters or data centers). Go to

Service Connections

Service Connection Setup

Advanced Settings

BGP Routing

.

Centrally manage the certificates you use to secure communication across your network. In one place, set up your certificates, add certificate authorities (Prisma Access includes preloaded certificates for well-known CAs), add OCSP responders, and define certificate checks you want to require. The certificates and settings you set up here can be used throughout your Prisma Access deployment to secure features like decryption, your authentication portal, and the GlobalProtect app.

Together, dynamic user groups and auto-tags (along with dynamic address groups) give you a way to automate authentication, decryption, and security policy.

Based on activity (you define the log criteria to act on), users and IP addresses are automatically tagged and added to dynamic user groups. Any policy that references the dynamic user group automatically begins to enforce the user or IP address without requiring you to manually create and commit policy or group changes.

DUGs with auto-tags are particularly useful for auto-remediation—when Prisma Access detects anomalous user behavior or malicious activity, it can automatically enforce your remediation actions.

You allocate bandwidth at an aggregate level for a compute location. Each location has a corresponding compute location for which bandwidth is allocated, and all sites you onboard in a compute location share that allocated bandwidth.

For example, you want to onboard four branch offices using remote networks in the Singapore, Hong Kong, Thailand, and Vietnam locations. All these locations map to the Asia Southeast compute location. If you allocate 200 Mbps bandwidth to the Asia Southeast compute location, all four branch offices will share the 200 Mbps of bandwidth.

If one or more sites are not using a large amount of bandwidth, Prisma Access makes the remaining bandwidth available to other sites in that compute location.

Prisma Access introduces changes to licensing. The new licensing model allows you to implement and use the capabilities of Prisma Access aligned to your business needs in a way that delivers the fastest return on investment. Whether your applications are migrating to the cloud, your users are working from anywhere, or if you are looking to gain operational efficiencies, Prisma Access offers the relevant type of license for your deployment.

Choose from the following license editions:

ZTNA is available for Prisma Access for Mobile Users only; you can use all other editions with Mobile Users, Remote Networks, or both mobile users and remote networks.

All license editions are available for Local and Worldwide Prisma Access locations. When you purchase a license with Worldwide locations, you can deploy Prisma Access in all Prisma Access locations. When you purchase a license with Local locations, you can select up to 5 Prisma Access locations.

Protect your network resources and the applications you use to do business by verifying user identities, and granting access only to legitimate users. Prisma Access now includes support for more authentication services and features so you can do just that.

Here are the highlights:

If you are hosting an internet-facing application or service in your remote network location, you can use Prisma Access to front-end that application or service and provide secure inbound access from both internal and external users over the internet.

Directory Sync now provides Prisma Access with read-only access to Azure AD information, so that you can reference your Azure AD users and user groups in policy. Here’s how to get started.

Choose the Active Directory attribute Prisma Access uses to reference your users (for example, the User Principal Name or the SAM Account Name). You can set your attribute preferences so that if a directory does not use your primary attribute, Directory Sync collects an alternative attribute for Prisma Access to use based on your preferences.

To provide additional network resiliency using redundant instances of your customer premises equipment (CPE), Prisma Access allows you to add up to four IPSec tunnels for a single remote network. ECMP Load Balancing requires you to use BGP for dynamic routing, and is not supported with a static route or QoS setup. To get started with ECMP load balancing, you’ll need to specify a minimum bandwidth of 50 Mbps for the remote network site.

Prisma Access divides the bandwidth you select by the number of tunnels; for example, if you specify 300 Mbps and add four tunnels, each tunnel carries 75 Mbps. If one of the tunnels goes down, your network connection will now carry 225 Mbps instead of 300 Mbps.

Specify DNS servers to resolve both internal and public domains for specific remote network sites.

If you specify an internal DNS server to resolve internal DNS domains and then specify either a public server or Prisma Access’ default server to resolve external domains, Prisma Access proxies the requests from the remote network site. You can also specify an external DNS server that is closer to the egress points of your remote network sites than your internal DNS server, which can provide optimal connectivity for SaaS applications such as Microsoft Office 365.

To get started quickly, you can copy your mobile user DNS settings over to your remote networks setup:

To reduce the number of mobile user IP subnet advertisements over BGP to your customer premises equipment (CPE), Prisma Access can summarize the subnets before advertising them. This summarization can reduce the number of routes stored in CPE routing tables. For example, you can use Mobile User IP Pool Summarization with cloud VPN gateways (Virtual Private Gateways (VGWs) or Transit Gateways (TGWs)) thatcan accept a limited number of routes.

Onboard mobile users, remote network sites, and your HQ and data center sites to Prisma Access in just a few steps with a new, streamlined UI. Pre-defined network and infrastructure settings mean you can get started quickly, and come back later to customize your deployment.

For example, you can now onboard mobile users to a Prisma Access location in three steps:

A guided workflow steers you through Prisma Access license activation on the hub.

Help topics share the benefits a feature can provide to you, with quick steps to get started. Just click the help icon on the menu bar.

Continuously monitor the health and performance of your Prisma Access environment with the new Insights app. Visually scan and interact with a variety of Insights dashboards to get status on your mobile users, remote network sites, service connections to your HQ and data centers, and the Prisma Access cloud infrastructure.

When Insights detects an issue in your environment, the app generates an alert that gives you context and lets you know where to take action. Insights alerts also give you visibility into fixes that the Prisma Access team is addressing.

Customize how end users interact with the GlobalProtect app that’s installed on their endpoints and send traffic to Prisma Access. Options you can customize include:

Split tunneling conserves bandwidth by excluding traffic from Prisma Access that is not business critical or does not enable productivity. You can configure split tunnel traffic based on an access route, destination domain, application, and HTTP/HTTPS video streaming application.

With hot potato routing, Prisma Access hands off traffic as quickly as it can to your organization’s network. Use this routing method if you want your organization’s network to perform the majority of routing decisions.

The new Prisma Access dashboard gives you an immediate view in to the status and health of your deployment. When you log in to Prisma Access, use this global view to check that your remote networks and mobile users are connected to Prisma Access. If you see something unexpected, you can drill down in the map to identify the impacted remote network site, mobile user location, or service connection.

You can now export logs to a CSV, XML, or JSON formatted file.

After using the

Explore

tab to search for the log records that you want, export them to a CSV, XML, or JSON file, and then download the file to your local drive.

Certain Prisma Access network logs—Traffic, Threat, URL, File—now show you the other events logged during the same session.

Without leaving the context of the log you’re interested in, you can see the sequence of related events. Related logs are displayed chronologically, top to bottom—the log with the earliest timestamp is listed first.

Select a related log to investigate the details for that event. In cases where it’s available, log details might also include Directory Sync information associated with the source user.