New Features

See what’s new in Prisma Access Cloud Management.
Here’s what’s new in Prisma Access Cloud Management:
With Prisma Access Cloud Management, you’re using the Prisma Access app on the hub to manage and interact with your Prisma Access environment. If you’re using Panorama to manage Prisma Access, review the Panorama Managed Prisma Access release notes instead.

April 2021

New Features in April 2021
Guided Onboarding
The new Overview page now includes walkthroughs you can follow when you’re setting up mobile users, remote networks, or service connections for the first time.
The walkthroughs take you through the basic, required steps to get your environment up and running. When you’re done, you’ll be ready to start testing your environment, and customizing it to fit your organization’s needs.
You’ll only see the option to
Launch Walkthroughs
for deployments with no existing configuration. After first-time setup, the onboarding task shows on the Overview page as complete.
Security Profile Hit Counts
Security profile dashboards are updated to surface more data, including hit counts for profiles, rules, and overrides. Here’s what’s new for each profile type:
Anti-Spyware and Vulnerability
You can now see profile and override hit counts. For overrides, you can also see the timestamp for when the override was last used.
WildFire and Antivirus
For each profile, you can see the verdicts for files or email links submitted to WildFire, and the malware the profile blocked.
DNS Security
See the number of DNS queries the profile blocked.
URL Access Management
See the number of hits for each URL category.
File Blocking
See the percent of decrypted traffic that the file blocking profile is enforcing, and the number of files the profile blocked in the last seven days.
Autonomous DEM for Mobile Users (GlobalProtect)
Autonomous Digital Experience Management (DEM) is now available!
Autonomous DEM is a service that provides native, end-to-end visibility and insights for all user traffic in your Secure Access Service Edge (SASE) environment.
Navigation Updates
We’ve updated the Prisma Access navigation, so that you can move more seamlessly between global and local configurations. You can even pin the pages you use most frequently, so that they’re right there when you need them.
Take a look:
Getting Started Homepage
page is your new Prisma Access homepage. Come here if you’re new to Prisma Access or when you first log in to see:
  • At-a-glance status
    for your Prisma Access environment:
    • Verify license and status details
    • Get configuration status and drill down on an issue to find it's source
  • A checklist that shows you your
    onboarding progress
    , and gives you next steps.
  • Your overall
    best practice scores
    show you were you can take action to align with best practices.
Identity Redistribution
So that you can enforce your security policy consistently, Prisma Access shares identity data that GlobalProtect discovers locally across your entire Prisma Access environment. We’ve enabled some identity data redistribution by default, and for what’s left, we’ve made the configuration to enable redistribution very simple (just select a checkbox). You can see and manage all identity redistribution from a single dashboard:
Go to
Identity Services
Identity Redistribution
(URL Access Management and Authentication)
Best Practice Checks now extend to URL Access Management and Authentication.
Best practice security checks are built-in to Prisma Access. Use these inline checks to continually assess your configuration against Palo Alto Networks’ best practice recommendations. When you see an opportunity to improve your security posture, you can take action then and there.
Cortex Data Lake Regional Support
You can now send Prisma Access Cloud Management logs to Cortex Data Lake instances in any region.
The only Cortex Data Lake region that is not yet supported is Australia.

February 2021

New Features in February 2021
Keep a pulse on your network with Prisma Access reports. Use report data to inform policy updates and zero in on ways you can strengthen network security and keep users productive.
You can download reports, share them within your organization, and schedule regular report updates. The reports available to you are:
  • The
    App Report
    shows you the applications in use on your network and associated security risks.
  • The
    User Activity Report
    gives you a view into a specific user’s web traffic.
  • The
    Usage Report
    helps you to evaluate your Prisma Access usage—how does what you’re licensed for compare to what you’re using?—and get a high-level view into the health and performance of your environment.
Go to the Reports homepage in Prisma Access Cloud Management to start exploring.
(Security Policy and Decryption)
Best practice security checks are now built-in to Prisma Access. Use these inline checks to continually assess your configuration against Palo Alto Networks’ best practice recommendations. When you see an opportunity to improve your security posture, you can take action then and there.
Security checks include NIST security controls and Center for Internet Security’s (CIS) Critical Security Controls (CSC).
Prisma Access 2.0 Innovation Features
By default, Prisma Access Cloud Managed is now running the Prisma Access 2.0 Preferred release. The features here are available only with the Prisma Access 2.0 Innovation release. If you’d like to upgrade your environment to Prisma Access 2.0 Innovation, contact your account team.
Explicit Proxy
If your organization’s existing network already uses explicit proxies and deploys PAC files on your client endpoints, you can smoothly migrate to Prisma Access to secure mobile users’ outbound internet traffic. You will still be able to secure mobile users with GlobalProtect. If you want to add an explicit proxy to an existing mobile users deployment, you can divide your mobile users license between the users you want to secure with GlobalProtect and the users you want to secure with an explicit proxy. Explicit proxy uses your existing Mobile User license. Whether you have a new deployment or if you upgrade, you can divide your mobile user license between GlobalProtect and Explicit Proxy connections.
Remote Networks Allocated Bandwidth, for Existing Deployments
In December, we introduced Remote Network Bandwidth Allocation, Based on Prisma Access Location. This feature is now available to existing remote network setups. If you want to start allocating bandwidth based on Prisma Access locations instead of for each site, you can. The benefit is that, bandwidth can be used across sites where it’s needed, instead of dedicated to a single side even when its not being used.
Support for Predefined URLs and URLS in EDLs in Traffic Steering
You can now target internet-bound traffic that you want to forward through a service connections site based on:
  • Predefined URL categories
  • URLs in External Dynamic Lists (EDLs)
Support for No Export BGP Community
To allow you to control how BGP advertises subnets, Prisma Access support the well-known BGP community no-export.
Licensing Page Updates
The Prisma Access Licenses page now also shows any Add-Ons that you’ve added to your Prisma Access subscription.
Customization and Dashboards for Security Profiles
The WildFire and Antivirus dashboard is now available.
Earlier this month we added dashboards for all security profiles, with one exception; as of February 25th, the remaining dashboard for WildFire and Antivirus is now also available.
While best practice security profiles have been built-in to Prisma Access from the start, you can now customize security profiles to meet the unique needs of your business.
Each profile has it’s own dashboard—from a profile dashboard, you can create and update profiles, centrally manage profile overrides, assess profile and override usage, and tap in to the latest Palo Alto Network’s threat data (including content releases, the Threat Vault, and PAN-DB) to check coverage and take action. Explore each profile type to see all the features available to you.
Here are some security profile highlights:
And here are the security profiles available to you:
  • Anti-Spyware
    —Detect and stop command and control (C2) activity.
  • Vulnerability
    —Stop attacker attempts to exploit system flaws and gain unauthorized access to your network
  • DNS Security
    —Automatically secure your DNS traffic and get coverage for DNS-based attacks.
  • URL Access Control
    —Control user access to and interaction with web content, and enforce safe search.
  • HTTP Header Insertion
    —formerly included with URL Filtering, this profile gives you a way to manage SaaS application access based on HTTP headers.
  • File Blocking
    —Monitor or block specific file types.
  • WildFire and Antivirus
    Detect viruses and malware found in executables and file types.
Insights is now integrated with Prisma Access Cloud Management. Look for Insights on the left navigation bar.
With Insights, you can continuously monitor your Prisma Access environment. When an event or status requires your attention, Insights sends you alert notifications so you can quickly pinpoint issues that you can fix and so that you have visibility into the fixes the Prisma Access team is working on.
Log Details for Threats and Overrides
Threat logs (anti-spyware and vulnerability events) now include threat details to give you context and the detected event, and show you if there are threat overrides configured that might be impacting how the threat is enforced.
Peer Analysis for Features You Aren’t Yet Using
To help you understand the protection capabilities of features for which you don’t have an active license, you now have visibility into how your industry peers are benefiting from the feature capabilities. This will give you an idea of how the feature might be able to benefit you.
You’ll see a dashboard like this when you try to access a feature for which you don’t yet have a license:

December 2020

New Features in December 2020
To help you to quickly resolve mobile user connection, performance, and access issues, the GlobalProtect app can send troubleshooting and diagnostic logs to Cortex Data Lake for further analysis. When end users report an issue in the app, the app sends an easy to read, comprehensive report to Cortex Data Lake; use the report to quickly identify the root cause of the end user issue.
Here’s how it works:
  1. Turn on
    Log Collection for Troubleshooting
    for the GlobalProtect app:
  2. Your users can now
    Report an Issue
    if they experience unusual performance or can’t connect.
  3. The GlobalProtect app sends diagnostic and troubleshooting information to Cortex Data Lake.
  4. You can access the logs and reports in the Explore app on the hub.
More Ways to Customize the GlobalProtect App
You now have more than 60 new options to customize the GlobalProtect app so that it best suits the needs of your organization and your mobile users. Learn more about these GlobalProtect app features, that are newly-available for Prisma Access.
Simplified Navigation in App and Between Apps
When you next log in, you’ll see that we’ve updated the cloud management interface navigation. We’ve consolidated all features so you can access them from a new navigation panel on the left side of the interface. And we’ve also made it so you can easily move from one Palo Alto Networks app to another, and back again.
IKE Peer Host Routes for Remote Networks and Service Connections
These enhancements assist you when sharing public address space externally and internally with private apps:
  • Enable automatic IKE peer host routes for Remote Networks and Service Connections
    —This option allows Prisma Access to automatically add a host-specific static route to the static IKE gateway peer for the IPSec tunnel on the Remote Network security processing node (SPN) and Service Connection corporate access node (CAN).
  • Specify Outbound Routes
    —This enhancement allows you to add up to 10 prefixes for which static routes are added on all SPNs and CANs, and Prisma Access routes traffic to these prefixes over the internet.
To get started, enable or adjust the default BGP settings Prisma Access uses to route traffic to your service connection sites (headquarters or data centers). Go to
Service Connections
Service Connection Setup
Advanced Settings
BGP Routing
Centrally manage the certificates you use to secure communication across your network. In one place, set up your certificates, add certificate authorities (Prisma Access includes preloaded certificates for well-known CAs), add OCSP responders, and define certificate checks you want to require. The certificates and settings you set up here can be used throughout your Prisma Access deployment to secure features like decryption, your authentication portal, and the GlobalProtect app.
Dynamic User Groups (DUGs)
Together, dynamic user groups and auto-tags (along with dynamic address groups) give you a way to automate authentication, decryption, and security policy.
Based on activity (you define the log criteria to act on), users and IP addresses are automatically tagged and added to dynamic user groups. Any policy that references the dynamic user group automatically begins to enforce the user or IP address without requiring you to manually create and commit policy or group changes.
DUGs with auto-tags are particularly useful for auto-remediation—when Prisma Access detects anomalous user behavior or malicious activity, it can automatically enforce your remediation actions.
You allocate bandwidth at an aggregate level for a compute location. Each location has a corresponding compute location for which bandwidth is allocated, and all sites you onboard in a compute location share that allocated bandwidth.
For example, you want to onboard four branch offices using remote networks in the Singapore, Hong Kong, Thailand, and Vietnam locations. All these locations map to the Asia Southeast compute location. If you allocate 200 Mbps bandwidth to the Asia Southeast compute location, all four branch offices will share the 200 Mbps of bandwidth.
If one or more sites are not using a large amount of bandwidth, Prisma Access makes the remaining bandwidth available to other sites in that compute location.
If you have already onboarded remote networks, your deployment is unchanged and you will still assign bandwidth per site (location) or per remote network connection.
The ability to forward internet-directed traffic through service connections for remote network and mobile user deployments is enhanced and has a new name—Traffic Steering.Traffic steering expands the scope of directing internet-bound traffic through service connections. In addition to specifying FQDNs, IP addresses, and URLs and forwarding only HTTP and HTTPS internet-bound traffic through service connections, you can send all traffic or a subset of the traffic based on the following additional criteria:
  • URL category
  • Service type (HTTP, HTTPS, or Any)
  • User
  • External Dynamic Lists (EDLs)
  • Dynamic Address Groups (DAGs)
You can then configure Prisma Access to split internet-bound remote network or mobile user traffic into multiple service connections based on the criteria you specified.Traffic steering is supported for mobile user and remote network deployments.

November 2020

New Features in November 2020
Prisma Access introduces changes to licensing. The new licensing model allows you to implement and use the capabilities of Prisma Access aligned to your business needs in a way that delivers the fastest return on investment. Whether your applications are migrating to the cloud, your users are working from anywhere, or if you are looking to gain operational efficiencies, Prisma Access offers the relevant type of license for your deployment.
There are no changes to licensing for existing Prisma Access deployments.
Choose from the following license editions:
  • Business
  • Business Premium
  • Zero Trust Network Access (ZTNA)
  • Enterprise
ZTNA is available for Prisma Access for Mobile Users only; you can use all other editions with Mobile Users, Remote Networks, or both mobile users and remote networks.
All license editions are available for Local and Worldwide Prisma Access locations. When you purchase a license with Worldwide locations, you can deploy Prisma Access in all Prisma Access locations. When you purchase a license with Local locations, you can select up to 5 Prisma Access locations.
Protect your network resources and the applications you use to do business by verifying user identities, and granting access only to legitimate users. Prisma Access now includes support for more authentication services and features so you can do just that.
Here are the highlights:
  • Support for TACACS+, RADIUS, LDAP, Kerberos, and MFA (SAML and local database authentication are already supported)
  • Built-in MFA vendors to choose from
  • IP address to username mapping, which is especially useful for remote networks — always know who at a remote network site is accessing business resources and sensitive data
  • If you’re using different types of authentication, you can specify the sequence in which you want Prisma Access to try each type
  • Streamlined authentication setup—everything you need to get started is in one place:
Secure Access for Internet-Facing Applications
If you are hosting an internet-facing application or service in your remote network location, you can use Prisma Access to front-end that application or service and provide secure inbound access from both internal and external users over the internet.
Application Tags to Safely Enable Applications with Common Attributes
Application tags help you to safely enable a broad set of applications that share common attributes. For example, you can enable broad access for your users to web-based applications using the
Web App
tag in an application filter, or safely enable all enterprise VoIP applications using the
Enterprise VoIP
tag. Palo Alto Networks researches new and updated applications, groups those with common attributes, and delivers new and updated tags in content releases.
You can also apply your own tags and create application filters based on those tags to address your own application security requirements.

October 2020

New Features in September 2020
Watch the video on getting started with Directory Sync.
Azure Active Directory (AD) Support
Directory Sync now provides Prisma Access with read-only access to Azure AD information, so that you can reference your Azure AD users and user groups in policy. Here’s how to get started.
User Attribute Preferences
Choose the Active Directory attribute Prisma Access uses to reference your users (for example, the User Principal Name or the SAM Account Name). You can set your attribute preferences so that if a directory does not use your primary attribute, Directory Sync collects an alternative attribute for Prisma Access to use based on your preferences.
ECMP Load Balancing for Remote Networks
To provide additional network resiliency using redundant instances of your customer premises equipment (CPE), Prisma Access allows you to add up to four IPSec tunnels for a single remote network. ECMP Load Balancing requires you to use BGP for dynamic routing, and is not supported with a static route or QoS setup. To get started with ECMP load balancing, you’ll need to specify a minimum bandwidth of 50 Mbps for the remote network site.
Prisma Access divides the bandwidth you select by the number of tunnels; for example, if you specify 300 Mbps and add four tunnels, each tunnel carries 75 Mbps. If one of the tunnels goes down, your network connection will now carry 225 Mbps instead of 300 Mbps.
DNS Proxy for Remote Networks
Specify DNS servers to resolve both internal and public domains for specific remote network sites.
If you specify an internal DNS server to resolve internal DNS domains and then specify either a public server or Prisma Access’ default server to resolve external domains, Prisma Access proxies the requests from the remote network site. You can also specify an external DNS server that is closer to the egress points of your remote network sites than your internal DNS server, which can provide optimal connectivity for SaaS applications such as Microsoft Office 365.
To get started quickly, you can copy your mobile user DNS settings over to your remote networks setup:
Mobile User IP Pool Summarization
To reduce the number of mobile user IP subnet advertisements over BGP to your customer premises equipment (CPE), Prisma Access can summarize the subnets before advertising them. This summarization can reduce the number of routes stored in CPE routing tables. For example, you can use Mobile User IP Pool Summarization with cloud VPN gateways (Virtual Private Gateways (VGWs) or Transit Gateways (TGWs)) thatcan accept a limited number of routes.
Support for WINS-Based Applications
To support the use of Windows Internet Name Service (WINS)-based applications, Prisma Access enables you to use WINS to resolve NetBIOS name-to-IP address mapping. You can specify primary and secondary WINS servers for WINS support, either for a Prisma Access region or worldwide.Prisma Access pushes WINS configuration to mobile users with the GlobalProtect app.

August 2020

This release is all about simple setup—the Prisma Access team has reimagined Cloud Managed Prisma Access to get you up and running quickly. Here are the features that make getting started easy.
We’ve also added features that give you more visibility into and control of your Prisma Access environment.
New Features in August 2020
Easy Onboarding
Onboard mobile users, remote network sites, and your HQ and data center sites to Prisma Access in just a few steps with a new, streamlined UI. Pre-defined network and infrastructure settings mean you can get started quickly, and come back later to customize your deployment.
For example, you can now onboard mobile users to a Prisma Access location in three steps:
  1. Add your portal hostname
  2. Choose Prisma Access locations
  3. Set up user authentication (test your setup with local users)
Speedy Activation
A guided workflow steers you through Prisma Access license activation on the hub.
Context-Sensitive Help with Tips to Get Started
Help topics share the benefits a feature can provide to you, with quick steps to get started. Just click the help icon on the menu bar.
Prisma Access Insights
Continuously monitor the health and performance of your Prisma Access environment with the new Insights app. Visually scan and interact with a variety of Insights dashboards to get status on your mobile users, remote network sites, service connections to your HQ and data centers, and the Prisma Access cloud infrastructure.
When Insights detects an issue in your environment, the app generates an alert that gives you context and lets you know where to take action. Insights alerts also give you visibility into fixes that the Prisma Access team is addressing.
GlobalProtect App Customization
Customize how end users interact with the GlobalProtect app that’s installed on their endpoints and send traffic to Prisma Access. Options you can customize include:
  • The method the GlobalProtect app uses to connect to Prisma Access.
  • The GlobalProtect app settings that are available to the user to adjust (for example, disable or upgrade the GlobalProtect app).
  • The host information profile (HIP) data the app collects—you can base policy enforcement on the data the app collects.
GlobalProtect App Split Tunneling
Split tunneling conserves bandwidth by excluding traffic from Prisma Access that is not business critical or does not enable productivity. You can configure split tunnel traffic based on an access route, destination domain, application, and HTTP/HTTPS video streaming application.
Hot Potato Routing
With hot potato routing, Prisma Access hands off traffic as quickly as it can to your organization’s network. Use this routing method if you want your organization’s network to perform the majority of routing decisions.
Traffic Forwarding for Third-Party Security
Instead of sending internet traffic from mobile users and remote networks directly to the internet, you can forward traffic through a service connection to a third-party security stack for further processing before being sent to the internet.

Features Added Before August 2020

Features Introduced Before August 2020
New Dashboard
The new Prisma Access dashboard gives you an immediate view in to the status and health of your deployment. When you log in to Prisma Access, use this global view to check that your remote networks and mobile users are connected to Prisma Access. If you see something unexpected, you can drill down in the map to identify the impacted remote network site, mobile user location, or service connection.
Log Export
You can now export logs to a CSV, XML, or JSON formatted file.
After using the
tab to search for the log records that you want, export them to a CSV, XML, or JSON file, and then download the file to your local drive.
Related Log Events
Certain Prisma Access network logs—Traffic, Threat, URL, File—now show you the other events logged during the same session.
Without leaving the context of the log you’re interested in, you can see the sequence of related events. Related logs are displayed chronologically, top to bottom—the log with the earliest timestamp is listed first.
Select a related log to investigate the details for that event. In cases where it’s available, log details might also include Directory Sync information associated with the source user.
Directory Sync Support
Directory Sync gives Prisma Access read-only access to your Active Directory information, so that you can easily set up and manage security and decryption policies for users and groups. You can add Directory Sync to Prisma Access as part of the initial Prisma Access activation workflow, or for an active Prisma Access instance, you can do this on the hub.

Recommended For You