Prisma Access Release and Infrastructure Updates

Learn about the different types of Prisma Access releases and updates that you need to stay up-to-date and secure your users. Some of the updates are managed by Palo Alto Networks, such as Prisma Access infrastructure updates and you will receive advance notification so you can plan around them. Other updates are your responsibility and you must schedule the specified version of the content update, software update, and plugin version (as required), at your earliest convenience.
You can retrieve the status of all cloud services, including Prisma Access and Cortex Data Lake, along with a historical record of the uptime of each service, by accessing the https://status.paloaltonetworks.com/ website. You can also sign up for email or text message updates at this site to be notified in advance when infrastructure updates are planned and real-time notifications when updates occur, and when Palo Alto Networks creates, updates, or resolves an incident.

Prisma Access Scheduled and Unscheduled Upgrades

Prisma Access has scheduled upgrades, including major (
x
.0 and 1.
x
) and minor (2.0.
x
) releases, that include new features and optimizations to deliver best-of-breed security for your remote networks and mobile users. Prisma Access might also need to occasionally make unscheduled upgrades for hotfixes and emergency bug fixes. The following sections define the releases, list the types of upgrades that Palo Alto Networks include for each release, and show you the advance notification and maintenance windows for each release type.

Release Definitions

The following list defines scheduled and unscheduled releases, along with the advance notification we provide you for each release. To make sure that you receive notifications for all releases, register for email or text notifications for Prisma Access at the https://status.paloaltonetworks.com/ website.
  • Scheduled Release
    —Prisma Access divides scheduled releases into major and minor releases.
    • Major Release
      —A major release typically includes significant new features and optimizations that require a maintenance window.
      Notification
      —Palo Alto Networks provides you with a notification 21 days before a major release, including a feature preview document that lists features that are available with the release and any changes to default behavior.
    • Minor Release
      —A minor release includes incremental features and optimizations. In some cases, Palo Alto Networks may combine a hotfix with a minor release.
      Notification
      —Palo Alto Networks provides you with a notification 10 days before a scheduled minor release upgrade, including a feature preview document that lists the new features that are available with the release.
  • Unscheduled Release
    —Unscheduled Prisma Access upgrades include hotfixes or emergency bug fixes (for example, fixes for zero-day threats or plugin changes).
    Notification
    —Palo Alto Networks will make every effort to give you 48 hours’ notice before an unscheduled upgrade. On occasion, you may receive a shorter notice for an unscheduled upgrade.

Upgrade Types

Palo Alto Networks upgrades its cloud-based infrastructure without any intervention required from you. Some upgrades require that you perform an action, such as install a new plugin.
The following list includes the different types of scheduled and unscheduled upgrades for Prisma Access:
  • Infrastructure Upgrade
    —Palo Alto Networks upgrades the Prisma Access infrastructure, which includes the underlying service backend, orchestration, and monitoring infrastructure.
  • Dataplane Upgrade
    —Palo Alto Networks upgrades the Prisma Access dataplane that enables traffic inspection and security policy enforcement on your network and user traffic.
  • Cloud Services Plugin Upgrade
    —Your network administrator will need to upgrade the Cloud Services plugin on the Panorama appliance that manages Prisma Access.
  • Panorama Software Upgrade
    —A Prisma Access and Panorama Version Compatibility might be required to ensure compatibility with Prisma Access.
The following table shows you what is included with each release, including the maintenance window we provide and any impact to your Prisma Access service.
Upgrade Type
Scheduled Upgrades
Unscheduled Upgrades
Major
Minor
Infrastructure Upgrade
Maintenance Window
2-8 hours (always required)
2-8 hours (always required)
2-8 hours (if required)
Impact
: No impact to network traffic; however you cannot perform commits during the maintenance window.
Palo Alto Networks schedules the upgrades at a local time that is minimally disruptive to business functions.
Dataplane Upgrade
Maintenance Window
72 hours
(always required)
 —
(not required)
72 hours
(if required)
Impact
: Palo Alto Networks uses this window to upgrade the dataplane for all customers. You can make configuration changes and commits during this window. Our goal is to minimize impact to network traffic, but in some cases there may be a brief interruption.
Palo Alto Networks schedules the upgrades at a local time that is minimally disruptive to business functions.
Cloud Services Plugin Upgrade
Maintenance Window
(always required)
(if required)
(if required)
Impact
: Palo Alto Networks notifies you in advance if an upgrade to the Cloud Services plugin is required, and when the plugin will be available, using the notification schedule as defined in Release Definitions. During the plugin upgrade, you cannot make configuration changes and commits in Panorama.
After Palo Alto Networks provides you with the advance notification, you must plan to schedule a maintenance window to upgrade the plugin and complete the plugin upgrade within five days of its availability.
You cannot use the previous version of the plugin to perform changes to configuration and commits in Panorama after the three-day upgrade window.

Prisma Access and Panorama Version Compatibility

When Prisma Access upgrades its infrastructure and dataplane after a major release, the upgrades can be incompatible with earlier Panorama versions. Because of the fast-paced release of Prisma Access and the Cloud Services plugin, the software compatibility (end-of-support) dates for Panorama are shorter than the software end-of-life dates for Panorama releases and apply to Panorama version compatibility with Prisma Access only.
If the Panorama appliance that manages Prisma Access is running a software version that is incompatible (not supported) with the upgrades, you must upgrade Panorama to a compatible version to take full advantage of the capabilities of the infrastructure and dataplane upgrades. It is Palo Alto Networks’ goal to make this process as seamless as possible; for this reason, we make every effort to provide you with adequate notice of Panorama and Prisma Access version compatibility requirements.
Use the dates in the following table to learn when the software version of the Panorama that manages Prisma Access is no longer compatible with Prisma Access. Before the end-of-support date, you should plan to perform an upgrade to a supported Panorama version.
To find the latest EoS compatibility information for your Panorama with Prisma Access, log in to the Panorama appliance that manages Prisma Access, select the Service Setup page (
Panorama
Cloud Services
Configuration
Service Setup
), and view the information in the
Panorama Alert
section. See Notifications and Alerts for Panorama, Cloud Services Plugin, and PAN-OS Dataplane Versions for details.
Panorama Software Version
End-of-Support Dates for Prisma Access Deployments
9.1
February 1, 2022
Before this date, you must upgrade your Panorama to a version that is later than 9.1.x. Palo Alto Networks will update this document with more specific upgrade guidelines as newer Panorama software releases become generally available.
For more information about Prisma Access and Panorama software version compatibility, see Prisma Access and Panorama Version Compatibility in the Palo Alto Networks Compatibility Matrix.
The Panorama upgrade is required, regardless of the Cloud Services plugin version you are running at the end-of-support date. You cannot continue using an earlier version of the Cloud Services plugin with an earlier, unsupported Panorama version.

Schedule Your Prisma Access Dataplane Upgrade Using the Prisma Access App

Prisma Access now provides you the flexibility to schedule the dataplane upgrade for your Prisma Access tenant, when upgrades become available. To stay informed about the dataplane upgrade schedule and to select your preference, you must use the Prisma Access app to subscribe to Prisma Access notifications.
To sign up for email alert notifications through the Prisma Access app and indicate your upgrade preferences, complete the following steps.
  1. Log into the Hub.
  2. Click the
    Prisma Access
    app.
  3. Select
    Insights
    to expand the choices; then, select
    Alerts
    Alert Subscription
    and enter the email address to receive notifications from the Prisma Access app.
    The email accounts to which Prisma Access sends alerts must be the same email accounts associated with users in your Palo Alto Networks support account.
  4. Add Users
    .
  5. Enter the email addresses of the users to whom you want to send notifications.
    To add multiple users, separate each user with a comma.
  6. In a multi-tenant deployment,
    Select Sub-Tenants
    for which you want users to receive notifications or select
    All Sub-Tenants
    if you want them to receive notifications from all sub-tenants.
  7. Add
    the users.
  8. Check your notifications.
    Prisma Access sends an upgrade notification 21 days before your dataplane upgrade is scheduled.
    • Log in to the Prisma Access app and view the banner for your scheduled upgrade.
    • Check your email for notifications for your scheduled upgrade.
  9. After you receive notification that the upgrade is available, select your upgrade preferences.
    1. Select the Prisma Access locations you would like to upgrade first.
    2. Select a preferred time window, from the list of available options, for the upgrade.
      Choose from the following upgrade time windows. The time windows are local to the location or locations being upgraded and are all four hour windows:
      • Friday 8:00 p.m. to Saturday 12:00 a.m. (midnight)
      • Saturday 12:00 a.m. (midnight) to 4:00 a.m.
      • Saturday 4:00 a.m. to 8:00 a.m.
      • Saturday 8:00 a.m. to 12:00 p.m. (noon)
      • Saturday 12:00 p.m. (noon) to 4:00 p.m.
      Palo Alto Networks uses your preference to begin the rollout at the selected Prisma Access locations. Prisma Access Insights provides you with notifications that inform you of the progress of the upgrade and when it is complete.
      After the first set of Prisma Access locations is upgraded successfully, the Prisma Access team monitors these locations for seven days, and then upgrades all remaining Prisma Access locations.
      The remaining Prisma Access locations, if any, are upgraded seven days later on the same day and the same time window you selected for the initial set of locations. This upgrade process includes all the remaining locations in your deployment.
      If you do not provide your upgrade preferences three days before the scheduled upgrade window, Palo Alto Networks will automatically select the first set of your deployed Prisma Access locations, notify you of the selection, and upgrade the selected locations on the scheduled date. The remaining Prisma Access locations, if any, in your deployment will be upgraded seven days after the selected time window.

Cadence for Software and Content Updates for Prisma Access

The following table informs you of the software and content updates that you must install to get the latest applications and threat signatures and leverage the threat prevention capabilities provided by Palo Alto Networks.
Component
Update Schedule
Cloud Controlled? (Yes/No)
Comments
Upgrades to Panorama software for compatibility with Prisma Access
For major Prisma Access releases, you might need to upgrade your Panorama version for the following use cases:
  • Required Upgrade
    —On occasion, you will be required to upgrade the software version on Panorama Prisma Access and Panorama Version Compatibility with Prisma Access.
    • Maintenance Window
      —Your organization will need to schedule a maintenance window to upgrade the Panorama software version.
    • Impact
      —You cannot use the new plugin version until you upgrade your Panorama version.
    • Notification
      —Palo Alto Networks will provide you with a notification 100 days before the scheduled major release upgrade.
  • Optional Upgrade
    —In other cases, you might need to upgrade the Panorama software version to use the new features that Prisma Access supports in the major release.
    • Maintenance Window
      —Your organization will need to schedule a maintenance window to upgrade the Panorama software version.
    • Impact
      —You cannot use the new features that Prisma Access supports until you upgrade your Panorama.
    • Notification
      —Palo Alto Networks will notify you of any Panorama requirements 21 days before a scheduled major release upgrade as defined in Release Definitions.
No
See Prisma Access and Panorama Version Compatibility to learn when a Panorama version becomes incompatible with Prisma Access. See Upgrade the Cloud Services Plugin for the currently supported Panorama versions to use with Prisma Access. To upgrade your Panorama to a new version, see Install Content and Software Updates for Panorama.
Cloud Services plugin version
Available after the plugin release.
No
You perform the tasks to upgrade the plugin. See Prisma Access Scheduled and Unscheduled Upgrades for details about when Prisma Access updates its plugin version. See Upgrade the Cloud Services Plugin to upgrade the plugin in the Panorama appliance.
GlobalProtect app
  • Major GlobalProtect App Releases (for example,
    x
    .0 or 5.
    x
    )—
    Prisma Access updates the agent on the portal with the latest major release 7-10 days after the general availability of the
    x
    .0.1 version of that release.
    For example, given an agent release of 5.1, Prisma Access updates the agent on the portal 7-10 days after the release of 5.1.1.
  • Minor GlobalProtect App Releases (for example, 5.1.
    x
    )—
    Prisma Access updates the agent on the portal with the latest minor release 7-10 days after the general availability of that release.
Yes
The cloud controls the versions of the app that is available for upgrade; however you can choose between several different hosted versions of the app and can control how and when to roll out GlobalProtect app updates to the end users. See Manage Upgrade Options for the GlobalProtect App for details.
If your Prisma Access deployment requires a hotfix of the GlobalProtect app, open a Support Case with Palo Alto Networks Technical Support for assistance.
Daily with a threshold of 24 hours.
We release New App-IDs on the third Tuesday of every month. Plan to review and incorporate these new App-IDs within the 24 hour threshold. Use the New App-ID filter to minimize this possible traffic impact.
Yes
We will provide an update via the status.paloaltonetworks.com page 48 hours prior to a cloud upgrade, and 24 hours prior to release of new App-ID version.
Every hour, 10 minutes after the hour
Yes
Prisma Access is always up-to-date with the latest Antivirus release.
Every 5 minutes
Yes
Prisma Access is always up-to-date with the latest WildFire release.
Every hour
Yes
Prisma Access is always up-to-date with the latest GlobalProtect data file release.
Clientless VPN application signatures
Every hour
Yes
Prisma Access is always up-to-date with the latest Clientless VPN application signature release.

Recommended For You