Prisma Access Release and Infrastructure Updates

Learn about the different types of Prisma Access releases and updates that you need to stay up-to-date and secure your users. Some of the updates are managed by Palo Alto Networks, such as Prisma Access infrastructure updates and you will receive advance notification so you can plan around them. Other updates are your responsibility and you must schedule the specified version of the content update, software update, and plugin version (as required), at your earliest convenience.
You can retrieve the status of all cloud services, including Prisma Access and Cortex Data Lake, along with a historical record of the uptime of each service, by accessing the https://status.paloaltonetworks.com/ website. You can also sign up for email or text message updates at this site to be notified in advance when infrastructure updates are planned and real-time notifications when updates occur, and when Palo Alto Networks creates, updates, or resolves an incident.

Prisma Access Scheduled and Unscheduled Upgrades

Prisma Access has scheduled upgrades, including major (
x
.0 and 1.
x
) and minor (1.7.
x
) releases, that include new features and optimizations to deliver best-of-breed security for your remote networks and mobile users. Prisma Access might also need to occasionally make unscheduled upgrades for hotfixes and emergency bug fixes. The following sections define the releases, list the types of upgrades that Palo Alto Networks include for each release, and show you the advance notification and maintenance windows for each release type.

Release Definitions

The following list defines scheduled and unscheduled releases, along with the advance notification we provide you for each release. To make sure that you receive notifications for all releases, register for email or text notifications for Prisma Access at the https://status.paloaltonetworks.com/ website.
  • Scheduled Release
    —Prisma Access divides scheduled releases into major and minor releases.
    • Major Release
      —A major release typically includes significant new features and optimizations that require a maintenance window.
      Notification
      —Palo Alto Networks provides you with a notification 21 days before a major release, including a feature preview document that lists features that are available with the release and any changes to default behavior.
    • Minor Release
      —A minor release includes incremental features and optimizations. In some cases, Palo Alto Networks may combine a hotfix with a minor release.
      Notification
      —Palo Alto Networks provides you with a notification 10 days before a scheduled minor release upgrade, including a feature preview document that lists the new features that are available with the release.
  • Unscheduled Release
    —Unscheduled Prisma Access upgrades include hotfixes or emergency bug fixes (for example, fixes for zero-day threats or plugin changes).
    Notification
    —Palo Alto Networks will make every effort to give you 48 hours’ notice before an unscheduled upgrade. On occasion, you may receive a shorter notice for an unscheduled upgrade.

Upgrade Types

Palo Alto Networks upgrades its cloud-based infrastructure without any intervention required from you. Some upgrades require that you perform an action, such as install a new plugin.
The following list includes the different types of scheduled and unscheduled upgrades for Prisma Access:
  • Infrastructure Upgrade
    —Palo Alto Networks upgrades the Prisma Access infrastructure, which includes the underlying service backend, orchestration, and monitoring infrastructure.
  • Dataplane Upgrade
    —Palo Alto Networks upgrades the Prisma Access dataplane that enables traffic inspection and security policy enforcement on your network and user traffic.
  • Cloud Services Plugin Upgrade
    —Your network administrator will need to upgrade the Cloud Services plugin on the Panorama appliance that manages Prisma Access.
  • Panorama Software Upgrade
    —A Prisma Access and Panorama Version Compatibility might be required to ensure compatibility with Prisma Access.
The following table shows you what is included with each release, including the maintenance window we provide and any impact to your Prisma Access service.
Upgrade Type
Scheduled Upgrades
Unscheduled Upgrades
Major
Minor
Infrastructure Upgrade
Maintenance Window
2-8 hours (always required)
2-8 hours (always required)
2-8 hours (if required)
Impact
No impact to network traffic; however you cannot perform commits during the maintenance window.
Palo Alto Networks schedules the upgrades at a local time that is minimally disruptive to business functions.
Dataplane Upgrade
Maintenance Window
72 hours
(always required)
 —
(not required)
72 hours
(if required)
Impact
Palo Alto Networks uses this window to upgrade the dataplane for all customers. You can make configuration changes and commits during this window. Our goal is to minimize impact to network traffic, but in some cases there may be a brief interruption.
Palo Alto Networks schedules the upgrades at a local time that is minimally disruptive to business functions.
Cloud Services Plugin Upgrade
Maintenance Window
(always required)
(if required)
(if required)
Impact
Palo Alto Networks notifies you in advance if an upgrade to the Cloud Services plugin is required, and when the plugin will be available, using the notification schedule as defined in Release Definitions. During the plugin upgrade, you cannot make configuration changes and commits in Panorama.
After Palo Alto Networks provides you with the advance notification, you must plan to schedule a maintenance window to upgrade the plugin and complete the plugin upgrade within five days of its availability.
You cannot use the previous version of the plugin to perform changes to configuration and commits in Panorama after the three-day upgrade window.

Prisma Access and Panorama Version Compatibility

When Prisma Access upgrades its infrastructure and dataplane after a major release, the upgrades can be incompatible with earlier Panorama versions. Because of the fast-paced release of Prisma Access and the Cloud Services plugin, the software compatibility (end-of-support) dates for Panorama are shorter than the software end-of-life dates for Panorama releases and apply to Panorama version compatibility with Prisma Access only.
If the Panorama appliance that manages Prisma Access is running a software version that is incompatible (not supported) with the upgrades, you must upgrade Panorama to a compatible version to take full advantage of the capabilities of the infrastructure and dataplane upgrades. It is Palo Alto Networks’ goal to make this process as seamless as possible; for this reason, we make every effort to provide you with adequate notice of Panorama and Prisma Access version compatibility requirements.
Use the dates in the following table to learn when the software version of the Panorama that manages Prisma Access is no longer compatible with Prisma Access. Before the end-of-support date, you should plan to perform an upgrade to a supported Panorama version.
Panorama Software Version
End-of-Support Dates for Prisma Access Deployments
9.0
February 1, 2021
Before this date, you must upgrade your Panorama version to 9.1.2 or later.
While the Cloud Services plugin 1.7 supports Panorama 9.0 versions until February 1, 2021, any version of the Cloud Services plugin after 1.7 requires a minimum version of 9.1.2 before installation.
A Panorama version that is incompatible with Prisma Access includes all versions of that release; for example, when a 9.0 release is incompatible, all current 9.0.x versions of that release, including 9.0.4 and 9.0.7, are incompatible.
9.1
August 20, 2021
Before this date, you must upgrade your Panorama to a version that is later than 9.1.x. Palo Alto Networks will update this document with more specific upgrade guidelines as newer Panorama software releases become generally available.
The Panorama upgrade is required, regardless of the Cloud Services plugin version you are running at the end-of-support date. You cannot continue using an earlier version of the Cloud Services plugin with an earlier, unsupported Panorama version.

Cadence for Software and Content Updates for Prisma Access

The following table informs you of the software and content updates that you must install to get the latest applications and threat signatures and leverage the threat prevention capabilities provided by Palo Alto Networks.
Component
Update Schedule
Cloud Controlled? (Yes/No)
Comments
Upgrades to Panorama software for compatibility with Prisma Access
For major Prisma Access releases, you might need to upgrade your Panorama version for the following use cases:
  • Required Upgrade
    —On occasion, you will be required to upgrade the software version on Panorama Prisma Access and Panorama Version Compatibility with Prisma Access.
    • Maintenance Window
      —Your organization will need to schedule a maintenance window to upgrade the Panorama software version.
    • Impact
      —You cannot use the new plugin version until you upgrade your Panorama version.
    • Notification
      —Palo Alto Networks will provide you with a notification 100 days before the scheduled major release upgrade.
  • Optional Upgrade
    —In other cases, you might need to upgrade the Panorama software version to use the new features that Prisma Access supports in the major release.
    • Maintenance Window
      —Your organization will need to schedule a maintenance window to upgrade the Panorama software version.
    • Impact
      —You cannot use the new features that Prisma Access supports until you upgrade your Panorama.
    • Notification
      —Palo Alto Networks will notify you of any Panorama requirements 21 days before a scheduled major release upgrade as defined in Release Definitions.
No
See Prisma Access and Panorama Version Compatibility to learn when a Panorama version becomes incompatible with Prisma Access. See Upgrade the Cloud Services Plugin for the currently supported Panorama versions to use with Prisma Access. To upgrade your Panorama to a new version, see Install Content and Software Updates for Panorama.
Cloud Services plugin version
Available after the plugin release.
No
You perform the tasks to upgrade the plugin. See Prisma Access Scheduled and Unscheduled Upgrades for details about when Prisma Access updates its plugin version. See Upgrade the Cloud Services Plugin to upgrade the plugin in the Panorama appliance.
GlobalProtect app
  • Major GlobalProtect App Releases (for example,
    x
    .0 or 5.
    x
    )—
    Prisma Access updates the agent on the portal with the latest major release 7-10 days after the general availability of the
    x
    .0.1 version of that release.
    For example, given an agent release of 5.1, Prisma Access updates the agent on the portal 7-10 days after the release of 5.1.1.
  • Minor GlobalProtect App Releases (for example, 5.1.
    x
    )—
    Prisma Access updates the agent on the portal with the latest minor release 7-10 days after the general availability of that release.
Yes
The cloud controls the versions of the app that is available for upgrade; however you can choose between several different hosted versions of the app and can control how and when to roll out GlobalProtect app updates to the end users. See Manage Upgrade Options for the GlobalProtect App for details.
Daily with a threshold of 24 hours.
We release New App-IDs on the third Tuesday of every month. Plan to review and incorporate these new App-IDs within the 24 hour threshold. Use the New App-ID filter to minimize this possible traffic impact.
Yes
We will provide an update via the status.paloaltonetworks.com page 48 hours prior to a cloud upgrade, and 24 hours prior to release of new App-ID version.
Every hour, 10 minutes after the hour
Yes
Prisma Access is always up-to-date with the latest Antivirus release.
Every 5 minutes
Yes
Prisma Access is always up-to-date with the latest WildFire release.
Every hour
Yes
Prisma Access is always up-to-date with the latest GlobalProtect data file release.
Clientless VPN application signatures
Every hour
Yes
Prisma Access is always up-to-date with the latest Clientless VPN application signature release.

Recommended For You