Changes to Default Behavior

The following chapter details the changes in default behavior after you upgrade from the Cloud Services plugin version 1.5.
x
to version 1.6. For the system requirements you need before you upgrade, see Upgrade the Cloud Services Plugin.
Because you do not need to upgrade your Panorama or the Cloud Services plugin from 1.6.0 to take advantage of the 1.6.1 release (Prisma Access upgrades its infrastructure automatically), these changes also apply to Prisma Access 1.6.1.
Component
Change
ECMP load balancing for remote networks
If you enable ECMP load balancing to use up to four IPSec tunnels with a single remote network, Prisma Access uses the same link for return traffic as it uses to send the traffic (
Enabled with Symmetric Return
). After you upgrade the plugin to 1.6, if your deployment has the setting of
Enabled
, you will be prompted to change it to
Enabled with Symmetric Return
. If you do not change this setting, you will receive an error when you perform a local commit until you change it. If you already have
Enabled with Symmetric Return
specified for ECMP, or if you have not enabled ECMP, no action is required.
Hot potato routing AS-PATH prepending changes
When you enable Hot Potato Routing for service connections, the following AS-PATH prepending changes are made. The changes for secondary BGP peers are new for 1.6, and some additional changes are made for primary connections:
  • The service connection does not prepend its AS-PATH to prefixes on a gateway that is directly connected to the service connection. If you specify a secondary BGP peer, the service connection prepends the AS-PATH for the secondary connection once.
  • The service connection prepends the AS-PATH three times to prefixes on gateways connected directly to its backup service connection (a change from twice). If you specify a secondary BGP peer, the service connection prepends the AS-PATH for the secondary connection four times.
  • The service connection prepends the AS-PATH six times to prefixes on gateways that are connected to other service connections (a change from four times). If you specify a secondary BGP peer, the service connection prepends the AS-PATH for the secondary connection seven times.
Addition of __cloud_services Panorama Administrative User
After you install the Cloud Services plugin 1.6, the plugin creates a Panorama administrative user with a username of
__cloud_services
. This user account is required to enable communication between Enterprise DLP on Prisma Access and the Prisma Access management infrastructure. Palo Alto Networks recommends that you change the password for this administrative user in accordance with your organization’s password policy.
If you have deleted the
__cloud_services
user, you must re-add the user manually. The account is used to register and activate Enterprise DLP on Prisma Access, and for continued DLP scanning using the data patterns and data filtering profiles referenced in security policy rules.

Recommended For You