Changes to Default Behavior and Minimum Required Panorama Version

The following chapter details the changes in default behavior after you upgrade to the Cloud Services plugin version 1.5, and includes information about the minimum Panorama version you need to use with the Cloud Services plugin 1.5.

Changes to Default Behavior

The following section details the changes in default behavior after you upgrade to Prisma Access 1.5.

| Component | Change |
| --- | --- |
| Mobile user IP pools will advertise extended BGP community strings | When Prisma Access advertises IP pools for mobile users, it also advertises an extended BGP community string that contains both the Prisma Access Autonomous System (AS) Number and the ID of the service connection to which the mobile users’ location is connected. |
| Minimum Panorama version requirements for Prisma Access 1.5 | To use Prisma Access 1.5, you must upgrade your Panorama to a minimum version of 9.0.4 before installing Cloud Services plugin 1.5. The Cloud Services plugin 1.5 and later require a minimum Panorama version of 9.0.4. If your Panorama is running 8.1, any attempt to download the 1.5 plugin from the Software downloads page on the Palo Alto Networks Customer Support Portal and manually upload the plugin on Panorama 8.1 will result in an unsupported configuration and data loss. See Minimum Panorama of 9.0.4 Required for Prisma Access 1.5 for details. |
| API changes | We’ve created a new set of API scripts to allow you to quickly and easily retrieve the IP addresses that you need to whitelist in your organization’s network. The existing commands will still work and are still available; however, the improved functionality will be in the newer commands. |
| Clean Pipe separation requirement | Starting with Release 1.5, Palo Alto Networks enforces the separation of clean pipe deployments from non-clean pipe deployments (either mobile users or remote networks). When you create a tenant, make sure that you do not mix mobile user or remote network deployments in the same tenant with a clean pipe deployment. If you have an existing tenant that mixed clean pipe deployments with another deployment, you must delete the existing non-clean pipe deployment, then add another tenant and re-create the non-clean pipe deployment in that new tenant. |

Minimum Panorama of 9.0.4 Required for Prisma Access 1.5

To support the new features introduced in PAN-OS 9.0, Palo Alto Networks is upgrading the Prisma Access cloud infrastructure. Unlike previous infrastructure upgrades, this upgrade requires you to upgrade Panorama to version 9.0.4 or later to remain interoperable with the infrastructure in the Prisma Access cloud. You can also update to the latest 9.0.x releases as they become available on the Customer Support Site.
New Prisma Access deployments must use the Cloud Services plugin 1.5 and a minimum Panorama version of 9.0.4; earlier versions of the Cloud Services plugin and Panorama are not supported for new deployments.

Why is the Panorama Upgrade Mandatory?

Starting with PAN-OS 9.0, policy rules include Universally Unique Identifiers (UUIDs) that are permanent attributes of policy rules and are automatically generated. UUIDs standardize the process of tracking policy modifications and make it easier to demonstrate compliance with audit and regulatory requirements.
Because these UUIDs are auto-generated for all policy rules, we require you to upgrade the Panorama to a minimum version of PAN-OS 9.0.4 and push the device group configuration to the Prisma Access cloud infrastructure before we upgrade it. It is critical that the Panorama is on 9.0 before we upgrade the Prisma Access infrastructure to prevent a configuration push failure because of a UUID mismatch between Panorama and the upgraded Prisma Access cloud infrastructure.
Besides this critical reason, there are new exciting features that will be available for Prisma Access with Panorama 9.0.
If your organization manages on-premise firewalls as well as Prisma Access with the same Panorama, you do not need to upgrade your on-premise firewalls. Panorama running PAN-OS 9.0.x can manage on-premise firewalls running PAN-OS 8.x or earlier supported versions with no issues. See the PAN-OS Release Notes for 9.0 for details about changes to default behavior between 8.x and 9.0.4.

Cloud Services Plugin Interoperability

The Cloud Services plugin version 1.4 is EOL as of October 31, 2019.
While the plugin will continue to work for existing customers who did not upgrade their Panorama version by October 31, 2019, and is supported by Palo Alto Networks Technical Support, no new features or maintenance releases will be available for this plugin version; only fixes will be provided for any critical security issues. For continued support on the Cloud Services plugin, you must upgrade your Panorama to 9.0.4 and use the Cloud Services plugin 1.5 for the most up-to-date features and fixes on Prisma Access.
Cloud Services plugin 1.5 and later require Panorama version 9.0.
This requirement is only for customers who are using Panorama to manage Prisma Access. Customers who use the Cloud Services plugin to manage Cortex Data Lake only are not affected by this requirement.
On Panorama versions earlier than PAN-OS 9.0, Cloud Services plugin 1.5 will not be available for installation.

| Panorama Version | Cloud Services Plugin Version | Plugin Support Details |
| --- | --- | --- |
| 8.1 | 1.4 | Supported. 1.4 Plugin is EOL as of Oct 31, and will be supported through January 31, 2020. No new features will be added. |
| 8.1 | 1.5 | NOT SUPPORTED on Panorama running v8.1. The plugin v1.5 is incompatible with PAN-OS 8.1 and can result in errors and cannot be rolled back to 1.4 plugin. No 1.5 features will be available until you upgrade your Panorama appliance to 9.0.4. |
| 9.0 | 1.4 | Interim support, until we upgrade your Prisma Access infrastructure. See What is the Timeline for the Upgrade?. |
| 9.0 | 1.5 | Supported. Plugin v1.5 will add support for new features and ongoing fixes. Be sure to upgrade to the 1.5 plugin only after we have upgraded the Prisma Access infrastructure. See What is the Timeline for the Upgrade?. |

What is the Timeline for the Upgrade?

To immediately take advantage of the features and benefits of Prisma Access 1.5, upgrade your Panorama version to a minimum version of 9.0.4.
Use the following procedure to upgrade to Prisma Access 1.5:
  1. Upgrade your Panorama version to 9.0.4.
  2. Wait until Prisma Access upgrades its infrastructure.
  3. Install the Cloud Services plugin on the upgraded Panorama appliance when the plugin becomes available on the Customer Support Portal.
To use Prisma Access 1.5 when it was released, you needed to upgrade your Panorama to 9.0.x before October 31, 2019. If your business processes were not able to accommodate the Panorama upgrade before that date, you can schedule your upgrade for a later time. We have a monthly rollout of the Prisma Access infrastructure so that you can upgrade at a later time and still use Prisma Access 1.4 until then. Use the following table to schedule your Panorama upgrade, and upgrade your Panorama to a minimum version of 9.0.4 before we perform the infrastructure upgrade.
After you upgrade your Panorama version, no action is required. Prisma Access automatically retrieves the running Panorama version for all customers before each upgrade window; after you upgrade your Panorama to the required minimum version, Prisma Access will upgrade your infrastructure using the dates provided in the following table.

| Upgrade Panorama to 9.0 Between | Prisma Access Cloud Infrastructure Rollout Date for the Month | Install Cloud Services Plugin 1.5 |
| --- | --- | --- |
| November 7-30, 2019 | December 6-8, 2019 | December 9, 2019. After the Panorama upgrade, you can continue using Cloud Services plugin 1.4 until your Prisma Access cloud infrastructure is upgraded. After the infrastructure upgrade, you can install the Cloud Services plugin version 1.5 at your earliest convenience. See Cloud Services Plugin Interoperability. |
| December 5-31, 2019 | January 10-12, 2020 | January 13, 2020 |
| January 9-31, 2020 | February 7-9, 2020 | February 10, 2020 |
| After January 31, 2020 | Prisma Access 1.4 is NOT supported after January 31, 2020, and you will not be able to make configuration changes or commits with Prisma Access 1.4 after this date. | |
