New Features - Prisma Access - 3.2 Preferred and Innovation
1 Gbps Maximum Bandwidth Support for Remote Network IPSec Termination Nodes
High-bandwidth remote network deployments were previously limited to 500 Mbps per IPSec termination node, constraining throughput for demanding branch office and remote network use cases. The maximum bandwidth that Prisma® Access can allocate to IPSec termination nodes for remote network deployments increases from 500 Mbps to 1000 Mbps.
To take advantage of this increase, you must allocate a minimum of 501 Mbps to the compute locations associated with the IPSec termination nodes. While bandwidth enforcement is not currently applied, Prisma Access reserves the right to enforce the allocated bandwidth when consumption exceeds the allocation, and you will be notified prior to any enforcement being applied.
This functionality is supported for Panorama Managed deployments only. If you are upgrading from an earlier Cloud Services plugin version, you must perform a Commit and Push before installing the 3.2 plugin, then perform a Push to Devices after installing the plugin to implement this change.
Advanced Threat Prevention Inline Cloud Analysis and Domain Fronting Detection
Advanced Threat Prevention blocks unknown and evasive command-and-control (C2) traffic inline in real-time using deep learning and machine learning models. The following capabilities are added to Prisma® Access:
- Inline Cloud Analysis—A series of ML-based detection engines added to the Advanced Threat Prevention cloud analyze traffic in real-time for advanced C2 and spyware threats to protect users against zero-day threats. Cloud-based detection mechanisms are updated and deployed automatically, eliminating the need to download update packages or operate resource-intensive local analyzers.
- Domain Fronting Detection—Domain fronting is a TLS evasion technique that circumvents URL filtering and facilitates data exfiltration using SNI spoofing. Threat Prevention can now detect and block domain fronting attempts, closing this evasion path for attackers.
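As an added detection example (not code from the original page or from Palo Alto Networks, and not how Advanced Threat Prevention implements the check), the following Python snippet shows the signal behind the Domain Fronting Detection bullet: it compares the TLS SNI that URL filtering categorizes against the HTTP Host header of the decrypted request over a constructed sample of proxy records, flagging names that belong to different domains while tolerating the same-domain CDN case. The record fields and category strings are assumptions.

```python
"""Flag SNI/Host mismatches that can indicate domain fronting (added example).

Not Palo Alto Networks code. It shows the signal a defender inspects: URL
Filtering categorizes the name in the TLS ClientHello (SNI), while the Host
header of the request inside the tunnel names the server that actually
answers. When the two belong to different domains, the SNI may have been
chosen only to pass the category check. Records are a constructed sample.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ProxyRecord:
    client: str
    sni: Optional[str]        # server name from the TLS ClientHello, if any
    http_host: Optional[str]  # Host header seen after decryption, if any
    sni_category: str         # URL Filtering category assigned to the SNI


def normalize_host(host: Optional[str]) -> Optional[str]:
    """Lower-case, drop a trailing dot and any :port; None when absent."""
    if not host or not host.strip():
        return None
    host = host.strip().lower().rstrip(".")
    if host.startswith("["):            # bracketed IPv6 literal, keep as-is
        return host.split("]")[0] + "]"
    return host.split(":")[0]


def registrable_domain(host: str) -> str:
    """Last two labels (cdn.example.com -> example.com).

    Simplification: a real detector should consult the Public Suffix List so
    that names such as host.example.co.uk are grouped correctly.
    """
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(rec: ProxyRecord) -> str:
    """Return no-sni, exact-match, same-domain or fronting-suspect."""
    sni = normalize_host(rec.sni)
    host = normalize_host(rec.http_host)
    if sni is None or host is None:
        return "no-sni"          # nothing to compare; handle separately
    if sni == host:
        return "exact-match"
    if registrable_domain(sni) == registrable_domain(host):
        return "same-domain"     # typical CDN layout, usually benign
    return "fronting-suspect"


def find_suspects(records: List[ProxyRecord]) -> List[ProxyRecord]:
    """Records whose SNI and Host name different domains."""
    return [r for r in records if classify(r) == "fronting-suspect"]


# Constructed sample records (not real traffic).
SAMPLE_RECORDS = [
    ProxyRecord("10.0.0.5", "cdn.example.com", "cdn.example.com", "content-delivery-networks"),
    ProxyRecord("10.0.0.5", "www.example.com", "static.example.com", "business-and-economy"),
    ProxyRecord("10.0.0.7", "allowed.example.com", "Backend.Example.NET:443", "business-and-economy"),
    ProxyRecord("10.0.0.9", None, "plain.example.org", "unknown"),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(f"{r.client:10} sni={r.sni!s:22} host={r.http_host!s:26} -> {classify(r)}")
```

Records classified no-sni need a separate policy (for example, a decryption or ClientHello-inspection rule), since without an SNI there is nothing for the category check to have evaluated.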
Advanced Threat Prevention Inline Cloud Analysis Support for Explicit Proxy
Explicit Proxy deployments can now protect users against zero-day threats through Prisma® Access Advanced Threat Prevention Inline Cloud Analysis support. A series of ML-based detection engines added to the Advanced Threat Prevention cloud analyze traffic in real-time for advanced command-and-control (C2) and spyware threats, stopping attacks before they can establish a foothold.
By operating cloud-based detection engines, you gain access to a wide array of detection mechanisms that are updated and deployed automatically. This means you don't need to download update packages or operate resource-intensive local analyzers to stay protected against the latest threats. The cloud engines continuously evolve to address new attack techniques, providing protection against threats that signature-based detection alone cannot catch.
This capability is available for Prisma Access Explicit Proxy deployments running Prisma Access 3.2.1 Innovation and later.
Advanced URL Filtering Inline Deep Learning Analysis
Unknown web-based attacks that target previously uncategorized or newly registered URLs can evade static URL filtering databases, exposing users to patient zero threats. Advanced URL Filtering now includes a series of inline cloud-based deep learning detectors that evaluate suspicious web page contents in real-time, stopping unknown web-based attacks before users can be compromised.
Advanced URL Filtering combines Palo Alto Networks' malicious URL database capabilities with a real-time web protection engine powered by machine learning (ML). The inline deep learning analysis goes beyond URL reputation, examining the actual content of web pages to identify malicious characteristics that static databases cannot detect. This provides best-in-class web protection for the modern enterprise and stops threats that traditional URL filtering misses.
Advanced URL Filtering Inline Deep Learning Analysis Support for Explicit Proxy
Web-based attacks that use previously unknown or uncategorized URLs can bypass traditional URL filtering databases. Advanced URL Filtering now includes inline cloud-based deep learning detectors for Prisma® Access Explicit Proxy deployments, evaluating suspicious web page contents in real-time to stop unknown web-based attacks and prevent patient zero web threats.
Advanced URL Filtering combines Palo Alto Networks' malicious URL database capabilities with a real-time web protection engine powered by machine learning (ML). The inline deep learning analysis operates without adding significant latency, giving Explicit Proxy users the same best-in-class web protection available to GlobalProtect users. This ensures comprehensive protection against web threats across all Prisma Access deployment methods.
API to Simplify Remote Network Automation
Connecting third-party SD-WAN devices and customer premises equipment (CPE) to Prisma® Access for Remote Networks previously required manual identification of IPSec termination nodes and compute locations. An XML API is now available to simplify this process. You provide the bandwidth and the latitude and longitude of the SD-WAN device in the API request, and Prisma Access responds with the name of the IPSec termination node and compute location to use for that device.
This automation reduces the configuration effort required when onboarding large numbers of SD-WAN devices or CPEs, eliminates the need to manually look up termination node assignments, and ensures devices connect to the optimal Prisma Access location based on their geographic position.
For more information about using Prisma Access APIs for remote network management, see the Prisma Access API documentation.
Autonomous DEM Self Serve
IT helpdesk teams often receive high volumes of tickets for application experience issues that end users could resolve themselves with the right guidance. Autonomous digital experience management (Autonomous DEM) Self Serve reduces this ticket load by empowering end users to identify and fix issues that fall within their own purview. Autonomous DEM Self Serve detects and provides guided remediation for the following conditions:
- CPU and memory issues impacting application experience—Detects high CPU or memory utilization conditions and notifies mobile users with guided remediation steps.
- WiFi issues impacting application experience—Detects poor WiFi quality, changes in WiFi connections, or disconnect conditions, and notifies mobile users with guided remediation steps.
- Internet issues impacting application experience—Detects internet disconnect conditions for wired and wireless connections and notifies mobile users with guided remediation steps.
For more information about Prisma® Access Autonomous DEM capabilities, see the Autonomous DEM documentation.
Cloud Identity Engine Multiple Authentication Mode Support
Organizations with diverse user populations often need to support different authentication methods for different groups or directories, but previously had to manage these through separate authentication profiles. Prisma® Access now supports Cloud Identity Engine authentication with multiple methods in a single authentication profile, including certificate-based authentication and multiple SAML 2.0-based identity providers.
Multiple authentication mode also supports group-based authentication, allowing you to specify different authentication types for particular groups or directories. This ensures that users experience a smooth login process regardless of the method they use to authenticate and makes it easier to deploy identity-based security policy across a heterogeneous user base.
For Prisma Access Explicit Proxy deployments, multiple authentication mode is supported for SAML authentication only.
Commit Job Status via XML API for Multi-Tenant Deployments
Operators managing multi-tenant Prisma® Access Panorama Managed deployments previously had no programmatic way to check the status of commit jobs across tenants, requiring manual verification in the Panorama interface. An operational XML API is now available to retrieve commit job status for any tenant in your multi-tenant deployment.
To retrieve the job status, send a curl command using the following structure, replacing the placeholder values with your actual Panorama address, tenant name, and job ID:
curl -k 'https://PANORAMA_ADDRESS/api/?type=op&cmd=<request><plugins><cloud_services><prisma-access><multi-tenant><tenant-name><entry name="TENANT_NAME"/></tenant-name><request-job-result><jobid>JOB_ID</jobid></request-job-result></multi-tenant></prisma-access></cloud_services></plugins></request>&key=API_KEY'
Where PANORAMA_ADDRESS is the address of the Panorama managing Prisma Access, TENANT_NAME is the name of the tenant, JOB_ID is the ID of the commit job for which you are requesting status, and API_KEY is the XML API key of the Panorama administrator account.
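As an added example (not from the Palo Alto Networks documentation or plugin), the following Python script wraps the same op command: it builds the request XML with an XML library so a tenant name containing quotes or angle brackets is escaped, URL-encodes the command, sends the API key in the X-PAN-KEY header rather than the query string, and parses the reply. The reply layout it parses is an assumption modelled on the standard PAN-OS job result, and the sample reply is constructed.

```python
"""Retrieve commit job status for a Prisma Access tenant (added example).

Not Palo Alto Networks code. It wraps the op command shown above. The reply
layout handled by parse_job_result() is an assumption modelled on the usual
PAN-OS job result (<response status="success"><result><job>...); verify it
against a real reply before relying on it.
"""
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass


def build_job_status_cmd(tenant_name: str, job_id: str) -> str:
    """Build the <request> XML with ElementTree so that a tenant name
    containing quotes or angle brackets is escaped rather than breaking
    (or altering) the command."""
    req = ET.Element("request")
    node = req
    for tag in ("plugins", "cloud_services", "prisma-access", "multi-tenant"):
        node = ET.SubElement(node, tag)
    ET.SubElement(ET.SubElement(node, "tenant-name"), "entry", name=tenant_name)
    jobid = ET.SubElement(ET.SubElement(node, "request-job-result"), "jobid")
    jobid.text = str(job_id)
    return ET.tostring(req, encoding="unicode")


def build_job_status_url(panorama: str, tenant_name: str, job_id: str) -> str:
    """URL-encode the command. The curl form above sends the raw XML and the
    key in the query string; here the key is sent as a header instead so it
    does not land in proxy or web server access logs."""
    query = urllib.parse.urlencode(
        {"type": "op", "cmd": build_job_status_cmd(tenant_name, job_id)}
    )
    return f"https://{panorama}/api/?{query}"


@dataclass
class JobStatus:
    job_id: str
    status: str    # ACT while running, FIN when finished
    result: str    # OK, FAIL or PEND
    progress: str  # percentage as reported by Panorama

    def finished(self) -> bool:
        return self.status == "FIN"


def parse_job_result(xml_text: str) -> JobStatus:
    """Parse the API reply; raise on an API-level error."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        msg = root.findtext(".//msg/line") or root.findtext(".//msg") or "unknown error"
        raise RuntimeError(f"Panorama API error: {msg}")
    job = root.find(".//job")
    if job is None:
        raise RuntimeError("reply contains no <job> element")
    return JobStatus(
        job_id=(job.findtext("id") or "").strip(),
        status=(job.findtext("status") or "").strip(),
        result=(job.findtext("result") or "").strip(),
        progress=(job.findtext("progress") or "").strip(),
    )


def fetch_job_status(panorama: str, tenant_name: str, job_id: str,
                     api_key: str, timeout: float = 15.0) -> JobStatus:
    """Perform the request. urllib verifies the server certificate by
    default, unlike the curl -k form above; install the Panorama CA in the
    client trust store rather than disabling verification."""
    req = urllib.request.Request(
        build_job_status_url(panorama, tenant_name, job_id),
        headers={"X-PAN-KEY": api_key},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_job_result(resp.read().decode("utf-8"))


# Constructed sample reply (assumed layout), used for offline testing.
SAMPLE_REPLY = (
    '<response status="success"><result><job>'
    "<id>1234</id><status>FIN</status><progress>100</progress><result>OK</result>"
    "</job></result></response>"
)

if __name__ == "__main__":
    print(build_job_status_url("panorama.example.internal", "tenant-a", "1234"))
    print(parse_job_result(SAMPLE_REPLY))
```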
Disable Logging for Service Connections
Deployments with a high proportion of asymmetric traffic flows through service connections can generate excessive log volume, driving up Strata™ Logging Service storage consumption without providing proportional security value. The Palo Alto Networks Site Reliability Engineering (SRE) team can now disable logging on service connections for your Prisma® Access deployment when this condition is identified.
If the majority of traffic flows logged by your service connections are asymmetric, disabling service connection logging reduces Strata Logging Service storage consumption. If your deployment does not have asymmetric flows through service connections, you don't need to disable logging.
To disable logging for service connections, reach out to your Palo Alto Networks account representative or partner, who will contact the SRE team and submit a request. For more information about Prisma Access service connections, see the administration documentation.
DLP Web Form Data Inspection
Sensitive data can be exfiltrated not only through file uploads but also through non-file-based data exchanged in web forms, collaboration applications, cloud applications, and social media. Enterprise Data Loss Prevention (DLP) now supports inspection of non-file-format traffic using web form data inspection, closing this data exfiltration vector.
Web form data inspection extends the same DLP policy enforcement that applies to files to inline data submitted through web interfaces. This means that sensitive information such as credit card numbers, social security numbers, or confidential business data entered into web forms is subject to inspection and policy enforcement, preventing Prisma® Access users from inadvertently or maliciously leaking sensitive data through these channels.
DNS Security Enhancements
Attackers increasingly use DNS as an attack vector, including the use of strategically aged domains—domains registered well in advance and kept inactive to avoid reputation-based detection before being used for malicious purposes. Prisma® Access deployments now extend protection for the latest DNS-based attack techniques, including strategically aged domains, making it the most comprehensive DNS security solution available.
These enhancements build on the existing DNS security capabilities in Prisma Access to detect and block threats that evade traditional domain reputation systems. By analyzing additional signals beyond domain age and reputation, the updated DNS security engine can identify malicious domains even when they appear legitimate based on historical data alone.
For more information about DNS security capabilities in Prisma Access, see the DNS security documentation.
Dual Authentication Portal Support for Mobile Users—GlobalProtect Deployments
When your organization needs to support users who authenticate through different methods, managing multiple authentication flows on a single Prisma® Access tenant was previously not possible. You can now configure two Mobile Users—GlobalProtect portals in Prisma Access, with each portal supporting a different authentication method on a single tenant. For example, you can configure one portal for RADIUS authentication and another for SAML authentication.
This capability is useful when different user populations require different authentication methods—such as employees using SAML and contractors using RADIUS—without requiring separate tenants. Both portals operate independently, enabling flexible identity and access policies for each group.
This functionality requires an upgrade to a specific Preferred PAN-OS® dataplane. To enable this feature, reach out to your Palo Alto Networks account representative or partner, who will contact the SRE team and submit a request to upgrade your dataplane.
Explicit Proxy Support for Office 365 Client Apps
Prisma® Access Explicit Proxy previously supported browser-based Office 365 traffic, leaving native O365 client applications—such as Outlook, Teams, and the Office desktop suite—outside the scope of proxy-based inspection and policy enforcement. You can now forward O365 client application traffic through the Prisma Access Explicit Proxy Connect method, extending the same security controls that apply to browser traffic to native Office 365 applications.
This enhancement ensures consistent policy enforcement and threat inspection for all Office 365 traffic regardless of how users access it. Organizations that rely heavily on native Office 365 clients can now apply URL filtering, data loss prevention, and other cloud-delivered security services to that traffic through the existing Explicit Proxy deployment.
For more information about configuring Explicit Proxy for your deployment, see the Prisma Access documentation.
Kerberos Authentication Support for Explicit Proxy
Explicit Proxy deployments that needed both user authentication and machine authentication previously couldn't combine SAML and Kerberos in a single deployment, limiting flexibility for organizations with mixed authentication requirements. You can now use both SAML to authenticate users and Kerberos to authenticate users and machines within a single Prisma® Access Explicit Proxy deployment.
This combination is particularly valuable in enterprise environments where corporate devices use Kerberos for seamless, transparent machine authentication, while unmanaged or guest devices use SAML-based identity provider authentication. By supporting both methods simultaneously, you can apply consistent security policies to all traffic through the Explicit Proxy regardless of the device type or authentication method.
For more information about configuring authentication for Explicit Proxy, see the Prisma Access administration documentation.
Licensing Enhancements for Additional Mobile User Locations and Service Connections
Prisma® Access deployments with a Local Edition license were previously limited to a maximum of five locations, and service connections were constrained to what the base license provided. The following license enhancements are now available to give you greater flexibility as your deployment grows:
- If you have a Prisma Access Local Edition license and need more than the five-location maximum, you can purchase a license add-on that allows you to add one or more additional locations.
- If you need more service connections than your license provides, you can purchase additional service connections at a flat per-service connection rate.
These enhancements let you scale your Prisma Access deployment to match your organization's growth without requiring a full license upgrade. For more information about Prisma Access licensing options, contact your Palo Alto Networks account representative.
Multi-Tenant Support for Cloud Identity Engine Directory Group Sync
Multi-tenant Panorama Managed Prisma® Access deployments can now use Directory Group Sync through the Cloud Identity Engine. This enhancement allows user group information from your directory to synchronize across all tenants in a multi-tenant Prisma Access deployment, enabling consistent user-based policy enforcement without manual group configuration per tenant.
Directory Group Sync with the Cloud Identity Engine streamlines identity management for service providers and enterprises that operate multiple tenants, reducing administrative overhead and ensuring that security policies reflect accurate, up-to-date group memberships from your identity provider.
To enable this feature, reach out to your Palo Alto Networks representative.
NAT Support for Private Applications
Organizations that need to control which IP address ranges are advertised to their data center can now configure source NAT at one or more service connections to NAT traffic between Prisma® Access GlobalProtect® mobile users and private applications and data center resources. Two NAT options are available:
- Enable Data Traffic Source NAT—NAT Mobile User IP address pool addresses so that they are not advertised to the data center. Only the subnets you specify at the service connections are advertised and routed in the data center.
- Enable Infrastructure Traffic Source NAT—NAT addresses from the Infrastructure Subnet so that they are not advertised to the data center. Only the subnets you specify at the service connections are advertised and routed in the data center.
You can use either RFC1918 or RFC6598 addresses as the NAT subnets. This gives you precise control over the IP space visible in your data center while maintaining full connectivity for mobile users accessing private applications.
New and Renamed Prisma Access Compute Locations and Remapped Locations
To optimize Prisma® Access performance across multiple regions, new compute locations are added and existing locations are remapped accordingly:
- US South—The Mexico Central, Mexico West, and US South locations move to the US South compute location.
- Europe Southwest—The Andorra, Portugal, Spain Central, and Spain East locations move to the Europe Southwest compute location.
- Europe South—The Italy, Kenya, and Monaco locations move to the Europe South compute location.
- Asia Southeast (Indonesia)—The Indonesia location moves to the Asia Southeast (Indonesia) compute location.
In addition, the existing Asia Southeast compute location is renamed to Asia Southeast (Singapore). New deployments have these remappings applied automatically. If you have an existing deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location.
New Prisma Access Compute Locations: Middle-East West and Europe Northwest (Paris)
To optimize performance for Prisma® Access deployments in the Middle East and Western Europe, two new compute locations are added and existing locations are remapped accordingly:
- Middle-East West Compute Location—The Israel location is remapped from the Europe Central compute location to the new Middle-East West compute location, providing lower latency for users in that region.
- Europe Northwest (Paris) Compute Location—The France South location is remapped from the France South compute location to the new Europe Northwest (Paris) compute location.
New deployments have these remappings applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the new compute location, follow the procedure to add a new compute location to a deployed Prisma Access location.
New Prisma Access Locations: Pakistan West (II) and Sri Lanka
To better accommodate worldwide Prisma® Access deployments and provide enhanced local coverage in South Asia, the following new locations are added:
- Pakistan West (II)—Maps to the Asia Southeast (Singapore) compute location.
- Sri Lanka—Maps to the Asia Southeast (Singapore) compute location.
These additions improve connectivity and performance for users and remote networks in Pakistan and Sri Lanka by providing geographically closer access points to the Prisma Access infrastructure. For the full list of available locations and their compute location mappings, see the Prisma Access location documentation.
New Strata Logging Service Region: Switzerland
Organizations operating in Switzerland can now store their Prisma® Access log data locally to meet data residency and compliance requirements. A new Switzerland region is added to Strata™ Logging Service, enabling you to direct log forwarding to a Switzerland-based endpoint.
This addition is particularly important for organizations subject to Swiss data protection laws, which may restrict the transfer of certain data outside of Switzerland. By using the Switzerland region, you can ensure that your Prisma Access logs remain within the country's borders while still benefiting from the full capabilities of Strata Logging Service.
No changes to your existing logging configuration are required if you are not operating in Switzerland. If you want to migrate existing logs or update your logging region, contact your Palo Alto Networks account representative for assistance.
Next-Generation CASB-X for Prisma Access and Next-Generation Firewalls
Purchasing and managing individual CASB components separately creates licensing complexity and gaps in SaaS security coverage. Next-Generation Cloud Access Security Broker (CASB-X) is a new SKU that consolidates all CASB components into a single offering, including SaaS Security Inline, SaaS Security API, SaaS Security Posture Management (SSPM), and Enterprise DLP API.
Prisma® CASB-X can be applied on Cloud Managed Prisma Access, Panorama Managed Prisma Access, and Panorama Managed next-generation firewall (NGFW) devices in a single-tenant environment. This unified SKU simplifies procurement and ensures comprehensive SaaS security coverage without the need to track multiple separate component licenses.
Populate User Group Names in Security Policy Rules Using the Cloud Identity Engine
Panorama Managed Prisma® Access deployments previously required a primary device to make user and group information selectable in security policy rules. You can now configure the Cloud Identity Engine in Panorama Managed Prisma Access deployments to populate groups directly in security policy rules.
This gives you the flexibility to use either the Cloud Identity Engine or a primary device to perform group mapping. If you currently use a primary device to make user and group information selectable in security policies, that functionality is unaffected by this change.
Using the Cloud Identity Engine for group mapping simplifies your deployment by removing the dependency on a dedicated primary device for identity-based policy, while still giving you full control over user-based security enforcement across your Prisma Access environment.
Prisma Access Explicit Proxy License Enhancements
Organizations that needed both Explicit Proxy and GlobalProtect® for the same users previously had to purchase additional mobile user license units for each method. Prisma® Access now allows you to use a single Mobile Users license for both Explicit Proxy and GlobalProtect. When you provision one mobile user license unit, you can enable GlobalProtect, Explicit Proxy, or both for that user.
This enhancement eliminates the need to purchase additional quantities of mobile user units when your users require both access methods. For example, a user who connects via GlobalProtect in the office and Explicit Proxy from a managed device now counts as a single licensed user rather than two.
For detailed examples of how this licensing change affects your deployment, see Prisma Access 3.2.1 Mobile User Licensing Change Examples.
Prisma SASE Platform
Managing multiple SASE products, licenses, and tenants across separate consoles creates operational complexity and reduces visibility. The SASE Portal is a single location to access and manage Prisma® SASE products and services for enterprises and service providers. The portal provides the following key capabilities:
- License activation and subscription management—Activate and manage all your available licenses from one location.
- Tenant management—Create single and multiple tenants, build a hierarchy, and share and allocate license subscriptions for desired tenants.
- Hierarchical multi-tenant cloud management dashboard—Single pane of glass management with insights into network and security services across all tenants.
- Open API gateway—API access via a centralized API gateway to enable integration and automation.
- Identity and access management—Centralized authentication and authorization of user roles and permissions for all applications and API-based access.
Regional Private IP Address Pools for Mobile Users—GlobalProtect
Mobile Users—GlobalProtect deployments previously allowed IP address pool allocation only at a global or broad regional level, limiting your ability to control which address ranges users received based on their connection location. You can now specify granular IP pools for the locations available with this feature, as well as define pools at the Worldwide or per Prisma® Access theater level.
This granularity is useful for organizations that need to route traffic through specific network paths based on IP ranges, enforce location-aware security policies, or maintain predictable address allocations for audit and compliance purposes. You can define separate pools for different geographic regions, ensuring that users connecting from a particular location always receive an IP address from the designated pool for that area.
This feature is available with Prisma Access 3.2.1 Innovation and later.
Simplified Activation and Subscription Management
Activating and managing Prisma® Access subscriptions previously required navigating multiple workflows, which increased activation time and the potential for human error. A completely new and revamped user-friendly workflow now lets you activate and manage all your Prisma Access subscriptions in one place. Palo Alto Networks has optimized the activation flow to significantly reduce activation time while providing contextual information at each step to minimize configuration mistakes.
The updated activation experience includes the following workflows:
- Evaluation-to-production conversion requests
- Incident management procedures to troubleshoot activation-related issues and improve the overall serviceability experience
For more information about getting started, see the Prisma Access activation and onboarding documentation.
Simplified SASE Consumption Model with Prisma Access SD-WAN Add-On
Organizations that want best-in-class security and SD-WAN previously had to manage separate products with separate activation and management workflows. Prisma® SD-WAN is now available as a simple add-on to Prisma Access, delivering the most comprehensive SASE solution in an effortless, consumable model.
With the Prisma SD-WAN add-on, you can aggregate bandwidth across all branch locations, activate all SASE services—including SD-WAN—through a single link, and flexibly add additional services as your needs evolve, all from a unified management console. This eliminates the integration complexity and operational overhead of managing security and SD-WAN as separate deployments, giving you a cohesive view of your entire network and security posture.
Simplify Private App Access Using ZTNA Connector
Enabling private app access for diverse application types—including cloud-native, containerized, microservice, and legacy apps—previously required complex network configurations. The Zero Trust Network Access (ZTNA) Connector dramatically simplifies private app access for all these application types. You can now choose to use either the ZTNA Connector or a service connection to enable access to private apps for your users—both methods enforce all ZTNA 2.0 principles.
Terminal Server Agent Additional Platform Support in Prisma Access 3.2.1
Environments where multiple users share a single operating system session—such as Citrix or Windows Server Remote Desktop Services—previously could not use user-based security policies in Prisma® Access because individual users couldn't be identified. Prisma Access now supports the Palo Alto Networks Terminal Server (TS) Agent for the following platforms:
- Citrix XenApp 7.x
- Windows Server 2019
- Windows 10 Enterprise Multi-session
The TS Agent maps source ports to individual users in shared-session environments, enabling Prisma Access to apply user-based security policies even when multiple users share the same IP address. This ensures consistent policy enforcement for virtual desktop and terminal server deployments without requiring separate IP allocation per user.
Terminal Server Agent Support
In environments where multiple users share a single operating system session, individual users cannot be identified by IP address alone, making user-based security policy enforcement difficult. Prisma® Access now supports the Palo Alto Networks Terminal Server (TS) Agent for the following platforms:
- Windows Server 2019
- Windows 10 Enterprise Multi-session
The TS Agent maps source ports to individual users in shared-session environments, enabling Prisma Access to enforce user-based security policies even when users share the same IP address. A maximum of 400 TS Agents are supported per deployment.
Web Proxy Support
Organizations transitioning from on-premises proxy architectures to cloud-based security often face challenges maintaining their existing secure web gateway (SWG) configurations during the migration. Prisma® Access now supports the on-premises web proxy capability available with PAN-OS® 11.0, providing a seamless method for migrating, deploying, and maintaining SWG configurations from a simplified, unified management console.
If your network uses a proxy device for security, you can leverage the same level of protection using the web proxy feature with Prisma Access. The web proxy enables additional options for migrating from an existing web proxy architecture and helps during the transition from on-premises to the cloud with no loss to security or efficiency.
Web proxy support requires Panorama® 11.0. This feature is available with Prisma Access 3.2.1 Innovation and later.