Features Introduced in Prisma Access

Your Panorama must be running a minimum version of 9.0.4 before installing the 1.6 Cloud Services plugin. PAN-OS 9.1.1 is also supported with the 1.6 plugin, but if you are upgrading from an earlier plugin version, you should upgrade the plugin to 1.6 before upgrading your Panorama from 9.0.x to 9.1.1, because earlier plugin versions are not compatible with PAN-OS 9.1.1. The Cloud Services plugin 1.6 and later require Panorama version 9.0.4 or 9.1.1 as the minimum version. Installing the 1.6 plugin on a Panorama running 8.1 or earlier is not supported, and will result in an unsupported configuration and data loss.
Prisma Access does not support versions of the Cloud Services plugin earlier than 1.6, and you must upgrade to this version.
The following table describes the new features introduced in Prisma Access version 1.6.
Feature
Description
If you specify the same DNS server to resolve both internal and external domains, Prisma Access does not proxy the DNS request, and you can view the actual source IP address of the client that sent the DNS request. This enhancement allows you to enforce source IP address-based DNS policies or identify endpoints that communicate with malicious domains using the source IP of the DNS requests.
You can use Prisma Access to specify DNS servers to resolve both internal and public domains. If you specify an internal DNS server to resolve internal DNS domains and then specify either a public server or Prisma Access’ Cloud Default server to resolve external domains, Prisma Access proxies the requests from the remote network site. You can also specify an external DNS server that is closer to the egress points of your remote network sites than your internal DNS server, which can provide optimal connectivity for SaaS applications such as Microsoft Office 365.
Prisma Access allows you to configure two VLAN attachments for a single Clean Pipe location in an active/backup configuration for intra-zone redundancy—an enhancement to the current implementation, where you can specify two different VLAN attachments in different availability zones (inter-zone redundancy).
QoS for Clean Pipe
For Clean Pipe deployments, you can create QoS policies to define the traffic that receives QoS treatment and QoS profiles to define the classes of service, including priority, that the traffic can receive. You can define QoS based on DSCP values or zones (Trust or Untrust).
If you are hosting an internet-facing application or service in your remote network location, you can use Prisma Access to front-end that application or service and provide secure access from both internal and external users over the internet.
200 Tenant Support for Multitenancy
The Cloud Services Plugin increases multitenant support from 100 to 200 Prisma Access tenants. This gives Service Providers and large enterprises the capability to expand how they deploy and support disparate, segregated environments. For concurrent Panorama administrator login maximums, see the Prisma Access Administrator’s Guide (Panorama Managed).
Support for Individual BGP Peers on Primary and Secondary IPSec Tunnels
To facilitate dynamic IPSec tunnel failover for BGP deployments if the on-premises devices do not use the same IP addresses for BGP peering, you can specify different BGP peer and local IP addresses for the primary and secondary (active and backup) IPSec tunnels for service connections and remote network connections.
This release adds support for Data Loss Prevention (DLP) on Prisma Access. DLP on Prisma Access uses predefined patterns, built-in settings, and options that make it easy for you to protect files that contain certain file properties (such as a document title or author), credit card numbers, regulated information from different countries (like social security numbers), and third-party DLP labels.
DLP is an add-on license on Prisma Access. You can either start with a 60-day trial or purchase a license to use Enterprise DLP on Prisma Access.
DLP on Prisma Access includes the following elements:
  • You can Block files that match data patterns as well as create Alert notifications.
  • DLP on Prisma Access supports the use of snippets and data masking. If a pattern in a security policy matches an alert or block notification, Prisma Access extracts a snippet of the sensitive data that matched. Prisma Access uses data masking to partially mask the snippets to prevent the sensitive data from being exposed. You can configure DLP on Prisma Access to completely mask the sensitive information, unmask the snippets, or disable snippet extraction and viewing.
Prisma Access for Users and Prisma Access for Networks can leverage Palo Alto Networks’ Directory Sync service to retrieve user and group information for policy enforcement.
ECMP load balancing for Lower-Bandwidth Remote Network Connections
You can configure ECMP Load Balancing for remote networks with a bandwidth of 50, 100, or 150 Mbps, as well as 300 Mbps, allowing lower-bandwidth connections to increase their fault tolerance by adding up to four IPSec tunnels for a single remote network.
Prisma Access extends the protection of mobile user traffic from IPv4/IPv6 dual-stacked endpoints with a new CLI command that enables you to sinkhole IPv6 mobile user traffic. Because endpoints can automatically fall back to an IPv4 address, you can enable a secure and uninterrupted user experience for mobile user traffic to the internet.
