Features in Prisma Access 3.1
This section lists the new features that are available in Prisma Access 3.1, along with upgrade information and considerations if you are upgrading from a previous Prisma Access version.
Cloud Services Plugin 3.1
Prisma Access 3.1 uses a single plugin for both 3.1 Preferred or 3.1 Innovation. By default, the plugin will run 3.1 Preferred. To upgrade to 3.1 Innovation, reach out to your Palo Alto Networks account representative and submit a request.
Upgrade Considerations for 3.1 Prisma Access Releases
To upgrade to Prisma Access 3.1 Preferred, use one of the following upgrade paths.
To find your plugin version, select
in Panorama and check the plugin version in the
Installed Cloud Services Plugin Version
Targeted 3.1 Version
Releases earlier than 2.2 Preferred
Direct upgrades from Prisma Access 2.2 to 3.1 are not supported.
All Prisma Access Releases
To upgrade to 3.1 Innovation, reach out to your Palo Alto Networks account representative and submit a request. The request will be reviewed internally and, if approved, your deployment will be upgraded to 3.1 Innovation.
Minimum Required Software Versions
If you have a Cloud Managed Prisma Access deployment, plugin upgrades are not required; however, the GlobalProtect versions apply to both Panorama and Cloud Managed versions of Prisma Access.
Prisma Access supports any GlobalProtect version that is not End-of-Life (EoL), including 5.1, 5.2, 5.3, and 6.0. A minimum of GlobalProtect 5.2.5 is required for GlobalProtect App Log Collection for Troubleshooting. The Autonomous DEM (ADEM) documentation has the minimum GlobalProtect and Content Release versions required for ADEM.
New Features—Prisma Access 3.1.2 Preferred and Innovation
The following features are added for Prisma Access 3.1.2 Preferred and Innovation.
To unlock the 3.1.2 features, use a minimum Cloud Services plugin of 3.1.0-h50.
Panorama 10.2.2 Support
Starting with the Cloud Services plugin version of 3.1.0-h50, Prisma Access supports a Panorama version of 10.2.2.
A minimum Panorama version of 10.2.2-h1 is required.
Do not install Panorama 10.2.2-h1 on the Panorama that manages Prisma Access until after you have installed a minimum hotfix plugin version of 3.1.0-h50. In addition, 10.2 Panorama versions lower than 10.2.2 (for example, 10.2.1), or 10.2.2 versions lower than 10.2.2-h1, are not supported for use with Prisma Access.
You can still use Panorama 10.1, 10.0, or 9.1 versions as described in the Compatibility Matrix.
Support for RFC 6598 Addresses in Prisma Access Infrastructure IP Addresses
If your enterprise uses RFC 6598 IP addresses as a part of your enterprise routable address space, you can use that address space in the following Prisma Access infrastructure IP addresses:
The following functionality is not supported with RFC 6598 addresses:
To enable the use of 100.64.0.0/10 addresses in infrastructure addresses, reach out to your Palo Alto Networks account representative or partner and submit a request. An upgrade to 3.1 Innovation is required.
Block Incoming Connections from Specific Countries for GlobalProtect, Explicit Proxy, and Remote Network Deployments
Prisma Access allows you to create security policy rules to block login attempts for Remote Network, Mobile Users—GlobalProtect, and Mobile Users—Explicit Proxy deployments from countries you specify. Prisma Access blocks incoming connections from the countries you specify based on the geo location information from the source IP address of the client.
Block these countries using the following combination of Rule names, tags, and actions:
To drop traffic by country, specify one or more countries in the
Sourcetab of the security policy rule.
Disable Logging for Service Connections
This functionality allows the Palo Alto Networks Site Reliability Engineering (SRE) team to disable logging on the service connections for your Prisma Access deployment.
If the majority of the traffic flows logged by the service connections are asymmetric, disabling service connection logging might be required to reduce the consumption of Cortex Data Lake logging storage. If your deployment does not have asymmetric flows via the service connections, you do not need to disable logging.
To disable logging for service connections, reach out to your Palo Alto Networks account representative or partner, who will contact the SRE team and submit a request.
Remapped Prisma Access Locations
To better optimize performance of Prisma Access locations, the following locations are remapped to the Chile compute location:
New deployments have the new remapping applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to Add a new compute location to a deployed Prisma Access location.
New Features—Prisma Access 3.1.1 Preferred and Innovation
The following features are added for Prisma Access 3.1.1 Preferred and Innovation.
To unlock the 3.1.1 features, use a minimum Cloud Services plugin of 3.1.0-h10.
Prisma Access supports the updating of enterprise DNS servers with mobile users’ A (Address) and PTR (Pointer) records using Dynamic DNS (DDNS) registration. This functionality allows system administrators or user management software to access the remote endpoint with FQDN for troubleshooting and software updates.
Okyo Garde Network Address Translation Support
Prisma Access adds the following update to Okyo Garde Enterprise Edition with Prisma Access:
Choose to enable or disable Network Address Translation (NAT) and configure a custom IP pool for Okyo Garde in Network Settings.
New Features—Prisma Access 3.1 Preferred
The following table describes the new features that are available with Prisma Access 3.1 Preferred.
Okyo Garde Enterprise Edition with Prisma Access brings SASE to the home network.
Okyo Garde is a network security solution that’s neatly packaged to be deployed in employees' homes to support work-from-home use cases. Okyo Garde:
If you use QoS with your current Prisma Access remote network deployment and you allocate bandwidth by location, you can migrate to an aggregate bandwidth deployment (a deployment that allocates bandwidth by compute location instead of Prisma Access location), while retaining your existing QoS policies and profiles.
Using the aggregate bandwidth model, you allocate bandwidth at an aggregate level per compute location, and Prisma Access dynamically allocates the bandwidth based on load or demand per location.
To optimize performance and reduce latency, Prisma Access adds a new compute location that is hosted in Chile (South America West), and maps the Chile location to that compute location. This new compute region is available as of March 28, 2022, at 12 p.m. UTC.
If you add Chile after you install the Cloud Services 3.1 plugin, Prisma Access associates the new compute location automatically. If you are upgrading from an existing Prisma Access location, you can use this procedure to migrate to the new compute location for Chile.
New Cloud Managed Prisma Access deployments support multitenancy using a single cloud-based Prisma SASE Multitanant Cloud Management Platform, which allows Managed Security Service Providers (MSSPs) and distributed enterprises to manage the tenants and users that you create for your Prisma Access instances, and to monitor those instances.
Alternatively, if you are a new customer but not licensed as an MSSP, you can still use cloud-managed multitenancy if you want to configure your new Prisma Access deployment into a hierarchy of business verticals or geographic locations.
Support for CASB Bundle and Activation
Palo Alto Networks provides a SKU that allows you to purchase and activate all the components required for the cloud access security broker (CASB) security offering, which includes the following products:
Multitenant Support for Cloud Managed Explicit Proxy Deployments
New Cloud Managed Prisma Access deployments will support using multitenancy in Explicit Proxy deployments, which will allow managed security service providers to manage multiple Prisma Access tenants from a single cloud-based Prisma SASE Multitenant Platform.
New Features—Prisma Access 3.1 Innovation
Version 3.1 Innovation includes all the features in 3.1 Preferred and adds the following features.
Explicit Proxy Enhancements
In addition to the Explicit Proxy enhancements described for 3.0 Preferred, Prisma Access offers the following additional enhancements for 3.0 Innovation:
To provide additional redundancy for service connections, Prisma Access will let you onboard active and backup service connections from different cloud providers in the same location, or from different Prisma Access compute locations. Prisma Access provides you with a list of the supported in-country service connections you can use as active and backup locations.
Recommended For You
Recommended videos not found.