Features Introduced in Prisma Access

The following table describes the new features introduced in Prisma Access version 1.4.
Feature
Description
Increased Location Support for Mobile Users, Remote Networks, and Service Connections
To better accommodate worldwide deployments and provide best-of-breed local coverage, you can now choose from more than 100 locations in 76 countries when you onboard your mobile users, remote network connections, and service connections.
Be aware of the following changes and requirements as a result of the added locations:
  • When you first install the plugin, log out and then log back in to Panorama to see the new locations.
  • For existing customers, Prisma Access retains all existing locations in addition to adding support for the new locations; however, existing location names have changed. In addition, if you allow your mobile users to manually select gateways from the GlobalProtect app, the gateway names that mobile users see from the app have changed. See Changes to Default Behavior for details.
  • For mobile user deployments, if you currently whitelist Prisma Access public IP addresses, you must whitelist the addresses that Prisma Access assigns for any new locations that you add. To ensure that mobile users do not lose access to SaaS or public applications after you add more locations, Prisma Access pre-reserves unique addresses for each location, and you can run an API script and whitelist the pre-reserved addresses before you add new mobile user locations. See Changes to Default Behavior for more information.
  • For mobile user deployments, there is a minimum number of IP addresses required for each region where you deploy locations. When you configure mobile user deployments in Panorama, the UI validates the minimum IP address pool and prompts you if changes are required. This validation does not run if you configure locations from the CLI. If you deploy all locations from the CLI, we recommend that you add a /18 address block (16,384 addresses) to the Worldwide pool for mobile users.
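Two of the items above are easy to get wrong when the Panorama UI is not doing the checking for you: the pre-reserved egress addresses for a new location must already be on the allow list of every SaaS or public application before the location is onboarded, and CLI-configured mobile-user pools get no minimum-size validation. The following Python, an added example that is not Palo Alto Networks code, computes which pre-reserved addresses are still missing from an allow list for the locations you are about to add, and checks a set of CLI-configured pools for the /18 Worldwide minimum and for overlapping blocks (the overlap check goes beyond the text; it is a general configuration sanity check). The location names, addresses and pool ranges are constructed for illustration; in practice the reserved-address map comes from the API script the release notes refer to, whose output format this example does not assume.

```python
"""Pre-checks before adding Prisma Access mobile-user locations from the CLI.

Added example (not Palo Alto Networks code). All addresses below are constructed
sample data; the real pre-reserved addresses come from the Prisma Access API script.
"""
from ipaddress import ip_address, ip_network, IPv4Network

# A /18 is the Worldwide-pool minimum recommended for all-CLI deployments,
# where the Panorama UI's pool validation does not run.
MIN_WORLDWIDE_ADDRESSES = IPv4Network("0.0.0.0/18").num_addresses  # 16384


def missing_allowlist_entries(allowlist, reserved_by_location, new_locations):
    """Return {location: [addresses]} that must be allow-listed before onboarding.

    allowlist: IPs or CIDR strings already permitted at the SaaS/public application.
    reserved_by_location: {location_name: [egress IP strings]} (from the API script).
    new_locations: the locations about to be added.
    """
    allowed = [ip_network(entry, strict=False) for entry in allowlist]
    missing = {}
    for loc in new_locations:
        if loc not in reserved_by_location:
            raise KeyError(f"no pre-reserved addresses known for {loc!r}")
        gaps = [addr for addr in reserved_by_location[loc]
                if not any(ip_address(addr) in net for net in allowed)]
        if gaps:
            missing[loc] = gaps
    return missing


def validate_mobile_user_pools(pools, worldwide="Worldwide"):
    """Check CLI-configured mobile-user IP pools; returns a list of problems.

    pools: {region_name: [CIDR strings]}. An empty list means the pools pass.
    Assumption made by this example (not stated in the docs): several smaller
    blocks whose total reaches 16,384 addresses count as satisfying the /18.
    """
    problems = []
    nets = {}
    for region, cidrs in pools.items():
        nets[region] = []
        for cidr in cidrs:
            try:
                # strict=True rejects blocks with host bits set, e.g. 10.50.1.0/18
                nets[region].append(ip_network(cidr, strict=True))
            except ValueError as exc:
                problems.append(f"{region}: {cidr!r} is not a valid network block ({exc})")

    total = sum(n.num_addresses for n in nets.get(worldwide, []))
    if total < MIN_WORLDWIDE_ADDRESSES:
        problems.append(f"{worldwide} pool has {total} addresses; "
                        f"at least {MIN_WORLDWIDE_ADDRESSES} (a /18) is recommended")

    # Every block must be disjoint from every other block, within and across regions.
    flat = [(region, n) for region, ns in nets.items() for n in ns]
    for i, (r1, n1) in enumerate(flat):
        for r2, n2 in flat[i + 1:]:
            if n1.overlaps(n2):
                problems.append(f"{r1} {n1} overlaps {r2} {n2}")
    return problems


# Constructed sample data (illustration only; not real Prisma Access addresses).
SAMPLE_ALLOWLIST = ["198.51.100.0/24", "203.0.113.10"]
SAMPLE_RESERVED = {
    "us-east": ["198.51.100.7", "198.51.100.8"],
    "eu-west": ["203.0.113.10", "203.0.113.11"],
}
SAMPLE_POOLS = {
    "Worldwide": ["10.50.0.0/18"],
    "Americas": ["10.60.0.0/20", "10.60.8.0/22"],  # second block lies inside the first
}

if __name__ == "__main__":
    print(missing_allowlist_entries(SAMPLE_ALLOWLIST, SAMPLE_RESERVED, ["us-east", "eu-west"]))
    for problem in validate_mobile_user_pools(SAMPLE_POOLS):
        print("POOL PROBLEM:", problem)
```

Run the allow-list check against each application's current allow list before onboarding a location, and the pool check against the exact CIDRs you are about to enter on the CLI; an empty result from both is the condition under which the release note's warnings do not apply.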
Custom Local IP Address for BGP
For service connections or remote network connections that use BGP, you can specify a custom local IP address that Prisma Access uses as its local IP address for BGP peering. This is useful when the device on the other side of the connection (such as an Amazon Web Services (AWS) virtual private gateway) requires a specific local IP address for the BGP peering session.
Automatic Creation of Template Stack, Templates, and Device Groups for Multi-Tenant Deployments
To speed up the process of configuring additional tenants in a multi-tenant deployment, Prisma Access automatically creates templates, template stacks, and device groups for each tenant you create after the first one, instead of requiring you to manually create these components for each tenant.
When you enable multi-tenancy, existing templates, template stacks, and device groups still migrate over to the first tenant. For each subsequent tenant you add, Prisma Access creates the templates, template stacks, and device groups and adds them to the access domain you create.
Administratively Log Out Mobile Users from Panorama
To immediately remove mobile users' access to your organization's resources, you can log out active mobile users from the Cloud Services plugin in Panorama. You can log out mobile users connected through either the GlobalProtect app or Clientless VPN.
HTTP/HTTPS Traffic Forwarding to Service Connections
Prisma Access can redirect HTTP or HTTPS internet traffic from mobile users and remote networks, and forward and route that traffic over a service connection.
With this capability you can, for example, steer traffic through a third-party security stack (service chain) before it egresses to the internet. Another use case is to redirect traffic for specific websites so that it is routed through the organization's on-premises network.
Clean Pipe Service for Multi-Tenant Deployments
To allow organizations that manage the IT infrastructure of other organizations, such as service providers or telecommunications providers (Telcos), to quickly and easily protect outbound internet traffic for their tenants, Palo Alto Networks introduces the Clean Pipe service with this release. A service provider or Telco can route its customers (configured as tenants) to the Clean Pipe service over a Partner Interconnect. After the traffic crosses the Partner Interconnect, it is sent to a tenant-dedicated instance of Clean Pipe for security inspection and then routed to the internet.
An API that allows you to quickly and easily onboard tenants is also available.
To use the Clean Pipe service, you must purchase a Clean Pipe license and deploy Prisma Access in multi-tenant mode. After you purchase and activate this license, a new Clean Pipe tab is activated in the Cloud Services plugin. See Changes to Default Behavior for details.