Features in Prisma Access 3.2 and 3.2.1
This section lists the new features that are available
in Prisma Access 3.2, including Prisma Access 3.2.1, along with
upgrade information and considerations if you are upgrading from
a previous Prisma Access version.
- Cloud Services Plugin 3.2 and 3.2.1
- Upgrade Considerations for 3.2 and 3.2.1 Prisma Access Releases
- Minimum Required Software Versions
- New Features—Prisma Access 3.2.1 Preferred
- New Features—Prisma Access 3.2.1 Innovation
- New Features—Prisma Access 3.2 Preferred
- New Features—Prisma Access 3.2 Innovation
Cloud Services Plugin 3.2 and 3.2.1
Prisma Access 3.2 (including Prisma Access 3.2.1) uses
a single, unified plugin for both Preferred and Innovation releases,
which simplifies operations.
By default, the plugin will run the Preferred release. To upgrade
to an Innovation release, reach out to your Palo Alto Networks account
representative and submit a request.
Upgrade Considerations for 3.2 and 3.2.1 Prisma Access Releases
To upgrade to Prisma Access 3.2 or 3.2.1 Preferred,
use one of the following upgrade paths.
To find your plugin version, select Panorama > Cloud Services > Configuration > Service Setup in
Panorama and check the plugin version in the Plugin Alert area.
Installed Cloud Services Plugin Version | Targeted 3.2 Version | Upgrade Path |
---|---|---|
Releases earlier than 2.2 Preferred | 3.2 or 3.2.1 Preferred | |
2.2 Preferred | 3.2 or 3.2.1 Preferred | Direct upgrades from Prisma Access 2.2 to 3.2 are not supported. |
All Prisma Access Releases | 3.2 or 3.2.1 Innovation | To upgrade to 3.2 or 3.2.1 Innovation, reach out to your Palo Alto Networks account representative and submit a request. The request will be reviewed internally and, if approved, your deployment will be upgraded to 3.2 or 3.2.1 Innovation. |
Minimum Required Software Versions
Minimum Required Panorama Versions—For the minimum
Panorama versions that are supported for use with Panorama Managed Prisma
Access 3.2, see Prisma Access and Panorama Version
Compatibility in the Palo Alto Networks Compatibility
Matrix.
Minimum Required GlobalProtect Versions—Prisma Access supports any GlobalProtect version
that is not End-of-Life (EoL). The GlobalProtect
versions apply to both Panorama and Cloud Managed versions of Prisma Access.
New Features—Prisma Access 3.2.1 Preferred
The following features are added for Prisma Access 3.2.1
Preferred and Innovation. To find the new features for Cloud Managed
Prisma Access, see the new features list in the Prisma Access Release Notes (Cloud
Managed).
Feature | Description |
---|---|
Dual Authentication Portal Support for Mobile Users—GlobalProtect Deployments | You can configure two Mobile Users—GlobalProtect
portals in Prisma Access, with each portal supporting a different authentication
method on a single Prisma Access tenant (for example, one portal configured
for RADIUS authentication and one portal configured for SAML authentication).
This functionality requires an upgrade
to a specific Preferred PAN-OS dataplane. To enable this
feature, reach out to your Palo Alto Networks account
representative or partner, who will contact the SRE team and
submit a request to upgrade your dataplane. |
Licensing Enhancements (Additional Mobile User locations and Service Connections) | The following Prisma Access license enhancements
are added:
|
Prisma Access Explicit Proxy License Enhancements | You can use the same Mobile Users license
for both Explicit Proxy and GlobalProtect, and when you provision
one mobile user license unit, you can enable GlobalProtect, Explicit
Proxy, or both for a single user. This enhancement eliminates the need
to purchase additional quantities of mobile user units to support
use cases where both Explicit Proxy and GlobalProtect are needed
for the same user. See Prisma Access 3.2.1 Mobile User Licensing Change Examples for licensing
examples. |
New Prisma Access Compute Locations: Middle-East West and Europe Northwest (Paris) |
To better optimize performance of Prisma Access, the following
compute locations have been added and the following locations
have been remapped to those new compute locations:
New deployments have the new remapping applied automatically. If
you have an existing Prisma Access deployment that uses one of
these locations and you want to take advantage of the remapped
compute location, follow the procedure to add a new compute location to
a deployed Prisma Access location.
|
Populate User Group Names in Security Policy Rules Using the Cloud Identity Engine | You can configure the Cloud Identity Engine
in Panorama Managed Prisma Access deployments to populate groups
in security policy rules, allowing you to either use the Cloud Identity Engine or
a Master Device to perform this action. If you use a Master Device
to make user and group information selectable in security policies,
that functionality is unaffected. |
Multi-Tenant Prisma Access support for Cloud Identity Engine Directory Group Sync | Enable Directory Group Sync for a multi-tenant
Panorama managed Prisma Access deployment using the Cloud Identity
Engine. To enable this feature, reach out to your Palo Alto Networks
representative. |
New Strata Logging Service Region: Switzerland | A new region, Switzerland, is added to Strata Logging Service. |
API to simplify Remote Network Automation | An XML API is provided for you to simplify
connectivity from third-party SD-WAN devices and CPEs to Prisma
Access for Remote Networks. You provide the bandwidth and the latitude
and longitude of the SD-WAN device in the XML API; Prisma Access
responds with the name of the IPSec termination node and compute
location to use for the SD-WAN device. |
Terminal Server Agent Support | Prisma Access supports the Palo Alto Networks Terminal Server
(TS) Agent for the following platforms:
|
Explicit Proxy Support for Office 365 Client Apps | In addition to browser-based Office 365 support,
you can now forward O365 client application traffic through the
Prisma Access Explicit Proxy Connect method. |
New Features—Prisma Access 3.2.1 Innovation
Version 3.2 Innovation includes all the features in 3.2.1 Preferred and adds the following features.
Feature | Description |
---|---|
Regional private IP address pools for Mobile Users - GlobalProtect |
To allow you to be more granular in your Mobile
Users-GlobalProtect IP address pool allocation, you can specify
granular IP pools for the locations that are available with the
feature, as well as Worldwide or per Prisma Access theater.
|
Cloud Identity Engine Multiple Authentication Mode Support | To simplify the process of identifying and authenticating
users, Prisma Access supports Cloud Identity Engine authentication
using certificate-based authentication in
addition to multiple SAML 2.0-based identity providers in
a single authentication profile. It now also supports group-based authentication
so that you can specify different authentication types for particular
groups or directories. This helps ensure that users experience a
smooth login process regardless of the method they use to authenticate
and makes it easier to deploy identity-based security policy. For
Prisma Access Explicit Proxy deployments, multiple authentication
mode is supported for SAML authentication only. |
Web Proxy Support | If your network uses a proxy device for security, you can now leverage the same level of
protection using the on-premises web proxy capability that is
available with PAN-OS 11.0. The web proxy feature enables
additional options for migrating from an existing web proxy
architecture to a simple unified management console. Using the
web proxy feature with Prisma Access provides a seamless method
for migrating, deploying, and maintaining secure web gateway
(SWG) configurations from an easy to use and simplified
interface. Web proxy helps during the transition from
on-premises to the cloud with no loss to security or
efficiency. Web proxy requires a Panorama version of 11.0. |
Advanced Threat Prevention Inline Cloud Analysis Support for Explicit Proxy | Explicit Proxy adds Advanced Threat Prevention
Inline Cloud Analysis support: a series of ML-based detection
engines in the Advanced Threat Prevention cloud that
analyze traffic for advanced C2 (command-and-control) and spyware
threats in real time to protect users against zero-day threats.
By operating cloud-based detection engines, you can access a wide
array of detection mechanisms that are updated and deployed automatically
without requiring the user to download update packages or operate
resource-intensive analyzers. |
Advanced URL Filtering Inline Deep Learning Analysis Support for Explicit Proxy | Advanced URL Filtering provides best-in-class
web protection for the modern enterprise and stops unknown web-based attacks
in real time to prevent patient zero web threats. Advanced URL Filtering
combines Palo Alto Networks’ malicious URL database capabilities
with the industry’s first real-time web protection engine powered
by machine learning (ML). Advanced URL Filtering Inline adds
a series of inline cloud-based deep learning
detectors that evaluate suspicious web page contents in real-time. |
Commit job status via XML/API for Multi-tenant | An operational XML API is provided to
retrieve the commit job status for multi-tenant Prisma Access Panorama
Managed deployments. To retrieve the job status using a curl command,
enter the following command and API parameters: curl -k 'https://<a.b.c.d>//api/?type=op&cmd=<request><plugins><cloud_services><prisma-access><multi-tenant><tenant-name><entry%20name="<tenant_name>"></entry></tenant-name><request-job-result><jobid><job_id></jobid></request-job-result></multi-tenant></prisma-access></cloud_services></plugins></request>&key=<key>' Where:
|
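The commit-job-status request from the table above, as an added example that is not Palo Alto Networks' own code: it builds the same `cmd` XML, but verifies Panorama's certificate instead of passing `-k`, sends the API key in the `X-PAN-KEY` header rather than in the URL (where it would land in shell history and proxy logs), and validates the tenant name and job ID before they reach the XML. The environment variables `PANORAMA_HOST`, `PANORAMA_CA` and `PANORAMA_API_KEY` and all function names are assumptions.

```shell
#!/bin/sh
# Added example: hardened variant of the commit-job-status request.
# Assumed names (not from the page): PANORAMA_HOST, PANORAMA_CA,
# PANORAMA_API_KEY, and every function name below.

# Escape XML metacharacters so a tenant name cannot break out of the
# name="..." attribute it is placed in.
xml_escape() {
  printf '%s' "$1" | sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' \
                         -e 's/>/\&gt;/g' -e 's/"/\&quot;/g'
}

# Print the <request> document shown on the page for one tenant and job ID.
build_job_status_cmd() {
  js_tenant=$1
  js_job_id=$2
  [ -n "$js_tenant" ] || { echo "tenant name required" >&2; return 1; }
  case $js_job_id in
    ''|*[!0-9]*) echo "job ID must be numeric" >&2; return 1 ;;
  esac
  printf '<request><plugins><cloud_services><prisma-access><multi-tenant>'
  printf '<tenant-name><entry name="%s"></entry></tenant-name>' \
    "$(xml_escape "$js_tenant")"
  printf '<request-job-result><jobid>%s</jobid></request-job-result>' "$js_job_id"
  printf '</multi-tenant></prisma-access></cloud_services></plugins></request>'
}

# Query Panorama for the job result.
get_job_status() {
  if [ -z "${PANORAMA_HOST:-}" ] || [ -z "${PANORAMA_CA:-}" ] ||
     [ -z "${PANORAMA_API_KEY:-}" ]; then
    echo "set PANORAMA_HOST, PANORAMA_CA and PANORAMA_API_KEY" >&2
    return 1
  fi
  js_cmd=$(build_job_status_cmd "$1" "$2") || return 1
  # The key is fed to curl as a config line on stdin, so it appears
  # neither in the URL nor in the process argument list.
  # --cacert pins the CA that issued Panorama's certificate (no -k).
  # --data-urlencode percent-encodes the XML; --get keeps it a GET query.
  printf 'header = "X-PAN-KEY: %s"\n' "$PANORAMA_API_KEY" |
    curl --silent --show-error --fail \
      --cacert "$PANORAMA_CA" \
      --config - \
      --get \
      --data-urlencode "type=op" \
      --data-urlencode "cmd=$js_cmd" \
      "https://$PANORAMA_HOST/api/"
}

# Stand-alone use: ./job_status.sh <tenant_name> <job_id>
if [ "$#" -eq 2 ]; then
  get_job_status "$1" "$2"
fi
```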
New Features—Prisma Access 3.2 Preferred
The following table describes the new features that
are available with Prisma Access 3.2 Preferred.
Feature | Description |
---|---|
SaaS Security Posture Management (SSPM) | SSPM is a new product in the SaaS Security
offering that helps find and fix misconfigured settings on supported
SaaS apps along with other features to ensure proper posture security
all from one unified cloud management console. |
Suspicious User Activity | Suspicious User Activity with SaaS Security
API is an out-of-the-box policy-based detection of user activity
by User, App, and Risk scenarios. |
Autonomous Digital Experience Management Self Serve | Autonomous digital experience management
(Autonomous DEM) empowers end users to resolve application experience issues
that fall into their purview without consulting IT. ADEM Self Serve
reduces ticket load and improves the experience of end-users by
helping them quickly resolve the following issues:
|
Prisma SASE Platform | SASE Portal (https://sase.paloaltonetworks.com)
is a single location to access and manage Secure Access Service
Edge (SASE) products and services for enterprises and service providers
(SPs). The key capabilities are as follows:
|
Simplified Activation and Subscription Management | You can now use a completely new and revamped
user-friendly workflow to activate and manage all your Prisma Access subscriptions
in one place. With this update, Palo Alto Networks optimizes the
activation flow, significantly reducing the activation time and
providing contextual information that can reduce any human errors
during the activation. The updates include the following workflows:
|
DNS Security Enhancements | Prisma Access deployments now extend protection
for the latest DNS-based attack techniques, including strategically
aged domains, making it the most comprehensive DNS security solution
available. |
1 Gbps Maximum Bandwidth Support for Remote Network IPSec Termination Nodes | The maximum bandwidth that Prisma Access
can allocate to IPSec termination nodes for remote network deployments is
increasing from 500 Mbps to 1000 Mbps. This change allows
you to allocate more bandwidth to remote networks. To make this increase
effective, you must allocate a minimum of 501 Mbps to the compute locations associated
with the IPSec termination nodes. See Changes to Default
Behavior for details. While bandwidth enforcement
is not currently applied, Prisma Access reserves the right to enforce
the allocated bandwidth when the consumption exceeds the allocation.
You will be notified prior to applying the enforcement. This functionality is supported for Panorama Managed deployments only. If you are upgrading from
an earlier Cloud Services plugin version, you must perform a
Commit and Push before installing the
3.2 plugin and perform a Push to Devices
after installing the plugin to implement this change. |
Simplified SASE Consumption Model with Prisma Access SD-WAN Add-On | Palo Alto Networks is introducing Prisma SD-WAN as a simple add-on
solution to Prisma Access, allowing customers to get best-in-class
security and SD-WAN in an effortless, consumable model. With the
Prisma SD-WAN add-on to Prisma Access, you can get the most comprehensive SASE
solution that enables aggregation of bandwidth across all branch
locations, provides ease of activation via a single link for all
SASE services—including SD-WAN—while gaining the flexibility to
easily add additional services as needed from a unified management console. |
New Prisma Access Locations | To better accommodate worldwide deployments
and provide enhanced local coverage, the following new locations
have been added, which map to the following compute locations:
|
New and Renamed Prisma Access Compute Locations and Remapped Locations | To better optimize performance of Prisma Access,
the following new compute locations are added and the following
locations are remapped to the new compute locations:
In
addition, the existing Asia Southeast compute location is
renamed Asia Southeast (Singapore). New deployments
have the new remapping applied automatically. If you have an existing
Prisma Access deployment that uses one of these locations and you
want to take advantage of the remapped compute location, follow
the procedure to add a new compute location to
a deployed Prisma Access location. |
Terminal Server (TS) Agent Support | Prisma Access supports the Palo Alto Networks Terminal Server
(TS) Agent for the following platforms:
A maximum
of 400 TS Agents are supported. |
Disable Logging for Service Connections | This functionality allows the Palo Alto Networks
Site Reliability Engineering (SRE) team to disable logging on the
service connections for your Prisma Access deployment. If the majority of the traffic flows logged by the service connections are asymmetric, disabling
service connection logging might be required to reduce the
consumption of Strata Logging Service logging storage. If your
deployment does not have asymmetric flows via the service
connections, you do not need to disable logging. To disable logging for
service connections, reach out to your Palo Alto Networks account
representative or partner, who will contact the SRE team and submit
a request. |
New Features—Prisma Access 3.2 Innovation
Version 3.2 Innovation includes all the features in 3.2 Preferred and adds the following features.
Feature | Description |
---|---|
Next-Generation CASB-X for Prisma Access and Next-Generation Firewalls | The Next-Generation Cloud Access Security
Broker (CASB-X) is a new SKU that contains all the CASB components
such as SaaS Security Inline, SaaS Security API, SaaS Security Posture Management
(SSPM), and Enterprise DLP API. It
can be applied on Cloud Managed Prisma Access, Panorama Managed Prisma
Access, and Panorama Managed Next-Generation Firewall (NGFW) devices
in a single-tenant environment. |
Simplify Private App Access Using ZTNA Connector | The Zero Trust Network Access (ZTNA) Connector
dramatically simplifies private app access for all apps including
modern, cloud-native, containerized, microservice, and legacy apps. With
the introduction of this feature, you can either use the ZTNA Connector
or a service connection to
enable access to private apps for your users. Both methods enforce
all ZTNA 2.0 principles. For
Panorama Managed Prisma Access deployments, the ZTNA Connector is
not supported in a multi-tenant deployment;
however, multi-tenancy is supported with ZTNA Connector in a Cloud Managed
Prisma Access deployment. |
Advanced Threat Prevention Inline Cloud Analysis and Domain Fronting Detection | Advanced Threat Prevention blocks unknown
and evasive command and control traffic inline in real-time with
unique deep learning and machine learning models. The following
advanced threat prevention capabilities are added to Prisma Access:
|
Advanced URL Filtering Inline Deep Learning Analysis | Advanced URL Filtering provides best-in-class
web protection for the modern enterprise and stops unknown web-based attacks
in real time to prevent patient zero web threats. Advanced URL Filtering
combines Palo Alto Networks’ malicious URL database capabilities
with the industry’s first real-time web protection engine powered
by machine learning (ML). Advanced URL Filtering Inline adds
a series of inline cloud-based deep learning
detectors that evaluate suspicious web page contents in real-time. |
DLP Web Form Data Inspection | To prevent exfiltration of sensitive information
in data exchanged in collaboration applications, web forms, Cloud
applications, custom applications, and social media, Enterprise
Data Loss Prevention (DLP) supports inspection of non-file format
traffic using web form data inspection. |
NAT Support for Private Applications | You can specify a subnet at one or more service
connections that are used to NAT traffic between Prisma Access GlobalProtect
mobile users and private applications and resources at a data center.
You
can use either RFC1918 or RFC6598 addresses as the subnets. |
Kerberos Authentication Support for Explicit Proxy | You can now use both SAML to authenticate
users, and Kerberos to authenticate users and machines, in a single Explicit
Proxy deployment. |