Features Introduced in Prisma Access 1.3.0

The following table describes the new features introduced in the Cloud Services plugin version 1.3.0. For additional information on how to use the new features in this release, refer to the Prisma Access Administrator’s Guide (Panorama Managed).
Upgrading to 1.3 causes changes to device groups.
Quality of Service (QoS) Support
You can now enable QoS in Prisma Access to mark and shape QoS traffic. Prisma Access delivers the same QoS marking and shaping features available today in Palo Alto Networks next-generation firewalls.
  • You can create PAN-OS security policies to mark traffic destined to Prisma Access for mobile users and for remote network connections. For service connections, Prisma Access honors traffic marking from your on-premise devices. In addition, you can optionally use on-premise devices to mark traffic for remote networks.
  • You can create QoS profiles to shape QoS traffic for service connections and for remote network connections and apply those profiles to traffic that you marked with PAN-OS security policies, traffic that you marked with an on-premise device, or both PAN-OS-marked and on-premise-marked traffic.
Support for Additional Service Connections
You can now configure up to 100 service connections in Prisma Access. Previously, a maximum of three service connections were allowed and you had to use remote network connections for additional connections to an HQ or data center site, which limited throughput to the configured bandwidth of the remote connection.
You can configure up to three service connections with no license cost; however, each additional connection uses 300 Mbps of the remote network bandwidth allocation from your Prisma Access license.
The license cost for additional service connections does not change their functionality. Prisma Access does not limit the bandwidth over service connections, and additional service connections work the same as other service connections.
Additional Bandwidth Choices for Remote Networks
In addition to the existing remote network bandwidth choices of 2 Mbps, 5 Mbps, 10 Mbps, 25 Mbps, 50 Mbps, 100 Mbps, or 300 Mbps, you can now select 20 or 150 Mbps, to better match commonly-used ISP speeds.
Expanded Visibility for Mobile Users
You now have expanded visibility for mobile users, including their client OS, their last login time, and their public IP addresses. You can view a list of currently logged in users or view historical information of previously-logged in users for a 90-day time period.
To view User ID information, select
Cloud Services
; then click either
Current Users
Users (Last 90 days)
in the
Mobile Users
Multiple Prisma Access Instances On a Single Panorama Appliance (Multi-Tenancy)
You can now host and manage multiple instances of Prisma Access (known as
) on a single Panorama appliance. With multi-tenancy, each single Panorama appliance supports up to 100 tenants, each with their own templates and template stacks, device groups, and access domains. This enables you to create tenant-level administrative users who can view and edit the configuration for a single tenant.
You allocate remote network and mobile user license resources for each tenant based on the license that is associated with the Cloud Services plugin in Panorama. The minimum license allocation for each tenant is 500 Mbps for remote networks and 500 mobile users. You can also configure a tenant with only remote networks (minimum 500 Mbps) or mobile users (minimum 500 mobile users).
Since this feature is supported starting with PAN-OS version 8.1.6, you must use the Cloud Services plugin with a Panorama appliance running a minimum version of 8.1.6.
GlobalProtect App Generate Ticket Option
Panorama now allows GlobalProtect administrators and Help Desk support personnel to generate a ticket that end users must supply to disable the GlobalProtect app for Windows or for Mac.
Since this enhancement is supported starting with PAN-OS version 8.1.6, you must use the Cloud Services plugin with a Panorama appliance running a minimum version of 8.1.6.
Persistent Public IP Addresses for Mobile User Gateways
This feature is applicable if you are adding Prisma Access public IP addresses to an allow list in your network to control access for SaaS or public applications.
With this release, Prisma Access now assigns two new sets of public IP addresses for mobile user gateways:
  • One set that is assigned to gateways that are currently active.
  • Another set to reserve in case of a scaling event, infrastructure upgrade, or other event that causes an IP address change for mobile users.
These new IP addresses will persist across future upgrades.
Prisma Access provides each customer with their own unique set of IP addresses. While the currently assigned IP address will change after you upgrade, this change does not affect mobile users' ability to connect to Prisma Access.
Public IP addresses for remote networks will not change after you upgrade, and you do not have to reconfigure your IPSec tunnels.
You can retrieve these new addresses by retrieving your API key and entering a curl command in the following format:
curl -k -H header-api-key:Current-API-Key "https://api.gpcloudservice.com/getAddrList/latest?get_egress_ip_all=yes"
Where Current-API-Key is the Prisma Access API key.
For example, given an API key of
, use the following curl command to retrieve the public IP address:
curl -k -H header-api-key:123abc "https://api.gpcloudservice.com/getAddrList/latest?get_egress_ip_all=yes"
If you have a large number of mobile users from a single region, the reserved IP addresses might be insufficient to scale; in this case, Prisma Access adds more public IP addresses to the allocated IP sets and you will have to retrieve those new IP addresses to add to your allow lists. These extra sets of IP addresses also persist after an upgrade. Continue to use the curl command to get notified when additional sets of IPs are added to the reserved pool.
PAN-OS 8.1 Support
The Prisma Access infrastructure is upgraded to PAN-OS version 8.1. You can now implement PAN-OS 8.1 features in Prisma Access, including but not limited to the following features:
Upgrading the infrastructure to 8.1 causes changes to default behavior; for more information, see the following documentation:
  • Changes to Default Behavior for PAN-OS and GlobalProtect 8.1
  • Changes to Default Behavior for the User-ID Agent
    In particular, please note that previously, the firewall normalized usernames received from User-ID sources (such as an LDAP directory) to the domain\username format. In PAN-OS 8.1, when the Primary Username is in UPN format, it will not be normalized as in previous PAN-OS versions. As a result, usernames are displayed in their original format (for example, username@domain).

Recommended For You