Features Introduced in Prisma Access 1.6.0

Prisma Access does not support versions of the Cloud Services plugin earlier than 1.6, and you must upgrade to this version.

The following table describes the new features introduced in Prisma Access version 1.6.0.

Feature	Description
DNS Enhancements for Mobile Users	If you specify the same DNS server to resolve both internal and external domains, Prisma Access does not proxy the DNS request, and you can view the actual source IP address of the client that sent the DNS request. This enhancement allows you to enforce source IP address-based DNS policies or identify endpoints that communicate with malicious domains using the source IP of the DNS requests.
DNS Additions for Remote Networks	You can use Prisma Access to specify DNS servers to resolve both internal and public domains. If you specify an internal DNS server to resolve internal DNS domains and then specify either a public server or Prisma Access’ Cloud Default server to resolve external domains, Prisma Access proxies the requests from the remote network site. You can also specify an external DNS server that is closer to the egress points of your remote network sites than your internal DNS server, which can provide optimal connectivity for SaaS applications such as Microsoft Office 365.
Clean Pipe Intra-zone Connection Redundancy	Prisma Access allows you to configure two VLAN attachments for a single Clean Pipe location in an active/backup configuration for intra-zone redundancy—an enhancement to the current implementation, where you can specify two different VLAN attachments in different availability zones (inter-zone redundancy).
QoS for Clean Pipe	For Clean Pipe deployments, you can create QoS policies to define the traffic that receives QoS treatment and QoS profiles to define the classes of service, including priority, that the traffic can receive. You can define QoS based on DSCP values or zones (Trust or Untrust).
Secure Inbound Access Support for Remote Networks	If you are hosting an internet-facing application or service in your remote network location, you can use Prisma Access to front-end that application or service and provide secure access from both internal and external users over the internet.
200 Tenant Support for Multitenancy	The Cloud Services Plugin increases multitenant support from 100 to 200 Prisma Access tenants. This gives Service Providers and large enterprises the capability to expand how they deploy and support disparate, segregated environments. For concurrent Panorama administrator login maximums, see the Prisma Access Administrator’s Guide (Panorama Managed).
Support for Individual BGP Peers on Primary and Secondary IPSec Tunnels	To facilitate dynamic IPSec tunnel failover for BGP deployments if the on-premises devices do not use the same IP addresses for BGP peering, you can specify different BGP peer and local IP addresses for the primary and secondary (active and backup) IPSec tunnels for service connections and remote network connections.
DLP on Prisma Access	This release adds support for Data Loss Prevention (DLP) on Prisma Access. DLP on Prisma Access uses predefined patterns, built-in settings, and options that make it easy for you to protect files that contain certain file properties (such as a document title or author), credit card numbers, regulated information from different countries (like social security numbers), and third-party DLP labels. DLP is an add-on license on Prisma Access. You can either start with a 60-day trial or purchase a license to use Enterprise DLP on Prisma Access. DLP on Prisma Access includes the following elements: You can Block files that match data patterns as well as create Alert notifications. DLP on Prisma Access supports the use of snippets and data masking . If a pattern in a security policy matches an alert or block notification, Prisma Access extracts a snippet of the sensitive data that matched. Prisma Access uses data masking to partially mask the snippets to prevent the sensitive data from being exposed. You can configure DLP on Prisma Access to completely mask the sensitive information, unmask the snippets, or disable snippet extraction and viewing.
Directory Sync Integration with Prisma Access	Prisma Access for Users and Prisma Access for Networks can leverage Palo Alto Networks’ Directory Sync service to retrieve user and group information for policy enforcement.
ECMP load balancing for Lower-Bandwidth Remote Network Connections	You can configure ECMP Load Balancing for remote networks with a bandwidth of 50, 100, or 150 Mbps, as well as 300 Mbps, allowing lower-bandwidth connections to increase their fault tolerance by adding up to four IPSec tunnels for a single remote network.
Sinkhole Mobile User IPv6 Traffic	Prisma Access extends the protection of mobile user traffic from IPv4/IPv6 dual-stacked endpoints with a new CLI command that enables you to sinkhole IPv6 mobile user traffic. Because endpoints can automatically fall back to an IPv4 address, you can enable a secure and uninterrupted user experience for mobile user traffic to the internet.