NEW Prisma Access 1.4 Updates

Community Team Member

Palo Alto Networks releases Prisma Access version 1.4, featuring new default behavior and lots of new enhancements, including more location support for mobile users. Got questions? Get answers here on LIVEcommunity!

 

[Image: Prisma access 1.4.jpg]

Prisma Access, formerly known as GlobalProtect cloud service (GPCS), has released version 1.4 for August 2019.

 

Along with Prisma Access version 1.4, which fixes many issues described below, there is a long list of added features and some default changes to the product. These updates are very important for you to know about. One of the biggest added features is the increased location support, which now supports more than 100 locations in 76 countries.

 

Please check out the video preview below that covers those added features and the changes to default behavior.

 

 

Added Features

The following describes the new features introduced in Prisma Access version 1.4, each feature name followed by its description. *

 

Increased Location Support for Mobile Users, Remote Networks, and Service Connections
To better accommodate worldwide deployments and provide best-of-breed local coverage, you can now choose from more than 100 locations in 76 countries when you onboard your mobile users, remote network connections, and service connections.
Be aware of the following changes and requirements as a result of the added locations:
  • When you first install the plugin, log out and then log back in to Panorama to see the new locations.
  • For existing customers, Prisma Access retains all existing locations in addition to adding support for the new locations; however, existing location names have changed. In addition, if you allow your mobile users to manually select gateways from the GlobalProtect app, the gateway names that mobile users see from the app have changed. See Changes to Default Behavior for details.
  • For mobile user deployments, if you currently whitelist Prisma Access public IP addresses, you must whitelist the addresses that Prisma Access assigns for any new locations that you add. To ensure that mobile users do not lose access to SaaS or public applications after you add more locations, Prisma Access pre-reserves unique addresses for each location, and you can run an API script and whitelist the pre-reserved addresses before you add new mobile user locations. See Changes to Default Behavior for more information.
  • For mobile user deployments, there is a minimum number of IP addresses that are required for each region where you deploy the locations. When you configure mobile user deployments in Panorama, the web interface validates the minimum IP address pool and prompts you if changes are required. This validation is not available if you configure locations using the CLI. If you deploy all locations using the CLI, we recommend that you add a "/18 address" in the worldwide pool for mobile users.

Custom Local IP Address for BGP
For service connections or remote network connections that use BGP, you can specify a custom local IP address that Prisma Access uses as its local IP address for BGP. This custom address is useful when the device on the other side of the connection (such as an Amazon Web Services (AWS) Virtual Private Gateway) requires a specific local IP address for BGP peering.

Automatic Creation of Template Stack, Templates, and Device Groups for Multi-Tenant Deployments
To speed up the process of configuring additional tenants in a multi-tenant deployment, Prisma Access automatically creates templates, template stacks, and device groups for each tenant you create after the first one, instead of requiring you to manually create these components for each tenant.
When you enable multi-tenancy, existing templates, template stacks, and device groups still migrate over to the first tenant. For each subsequent tenant you add, Prisma Access creates the templates, template stacks, and device groups and adds them to the access domain you create.

Administratively Log Out Mobile Users from Panorama
To immediately remove mobile users from access to your organization's resources, you can log out active mobile users from the Cloud Services plugin in Panorama.

HTTP/HTTPS Traffic Forwarding to Service Connections
Prisma Access can redirect HTTP or HTTPS internet traffic from mobile users and remote networks, and forward and route that traffic over a service connection.
With this capability, you can steer traffic through a third-party security stack (service chain) before egressing to the internet. Another use case is to redirect certain website traffic to be routed through the organization’s on-premises network.

Clean Pipe Service for Multi-Tenant Deployments
To allow organizations that manage the IT infrastructure of other organizations, such as service providers or telecommunications providers (Telcos), to quickly and easily protect outbound internet traffic for their tenants, Palo Alto Networks introduces the Clean Pipe service with this release. A service provider (or Telco) will be able to route their customers (configured as tenants) to the Clean Pipe service using a Partner Interconnect. After the traffic crosses the Partner Interconnect, it will be sent to a tenant-dedicated instance of Clean Pipe for security and then be routed to the internet.
An API that allows you to quickly and easily onboard tenants is also available.
To use the Clean Pipe service, you must purchase a Clean Pipe license and deploy Prisma Access in multi-tenant mode. After you purchase and activate this license, a new Clean Pipe tab is activated in the Cloud Services plugin. See Changes to Default Behavior for details.

* Information adapted from the Prisma Access release notes, also available in TechDocs.
 
 

Default Behavior

Along with the new features, there are changes to the default behavior that you may want to be aware of.

The changes to default behavior are detailed below, each component name followed by the change that applies to it: **

 

Additions to Public IP addresses when you add mobile user locations
When you add mobile user locations, Prisma Access assigns public IP addresses for each location you add. With this release, Palo Alto Networks pre-reserves IP addresses for each location, and we provide a unique set for each customer. If you whitelist your public IP addresses to provide mobile users access to SaaS or public applications, you can call our API and whitelist the pre-reserved IP addresses before you add new mobile user locations.
To find the public IP addresses to whitelist before you add the locations, generate an API key if you have not already done so, and run the following command, where Current-API-Key is the Prisma Access API key:

curl -k -H "header-api-key: Current-API-Key" "https://api.gpcloudservice.com/getAddrList/latest?get_egress_ip_all=yes"

You can then whitelist these IP addresses before you add the new location.
[Image: Prisma access 1.4-1.jpg]

Changes to location names
The names of the locations that are used for existing mobile users’ configuration, service connections, and remote network connections have changed to the following names.
No configuration is changed as a result of the upgrade to 1.4, including any IP addresses you have whitelisted. Only the names of the locations have changed.
NOTE: After installing the plugin, log out and then log back in to Panorama to see the new locations.
  • Asia Pacific (Tokyo) changes to Japan Central
  • Asia Pacific (Seoul) changes to South Korea
  • Asia Pacific (Mumbai) changes to India West
  • Asia Pacific (Singapore) changes to Singapore
  • Asia Pacific (Sydney) changes to Australia Southeast
  • Canada (Montreal) changes to Canada East
  • EU (Frankfurt) changes to Germany Central
  • EU (Ireland) changes to Ireland
  • EU (London) changes to UK
  • EU (Paris) changes to France North
  • South America (Sao Paulo) changes to Brazil South
  • US East (N. Virginia) changes to US East
  • US East (Ohio) changes to US Central
  • US West (N. California) changes to US West
  • US West (Oregon) changes to US Northwest

Changes to GlobalProtect app manual selection gateway names
If you allow mobile users to manually select Prisma Access gateways from the GlobalProtect app, the gateway location names that mobile users can select from the GlobalProtect app have changed to the following names:
  • Australia changes to Australia Southeast
  • Brazil changes to Brazil South
  • Canada changes to Canada East
  • France changes to France North
  • Germany changes to Germany Central
  • India changes to India West
  • Japan changes to Japan Central
  • Korea changes to South Korea
  • United Kingdom changes to UK
The following location names did not change in the GlobalProtect app:
  • Ireland
  • Singapore
  • US East
  • US West

New tab to select locations that mobile users can access from the GlobalProtect app
To reduce the number of available gateways that mobile users can see in their GlobalProtect app when they manually select a gateway, a new Manual Gateway Locations tab in Panorama allows you to specify a subset of onboarded locations (Panorama > Cloud Services > Configuration > Mobile Users > Configuration). When GlobalProtect users manually select a location using their GlobalProtect app, they only see the locations that you have added and that are in the Manual Gateway Locations list.
If you’ve added a location and it’s not in the predefined list, it doesn’t appear in the GlobalProtect app as a choice; however, you can add onboarded locations to the Manual Gateway Locations list so that they display as a choice.
[Image: Prisma access 1.4-2.jpg]

Changes to Mobile User location selection in the Prisma Access UI
To allow you to easily add more mobile user locations, there are changes to how you select locations for a mobile user deployment. These changes display when you select Panorama > Cloud Service > Configuration > Mobile Users > Configure.
When you onboard a mobile user deployment, the Locations tab changes from a list of locations to a list of regions you can select. There is a map view and a list view. Choose between the map and list view from a button on the lower left of the page.
  • The map view displays a list of the worldwide regions where onboarding locations are available. After you select a region, a map displays with a zoomed version of that region. You then select the locations from the map.
  • The list view displays columns for each region with all locations sorted by region. You can select all sites in a region by selecting All at the top of the column.

New Tab in Cloud Services Plugin for Clean Pipe service
If you purchase and license the Clean Pipe service, a new tab called Clean Pipe displays in the Panorama Cloud Services Configuration area. After you purchase and activate a license for the Clean Pipe service, this tab becomes active. You add and modify your Clean Pipe configuration in this tab.

User prompted for HTTPS traffic that matches an authentication policy
If you have an authentication policy configured with user authentication (e.g., captive portal or multi-factor authentication (MFA)) and HTTPS traffic matches the authentication policy, the GlobalProtect app prompts the user to enter their credentials. If authentication succeeds, Prisma Access allows the traffic; if authentication fails, Prisma Access drops the traffic.
This is a change from previous Prisma Access functionality, where Prisma Access passed the traffic without asking the user for their credentials.

Product Name Change (GlobalProtect cloud service to Prisma Access)
GlobalProtect cloud service has changed its name to Prisma Access. The following component names have changed:
  • GlobalProtect cloud service – Has been renamed to Prisma Access
  • GlobalProtect cloud service for Remote Networks – Has been renamed to Prisma Access for Networks
  • GlobalProtect cloud service for Mobile Users – Has been renamed to Prisma Access for Users
  • Portals used in GlobalProtect cloud service – Have been renamed to Prisma Access portals
  • Gateways used in GlobalProtect cloud service – Have been renamed to Prisma Access gateways
In addition, Logging Service has been renamed to Cortex Data Lake.

New field for Custom Local IP Address for BGP
When you onboard a service connection or remote network connection, the Onboarding page for service connections and remote networks has a new Local Address field in the BGP tab (Panorama > Cloud Services > Configuration > Service Setup > Add and Panorama > Cloud Services > Configuration > Remote Networks > Add). Enter a custom BGP address here as required for your deployment. For example, enter a Local Address in cases where the device on the other side of the connection requires a specific local IP address for BGP peering.

** Information adapted from the "Changes to Default Behavior" part of the Prisma Access Release Notes.
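As an added example (not Palo Alto Networks code and not from the release notes), the following Python script shows how a team that whitelists Prisma Access egress addresses could use the pre-reserved address API described above under "Additions to Public IP addresses" to work out which addresses still have to be added before a new location is onboarded; it keeps TLS certificate verification on rather than using curl -k. The response shape it parses is an assumption that must be checked against a real tenant's output, and the sample response and current allowlist are constructed values, not taken from the page.

```python
import ipaddress
import json
import urllib.request

API_URL = "https://api.gpcloudservice.com/getAddrList/latest?get_egress_ip_all=yes"

def fetch_address_list(api_key):
    """Call getAddrList with TLS verification left on (the curl example's -k disables it)."""
    req = urllib.request.Request(API_URL, headers={"header-api-key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def addresses_by_zone(payload):
    """Flatten the response into {zone: {ip, ...}}, rejecting values that are not IP literals.
    ASSUMPTION: shape is {"status": ..., "result": [{"zone": ..., "addresses": [...]}]};
    compare with your tenant's real output and adjust the keys if they differ."""
    if payload.get("status") != "success":
        raise ValueError("API call did not succeed: %r" % payload)
    by_zone = {}
    for entry in payload.get("result", []):
        ips = set()
        for addr in entry.get("addresses", []):
            ips.add(str(ipaddress.ip_address(addr)))  # ValueError on anything that is not an IP
        by_zone[entry["zone"]] = ips
    return by_zone

def missing_from_allowlist(by_zone, allowlist, zones=None):
    """Return {zone: [ip, ...]}: egress IPs the SaaS allowlist still lacks for the zones to be onboarded."""
    allowed = {str(ipaddress.ip_address(a)) for a in allowlist}
    gaps = {}
    for zone in (zones if zones is not None else by_zone):
        missing = sorted(by_zone.get(zone, set()) - allowed, key=ipaddress.ip_address)
        if missing:
            gaps[zone] = missing
    return gaps

# Constructed sample response using RFC 5737 documentation ranges, not real Prisma Access addresses.
SAMPLE_RESPONSE = {"status": "success", "result": [
    {"zone": "US East", "addresses": ["192.0.2.10", "192.0.2.11"]},
    {"zone": "Germany Central", "addresses": ["198.51.100.5"]},
    {"zone": "India West", "addresses": ["203.0.113.7", "203.0.113.8"]}]}
CURRENT_ALLOWLIST = ["192.0.2.10", "192.0.2.11", "203.0.113.7"]  # what the SaaS app allows today

if __name__ == "__main__":
    gaps = missing_from_allowlist(addresses_by_zone(SAMPLE_RESPONSE), CURRENT_ALLOWLIST,
                                  zones=["Germany Central", "India West"])
    for zone, ips in gaps.items():
        print("%s: add %s to the allowlist before onboarding" % (zone, ", ".join(ips)))
```

Run it against a saved real response (or the output of fetch_address_list) with the zones you are about to onboard, and apply the reported additions to the SaaS allowlist before adding those locations in Panorama.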
 
More Info
Prisma Access Release Notes
For more information about all of the features added in Prisma Access 1.4, as well as all of the previous versions, latest releases, upgrades, and installation information, please see the Prisma Access Release Notes.

 

Prisma Access Administrator’s Guide
Please see the Prisma Access Administrator’s Guide for details on how to configure and use Prisma Access.

 

Discussion Area
We welcome you to join the conversation by asking questions or providing answers in the Prisma Access Discussion area.

 

 

Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button and don't forget to subscribe to the LIVEcommunity blog.
As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Joe Delio
End of line
