Palo Alto Networks released Prisma Access 1.5 (formerly GPCS – GlobalProtect Cloud Service) and it comes with new features and changes to behavior. Read more about how Prisma Access 1.5 can help you keep your cloud secure.
Let's start off with the new features. As you can see in the list below, there are many new features that have been added, including PAN-OS 9.0 feature support, API command enhancements, and Custom URL enhancements.
New features included in Prisma Access 1.5*
PAN-OS 9.0 feature support
This release offers support for PAN-OS 9.0, which includes the following new features and enhancements:
Route preferences and preferred backup for service connections
In addition to Prisma Access’ default routing for service connections, Prisma Access allows a new choice, hot potato routing, which changes the way routes are imported and advertised to and from Prisma Access, so traffic destined to service connections (e.g., HQ or data center traffic) exits the Prisma Access network as quickly as possible.
In addition, to help ensure routing symmetry in the event of a link failure, you can choose a preferred service connection to use as a backup if a link to a service connection fails (Backup SC).
ECMP load balancing for remote network connections
To provide additional network resiliency using redundant instances of your Customer Premises Equipment (CPE), Prisma Access allows you to add up to four IPSec tunnels for a single remote network.
BGP default route support for remote network connections
Prisma Access can advertise a default route for remote network connections using BGP. You can then use this route in your organization’s network to direct traffic to Prisma Access.
API command enhancements
Prisma Access adds improvements to the commands you use to retrieve the public IP addresses (the source IP addresses that Prisma Access uses for requests to an internet-based source).
The API command has the following enhancements for mobile user deployments:
The API command lists the locations associated with the reserved IP addresses.
You can easily retrieve both the active IP addresses for each location and the reserved IP addresses for those locations that are used for scaling events. You can request the active addresses, the reserved addresses, or all sets of addresses.
To ensure consistent Host Information Profile (HIP) policy enforcement and to simplify policy management, you can redistribute HIP information received from mobile users and users at remote networks that use the GlobalProtect app from Prisma Access to other gateways, firewalls, and Panorama appliances in your enterprise, including the Panorama that manages Prisma Access.
View HIP reports from Panorama
After you configure Prisma Access to redistribute HIP information to Panorama, you can view an HIP report from Panorama.
The following section details the changes in default behavior after you upgrade to Prisma Access 1.5.**
Mobile user IP pools will advertise extended BGP community strings
When Prisma Access advertises IP pools for mobile users, it also advertises an extended BGP community string that contains both the Prisma Access Autonomous System (AS) Number and the ID of the service connection to which the mobile user's location is connected.
Minimum Panorama version requirements for Prisma Access 1.5
To use Prisma Access 1.5, you must upgrade your Panorama to a minimum version of 9.0.3-h3 (9.0.4 recommended) before upgrading the Cloud Services plugin to 1.5.
NOTE: The Cloud Services plugin 1.5 and later require a minimum Panorama version of 9.0.3-h3. If your Panorama is running 8.1, any attempt to download the 1.5 plugin from the software downloads page on the Palo Alto Networks Customer Support Portal and manually upload the plugin on Panorama 8.1 will result in an unsupported configuration and data loss.
We’ve created a new set of API scripts to allow you to quickly and easily retrieve the IP addresses that you need to whitelist in your organization’s network. The existing commands will still work and are still available; however, the improved functionality will be in the newer commands.
Minimum Panorama of 9.0.3-h3 Required for Prisma Access 1.5
To support the new features introduced in PAN-OS 9.0, Palo Alto Networks is upgrading the Prisma Access cloud infrastructure. Unlike previous infrastructure upgrades, this upgrade requires you to upgrade Panorama to version 9.0.3-h3 or later (9.0.4 is recommended) to remain interoperable with the infrastructure in the Prisma Access cloud. You can also update to the latest 9.0.x releases as they become available in the Customer Support Portal.
Minimum and recommended Panorama versions to use with Prisma Access 1.5.
Minimum Panorama version required for Prisma Access 1.5: 9.0.3-h3
Recommended version to use with Prisma Access 1.5: 9.0.4
If you use the trial version of Data Loss Prevention (DLP) with Prisma Access, 9.0.4 is required.
For more information about all the features added in Prisma Access 1.5 and all the previous versions, latest releases, upgrades, and installation information, please see the Prisma Access Release Notes.