NEW Prisma Access 1.5 Updates

Community Team Member

Prisma Access 1.5.pngPrisma Access 1.5 New Features

Palo Alto Networks released Prisma Access 1.5 (formerly GPCS – GlobalProtect Cloud Service) and it comes with new features and changes to behavior. Read more about how Prisma Access 1.5 can help you keep your cloud secure.

 

Let's start off with the new features. As you can see in the list below, there are many new features that have been added, including PAN-OS 9.0 feature support, API command enhancements, and Custom URL enhancements.

 

New features included in Prisma Access 1.5*

FEATURE
DESCRIPTION
PAN-OS 9.0 feature support
This release offers support for PAN-OS 9.0, which includes the following new features and enhancements:
Note that the following PAN-OS 9.0 features are not supported:
Route preferences and preferred backup for service connections
In addition to Prisma Access’ default routing for service connections, Prisma Access allows a new choice, 
Hot potato routing, which changes the way routes are imported and advertised to and from Prisma Access, so traffic destined to service connections (e.g., HQ or data center traffic) exits the Prisma Access network as quickly as possible.
 
In addition, to help ensure routing symmetry in the event of a link failure, you can choose a preferred service connection to use as a backup if a link to a service connection fails (Backup SC).
ECMP load balancing for remote network connections
To provide additional network resiliency using redundant instances of your Customer Premises Equipment (CPE), Prisma Access allows you to add up to four IPSec tunnels for a single remote network.
BGP default route support for remote network connections
Prisma Access can advertise a default route for remote network connections using BGP. You can then use this route in your organization’s network to direct traffic to Prisma Access.
API command enhancements
Prisma Access adds improvements to the commands you use to retrieve the public IP addresses (the source IP addresses that Prisma Access uses for requests to an internet-based source).

The API command has the following enhancements for mobile user deployments:
  • The API command lists the locations associated with the reserved IP addresses.
  • You can easily retrieve both the active IP addresses for each location and the reserved IP addresses for those locations that are used for scaling events. You can request the active addresses, the reserved addresses, or all sets of addresses.
Custom URL category enhancements
You can specify up to 2,000 wild card (*.example.com) URLs, including those specified in custom URL categories, which is an increase from 500, when you use traffic forwarding rules with service connections.
Redistribute HIP information
To ensure consistent Host Information Profile (HIP) policy enforcement and to simplify policy management, you can redistribute HIP information received from mobile users and users at remote networks that use the GlobalProtect app from Prisma Access to other gateways, firewalls, and Panorama appliances in your enterprise, including the Panorama that manages Prisma Access.
View HIP reports from Panorama
After you configure Prisma Access to redistribute HIP information to Panorama. Then you can then view an HIP report from Panorama.

* - Information adopted from the Prisma Access release notes also available in TechDocs.

 

Changes to Default Behavior

The following section details the changes in default behavior after you upgrade to Prisma Access 1.5.**

COMPONENT
CHANGE
Mobile user IP pools will advertise extended BGP community strings
When Prisma Access advertises IP pools for mobile users, it also advertises an extended BGP community string that contains both the Prisma Access Autonomous System (AS) Number and the ID of the service connection to which the mobile user's location is connected.
Minimum Panorama version requirements for Prisma Access 1.5
In order to use Prisma Access 1.5, you must upgrade your Panorama to a minimum version of 9.0.3-h3 (9.0.4 recommended) before installing the Cloud Services plugin to 1.5.
 
NOTE: The Cloud Services plugin 1.5 and later require a minimum Panorama version of 9.0.3-h3. If your Panorama is running 8.1, any attempt to download the 1.5 plugin from the software downloads page on the Palo Alto Networks Customer Support Portal and manually upload the plugin on Panorama 8.1 will result in an unsupported configuration and data loss.
API changes
We’ve created a new set of API scripts to allow you to quickly and easily retrieve the IP addresses that you need to whitelist in your organization’s network. The existing commands will still work and are still available; however, the improved functionality will be in the newer commands.

 

 

Minimum Panorama of 9.0.3-h3 Required for Prisma Access 1.5

To support the new features introduced in PAN-OS 9.0, Palo Alto Networks is upgrading the Prisma Access cloud infrastructure. Unlike previous infrastructure upgrades, this upgrade requires you to upgrade Panorama to version 9.0.3-h3 or later (9.0.4 is recommended) to remain interoperable with the infrastructure in the Prisma Access cloud. You can also update to the latest 9.0.x release as they become available in the Customer Support Portal.

Minimum and recommended Panorama versions to use with Prisma Access 1.5.

MINIMUM PANORAMA VERSION REQUIRED FOR PRISMA ACCESS 1.5
RECOMMENDED VERSION TO USE WITH PRISMA ACCESS 1.5
9.0.3-h3
9.0.4
If you use the trial version of Data Loss Prevention (DLP) with Prisma Access, 9.0.4 is required.

 

** - Information adopted from the Changes to Default Behavior also available in TechDocs.

 

 

Additional Prisma Access 1.5 Information

Prisma Access Release Notes 

For more information about all the features added in Prisma Access 1.5 and all the previous versions, latest releases, upgrades, and installation information, please see the Prisma Access Release Notes.

 

Prisma Access Administrator’s Guide

Please see the Prisma Access Administrator’s Guide for details on how to configure and use Prisma Access.

 

Prisma Access Discussion Area

We welcome you to join the conversation by asking questions or providing answers in the Prisma Access Discussion Area.

 

 

Thanks for taking time to read my blog.
If you enjoyed this, please hit the Like (thumbs up) button, don't forget to subscribe to the LIVEcommunity Blog.

 

As always, we welcome all comments and feedback in the comments section below.

 

Stay Secure,
Joe Delio
End of line

459 Views
Ask Questions Get Answers Join the Live Community
Labels