Learn what's new — features and default behavior — with Prisma Access 3.2
Prisma Access helps you deliver consistent security to your remote networks and mobile users. All your users connect to Prisma Access to safely use the internet and cloud and data center applications. You get protection at scale with global coverage, so you don’t have to worry about things like sizing and deploying firewalls at your branches, or building out and managing appliances in colocation facilities.
Read on to learn about all the new features and behavior introduced with the release of Prisma Access 3.2.
Features in Prisma Access 3.2
Cloud Services Plugin 3.2: Prisma Access 3.2 uses a single plugin for both 3.2 Preferred and 3.2 Innovation, which simplifies operations because one unified plugin covers both release tracks. By default, the plugin runs 3.2 Preferred. To upgrade to 3.2 Innovation, reach out to your Palo Alto Networks account representative and submit a request.
New Features for Prisma Access 3.2 Preferred
SaaS Security Posture Management: The latest enhancements to Palo Alto Networks’ Next-Generation cloud access security broker (CASB) add SaaS security posture management (SSPM) capabilities to the industry’s most comprehensive and integrated SASE solution, ensuring that essential SaaS apps are hardened and protected from dangerous misconfigurations and other security hygiene issues that could put users and data at risk.
UBA Support: User Behavior Analytics (UBA) enables Prisma Access to detect and stop activity from compromised accounts and malicious insiders before the damage is done. The key functionalities are:
Suspicious activity detection—detects user activity that could indicate a compromised account or malicious insider.
Behavioral analytics—identifies high-risk activity including shared credentials, bulk data access, suspicious logins, and more.
Comprehensive user activity auditing—enables a quick and simple investigation and remediation workflow.
Autonomous Digital Experience Management Self Serve: Autonomous digital experience management (Autonomous DEM) empowers end users to resolve application experience issues that fall into their purview without consulting IT. ADEM Self Serve reduces ticket load and improves the experience of end-users by helping them quickly resolve the following issues:
CPU and Memory Issues impacting application experience—Autonomous DEM Self Serve can detect High CPU or Memory Utilization conditions and notify mobile users with guided remediation.
WiFi issues impacting application experience—Autonomous DEM Self Serve can detect poor WiFi quality, change of WiFi connections or disconnect conditions, and notify mobile users with guided remediation.
Internet issues impacting application experience—Autonomous DEM Self Serve can detect internet disconnect conditions for wired and wireless connections and notify mobile users with guided remediation.
Prisma SASE Platform: SASE Portal will be a single location to access and manage Secure Access Service Edge (SASE) products and services for enterprises and service providers (SPs). The key capabilities are as follows:
License activation and subscription management—Activate and manage all your available licenses from one location.
Tenant management—The option to create single and multiple tenants, build a hierarchy, and share and allocate license subscriptions for the desired tenants.
Hierarchical Multi-tenant Cloud Management Dashboard—Single Pane of Glass Management supporting insights into network and security services across all tenants.
Open API gateway—API access via centralized API gateway to enable integration and automation.
Identity and access management—Centralized authentication and authorization of user roles and permissions for all applications and API-based access.
Simplified Activation and Subscription Management: You can now use a completely new and revamped user-friendly workflow to activate and manage all your Prisma Access subscriptions in one place. With this update, Palo Alto Networks optimizes the activation flow, significantly reducing the activation time and providing contextual information that can reduce any human errors during the activation.
The updates include the following workflows:
Evaluation-to-production conversion request
Incident management procedures to troubleshoot activation-related issues and improve the overall serviceability experience
DNS Security Enhancements: Prisma Access deployments now extend protection for the latest DNS-based attack techniques, including strategically aged domains, making it the most comprehensive DNS security solution available.
Remote Network IPSec Termination Node Bandwidth Increase: IPSec termination nodes for remote networks now support 1000 Mbps instead of 500 Mbps, which allows you to allocate more bandwidth to remote networks. To make this increase effective, you must allocate a minimum of 1000 Mbps to the compute locations associated with the IPSec termination nodes.
Note: Cloud Managed Prisma Access deployments have this change applied automatically. If you have an existing Panorama Managed Prisma Access remote network deployment, you must perform a Commit and Push before installing the 3.2 plugin and perform a Push to Devices after installing the plugin to implement this change.
Simplified SASE Consumption Model with Prisma Access SD-WAN Add-On: Palo Alto Networks is introducing Prisma SD-WAN as a simple add-on solution to Prisma Access, allowing customers to get best-in-class security and SD-WAN in an effortless, consumable model. With the Prisma SD-WAN add-on to Prisma Access, you can get the most comprehensive SASE solution that enables aggregation of bandwidth across all branch locations, provides ease of activation via a single link for all SASE services—including SD-WAN—while gaining the flexibility to easily add additional services as needed from a unified management console.
New Prisma Access Locations: To better accommodate worldwide deployments and provide enhanced local coverage, Prisma Access adds the following new locations, which map to the following compute locations:
Pakistan West (II)—Maps to the Asia Southeast (Singapore) compute location.
Sri Lanka—Maps to the Asia Southeast (Singapore) compute location.
New and Renamed Prisma Access Compute Locations and Remapped Locations: To better optimize performance of Prisma Access, the following new compute locations are added and the following locations are remapped to the new compute locations:
US South—The Mexico Central, Mexico West, and US South locations are moving to the US South compute location.
Europe Southwest—The Andorra, Portugal, Spain Central, and Spain East locations are moving to the Europe Southwest compute location.
Europe South—The Italy, Kenya, and Monaco locations are moving to the Europe South compute location.
Asia Southeast (Indonesia)—The Indonesia location is moving to the Asia Southeast (Indonesia) compute location.
In addition, the existing Asia Southeast compute location is renamed Asia Southeast (Singapore).
Simplify Private App Access Using ZTNA Connector: The Zero Trust Network Access (ZTNA) Connector dramatically simplifies private app access for all apps including modern, cloud-native, containerized, microservice, and legacy apps.
With the introduction of this feature, you can either use the ZTNA Connector or a service connection to enable access to private apps for your users. Both methods enforce all ZTNA 2.0 principles.
Advanced Threat Prevention Inline Cloud Analysis and Domain Fronting Detection: Advanced Threat Prevention blocks unknown and evasive command and control traffic inline in real-time with unique deep learning and machine learning models.
The following advanced threat prevention capabilities are added to Prisma Access:
Inline Cloud Analysis—A series of ML-based detection engines are added in the Advanced Threat Prevention cloud to analyze traffic for advanced C2 (command-and-control) and spyware threats in real time, protecting users against zero-day threats. Because the detection engines run in the cloud, you get a wide array of detection mechanisms that are updated and deployed automatically, without having to download update packages or operate resource-intensive analyzers.
Domain Fronting Detection—Threat Prevention can detect domain fronting, a TLS evasion technique that can circumvent URL filtering database solutions and facilitate data exfiltration using SNI spoofing.
Advanced URL Filtering Inline Deep Learning Analysis: Advanced URL Filtering provides best-in-class web protection for the modern enterprise and stops unknown web-based attacks in real time to prevent patient zero web threats. Advanced URL Filtering combines Palo Alto Networks’ malicious URL database capabilities with the industry’s first real-time web protection engine powered by machine learning (ML). Advanced URL Filtering Inline adds a series of inline cloud-based deep learning detectors that evaluate suspicious web page contents in real-time.
DLP Web Form Data Inspection: To prevent exfiltration of sensitive information in data exchanged through collaboration applications, web forms, cloud applications, custom applications, and social media, Enterprise Data Loss Prevention (DLP) now supports inspection of non-file-format traffic using web form data inspection.
Private Application NAT Support: This feature allows users to access private applications and networks across a service connection without a dedicated IP address block from the corporate routable IP address space (RFC 1918). By default, this implementation allocates mobile users' endpoint client IP addresses from the RFC 6598 (100.64.0.0/10) pool and NATs the private application traffic going across a service connection. Note: Do not enable this feature if your enterprise uses RFC 6598 addresses as part of its routable IP address space.
Kerberos Authentication Support for Explicit Proxy: You can now use both SAML to authenticate users, and Kerberos to authenticate users and machines, in a single Explicit Proxy deployment.
Changes to Default Behavior
Reserved IP Addresses for GlobalProtect and Explicit Proxy Deployments Becoming Active: If you have a Prisma Access Mobile Users: GlobalProtect or Mobile Users: Explicit Proxy deployment, the classification of the allocated gateway and portal IP addresses (for GlobalProtect deployments) and Authentication Cache Service (ACS) and Network Load Balancer (NLB) IP addresses (for Explicit Proxy deployments) is changing.
Currently, two IP addresses are allocated for each gateway and portal for Mobile Users—GlobalProtect deployments: one IP address that is active and one that is reserved for autoscale events or infrastructure or dataplane upgrades. In addition, one active and one reserved address are allocated for the ACS and NLB for Mobile Users—Explicit Proxy deployments. Starting with Prisma Access 3.2, all Mobile Users: GlobalProtect gateway and portal and all Explicit Proxy ACS and NLB IP addresses are marked as active for the Prisma Access locations and there are no reserved addresses. The IP retrieval API will return all IP addresses as active.
In addition, the term Active will refer to IP addresses that have been allocated to the Prisma Access deployment. This change ensures that you add all gateway, portal, and ACS IP addresses to your allow lists, which eliminates any issue when a reserved IP address is made active after an autoscaling event or an infrastructure or dataplane upgrade. In the API script, the addrType of reserved is no longer applicable for Mobile Users: GlobalProtect deployments and will not return any portal or gateway IP addresses.
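The following is an added example, not Palo Alto Networks code, showing how an allow-list script can be written so that it behaves correctly both before and after this change: it collects every allocated address regardless of its addrType and reports which ones your current allow list does not yet cover. The response document is constructed for the example, and its field names (result, address_details, address, addrType, serviceType) are assumptions rather than the documented API schema.

```python
import ipaddress
import json

# Constructed sample of an IP retrieval API response (assumed shape, not the
# documented schema). Pre-3.2 responses may still carry "reserved" entries.
SAMPLE_RESPONSE = json.loads("""
{
  "status": "success",
  "result": [
    {"zone": "us-east-1", "address_details": [
      {"address": "198.51.100.10", "addrType": "active",   "serviceType": "gp_gateway"},
      {"address": "198.51.100.11", "addrType": "reserved", "serviceType": "gp_gateway"},
      {"address": "198.51.100.20", "addrType": "active",   "serviceType": "gp_portal"}
    ]},
    {"zone": "europe-west4", "address_details": [
      {"address": "203.0.113.5",   "addrType": "active",   "serviceType": "swg_proxy"},
      {"address": "203.0.113.6",   "addrType": "active",   "serviceType": "swg_proxy"}
    ]}
  ]
}
""")


def allow_list_addresses(response):
    """Every allocated address, whether reported as active or reserved.

    Treating both types as allow-listed is the safe choice: reserved addresses
    become active after autoscale or upgrade events, and 3.2 reports all as active.
    """
    addrs = set()
    for entry in response.get("result", []):
        for detail in entry.get("address_details", []):
            # ip_address() rejects malformed strings instead of silently allow-listing them
            addrs.add(str(ipaddress.ip_address(detail["address"])))
    return addrs


def summarize_by_type(response):
    """Count addresses per (serviceType, addrType); non-zero 'reserved' means pre-3.2 behaviour."""
    counts = {}
    for entry in response.get("result", []):
        for detail in entry.get("address_details", []):
            key = (detail["serviceType"], detail["addrType"])
            counts[key] = counts.get(key, 0) + 1
    return counts


def missing_from_allow_list(response, current_allow_list):
    """Addresses the API reports that no entry (address or CIDR) of the existing allow list covers."""
    nets = [ipaddress.ip_network(item, strict=False) for item in current_allow_list]
    ordered = sorted(allow_list_addresses(response), key=ipaddress.ip_address)
    return [a for a in ordered if not any(ipaddress.ip_address(a) in n for n in nets)]
```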
Steps Required to Increase Remote Network IPSec Termination Nodes from 500 Mbps to 1000 Mbps: If you have an existing Prisma Access Remote Network deployment that allocates bandwidth by compute location (aggregate bandwidth deployment), complete the following steps to increase the bandwidth of your IPSec termination nodes from 500 Mbps to 1000 Mbps:
Before installing the Cloud Services plugin 3.2, perform a Commit and Push operation, making sure that Remote Networks is specified in the Push Scope.
Install the 3.2 plugin.
Either perform an additional Commit and Push operation after installing the plugin, or select Commit > Push to Devices.
In either case, make sure that you have selected Remote Networks in the Push Scope.
Default Policy to Exclude Video Traffic for Mobile Users—GlobalProtect Deployments: To optimize GlobalProtect app performance, Prisma Access automatically excludes traffic from the Dailymotion, Hulu, Netflix, YouTube, Sling, Vimeo, Xfinity TV, and Youku video apps from the GlobalProtect tunnel. This change involves automatically selecting the Exclude video traffic from the tunnel check box for Video Traffic in the Prisma Access UI. To add video traffic back into the GlobalProtect tunnel, deselect the Exclude video traffic from the tunnel check box, then save and commit your changes.
Secure Inbound Access for Remote Network Sites Public IP Address Assignment Changes: If you use Prisma Access remote networks to provide inbound access to an application or website at a remote site for internet-connected users, Prisma Access will use a more predictable way of assigning the private IP-to-public IP address mappings for the apps you want to secure.
Note: Palo Alto Networks recommends that you do not make any changes to your secure inbound access deployment during the window between when the infrastructure upgrade occurs for Prisma Access 3.2 and the time when you install the Cloud Services plugin for 3.2, as unpredictable results might occur.
Ideally, LIVEcommunity's product pages (find 'em in our nav bar) will be your first and last stop on your journey to learn more about the Palo Alto Networks products you're using. From discussions and blogs to videos and additional resources, LIVEcommunity can help you get the most from your cybersecurity toolbox.
We encourage you to check out the Prisma Access resources on LIVEcommunity.