New Features Introduced in Prisma Access 3.0

Prisma Access will support Quality of Service (QoS)for remote networks that allocate bandwidth by compute location. If you are using the bandwidth allocation per compute location model, you will be able to add QoS profiles to prioritize traffic per site. 

If you have a deployment that allocates bandwidth by location and uses QoS, do not migrate to a deployment that allocates bandwidth by compute location; migrations with QoS are not supported.

To ensure that your mobile users always have access to the services and applications that are accessible from service connections, you will be able to enable network redundancy during mobile user setup. This feature provides redundant network paths between the mobile user dataplane and service connections that may be in different compute locations.

Enabling redundancy provides you with more resilient access to resources behind service connections in a data center or headquarters location. Because a service connection is required for mobile users to access resources from remote networks, you also have more resiliency in accessing resources in remote network locations.

For either a Cloud Managed or PanoramaManaged Prisma Access deployment, the following prerequisites are required before this feature is enabled:

• Onboard multiple service connections in different compute locations.
• Enable asymmetric routing and load sharing across service connections in your Backbone Routing options.

For Cloud Managed deployments, select Manage > Service Setup > Service Connections > Advanced Settings and make sure that the Backbone Routing option is set to Allow asymmetric routing and load sharing across Service Connections. Prisma Access enables this feature without further configuration.

For Panorama Managed deployments, select Panorama > Cloud Services > Configuration > Service Setup, click the gear to edit the Settings, and, in the Advanced tab, make sure that the Backbone Routing option is set to asymmetric-routing-with-load-share.

• (Panorama Managed Deployments only) Enable network redundancy by selecting Panorama > Cloud Services > Configuration > Mobile Users —GlobalProtect, selecting the Hostname and, in the General tab, selecting Enable Network Redundancy. 

Prisma Access provides the following enhancements for Explicit Proxy:

• Support for Deployments with No Default Route at Branch Sites—To help you transition from a proxy-based architecture in your branch sites to Prisma Access, a Prisma Access deployment will be supported for branch sites that have a no-default route architecture. This deployment, which uses remote networks in conjunction with Explicit Proxy, provides security inspection using a remote network Security Processing Node (RN-SPN), while users and servers use the PAC file to forward the traffic to Prisma Access.
• Inline Editing of PAC Files—You will be able to edit the PAC file used with Explicit Proxy in the Cloud Managed UI.
• Best Practice Assessment for Explicit Proxy Policies— Cloud Managed Explicit Proxy deployments will include a best practice check for security policy rules that are used with Explicit Proxy.

To optimize performance, improve latency, and adhere to data sovereignty rules, Prisma Access adds the following compute locations, and the following locations map to these compute locations:

• Australia South Compute Location— Mapping to Australia South and Australia Southeast locations.
  
• Canada Central (Toronto) Compute Location—Mapping to Canada Central location.
• India North Compute Location—Mapping to the India North location.

If you add the locations after you install the Cloud Services 3.0 plugin, Prisma Access associates the new compute locations automatically.

Note: For Explicit Proxy, these new compute locations are supported for new deployments only.

If you are upgrading from an existing Prisma Access deployment and you have already onboarded these locations, complete the following steps to take advantage of the new compute location:

1. Delete the location associated with the new compute location.
2. Commit and push your changes.
3. Re-add the locations you just deleted.
4. Commit and push your changes.
5. Retrieve the new gateway and portal IP addresses (for mobile users) or the new egress IP addresses (for remote networks) using the API script.
6. Make a note of the new IP addresses and add them to your allow lists.

Since you need to allow time to delete and add the existing location and change your allow lists, Palo Alto Networks recommends that you schedule a compute location change during a maintenance window or during off-peak hours.

If you use URLs in custom URL categories or external dynamic lists (EDLs) and do not append an ending token such as . / ? & = ; +, it is possible to allow more URLs than you intended. For example, entering example.com as a matchingURL instead of example.com/ would also match example.com.website.info or example.com.br.

Prisma Access will allow you to set an ending token to URLs in EDLs or custom URL categories so that, if you enter example.com, Prisma Access treats it as it would treat example.com/ and only matches that URL.

Cloud Services 3.0 Innovation uses a dataplane version of PAN-OS 10.1 and you are able to take advantage of PAN-OS 10.1 features up to PAN-OS10.1, including the following features:

• App-ID Cloud Engine support
• SaaS Policy Rule Recommendation for SaaS Security Inline (see the feature description for SaaS Security Inline Enforcement for more details)
• The ability to authenticate users using the Cloud Authentication Service component of the Cloud Identity Engine (the Directory Sync component, which performs group mapping, is already supported with Prisma Access)
• Enhanced Handling of SSL/TLS Handshakes for Decrypted Traffic
• Security Policy Enforcement for Inactive GlobalProtect Sessions

In addition to the Explicit Proxy enhancements described for 3.0 Preferred, Prisma Access offers the following additional enhancements for 3.0 Innovation:

• SNI Spoofing Prevention—Explicit Proxy will be able to protect network traffic from Server Name Indication (SNI) spoofing attacks in cases where the SNI domain does not match the domain used for HTTP Requests or HTTP Connect requests.
• DNS Security Signature Category Additions—Explicit Proxy will support the following additional DNS security signature categories:
  • Dynamic DNS Hosted Domains
  • Grayware Domains
  • Newly Registered Domains
  • Parked Domains
  • Phishing Domains
  • Proxy Avoidance and Anonymizers 

Command and Control Domains and Malware Domains are currently supported DNS security signature categories.

When you receive configuration-related errors during commits, Prisma Access has replaced generic 

messages you previously received with messages that more clearly communicate the cause of the misconfiguration. For example, authentication objects without authentication profiles receive a message indicating the object with the missing profile instead of a generic message indicating an issue with the commit.

Other message improvements include:

• HIP profiles that exceed the maximum allowed
• Missing or overlapping IP addresses, or missing URLs, in objects for a mobile user (GlobalProtect) deployment
• IPv6 addresses being specified when IPv6 addressing has not been enabled in a Prisma Access deployment
• Port numbering being outside of the valid range (0-65535)
• EDL-related validation errors
• Security policy-related rule validations (missing service value, using Negate with Any for Source or Destination)
• Missing SCEP certificates when using SSL Authentication