Professional Documents
Culture Documents
Version 4.0
docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2023-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Last Revised
March 30, 2023
Prisma Access Release Notes Version 4.0 2 ©2023 Palo Alto Networks, Inc.
Table of Contents
Prisma Access Release Information...............................................................5
New Features in Prisma Access 4.0....................................................................................... 7
Changes to Default Behavior................................................................................................. 11
Prisma Access Known Issues................................................................................................. 12
Prisma Access Addressed Issues........................................................................................... 14
Prisma Access 4.0 Addressed Issues........................................................................ 14
Getting Help...................................................................................................... 23
Related Documentation........................................................................................................... 24
Requesting Support.................................................................................................................. 25
Prisma Access Release Notes Version 4.0 3 ©2023 Palo Alto Networks, Inc.
Table of Contents
Prisma Access Release Notes Version 4.0 4 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Where Can I Use This? What Do I Need?
> Learn about how Prisma Access releases work and the different release types
Find the Latest Features for Prisma Access, and for Prisma Access Add-Ons and
Integrations
Because Prisma Access includes support for other Palo Alto Networks subscriptions
(like WildFire, Threat Prevention, and SaaS Security, for example) you can also benefit
from the latest new features that these subscriptions provide. Here's how to check
exactly what your Prisma Access subscription includes.
Here's where you can learn more about the latest updates for the products and
services that are included or integrate with Prisma Access:
Latest Prisma Access Release Updates Earlier Prisma Access Release Updates for Services and Add-Ons
Versions Supported with Prisma Access
Latest Prisma Access Release Updates Earlier Prisma Access Release Updates for Services and Ad
Versions Supported with Prisma Acce
Version Man
3.0 Platf
Preferred > Prism
and SD-
Innovation WAN
> Prisma
Access
Version
2.2
Preferred
Prisma Access Release Notes Version 4.0 6 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
The following table describes the new features that will be available with Prisma Access 4.0
Preferred.
The list here includes the first Prisma Access 4.0 Preferred features to go live. Here's a
preview of all upcoming Prisma Access 4.0 Preferred features.
Feature Description
PAN-OS 10.2 Support Prisma Access allows you to take advantage of the
following up-to-date security features that are offered with
PAN-OS 10.2, including the following features:
• Management Features:
• Selective Commit of Configuration Changes
• Policy Features:
• Security Policy Rule Top-Down Order When Wildcard
Masks Overlap
• Content Inspection Features:
• Advanced Threat Prevention: Inline Cloud Analysis
• Domain Fronting Detection
• Decryption Features:
• Multiple Certificate Support for SSL Inbound
Inspection
• URL Filtering Features:
• Inline Deep Learning Analysis for Advanced URL
Filtering
• HTTP Header Expansion
• Enterprise Data Loss Prevention Features:
• Web Form Data Inspection for Enterprise Data Loss
Prevention
You must have a Panorama appliance running 10.2 to take
advantage of the 10.2 features in Prisma Access.
Prisma Access Release Notes Version 4.0 7 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Feature Description
ZTNA Connector The Zero Trust Network Access (ZTNA) Connector lets
you connect to your organization's private apps simply and
securely. ZTNA Connector provides mobile users and users
at branch locations access to your private apps using an
automated secure tunnel, which eliminates the requirement
of setting up IPSec tunnels and routing definitions to access
the private apps. ZTNA Connector does not require any
routing from the customer infrastructure and can provide
access to applications that use overlapped IP addresses in
your networks.
Support for 400 Remote Prisma Access 3.2 brought you high-bandwidth 1Gbps
Network Sites per IPSec remote networks. Now, Prisma Access 4.0 raises the
Termination Node previous limit of 250 sites per IPSec termination node to
400 sites per IPSec termination node.
New Prisma Access locations Prisma Access will add locations that are in local zones.
With Local Zones These locations have their own compute locations. The
following locations will be supported:
• Australia West (Perth)
• US-Central (Chicago)
• US-Southeast (Miami)
You onboard local zones in the same way as any other
Prisma Access location, and the local zones are available in
Mobile Users—GlobalProtect, Remote Network, and Service
Connection deployments. The local zone locations will be
denoted with two asterisks.
The local zone locations do not use Palo Alto Networks
registered IP addresses and do not support all Prisma
Access features (for example, 1 Gbps support for remote
networks is not supported). More information will be
Prisma Access Release Notes Version 4.0 8 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Feature Description
available in the Prisma Access Administrator's Guide at a
later date.
Support for RFC 6598 If your enterprise uses RFC 6598 IP addresses as a part of
Addresses in Prisma Access your enterprise routable address space, you can use that
Infrastructure IP Addresses address space in the following Prisma Access infrastructure
IP addresses:
• Secure Inbound Access to Remote Network Locations
(supported with Prisma Access 4.0)
• Overlapping Subnets with Remote Network Locations
(supported with Prisma Access 4.0)
• Traffic Steering (supported with Prisma Access 4.0)
• Infrastructure subnet IP addresses (introduced in Prisma
Access 3.1.2 Innovation and supported in Prisma Access
4.0)
• IP address pools used in Mobile Users—GlobalProtect
deployments (introduced in Prisma Access 3.1.2
Innovation and supported in Prisma Access 4.0)
• Static subnets used for service connections and remote
networks (introduced in Prisma Access 3.1.2 Innovation
and supported in Prisma Access 4.0)
To enable the use of 100.64.0.0/10 addresses in
infrastructure addresses, reach out to your Palo Alto
Networks account representative or partner and submit a
request.
Clientless VPN is not supported with RFC 6598 addresses.
Third-Party SD-WAN Tunnel Cloud Managed Prisma Access deployments will be able
Automation to onboard Meraki MX SD-WAN devices using the Prisma
Access UI. The UI will simplify and automate tunnel creation
using APIs.
Explicit Proxy Connectivity in Prisma Access adds explicit proxy connectivity to its
GlobalProtect for Always-on GlobalProtect Agent. This connectivity support enables
Internet Security organizations to achieve always-on security for the Internet
when using GlobalProtect on-demand or a 3rd party VPN
for private app access or for anyone who wants to continue
to use proxy-based deployment for SWG.
Prisma Access Release Notes Version 4.0 9 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Feature Description
• Ghana (added to the Europe Northwest compute
location)
• Guatemala (added to the US East compute location)
• Latvia (added to the Belgium compute location)
• US Central West (added to the new US Central West
compute location)
• Uruguay (added to the South America West compute
location)
• Uganda (added to the Switzerland compute location)
Prisma Access Release Notes Version 4.0 10 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
The following table details the changes in default behavior for Prisma Access version 4.0
Preferred.
Component Change
Bulk Import of Remote Networks The number of remote networks that you can
onboard in bulk using a CSV file has changed
from 1000 to 100.
Prisma Access Release Notes Version 4.0 11 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Issue ID Description
Prisma Access Release Notes Version 4.0 12 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Issue ID Description
Workaround: Do no reuse CSRs.
Prisma Access Release Notes Version 4.0 13 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
The following topics describe issues that have been addressed in Prisma Access 4.0.
Prisma Access Release Notes Version 4.0 14 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Issue ID Description
manual-gateway failed for Mobile
Users.Failed plugin validation'
error.
Prisma Access Release Notes Version 4.0 15 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Prisma Access Release Notes Version 4.0 16 ©2023 Palo Alto Networks, Inc.
Panorama Support for Prisma Access
4.0 Preferred
Where Can I Use This? What Do I Need?
If you're using Panorama to manage Prisma Access, Prisma Access 4.0 Preferred
requires that you:
1. Review the required software versions for Panorama to support Prisma Access 4.0 Preferred
2. Determine the upgrade path you'll need to follow for the Cloud Services Plugin
3. Upgrade the Cloud Services Plugin
17
Panorama Support for Prisma Access 4.0 Preferred
The Cloud Services plugin 4.0 requires the following minimum software versions for Panorama
and GlobalProtect.
If you have a Cloud Managed Prisma Access deployment, plugin upgrades are not required;
however, the GlobalProtect versions apply to both Panorama and Cloud Managed versions of
Prisma Access.
Prisma Access Release Notes Version 4.0 18 ©2023 Palo Alto Networks, Inc.
Panorama Support for Prisma Access 4.0 Preferred
An infrastructure and dataplane upgrade is required for all upgrades from an existing Panorama
Managed Prisma Access version to 4.0 Preferred, including if you are upgrading from 3.2
Innovation or 3.2.1 Innovation to 4.0 Preferred. After you download and install the Cloud Services
plugin 4.0, you receive all supported features in Prisma Access to date, including all previous
Innovation and Preferred features along with the new features introduced in 4.0 Preferred. If
you are running a Prisma Access (Panorama Managed) deployment, Palo Alto Networks will make
the Cloud Services plugin 4.0 available for you to download and install after Palo Alto Networks
upgrades your dataplane.
• To find the dates for the infrastructure upgrade, check the calendar in the Prisma SASE status
page, which shows you when infrastructure upgrades occur.
• To find the dates for the dataplane upgrade for your deployment, be sure that you have
subscribed to Insights alerts from Prisma Access. Emails sent from Insights inform you of the
time of the upgrade and its progress after it begins.
To upgrade your Cloud Services plugin to Prisma Access 4.0 Preferred, use one of the following
upgrade paths. To find your current plugin version in Panorama, select Panorama > Cloud
Services > Configuration > Service Setup and check the plugin version in the Plugin Alert area.
Be sure to follow the minimum Panorama versions for each plugin version during the upgrade (for
example, only Cloud Services plugin versions 4.0, 3.2, and 3.1.0-h50 or later support a Panorama
running 10.2.3 or later, and you should not upgrade your Panorama to PAN-OS 10.2.3 until after
you upgrade your Cloud Services plugin to these minimum versions).
Releases earlier 4.0 Preferred 1. Upgrade your deployment to Prisma Access 2.2
than 2.2 Preferred and commit and push your changes.
If your deployment is on a version of Prisma
Access that is earlier than 2.2 Preferred, you must
first upgrade to 2.2 before you can upgrade to
3.2. Upgrades from 2.0 or 2.1 versions of Prisma
Access are not supported.
2. Upgrade your deployment to Prisma Access 3.0
and commit and push your changes.
Prisma Access Release Notes Version 4.0 19 ©2023 Palo Alto Networks, Inc.
Panorama Support for Prisma Access 4.0 Preferred
2.2 Preferred 4.0 Preferred 1. Upgrade your deployment to Prisma Access 3.0
and commit and push your changes.
2. Upgrade your deployment to Prisma Access 3.1
and commit and push your changes.
3. Upgrade your deployment to either Prisma Access
3.2 or 3.2.1 and commit and push your changes.
4. Upgrade your deployment to Prisma Access 4.0
and commit and push your changes.
3.0 Preferred 4.0 Preferred 1. Upgrade your deployment to Prisma Access 3.1
and commit and push your changes.
2. Upgrade your deployment to either Prisma Access
3.2 or 3.2.1 and commit and push your changes.
3. Upgrade your deployment to Prisma Access 4.0
and commit and push your changes.
3.1 Preferred 4.0 Preferred 1. Upgrade your deployment to either Prisma Access
3.2 or 3.2.1 and commit and push your changes.
2. Upgrade your deployment to Prisma Access 4.0
and commit and push your changes.
Prisma Access Release Notes Version 4.0 20 ©2023 Palo Alto Networks, Inc.
Panorama Support for Prisma Access 4.0 Preferred
STEP 1 | Determine the upgrade path for the plugin to which you want to upgrade.
For some upgrade paths, you need to upgrade your plugin sequentially. For example, to
upgrade from a 2.2 Preferred plugin to a 4.0 plugin, you must first perform interim upgrades to
2.2, 3.0, and 3.1 before upgrading to 4.0.
Prisma Access Release Notes Version 4.0 21 ©2023 Palo Alto Networks, Inc.
Panorama Support for Prisma Access 4.0 Preferred
STEP 2 | Download and install the Cloud Services plugin versions you require.
• To download and install the Cloud Services plugin by downloading it from the Customer
Support Portal, complete the following steps.
1. Log in to the Customer Support Portal and select Software Updates,
2. Find the Cloud Services plugin in the Panorama Integration Plug In section and download
it.
Do not rename the plugin file or you will not be able to install it on Panorama.
3. Log in to the Panorama Web Interface of the Panorama you licensed for use with the
Prisma Access, select Panorama > Plugins > Upload and Browse for the plugin File that
you downloaded from the CSP.
4. Install the plugin.
• To download and install the new version of the Cloud Services plugin directly from
Panorama, complete the following steps:
1. Select Panorama > Plugins and click Check Now to display the latest Cloud Services
plugin updates.
Prisma Access Release Notes Version 4.0 22 ©2023 Palo Alto Networks, Inc.
Getting Help
Where Can I Use This? What Do I Need?
The following topics provide information on where to find more about this release and
how to request support:
23
Getting Help
Related Documentation
Use the following documents to set up and implement your Prisma Access deployment:
• Use the Prisma Access Administrator’s Guide to plan, install, set up, and configure Prisma
Access to secure your network.
• Use the vendor-specific tasks in the Prisma Access Integration Guide to use Prisma Access to
configure mobile user authentication and secure your public cloud and third-party SD-WAN
deployments.
• Use the Cortex Data Lake Getting Started Guide to learn how to deploy Cortex Data Lake and
begin forwarding logs from your on-premise firewalls to Cortex Data Lake.
Visit https://docs.paloaltonetworks.com for more information on our products.
Prisma Access Release Notes Version 4.0 24 ©2023 Palo Alto Networks, Inc.
Getting Help
Requesting Support
For contacting support, for information on support programs, to manage your account or devices,
or to open a support case, go to https://support.paloaltonetworks.com.
To provide feedback on the documentation, please write to us at:
documentation@paloaltonetworks.com.
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contact-support
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto
Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/
company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies.
Prisma Access Release Notes Version 4.0 25 ©2023 Palo Alto Networks, Inc.
Getting Help
Prisma Access Release Notes Version 4.0 26 ©2023 Palo Alto Networks, Inc.