Professional Documents
Culture Documents
Version 4.0.0-h51
docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2023-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Last Revised
August 14, 2023
Prisma Access Release Notes Version 4.0.0-h51 2 ©2023 Palo Alto Networks, Inc.
Table of Contents
Prisma Access Release Information...............................................................5
New Features in Prisma Access 4.0....................................................................................... 7
Changes to Default Behavior................................................................................................. 12
Prisma Access Known Issues................................................................................................. 13
Prisma Access Addressed Issues........................................................................................... 18
Prisma Access 4.0.0-h51 Addressed Issues............................................................ 18
Prisma Access 4.0.0-h41 Addressed Issues............................................................ 19
Prisma Access 4.0.0-h23 Addressed Issues............................................................ 20
Prisma Access 4.0.0-h20 Addressed Issues............................................................ 20
Prisma Access 4.0.0-h8 Addressed Issues...............................................................21
Prisma Access 4.0 Addressed Issues........................................................................ 21
Getting Help...................................................................................................... 29
Related Documentation........................................................................................................... 30
Requesting Support.................................................................................................................. 31
Prisma Access Release Notes Version 4.0.0-h51 3 ©2023 Palo Alto Networks, Inc.
Table of Contents
Prisma Access Release Notes Version 4.0.0-h51 4 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Where Can I Use This? What Do I Need?
Latest Prisma Access Release Earlier Prisma Access Release Updates for Services and Add-
Updates Versions Ons Supported with Prisma
Access
• New Features in Prisma • Prisma Access Version 3.2 • Prisma Access Insights
Access 4.0 Preferred and Innovation • Autonomous DEM
• What's New for • Prisma Access Version 3.1 • SaaS Security
Prisma Access Cloud Preferred and Innovation
Management • Enterprise DLP
• Prisma Access Version 3.0
Preferred and Innovation • GlobalProtect
• Prisma Access Version 2.2 • Prisma SASE Multitenant
Preferred Cloud Management
Platform
• Prisma SD-WAN
5
Prisma Access Release Information
Latest Prisma Access Release Earlier Prisma Access Release Updates for Services and Add-
Updates Versions Ons Supported with Prisma
Access
• Prisma Access Releases
Earlier than 2.2 Preferred
Prisma Access Release Notes Version 4.0.0-h51 6 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
The following table describes the new features that are available with Prisma Access 4.0
Preferred.
Feature Description
Prisma Access on the Strata Prisma Access is now supported on the new Strata Cloud
Cloud Manager Platform Manager platform. We'll be updating Prisma Access so
that it is on the Strata Cloud Manager platform, alongside
your other Palo Alto Networks products and subscriptions
that are supported for unified management. If you've
been using the Prisma Access app for Prisma Access
Cloud Management or for Prisma Access monitoring and
visibility features (including Autonomous DEM, Insights,
and Activity dashboards and reports), the update to Strata
Cloud Manager gives you a new management and visibility
experience.
Learn more:
• Learn more about Strata Cloud Manager
• What to expect when Prisma Access is updated to give
you the new management experience
• Where are my Prisma Access features in Strata Cloud
Manager?
• Prisma Access visibility and monitoringwith Strata Cloud
Manager
Explicit Proxy Connectivity in Prisma Access adds explicit proxy connectivity to its version
GlobalProtect for Always-on 6.2 GlobalProtect app. With this introduction, end users are
Internet Security protected with always-on internet security while getting
on-demand access to private apps, either via a third-party
May 22, 2023
VPN or via GlobalProtect with Prisma Access or an on-
premises NGFW. This capability enables you to:
• Easily replace 3rd party proxy solutions
• Co-exist with any 3rd-party VPN agents
• Support both browser-based and non-browser-based
apps to secure internet traffic
Prisma Access Release Notes Version 4.0.0-h51 7 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Feature Description
• Simplify proxy deployments and achieve User-ID based
enforcement for all traffic
Outbound Route Prefixes When you specify the prefixes for which Prisma Access
Increased to 500 adds static routes for all service connections and remote
network connections (Panorama > Cloud Services >
May 16, 2023
Configuration > Service Setup > Advanced > Outbound
Routes for the Service), you can now specify up to 500
outbound routes. Routes you specify here are routed to
these prefixes over the internet.
Integrate Prisma Access with Secure Cisco Meraki MX SD-WAN devices using Prisma
Cisco Meraki SD-WAN Access (Cloud Management) with the latest simplified and
automated tunnel creation, instead of onboarding them
May 05, 2023
manually like in previous releases.
ZTNA Connector The Zero Trust Network Access (ZTNA) Connector lets
you connect to your organization's private apps simply and
April 18, 2023
securely. ZTNA Connector provides mobile users and users
at branch locations access to your private apps using an
automated secure tunnel, which eliminates the requirement
of setting up IPSec tunnels and routing definitions to access
the private apps. ZTNA Connector does not require any
routing from the customer infrastructure and can provide
access to applications that use overlapped IP addresses in
your networks.
PAN-OS 10.2 Support Prisma Access allows you to take advantage of the
following up-to-date security features that are offered with
March 30, 2023
PAN-OS 10.2. including the following features:
Review the PAN-OS 10.2 Upgrade Considerations before
your dataplane upgrade and before upgrading your
panorama to 10.2.
PAN-OS 10.2 includes the following new features:
• Management Features:
• Selective Commit of Configuration Changes
Prisma Access Release Notes Version 4.0.0-h51 8 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Feature Description
• Policy Features:
• Security Policy Rule Top-Down Order When Wildcard
Masks Overlap
• Content Inspection Features:
• Advanced Threat Prevention: Inline Cloud Analysis
• Domain Fronting Detection
• Decryption Features:
• Multiple Certificate Support for SSL Inbound
Inspection
• URL Filtering Features:
• Inline Deep Learning Analysis for Advanced URL
Filtering
• HTTP Header Expansion
• Enterprise Data Loss Prevention Features:
• Web Form Data Inspection for Enterprise Data Loss
Prevention
You must have a Panorama appliance running 10.2 to take
advantage of the 10.2 features in Prisma Access.
Support for 400 Remote Prisma Access 3.2 brought you high-bandwidth 1Gbps
Network Sites per IPSec remote networks. Now, Prisma Access 4.0 raises the
Termination Node previous limit of 250 sites per IPSec termination node to
400 sites per IPSec termination node.
March 30, 2023
Support for 15,000 Branch Sites Prisma SASE can support up to 15,000 Branch sites in one
in a Single Tenant tenant. If you require more than 15,000 branch sites, you
can take advantage of Prisma SASE's multi-tenant capability
March 30, 2023
built for distributed global enterprises and MSPs with
support for an effective unlimited number of remote users.
New Prisma Access locations Prisma Access adds locations that are in local zones. These
With Local Zones locations have their own compute locations. The following
locations are supported:
March 30, 2023
• Australia West (Perth)
• US-Central (Chicago)
• US-Southeast (Miami)
You onboard local zones in the same way as any other
Prisma Access location, and the local zones are available
in Mobile Users—GlobalProtect, Remote Network, and
Service Connection deployments. The local zone locations
Prisma Access Release Notes Version 4.0.0-h51 9 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Feature Description
are denoted with two asterisks for Panorama Managed
deployments and are denoted as a Local Zone in Cloud
Managed deployments.
Keep in mind the following guidelines when deploying local
zones:
• Local zone locations do not use Palo Alto Networks
registered IP addresses.
• 1 Gbps support for remote networks is not supported.
• Remote network and service connection node
redundancy across availability zones is not available if
you deploy them in the same local zone, as both nodes
are provisioned in a single zone.
• These local zones do not use Palo Alto Networks
registered IPs. If you have problems accessing
URLs, report the website issue using https://
reportasite.gpcloudservice.com/ or reach out to Palo
Alto Networks support.
Support for RFC 6598 If your enterprise uses RFC 6598 IP addresses as a part of
Addresses in Prisma Access your enterprise routable address space, you can use that
Infrastructure IP Addresses address space in the following Prisma Access infrastructure
IP addresses:
March 30, 2023
• Secure Inbound Access to Remote Network Locations
(supported with Prisma Access 4.0)
• Overlapping Subnets with Remote Network Locations
(supported with Prisma Access 4.0)
• Traffic Steering (supported with Prisma Access 4.0)
• Infrastructure subnet IP addresses (introduced in Prisma
Access 3.1.2 Innovation and supported in Prisma Access
4.0)
• IP address pools used in Mobile Users—GlobalProtect
deployments (introduced in Prisma Access 3.1.2
Innovation and supported in Prisma Access 4.0)
• Static subnets used for service connections and remote
networks (introduced in Prisma Access 3.1.2 Innovation
and supported in Prisma Access 4.0)
To enable the use of 100.64.0.0/10 addresses in
infrastructure addresses, reach out to your Palo Alto
Networks account representative or partner and submit a
request.
Clientless VPN is not supported with RFC 6598 addresses.
Prisma Access Release Notes Version 4.0.0-h51 10 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Feature Description
Prisma Access Release Notes Version 4.0.0-h51 11 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
The following table details the changes in default behavior for Prisma Access version 4.0
Preferred.
Component Change
Bulk Import of Remote Networks The number of remote networks that you can
onboard in bulk using a CSV file has changed
from 1000 to 100.
Prisma Access Release Notes Version 4.0.0-h51 12 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Issue ID Description
Prisma Access Release Notes Version 4.0.0-h51 13 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Issue ID Description
ZTNA connector traffic to fail, when the
following conditions apply:
• When the first application is onboarded in
ZTNA connector
• When all applications are removed
(deboarded) from ZTNA Connector
Workaround: Refresh the GlobalProtect
connection to get correct DNS server
configuration. In the case of all applications
going down for a tenant, refresh the
GlobalProtect again when some or all
applications in ZTNA connector are back up.
Prisma Access Release Notes Version 4.0.0-h51 14 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Issue ID Description
Prisma Access Release Notes Version 4.0.0-h51 15 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Issue ID Description
Prisma Access Release Notes Version 4.0.0-h51 16 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Issue ID Description
Workaround: Do no reuse CSRs.
Prisma Access Release Notes Version 4.0.0-h51 17 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
The following topics describe issues that have been addressed in Prisma Access 4.0.
CYR-34616 Fixed an issue where the Panorama > QoS Statistics page
displayed an inflated number of dropped packets.
CYR-34328 Fixed an issue where the Prisma Access UI was loading due
to feature flags not being present in the setup.
Prisma Access Release Notes Version 4.0.0-h51 18 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Issue ID Description
CYR-33930 Fixed an issue where an IPv4 validator was used for IPv6 IP
address validation in the Mobile Users DNS setting.
CYR-33757 Fixed an issue in the Traffic Steering Rule Source tab where
clicking on a Source Address or Address-Group in the
drop-down list caused an incorrect item in the list to be
selected.
Prisma Access Release Notes Version 4.0.0-h51 19 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Issue ID Description
Prisma Access Release Notes Version 4.0.0-h51 20 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Prisma Access Release Notes Version 4.0.0-h51 21 ©2023 Palo Alto Networks, Inc.
Prisma Access Release Information
Issue ID Description
choose any locations to be selected
on the Manual Gateway Locations
tab, subsequent local commits on the
Panorama appliance were failing with the
'Failed to find any locations
in path: cloud_services/mobile-
users/onboarding/entry/manual-
gateway/region/entry/locations/
memberregions validation for
manual-gateway failed for Mobile
Users.Failed plugin validation'
error.
Prisma Access Release Notes Version 4.0.0-h51 22 ©2023 Palo Alto Networks, Inc.
Panorama Support for Prisma
Access 4.0 Preferred
Where Can I Use This? What Do I Need?
If you're using Panorama to manage Prisma Access, Prisma Access 4.0 Preferred requires that you:
1. Review the required software versions for Panorama to support Prisma Access 4.0 Preferred
2. Determine the upgrade path you'll need to follow for the Cloud Services Plugin
3. Upgrade the Cloud Services Plugin
23
Panorama Support for Prisma Access 4.0 Preferred
The Cloud Services plugin 4.0 requires the following minimum software versions for Panorama
and GlobalProtect.
If you have a Cloud Managed Prisma Access deployment, plugin upgrades are not required;
however, the GlobalProtect versions apply to both Panorama and Cloud Managed versions of
Prisma Access.
Prisma Access Release Notes Version 4.0.0-h51 24 ©2023 Palo Alto Networks, Inc.
Panorama Support for Prisma Access 4.0 Preferred
An infrastructure and dataplane upgrade is required for all upgrades from an existing Panorama
Managed Prisma Access version to 4.0 Preferred, including if you are upgrading from 3.2
Innovation or 3.2.1 Innovation to 4.0 Preferred. After you download and install the Cloud Services
plugin 4.0, you receive all supported features in Prisma Access to date, including all previous
Innovation and Preferred features along with the new features introduced in 4.0 Preferred. If
you are running a Prisma Access (Panorama Managed) deployment, Palo Alto Networks will make
the Cloud Services plugin 4.0 available for you to download and install after Palo Alto Networks
upgrades your dataplane.
The Cloud Services plugin version 4.0 supports 10.0.8 and 10.1.3-based Prisma Access
dataplane versions; however, not all new features in the plugin are supported until your
dataplane has been upgraded to PAN-OS version 10.2.4.
• To find the dates for the infrastructure upgrade, check the calendar in the Prisma SASE status
page, which shows you when infrastructure upgrades occur.
• To find the dates for the dataplane upgrade for your deployment, be sure that you have
subscribed to Insights alerts from Prisma Access. Emails sent from Insights inform you of the
time of the upgrade and its progress after it begins.
To upgrade your Cloud Services plugin to Prisma Access 4.0 Preferred, use one of the following
upgrade paths. To find your current plugin version in Panorama, select Panorama > Cloud
Services > Configuration > Service Setup and check the plugin version in the Plugin Alert area.
Be sure to follow the minimum Panorama versions for each plugin version during the upgrade (for
example, only Cloud Services plugin versions 4.0, 3.2, and 3.1.0-h50 or later support a Panorama
running 10.2.3 or later, and you should not upgrade your Panorama to PAN-OS 10.2.3 until after
you upgrade your Cloud Services plugin to these minimum versions).
Releases earlier 4.0 Preferred 1. Upgrade your deployment to Prisma Access 2.2
than 2.2 Preferred and commit and push your changes.
If your deployment is on a version of Prisma
Access that is earlier than 2.2 Preferred, you must
first upgrade to 2.2 before you can upgrade to
Prisma Access Release Notes Version 4.0.0-h51 25 ©2023 Palo Alto Networks, Inc.
Panorama Support for Prisma Access 4.0 Preferred
2.2 Preferred 4.0 Preferred 1. Upgrade your deployment to Prisma Access 3.0
and commit and push your changes.
2. Upgrade your deployment to Prisma Access 3.1
and commit and push your changes.
3. Upgrade your deployment to either Prisma Access
3.2 or 3.2.1 and commit and push your changes.
4. Upgrade your deployment to Prisma Access 4.0
and commit and push your changes.
3.0 Preferred 4.0 Preferred 1. Upgrade your deployment to Prisma Access 3.1
and commit and push your changes.
2. Upgrade your deployment to either Prisma Access
3.2 or 3.2.1 and commit and push your changes.
3. Upgrade your deployment to Prisma Access 4.0
and commit and push your changes.
3.1 Preferred 4.0 Preferred 1. Upgrade your deployment to either Prisma Access
3.2 or 3.2.1 and commit and push your changes.
2. Upgrade your deployment to Prisma Access 4.0
and commit and push your changes.
Prisma Access Release Notes Version 4.0.0-h51 26 ©2023 Palo Alto Networks, Inc.
Panorama Support for Prisma Access 4.0 Preferred
STEP 1 | Determine the upgrade path for the plugin to which you want to upgrade.
For some upgrade paths, you need to upgrade your plugin sequentially. For example, to
upgrade from a 2.2 Preferred plugin to a 4.0 plugin, you must first perform interim upgrades to
2.2, 3.0, and 3.1 before upgrading to 4.0.
Prisma Access Release Notes Version 4.0.0-h51 27 ©2023 Palo Alto Networks, Inc.
Panorama Support for Prisma Access 4.0 Preferred
STEP 2 | Download and install the Cloud Services plugin versions you require.
• To download and install the Cloud Services plugin by downloading it from the Customer
Support Portal, complete the following steps.
1. Log in to the Customer Support Portal and select Software Updates,
2. Find the Cloud Services plugin in the Panorama Integration Plug In section and download
it.
Do not rename the plugin file or you will not be able to install it on Panorama.
3. Log in to the Panorama Web Interface of the Panorama you licensed for use with the
Prisma Access, select Panorama > Plugins > Upload and Browse for the plugin File that
you downloaded from the CSP.
4. Install the plugin.
• To download and install the new version of the Cloud Services plugin directly from
Panorama, complete the following steps:
1. Select Panorama > Plugins and click Check Now to display the latest Cloud Services
plugin updates.
Prisma Access Release Notes Version 4.0.0-h51 28 ©2023 Palo Alto Networks, Inc.
Getting Help
Where Can I Use This? What Do I Need?
The following topics provide information on where to find more about this release and how to
request support:
• Related Documentation
• Requesting Support
29
Getting Help
Related Documentation
Use the following documents to set up and implement your Prisma Access deployment:
• Use the Prisma Access Administrator’s Guide to plan, install, set up, and configure Prisma
Access to secure your network.
• Use the vendor-specific tasks in the Prisma Access Integration Guide to use Prisma Access to
configure mobile user authentication and secure your public cloud and third-party SD-WAN
deployments.
• Use the Cortex Data Lake Getting Started Guide to learn how to deploy Cortex Data Lake and
begin forwarding logs from your on-premise firewalls to Cortex Data Lake.
Visit https://docs.paloaltonetworks.com for more information on our products.
Prisma Access Release Notes Version 4.0.0-h51 30 ©2023 Palo Alto Networks, Inc.
Getting Help
Requesting Support
For contacting support, for information on support programs, to manage your account or devices,
or to open a support case, go to https://support.paloaltonetworks.com.
To provide feedback on the documentation, please write to us at:
documentation@paloaltonetworks.com.
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contact-support
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto
Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/
company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies.
Prisma Access Release Notes Version 4.0.0-h51 31 ©2023 Palo Alto Networks, Inc.
Getting Help
Prisma Access Release Notes Version 4.0.0-h51 32 ©2023 Palo Alto Networks, Inc.