
Prisma Access Release Notes

Version 4.0.0-h51

docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
documentation@paloaltonetworks.com.

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2023-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
August 14, 2023

Prisma Access Release Notes Version 4.0.0-h51 2 ©2023 Palo Alto Networks, Inc.
Table of Contents

Prisma Access Release Information
• New Features in Prisma Access 4.0
• Changes to Default Behavior
• Prisma Access Known Issues
• Prisma Access Addressed Issues
  • Prisma Access 4.0.0-h51 Addressed Issues
  • Prisma Access 4.0.0-h41 Addressed Issues
  • Prisma Access 4.0.0-h23 Addressed Issues
  • Prisma Access 4.0.0-h20 Addressed Issues
  • Prisma Access 4.0.0-h8 Addressed Issues
  • Prisma Access 4.0 Addressed Issues

Panorama Support for Prisma Access 4.0 Preferred
• Required Software Versions for Panorama Managed Prisma Access (4.0 Preferred)
• Upgrade Considerations for Panorama Managed Prisma Access (4.0 Preferred)
• Upgrade the Cloud Services Plugin (4.0 Preferred)

Getting Help
• Related Documentation
• Requesting Support

Prisma Access Release Information
Where Can I Use This?
• Prisma Access (Cloud Management)
• Prisma Access (Panorama Managed)

What Do I Need?
• Prisma Access license
• Minimum Required Prisma Access Version 4.0 Preferred

About Prisma Access Release Updates

Prisma Access releases and updates allow you to stay up-to-date and secure your users. Some updates, such as Prisma Access infrastructure updates, are managed by Palo Alto Networks, and you receive advance notification so you can plan around them. Other updates are your responsibility, and you must schedule the specified version of the content update and software update. If you're using Panorama to manage Prisma Access (instead of Prisma Access Cloud Management), you decide when to upgrade to the latest plugin version in order to leverage newly available features that the plugin enables for Panorama.
• Learn about how Prisma Access releases work and the different release types

Supported GlobalProtect Versions to Use with Prisma Access

Any GlobalProtect version that is not End-of-Life (EoL) is supported for use with Prisma Access.

Find the Latest Features for Prisma Access, and for Prisma Access Add-Ons and Integrations

Because Prisma Access includes support for other Palo Alto Networks subscriptions (like WildFire, Threat Prevention, and SaaS Security, for example), you can also benefit from the latest new features that these subscriptions provide. Here's how to check exactly what your Prisma Access subscription includes.
Here's where you can learn more about the latest updates for the products and services that are included with or integrate with Prisma Access:

Latest Prisma Access Release Updates
• New Features in Prisma Access 4.0
• What's New for Prisma Access Cloud Management

Earlier Prisma Access Release Versions
• Prisma Access Version 3.2 Preferred and Innovation
• Prisma Access Version 3.1 Preferred and Innovation
• Prisma Access Version 3.0 Preferred and Innovation
• Prisma Access Version 2.2 Preferred
• Prisma Access Releases Earlier than 2.2 Preferred

Updates for Services and Add-Ons Supported with Prisma Access
• Prisma Access Insights
• Autonomous DEM
• SaaS Security
• Enterprise DLP
• GlobalProtect
• Prisma SASE Multitenant Cloud Management Platform
• Prisma SD-WAN

New Features in Prisma Access 4.0


Where Can I Use This?
• Prisma Access (Cloud Management)
• Prisma Access (Panorama Managed)

What Do I Need?
• Prisma Access license
• Minimum Required Prisma Access Version 4.0 Preferred

The following table describes the new features that are available with Prisma Access 4.0
Preferred.

Feature Description

Feature: Prisma Access on the Strata Cloud Manager Platform
Description: Prisma Access is now supported on the new Strata Cloud Manager platform. We'll be updating Prisma Access so that it is on the Strata Cloud Manager platform, alongside your other Palo Alto Networks products and subscriptions that are supported for unified management. If you've been using the Prisma Access app for Prisma Access Cloud Management or for Prisma Access monitoring and visibility features (including Autonomous DEM, Insights, and Activity dashboards and reports), the update to Strata Cloud Manager gives you a new management and visibility experience.
Learn more:
• Learn more about Strata Cloud Manager
• What to expect when Prisma Access is updated to give you the new management experience
• Where are my Prisma Access features in Strata Cloud Manager?
• Prisma Access visibility and monitoring with Strata Cloud Manager

Feature: Explicit Proxy Connectivity in GlobalProtect for Always-on Internet Security (May 22, 2023)
Description: Prisma Access adds explicit proxy connectivity to its version 6.2 GlobalProtect app. With this introduction, end users are protected with always-on internet security while getting on-demand access to private apps, either via a third-party VPN or via GlobalProtect with Prisma Access or an on-premises NGFW. This capability enables you to:
• Easily replace 3rd party proxy solutions
• Co-exist with any 3rd-party VPN agents
• Support both browser-based and non-browser-based apps to secure internet traffic
• Simplify proxy deployments and achieve User-ID based enforcement for all traffic

Feature: Outbound Route Prefixes Increased to 500 (May 16, 2023)
Description: When you specify the prefixes for which Prisma Access adds static routes for all service connections and remote network connections (Panorama > Cloud Services > Configuration > Service Setup > Advanced > Outbound Routes for the Service), you can now specify up to 500 outbound routes. Routes you specify here are routed to these prefixes over the internet.
Note: This increase was added to Panorama Managed Prisma Access with the 4.0.0-h20 Cloud Services plugin. Cloud Managed Prisma Access deployments support a maximum number of 10 outbound routes.

Feature: Integrate Prisma Access with Cisco Meraki SD-WAN (May 05, 2023)
Description: Secure Cisco Meraki MX SD-WAN devices using Prisma Access (Cloud Management) with the latest simplified and automated tunnel creation, instead of onboarding them manually like in previous releases.

Feature: ZTNA Connector (April 18, 2023)
Description: The Zero Trust Network Access (ZTNA) Connector lets you connect to your organization's private apps simply and securely. ZTNA Connector provides mobile users and users at branch locations access to your private apps using an automated secure tunnel, which eliminates the requirement of setting up IPSec tunnels and routing definitions to access the private apps. ZTNA Connector does not require any routing from the customer infrastructure and can provide access to applications that use overlapped IP addresses in your networks.

Feature: PAN-OS 10.2 Support (March 30, 2023)
Description: Prisma Access allows you to take advantage of the up-to-date security features that are offered with PAN-OS 10.2.
Review the PAN-OS 10.2 Upgrade Considerations before your dataplane upgrade and before upgrading your Panorama to 10.2.
PAN-OS 10.2 includes the following new features:
• Management Features:
  • Selective Commit of Configuration Changes
• Policy Features:
  • Security Policy Rule Top-Down Order When Wildcard Masks Overlap
• Content Inspection Features:
  • Advanced Threat Prevention: Inline Cloud Analysis
  • Domain Fronting Detection
• Decryption Features:
  • Multiple Certificate Support for SSL Inbound Inspection
• URL Filtering Features:
  • Inline Deep Learning Analysis for Advanced URL Filtering
  • HTTP Header Expansion
• Enterprise Data Loss Prevention Features:
  • Web Form Data Inspection for Enterprise Data Loss Prevention
You must have a Panorama appliance running 10.2 to take advantage of the 10.2 features in Prisma Access.

Feature: Support for 400 Remote Network Sites per IPSec Termination Node (March 30, 2023)
Description: Prisma Access 3.2 brought you high-bandwidth 1 Gbps remote networks. Now, Prisma Access 4.0 raises the previous limit of 250 sites per IPSec termination node to 400 sites per IPSec termination node.

Feature: Support for 15,000 Branch Sites in a Single Tenant (March 30, 2023)
Description: Prisma SASE can support up to 15,000 branch sites in one tenant. If you require more than 15,000 branch sites, you can take advantage of Prisma SASE's multi-tenant capability built for distributed global enterprises and MSPs with support for an effectively unlimited number of remote users.

Feature: New Prisma Access locations With Local Zones (March 30, 2023)
Description: Prisma Access adds locations that are in local zones. These locations have their own compute locations. The following locations are supported:
• Australia West (Perth)
• US-Central (Chicago)
• US-Southeast (Miami)
You onboard local zones in the same way as any other Prisma Access location, and the local zones are available in Mobile Users—GlobalProtect, Remote Network, and Service Connection deployments. The local zone locations are denoted with two asterisks for Panorama Managed deployments and are denoted as a Local Zone in Cloud Managed deployments.
Keep in mind the following guidelines when deploying local zones:
• Local zone locations do not use Palo Alto Networks registered IP addresses.
• 1 Gbps remote networks are not supported.
• Remote network and service connection node redundancy across availability zones is not available if you deploy them in the same local zone, as both nodes are provisioned in a single zone.
• These local zones do not use Palo Alto Networks registered IPs. If you have problems accessing URLs, report the website issue using https://reportasite.gpcloudservice.com/ or reach out to Palo Alto Networks support.

Feature: Support for RFC 6598 Addresses in Prisma Access Infrastructure IP Addresses (March 30, 2023)
Description: If your enterprise uses RFC 6598 IP addresses as a part of your enterprise routable address space, you can use that address space in the following Prisma Access infrastructure IP addresses:
• Secure Inbound Access to Remote Network Locations (supported with Prisma Access 4.0)
• Overlapping Subnets with Remote Network Locations (supported with Prisma Access 4.0)
• Traffic Steering (supported with Prisma Access 4.0)
• Infrastructure subnet IP addresses (introduced in Prisma Access 3.1.2 Innovation and supported in Prisma Access 4.0)
• IP address pools used in Mobile Users—GlobalProtect deployments (introduced in Prisma Access 3.1.2 Innovation and supported in Prisma Access 4.0)
• Static subnets used for service connections and remote networks (introduced in Prisma Access 3.1.2 Innovation and supported in Prisma Access 4.0)
To enable the use of 100.64.0.0/10 addresses in infrastructure addresses, reach out to your Palo Alto Networks account representative or partner and submit a request.
Clientless VPN is not supported with RFC 6598 addresses.

Feature: New and Updated Prisma Access Locations (March 30, 2023)
Description:

New Prisma Access Locations
To better accommodate worldwide deployments and provide enhanced local coverage, Prisma Access adds the following new locations:
• Ghana (added to the Europe Northwest compute location)
• Guatemala (added to the US East compute location)
• Latvia (added to the Belgium compute location)
• US Central West (added to the new US Central West compute location)
• Uruguay (added to the South America West compute location)
• Uganda (added to the Switzerland compute location)

New Explicit Proxy Locations
Prisma Access supports the following new locations for explicit proxy:
• US Central West
• Poland
• Israel

New and Renamed Prisma Access Compute Locations and Remapped Locations
To better optimize performance of Prisma Access, we've made these updates to compute locations:
• (Remapped) Poland—The Poland location is moving to the Europe Central (Warsaw) compute location.
• (New) US Central West—The new US Central West location uses the US Central West compute location.
New deployments have the new remapping applied automatically. If you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location.

Changes to Default Behavior


Where Can I Use This?
• Prisma Access (Cloud Management)
• Prisma Access (Panorama Managed)

What Do I Need?
• Prisma Access license
• Minimum Required Prisma Access Version 4.0 Preferred

The following table details the changes in default behavior for Prisma Access version 4.0
Preferred.

Component Change

Component: Remapped Poland Location
Change: To better optimize performance of Prisma Access, starting with the Prisma Access 4.0 infrastructure upgrade, the Poland location is remapped to the Europe Central (Warsaw) compute location.
This remapping applies to all existing Prisma Access deployments, even if you have not installed the Cloud Services plugin 4.0. Your current compute location-to-location mapping is not affected; however, if you have an existing Prisma Access deployment that uses one of these locations and you want to take advantage of the remapped compute location, follow the procedure to add a new compute location to a deployed Prisma Access location. New deployments have this mapping applied automatically.

Component: Bulk Import of Remote Networks
Change: The number of remote networks that you can onboard in bulk using a CSV file has changed from 1000 to 100.

Prisma Access Known Issues


Where Can I Use This?
• Prisma Access (Panorama Managed)

What Do I Need?
• Prisma Access license
• Minimum Required Prisma Access Version 4.0 Preferred

Prisma Access has the following known issues.

Issue ID Description

ADI-20366: To use ZTNA Connector on a Panorama Managed Prisma Access tenant, you must file a support ticket to get the feature enabled. The feature is enabled by default on Cloud Managed Prisma Access tenants that have been upgraded to Prisma Access 4.0.

ADI-20335: If you use RFC 6598 addresses in your environment and want to set up ZTNA Connector on a Cloud Managed Prisma Access tenant, you must file a ticket to enable the functionality to define IP pools to reserve for Prisma Access to enable connectivity to your connector VMs and your apps.

CYR-33199: Current user counts and 90 day user counts are not correct for Kerberos authenticated users.

CYR-33180: In order to use the Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security feature, you must onboard at least one mobile user gateway.

CYR-32888: On macOS endpoints running Safari and connected to Prisma Access in Tunnel and Proxy mode or proxy mode, browsing through explicit proxy is slow.
Workaround: Remove any references to isResolvable() in your PAC file.

CYR-32713: ZTNA Connector can fail to retrieve the correct DNS configuration, which causes ZTNA connector traffic to fail, when the following conditions apply:
• When the first application is onboarded in ZTNA connector
• When all applications are removed (deboarded) from ZTNA Connector
Workaround: Refresh the GlobalProtect connection to get correct DNS server configuration. In the case of all applications going down for a tenant, refresh the GlobalProtect again when some or all applications in ZTNA connector are back up.

CYR-32564: ZTNA Connector app traffic is detected as a threat and dropped for Prisma Access Cloud Management if the default URL category is used.
Workaround: Perform one or more of the following steps as required:
1. Create a custom URL category and add application FQDNs for the onboarded applications for ZTNA connector.
2. If you are using a default profile group, clone a new group and attach the custom URL category you created in Step 1. If you are using a custom profile group, attach the custom URL category you created in step 1.
3. Make sure that you attach either the cloned profile group or the custom profile group (from step 2) to the security policy you created to allow traffic destined to ZTNA connector applications.

CYR-32517: If you deploy a mobile users location that already has a location deployed in the same compute location, you might receive only one public IP address for the newly-deployed location instead of two.
Workaround: Enable the IP Allow Listing feature to receive more than one IP address.

CYR-32511: You can configure IPv6 DNS addresses even if IPv6 is disabled.

CYR-32191: ZTNA Connector is not supported in multitenant environments.

CYR-32188: In Prisma Access Insights, the Connector Availability graph for a given ZTNA Connector will not show up if the IPSec tunnel between the connector and the ZTNA Tunnel Terminator (ZTT) has been up without interruption for the last 24 hours. The Connector Availability graph shows up only if the tunnel has gone down at least once within the last 24 hours.

CYR-32170: When using ZTNA Connector, diagnostic tools such as ping, traceroute and nslookup that are accessible from the ZTNA Connector UI Connectors > Actions > Diagnostics icon are not functional.

CYR-32006: When using Dynamic DNS (DDNS) registration using the Cloud Services plugin 3.2, nsupdate commands are not working as expected, which causes issues with DDNS update queries.

CYR-32004: Due to a limitation in the number of IPSec profiles currently supported in Prisma Access, when deploying ZTNA Connector you can onboard a maximum of 100 connector VMs per tenant.

CYR-31623: Only one Panorama HA pair can be associated with a CDL instance.

CYR-31603: ZTNA Connectors with two interfaces are not supported in a Connector Group enabled for AWS Auto Scale. This is due to an AWS Auto Scale group limitation that ties both interfaces to the same subnet. See this article for details.
Workaround: ZTNA Connectors with two interfaces are supported in Connector Groups that are not enabled for AWS Auto Scale. Ensure that all ZTNA Connectors with two interfaces are contained in a Connector Group that is not enabled for AWS Auto Scale.

CYR-31205: In mobile user deployments for GlobalProtect in Tunnel and Proxy mode or proxy mode, commit will fail if you don't attach either a SAML or Kerberos authentication profile in your explicit proxy configuration even if you enable Use GlobalProtect Agent to Authenticate.

CYR-31187: In order to use the Prisma Access Explicit Proxy Connectivity in GlobalProtect for Always-On Internet Security functionality, the default PAC file URL does not populate properly unless you do a commit and push to both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy.
Workaround: Make sure you Commit and Push to both Mobile Users—GlobalProtect and Mobile Users—Explicit Proxy when configuring Prisma Access Explicit Proxy connectivity in GlobalProtect.

CYR-30504: In some cases, attempts to retrieve aggregate bandwidth statistics are timing out.
Workaround: Try again, or go to Prisma Access Insights to view the aggregate bandwidth statistics.

CYR-30434: Renaming an authentication profile immediately after creating it causes a new authentication profile to be created.
Workaround: Do not make changes to a profile immediately after creating it.

CYR-30044: Predefined EDLs aren't being populated in the Block Settings list in a new Explicit Proxy deployment.
Workaround: Onboard your Explicit Proxy deployment, do a Commit and Push, and then go back and update the EDL in your Block Settings.

CYR-29964: Attempts to reuse a certificate signing request (CSR) to generate a certificate result in a "Requested entity already exists" error.
Workaround: Do not reuse CSRs.

CYR-29933: Attempts to use the verdicts:all -X "DELETE" API call more than one time per hour result in the {"code" :8, "message" : "Too many requests" error.
Workaround: Do not use this API call more than one time per hour.

CYR-29700: If you configure multiple GlobalProtect portals in a Prisma Access Panorama Managed multitenant deployment, committing changes on a per-username basis fails with a "global-protect-portal-8443 should have the value "GlobalProtect_Portal_8443" but it is [None]" error.
Workaround: If you have enabled multiple GlobalProtect portals and have a Prisma Access multi-tenant deployment, perform Commit All commit operations instead of committing on a per-user basis.

Prisma Access Addressed Issues


Where Can I Use This?
• Prisma Access (Panorama Managed)

What Do I Need?
• Prisma Access license
• Minimum Required Prisma Access Version 4.0 Preferred

The following topics describe issues that have been addressed in Prisma Access 4.0.

Prisma Access 4.0.0-h51 Addressed Issues


Issue ID Description

CYR-35078: Fixed an issue where an internal DNS domain could not be set and the following message was displayed: Invalid wildcard domain name. The domain name can have only one asterisk in the first position.

CYR-34966: Fixed an issue where remapped compute locations did not display in the QoS settings for remote networks under Customize Per Site.

CYR-34616: Fixed an issue where the Panorama > QoS Statistics page displayed an inflated number of dropped packets.

CYR-34429: Fixed an issue where local commits were failing after an upgrade to the 4.1.0 Cloud Services plugin.

CYR-34328: Fixed an issue where the Prisma Access UI was loading due to feature flags not being present in the setup.

CYR-34118: Fixed an issue where, if using Explicit Proxy in multitenant mode and after upgrading to 3.2.0+ plugin, Block Settings and Authentication Settings migrations did not take place.

CYR-34053: Fixed an issue where, after a compute location was remapped, remote network QoS settings could not be applied to the remapped compute location.

CYR-33969: Fixed an issue where a Mobile Users—GlobalProtect configuration was deleted without the plugin user having deleted the configuration.

CYR-33930: Fixed an issue where an IPv4 validator was used for IPv6 IP address validation in the Mobile Users DNS setting.

CYR-33805: Fixed an issue where the Remote Networks and Mobile Users text in the Multi Tenant creation window was misaligned and did not properly indicate which component the allocation charts were for.

CYR-33202: Fixed an issue where 127.0.0.1 was allowed to be entered for internal DNS resolution settings.

CYR-25509: Fixed an issue where an unsupported debug command was exposed.

Prisma Access 4.0.0-h41 Addressed Issues


Issue ID Description

CYR-33844: Fixed an issue where the following Cloud Services plugin builds were not compatible with the following M-series Panorama devices:
• 4.0.0-h23
• 4.0.0-h20
• 4.0.0-h8
• 3.2.1-h48
• 3.2.1-h41
• 3.2.0-h55

CYR-33781: Fixed an issue where a commit failure was received when using the Explicit Proxy Trusted Source Address feature and upgrading from the 3.2.1 Cloud Services plugin to a 4.0 plugin.

CYR-33757: Fixed an issue in the Traffic Steering Rule Source tab where clicking on a Source Address or Address-Group in the drop-down list caused an incorrect item in the list to be selected.

CYR-33695: Fixed an issue where traffic steering rules could not be disabled or moved, and in other cases, a No object to edit in move handler error was encountered and no changes could be applied to the traffic steering rule.

CYR-33202: Fixed an issue where 127.0.0.1 was allowed to be entered for internal DNS resolution settings.

CYR-32221: Fixed an issue where, after clicking on the Connection Name of a Remote Network and then returning back to the previous page, the Peer IP Address displayed as Loading.

CYR-32186: Fixed an issue where a Permission Denied error was received when attempting to delete a remote network.

Prisma Access 4.0.0-h23 Addressed Issues


Issue ID Description

CYR-33066: Fixed an issue where, when setting up traffic replication, an error was received if the Member/User field was longer than 31 characters.

CYR-32488: Fixed an issue where ADEM could not be enabled at a remote network compute location, even though the ADEM-AIOPS license was enabled.

Prisma Access 4.0.0-h20 Addressed Issues


Issue ID Description

CYR-31535: Fixed an issue where the ADEM-AIOPS SKU did not display in the multi-tenant web interface.

CYR-30517: Fixed an issue where the maximum number of IKE peers per IPSec termination node was not enforced using a validation check.

CYR-27018: Fixed an issue where the Cloud Services Plugin was not able to send dynamic updates requests using nsupdate to the external DNS server.

Prisma Access 4.0.0-h8 Addressed Issues


Issue ID Description

CYR-31173: Fixed an issue where, when exporting CSV data for all active mobile users, data for only 9000 users was exported instead of for all users.

CYR-29945: Fixed an issue where Clientless VPN was getting enabled every time the cloud configuration was updated, causing commit to fail.

CYR-23502: Fixed an issue where, when downloading current mobile user information from locations in the Japan Central compute location, the downloaded CSV information differed from the results obtained in the UI.

Prisma Access 4.0 Addressed Issues


Issue ID Description

CYR-31236: Fixed an issue where the SSH Management Profiles Settings tab was missing from templates.

CYR-30842: Fixed an issue where the GlobalProtect App Log certificate was not getting renewed in Panorama.

CYR-30729: Fixed an issue where commit was failing when Clientless VPN and multiple portals were both enabled.

CYR-30586: Fixed an issue where, after enabling X-Authenticated-User (XAU) header on incoming HTTP/HTTPS requests for Identity, the XAU checkbox was deselected.

CYR-30208: Fixed an issue where a commit on a new Panorama appliance with Explicit Proxy configuration failed with a 'missing users' error.

CYR-29809: Fixed an issue where, if the user onboarded mobile users locations and did not choose any locations to be selected on the Manual Gateway Locations tab, subsequent local commits on the Panorama appliance were failing with the 'Failed to find any locations in path: cloud_services/mobile-users/onboarding/entry/manual-gateway/region/entry/locations/memberregions validation for manual-gateway failed for Mobile Users.Failed plugin validation' error.

CYR-29464: Fixed an issue where the Peer IP Address did not display in a multitenant deployment.

CYR-29431: Fixed an issue where an extra SAML IdP configuration was added to the Mobile User Gateway configuration, causing the commit to fail with the error 'interface '-' is not a valid reference'.

CYR-29421: Fixed an issue where modifying the Mobile User GlobalProtect gateway configuration to use a SAML IdP authentication profile and clicking okay caused an extra configuration to be added to Panorama, which also caused commit to fail with the error 'interface '-' is not a valid reference'.

CYR-29160: Fixed an issue where the GlobalProtect App Log cert was not getting saved when Panorama was in FIPS-CC mode.

Panorama Support for Prisma Access 4.0 Preferred

Where Can I Use This?
• Prisma Access (Panorama Managed)

What Do I Need?
• Prisma Access license
• Minimum Required Prisma Access Version 4.0 Preferred

If you're using Panorama to manage Prisma Access, Prisma Access 4.0 Preferred requires that you:
1. Review the required software versions for Panorama to support Prisma Access 4.0 Preferred
2. Determine the upgrade path you'll need to follow for the Cloud Services Plugin
3. Upgrade the Cloud Services Plugin


Required Software Versions for Panorama Managed Prisma Access (4.0 Preferred)

Where Can I Use This?
• Prisma Access (Panorama Managed)

What Do I Need?
• Prisma Access license
• Minimum Required Prisma Access Version 4.0 Preferred

The Cloud Services plugin 4.0 requires the following minimum software versions for Panorama
and GlobalProtect.
If you have a Cloud Managed Prisma Access deployment, plugin upgrades are not required;
however, the GlobalProtect versions apply to both Panorama and Cloud Managed versions of
Prisma Access.

Software Version: 4.0 Preferred

Minimum Required Panorama Version:
• PAN-OS 11.0
• PAN-OS 10.2.3 or a later PAN-OS version of 10.2
• PAN-OS 10.1.7 or a later PAN-OS version of 10.1
You must have a Panorama appliance running 10.2 to take advantage of the 10.2 features in
Prisma Access.

Minimum Required GlobalProtect Version:
Any GlobalProtect version that is not End-of-Life (EoL) is supported for use with Prisma
Access.


Upgrade Considerations for Panorama Managed Prisma Access (4.0 Preferred)

Where Can I Use This?
• Prisma Access (Cloud Management)
• Prisma Access (Panorama Managed)

What Do I Need?
• Prisma Access license
• Minimum Required Prisma Access Version 4.0 Preferred

An infrastructure and dataplane upgrade is required for all upgrades from an existing Panorama
Managed Prisma Access version to 4.0 Preferred, including if you are upgrading from 3.2
Innovation or 3.2.1 Innovation to 4.0 Preferred. After you download and install the Cloud Services
plugin 4.0, you receive all supported features in Prisma Access to date, including all previous
Innovation and Preferred features along with the new features introduced in 4.0 Preferred. If
you are running a Prisma Access (Panorama Managed) deployment, Palo Alto Networks will make
the Cloud Services plugin 4.0 available for you to download and install after Palo Alto Networks
upgrades your dataplane.

The Cloud Services plugin version 4.0 supports 10.0.8 and 10.1.3-based Prisma Access
dataplane versions; however, not all new features in the plugin are supported until your
dataplane has been upgraded to PAN-OS version 10.2.4.

• To find the dates for the infrastructure upgrade, check the calendar in the Prisma SASE status
page, which shows you when infrastructure upgrades occur.
• To find the dates for the dataplane upgrade for your deployment, be sure that you have
subscribed to Insights alerts from Prisma Access. Emails sent from Insights inform you of the
time of the upgrade and its progress after it begins.
To upgrade your Cloud Services plugin to Prisma Access 4.0 Preferred, use one of the following
upgrade paths. To find your current plugin version in Panorama, select Panorama > Cloud
Services > Configuration > Service Setup and check the plugin version in the Plugin Alert area.
Be sure to follow the minimum Panorama versions for each plugin version during the upgrade (for
example, only Cloud Services plugin versions 4.0, 3.2, and 3.1.0-h50 or later support a Panorama
running 10.2.3 or later, and you should not upgrade your Panorama to PAN-OS 10.2.3 until after
you upgrade your Cloud Services plugin to these minimum versions).

Installed Cloud Services Plugin Version: Releases earlier than 2.2 Preferred
Targeted 4.0 Plugin Version: 4.0 Preferred
Upgrade Path:
1. Upgrade your deployment to Prisma Access 2.2 and commit and push your changes.
   If your deployment is on a version of Prisma Access that is earlier than 2.2 Preferred,
   you must first upgrade to 2.2 before you can upgrade to 3.2. Upgrades from 2.0 or 2.1
   versions of Prisma Access are not supported.
2. Upgrade your deployment to Prisma Access 3.0 and commit and push your changes.
3. Upgrade your deployment to Prisma Access 3.1 and commit and push your changes.
4. Upgrade your deployment to either Prisma Access 3.2 or 3.2.1 and commit and push your
   changes.
5. Upgrade your deployment to Prisma Access 4.0 and commit and push your changes.

Installed Cloud Services Plugin Version: 2.2 Preferred
Targeted 4.0 Plugin Version: 4.0 Preferred
Upgrade Path:
1. Upgrade your deployment to Prisma Access 3.0 and commit and push your changes.
2. Upgrade your deployment to Prisma Access 3.1 and commit and push your changes.
3. Upgrade your deployment to either Prisma Access 3.2 or 3.2.1 and commit and push your
   changes.
4. Upgrade your deployment to Prisma Access 4.0 and commit and push your changes.

Installed Cloud Services Plugin Version: 3.0 Preferred
Targeted 4.0 Plugin Version: 4.0 Preferred
Upgrade Path:
1. Upgrade your deployment to Prisma Access 3.1 and commit and push your changes.
2. Upgrade your deployment to either Prisma Access 3.2 or 3.2.1 and commit and push your
   changes.
3. Upgrade your deployment to Prisma Access 4.0 and commit and push your changes.

Installed Cloud Services Plugin Version: 3.1 Preferred
Targeted 4.0 Plugin Version: 4.0 Preferred
Upgrade Path:
1. Upgrade your deployment to either Prisma Access 3.2 or 3.2.1 and commit and push your
   changes.
2. Upgrade your deployment to Prisma Access 4.0 and commit and push your changes.
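
A pre-upgrade check built from the upgrade path table and the Panorama ordering rule above, as an added example rather than Palo Alto Networks tooling. The version-string format (X.Y[.Z][-hN]), the function names, and the sample inputs are assumptions; 3.2.1 can stand in for the 3.2 step, as the table allows.

```python
import re

# Sequential plugin releases taken from the upgrade path table.
CHAIN = [(2, 2), (3, 0), (3, 1), (3, 2), (4, 0)]
# The table states that upgrades from 2.0 or 2.1 are not supported.
UNSUPPORTED_START = {(2, 0), (2, 1)}
# Earliest plugin build the page lists as supporting Panorama 10.2.3 or later.
MIN_PLUGIN_FOR_PANOS_10_2_3 = (3, 1, 0, 50)


def parse_version(text):
    """Parse 'X.Y[.Z][-hN]' into (major, minor, patch, hotfix).

    The string format is an assumption; missing fields count as 0.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-h(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(g) if g else 0 for g in m.groups())


def plan_upgrade(installed_plugin):
    """Return the plugin releases to install, in order, to reach 4.0.

    Each returned step is followed by a commit and push, per the table.
    """
    major_minor = parse_version(installed_plugin)[:2]
    if major_minor in UNSUPPORTED_START:
        raise ValueError("upgrades from 2.0 or 2.1 are not supported")
    return [f"{a}.{b}" for a, b in CHAIN if (a, b) > major_minor]


def panorama_upgrade_allowed(plugin, target_panos):
    """False when moving Panorama to 10.2.3 or later would come before
    the plugin upgrade that the page requires first.

    Only the one ordering rule stated on the page is checked.
    """
    if parse_version(target_panos)[:3] < (10, 2, 3):
        return True
    return parse_version(plugin) >= MIN_PLUGIN_FOR_PANOS_10_2_3


if __name__ == "__main__":
    # Constructed sample: plugin 3.0 installed, Panorama upgrade to 10.2.4 planned.
    print(plan_upgrade("3.0"))                        # remaining plugin steps
    print(panorama_upgrade_allowed("3.0", "10.2.4"))  # plugin must be upgraded first
```
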


Upgrade the Cloud Services Plugin (4.0 Preferred)


Where Can I Use This?
• Prisma Access (Panorama Managed)

What Do I Need?
• Prisma Access license
• Minimum Required Prisma Access Version 4.0 Preferred

Use the following procedure to upgrade the Cloud Services plugin.


Prisma Access uses the Cloud Services plugin in Panorama to activate its functionality.
For a list of the Panorama software versions that are supported with Prisma Access, see Minimum
Required Panorama Software Versions in the Palo Alto Networks Compatibility Matrix.
Before you upgrade the plugin, remove any non-Prisma Access templates from Prisma Access
template stacks to avoid commit validation errors after upgrade and make sure that the Panorama
that manages Prisma Access is running a supported PAN-OS version.
Use one of the following tasks to download and install the Cloud Services plugin.

HA Deployments Only—If you have two Panorama appliances configured in High Availability
(HA) mode, install the plugin on the Primary HA pair first, then the Secondary.

STEP 1 | Determine the upgrade path for the plugin to which you want to upgrade.
For some upgrade paths, you need to upgrade your plugin sequentially. For example, to
upgrade from a 2.2 Preferred plugin to a 4.0 plugin, you must first perform interim upgrades to
2.2, 3.0, and 3.1 before upgrading to 4.0.


STEP 2 | Download and install the Cloud Services plugin versions you require.
• To download and install the Cloud Services plugin by downloading it from the Customer
Support Portal, complete the following steps:
   1. Log in to the Customer Support Portal and select Software Updates.
   2. Find the Cloud Services plugin in the Panorama Integration Plug In section and
      download it.

      Do not rename the plugin file or you will not be able to install it on Panorama.

   3. Log in to the Panorama Web Interface of the Panorama you licensed for use with
      Prisma Access, select Panorama > Plugins > Upload, and Browse for the plugin File
      that you downloaded from the CSP.
   4. Install the plugin.
• To download and install the new version of the Cloud Services plugin directly from
Panorama, complete the following steps:
   1. Select Panorama > Plugins and click Check Now to display the latest Cloud Services
      plugin updates.
   2. Download the plugin version you want to install.
   3. After downloading the plugin, Install it.

STEP 3 | Commit > Commit and Push your changes.

Getting Help
Where Can I Use This?
• Prisma Access (Cloud Management)
• Prisma Access (Panorama Managed)

What Do I Need?
• Prisma Access license
• Minimum Required Prisma Access Version 4.0 Preferred

The following topics describe where to find more information about this release and how to
request support:
• Related Documentation
• Requesting Support


Related Documentation
Use the following documents to set up and implement your Prisma Access deployment:
• Use the Prisma Access Administrator’s Guide to plan, install, set up, and configure Prisma
Access to secure your network.
• Use the vendor-specific tasks in the Prisma Access Integration Guide to use Prisma Access to
configure mobile user authentication and secure your public cloud and third-party SD-WAN
deployments.
• Use the Cortex Data Lake Getting Started Guide to learn how to deploy Cortex Data Lake and
begin forwarding logs from your on-premise firewalls to Cortex Data Lake.
Visit https://docs.paloaltonetworks.com for more information on our products.


Requesting Support
To contact support, get information on support programs, manage your account or devices,
or open a support case, go to https://support.paloaltonetworks.com.
To provide feedback on the documentation, please write to us at:
documentation@paloaltonetworks.com.


© 2022 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto
Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/
company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies.
