Prisma AIRS
AI Runtime Firewall
These are the new features available for the Prisma AIRS AI Runtime firewall.
Multi-Cloud Security Fabric | November 2025
You can use Multi-Cloud Security Fabric (MSF) Deployment to fully automate the deployment of
Prisma AIRS and VM-Series firewall instances along with the complete networking infrastructure
required for traffic redirection across your cloud environments. This feature
eliminates the manual work of creating security VPCs in AWS or VNets in Azure,
configuring load balancers, setting up subnets, and orchestrating cloud-native
routing elements that was previously required when using basic Terraform templates
from Strata Cloud Manager.
The automation handles multiple traffic flow scenarios including east-west
flows within VPCs or VNets, between VPCs in single regions, across different regions
in the same or multiple clouds, and north-south flows for internet egress traffic.
You can deploy firewalls in any region regardless of where your applications are
located, and the system automatically establishes the necessary tunnels, route
tables, and cloud-native elements to ensure traffic reaches the appropriate firewall
instances for inspection.
You benefit from this feature when you need to secure complex multi-cloud
architectures without investing significant time in manual network configuration.
The automated deployment reduces the risk of configuration errors that can occur
when manually setting up VPC peering, transit gateway routing, and cross-account
connectivity. You can redirect traffic from discovered applications with minimal
clicks while maintaining visibility into all orchestration changes through both
cloud dashboards and SCM.
The feature supports both new deployments, where new security infrastructure
is created, and existing environments, where you can integrate existing VM-Series
firewalls into the automated traffic paths. You maintain control over the deployment
process with options to opt out of automatic networking setup if you prefer to
handle routing configuration manually or if you have existing networking
arrangements that should remain unchanged.
You can initiate deployments either from the Cloud Asset Map page where application
context is automatically populated, or through the traditional deployment interface
where you manually specify source and target details. The system minimizes traffic
disruption by establishing tunnels before modifying route tables and provides
end-to-end path tracing capabilities to validate traffic flows before and after
firewall insertion.
Secure Private Cluster with Prisma AIRS | November 2025
You can now deploy and manage security infrastructure for private Kubernetes clusters and across
multiple cloud accounts using the enhanced deployment service on Strata Cloud
Manager. This feature addresses the need to secure private cluster traffic that
cannot be accessed directly from the public internet, while providing the
flexibility to deploy application workloads and security components in separate
accounts managed by different teams within your organization.
When you deploy Kubernetes workloads in private clusters, you can now use
AIRS or VM-Series firewalls for traffic inspection through an enhanced Tag Collector
deployment in your AWS or Azure environments. The Tag Collector
connects to your private clusters to collect IP-tag information and forwards this
data to the Cloud IP-Tag Service, enabling the Discovery service to maintain
visibility into your container workloads. The generated Terraform templates
accommodate both tag collection and traffic inspection from private clusters,
eliminating the previous limitation that required public cluster endpoints.
You can select applications across multiple cloud accounts and deploy
firewalls in different accounts than your application infrastructure. On AWS, the
solution uses Resource Access Manager to share Transit Gateways across accounts,
enabling the Tag Collector to collect IP-tags from private clusters and forward
traffic to AIRS for inspection. Gateway Load Balancer service principals expose GWLB
services across accounts for Kubernetes traffic inspection. On Azure, the solution
leverages virtual network peering between the transit VNET and application VNET,
with private DNS zone access enabling tag collection from private AKS clusters.
The Tag Collector automatically discovers clusters within your environment
and generates monitoring definitions for each identified cluster. It continuously
monitors for cluster additions or removals and communicates configuration changes to
the Cloud IP-Tag service.
This enhancement decouples the Tag Collector Terraform templates, allowing
you to deploy them standalone when generated through the deployment service. You
maintain the option to deploy firewalls and Tag Collectors in accounts separate from
your application account, provided those accounts are onboarded to Strata Cloud
Manager.
Discovery Data Deletion | November 2025
You can delete historical discovery data for cloud accounts in Prisma AIRS to meet
data compliance requirements when you need to remove collected asset information,
flow logs, and audit logs from your environment. This feature addresses regulatory
compliance scenarios where you must permanently remove specific data sets while
maintaining operational security coverage. When you initiate discovery data
deletion, the system validates your request and places the cloud account in an
inactive state to prevent new data collection while a background process removes all
associated data from storage systems and discovery databases.
The deletion process handles firewall deployments differently based on their
deployment method. Manually deployed firewalls continue inspecting traffic during
data deletion, ensuring uninterrupted security coverage, while auto-deployed
firewalls stop traffic inspection as the system undeploys them. You must manually
delete the Terraform template associated with the cloud account regardless of
deployment type. For auto-deployed firewalls, deleting the Terraform template
removes the firewall from your deployment, whereas manually deployed firewalls
require separate removal because only the template is deleted. The deletion process
runs asynchronously to maintain system performance; while it runs, you cannot modify
account settings or enable additional monitoring features.
Prisma AIRS maintains audit timestamps throughout the deletion process to track when
deletion was requested and completed, providing the visibility needed for compliance
reporting and data lifecycle management activities. Once deletion completes, the
account remains inactive and no longer collects data until you manually reactivate
it through the cloud account interface in Strata Cloud Manager.
Optimize Egress Traffic for EKS Containerized Workloads | August 2025
The overlay routing feature for EKS traffic allows Prisma® AIRS™ AI
Runtime: Network Intercept to eliminate traffic hairpinning. This is achieved by
enabling direct egress from the intercept to next-hop destinations like Internet
Gateways (IGWs) and NAT Gateways. This new capability prevents traffic from being
double-inspected, which reduces latency, bandwidth usage, and resource
consumption.
With overlay routing, Prisma AIRS can now function as a single component for both
security inspection and network address translation, simplifying the network
architecture. It consolidates these functions into a single step, ensuring
comprehensive security for containerized workloads while maintaining an efficient
and direct traffic flow.
Granular Kubernetes Traffic Inspection at the Namespace Level | August 2025
You can apply granular security controls to containerized applications by managing
traffic inspection at the individual Kubernetes namespace level, moving beyond an
all-or-nothing approach. You can selectively inspect or bypass traffic flows based on
CIDR ranges within specific namespaces. This provides an optimized security posture
where critical traffic is thoroughly examined, while known benign traffic can bypass
inspection. This selective approach helps improve performance and resource
utilization without compromising security for your Kubernetes workloads, enabling more
efficient and effective management of your security posture across diverse
Kubernetes workloads.
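As an added illustration (not Prisma AIRS code, and not its policy format), the model below resolves a flow's namespace and peer address against hypothetical per-namespace CIDR rules in the way this feature describes: the most specific matching prefix decides inspect or bypass, and any flow with no matching rule is inspected, so a mis-scoped bypass range fails closed rather than open.

```python
"""Namespace-scoped inspect/bypass decision model (added example; hypothetical rule format)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    namespace: str                                       # Kubernetes namespace the rule is scoped to
    cidr: ipaddress.IPv4Network | ipaddress.IPv6Network  # peer address range the rule covers
    action: str                                          # "inspect" or "bypass"


# Constructed sample policy: the metrics namespace bypasses inspection for
# internal scrape traffic, except for an admin subnet, which is always inspected.
SAMPLE_RULES = [
    Rule("payments", ipaddress.ip_network("0.0.0.0/0"), "inspect"),
    Rule("metrics", ipaddress.ip_network("10.0.0.0/8"), "bypass"),
    Rule("metrics", ipaddress.ip_network("10.0.99.0/24"), "inspect"),
    Rule("metrics", ipaddress.ip_network("0.0.0.0/0"), "inspect"),
]


def decide(namespace: str, peer_ip: str, rules=SAMPLE_RULES) -> str:
    """Return 'inspect' or 'bypass' for a flow between `namespace` and `peer_ip`.

    Longest matching prefix within the namespace wins. A namespace with no rules,
    or an address outside every rule, defaults to 'inspect' (fail closed).
    """
    addr = ipaddress.ip_address(peer_ip)
    best: Rule | None = None
    for rule in rules:
        if rule.namespace != namespace or rule.cidr.version != addr.version:
            continue
        if addr in rule.cidr and (best is None or rule.cidr.prefixlen > best.cidr.prefixlen):
            best = rule
    return best.action if best is not None else "inspect"


def summarize(flows, rules=SAMPLE_RULES) -> dict[str, int]:
    """Count decisions over (namespace, peer_ip) flow records, e.g. from constructed flow logs."""
    counts = {"inspect": 0, "bypass": 0}
    for namespace, peer_ip in flows:
        counts[decide(namespace, peer_ip, rules)] += 1
    return counts


# Constructed sample flows covering the bypass range, its carve-out, an external
# destination, a fully inspected namespace, and a namespace with no rules at all.
SAMPLE_FLOWS = [
    ("metrics", "10.1.2.3"),
    ("metrics", "10.0.99.7"),
    ("metrics", "203.0.113.5"),
    ("payments", "10.1.2.3"),
    ("unknown", "10.1.2.3"),
]
```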
Secure Serverless Workloads in Cloud Environments | August 2025
Protect your serverless resources in Azure or AWS environments by defining
security boundaries for them during cloud account onboarding. Once defined,
these newly discovered serverless functions become visible on your application
dashboard, integrating with your existing virtual machine and container workloads
for a unified view of your entire cloud environment. This consolidation of
visibility allows you to monitor and manage security for all your compute types from
a single location.
The platform uses the same streamlined workflow you already use for other
cloud assets. By extending this workflow to serverless functions, you can
consistently deploy firewall protection, ensuring comprehensive security coverage as
your cloud-native architectures evolve. This approach provides a repeatable,
automated way to secure your dynamic cloud applications, helping to maintain a
strong security posture without the need for manual, per-resource configurations.
The integration of serverless resources into the centralized dashboard simplifies
management and helps you quickly identify and protect newly deployed functions.
Refine Cloud Application Discovery for Enhanced Security | August 2025
Gain granular control over cloud asset discovery and application
organization using tags, subnets, and namespaces. This feature adds application
definition options to cloud account onboarding, so you can define
precise application boundaries that align with modern, dynamic cloud architectures.
Centralized Firewall Management | August 2025
You can now deploy and manage VM-Series firewalls directly from Strata Cloud Manager, which
streamlines the deployment and monitoring of your entire security infrastructure
from a single, unified interface. This centralized dashboard within Strata Cloud Manager
consolidates threats detected by both VM-Series firewalls and Prisma AIRS AI Runtime:
Network Intercept, giving you a unified view of your security operations.
You can also use the same streamlined workflow to deploy a VM-Series firewall as you
would for other cloud assets. This capability helps you to accelerate your deployment
processes and ensures consistent protection. Enhanced application details provide clear
insights into network traffic flow paths, showing which firewall platform protects each
application and displaying the firewall serial number and type (VM-Series or Prisma AIRS
AI Runtime: Network Intercept).
Secure Custom AI Models on Private Endpoints | August 2025
You can extend AI security inspection to LLMs hosted on privately managed
endpoints or input/output schemas that are not publicly known. By enabling this
support within your AI security profile, all traffic that
matches a security policy rule is forwarded to the AI cloud service for threat
inspection, regardless of whether the model is a well-known public service or a
custom-built private one. This ensures comprehensive security for your entire AI
ecosystem.
The new AI security profile inspects and secures the AI traffic between AI
applications and LLM models that passes through Prisma AIRS AI Runtime: Network Intercept
instances managed by Strata Cloud Manager or Panorama. This profile protects against threats
such as prompt injection and sensitive data leakage.
Gain Visibility into AI Security Threats | July 2025
Gain enhanced visibility into AI-specific threats through an additional AI
security report that displays comprehensive AI security threat logs forwarded
by Prisma AIRS AI Runtime: Network Intercept. This gives you enhanced
visibility into AI model protection, AI application protection, and AI data
protection threats detected based on your AI security profile configurations. You
can also filter logs by the `ai-security` threat type when configuring log
forwarding profiles or building custom reports, enabling targeted analysis and
streamlined security operations for AI-specific threats.
Multi-Region Network Intercept | July 2025
Prisma AIRS AI Runtime: Network Intercept now supports deployment across
multiple regions, including US, UK, India, Canada, and Singapore. This expansion
enables you to deploy Prisma AIRS AI Runtime: Network Intercept instances on tenant
service groups (TSGs) in your preferred regions.
Security Lifecycle Review (SLR) for AWS | June 2025
Gain comprehensive visibility, control, and protection for your AWS
environment without deploying an inline firewall. The Security Lifecycle Review (SLR) for AWS,
available in AI Runtime Security: Network Intercept when deployed in SLR mode,
protects your inbound, outbound, and east-west traffic using traffic mirrored
from the application Elastic Network Interfaces (ENIs). This non-inline
deployment method allows security monitoring and enforcement without altering the
existing data path. The platform can generate detailed reports and threat logs based
on this analyzed traffic, providing insights into potential security incidents.
By leveraging mirrored traffic, you gain crucial threat detection and
prevention capabilities for all directions of traffic flow, without the need to
re-architect your network or introduce latency associated with inline deployments.
This simplifies security operations while enhancing your ability to identify and
respond to threats effectively, all while maintaining the agility of your cloud
environment.
Streamline Upgrades for Prisma AIRS AI Runtime: Network Intercept | April 2025
You can now upgrade your Prisma® AIRS™ AI Runtime: Network Intercept
to maintain protection against AI-specific threats. The platform now supports
multiple upgrade paths, providing flexibility and ensuring continuous security.
The dedicated firewall image format, with a *.aingfw extension, ensures compatibility
with Prisma AIRS environments protecting AI workloads while simplifying security
operations.
Extend AI Security to Private Clouds | April 2025
You can secure and monitor AI workloads that are deployed in private
clouds, such as those built on ESXi and KVM servers. This capability extends protection to your AI applications and
models even when they interact with public cloud Large Language Model (LLM)
providers. By protecting the traffic between your private cloud workloads and
external LLMs, you can safeguard against data exfiltration, prompt injection, and
other threats specific to AI interactions. This functionality is essential for
organizations with hybrid cloud strategies. It ensures that security is not a
barrier to leveraging AI, allowing you to maintain control and visibility over your
AI ecosystem regardless of where your data and applications are located.
To enable this, Prisma AIRS™ AI Runtime: Network Intercept can be
manually deployed and bootstrapped in your private cloud environment. This
deployment provides a crucial security layer for AI workloads that reside outside of
public cloud infrastructure. Once deployed, the firewall can be centrally managed by
either Strata™ Cloud Manager or Panorama, allowing for consistent policy enforcement
and monitoring across your entire network.