What's New in 2025 (Network Intercept)

Learn what's new on Prisma AIRS AI Runtime: Network intercept in 2025.

Feature
Description
Overlay Routing Support for EKS Traffic
Released in August
The overlay routing feature eliminates traffic hairpinning by enabling direct egress from Prisma AIRS AI Runtime: Network intercept to next-hop destinations, like the Internet Gateway (IGW) and NAT Gateways. This prevents double inspection of traffic, reducing latency, bandwidth utilization, and resource consumption. Prisma AIRS can now function as a NAT gateway, consolidating security inspection and network address translation into a single component while maintaining comprehensive security for containerized workloads.
Granular Kubernetes Security with Traffic Steering Inspection
Released in August
Protect your containerized applications with precision through namespace-level traffic steering, a capability that refines security controls beyond all-or-nothing traffic inspection. You can now selectively choose which traffic flows to inspect or bypass based on CIDR ranges within individual Kubernetes namespaces. This addresses previous limitations, enabling a more optimized security posture where critical traffic is thoroughly examined, while known benign traffic can bypass inspection, improving performance and resource utilization without compromising security for your Kubernetes workloads.
For implementation details, refer to the deployment workflow specific to your cloud environment.
Serverless Function Discovery for Azure and AWS
Released in August
Discover and protect your serverless workloads by defining application boundaries specifically for them during cloud account onboarding in Azure and AWS environments. You can now view these discovered serverless resources on your application dashboard alongside your existing virtual machine and container workloads, enabling unified visibility across all your cloud compute types. You can then deploy firewall protection to these serverless functions through the same streamlined, Terraform-based workflow you use for other cloud assets. This enhancement ensures comprehensive security coverage for your evolving cloud-native architectures, providing consistent management and deployment for all your diverse cloud applications.
Refine Cloud Application Discovery for Enhanced Security
Released in August
Gain granular control over cloud asset discovery and application organization beyond traditional VPC boundaries using tags, subnets, and namespaces.
This feature provides enhanced application definition options during the cloud account onboarding process. It allows you to define precise application boundaries, moving beyond the limitations of Virtual Private Cloud (VPC)-based definitions. By leveraging cloud-native constructs such as tags, subnets, and namespaces, you can now accurately organize and map your applications across various compute resources, including container workloads, virtual machines, and serverless functions. This approach aligns with modern, dynamic cloud application architectures.
Deploy a VM-Series Firewall from Strata Cloud Manager for Centralized Firewall Management
Released in August
Streamline the deployment and monitoring of your security infrastructure with unified capabilities for VM-Series firewalls directly within Strata Cloud Manager. The security dashboard now consolidates threats detected by both VM-Series firewalls and the Prisma AIRS AI Runtime: Network intercept, providing a single, unified security operations experience.
You can deploy a VM-Series firewall from Strata Cloud Manager using the same workflow as the Prisma AIRS AI Runtime: Network intercept to simplify and accelerate your deployment process. Enhanced application details provide clear insights into network traffic flow paths and indicate which firewall platform protects each application, displaying both the firewall serial number and firewall type (VM-Series or Prisma AIRS AI Runtime: Network intercept).
Secure Custom AI Models on Private Endpoints
Released in August
You can now extend AI security inspection to Large Language Models (LLMs) hosted on privately managed endpoints. This feature allows you to secure traffic to custom models, even when their endpoints or input/output schemas are not publicly known. By enabling this support within your AI security profile, all traffic that matches a security policy rule will be forwarded to the AI cloud service for threat inspection, regardless of whether the model is a well-known public service or a custom-built private one. This ensures comprehensive security for your entire AI ecosystem, including models deployed on private endpoints within your infrastructure.
Unified AI Security Monitoring in Panorama
Released in July
Panorama threat logs (Monitor > Threat) now include an additional AI security report tab to display comprehensive AI security threat logs forwarded by Prisma AIRS AI Runtime: Network intercept managed by Panorama. This gives you enhanced visibility into AI model protection, AI application protection, and AI data protection threats detected based on your AI security profile configurations. You can also filter logs by the `ai-security` threat type when configuring log forwarding profiles or building custom reports, enabling targeted analysis and streamlined security operations for AI-specific threats.
Multi-region support for Prisma AIRS AI Runtime: Network Intercept
Released in July
Prisma AIRS AI Runtime: Network intercept now supports deployment across multiple regions, including US, UK, India, Canada, and Singapore. This expansion allows you to deploy the AI firewalls on tenant service groups (TSG) in your preferred regions.
Streamline AWS Security: Non-Inline Traffic Visibility and Protection with AWS SLR
Released in June
Introducing Security Lifecycle Review (SLR) for AWS, providing comprehensive visibility, control, and protection without requiring the deployment of an inline firewall. The Prisma AIRS AI Runtime: Network intercept, deployed in the SLR mode, protects your inbound, outbound, and east-west traffic using mirrored traffic between the application Elastic Network Interfaces (ENIs).
To get started:
  • Onboard a cloud account in Strata Cloud Manager.
  • Generate a deployment Terraform for SLR in Strata Cloud Manager.
  • Apply Terraform in AWS to deploy Prisma AIRS: Network intercept in SLR mode.
  • Download and assess the SLR report.
  • View the SLR-generated threat logs in the Strata Cloud Manager log viewer.
Upgrade Prisma AIRS AI Runtime: Network Intercept
Released in April
Prisma AIRS: Network intercept now supports multiple upgrade paths to maintain protection against AI threats. You can update firewall images (*.aingfw) through the PAN-OS interface, CLI commands, or Panorama. The dedicated *.aingfw format ensures compatibility with Prisma AIRS environments, protecting AI workloads while simplifying security operations.
Broaden Prisma AIRS AI Runtime: Network intercept Security for Private Clouds
Released in April
Introducing Prisma AIRS AI Runtime security for private clouds. Secure AI workloads that run on private clouds, such as ESXi and KVM-based servers, and interact with public cloud LLM models.
You can manually deploy and bootstrap the Prisma AIRS AI Runtime: Network intercept in private cloud environments. The firewall can be managed by Strata Cloud Manager or Panorama.
Prisma AIRS AI Runtime: Network Intercept Managed by Panorama
Released in February
You can now manage and monitor your AI firewalls with Panorama.
AI security policy and logs can also be defined and observed on Panorama. This integration allows you to leverage Panorama as the central management platform for your Prisma AIRS AI Runtime: Network intercept. All AI security threat logs are forwarded to Panorama under Monitor > Threat, providing a consolidated view of your AI security posture.