What’s New—Autonomous DEM

View the new features added in Autonomous DEM.
Here’s what’s new in Autonomous DEM:

What's New in August 2025

Review features introduced in the ADEM Access Experience Agent 5.7.

Monitor LAN Health When Local Access is Blocked

Requires:
  • Prisma Access license
  • Autonomous DEM license (agent version 5.7 or higher) or Strata Cloud Manager Pro
  • GlobalProtect license 6.3.3 or higher
Autonomous Digital Experience Management (ADEM) is enhanced to monitor LAN health with synthetic tests, even when the GlobalProtect app is configured to block direct access to the local network. This functionality provides the flexibility to maintain the security posture of blocking direct local network access without sacrificing ADEM's critical visibility into LAN performance. You can explicitly configure ADEM to monitor LAN health when local network access is blocked. When ADEM detects that direct access to the local network is disabled in the GlobalProtect app, the ADEM agent runs separate, dedicated processes to collect LAN metrics using TCP connections. Be sure to allowlist these processes in your GlobalProtect app so that the agent can collect LAN metrics.

Reverse DNS Lookup for Path Tracing

Requires:
ADEM enables you to control reverse DNS lookups during path trace monitoring. By default, ADEM attempts to identify the hostname for every IP address it encounters. However, DNS lookups on private IP addresses (RFC 1918) fail to resolve, which adds to DNS traffic. To eliminate this traffic, you can configure ADEM to perform reverse lookups only for public IP addresses, ignoring all private ranges. Alternatively, you can retain the default setting to perform DNS lookups on all IP addresses. This optimization reduces network noise and improves the efficiency of path monitoring.
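
The selection described above, as an added illustration (not Palo Alto Networks code; the function names and the sample hop list are assumptions constructed for this example). Given the hop addresses from a path trace, it builds PTR query names for every hop in the default mode and only for hops outside the RFC 1918 ranges in the public-only mode.

```python
import ipaddress

# The three IPv4 private ranges defined by RFC 1918.
RFC1918_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918_NETS)


def ptr_queries(hops, public_only=True):
    """Map each hop that should get a reverse lookup to its PTR query name.

    hops        -- hop addresses in path order; None marks a hop that did
                   not answer the trace.
    public_only -- hypothetical switch modelling the two modes on the page:
                   True skips RFC 1918 hops, False looks up every hop.
    """
    queries = {}
    for hop in hops:
        if hop is None:
            continue  # nothing to resolve for an unanswered hop
        if public_only and is_rfc1918(hop):
            continue  # private address: skip the lookup that would fail
        # reverse_pointer yields the in-addr.arpa / ip6.arpa query name;
        # the dict also collapses hops that repeat within a trace.
        queries[hop] = ipaddress.ip_address(hop).reverse_pointer
    return queries


# Constructed sample trace: LAN and tunnel hops first, then public hops.
# 172.32.0.1 sits just outside 172.16.0.0/12 and is therefore public.
SAMPLE_HOPS = [
    "192.168.1.1", "10.20.0.1", None, "172.16.5.9",
    "172.32.0.1", "198.51.100.1", "203.0.113.7", "203.0.113.7",
]

if __name__ == "__main__":
    everything = ptr_queries(SAMPLE_HOPS, public_only=False)
    public = ptr_queries(SAMPLE_HOPS, public_only=True)
    print(f"default mode:     {len(everything)} PTR queries")
    print(f"public-only mode: {len(public)} PTR queries")
    for ip, name in public.items():
        print(f"  {ip:15} -> {name}")
```
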

Launch Access Experience from the Prisma Access Agent App

Requires:
  • Prisma Access license
  • Autonomous DEM license (agent version 5.7 or higher) or Strata Cloud Manager Pro
  • Prisma Access Agent license 25.3.1 or higher
The Access Experience icon is integrated directly into the Prisma Access Agent app, giving you a convenient way to get help for connectivity issues, device health assessments, and other common access problems. You no longer need to find and click a separate icon in the Windows system tray or macOS menu bar when you encounter connectivity issues. Instead, simply open the Prisma Access Agent app and access the integrated Access Experience icon, creating a more intuitive workflow for resolving problems. This integration reduces interface clutter and provides a more straightforward path to diagnostic tools.

What's New in July 2025

Enhanced Root Cause Analysis for Application Experience

The root cause analysis for application experience in ADEM is enhanced to provide actionable insights that help resolve application performance issues quickly. ADEM provides granular root cause analysis of application issues by pinpointing the exact source of performance degradation, and it recommends remediation steps. The root cause analysis breaks down application metrics into sub-components to identify precise causes of issues. Application issues are mainly categorized as App Degradation, App Not Reachable, and App Unavailable. For each issue type, ADEM enables you to drill down to identify the potential root causes, degraded reason or error types, and impacted service delivery segments. ADEM also shows tailored remediation steps specific to each identified issue, guiding you through the appropriate actions to resolve problems.
The root cause analysis data is made easy to read using an interactive sunburst chart and companion widgets. The sunburst chart provides a hierarchical view of application issues, progressing from general categories to detailed root causes and error types for straightforward diagnosis. The root cause analysis visualization in ADEM extends across organization, mobile user, remote site, application, user, PA locations, and branch sites. ADEM leverages Real User Monitoring (RUM) data in addition to synthetic metrics for comprehensive root cause analysis where available. These enhancements empower you to diagnose and resolve application issues more efficiently.

What's New in June 2025

Evidence-based Verdict in Access Analyzer

The user access issues query in Access Analyzer is enhanced to show focused insights into user connectivity issues. This enhancement provides new evidence-based verdicts for user access issues. You can now use two distinct user access issues queries:
  • User Issues query: enables you to query the new evidence-based verdict on user access attempts directly from logs. The query result displays aggregated Traffic logs for the past seven days for a matched policy rule along with detailed log sessions for the past 3 hours. The logs provide conclusive historical evidence of a user's access attempts. The query result also shows the threat and URL logs for the traffic generated by the user for the past 3 hours.
  • User Issues (Check Security Policy Only) query: shows the security policy configuration of the rules that denied user access to the specified application domain.
This enhancement empowers you to generate focused reports that are most relevant for your investigations.

What's New in May 2025

Review features introduced in the ADEM Access Experience Agent 5.6.

Real User Monitoring (RUM) for Consumer Browsers

Real User Monitoring (RUM) enhances your ability to monitor and optimize the user experience for web applications. In addition to RUM support for Prisma Access Browsers (PAB), RUM capabilities are extended to consumer browsers such as Google Chrome and Microsoft Edge on managed devices. You can now collect Core Web Vitals metrics from Chrome and Edge browsers on Windows and macOS, providing broader visibility into your users' application experiences.
The feature integrates with your existing ADEM infrastructure, using the GlobalProtect app for authentication and communication. RUM collects and securely processes and stores data, respecting data privacy and residency requirements. Now, with RUM support extending to multiple browsers, you can configure and manage settings at the tenant level, with options to exclude specific users, user groups, or domains from monitoring. Visualize metrics through updated ADEM dashboards, enabling you to analyze performance trends, identify issues, and make data-driven decisions to improve application delivery. RUM data can be combined with the existing Synthetic monitoring for granular root cause analysis of user experience issues.

What's New in April 2025

Review features introduced in the ADEM Access Experience Agent 5.5.

Mobile User and Remote Site Experience Monitoring for NGFWs

Requires:
  • Strata Cloud Manager Pro for NGFW license
  • a firewall running PAN-OS
    • 11.1.9 or a later 11.1 version
    • 11.2.6 or a later 11.2 version
  • For remote sites: a PAN-OS SD-WAN subscription
  • For mobile users: a GlobalProtect license
Autonomous Digital Experience Management (ADEM) now extends its end-to-end application experience and performance monitoring capabilities beyond the SASE platform to next-generation firewalls (NGFWs) for a more comprehensive view into your users’ digital experience.
Now, if you have users connecting to an NGFW with a GlobalProtect Gateway installed, you can run synthetic tests from the user's endpoint to the application to gain visibility into their application experience. The user's experience to applications is visible with hop-by-hop views and segment-wise health, allowing you to identify issues and better target your remediation efforts.
Similarly, if you have an NGFW configured as a branch site using SD-WAN, you can now monitor synthetic tests from the NGFW branch site to the application and take action upon any signs of application experience degradation.
If you have both Strata Cloud Manager Pro for Prisma Access and for NGFW, ADEM can detect and report when a user is connecting to Prisma Access or to an NGFW at a given point in time so that you can easily pinpoint where an experience issue may be occurring.
To get started monitoring mobile user and remote site experience for NGFWs, associate your NGFW with the same tenant as ADEM and begin viewing experience data for your NGFWs in Strata Cloud Manager and Panorama.

What's New in March 2025

The following new features were released in April 2025.

Natural Language Queries for Access Analyzer

Requires:
  • Prisma Access license
  • ADEM or Strata Cloud Manager Pro license
Natural language queries for Access Analyzer enhances the user experience for administrators by providing a simple interface to construct queries with ease. The new Access Analyzer workflow allows you to select from predefined example questions. The interface includes dynamic placeholders you can modify, streamlining the process of inputting specific values such as usernames, devices, or locations. Ask Access Analyzer queries in Strata Copilot before moving over to the Access Analyzer dashboard to review query logs.
When utilizing this new functionality, you can use the powerful capabilities of Access Analyzer more effectively, enabling faster problem resolution. Coming soon, users will be able to type out the questions fully themselves. This enhancement aims to increase adoption of the tool among administrators.

What's New in February 2025

The following new features were released in February 2025.

Access Analyzer: Identity Provider Visibility

Requires Cloud Identity Engine
ADEM integrates with Cloud Identity Engine (CIE) to solve the challenge of identifying user access blocks caused by identity provider (IdP) restrictions, enhancing your ability to troubleshoot user access issues across your SASE environment.
By integrating Access Analyzer's existing capabilities with CIE's ability to collect application authorization information from IdPs like Azure AD (Entra ID) and Okta, you gain comprehensive visibility into access control. As an IT administrator, you can quickly determine if a user can't access an application due to endpoint, network, or application performance degradations; network policy rules; or IdP blocks.
As part of this integration, you can easily view which user groups lack access to specific applications, identify the IdP vendor imposing restrictions, and log into the IdP to grant user access. This can save you time in root cause analysis, improve your ability to manage access across your organization, and ensure that your users have appropriate access to the applications they need while maintaining security standards.

What's New in December 2024

The following new features were released in December 2024.

Specific SD-WAN Path Monitoring

Requires SD-WAN ION version 6.4.2 or later and ADEM agent 3.4.7 or later
If you had synthetic application tests configured for remote sites before this change, you must check the configuration of those tests to ensure that they continue to run as expected.
For any pre-existing application test for remote sites running ION version 6.4.2 or later:
  1. Edit the configuration of the application test.
  2. Check the value of Remote Sites Test Options > Application Entities.
  3. Ensure that Application Entities matches an application for which you've configured a Prisma SD-WAN path policy rule and that you want to run the application test on that path.
    • If yes, leave as is.
    • If not, set to ANY. Otherwise, the application test will not run.
This does not apply to ION devices running version 6.4.1 or earlier. For those devices, no matter what is specified in Application Entities, the application test will run as expected. However, if you want to upgrade the device, make sure to follow the steps above so that you do not risk test interruption.
If you have configured Prisma SD-WAN path policy rules for your remote sites, you can now specify that your synthetic application tests probe a particular SD-WAN path. This enables you to monitor the paths through which user traffic is actually flowing instead of all possible paths. Monitoring defined paths yields an application experience score that better reflects the real experience of your users so that you can make more informed decisions to improve or maintain application experience in your organization.

What's New in October 2024

The following new features were released in October 2024.

Browser-Based Real User Monitoring (RUM)

Real User Monitoring (RUM) uses a browser plugin to capture live web application performance from the user's perspective. This helps to reveal user experience issues that synthetic tests may not detect so that you can have a more complete understanding of user experience across your organization, take any possible remediation steps, and work to increase user productivity and satisfaction.
RUM Benefits
  • Comprehensive View into User Experience: Gather a new set of metrics to help you understand the full user journey so that you can take the appropriate actions.
  • Enhanced Troubleshooting: View real-time application availability, usability, and the performance of underlying dependencies, such as APIs or microservices, enabling quicker and more accurate troubleshooting.
  • Faster Remediation: Combine RUM metrics with synthetic metrics to detect a wider range of performance degradation issues, identify root causes, and receive recommended remediation steps.

Simplified App Test Configuration

Application tests now use top-level domains or IP addresses instead of App-IDs to make it easier for you to define the targets for your application tests and provide better coverage for an application and its subdomains. Now, when you use a top-level domain as the target of your application test, the test also probes the subdomains so you can identify if any of the subdomains are causing experience issues.

Security Profile Visibility on ADEM Access Analyzer

The Access Analyzer now provides visibility into the security profiles that are blocking the user's access to a resource. This feature addresses the challenge of manually searching through logs to determine if a security policy is the root cause of an issue. When you run a query in Access Analyzer, the multidomain analysis results pinpoint when a security profile blocks or hinders traffic. The query results enable you to filter logs by a specific security profile subtype and enforcement action to get immediate context. This helps you quickly determine if a legitimate real-time threat or a misconfiguration is blocking the user, so you can restore access or escalate the issue.

What's New in September 2024

The following new feature was released in September 2024.

Configure Agent-Based Proxy for ADEM

Learn about the Agent-Based Proxy for ADEM feature and how to configure it. Customers who choose to use Agent-Based Proxy access in Prisma Access require visibility into application access through Agent-Based Proxy as well as the performance of Agent-Based Proxy as an element of Prisma Access' service. With ADEM, Agent-Based Proxy forwards all internet traffic to Prisma Access and allows for customized forwarding beyond the scope of PAC based on:
  • Destination, user or user group, operating system, or location (static branch egress IPs).
  • Branches with dynamic egress IP addresses.
  • Geographic locations within the country.

What's New in July 2024

The following new feature was released in July 2024.

Microsoft Teams Integration with ADEM

The integration of Microsoft Teams meeting metrics with ADEM data provides visibility and root cause analysis to a wide user base, so users can resolve or communicate possible UCaaS performance issues before they affect end-user experience. The Microsoft Teams dashboard data correlates with ADEM synthetic data, giving networking team, UCaaS team, and help desk admins the information they need to troubleshoot Microsoft Teams calls.

What's New in May 2024

The following improvements were released in May 2024.
ADEM Enhancements in the ADEM 5.1.0 Agent
ADEM Agent is now modularized and called Access Experience. Access Experience can be used for multiple features based on the license activated, such as ADEM and App Acceleration. Other enhancements include:
  • An agent out-of-band upgrade.
  • New Access Experience Agent configuration options for GlobalProtect version 6.3 and above:
    • Install—Install the agent on the endpoint.
    • Uninstall—Uninstall the agent from the endpoint.
    • No Action—Retain the last agent state.

What's New in November 2023

The following new features were released in November 2023.
Comprehensive Visualization of Application Performance for a Suite of Applications
With the introduction of this feature, administrators can select a single application test and add all relevant test targets associated with that application to the application test. They can then view application test metrics as an aggregated view of all targets, as well as individual test target performance. Since you can now add multiple test targets to a single application test, you cannot create multiple tests for that same application. Administrators are offered drill-down visibility into each test target. For more information, see Comprehensive Visualization of Application Performance for a Suite of Applications.
ADEM support for FedRAMP High
The Federal Risk and Authorization Management Program (FedRAMP) is a United States government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services for government users. Palo Alto Networks has demonstrated FedRAMP compliance.
To ensure FedRAMP High "In Process" compliance, Prisma SASE FedRAMP High In Process introduces support for additional Prisma SASE apps, add-ons, and certain features.

What's New in September 2023

The following new feature was released in September 2023.
Introducing ADEM APIs
The ADEM APIs provide access to ADEM data for real-time and historical monitoring of user, applications, and sites across your deployment. Each API is illustrated with an example highlighting the lines in the API Response code that correspond to the area in the UI where the data appears. There is an FAQ section in the guide that provides details on the usage of parameters.

What's New in March 2023

The following new feature was released in March 2023.
ADEM Zoom Integration
ADEM has partnered with Zoom to provide the first per-minute root-cause analysis on the market. This helps administrators debug, monitor, and proactively identify the performance issues impacting Zoom users in their organization. To enable this feature, you will need to purchase a Zoom Quality of Service Subscription (QSS) license from Zoom. This integration provides minute-by-minute analysis of all the Zoom calls in a customer's network. See Autonomous DEM Zoom Integration for details on this feature.

What's New in January 2023

The following new feature was released in January 2023.
Prisma Access Locations Dashboard updated
The following changes have been implemented in the Prisma Access Locations dashboard:
  • New widgets have been added to show all Network Performance and Application Performance metrics monitored for all applications from cloud agents.
  • The Map View shows the application distribution data for connected Mobile Users and Remote Sites at that location.
  • The left border of the application distribution pop-up that appears when you hover your mouse cursor over a circle in the Map View is color-coded to represent the overall status, which is the lower of the Mobile Users status and the Remote Sites status.
  • You can filter the data in the dashboard by deployment type.

What’s New in December 2022

The following new feature was released in December 2022.
New Role Available - ADEM Tier 1 Support Role
ADEM provides role-based access control to the IT Administrators. Administrators who log in with ADEM Tier 1 Support role get read-only access to the ADEM application only. Refer to Role-Based Access Control in ADEM for details.

What’s New in October 2022

The following new feature was released in October 2022.
ADEM Self-Serve
ADEM now offers end-user notifications for issues that they can resolve directly. With ADEM Self-Serve, when end users experience issues with application experience, device usage, WiFi, or internet connectivity, they get a notification on their desktop. The notification indicates what the issue is and guides them with one or more possible solutions that they can use to resolve the issue on their own. This enhances user productivity and has the potential to reduce the number of IT tickets. Clicking the notification opens the Application Experience user interface, which provides more details on the issue.
Transition to Prisma SASE Platform
Prisma Access is being transitioned to the Prisma SASE Platform to provide these benefits. As a part of this transition, you may experience a difference in the steps to access Prisma Access.

What’s New in June 2022

The following new feature was released in June 2022.
Support for Selecting Mobile User Groups
When creating synthetic tests, you now have the option to enable the test on an individual Mobile User or on a Mobile User group or both. You can enable tests only on existing groups that are used in security policies. The tests that you enable on a user group will run on all devices that belong to every single user in that group. You cannot select only certain devices on which to run the test. If a user is removed from a user group, the tests will automatically stop running on the user’s devices. When new users are added to a group, the tests will automatically be run on the new user’s device(s). The test results can be filtered by individual Mobile Users or Mobile User groups (only groups currently in test configuration).
The following UI pages have been updated to support this feature:
  • New App Test page approached from the Applications page.
    Under the Source section, for Mobile Users, a new Custom option has been added which allows you to select either a single Mobile User or a Mobile User group or both.
  • A new filter called Mobile User Groups has been added on the following pages:
    • Settings
    • Applications
    • Mobile Users

What’s New in April 2022

The following new feature was released in April 2022.
Mobile User changes
The following UI changes have been made with respect to the Mobile User devices:
  • Summary page
    The widget for Experience Score for Top Monitored Mobile User Devices displays a separate card for each of the User/Device combination along with the device and hostname details.
  • Monitored Mobile Users page
    Monitored Users are now defined as the number of unique User/Device combinations. For example, if 2 users are logged in to 3 devices each, the Devices count will display as 6 and the Users count will display as 2. Likewise, if 2 users are using the same device, the Devices count will display 1 and the Users count will display 2. The Monitored Mobile Users Devices table on the Monitored Mobile Users page displays each User/Device combination as a separate row, so the user name could be duplicated across multiple rows depending on the number of devices the user is logged in to.
  • Mobile User Details page
    In the Monitored Mobile Users Devices table on the Monitored Mobile Users page, when you click on a user who has logged into multiple devices, the ensuing Mobile User Details page lists all devices for the selected user. Each unique User/Device combination is represented in a separate card. You can view the details of only one device at a time by selecting its card. The details in the widgets that follow will be displayed for the device card you select.
Autonomous DEM Agent Installer Available on the CSP
You can now download the Autonomous DEM agent installation package from the Customer Support Portal. This allows you to upgrade your ADEM agent without having to upgrade your GlobalProtect app.
You can deploy the Autonomous DEM agent that you download from the CSP to your endpoints using the same methods you would use to deploy the GlobalProtect app:
  • For Windows endpoints, you can obtain the update by navigating to Software Updates in the Customer Support Portal. Search for GlobalProtect Autonomous DEM for Windows64.
    To deploy the agent to Windows endpoints, use Msiexec or an MDM.
  • For Mac OS X endpoints, you can obtain the update by navigating to Software Updates in the Customer Support Portal. Search for GlobalProtect Autonomous DEM for OS X.
    To deploy the agent to macOS endpoints, use the macOS plist or an MDM.

What’s New in November 2021

The following new feature was released in November 2021.
Support for Remote Sites
ADEM is now natively integrated with Prisma SD-WAN and will deliver exceptional user experience for Palo Alto Networks Prisma SASE. ADEM for Prisma Access together with Prisma SD-WAN provide comprehensive visibility into remote site experience by providing segment wise insights on all WAN paths (active and backup). This helps you quickly isolate the domains and WAN paths that are experiencing degraded experience for remote site users and devices.
View the overall experience score of your remote sites in the Summary tab by selecting the Remote Site Experience card. The Remote Sites dashboard provides experience details for each site.
The Remote Sites Experience card in the Summary tab is visible only if you have purchased the Service Setup license.
For details on this feature, refer to the Remote Sites dashboard.

What’s New in October 2021

The following new features were released in October 2021.
ADEM for Hybrid Workforce
Optimizing User Experience and application performance across hybrid work environments on and off campus.
With Autonomous DEM for Hybrid Workforce, regardless of whether Prisma Access GlobalProtect Mobile Users are connected from an untrusted network or a trusted network, Autonomous DEM will continue to provide User Experience and Application Performance Monitoring.
Autonomous DEM can be enabled when GlobalProtect Clients connect to Prisma Access. Once enabled, it will continue to monitor user experience across hybrid work environments on and off campus.
For more details on this feature, refer to the First Look at Autonomous DEM Dashboards.
Disable All Autonomous DEM Update Notifications
Starting in GlobalProtect version 5.2.8, you have the option to suppress all Autonomous DEM update notifications on the Mobile User devices. See Enable ADEM in Panorama Managed Prisma Access for Mobile Users or Enable ADEM in Cloud Managed Prisma Access for Mobile Users for details.