Strata Cloud Manager
Configuration: Snippets
Use snippets to group configurations that you can quickly push to your firewalls or
deployments.
| Where Can I Use This? | What Do I Need? |
|---|---|
| | Each of these licenses includes access to Strata Cloud Manager: → The features and capabilities available to you in Strata Cloud Manager depend on which license(s) you are using. |
A snippet is a configuration object that can't fit into a hierarchy, or a grouping
of configuration objects, that you can associate with a folder, deployment, or device.
Snippets standardize a common base configuration for a set of firewalls or deployments,
so you can quickly onboard new devices with a known good configuration and reduce the
time required to onboard a new device. For example, when you onboard a new firewall in
a remote branch office, you can associate a set of snippets that contain all of the
required network and policy rule configurations with the folder the new firewall
belongs to. This reduces the time required to set up the firewall to protect the
remote branch office.
Snippet associations have a top-down priority in the event of conflicting object
values. This means that if the first and the last associated snippets have different
values for the same object, the device or deployment inherits the value from the first
snippet. Additionally, all configurations inherited from a snippet can be overridden
at the child folder, deployment, or device level. Rules with duplicate names are not
allowed: validation fails when you create a snippet with the same name in any folder,
or when you associate a snippet with a folder and a snippet with the same name is
already associated.
A snippet can be associated only one time within any folder hierarchy. This means
that a snippet can’t be associated with both a folder and the folder nested under it.
However, you can associate the same snippet with different folders or folders nested
under different folders. Snippets that are already associated with a folder in the
folder hierarchy are grayed out where applicable, so they can’t be used more than once.
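The precedence and association rules above, modeled as an added Python example (not Strata Cloud Manager code or its API). The folder tree, snippet names, and object values are constructed, and a "folder hierarchy" is assumed to mean one root-to-leaf path, so sibling folders can share a snippet.

```python
# Illustrative model of the rules described above; not Strata Cloud Manager's
# API. Folder names, snippet names and object values are constructed.

PARENT = {"All Firewalls": None, "Branches": "All Firewalls",
          "Branch-EU": "Branches", "DataCenters": "All Firewalls"}


def ancestors(folder):
    """Yield the folders above `folder`, nearest first."""
    folder = PARENT[folder]
    while folder is not None:
        yield folder
        folder = PARENT[folder]


def can_associate(snippet, folder, associations):
    """Assumption: a snippet may appear only once on a root-to-leaf path."""
    holders = [f for f, snips in associations.items() if snippet in snips]
    for other in holders:
        if (other == folder or other in ancestors(folder)
                or folder in ancestors(other)):
            return False
    return True


def resolve(ordered_snippets, overrides=()):
    """Return (effective, shadowed) for one scope.

    ordered_snippets: (name, {object: value}) pairs in association order;
    the first snippet that defines an object wins.
    overrides: dicts set at child folder, deployment or device level,
    outermost first; each one replaces the inherited value.
    """
    effective, shadowed = {}, []
    for name, objects in ordered_snippets:
        for obj, value in objects.items():
            if obj not in effective:
                effective[obj] = (value, name)
            elif effective[obj][0] != value:
                # A later snippet disagrees; its value never reaches the device.
                shadowed.append((obj, name, value))
    for level in overrides:
        for obj, value in level.items():
            effective[obj] = (value, "override")
    return effective, shadowed


# Constructed sample data.
ASSOCIATIONS = {"Branches": ["Base-Net", "Branch-Policy"]}
SNIPPETS = [
    ("Base-Net", {"dns-primary": "10.0.0.53", "ntp": "10.0.0.123"}),
    ("Branch-Policy", {"dns-primary": "10.9.9.53", "log-profile": "default"}),
]
```

The `shadowed` list is the part worth reviewing before a push: it names each snippet value that loses to an earlier association and therefore never takes effect.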
Snippet Classification
- Predefined: These read-only snippets are maintained by Palo Alto Networks and available through the Snippet Library tab. You opt in to add them to your configuration and opt out to remove them. When a newer version is available, you can update the snippet in place.
- Local: These editable snippets are created within the tenant and aren't shared with other subscriber tenants. Local snippets can be shared. After you share a local snippet, it changes to a Published snippet.
- Published: Trusted subscriber tenants have access to these shared snippets, which can't be deleted, but can be cloned and updated.
- Subscribed: These snippets, shared by the publisher tenant, can be cloned by users but can't be edited.
Cross-Scope References Using Snippets
This feature allows you to reference any common configurations or objects attached to
a global scope and push them to Prisma Access and NGFW firewalls. These shared objects
and configurations within the global scope are available to all the snippets. A
snippet associated with the global scope is considered a global snippet. Objects
defined within snippets attached to the global scope can be referenced across
any snippets in the configuration.
For example, you can create a snippet named Global Variable to consolidate variables
and attach it to a Global scope. This ensures easy referencing and availability
across all other snippets in the configuration. Similarly, you can effectively
manage custom URL categories for access policy rules, threat prevention profiles,
zones, addresses, and other objects representing standard network segments.
Predefined Snippets
Strata Cloud Manager provides the following predefined snippets that you can use to
quickly deploy common configurations. You can opt in to a predefined snippet from
the Snippet Library tab.
| Snippet | Configured Objects |
|---|---|
| AIRS-Best-Practice | Snippet for recommended best practice configuration for AI Runtime Security. |
| AIRS-SLR-AWS-Default | Snippet for default AI Runtime Security configuration for AWS deployments. |
| Application-Tagging | Predefined snippet associated with the global scope that stores all application classification and tag data across Strata Cloud Manager. Used by the Application Catalog to manage classifications and tags. |
| Auto-VPN-Default-Snippet | Snippet for default configuration required for Auto VPN (Read Only). |
| AWS-VM-Dual-Arm-Default | Snippet for default configuration for dual-arm VM-Series deployments on AWS. |
| AWS-VM-MCN-Default | Snippet for default configuration for VM-Series MCN deployments on AWS. |
| AWS-VM-Single-Arm-Default | Snippet for default configuration for single-arm VM-Series deployments on AWS. |
| Azure-VM-Default | Snippet for default configuration for VM-Series deployments on Azure. |
| Azure-VM-MCN-Default | Snippet for default configuration for VM-Series MCN deployments on Azure. |
| DNS-Best-Practice | Snippet for recommended best practice configuration for DNS Security. |
| Explicit-Proxy-Best-Practice | Snippet for recommended configuration for Explicit Proxy. |
| GCP-VM-Default | Snippet for default configuration for VM-Series deployments on Google Cloud Platform. |
| Gen-AI-Best-Practice | Snippet for recommended best practice configuration for securing GenAI applications. |
| Global-Default | Snippet for global default configuration settings. |
| GlobalProtect-Default | Snippet for default GlobalProtect configuration settings. |
| HiP-Default | Snippet for default Host Information Profile configuration. |
| Internet-Access-Best-Practice | Snippet for recommended best practice configuration for Internet Access policies. |
| Internet-Security-Default | Snippet for default Internet Security configuration settings. |
| O365-Best-Practice | Snippet for recommended configuration to safely enable Office 365. |
| Recommended-Best-Practice | Snippet for recommended security best practice configuration rules. |
| SaaS-Enterprise-Controls | Snippet for configuring tenant restrictions for Enterprise access to well known SaaS applications. |
| SAAS-Inline-Pol-Recommendation | Snippet for policy recommendations for SaaS Inline security. |
| VM-HSF-Cluster-Azure-Default | Snippet for default configuration for VM-Series HSF cluster deployments on Azure. |
| VM-HSF-Cluster-Default | Snippet for default configuration for VM-Series HSF cluster deployments. |
| ZTP-Default | Snippet for the default configuration required for Zero Touch Provisioning. |
| ZTP-Default-Cellular | Snippet for the default Zero Touch Provisioning configuration for cellular connectivity. |
| ZTP-Default-Ethernet-Cellular | Snippet for the default Zero Touch Provisioning configuration for ethernet and cellular connectivity. |
Create a Snippet
Create a local snippet to define a common base configuration that you
can apply to multiple folders, deployments, or devices. After you create
a snippet, you associate it with a folder to push the configuration to those targets.
1. Log in to Strata Cloud Manager.
2. Click Snippet Management in the Configuration Scope panel.
3. Click Add Snippet on the Snippets tab.
4. Enter a descriptive Name for the snippet.
5. (Optional) Provide a Description.
6. (Optional) Assign one or more Labels. Select existing labels or create a new one by typing the desired label.
7. Click Create. The snippet is created and appears under Local snippets in the Configuration Scope. You can now configure the snippet by navigating to its scope.
8. Push Config to push your configuration changes to your network.
Publish a Snippet to Subscriber Tenants
Share a local snippet with other tenants by publishing it to subscriber tenants. After publishing, subscriber tenants can access the shared snippet in their configuration. You can control whether subscribers can delete the snippet when it is disassociated.
1. Log in to Strata Cloud Manager.
2. Select Configuration > NGFW and Prisma Access > Overview and click Snippet Management in the Configuration Scope panel.
3. Select the local snippet you want to publish to open its Overview.
4. Click Add Subscriber.
5. Select the Tenant Name and click Save.
6. (Optional) Click the Tenant Name link to edit subscriber tenant properties. The Do not delete from subscriber tenant option is enabled by default:
   - When enabled, snippets can’t be deleted from the subscriber, even without associations.
   - When disabled, snippets without folder associations can be deleted from the subscriber.
   Save your changes.
7. Select the Tenant Name and click Publish. (Optional) Choose Validate before update for a pre-update validation check on the subscriber before applying changes. If the validation fails, an error message appears. If the validation succeeds, the publisher request is sent to the subscriber.
8. Verify the Status column shows Snippet Successfully Published to Subscriber Tenant. The published snippet appears under Subscribed on the subscriber tenant. Use the refresh icon if the subscribed snippet doesn’t appear immediately.
Modify a Snippet
Modify your snippet configurations, details, and associations. Custom snippets no longer associated with a folder, deployment, or device can be deleted.
1. Log in to Strata Cloud Manager.
2. Select Configuration > NGFW and Prisma Access > Overview and click Snippet Management in the Configuration Scope panel.
3. Locate the snippet you want to modify on the Snippets tab. Snippets are organized by type (Predefined, Local, Published, Subscribed) with columns for Name, Used in, and Labels.
4. (Optional) Click the three-dot menu for the snippet and choose Edit to modify the Name, Description, or to change or assign additional Labels.
5. Click the three-dot menu and choose Associate with Folder to associate the snippet with a different folder, deployment, or device or to associate the snippet with additional folders, deployments, or devices. Select the folders or devices from the config tree and click Save.
6. Make any changes to the snippet configuration as needed.
7. Push Config.
Delete a Snippet
Delete your custom snippets to keep your configurations organized. A snippet must not be associated with any firewalls, folders, or deployments before it can be deleted. To remove a predefined snippet, opt out instead.
1. Log in to Strata Cloud Manager.
2. Select Configuration > NGFW and Prisma Access > Overview and click Snippet Management in the Configuration Scope panel.
3. Click the three vertical dots of the custom snippet you want to delete.
4. Delete the snippet. Snippets currently associated with folders, deployments, or devices can't be deleted. First edit the Snippet Associations to remove all existing associations; the snippet can then be deleted.
Clone a Snippet
If you want to use an existing snippet as a template for a new snippet, you can easily clone it so you do not have to configure a new object. Cloned snippets are not associated with any devices, folders, or deployments, allowing you to customize them freely without having to disassociate them before you begin your configurations.
1. Log in to Strata Cloud Manager.
2. Select Configuration > NGFW and Prisma Access > Overview and click Snippet Management in the Configuration Scope panel.
3. Click the three vertical dots of the custom snippet you want to clone.
4. Clone the snippet.
   - (Optional) Give the cloned snippet a new name.
Share a Snippet Configuration
This feature provides a unique and flexible method for sharing common configurations across tenants, including in a multitenant environment. You can save and manage various configurations as snippets, easily sharing them across tenants under a customer account. This capability provides considerable flexibility and control in managing shared configurations across different tenant environments.
Additionally, this feature supports centralizing configuration management for common scenarios among tenants and overseeing global configurations within a multibusiness unit setup.
In this framework, the publisher tenant shares snippets with the subscriber tenant, while the subscriber tenant receives snippets from the publisher tenant.
1. Log in to Strata Cloud Manager.
2. On the publisher tenant, select Configuration > NGFW and Prisma Access > Overview, and select the Global configuration scope.
3. Establish Trust Between the Tenants: Establish a connection between the subscriber and publisher tenants to enable the sharing of snippets.
   - Click Subscriber Tenant under Trusted Tenants for Snippet Sharing.
   - Add Subscriber Tenant.
   - Enter the TSG ID to add as a subscriber tenant, and Check TSG ID. This check helps prevent attacks based on randomly generated or serialized TSG IDs. Upon successful validation, a confirmation message indicates that the TSG ID has been verified.
   - Next: Generate Pre Shared Key. Copy the generated PSK. You will enter this PSK when validating the publisher tenant in step 4.
4. Go to the subscriber tenant, select Configuration > NGFW and Prisma Access > Overview, and set the configuration scope to Global.
   - The Publisher Tenants status under Trusted Tenants for Snippet Sharing shows as Pending.
   - Click Publisher Tenants and Enter Pre Shared Key generated in the previous step, and Validate the subscriber tenant. After successful validation, a message confirms the tenant as trusted, establishing trust between the subscriber and publisher tenants.
5. Publish a Snippet to a subscriber tenant.
   - Create and associate the snippet with a folder. Newly created snippets are available under Local snippets.
     - The Overview tab shows snippet details such as name, description, creation time (when the snippet was loaded on the subscriber side), last updated time, and label details. Creation time on Subscriber also reflects the same time as that of Publisher. It denotes the time when the snippet was created.
     - The Subscriber Tenants tab shows the tenant name, published version on the tenant, last published date, and publish status.
     - Click Published Version to review configuration changes.
     - Before publishing a snippet to a tenant, Add Subscriber and Save it.
     - The Version Snapshots gives a history of your snippet configuration. In this screen, you can compare configuration snapshots with your candidate configuration, and Save Version Snapshot or Load an earlier configuration snapshot as your candidate. Click the Version number to view the configuration differences.
     - The Audit History provides an audit trail of all actions initiated by the administrator. It logs details such as the published version number, changes made, the owner of the change, the date and time of the change, and specifics of the change.
   - On the Subscriber Tenant tab, select the tenant name and Publish. This sends a publish request to the subscriber tenant. The Status column indicates Snippet Successfully published to subscriber, and the snippet is available under Published snippets.
6. Verify on the subscriber tenant.
   - Click Snippet Management in the Configuration Scope panel, and select the snippet under Subscribed snippets.
   - You're redirected to the snippet Overview, which shows details such as the publisher tenant's name, description, TSG ID, snippet creation time, last updated time, labels, and pause update details. With pause update enabled, you have the option to Validate Before Update on Publisher before loading the latest version.
7. Delete the trust. Subscribed snippets associated with folders or firewalls can only be cloned and can't be deleted. With snippet sharing hardening, you can select how to manage the deletion of snippets on the subscriber. While adding a subscriber tenant, you can select or clear "Do Not Delete", which applies when the snippet has no associations. If a subscribed snippet has associations, it is not deleted even with "Do Not Delete" disabled.
   - Go to the subscriber or publisher tenant.
   - Click Subscriber Tenant under Trusted Tenants for Snippet Sharing.
   - Select the Tenant Name, and Delete Trust.
   After you delete the trust, the snippet is no longer associated with the firewall or folder and becomes a local snippet.
Convert Local NGFW Configurations to Reusable Snippets
Maintaining consistent configurations across multiple NGFWs often requires manual effort and risks configuration drift. Strata Cloud Manager simplifies the migration of locally created NGFW configurations into reusable, shared configuration snippets. The conversion process transforms device-level configurations into a reusable snippet format that you can import and reuse across your NGFW deployment.
This feature automatically handles complex interface configurations, including tunnel, VLANs, loopback, Ethernet, and aggregate Ethernet interfaces, along with their associated subinterfaces. For each interface type, Strata Cloud Manager creates appropriate object variables that maintain the relationships between parent interfaces and subinterfaces.
By converting local configurations to centrally managed snippets, you gain immediate benefits in consistency, scale, and operational efficiency. You can review a detailed pre-conversion report showing successfully converted objects and those automatically pruned due to incompatibility with centralized management. This ensures full transparency before saving the snippet, facilitating consistent, synchronized configuration deployment across your entire network. This capability accelerates operational efficiency and strengthens your overall security posture.
1. Log in to Strata Cloud Manager.
2. Select Configuration > NGFW and Prisma Access > Overview and expand the Configuration Scope.
3. Select the device whose local configuration you want to convert. You're redirected to the Overview page. You cannot configure policies and objects in device scope by default. To configure them, enable Device Scope Configuration.
4. On the Overview page, under Configuration Snippets, select Convert local configs to snippet.
5. Review the detailed report showing the Pruned and Converted configuration objects.
6. Enter a Snippet Name.
7. Provide and confirm your Master Key.
8. Save.
9. Return to the Snippets tab in Folder & Snippet Management to view your snippet. Newly created snippets appear under Local snippets. After publishing, they move to Published snippets.