Insights: Compliance Center

Compliance Center in Strata Cloud Manager enables you to automate the monitoring of compliance and manage security frameworks across your deployments.
Where Can I Use This?
  • NGFW
  • Prisma® Access
What Do I Need?
  • Strata Cloud Manager Pro
  • Panorama® CloudConnector Plugin 3.0.0 for Panorama managed deployments
  • Traffic logs in Strata Logging Service
Compliance Center in Strata Cloud Manager offers continuous, automated compliance monitoring and framework management across your deployments. It provides a unified view, allowing you to assess your network security posture against various security standards, such as NIST CSF 2.0, as well as your internal policies.
Here are the key features of Compliance Center:
  • Framework Management - Compliance Center enables you to create, modify, and manage compliance frameworks. This includes defining control hierarchies, adding controls and sub-controls, organizing leaf-level controls into optional groups, and associating specific security checks.
  • Benchmarking - Involves calculating your organization's overall compliance rate against a selected framework. This feature allows you to compare your compliance against industry peers for predefined checks, providing context on your security posture. Benchmarking requires a framework to be in an active state.
  • Remediation Workflow - Compliance Center provides a structured workflow for remediation when configurations are found to be non-compliant. Failed checks generate incidents that include remediation playbooks and evidence, which show the exact failing configuration and its UI path. Incidents provide direct links to the relevant configuration UI within Strata Cloud Manager, Panorama, or the Next-Generation Firewalls (NGFWs) local configuration for corrections.
Compliance Center derives insights from NGFW and Prisma Access configurations by analyzing configurations collected via telemetry, through the Panorama CloudConnector plugin, or directly from Strata Cloud Manager's configuration manager. Configurations are sent via device telemetry once a day, the CloudConnector plugin for Panorama sends the configuration during each local commit, and the Strata Cloud Manager configuration is processed once every 3 minutes.

Onboard and Utilize Compliance Center for Automated Compliance Monitoring

  1. Select Insights > Posture > Compliance Center in your Strata Cloud Manager tenant. If this is your first time accessing the Compliance Center, select Get Started to enter the marketplace.
  2. Select an industry framework, for example, NIST or PCI DSS, then Benchmark to calculate your organization's compliance rate.
    The Compliance Marketplace displays various industry frameworks, including Essential Eight, PCI DSS v4.0.1, CIS CSC v8.1, and NIST CSF 2.0. This step establishes a baseline for your security posture, evaluating current configurations against the chosen industry standard. It provides an immediate compliance score and, if available, an industry average for comparison.
  3. Click View on a benchmarked framework to see a comprehensive overview of your current compliance status.
    This page becomes the default view the next time you open the Compliance Center.
  4. Each framework tile has an action menu, which provides the below options:
    • Clone Framework - Creates an editable copy of the selected framework. This option requires RBAC write access.
    • Stop Benchmark - Allows you to stop benchmarking a framework and remove it from your framework list. This option is available with RBAC write access.
    • View Framework - Displays a read-only version of the framework wizard, where you can see the framework details, the control hierarchy, the group configuration, and the mapping of checks (recommendations) to controls. This option requires RBAC read access.
    • View Description - Displays the text description of the framework provided by the source organization. This option is available with RBAC read access.
  5. Review the Compliance Center dashboard, which offers a high-level overview of your organization's compliance posture across various metrics:
    1. Overall Compliance rates for NGFW and Prisma Access.
    2. Configurations assessed statistics, including:
      • Checks — The number of posture recommendation checks run.
      • Assessments — The number of checks multiplied by the number of configuration objects they are run against.
      • Exceptions — Both total and expiring exceptions.
    3. Compliance Trend graph, visualizing compliance over time.
    4. Compliance Controls grid, listing top-level controls with severity levels (Critical, High, Warning, Informational) and pass or fail totals. Your benchmarked frameworks, such as NIST 800-53 r5 and NIST CSF 2.0, appear on the left. Selecting a framework reorients the entire page to that framework.
  6. (Optional) Use the product filter to toggle the dashboard view between Prisma Access and NGFW.
    This updates every widget on the page to give a product-centric view of the compliance data for targeted analysis.
  7. (Optional) Click the Download, Share, or Schedule icons to obtain the PDF report for the chosen compliance framework.
    This functionality enables you to generate detailed reports for offline analysis, sharing with auditors or stakeholders, and for scheduling regular compliance reviews. These reports provide a detailed, product-by-product analysis of every control. You can view and edit scheduled reports under Reports in Strata Cloud Manager.

Create a Custom Compliance Framework

This procedure guides you through creating a custom compliance framework in Strata Cloud Manager's Compliance Center, allowing you to define and monitor adherence to your organization's specific security standards.
  1. Select Insights > Posture > Compliance Center in your Strata Cloud Manager tenant. If this is your first time accessing the Compliance Center, select Get Started to enter the marketplace.
  2. Initiate custom framework creation. The Compliance Center offers multiple starting points for framework creation, catering to different needs. Choose the one that best fits your needs:
    • Clone an existing framework.
      1. Locate an existing framework tile.
      2. Select the action menu (three vertical dots) on the framework tile, then Clone Framework. This creates an editable copy for modifications. See Manually Add or Edit Custom Framework.
    • Add a custom framework using the Add Benchmark menu.
      1. Select Add Benchmark menu from the top-left of the landing page and select Add Custom Compliance.
      2. From the modal, choose one of the following paths:
        • Upload CSV (Download Template): Download the provided CSV template to create a custom framework. Copy the details of your desired framework into this template to populate it. After filling out the template, upload the CSV file, ensuring it is under 4 GB and exactly matches the template's structure. Once you successfully create the framework, you can use the custom framework wizard to link relevant checks to the leaf level controls.
        • Choose an existing framework: Select an existing framework to clone. This is an alternative way to clone an existing framework.
        • Manual Creation: Launch the framework management wizard to build a framework step-by-step manually. See Manually Add or Edit Custom Framework.

Manually Add or Edit Custom Framework

Use the Add Custom Framework wizard to define your compliance framework, including its hierarchical structure and associated security checks.
  1. Select Insights > Posture > Compliance Center in your Strata Cloud Manager tenant.
  2. Select the Add Benchmark menu from the top-left of the landing page and select Add Custom Compliance.
  3. Choose the Manual Creation path to launch the framework management wizard and build a framework.
  4. Create Control Hierarchy. This step establishes the foundational structure of your framework.
    Select Edit framework details to update the name, source, URL, or logo. To keep assessments consistent, you cannot change the hierarchy levels of a framework that is already in use, and you cannot edit the hierarchy details once the framework has controls, sub-controls, and check associations.
    Define hierarchy levels (for example, Control and Sub-control). Labels are customizable to match your specific standard (for example, Function, Category, Subcategory for NIST CSF, or Control and Safeguard for CIS CSC). Select a control to open the side panel and update its metadata.
    Click Save Changes at any time to save all changes you have made to the framework. You will be prompted with a confirmation modal, where you will be asked to provide a revision number and release note before confirming you want to save the changes. By default, the Sync saved changes to be benchmarked check box is checked. This will auto-deploy the changes you have made. If you wish to make more changes before deploying them to the assessed framework, uncheck that box before clicking Confirm.
    Click Next.
  5. Add Controls.
    Click Add Control to add the parent control. Select the plus sign (+) on the far right of a parent control to add a sub-control, up to the defined hierarchy levels. You will only be able to add as many control levels as you described in the previous step. Select a control to open the side panel and update its metadata.
  6. Select Add Groups (optional). Grouping helps organize leaf-level controls for better manageability and reporting.
    Groups filter leaf-level controls in the framework hierarchy. For example, CIS CSC uses "Implementation Groups" 1-3; these groupings guide users through the framework's maturity levels, starting with IG1 and moving through IG3. Groups are optional, but if you want to use them, click Edit Group Details to start. Add the name and description of the group in the Details side panel, and then click Add group-name (the button carries the name you entered). To associate configuration hierarchy levels with the selected group, click the checkbox next to each control level you want to associate with it.
    To add more groups, click Add Group, then select the new group to edit its associated details and assign it to parts of the configuration hierarchy.
    Click Next.
  7. Associate Recommendations to associate security and custom recommendations to relevant defined leaf controls, enabling automated assessment.
    Select a leaf control from your hierarchy to associate with checks or recommendations. The inventory table displays all checks, including both predefined (best practices) and custom checks. Use the search box or drop-down filters to filter the checks table and find the check you need. When you find the check you want to associate with the selected control, click the toggle switch in the Associated column.
  8. Save Changes and optionally deploy the framework. Saving finalizes your framework, and deployment makes it active for benchmarking and continuous monitoring.
    1. Enter a Revision number and Release notes.
    2. To immediately deploy the framework for benchmarking, ensure the Sync saved changes box is checked.
    3. To save without immediate deployment, uncheck the Sync saved changes box before confirming.
    4. Confirm.
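The wizard rules above (a fixed number of hierarchy levels, checks associated only with leaf controls, groups that filter leaf controls, levels frozen once controls exist, and a revision with release notes on save) are easier to reason about as a small data model. The following is an added example written for this page, not Palo Alto Networks code and not the product's data model or CSV template; the control ids, titles, group names and check id are constructed, and the exact rules enforced are my reading of the steps above.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Control:
    control_id: str
    title: str
    level: int                      # 0 = top hierarchy level
    parent: Optional[str] = None
    children: List[str] = field(default_factory=list)
    checks: List[str] = field(default_factory=list)   # associated check ids (leaf controls only)


@dataclass
class Framework:
    name: str
    levels: List[str]               # hierarchy labels, e.g. ["Control", "Safeguard"]
    controls: Dict[str, Control] = field(default_factory=dict)
    groups: Dict[str, Set[str]] = field(default_factory=dict)  # group name -> leaf control ids
    revisions: List[dict] = field(default_factory=list)

    def set_levels(self, levels: List[str]) -> None:
        """Hierarchy levels can only be changed while the framework has no controls."""
        if self.controls:
            raise ValueError("hierarchy levels are locked: framework already has controls")
        self.levels = list(levels)

    def add_control(self, control_id: str, title: str, parent: Optional[str] = None) -> Control:
        """Add a control or sub-control; depth is capped by the number of defined levels."""
        level = 0 if parent is None else self.controls[parent].level + 1
        if level >= len(self.levels):
            raise ValueError(f"{control_id}: exceeds the {len(self.levels)} defined hierarchy levels")
        ctl = Control(control_id, title, level, parent)
        self.controls[control_id] = ctl
        if parent is not None:
            self.controls[parent].children.append(control_id)
        return ctl

    def is_leaf(self, control_id: str) -> bool:
        return not self.controls[control_id].children

    def associate_check(self, control_id: str, check_id: str) -> None:
        """Checks may be associated with leaf controls only."""
        if not self.is_leaf(control_id):
            raise ValueError(f"{control_id} is not a leaf control")
        self.controls[control_id].checks.append(check_id)

    def leaf_controls(self, group: Optional[str] = None) -> List[str]:
        """All leaf controls, optionally filtered to the members of one group."""
        leaves = [cid for cid in self.controls if self.is_leaf(cid)]
        if group is None:
            return leaves
        return [cid for cid in leaves if cid in self.groups[group]]

    def save(self, revision: str, release_notes: str, sync: bool = True) -> dict:
        """Record a revision; sync=True mirrors the 'Sync saved changes' box (deploy now)."""
        entry = {"revision": revision, "release_notes": release_notes, "synced": sync}
        self.revisions.append(entry)
        return entry


def build_sample() -> Framework:
    """Constructed two-level framework in the CIS CSC style (Control / Safeguard)."""
    fw = Framework("Sample framework", ["Control", "Safeguard"])
    fw.add_control("1", "Asset inventory")
    fw.add_control("1.1", "Maintain an asset inventory", parent="1")
    fw.add_control("1.2", "Handle unauthorized assets", parent="1")
    fw.add_control("2", "Software inventory")
    fw.add_control("2.1", "Maintain a software inventory", parent="2")
    fw.groups["IG1"] = {"1.1", "2.1"}
    fw.groups["IG2"] = {"1.1", "1.2", "2.1"}
    fw.associate_check("1.1", "example-asset-inventory-check")   # hypothetical check id
    return fw


def rejected_operations(fw: Framework) -> List[str]:
    """Try the operations the wizard blocks and return the reason each was refused."""
    attempts = [
        lambda: fw.add_control("1.1.1", "Too deep", parent="1.1"),       # third level, only two defined
        lambda: fw.associate_check("1", "check-on-parent"),              # parent, not leaf
        lambda: fw.set_levels(["Function", "Category", "Subcategory"]),  # levels locked
    ]
    reasons = []
    for op in attempts:
        try:
            op()
        except ValueError as exc:
            reasons.append(str(exc))
    return reasons


if __name__ == "__main__":
    sample = build_sample()
    print("leaf controls:", sample.leaf_controls())
    print("IG1 leaf controls:", sample.leaf_controls("IG1"))
    print("refused:", rejected_operations(sample))
    print(sample.save("1.0", "initial revision", sync=False))
```

Each refused operation raises before mutating anything, so a failed attempt leaves the framework exactly as it was, which is the property you want before a revision is saved and synced for benchmarking.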

Remediate Non-Compliant Configurations

This procedure describes how to address non-compliant configurations identified by the Compliance Center, including accessing remediation playbooks and creating exceptions.
  1. From the Compliance Center landing page, select View in the Compliance widget.
  2. Locate a failed assessment. The assessment page lists every assessment that the Compliance Center runs against your deployment. You can filter by status, severity, object name, or block change actions.
    Assessments are grouped by recommendation; expand a row to see object name, configuration location, and product. You can download this filtered view in a CSV file.
  3. Review the assessment statistics in the Controls widget showing Compliance Rate, Failed Assessments, and a chart showing the severity of assessed checks.
    You can use Change to further filter the table of assessments based on some aspect of the selected compliance framework. All stats in this widget will update after you Apply any framework level filters.
  4. Review the Exceptions Breakdown widget for a detailed view of exception statistics, including the Total Exceptions, Expiring Exceptions, and a chart showing the severity distribution of the checks for which exceptions were created.
  5. Expand a row in the Checks table to see the specific object name, config location, and product for failed assessments.
    You can also download this entire filtered view as a CSV file for offline analysis.
  6. Select Remediate for a failed assessment.
    This action takes you to the incident detail page, which provides comprehensive information and guidance necessary for addressing the non-compliant configuration.
  7. Review the following sections in the incident details:
    1. Standard incident info along with description.
    2. Remediation playbook for corrective steps.
    3. Evidence to identify the incorrect configuration and its path in the web interface.
    4. Activity log that consolidates all pertinent information required to understand, diagnose, and resolve the compliance incident effectively.
  8. Select Go to Configuration in the REMEDIATION PLAYBOOK to apply the necessary changes.
    This provides a direct link to the relevant configuration interface in Strata Cloud Manager, greatly simplifying the remediation process. For configurations managed by Panorama or NGFW, the link opens the manager web UI in a new tab; you must then follow the instructions in the incident details to find and modify the object configuration.
  9. Select View Incident Setting from the Action menu to create scope-based or global exceptions that prevent recommendations or Posture Checks from continuously flagging as non-compliant—for instance, if a check is not applicable or if the configuration is intentionally non-standard.
    The Compliance Center respects these exceptions, and the assessed recommendation or Posture Check will be removed from all compliance calculations. For more information, see Custom Posture Check.
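The dashboard figures described earlier (Checks, Assessments as checks multiplied by configuration objects, per-product compliance rates, the controls grid with pass/fail totals and severity, the exceptions breakdown) and the rule in the last step that an excepted recommendation is removed from all compliance calculations can be reproduced with a few functions. The following is an added example written for this page, not Palo Alto Networks code; the configuration objects, check definitions, check ids, exception records and the 30-day "expiring" window are all constructed assumptions, and the scoring is my own simplified model of the metrics, not the product's implementation.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Tuple

SEVERITIES = ("Critical", "High", "Warning", "Informational")   # most to least severe


@dataclass(frozen=True)
class Assessment:
    check_id: str
    control: str        # top-level control the check is associated with
    severity: str
    product: str        # "NGFW" or "Prisma Access"
    object_name: str
    passed: bool


@dataclass(frozen=True)
class PostureException:
    check_id: str
    object_name: Optional[str]   # None = global exception, otherwise scope-based
    expires: date


# Hypothetical check definition: check_id -> (control, severity, predicate over one config object)
Check = Tuple[str, str, Callable[[dict], bool]]


def run_checks(checks: Dict[str, Check], objects: List[dict]) -> List[Assessment]:
    """One assessment per (check, object) pair, so assessments = checks x objects."""
    return [
        Assessment(cid, control, sev, obj["product"], obj["name"], bool(predicate(obj)))
        for cid, (control, sev, predicate) in checks.items()
        for obj in objects
    ]


def active_exceptions(exceptions: List[PostureException], today: date) -> List[PostureException]:
    return [e for e in exceptions if e.expires >= today]


def apply_exceptions(assessments, exceptions, today):
    """Drop every assessment covered by an unexpired global or scoped exception."""
    active = active_exceptions(exceptions, today)

    def excepted(a: Assessment) -> bool:
        return any(e.check_id == a.check_id and e.object_name in (None, a.object_name) for e in active)

    return [a for a in assessments if not excepted(a)]


def compliance_rate(assessments, product: Optional[str] = None) -> Optional[float]:
    """Percentage of passing assessments, optionally restricted to one product (None if nothing assessed)."""
    pool = [a for a in assessments if product is None or a.product == product]
    if not pool:
        return None
    return round(100.0 * sum(a.passed for a in pool) / len(pool), 1)


def controls_grid(assessments) -> Dict[str, dict]:
    """Pass/fail totals per top-level control plus the worst severity among its failing checks."""
    grid: Dict[str, dict] = {}
    for a in assessments:
        row = grid.setdefault(a.control, {"pass": 0, "fail": 0, "severity": None})
        row["pass" if a.passed else "fail"] += 1
        if not a.passed and (row["severity"] is None
                             or SEVERITIES.index(a.severity) < SEVERITIES.index(row["severity"])):
            row["severity"] = a.severity
    return grid


def exceptions_breakdown(exceptions, today: date, window_days: int = 30) -> dict:
    """Total unexpired exceptions and those expiring within the window (window is an assumption)."""
    active = active_exceptions(exceptions, today)
    cutoff = today + timedelta(days=window_days)
    return {"total": len(active), "expiring": sum(1 for e in active if e.expires <= cutoff)}


# ---- constructed sample data (not from any real tenant) ----
TODAY = date(2025, 1, 15)
OBJECTS = [
    {"name": "fw-1", "product": "NGFW", "log_forwarding": True, "admin_lockout_attempts": 5},
    {"name": "fw-2", "product": "NGFW", "log_forwarding": False, "admin_lockout_attempts": 0},
    {"name": "pa-1", "product": "Prisma Access", "log_forwarding": True, "admin_lockout_attempts": 0},
]
CHECKS: Dict[str, Check] = {
    "log-forwarding-enabled": ("Logging", "High", lambda o: o["log_forwarding"]),
    "admin-lockout-configured": ("Access Control", "Critical", lambda o: o["admin_lockout_attempts"] > 0),
}
EXCEPTIONS = [
    PostureException("admin-lockout-configured", "pa-1", TODAY + timedelta(days=10)),  # scoped, active
    PostureException("log-forwarding-enabled", None, TODAY - timedelta(days=1)),       # global, expired
]


def dashboard(today: date = TODAY) -> dict:
    """Assemble the dashboard figures from raw assessments with exceptions applied."""
    raw = run_checks(CHECKS, OBJECTS)
    effective = apply_exceptions(raw, EXCEPTIONS, today)
    return {
        "checks": len(CHECKS),
        "assessments": len(raw),
        "overall": compliance_rate(effective),
        "ngfw": compliance_rate(effective, "NGFW"),
        "prisma_access": compliance_rate(effective, "Prisma Access"),
        "controls": controls_grid(effective),
        "exceptions": exceptions_breakdown(EXCEPTIONS, today),
    }


if __name__ == "__main__":
    for key, value in dashboard().items():
        print(f"{key}: {value}")
```

With the sample data, 2 checks against 3 objects give 6 assessments; the expired global exception has no effect, while the scoped one removes pa-1's failing lockout assessment, lifting the overall rate from 50.0 to 60.0 percent. That is the practical caution behind the last step: an exception changes the score without changing the configuration, so expiring exceptions deserve review rather than renewal by habit.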