
New Features - Strata Cloud Manager - August 2025


Centralized Firewall Management

Release Date: August 2025 | Last Updated: May 2026

You can now deploy and manage VM-Series firewalls directly from Strata Cloud Manager, which streamlines the deployment and monitoring of your entire security infrastructure from a single, unified interface. This centralized dashboard within Strata Cloud Manager consolidates threats detected by both VM-Series firewalls and Prisma AIRS AI Runtime: Network Intercept, giving you a unified view of your security operations.

You can also use the same streamlined workflow to deploy a VM-Series firewall as you would for other cloud assets. This capability helps you to accelerate your deployment processes and ensures consistent protection. Enhanced application details provide clear insights into network traffic flow paths, showing which firewall platform protects each application and displaying the firewall serial number and type (VM-Series or Prisma AIRS AI Runtime: Network Intercept).

Custom Defined Application Settings

Release Date: August 2025 | Last Updated: May 2026

Strata Cloud Manager now lets you customize predefined local and cloud-based applications. For each application, you can modify the TCP Timeout, TCP Half Closed, TCP Time Wait, and Risk values to better fit your organization's network security requirements.

Hardware Security Module

Release Date: August 2025 | Last Updated: May 2026

You can now set up a Hardware Security Module (HSM) to generate, store, and manage digital keys through Strata Cloud Manager. An HSM is a physical appliance that, once connected, provides both physical and logical protection of these cryptographic keys. Using the management options in Strata Cloud Manager, you can specify HSM servers that use one or more of the following providers: SafeNet Network, nCipher nShield Connect, or Thales CipherTrust Manager.

Log Forwarding Card (LFC) Support

Release Date: August 2025 | Last Updated: May 2026

You can now configure a PA-7000 Series Firewall Log Forwarding Card (LFC) using Strata Cloud Manager. The LFC is a physical, high-performance slot card that forwards all dataplane logs from the firewall to an external logging system. Once installed, you can choose to configure either interface LFC 1/1 or interface LFC 1/9, as well as IPv4 or IPv6 settings, depending on your deployment needs.

Policy Application Dependency Management

Release Date: August 2025 | Last Updated: May 2026

Strata Cloud Manager (SCM) now lets you view all dependent applications associated with a selected application while creating Security Policy Rules. This makes it easier to build security policies without unintentionally excluding required dependent applications. To view the dependent applications, access the relevant Security Policy Rule, and from the Application / Service menu, open the Application dropdown and select the Dependent Applications button. This opens the Dependent Applications pane, which displays all the applications that the selected application relies on, as well as the rules they are used in. You can also add these dependencies directly to your current rule or an existing rule.

Post-Quantum Cryptography (PQC) Support for TLSv1.3 Inline Decryption

Release Date: February 2026 | Last Updated: May 2026

Adopting post-quantum cryptography (PQC) is critical to protecting your organization and its assets against future quantum computers, which will break today’s classical cryptography. Failure to adopt PQC early increases the risk that sensitive data is compromised, with attacks like Harvest Now, Decrypt Later already under way. On the other hand, upgrading legacy applications and systems is a time-consuming and costly process that, without proper guardrails in place, puts service availability and data security at risk. To address these concerns, PAN-OS® 12.1 adds support for securing TLSv1.3 sessions with post-quantum (PQ) key encapsulation mechanisms (KEMs) to the SSL Forward Proxy, SSL Inbound Inspection, Decryption Mirror, and Network Packet Broker features.

In decryption profiles, you can enable PQ KEMs standardized by the National Institute of Standards and Technology (NIST) or nonstandardized, experimental options. You can also specify if your selected algorithms are preferred by the client-side, server-side, or both. Next-Generation Firewalls (NGFWs) now serve as cipher translation proxies, translating between PQC and classical encryption for applications that are not yet post-quantum ready. For example, you can use quantum-safe encryption for communications between end users and NGFWs but classical encryption for connections between an NGFW and applications.

This solution secures both legacy and quantum-safe systems and applications, enables you to meet PQC mandates, and reduces stress and complexity around PQC upgrades.

Post-Quantum Cryptography (PQC) TLS Support for Management Plane

Release Date: February 2026 | Last Updated: May 2026

Future quantum computers will break today's encryption. Adversaries are taking advantage by stealing encrypted data today to decrypt once a cryptographically relevant quantum computer (CRQC) is available. This "Harvest Now, Decrypt Later" strategy requires a proactive response. Management connections are prime targets for adversaries because the encrypted traffic contains sensitive, long-lived data such as login credentials and configuration details. To defend against the quantum computing threat, PAN-OS® 12.1 now supports post-quantum cryptography (PQC) for administrative access to Next-Generation Firewalls (NGFWs) and Panorama®. This feature protects TLSv1.3 management connections using quantum-resistant algorithms standardized by the National Institute of Standards and Technology (NIST).

SSL/TLS service profiles now offer ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism), the post-quantum key exchange algorithm specified in FIPS 203. The NGFW or Panorama ensures interoperability by automatically negotiating a supported classical algorithm if a web browser doesn't support PQC. You can also enable hybrid post-quantum key exchange, which combines a classical algorithm like ECDH with a post-quantum algorithm to generate a shared key. Hybrid key exchange secures your organization from attacks by today's classical computers and future CRQCs. These capabilities prevent disruption to critical operations and ease your transition to PQC.
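The fallback behaviour described above can be audited from the client side by looking at the `supported_groups` extension a browser sends. The following is an added example, not PAN-OS code: the group codepoints come from the IANA TLS Supported Groups registry, while the server preference order and the sample extension bodies are assumptions constructed for illustration.

```python
import struct

# IANA TLS Supported Groups codepoints (from the registry, not from this page).
GROUPS = {
    0x0017: ("secp256r1", "classical"),
    0x0018: ("secp384r1", "classical"),
    0x001D: ("x25519", "classical"),
    0x0201: ("MLKEM768", "pq"),
    0x0202: ("MLKEM1024", "pq"),
    0x11EB: ("SecP256r1MLKEM768", "hybrid"),
    0x11EC: ("X25519MLKEM768", "hybrid"),
    0x11ED: ("SecP384r1MLKEM1024", "hybrid"),
}

def parse_supported_groups(ext_body: bytes) -> list:
    """Decode the body of a supported_groups extension (RFC 8446, 4.2.7)."""
    if len(ext_body) < 2:
        raise ValueError("truncated supported_groups")
    (list_len,) = struct.unpack_from("!H", ext_body, 0)
    if list_len == 0 or list_len % 2 or list_len != len(ext_body) - 2:
        raise ValueError("malformed named_group_list length")
    return list(struct.unpack_from(f"!{list_len // 2}H", ext_body, 2))

def negotiate(client_groups, server_pref):
    """Pick the first server-preferred group the client also offers.

    Simplified: key_share contents and HelloRetryRequest are ignored.
    """
    offered = set(client_groups)
    for group in server_pref:
        if group in offered:
            return GROUPS.get(group, (hex(group), "unknown"))
    return (None, "handshake_failure")

# Hypothetical server policy: hybrid first, then ML-KEM alone, then classical.
SERVER_PREF = [0x11EC, 0x11EB, 0x0201, 0x001D, 0x0017]

# Constructed sample extension bodies (not captured traffic).
MODERN = bytes.fromhex("0008" "11ec" "001d" "0017" "0018")  # PQC-capable client
LEGACY = bytes.fromhex("0006" "001d" "0017" "0018")         # classical-only client

if __name__ == "__main__":
    for label, body in (("modern", MODERN), ("legacy", LEGACY)):
        print(label, negotiate(parse_supported_groups(body), SERVER_PREF))
```

A result of kind `classical` for an administrator's browser means that management session is still exposed to Harvest Now, Decrypt Later even though the profile has PQC enabled.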

You can also generate certificates using the NIST-approved digital signatures: ML-DSA (Module-Lattice-based Digital Signature Algorithm) and SLH-DSA (Stateless Hash-based Digital Signature Algorithm). These algorithms are specified in FIPS 204 and FIPS 205, respectively. PQC certificates are for testing only while industry standards are under development.

Refine Cloud Application Discovery for Enhanced Security

Release Date: August 2025 | Last Updated: May 2026

Gain granular control over cloud asset discovery and application organization using tags, subnets, and namespaces. This feature provides enhanced application definition options during the cloud account onboarding process, allowing you to define precise application boundaries that align with modern, dynamic cloud architectures.

Strata Cloud Manager: IPv6 Service Route Configuration

Release Date: August 2025 | Last Updated: May 2026

You can configure a data port (a regular interface) to access external services, such as DNS servers, external authentication servers, and Palo Alto Networks® services such as software, URL updates, licenses, and AutoFocus. Strata Cloud Manager now supports configuring and deploying IPv6 service routes (in addition to IPv4 service routes) for all managed NGFW platforms.

Strata Cloud Manager: Management Service Route

Release Date: August 2025 | Last Updated: May 2026

The firewall uses the management (MGT) interface by default to access external services, such as DNS servers, external authentication servers, and Palo Alto Networks® services such as software, URL updates, licenses, and AutoFocus. An alternative to using the MGT interface is to configure a data port (a regular interface) to access these services. A service route is the path from the interface to the service on a server. Strata Cloud Manager allows you to customize service routes for various services or to select Use Management Interface for all services.

Strata Cloud Manager: NAT Policy with Active/Active HA Binding

Release Date: August 2025 | Last Updated: May 2026

You can now configure a NAT policy rule with active/active HA binding through the Strata Cloud Manager UI, addressing a critical gap in network configuration management capabilities. This feature enables you to establish floating IP configurations for NAT policies in active/active high availability deployments.

When you deploy firewalls in an active/active HA configuration, you need the ability to bind NAT policies to floating IP addresses that can move between HA peers during failover events. This ensures continuous network address translation services without service interruption when one firewall in the HA pair becomes unavailable. Previously, you had to configure these bindings outside of the Strata Cloud Manager interface, creating operational complexity and potential configuration inconsistencies.

The feature introduces a new configuration card and field specifically for NAT policy active/active HA binding within the Strata Cloud Manager interface. You can access these controls when your device participates in an HA active/active configuration. This integration streamlines your network management workflows by centralizing configuration tasks within a single management interface.

You will benefit from this feature if you operate high-availability network infrastructures that require seamless failover capabilities for NAT services. Organizations with mission-critical applications that cannot tolerate network translation service interruptions will find this particularly valuable, as it maintains network connectivity during planned maintenance or unexpected hardware failures. The feature also reduces configuration errors by providing a standardized interface for HA binding configuration rather than relying on manual configuration processes.

Virtual Router Configuration Support for Cloud Managed NGFWs

Release Date: August 2025 | Last Updated: May 2026

Note: This feature is available on request. Contact your account team to enable the feature.

Virtual router support for cloud managed NGFWs addresses some configuration gaps in Strata Cloud Manager by implementing missing capabilities that are present in Panorama, enabling seamless migration for customers with existing virtual router deployments. You benefit from this enhancement when migrating from Panorama to Strata Cloud Manager because it eliminates configuration blockers that would otherwise prevent successful migration or require extensive reconfiguration of your routing protocols. The feature specifically targets configuration options identified in current Panorama deployments, ensuring that your existing BGP, OSPF, and static routing configurations can be preserved during the migration process.

You can configure enhanced BGP parameters including authentication profiles with secret keys, dampening profiles with configurable cutoff and decay settings, advanced peer connection options such as idle hold time and incoming connection management, and sophisticated route aggregation with suppress filters. The feature provides expanded OSPF capabilities including MD5 authentication profiles with key management, password-based authentication options, and enhanced area configuration parameters. You also gain access to improved static routing options including next virtual router capabilities and advanced route table configurations for both IPv4 and IPv6 implementations.

Visibility for ZTNA Connector

Release Date: August 2025 | Last Updated: May 2026

Depending on your license for ZTNA Connector, you can see the following updates in Strata Cloud Manager for visibility:

Select the number next to Total Connector Groups, Total Wildcards, FQDN, or IP Subnet to get the details for each ZTNA object. You can see the status related to each ZTNA object (UP, Partially Up, Down). Additionally, you can now monitor a Wildcard's bandwidth by selecting Action.