New Features - Strata Cloud Manager - February 2025


Ability to Clone GlobalProtect App Settings and Tunnel Settings

Release Date: February 2025 | Last Updated: May 2026

You can clone existing GlobalProtect tunnel settings and app settings. This enhancement facilitates the creation of additional tunnel and app settings if you need to support split tunneling or multiple connection settings.

Advanced Control and Visibility Enhancements to Snippet Sharing

Release Date: February 2025 | Last Updated: May 2026

The snippet sharing enhancement improves control and visibility over shared configurations across multiple tenants. The new features include a customizable "Action when disassociated" property for Subscriber Tenants, which allows you to convert snippets to local or delete them when disassociated.

You can now choose between reverting snippet-related changes or keeping current versions when loading previous configurations with the Config Version Load functionality.

To reduce misconfiguration during publishing, you'll benefit from the validate-before-update function, while asynchronous loading of updates for subscribers enhances performance.

The UI improvements introduce Paused Updates status indicators and refresh capabilities for Subscribed and Published Tenants, making it easier for you to track and manage snippet statuses. Error messaging now displays snippet names instead of UUIDs, simplifying your troubleshooting process.

A new configuration indicator helps you track snippet sharing statuses efficiently. These enhancements optimize your disassociated snippet management, provide you with version control and configuration reload options, and improve error handling and status visibility.

Bulk Import of Trusted IP Addresses

Release Date: February 2025 | Last Updated: May 2026

You can now add multiple trusted IP addresses using the bulk import feature in Strata Cloud Manager.

This enhancement significantly improves the user experience by enabling the bulk import of trusted IP addresses through a simple CSV upload, eliminating the need for time-consuming manual entry. With an increased default limit of 100 IP addresses per tenant security group (TSG), you can more efficiently manage larger sets of IP addresses.

Additionally, robust error handling ensures that only valid, unique IP addresses are accepted, providing clear feedback if issues such as duplicates, private IP addresses, or exceeding the limit occur.

This update streamlines the configuration process, reduces errors, and offers greater flexibility for managing network security.
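
A pre-upload check for the CSV, as an added example (not Palo Alto Networks code): it applies locally the rejection causes named above (invalid, duplicate, private, over the 100-address limit). The one-address-per-row layout, the name `precheck_trusted_ips`, and the use of Python's `is_private` as the definition of "private" are assumptions; the page does not specify the file format.

```python
import csv
import io
import ipaddress

MAX_TRUSTED_IPS = 100  # default per-TSG limit stated on this page


def precheck_trusted_ips(csv_text, existing=(), limit=MAX_TRUSTED_IPS):
    """Return (accepted, rejected); rejected holds (row, value, reason) tuples.

    Assumes one single address (no CIDR) in the first column of each row.
    `existing` is the list already configured, so it counts toward the limit.
    """
    seen = {ipaddress.ip_address(a) for a in existing}
    accepted, rejected = [], []
    for row_no, row in enumerate(csv.reader(io.StringIO(csv_text)), start=1):
        if not row or not row[0].strip():
            continue  # ignore blank lines
        raw = row[0].strip()
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            rejected.append((row_no, raw, "invalid"))
            continue
        if addr.is_private:  # assumption: stands in for the service's check
            reason = "private"
        elif addr in seen:
            reason = "duplicate"
        elif len(seen) >= limit:
            reason = "limit"
        else:
            seen.add(addr)
            accepted.append(str(addr))
            continue
        rejected.append((row_no, raw, reason))
    return accepted, rejected


# Constructed sample upload (not taken from the page).
SAMPLE_CSV = """8.8.8.8
10.1.2.3
8.8.8.8
not-an-ip
1.1.1.1
2001:4860:4860::8888
8.8.4.4/32
"""

if __name__ == "__main__":
    ok, bad = precheck_trusted_ips(SAMPLE_CSV, existing=["9.9.9.9"])
    print("accepted:", ok)
    for row_no, value, reason in bad:
        print(f"row {row_no}: {value!r} rejected ({reason})")
```
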

Configuration Management Support by Region

Release Date: February 2025 | Last Updated: May 2026

Strata Cloud Manager for Configuration Management is a solution that is defined and controlled based on the region where it is deployed. You can deploy Strata Cloud Manager in the locations of your choosing, based on data location preferences and where you have the most users. For this reason, we are rolling out region-specific support for Strata Cloud Manager as soon as we are able to do so for each region.

Update:

Strata Cloud Manager now supports the following additional regions:

  • France
  • South Africa

Configuration Management Support by Region

Release Date: February 2025 | Last Updated: May 2026

Strata Cloud Manager for Configuration Management is a solution that is defined and controlled based on the region where it is deployed. You can deploy Strata Cloud Manager in the locations of your choosing, based on data location preferences and where you have the most users. This selection of locations allows for optimized performance, adherence to data residency requirements, and tailored user experiences based on geographical proximity. For this reason, we are rolling out region-specific support for Strata Cloud Manager as soon as we are able to do so for each region.

You can now deploy Strata Cloud Manager in the following additional region for Configuration Management support in the Strata Cloud Manager 2026.R2.0 release: Brazil.

Convert Local Configuration into Shared Snippets

Release Date: February 2025 | Last Updated: May 2026

Note: This feature is available on request for users with Strata Cloud Manager Pro license tier. Please contact your account team to enable the feature.

Strata Cloud Manager now converts local firewall configurations into shared configuration snippets. You can select specific configuration elements from a firewall to create reusable snippets for multiple devices. When creating snippets, you control which configuration items to include, sharing only the necessary settings across different network segments.

Converting local configurations to snippets standardizes configurations across your network and deploys consistent settings to multiple NGFWs. This replicates successful local configurations to other devices, reduces duplication, and maintains consistency between local and shared settings.

This functionality improves network configuration management and scaling. It ensures quick propagation of best practices and optimized settings throughout your infrastructure. The functionality connects local device management with centralized configuration control for flexible network administration.

Enhanced RMA Workflow for Strata Cloud Manager

Release Date: February 2025 | Last Updated: May 2026

The Return Merchandise Authorization (RMA) workflow in Device Management streamlines the process of replacing failed NGFWs in your network environment. This feature automates and simplifies the traditionally manual, error-prone, and time-consuming task of replacing devices. With the new RMA workflow, you can restore configurations and maintain logging, monitoring, and reporting after asset transfer. The workflow enables you to replace a failed device with a new one while automatically associating it with the same configurations and HA pairs as the old device.

RMA offers a user-friendly interface that clearly displays the status of each step in the replacement process. You can easily restore both local and shared configurations from the old device to the new one. The feature supports the replacement of devices in high availability (HA) pairs without affecting the peer device. In the case of errors or failures during the workflow, you receive instructions for recovery without requiring intervention from Palo Alto Networks.

Native Prisma SASE Integration with Prisma SD-WAN

Release Date: February 2025 | Last Updated: May 2026

Connecting Prisma SD-WAN to Prisma Access previously required deploying a separate CloudBlade. To simplify and streamline this process, you can now use native SASE integration to directly onboard Prisma SD-WAN sites to Prisma Access, eliminating the need for a CloudBlade. Native SASE integration creates an IPSec tunnel between a Prisma SD-WAN circuit and Prisma Access to onboard sites.

Prisma Secure Access Service Edge (SASE) offers a comprehensive solution to secure access at the edge, allowing organizations to connect and safeguard users, devices, and applications. Prisma SD-WAN supports this integration for both Cloud Managed and Panorama Managed Prisma Access.

Earlier, you needed the Prisma Access for Networks (Cloud Managed) CloudBlade and Prisma Access for Networks (Panorama Managed) CloudBlade to connect Prisma Access to Prisma SD-WAN. With the native SASE Integration with Prisma SD-WAN feature, you can directly onboard Prisma SD-WAN sites to Prisma Access, bypassing the need for a CloudBlade.

If you have previously set up a CloudBlade to establish the connection between Prisma SD-WAN and Prisma Access, you must first deactivate the CloudBlade and contact Palo Alto Networks Customer Support before using this workflow.

Object Overriding in Strata Cloud Manager

Release Date: February 2025 | Last Updated: May 2026

Network administrators often need to reuse objects across different hierarchical levels while making specific modifications for certain deployments. The Object Overriding feature allows you to override specific properties of network objects (such as zones and logical routers) at child levels in the hierarchy while inheriting other properties from the parent object. This provides greater flexibility in managing your configuration without duplicating objects, especially in large, complex deployments.

When you override an object, you can selectively choose which properties to customize at the child level while maintaining the parent object's values for other properties. Any changes made to the parent object's non-overridden properties will automatically propagate to all child objects, ensuring consistency across your configuration. The interface clearly indicates which properties are inherited and which are overridden, making it easy to understand and manage your configuration.

You can revert overridden properties back to their parent values at any time, giving you complete control over your configuration. This feature is particularly valuable for large enterprises with complex hierarchies that need to maintain consistency while allowing for specific customizations at different levels. For example, you might define a security zone at a higher level with certain interface members, then override it at a lower level to add specific interfaces needed only in that context, while still inheriting security profiles and other settings from the parent configuration.

By using object overriding, you can significantly reduce configuration complexity and maintenance overhead, while gaining the flexibility to adapt your security policy to the specific needs of different environments within your organization. This leads to more manageable configurations and reduces the risk of security gaps that can occur with duplicated objects.

Simplified Security Policy Recommendations for SaaS Security Inline

Release Date: February 2025 | Last Updated: May 2026

The Simplified Security Policy Recommendations for SaaS Security Inline enhances your ability to manage and enforce SaaS app Security policy rules efficiently for NGFW and Prisma Access managed by Strata Cloud Manager. You can now create, manage, and enforce SaaS Security Inline policy rules using the predefined SAAS-Inline-Pol-Recommendations snippet to enforce consistent SaaS app security.

Alternatively, you can now create an Internet Access rule instead of going through the typical SaaS Security Inline policy rule recommendation workflow. As a SaaS Security administrator, creating an Internet Access rule allows you to gain full control over policy rule enforcement and rule ordering. The unified policy framework simplifies your policy rule creation experience, allowing you to enforce consistent SaaS app security regardless of the enforcement point, eliminate policy implementation delay, and reduce the risk of misconfigurations.

This streamlined workflow enables you to fully utilize the SaaS Security Inline capabilities, achieving a stronger security posture for your SaaS environment. Simplified Security Policy Recommendations for SaaS Security Inline allows you to more effectively secure your SaaS apps, reduce administrative overhead, and gain clearer visibility into your SaaS Security posture. The Simplified Security Policy Recommendations for SaaS Security Inline is valuable if you manage complex SaaS environments, require granular control over Security policy rules, or need to rapidly respond to evolving security requirements in your cloud infrastructure.

Unified Policy Management for SaaS Security and Internet Access Policy Rules

Release Date: February 2025 | Last Updated: May 2026

The simplified security policy feature solves the challenge of managing complex, fragmented Security policy rules across multiple Palo Alto Networks products by integrating policy management within the Strata Cloud Manager interface. It unifies SaaS Security and internet access policy rules, providing centralized control and enhanced visibility. This integration reduces misconfigurations and accelerates security best practices adoption.

You can create policy rules using predefined templates or from scratch, with granular controls for user and device-based access, application actions, and data loss prevention. The feature implements dynamic policy enforcement, automatically adapting to changes in application risk levels, tags, and categories. This ensures your security posture remains up to date without manual intervention.

By consolidating policy management, you gain improved control over policy enforcement, minimize configuration errors, and streamline security implementation. This unified approach allows you to effectively secure your SaaS environment while maintaining consistency with existing internet access security policy rules.

Visibility Into Prisma Access Configuration Push Status

Release Date: February 2025 | Last Updated: May 2026

Prisma Access provides enhanced visibility into your configuration pushes in Prisma Access (Managed by Strata Cloud Manager) deployments, allowing you to better monitor and troubleshoot configuration pushes across your network. The status of In Progress jobs is improved, providing you with real-time insights into the progress of configuration pushes across different regions and service types. You can view detailed information about each push, including specific error messages or warnings, enabling quick identification and resolution of issues. This granular visibility is useful when managing large-scale deployments or troubleshooting complex configuration changes.

By using the configuration status messages, you can ensure smoother configuration rollouts, reduce downtime, and maintain better control over your Prisma Access environment. The feature's intuitive interface provides a familiar and user-friendly experience, making it easier for you to manage your Prisma Access configurations effectively.

Web Access Policy Rule Replacement: Migrate to the New Internet Access Rule

Release Date: February 2025 | Last Updated: May 2026

The Internet Access rule is a new policy type within the security rulebase in Strata Cloud Manager. It simplifies security management, reduces rulebase complexity, and ensures consistent security control across web traffic, particularly in cloud-centric and SaaS-driven environments.

The Internet Access rule replaces the existing Web Access policy rules with improved capabilities. Internet Access rule migration transfers your existing web Security policy rules. The system integrates Web Security policy rules and custom Web Access policy rules into the new framework during your tenant upgrades.

You can efficiently manage user access to web applications, applying functional controls, application tenant handling, and data security inspections globally or for specific applications and URLs. This rule integrates with SaaS Security Inline, providing native capabilities without requiring policy recommendation workflows. You can use it alongside existing firewall access policy rules, maintaining full control over rule ordering.

Default settings allow outbound access to SaaS applications and URLs with security inspection and logging enabled. You can adjust built-in decryption rules per scope for precise control over encrypted traffic. New Strata Cloud Manager tenants receive an optimized out-of-the-box security configuration, while existing tenants can adopt the Internet Access rule without disrupting current setups.