New Features - Strata Cloud Manager - February 2026


Audio Passthrough for Privileged Remote Access RDP Sessions

Release Date: February 2026 | Last Updated: May 2026

When users accessing remote desktops through a web browser cannot hear audio from applications running on the remote server, they are prevented from using applications that require audio output such as training videos, notification alerts, or communication tools. You can enable audio passthrough in a Privileged Remote Access (PRA) profile to allow audio from the remote RDP server to be heard on the user's device. Audio passthrough is disabled by default in the default PRA profile. You configure this setting per PRA profile, which allows you to enable audio for specific user groups or application types based on your security requirements. This configuration is only available for RDP applications.

Auto Snippet Association

Release Date: February 2026 | Last Updated: May 2026

Note: Please contact your account team to enable the feature.

Migrating complex Panorama® configurations to Strata Cloud Manager often involves time-consuming manual effort to map templates and folders. The auto snippet association feature solves this challenge by automatically generating and associating configuration snippets with folders during the migration process. When you migrate from Panorama to Strata Cloud Manager, the feature transforms device groups into folders and converts templates into snippets, eliminating the need for manual validation.

You benefit from this feature particularly when managing large-scale deployments where templates are referenced across multiple device groups or where template stacks contain overlapping configurations. By automating these associations, you significantly reduce migration time and minimize configuration errors. This ensures your migrated configuration maintains the same operational behavior as your original Panorama setup while being optimized for the folder-based management model in Strata Cloud Manager.

Automated Identity Management for OCI with SCIM

Release Date: February 2026 | Last Updated: May 2026

Strata Cloud Manager now provides an enhanced System for Cross-Domain Identity Management (SCIM) integration for Oracle Cloud Infrastructure (OCI), automating user and group management. The enhanced SCIM capability streamlines identity lifecycle management by facilitating provisioning, de-provisioning, and updates of user identities and group assignments between OCI and Strata Cloud Manager.

Key enhancements and benefits include:

  • Utilize static bearer tokens for secure, long-lived authentication, specifically designed for SCIM API access.
  • Support a two-step user provisioning process, accommodating OCI-specific SCIM request handling, including the ability to add users without immediate group assignments.
  • Map role-based groups directly from OCI to Strata Cloud Manager for precise and consistent access control.
  • Automate identity lifecycle management, enforcing consistent access policies and simplifying administration for OCI users within your Strata Cloud Manager environment.

Compare Migration Changes with Enhanced Configuration Diff

Release Date: February 2026 | Last Updated: May 2026

Note: Please contact your account team to enable the feature.

Identifying and understanding configuration discrepancies during a firewall migration is difficult when you view raw XML differences without context. The new configuration diff feature for Panorama® migration to Strata™ Cloud Manager provides categorized and searchable comparisons during your migration workflow. When you migrate your configurations to Strata Cloud Manager, you can view differences organized into meaningful categories rather than raw data. This feature tracks three types of changes:

  • Unsupported objects: Identifies objects not supported to show parity gaps with Panorama features.
  • Modified or deleted objects: Shows changes between the pushed and running configurations.
  • Name changes: Tracks objects whose names changed during the migration process.

By listing the object names and types for each difference, this feature helps you understand the impact of configuration changes without needing technical knowledge of complex XML structures.

Flexible Product Deactivation for License Reuse

Release Date: February 2026 | Last Updated: May 2026

You can now easily deactivate an individual product or all products within a Tenant Service Group (TSG) to better manage your tenant resources and licenses. This flexibility helps you reuse existing tenants, optimize license allocation, and maintain better control over your deployment.

If a license remains valid after deactivation, you can reassign it to another tenant without any additional setup. Deactivating all products in a tenant also automatically deactivates the associated add-ons, ensuring clean and consistent management.

You also have a 24-hour grace period to cancel a deactivation after it’s initiated, giving you more control and flexibility in managing changes.

Incident Customization for Prisma Access Infrastructure Monitoring

Release Date: February 2026 | Last Updated: May 2026

Generic detection rules often fail to match specific operational requirements when monitoring Prisma® Access infrastructure. To address this, the incident customization feature in Strata Cloud Manager allows you to define custom raise and clear conditions for tunnel, BGP connectivity, and site capacity incidents through the Unified Incident Framework. This capability gives you granular control over when Strata Cloud Manager generates and resolves incidents based on your unique environment.

You can configure specific time-based thresholds for detecting infrastructure issues across your remote network and service connection deployments. You can define the duration a resource, such as a tunnel or BGP, must be down before an incident is raised, and conversely, the length of time it must be up before that incident is cleared. This flexibility ensures that transient issues do not generate unnecessary alerts while still capturing genuine problems. The feature integrates object-based filtering, enabling you to apply different thresholds to specific sites or BGP peers. Strata Cloud Manager performs a longest-match evaluation against your resource hierarchy, meaning you can set conservative default thresholds for your entire infrastructure while defining more aggressive detection parameters for mission-critical connections.
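The longest-match lookup and the raise/clear timers described above, as an added example (not Strata Cloud Manager's own code or API). The resource paths, the rule table and the poll history are constructed, and representing the resource hierarchy as a path tuple is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Threshold:
    raise_after: int  # seconds a resource must stay down before an incident is raised
    clear_after: int  # seconds it must stay up before that incident is cleared

# Constructed rule table keyed by a hypothetical resource path; () is the global default.
RULES = {
    (): Threshold(600, 600),
    ("remote-networks", "hq-site"): Threshold(120, 300),
    ("remote-networks", "hq-site", "bgp-peer-a"): Threshold(30, 300),
}

def resolve(path, rules=RULES):
    """Longest match: the rule whose key is the longest prefix of `path` wins."""
    path = tuple(path)
    for n in range(len(path), -1, -1):
        if path[:n] in rules:
            return rules[path[:n]]
    raise LookupError("rule table has no default entry")

def polls(pattern, step=30):
    """Expand 'U'/'D' characters into (timestamp, is_up) polls taken every `step` seconds."""
    return [(i * step, ch == "U") for i, ch in enumerate(pattern)]

def evaluate(samples, threshold):
    """Replay polls and return [(timestamp, 'raised' | 'cleared')] for one resource."""
    events, incident_open, last_state, since = [], False, None, 0
    for ts, is_up in samples:
        if is_up != last_state:  # state flipped: restart the hold timer
            last_state, since = is_up, ts
        held = ts - since
        if not is_up and not incident_open and held >= threshold.raise_after:
            incident_open = True
            events.append((ts, "raised"))
        elif is_up and incident_open and held >= threshold.clear_after:
            incident_open = False
            events.append((ts, "cleared"))
    return events

# Constructed history: a brief blip (down at 30-60 s), an outage (down at 150-300 s), recovery.
HISTORY = polls("UDDUUDDDDDD" + "U" * 12)

if __name__ == "__main__":
    for path in (("remote-networks", "hq-site", "bgp-peer-a"),
                 ("remote-networks", "hq-site", "tunnel-1"),
                 ("service-connections", "dc-1")):
        print(path, evaluate(HISTORY, resolve(path)))
```

On the same history, the peer-specific rule raises on the brief blip, the site rule raises only on the longer outage, and the conservative default raises nothing.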

IP Tag Collection on SCM

Release Date: February 2026 | Last Updated: May 2026

Strata Cloud Manager (SCM) now offers native IP-Tag Harvesting capabilities, streamlining the collection of dynamic IP-to-tag mappings from your cloud environments and their distribution to your firewalls. This feature enables you to define security policies using cloud-native tags, ensuring policies adapt automatically as cloud workloads scale and reducing manual configuration overhead. SCM supports onboarding cloud accounts from AWS, Azure, and GCP, with new support for Terraform-based account onboarding for enhanced security and automation.

For more information, see Configuration: IP Tag Collection.

Multiple Virtual System Support on SCM

Release Date: February 2026 | Last Updated: May 2026

Note: Please contact your account team to enable the feature.

Strata Cloud Manager (SCM) now supports multiple virtual system (vsys) mode for Next-Generation Firewalls, enabling you to manage and configure multiple virtual systems within a single physical firewall from SCM. Virtual systems are separate, logical firewall instances within a single physical Palo Alto Networks firewall. Rather than using multiple firewalls, managed service providers and enterprises can use a single pair of firewalls (for high availability) and enable virtual systems on them. Each virtual system is an independent, separately-managed firewall with its traffic kept separate from the traffic of other virtual systems. This feature allows you to create logical separations within a firewall to support multiple departments, customers, or security domains while maintaining centralized management. When you enable multi-vsys mode, you can create, update, and delete virtual systems, import interfaces into specific virtual systems, and push configurations to one or multiple virtual systems simultaneously.

With multi-vsys support, you can logically separate traffic, policies, and objects for different business units or customers, providing enhanced multi-tenancy capabilities. You can delegate administration to different teams by associating virtual systems with appropriate containers, allowing fine-grained access control to specific virtual systems. The ability to push configurations to multiple virtual systems at once simplifies management of complex multi-vsys environments.

This feature is particularly valuable for service providers who need to maintain separation between multiple customer environments on shared hardware, enterprises that want to isolate different departments or business units, or organizations that need to maintain strict separation between production, development, and testing environments. By implementing virtual systems, you can optimize hardware utilization while maintaining logical separation and meet compliance requirements that mandate traffic isolation between different security domains.

SCM provides an intuitive interface for managing virtual systems, allowing you to view the status of all virtual systems, move virtual systems between containers, and monitor the synchronization status of each virtual system separately. When pushing configurations, you can select which virtual systems should receive updates, providing flexibility in configuration management.

NGFW Log Forwarding for Management Plane Logs

Release Date: February 2026 | Last Updated: May 2026

Strata Cloud Manager now supports forwarding next-generation firewall (NGFW) management plane logs to external destinations for monitoring, archiving, and analysis. This feature extends existing visibility beyond data plane traffic.

You can configure forwarding for System, Config, User-ID™, IP-Tag, HIP Match, and GlobalProtect® log types to Syslog, HTTP, SNMP, and email servers. You can apply granular filters based on severity and event attributes to monitor administrative activity, system health, and user mapping events within your centralized logging infrastructure.

Per-Admin Configuration Push and Revert

Release Date: February 2026 | Last Updated: May 2026

Note: Please contact your account team to enable the feature.

In shared environments, concurrent configuration changes by multiple administrators can lead to conflicts where a single error traditionally requires reverting all uncommitted changes. Strata Cloud Manager addresses this challenge by moving beyond the traditional all-or-nothing commit model to offer precise control in multi-administrator environments.

You can now selectively revert uncommitted changes made by specific administrators within defined scopes or within designated containers, cloud containers, on-premises containers, and snippets. This feature allows you to revert specific uncommitted changes from the candidate configuration while preserving other administrators' work. In addition to reverting changes, you can perform partial configuration pushes to deploy only the changes within your selected scope to designated devices.

To ensure deployment accuracy, you can preview changes before you revert or push them. The system provides detailed information about dependencies that might prevent the operation, allowing you to resolve issues before deployment.

You cannot use selective push or revert and must perform all-admin push in the following scenarios:

  • Configuration load operations.
  • Changes in container hierarchy, such as snippet association or disassociation.
  • Internal commits triggered by tenant upgrades.
  • When the number of uncommitted changes exceeds 500.

Policy Optimizer for Panorama-Managed Configurations

Release Date: February 2026 | Last Updated: May 2026

Inconsistent security policies and overly permissive Layer 4 rules across your Strata Cloud Manager and Panorama® deployments create unnecessary attack surface. Policy Optimizer in Strata Cloud Manager now extends its analysis of overly permissive security rules to include Panorama-managed environments. This feature helps organizations strengthen their security posture across all global Next-Generation Firewall (NGFW) and Prisma Access deployments, ensuring consistent security regardless of the chosen policy management method.

This feature enables the modernization of legacy, overly permissive Layer 4 rules. It achieves this by identifying broad "any" entries—such as for source user, source address, destination address, or application—and recommending replacements. These new App-ID™ and User-ID™–based policies are grounded in actual network traffic and user behavior logs. Policy Optimizer continuously analyzes historical logs to surface targeted, high-value recommendations, effectively reducing the attack surface, enforcing the principle of least-privilege access, and elevating overall policy hygiene for a stronger security architecture.
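The kind of analysis described above, as an added example (not Policy Optimizer's own logic): it finds "any" entries in the four fields the text names and proposes the values that the logs actually show for each rule. The rule and log field names, the `min_hits` evidence cutoff and all sample data are constructed assumptions.

```python
from collections import defaultdict

# The four rule fields the text names, mapped to the log key holding the observed value.
# Field and key names are hypothetical, not a PAN-OS or Strata Cloud Manager schema.
FIELDS = {"source_user": "user", "source": "src", "destination": "dst", "application": "app"}

# Constructed rulebase: one legacy Layer 4 rule and one rule that is mostly specific.
RULES = [
    {"name": "legacy-web-out", "source_user": ["any"], "source": ["10.1.0.0/16"],
     "destination": ["any"], "application": ["any"]},
    {"name": "dns-out", "source_user": ["any"], "source": ["10.1.0.0/16"],
     "destination": ["10.9.9.53"], "application": ["dns"]},
]

# Constructed traffic-log records: (rule, user, src, dst, app).
LOGS = [dict(zip(("rule", "user", "src", "dst", "app"), row)) for row in [
    ("legacy-web-out", "alice", "10.1.4.7", "203.0.113.10", "ssl"),
    ("legacy-web-out", "alice", "10.1.4.7", "203.0.113.10", "ssl"),
    ("legacy-web-out", "bob", "10.1.4.9", "203.0.113.10", "web-browsing"),
    ("legacy-web-out", "bob", "10.1.4.9", "198.51.100.5", "web-browsing"),
    ("legacy-web-out", "carol", "10.1.4.11", "198.51.100.5", "ssl"),
    ("dns-out", "alice", "10.1.4.7", "10.9.9.53", "dns"),
]]

def recommend(rules, logs, min_hits=2):
    """For each 'any' field, list values seen in at least `min_hits` log records of that rule.

    A value of None means the field is 'any' but the logs hold too little evidence
    to propose a replacement yet.
    """
    seen = defaultdict(lambda: defaultdict(int))  # (rule name, field) -> value -> hits
    for rec in logs:
        for field, log_key in FIELDS.items():
            seen[(rec["rule"], field)][rec[log_key]] += 1
    out = {}
    for rule in rules:
        for field in FIELDS:
            if "any" in rule[field]:
                hits = seen[(rule["name"], field)]
                values = sorted(v for v, n in hits.items() if n >= min_hits)
                out.setdefault(rule["name"], {})[field] = values or None
    return out

if __name__ == "__main__":
    for name, fields in recommend(RULES, LOGS).items():
        print(name, fields)
```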

Post-Quantum Cryptography (PQC) Support for TLSv1.3 Inline Decryption

Release Date: February 2026 | Last Updated: May 2026

Adopting post-quantum cryptography (PQC) is critical to protecting your organization and its assets against future quantum computers, which will break today’s classical cryptography. Failure to adopt PQC early increases the risk of compromise of sensitive data with attacks like Harvest Now, Decrypt Later already under way. On the other hand, upgrading legacy applications and systems is a time-consuming and costly process that risks service disruption and data security without proper guardrails in place. Accounting for these concerns, PAN-OS® 12.1 adds support for securing TLSv1.3 sessions using post-quantum (PQ) key encapsulation mechanisms (KEMs) to SSL Forward Proxy, SSL Inbound Inspection, Decryption Mirror, and the Network Packet Broker features.

In decryption profiles, you can enable PQ KEMs standardized by the National Institute of Standards and Technology (NIST) or nonstandardized, experimental options. You can also specify if your selected algorithms are preferred by the client-side, server-side, or both. Next-Generation Firewalls (NGFWs) now serve as cipher translation proxies, translating between PQC and classical encryption for applications that are not yet post-quantum ready. For example, you can use quantum-safe encryption for communications between end users and NGFWs but classical encryption for connections between an NGFW and applications.

This solution secures both legacy and quantum-safe systems and applications, enables you to meet PQC mandates, and reduces stress and complexity around PQC upgrades.

Post-Quantum Cryptography (PQC) TLS Support for Management Plane

Release Date: February 2026 | Last Updated: May 2026

Future quantum computers will break today's encryption. Adversaries are taking advantage by stealing encrypted data today to decrypt once a cryptographically relevant quantum computer (CRQC) is available. This "Harvest Now, Decrypt Later" strategy requires a proactive response. Management connections are prime targets for adversaries because the encrypted traffic contains sensitive, long-lived data such as login credentials and configuration details. To defend against the quantum computing threat, PAN-OS® 12.1 now supports post-quantum cryptography (PQC) for administrative access to Next-Generation Firewalls (NGFWs) and Panorama®. This feature protects TLSv1.3 management connections using quantum-resistant algorithms standardized by the National Institute of Standards and Technology (NIST).

SSL/TLS service profiles now offer ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism), the post-quantum key exchange algorithm specified in FIPS 203. The NGFW or Panorama ensures interoperability by automatically negotiating a supported classical algorithm if a web browser doesn't support PQC. You can also enable hybrid post-quantum key exchange, which combines a classical algorithm like ECDH with a post-quantum algorithm to generate a shared key. Hybrid key exchange secures your organization from attacks by today's classical computers and future CRQCs. These capabilities prevent disruption to critical operations and ease your transition to PQC.

You can also generate certificates using the NIST-approved digital signatures: ML-DSA (Module-Lattice-based Digital Signature Algorithm) and SLH-DSA (Stateless Hash-based Digital Signature Algorithm). These algorithms are specified in FIPS 204 and FIPS 205, respectively. PQC certificates are for testing only while industry standards are under development.

ServiceNow Integration with OAuth Authentication

Release Date: February 2026 | Last Updated: May 2026

Storing and transmitting direct user credentials for third-party integrations creates significant security risks and often violates organizational compliance policies. To address these risks, OAuth 2.0 authentication for ServiceNow integrations in Strata Cloud Manager provides a secure, token-based mechanism that eliminates the need to transmit sensitive passwords directly. This feature allows you to use industry-standard protocols to establish secure connections without exposing username and password combinations in your notification profiles.

The client credentials grant type implementation allows you to authenticate using client ID and client secret pairs. Strata Cloud Manager automatically handles access token acquisition and renewal, ensuring your incident management workflows continue without manual intervention. Because tokens have limited lifespans and are easily revocable, this approach offers superior protection compared to basic authentication. You can implement least-privilege access patterns, ensuring the integration only receives the minimum permissions necessary for ticket management.

Organizations with strict security mandates benefit from improved audit trails and granular access control. You can migrate existing ServiceNow notification profiles from basic authentication to OAuth seamlessly, maintaining your current incident management workflows while significantly enhancing your credential security posture.