New Features - Strata Cloud Manager - July 2025

You can manage Applications, API Keys, and Security Profiles from a centralized dashboard within Strata Cloud Manager. This allows you to create and manage multiple API keys, define and manage applications, and create and manage AI API security profiles and their revisions. This centralized approach enables you to tailor security policy rules precisely to the unique needs of different applications and API integrations.

You can now discover your GCP cloud assets by onboarding your GCP account in Strata Cloud Manager. You can deploy and secure your GCP environment with network intercept. This feature enables onboarding your GCP cloud account to a centralized management platform, enabling the discovery of your cloud assets and providing visibility into your AI workload deployments.

This expanded support for GCP provides dedicated protection, enhanced visibility, streamlined deployment, and reduced risk.

Note: This feature is available on request. Contact your account team to enable the feature.

If you use Panorama to manage your organizations NGFWs, you can migrate your configurations to Strata Cloud Manager for the benefits of cloud management.

Strata Cloud Manager enables you to migrate your organizations NGFW hierarchy and configurations:

• Complete migration visibility and control — Accept and validate Panorama running configurations with pre-migration identification of unsupported elements.

• Flexible migration options — Choose partial or complete configuration migration based on your requirements.

• Conflict prevention — Automatic detection and display of previously migrated elements during subsequent migrations.

• Automated validation — Minimize the risk of configuration errors that could impact network security.

• Configuration continuity — Maintain your previous configurations throughout the migration process.

For the benefits of moving to Strata Cloud Manager, click here.

You can now manage device quarantine lists for NGFWs acting as GlobalProtect portals and gateways directly through Strata Cloud Manager. This capability enables you to block specific devices by adding their corresponding device information to a quarantine list while using Strata Cloud Manager as your primary management interface.

When you access the device quarantine list functionality in Strata Cloud Manager, you can view quarantined devices that have been flagged by Administrators.

You can now configure High Availability (HA) active/active pairs through the Strata Cloud Manager user interface, expanding beyond the previously available active/passive configuration. This feature addresses the prior limitation where Strata Cloud Manager supported only active/passive HA, requiring you to use alternative methods to configure active/active deployments.

When you configure active/active HA, both firewalls in the pair actively process traffic simultaneously, providing increased throughput and better resource utilization compared to active/passive configurations where the secondary device remains idle. You can distribute network traffic across both devices using various load balancing methods, including session-based distribution and IP hash algorithms. The active/active configuration requires you to configure HA3 interfaces for session synchronization between the paired devices, ensuring traffic continuity during failover events.

You will find this feature particularly useful when you need to maximize network performance and cannot afford to have hardware resources sitting idle. Active/active HA allows you to effectively double your processing capacity while maintaining redundancy. The configuration includes virtual address management where you can define floating IP addresses that can move between devices or configure ARP load sharing to distribute traffic. You can also configure device priorities and election settings to control which device handles specific traffic types or takes precedence during certain network conditions.

Strata Cloud Manager™ now makes it easy to create and deploy custom admin roles

for managed NGFWs, allowing you to control what each administrator is allowed to do. By setting up roles with specific permissions and assigning them to administrators you can enforce the principle of least privilege, ensuring administrators have only the access necessary for their specific job functions.

This feature gives you fine-grained control across the web interface, CLI, REST API, and XML API. You can configure detailed access permissions over various functional areas, including device configuration, network settings, security policies, monitoring capabilities, and operational tasks. For example, you can create a network admin role that has permissions to manage interfaces and routing but is restricted from changing security profiles.

Strata Cloud Manager allows you to configure and deploy GRE (Generic Routing Encapsulation) tunnels on managed NGFW platforms to establish secure, point-to-point connectivity across untrusted networks. GRE tunnels enable you to encapsulate various network layer protocols inside virtual point-to-point links, allowing you to extend your network topology across geographically distributed locations.

Now you can deploy a custom master key in Strata Cloud Manager™ to replace the default master key on your next-generation firewalls (NGFWs), adding an extra layer of protection for your sensitive data.

When you deploy a new master key, Strata Cloud Manager re-encrypts all key material to strengthen your security posture. You can define a custom lifetime for the master key (from 1 to 18, 250 days) and set reminder notifications (1 to 365 days before expiration). This allows you to rotate keys on schedule to help minimize disruption. Regular rotation is a best practice for cryptographic key management and helps you meet compliance requirements.

The Deploy Master Key feature supports both standalone and high-availability (HA) firewall configurations, with built-in validations to ensure secure key deployment.

Strata Cloud Manager™ now provides the ability to configure and deploy NetFlow on managed next-generation firewall (NGFW) platforms. This new capability allows you to export detailed IP traffic statistics to a NetFlow collector, providing valuable data for security analysis, troubleshooting, and performance optimization. You can create server profiles to define collector destinations and export parameters, with support for Layer 3, Layer 2, virtual wire, tap, VLAN, loopback, and tunnel interfaces. This feature supports NetFlow Version 9 and both standard and enterprise templates.

Strata Cloud Manager™ now offers expanded response page customization, allowing you to tailor additional page types for a more consistent and user-friendly experience. These pages appear during authentication challenges, security restrictions, or informational notices, helping users understand what is happening while maintaining your organization’s branding.

Newly supported customizable pages include:

• GlobalProtect: Customize portal login pages, welcome screens, and help pages that guide users through the connection process.

• Authentication Services: Modify Multi-Factor Authentication (MFA) login pages and SAML authentication error pages to provide clear guidance during authentication challenges.

• SSL Decryption: Customize notification pages to inform users about traffic inspection policies and certificate errors.

Strata Copilot now extends its reach to new regions, enhancing global accessibility. This expansion brings the powerful AI-driven assistance to users in South Africa. By increasing geographical coverage, Strata Copilot offers more organizations the opportunity to streamline their security operations, leverage intelligent insights, and improve overall efficiency in managing their Palo Alto Networks solutions in Strata Cloud Manager across these diverse locations.

Strata Copilot now supports the following additional regions:

• South Africa