New Features - Strata Cloud Manager - June 2024

( HA deployments only ) In an Auto VPN with SD-WAN configuration, the Auto VPN can now generate the appropriate configuration automatically for the active and passive HA peers (both branch and hub HA pairs). It enables the HA failovers to be seamless between the HA pairs.

You can integrate your Cloud NGFW resource with Strata Cloud Manager for policy management. This integration allows you to use a single Strata Cloud Manager to centrally manage a shared set of security rules on Cloud NGFW resources alongside your physical and virtual firewall appliances. You can also manage all aspects of shared policy configurations, gain comprehensive visibility with actionable insights, and generate reports on traffic patterns or security incidents of your Cloud NGFW resources, all from a single console.

You can register your Cloud NGFW resources with an existing Strata Cloud Manager that you activated based on your AIOps, NGFW, Prisma Access, or Strata Cloud Manager Pro/Essential licenses. If you do not have a Strata Cloud Manager, you can activate a new Strata Cloud Manager Essentials (steps 1-8) to use with Cloud NGFW. In either case, the integration automatically enables Strata Cloud Manager Pro features for Cloud NGFW.

It may take approximately 45–50 minutes to upgrade from Strata Cloud Manager Essentials to PRO when you register the first resource.

When using Strata Cloud Manager for Cloud NGFW policy management, consider the following:

• When first registering to Strata Cloud Manager, Cloud NGFW resources (for example, the resource ID) may fail to display. These resources will appear after a few moments if there are no underlying connection issues.
• Best practices for Cloud NGFW Strata Cloud Manager policy management differ from those using Panorama policy management with your Cloud NGFW resource. For example, some pass-through traffic in a Panorama managed environment may be dropped in a Strata Cloud Manager-managed Cloud NGFW resource.
• X-forwarded functionality is not supported in Strata Cloud Manager policy management for your Cloud NGFW.
• Cloud certificate is not supported.
• DLP is not supported.
• DAGs is not supported.
• When configuring security rules for your Strata Cloud Manager-managed Cloud NGFW, you must specify ANY for the security rule. However, the from/to zone appears as the Data Zone in the Strata Logging Service.

For Enterprise IT and IT Enabled Services (ITES) companies that need to control which users have access to their customer projects, Dynamic Privilege Access provides a seamless, secure, and compartmentalized way for your users to access only those projects that they are assigned to. Employees are typically assigned to several customer projects and are provided with siloed access to these projects so that an authorized user can access only one customer project at a time.

The Dynamic Privilege Access feature in Prisma Access provides dynamic privileges for your users based on the workflow or project that your users select in the Prisma Access Agent. Your users can have dynamic privileges based on the combination of the user group and IP pool that is assigned to a project. This unique combination defines a project. With Dynamic Privilege Access, you can isolate resources in your network so that they are only accessible to your users according to the projects they are assigned to.

A new predefined role called the Project Admin is available to allow project administrators to create and manage project definitions. Project administrators have the ability to map projects to select Prisma Access location groups, and create IP address assignments using DHCP based on the project and location group.

You can gain visibility into your Prisma Access Agent deployment by using Strata Cloud Manager to monitor your users' project activity, and view the service consumption and security posture in your network.

Dynamic Privilege Access enables Prisma Access to apply different network and Security policy rules to mobile user flows based on the project your users are working on. In the Strata Cloud Manager Command Center, navigate to Activity InsightsProjects, where you can view user-based access information in your environment

Note: This feature is available on request for users with Strata Cloud Manager Pro license tier. Please contact your account team to enable the feature..

Managing complex network security environments requires you to quickly find and modify configuration settings across multiple devices. Manually searching for every instance of a specific network object such as IP address, object name, referenced objects, duplicated objects, is inefficient, time consuming, and prone to error. Global Configuration Search available in Strata Cloud Manager, solves this challenge by providing a search functionality across your entire managed configuration.

You can search any string, such as a specific policy name, rule UUID, referenced object, or even policies associated with CVEs. The search results are categorized, providing you with direct links to the configuration location within the Strata Cloud Manager enabling easy navigation to all occurrences and references of the searched string. The search results also help you identify other objects that depend on or make reference to the search term or string. For example, when deprecating a security profile enter the profile name in Config Search to locate all instances of the profile and then click each instance to navigate to the configuration page and make the necessary change. After all references are removed, you can then delete the profile. You can do this for any configuration item that has dependencies.

Note: This feature is available on request. Contact your account team to enable the feature.

Remove the need for context switching from central management to individual firewalls for managing local configurations.

This feature enhances readability, simplifies troubleshooting, and reduces manual effort by providing visibility and control over local firewall configurations through Strata Cloud Manager. Additionally, it identifies any conflicting or overridden objects between local and pushed configurations, making it easier to troubleshoot.

Managing complex internet security policies across Next-Generation Firewalls and Explicit Proxy deployments traditionally required manual rule sequencing that could break existing configurations. The Web Access Security policy abstraction framework resolves this complexity by transforming user intent into the policy language for enforcement nodes, specifically supporting PAN-OS and Explicit Proxy deployments. Default rule ordering ensures continuity for your current rules without altering the user experience.

This framework incrementally enhances existing Web Security workflows. The change in behavior, positions newly created Global Web Access policy rules between Web Security rules and regular security rules. Global Catch All policy rules are placed above the intrazone default rules in the post-rules section. This rule ordering allows you to create new internet security policy rules while preserving existing rules in your configuration.

This feature provides significant benefits if you're using Prisma Access for internet security and deploying next-generation firewalls as internet gateways.

Manually synchronizing configurations across multiple tenants is error-prone and inefficient. Snippet sharing eliminates the need for manual synchronization, transforming multitenant configuration management in Strata Cloud Manager . This feature simplifies the sharing of common configurations across tenants, significantly reducing the time and effort required for complex setups.

You can now save and organize configuration combinations as reusable snippets. You can easily share these reusable snippets across tenants within your account. This capability provides flexibility, control, and efficiency in managing shared configurations. Use snippet sharing to move configurations from lab to production environments, migrate settings between tenants, manage common configurations across multiple tenants from a single location, and easily handle global configurations across business units.