New Features - Strata Cloud Manager - November 2024

The All Users

Managing security across a hybrid workforce requires administrators to track user connection status, location, and access mode across Next-Generation Firewalls (NGFWs) and cloud services. The All Users page provides comprehensive, centralized visibility to address this complexity

In the All Users page, you can view:

• The total number of unique users currently connected to Palo Alto Networks security solutions and whether users are connected to NGFW and Prisma® Access.
• The number of users connected during a certain time range, broken down by users connected through NGFW and Prisma Access.
• Agent-based users connected through NGFW and Prisma Access.
• Agent-based or browser-based Explicit Proxy users connected to NGFW and Prisma Access.
• A list of unmanaged device users accessing Prisma Access.
• A list of users connecting from branch locations to Prisma Access.
• A list of users connecting their data centers using specific service connections.

Malicious actors scan Internet Protocol (IP) numbers to identify and exploit open and insecure protocols on target hosts. This reconnaissance technique involves cycling through IP protocol numbers to discover the IP protocols and services that the target host supports, sometimes with the help of automated tools. Starting with PAN-OS® 11.1, you can enable reconnaissance protection against IP protocol scans.

When enabled, your Next-Generation Firewall (NGFW) detects IPv4 and IPv6 protocol scans based on a specified number of scan events that occur within a specified interval. By default, your NGFW generates an alert in the Threat logs when these thresholds are met. However, you can configure the NGFW to take other actions, such as dropping subsequent packets from the source IP address to the target host for a specified time. To minimize false positives and allow legitimate activity, you can exclude the IP addresses of trusted internal groups performing vulnerability testing from this protection.

Details of each detected scan are available in Threat logs.

Save a configuration as a named snapshot in Strata Cloud Manager for enhanced configuration management and version control. Previously in Strata Cloud Manager, users were limited to loading only previously pushed configurations that had been committed to the firewalls. This restriction meant that administrators had to manually keep track of configuration pushes and timing if they wanted to maintain access to a known good configuration they could fall back on during troubleshooting or rollback scenarios.

Now, with the new Config Version Snapshot dashboard, you can save any in-progress configuration as a named snapshot, providing unprecedented flexibility in configuration management workflows. Having a named snapshot capability allows you to preserve specific configuration states that you can easily load to restore Strata Cloud Manager to a known working state, regardless of whether that configuration was ever pushed to production firewalls.

The named configuration snapshots feature includes a dedicated management interface with their own organized table view, where you can assign descriptive names to each snapshot for easy identification and tracking. This naming convention enables teams to maintain clear documentation of configuration milestones, test states, or backup points. For example, you might save snapshots labeled "Pre-Migration Baseline," "Security Policy Update v2.1," or "Known Good State - Q4 2024."

When you save a named snapshot, it replaces the current configuration candidate in your workspace, allowing you to immediately begin working from that restored state. This functionality is particularly valuable for testing configuration changes, maintaining configuration templates, or quickly reverting to stable configurations during incident response scenarios.

You can deploy Prisma Access Cloud Management in the Switzerland region.

The Strata Cloud Manager Configuration APIs now support both the Next Generation Firewall and Cloud Next Generation Firewall platforms. This is in addition to the already existing support for the Prisma Access (SASE) platform. To support the additional platforms, the API documentation on pan.dev has a new organization that includes a Strata Cloud Manager-specific landing page. The configuration API documentation has also been broken into functional areas and then organized by platform.

Other major changes include:

• A new FQDN: api.strata.paloaltonetworks.com

• Restructuring of the API paths to support the new API organization.

• Removal of query parameters for POST, PUT, and DELETE operations.

There are many other changes to the configuration APIs, both to support the new platforms, and to support new functionality. For complete details on this release, please see the Strata Cloud Manager API November 2024 Release Notes.

Strata Cloud Manager introduces new permissions to enforce access control for managing security checks, managing security check exceptions, and overriding security check block actions. These permissions offer granular control and enhance security by preventing users from making unauthorized changes to the security checks essential for maintaining compliance. The new permissions are:

• Manage Security Checks

  Security checks are a set of predefined best practice checks and custom checks that evaluate your configuration and identify deviations.

  To view predefined best practice checks and perform actions such as creating, editing, deleting, or cloning custom checks, you will now need the necessary read and write access for the Manage Security Check permission.

• Manage Security Check Exceptions

  Security check exceptions allow you to turn off specific security checks for certain devices in your environment.

  To manage and view the security check exceptions, you will now need the necessary read and write access for the Manage Security Check Exception permission.

• Override Security Check Block Action

  You can override the security check block action in two ways:

  • When you push the configuration to the firewall, you can choose to ignore security check failures and continue with the push operation.

  • When you create or edit a Security Policy Rule, Strata Cloud Manager validates the rules against existing security checks. If the checks fail, you can choose to override and save the rule.

  To perform any of the above override operations, you will now need read and write access for Override Security Check Block Action permission.

The following table outlines the predefined roles and the associated new permissions:

• Superuser

  Includes read and write access for the following permissions:

  • Manage Security Checks

  • Manage Security Check Exception

  • Override Security Check Block Action

• Network Administrator

  Security Administrator

  View Only Administrator

  Includes read-only access for the following permissions:

  • Manage Security Checks

  • Manage Security Check Exception

For all other predefined roles, Strata Cloud Manager hides the Security Checks and Security Check Exceptions tabs in the Security Posture Settings . Alternatively, you can create or edit existing custom roles and configure the necessary permissions to view, manage, and override security checks.

To help troubleshoot your cloud managed NGFWs, a Session Browser is now available in Strata Cloud Manager. The session browser addresses common challenges faced by security teams who are unable to interface with their NGFWs directly due to various operational constraints, such as NGFWs not being physically on location, network connectivity issues, or security policies that restrict direct device access.

The Session Browser provides real-time visibility into network traffic and session data, enabling administrators to diagnose issues remotely without requiring physical presence at the NGFW location. When reviewing session information, you can leverage advanced filtering capabilities to quickly isolate relevant data by rules, sources, destinations, or App-ID™. This granular filtering allows for efficient troubleshooting by narrowing down sessions to specific applications, user groups, or network segments that may be experiencing issues.

Beyond the core session browsing functionality, this release consolidates previously scattered troubleshooting capabilities into a unified experience. The available troubleshooting tools for DNS Proxy, User IP mapping, User Group configurations, Routing tables, Dynamic User Group membership, Dynamic Address Group populations, NAT policy evaluation, and External Dynamic Lists are now accessible through a single dashboard. This consolidation significantly reduces the time spent navigating between different interfaces and provides a complete view of your NGFW's operational status.

This feature allows distributed security teams to maintain optimal NGFW performance and quickly resolve network issues regardless of their physical proximity to the infrastructure.