New Features - Strata Cloud Manager - September 2023
Cloud IP-Tag Collection
Enforcing your security policy consistently across all the firewalls in your network relies on those firewalls having the most up-to-date identity information from your sources, such as cloud-based identity management systems. With the array of management systems and large numbers of users and devices, it can often be time-consuming and difficult to correlate identity information with its originating sources and ensure that it was provided to all necessary devices.
You can now use Strata Cloud Manager with the Cloud Identity Engine to manage IP address-to-tag (also known as IP-tag) mappings and simplify your security policy by creating tag-based rules. When you configure a cloud connection in the Cloud Identity Engine to your cloud-based identity management system (either Azure or AWS), the Cloud Identity Engine collects the IP-tag mappings from that source.
You can see all of your IP-tag mappings, as well as their associated sources, in the Cloud Identity Manager. Using filters to highlight the most relevant information, you can quickly identify issues with your security policy, such as a source that is currently unavailable. You can then use the Strata Cloud Manager to create tag-based security policy using dynamic address groups and distribute it to the firewalls in your network to ensure they have the latest information needed to consistently enforce security policy. You can also share the IP-tag mappings with other firewalls in your network by using User Context segments in the Cloud Identity Engine.
By leveraging the capabilities of Strata Cloud Manager with the identity information that the Cloud Identity Engine provides, you can more easily create and manage your security policy using tags.
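The following is an added example, not Palo Alto Networks code, of how a tag-based dynamic address group (DAG) resolves against IP-tag mappings of the kind described above. The mappings, the source names and their connection status are constructed sample data, and the match-expression grammar (quoted tags combined with and, or, not and parentheses) is a simplified stand-in for the real DAG match criteria:

```javascript
// Constructed IP-tag mappings of the shape the Cloud Identity Engine collects:
// each address carries the tags learned from a cloud source, plus that source.
const ipTagMappings = [
  { ip: "10.1.1.10", tags: ["env=prod", "role=web"], source: "azure-prod" },
  { ip: "10.1.1.11", tags: ["env=prod", "role=db"],  source: "azure-prod" },
  { ip: "10.2.2.20", tags: ["env=prod", "role=web"], source: "aws-us-east" },
  { ip: "10.3.3.30", tags: ["env=dev",  "role=web"], source: "aws-us-east" },
];

// Constructed source health, mirroring the "source currently unavailable" filter.
const sourceStatus = { "azure-prod": "connected", "aws-us-east": "unavailable" };

// Parse a DAG match expression such as "'env=prod' and ('role=web' or 'role=db')"
// into a small AST. Simplified grammar: quoted tags, and/or/not, parentheses.
function parseMatchExpr(expr) {
  const tokens = expr.match(/'[^']*'|\(|\)|\b(?:and|or|not)\b/gi) || [];
  let pos = 0;
  const peek = () => (tokens[pos] || "").toLowerCase();
  const next = () => tokens[pos++];

  function parseOr() {
    let node = parseAnd();
    while (peek() === "or") { next(); node = { op: "or", l: node, r: parseAnd() }; }
    return node;
  }
  function parseAnd() {
    let node = parseNot();
    while (peek() === "and") { next(); node = { op: "and", l: node, r: parseNot() }; }
    return node;
  }
  function parseNot() {
    if (peek() === "not") { next(); return { op: "not", e: parseNot() }; }
    return parseAtom();
  }
  function parseAtom() {
    const t = next();
    if (t === "(") {
      const node = parseOr();
      if (next() !== ")") throw new Error("expected ')' in match expression");
      return node;
    }
    if (t && t.startsWith("'")) return { op: "tag", tag: t.slice(1, -1) };
    throw new Error("unexpected token in match expression: " + t);
  }

  const tree = parseOr();
  if (pos !== tokens.length) throw new Error("trailing tokens in match expression");
  return tree;
}

// Evaluate the AST against one address's tag set.
function matches(node, tagSet) {
  switch (node.op) {
    case "tag": return tagSet.has(node.tag);
    case "not": return !matches(node.e, tagSet);
    case "and": return matches(node.l, tagSet) && matches(node.r, tagSet);
    case "or":  return matches(node.l, tagSet) || matches(node.r, tagSet);
    default: throw new Error("unknown node " + node.op);
  }
}

// Resolve a DAG: the sorted list of addresses whose tags satisfy the expression.
function resolveDag(matchExpr, mappings = ipTagMappings) {
  const tree = parseMatchExpr(matchExpr);
  return mappings.filter(m => matches(tree, new Set(m.tags))).map(m => m.ip).sort();
}

// Addresses whose tags came from a source that is not currently connected; their
// mappings may be stale, so a DAG built on them may no longer reflect reality.
function addressesFromUnavailableSources(mappings = ipTagMappings, status = sourceStatus) {
  return mappings.filter(m => status[m.source] !== "connected").map(m => m.ip).sort();
}

console.log(resolveDag("'env=prod' and 'role=web'"));
console.log(addressesFromUnavailableSources());
```

The point of the second function is the one the release notes make: a rule whose members come from a DAG is only as current as the sources feeding the mappings, so a disconnected source is a policy issue, not just a connectivity one, and deserves to be surfaced alongside the rule itself.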
Config Version Snapshot
Managing configuration pushes for cloud managed NGFWs and Prisma® Access deployments often lacks comprehensive oversight and rapid recovery options. Config Version Snapshots solve this by providing enhanced visibility and control over your security infrastructure changes, ensuring you can confidently deploy updates while maintaining the ability to quickly recover from any unintended consequences.
You can now evaluate configuration pushes with detailed analysis tools, compare your candidate configuration against previously pushed configurations to identify specific changes, and roll back recent modifications in the event of any unintended consequences from a recent push. This comparison helps you understand exactly what will change before committing updates to production environments.
The system allows you to load previous configurations to use as candidates for your next configuration push, enabling you to build upon proven stable configurations and make incremental changes to expand the scope of the original setup. This iterative approach reduces risk by allowing you to test and validate changes incrementally rather than implementing large-scale modifications all at once.
When issues arise, you can restore a previous configuration to immediately roll back the changes from a recent configuration push, minimizing downtime and quickly returning your security infrastructure to a known good state. This rollback capability is essential for maintaining business continuity while troubleshooting configuration changes.
Additionally, you can review the specific devices or deployments that are impacted or targeted by your configuration pushes, providing you with complete visibility into the full scope of changes across your entire security infrastructure. This comprehensive view ensures you understand which systems will be affected before executing any configuration updates.
Enhanced Filtering and Query Building in Log Viewer
Searching and analyzing large volumes of relevant logs can be time-consuming. To help you quickly investigate security events and streamline log analysis, Strata Cloud Manager's Log Viewer now includes advanced filtering and viewing capabilities.
These enhancements simplify query construction and ensure you can search and view relevant logs easily. The query builder provides autosuggestions most relevant to your search string and suggests all supported values for fields to refine your query precisely. You can search field names using substrings (for example, searching with the string 'user' returns suggestions such as source_user and destination_user). Additionally, you can build a query using either the display name shown in the log table or the actual field name in the log record.
Introducing an AI-Powered Network Security Platform
Prisma Access Cloud Management is supported on the new Strata Cloud Manager platform. Starting in July 2023, we'll be rolling out phased updates to provide you with the new platform experience. We'll be updating the Prisma SASE Platform so that it is on the Strata Cloud Manager platform, alongside your other Palo Alto Networks products and subscriptions that are supported for unified management. This change gives you a new navigation for your Prisma Access Cloud Management features, introduces new features, and means you can use common workflows and features across Cloud Management and your other products that are also updated for Strata Cloud Manager.
Learn more:
- Where are my Prisma Access features in Strata Cloud Manager?
- Take a First Look at Strata Cloud Manager
- See which products and subscriptions are supported for unified management with Strata Cloud Manager
Palo Alto Networks Strata Cloud Manager is a new AI-Powered network security management platform. With Strata Cloud Manager, you can easily manage and monitor your Palo Alto Networks network security infrastructure, including your SASE environment, from a single, streamlined user interface.
This includes using Strata Cloud Manager to manage and monitor the cloud-delivered security services that are included with Prisma Access. Strata Cloud Manager gives you comprehensive monitoring, alerting, and visibility into your Prisma Access environment:
- AI-Powered Autonomous DEM
- Prisma Access Insights
- Strata Cloud Manager Dashboards
- Strata Cloud Manager Monitoring
- Strata Cloud Manager Reports
New Prisma Access Cloud Management Location
Prisma Access Cloud Management can now be deployed in the Japan region.
Snippet Deletion
Administrators often struggle with disorganized configuration scopes due to unused custom snippets cluttering their management interface. Over time, as network configurations evolve and deployments change, custom snippets can become obsolete or redundant, creating confusion during configuration management tasks and increasing the risk of accidentally applying outdated or inappropriate configurations to production environments.
You can now delete custom snippets that are no longer associated with any deployments, firewalls, or folders to keep your configuration scope organized and prevent unwanted or unused snippets from being applied by mistake. This cleanup capability helps maintain a streamlined configuration management experience and reduces the potential for configuration errors.
Snippets in Strata Cloud Manager are classified into two categories: Predefined snippets are available to all Strata Cloud Manager users and help you quickly get your new firewalls and deployments up and running with best practice configurations. Custom snippets are any snippets that administrators create for specific organizational needs.
You can delete unused custom snippets directly from the configuration scope view, providing a convenient way to maintain an organized snippet library. Note that predefined snippets available in Strata Cloud Manager cannot be deleted, ensuring that essential best practice configurations remain available to all users.
Troubleshoot NGFW Connectivity and Policy Enforcement Anomalies
Troubleshoot these networking and identity features to track down and resolve connectivity issues or policy enforcement anomalies:
Network Troubleshooting for NAT and DNS Proxy
Troubleshoot your NGFWs from Strata Cloud Manager without having to move between various firewall interfaces. If you experience connectivity issues after deploying and configuring your NGFWs, you can get an aggregate view of your routing and tunnel states, and drill down to specifics to find anomalies and problematic configurations.
Identity and Policy Troubleshooting
Troubleshoot your identity-based policy rules and dynamically defined endpoints. Check the status of specific NGFWs and expose possible mismatches between how you expect a policy to work and its actual enforcement behavior.
Web Proxy for Cloud-Managed Firewalls
Note: Prisma® Access has its own, separate method of configuring explicit proxy. This new feature applies only to cloud-managed firewalls.
To consolidate management, you can now configure a web proxy on the firewalls you're managing with Strata Cloud Manager®. This means that if you use an NGFW as a proxy device to secure your network, you can configure your proxy settings across your deployment from a single management interface.
This interface includes an in-app Proxy Auto-Configuration (PAC) file editor so that you can edit your proxy settings and modify your PAC file all in one place whenever network changes arise.
The web proxy supports two methods for routing traffic:
- Explicit Proxy — The request contains the destination IP address of the configured proxy, and the client browser sends requests to the proxy directly. Authentication methods such as Kerberos and SAML 2.0 are supported, and require the appropriate web proxy licensing.
- Transparent Proxy — The request contains the destination IP address of the web server, and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). This method requires specific networking prerequisites, including a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules defined in Strata Cloud Manager. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP).
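As an added example (not a PAC file shipped with Strata Cloud Manager or produced by its PAC editor), this is the kind of Proxy Auto-Configuration script that steers browser traffic to an explicit proxy as described above. The proxy address 10.0.0.1:8080 and the internal domain .corp.example are constructed placeholders. The helper functions at the bottom are test shims: browsers provide isPlainHostName, dnsDomainIs, shExpMatch and isInNet natively, and the shims exist only so the script can be exercised outside a browser.

```javascript
// Constructed placeholder: the explicit-proxy listener on the cloud-managed NGFW.
var EXPLICIT_PROXY = "PROXY 10.0.0.1:8080";

// Entry point every PAC file must define; the browser calls it for each request.
function FindProxyForURL(url, host) {
  var h = host.toLowerCase();

  // Unqualified names and the internal domain (constructed) never leave the network.
  if (isPlainHostName(h) || dnsDomainIs(h, ".corp.example")) {
    return "DIRECT";
  }

  // Literal RFC 1918 destinations go direct. isInNet is applied only to literal
  // IPv4 hosts so the PAC never triggers a DNS lookup per request.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(h) &&
      (isInNet(h, "10.0.0.0", "255.0.0.0") ||
       isInNet(h, "172.16.0.0", "255.240.0.0") ||
       isInNet(h, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }

  // Only HTTP and HTTPS are handed to the proxy; other schemes go direct.
  if (!shExpMatch(url, "http:*") && !shExpMatch(url, "https:*")) {
    return "DIRECT";
  }

  // Everything else goes through the explicit proxy. No "; DIRECT" fallback is
  // appended, so a proxy outage fails closed instead of bypassing inspection.
  return EXPLICIT_PROXY;
}

// ---- Test shims ----
// Browsers provide these PAC helpers natively. The minimal versions below exist
// only so the script can run outside a browser (for example under Node) and
// must be removed before the PAC file is served to clients.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) { return host.slice(-domain.length) === domain; }
function shExpMatch(str, pattern) {
  var re = "^" + pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*").replace(/\?/g, ".") + "$";
  return new RegExp(re).test(str);
}
function isInNet(ip, net, mask) {
  function toInt(s) {
    return s.split(".").reduce(function (acc, o) { return (acc << 8) + Number(o); }, 0) >>> 0;
  }
  return (toInt(ip) & toInt(mask)) === (toInt(net) & toInt(mask));
}
```

The one design choice worth calling out is the missing "; DIRECT" fallback on the last line: a PAC that falls back to DIRECT keeps users working when the proxy is down, but it also means any client that cannot reach the proxy silently leaves the inspection path, which is the opposite of what a proxy deployed for enforcement is for.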
You can push web proxy configurations to the following platforms:
- PA-1400
- PA-3400
- VM-Series (with a minimum of four vCPUs)