As a general rule, you cannot have any overlapping subnets within a Prisma Access deployment. That is, the subnets for all remote network locations, your service connections, and your Prisma Access for mobile users IP address pool cannot overlap. However, in some circumstances you cannot avoid having overlapping subnets. Prisma Access allows you to onboard remote network locations with overlapping subnets, as long as you select

Overlapped Subnets

check box in the remote network settings when you plan for remote networks. However, you can use overlapping subnets only in few use cases.

Prisma Access uses few enforcement policies for mobile user licenses. Though there is no strict policing of the mobile user count, the service does track the number of unique users over the last 30 days now, which was 90 days previously, to ensure that you have purchased the proper license tier for your user base, and stricter policing of user count may be enforced if continued overages occur. This change is applicable for all types of mobile user licenses.

Updates to your Security policy rules are often time-sensitive and require you to act quickly. However, you want to ensure that any update you make to your Security policy rulebase meets your requirements and does not introduce errors or misconfigurations (such as changes that result in duplicate or conflicting rules).

Policy Analyzer in

Strata Cloud Manager

enables you to optimize time and resources when implementing a change request. Policy Analyzer not only analyzes and provides suggestions for possible consolidation or removal of specific rules to meet your intent but also checks for anomalies, such as Shadows, Redundancies, Generalizations, Correlations, and Consolidations in your rulebase.

See Policy Analyzer to learn more.

Strata Cloud Manager leverages a set of predefined

Best Practice Checks

that align with industry-specific standard cybersecurity controls. These include CIS (Center for Internet Security) and NIST (National Institute of Standards and Technology) and custom checks you create based on the specific needs of your organization. These checks evaluate configurations, identifying deviations from best practices or compliance requirements.

For this release, building on the features we gave you in November, we have:

Added Strata Cloud Manager Support for real-time inline check exemptions.

Check exemptions let you exclude checks from being applied to your deployment. There may be special cases where you want to turn off certain checks for some areas of your deployment, or when there are reasons specific checks don't make sense for you. Instead of disabling those checks, you can now restrict where checks are applied in your deployment.

Consolidated, field-level, inline check information has been moved to an easily accessible pane on the right side of the screen.

Previously, check information was available in a banner where the checks applied and in the Best Practices tab.



Now, when checks are available for a feature, just click the ( ) icon to see check details.

Snippets are configuration objects, or groups of configuration objects, that can be associated with your folders, firewalls, and

Prisma Access

deployments onboarded to

Strata Cloud Manager

. They are use to standardize configurations, allowing you to push changes quickly to multiple areas simultaneously. Snippets can be used to manage common configurations centrally for consistent security enforcement across NGFW and Prisma Access deployments. Snippets are classified in two ways: Predefined and Custom. Predefined snippets are available to all Strata Cloud Manager users and can be used to quickly get your new firewalls and deployments up and running with best practice configurations. Customs snippets are any snippets created by administrators.

Preexisting snippets can now be cloned.

If you want to use an existing snippet as a template for a new snippet, you can easily clone it so you do not have to configure a completely new object.

Cloned snippets are not associated with any devices, folders, or deployments, allowing you to customize them freely without having to disassociate them before you begin.

If you use a Terminal Access Controller Access-Control System Plus (TACACS+) server for user authorization and authentication, you can now log accounting information to fully make use of the authentication, authorization, and accounting (AAA) framework that is the basis for TACACS+.

The TACACS+ Accounting feature allows you to use a TACACS+ server profile to record user behavior, such as when a user started using a specific service, the duration of use for the service, and when they stopped using the service. The TACACS+ Accounting feature helps to create logs and records of the initiation and termination of services, as well as any services in progress during the user’s session, that you can then use later if needed for auditing purposes.

When you configure and enable an Accounting server profile, the TACACS+ server provides information to the firewall about the initiation, duration, and termination of services by users. The firewall also generates a log when the TACACS+ server successfully provides the accounting records to the server that you configure in the profile. If the firewall is unable to successfully send the accounting records to any of the servers in the profile, the firewall generates a critical severity alert to the system logs.

By using your existing TACACS+ server, you can now configure it to provide even more information about the use of services by users on your network, giving you even more robust visibility into user activity on your network.

Today, post-quantum cryptography (PQC) algorithms and hybrid PQC algorithms (classical and PQC algorithms combined) are accessible through open-source libraries and integrated into web browsers and other technologies. Traffic encrypted by PQC or hybrid PQC algorithms cannot be decrypted yet, making these algorithms vulnerable to misuse. To address these concerns, Palo Alto Networks firewalls now detect, block, and log the use of PQC and hybrid PQC algorithms in TLSv1.3 sessions. Successful detection, blocking, and logging of PQC and hybrid PQC algorithms depends on your SSL Decryption policy rules.

If SSL traffic matches an SSL Forward Proxy or SSL Inbound Inspection Decryption policy rule, the firewall prevents negotiation with PQC, hybrid PQC, and other unsupported algorithms. Specifically, the firewall removes these algorithms from the ClientHello, forcing the client to negotiate with classical algorithms. (For a list of supported cipher suites, see PAN-OS 11.1 Decryption Cipher Suites.) This enables continuous decryption and threat identification through deep packet inspection. If the client strictly negotiates PQC or hybrid PQC algorithms, the firewall drops the session. In the Decryption log for the dropped session, the error message states that the "client only supports post-quantum algorithms.” To see details of successful or unsuccessful TLS handshakes in the Decryption logs, enable both options in your Decryption policy rules.

If SSL traffic matches a “no-decrypt” Decryption policy rule or doesn’t match any Decryption policy rules, the firewall allows negotiation with PQC or hybrid PQC algorithms. However, details of sessions that negotiate these algorithms are available in Decryption logs only when session traffic matches a "no-decrypt" Decryption policy rule.

Additionally, new threat signatures offer additional visibility into the use of PQC and hybrid PQC algorithms in your network. These signatures monitor ServerHello responses and trigger alerts for SSL sessions that successfully negotiate with the most commonly known PQC and hybrid PQC algorithms. A Threat Prevention license is required to receive alerts.

You can now use GlobalProtect with cloud-managed NGFWs to secure your mobile workforce. Enable your cloud-managed NGFWs as GlobalProtect gateways and portals, in order to provide flexible, secure remote access to users everywhere.

Whether checking email from home or updating corporate documents from an airport, the majority of today's employees work outside the physical corporate boundaries. This workforce mobility increases productivity and flexibility while simultaneously introducing significant security risks. Every time users leave the building with their laptops or smart phones, they are bypassing the corporate firewall and associated policies that are designed to protect both the user and the network. GlobalProtect ™ solves the security challenges introduced by roaming users by extending the network security policy that you're enforcing within the physical perimeter to all users, no matter where they are located.

You can centrally manage the certificates you use to secure communication across your network.

You can now export the private key from

Strata Cloud Manager

for a self-signed certificate. However, the export of private keys for an externally signed certificate is restricted. The supported export formats are as follows:

Prisma Access Cloud Management can now be deployed in the India region.

The Strata Cloud Manager user session inactivity timeout occurs after 30 minutes of inactivity. Five minutes prior to the timeout, you get a notification that the session is about to time out unless you press a key or move your cursor. If you don't do anything, the notification will count down the time until approximately five seconds remain.

If you still don't press a key or move your cursor, you'll lose any unsaved work and you'll need to log in again. The inactivity timeout applies to all tenants managed in the Strata Cloud Manager.

Health alerts actively monitor the health and performance of your platform in real-time. This approach helps in identifying issues, predicting potential problems, and implementing remediation actions to ensure your devices function optimally. Here are some key aspects: