New Features in February 2024

Here are the latest new features introduced in Strata Cloud Manager in February 2024. This list includes feature highlights for the products supported with Strata Cloud Manager; for the full list of new features for a product you use with Strata Cloud Manager, see that product's release notes.

AIOps for NGFW: Delayed Telemetry Alert

February 23, 2024
Introducing the Delayed Telemetry alert, which is raised when Strata Cloud Manager detects a problem receiving or processing telemetry from a device. If telemetry is missing for 6 hours, Strata Cloud Manager raises a medium severity alert; if the gap persists for more than 72 hours, it elevates the alert to critical severity.
When telemetry processing resumes, Strata Cloud Manager automatically closes the delayed telemetry alert. If you remove a device, Strata Cloud Manager deletes all of the device's data, including its delayed telemetry alerts. Strata Cloud Manager also displays an orange or red hourglass icon next to the hostname of an affected device, giving you a quick visual cue for devices with potential telemetry issues. Keep in mind that a device that has gone quiet is also a blind spot for every other health alert, so treat this alert as a reason to confirm the device and its connectivity, not only the telemetry pipeline.
Supported on AIOps for NGFW Free and Strata Cloud Manager with AIOps for NGFW Premium license.
Health alerts actively monitor the health and performance of your platform in real-time. This approach helps in identifying issues, predicting potential problems, and implementing remediation actions to ensure your devices function optimally. Here are some key aspects:
  • Monitoring Metrics: Continuously monitor various metrics from the NGFWs, including CPU utilization, memory usage, disk space, network throughput, and other relevant performance indicators.
  • Anomaly Detection: Generate alerts that dynamically adjust based on the metric's historical value and your usage trends.
  • Predictive Analysis: Predict when a metric will exceed a threshold or when specific events will occur by analyzing historical data and patterns. This helps forecast potential issues before they escalate.

Prisma Access: Remote Network Locations with Overlapping Subnets

February 16, 2024
Supported on Strata Cloud Manager for: Prisma Access (Cloud Management)
As a general rule, you cannot have overlapping subnets within a Prisma Access deployment: the subnets for all remote network locations, your service connections, and the IP address pool for Prisma Access mobile users cannot overlap. In some circumstances, however, you cannot avoid overlapping subnets. Prisma Access lets you onboard remote network locations with overlapping subnets as long as you select the Overlapped Subnets check box in the remote network settings when you plan for remote networks. Overlapping subnets are supported only in a few use cases.

Prisma Access: License Enforcement for Mobile Users (Enhancements)

February 16, 2024
Supported on Strata Cloud Manager for: Prisma Access (Cloud Management)
Prisma Access applies a few enforcement policies to mobile user licenses. There is no strict policing of the mobile user count, but the service now tracks the number of unique users over the last 30 days (previously 90 days) to ensure that you have purchased the proper license tier for your user base; stricter policing of the user count may be enforced if overages continue. This change applies to all types of mobile user licenses.

Prisma Access: Policy Analyzer for Panorama Managed Deployments

February 16, 2024
Supported on Strata Cloud Manager for:
Updates to your Security policy rules are often time-sensitive and require you to act quickly. At the same time, you want to ensure that any update to your Security policy rulebase meets your requirements and does not introduce errors or misconfigurations, such as changes that result in duplicate or conflicting rules.
Policy Analyzer in Strata Cloud Manager helps you save time and resources when implementing a change request. It analyzes the rulebase and suggests rules that can be consolidated or removed to meet your intent, and it checks for anomalies in your rulebase: Shadows, Redundancies, Generalizations, Correlations, and Consolidations.
See Policy Analyzer to learn more.
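To make those anomaly classes concrete, here is an added example in Python. It is written for this page, is not Palo Alto Networks code, and does not reproduce the exact definitions Policy Analyzer uses; it classifies each pair of rules in a small constructed rulebase under a first-match-wins evaluation. Rules are reduced to source addresses, destination addresses, App-IDs and action (zones, users, services and schedules are left out), and every rule name and prefix is invented.

```python
"""Added example (not Palo Alto Networks code): the anomaly classes Policy Analyzer
reports, checked over a constructed rulebase. Rules are simplified to source,
destination, application and action; zones, users, services and schedules are ignored."""
from dataclasses import dataclass
from ipaddress import ip_network

ANY = frozenset({"any"})


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset   # IP networks, or ANY
    dst: frozenset   # IP networks, or ANY
    apps: frozenset  # App-ID names, or ANY
    action: str      # "allow" or "deny"


def rule(name, src, dst, apps, action):
    """Build a Rule from comma-separated spec strings; "any" means unrestricted."""
    addrs = lambda s: ANY if s == "any" else frozenset(ip_network(a) for a in s.split(","))
    names = lambda s: ANY if s == "any" else frozenset(s.split(","))
    return Rule(name, addrs(src), addrs(dst), names(apps), action)


def addr_covers(a, b):
    """Every network in b lies inside some network in a."""
    if a == ANY:
        return True
    if b == ANY:
        return False
    return all(any(bn.version == an.version and bn.subnet_of(an) for an in a) for bn in b)


def addr_overlaps(a, b):
    if a == ANY or b == ANY:
        return True
    return any(an.version == bn.version and an.overlaps(bn) for an in a for bn in b)


def set_covers(a, b):
    return a == ANY or (b != ANY and b <= a)


def set_overlaps(a, b):
    return a == ANY or b == ANY or bool(a & b)


def covers(a, b):
    """Rule a matches every packet rule b would match."""
    return addr_covers(a.src, b.src) and addr_covers(a.dst, b.dst) and set_covers(a.apps, b.apps)


def overlaps(a, b):
    return addr_overlaps(a.src, b.src) and addr_overlaps(a.dst, b.dst) and set_overlaps(a.apps, b.apps)


def differs_in_one_field(a, b):
    return sum(x != y for x, y in ((a.src, b.src), (a.dst, b.dst), (a.apps, b.apps))) == 1


def analyze(rules):
    """Compare each rule with every earlier rule (first match wins, as in a PAN-OS rulebase).
    Returns (kind, earlier_rule_name, later_rule_name) tuples."""
    findings = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            same_action = earlier.action == later.action
            if covers(earlier, later):
                # later can never be hit: harmless if the action is the same, a misconfiguration if not
                findings.append(("redundancy" if same_action else "shadow", earlier.name, later.name))
            elif covers(later, earlier) and not same_action:
                # a specific exception followed by a broader rule: usually intended, worth confirming
                findings.append(("generalization", earlier.name, later.name))
            elif overlaps(earlier, later) and not same_action:
                # partial overlap with opposite actions: rule order decides the shared traffic
                findings.append(("correlation", earlier.name, later.name))
            elif same_action and differs_in_one_field(earlier, later):
                findings.append(("consolidation", earlier.name, later.name))
    return findings


# Constructed rulebase; every name and prefix is invented for the example.
SAMPLE_RULES = [
    rule("allow-web-from-lan", "10.0.0.0/8", "any", "web-browsing,ssl", "allow"),
    rule("block-sales-web", "10.1.0.0/16", "any", "web-browsing", "deny"),         # shadowed by the rule above
    rule("allow-ssh-admin", "10.9.9.0/24", "10.0.0.0/8", "ssh", "allow"),
    rule("deny-all-ssh", "any", "any", "ssh", "deny"),                             # generalization of allow-ssh-admin
    rule("allow-web-from-lan-dup", "10.0.0.0/8", "any", "web-browsing", "allow"),  # redundant with the first rule
    rule("allow-dns-a", "10.0.0.0/8", "10.0.0.53/32", "dns", "allow"),
    rule("allow-dns-b", "10.0.0.0/8", "10.0.0.54/32", "dns", "allow"),             # consolidation candidate with allow-dns-a
    rule("deny-guest-dc", "192.168.0.0/16,10.2.0.0/16", "10.0.0.0/16", "any", "deny"),  # correlates with the allow rules
]

if __name__ == "__main__":
    for kind, earlier, later in analyze(SAMPLE_RULES):
        print(f"{kind:14} {earlier} -> {later}")
```

Running the script prints one line per finding. The pair ordering matters: a shadow is only a problem because the covering rule comes first, and a generalization is only acceptable because the narrower exception comes first, which is why the checker walks the rulebase top to bottom rather than comparing unordered pairs.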

Cloud Management for NGFWs: UI Update for Security Checks

February 16, 2024
Supported on Strata Cloud Manager for:
  • Prisma Access (Managed by Strata Cloud Manager)
  • NGFW (Managed by Strata Cloud Manager)
Strata Cloud Manager uses a set of predefined Best Practice Checks that align with industry-standard cybersecurity controls, including those from CIS (Center for Internet Security) and NIST (National Institute of Standards and Technology), plus custom checks you create for the specific needs of your organization. These checks evaluate configurations and identify deviations from best practices or compliance requirements.
For this release, building on the features introduced in November, we have:
  • Added Strata Cloud Manager support for real-time inline check exemptions.
    Check exemptions let you exclude a check from part of your deployment. There may be special cases where you want to turn off certain checks for some areas of your deployment, or where a specific check doesn't make sense for you. Instead of disabling those checks everywhere, you can now restrict where they apply, which keeps the check in force for the rest of your deployment.
  • Moved consolidated, field-level, inline check information to an easily accessible pane on the right side of the screen.
    Previously, check information was shown in a banner where the checks applied and in the Best Practices tab.
    Now, when checks are available for a feature, click the icon next to the feature to see the check details.

Cloud Management for NGFWs: Clone a Snippet

February 16, 2024
Supported on Strata Cloud Manager for:
  • Prisma Access (Managed by Strata Cloud Manager)
  • NGFW (Managed by Strata Cloud Manager)
Snippets are configuration objects, or groups of configuration objects, that can be associated with the folders, firewalls, and Prisma Access deployments onboarded to Strata Cloud Manager. They are used to standardize configurations, letting you push changes quickly to multiple areas simultaneously, and to manage common configurations centrally for consistent security enforcement across NGFW and Prisma Access deployments. Snippets are classified in two ways: predefined and custom. Predefined snippets are available to all Strata Cloud Manager users and can be used to quickly get new firewalls and deployments up and running with best practice configurations. Custom snippets are any snippets created by administrators.
Preexisting snippets can now be cloned.
If you want to use an existing snippet as a template for a new snippet, you can easily clone it so you do not have to configure a completely new object.
Cloned snippets are not associated with any devices, folders, or deployments, allowing you to customize them freely without having to disassociate them before you begin.

Cloud Management for NGFWs: TACACS+ Accounting

February 16, 2024
Supported on Strata Cloud Manager for:
  • NGFW (Managed by PAN-OS or Panorama)
  • NGFW (Managed by Strata Cloud Manager)
If you use a Terminal Access Controller Access-Control System Plus (TACACS+) server for user authentication and authorization, you can now log accounting information as well, making full use of the authentication, authorization, and accounting (AAA) framework on which TACACS+ is based.
The TACACS+ Accounting feature lets you use a TACACS+ server profile to record user activity, such as when a user started using a specific service, how long they used it, and when they stopped. The records cover the initiation and termination of services, as well as services in progress during the user's session, and can be kept for later auditing.
When you configure and enable an Accounting server profile, the firewall sends accounting records describing the initiation, duration, and termination of services by users to the TACACS+ servers in the profile. The firewall generates a system log when it successfully delivers the accounting records to a server configured in the profile; if it cannot deliver the records to any of the servers in the profile, it generates a critical severity system log.
By configuring your existing TACACS+ server for accounting, you gain more detailed visibility into how users use services on your network.
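The records described above are TACACS+ accounting REQUEST packets answered by accounting REPLY packets. As an added example, not PAN-OS code, the following Python builds a START record the way a TACACS+ client does, applies the RFC 8907 body obfuscation, and parses the request and reply on the other side. The constants are the RFC values; the user, port, remote address, shared key and session ID are constructed for the demo. The main point a practitioner should take from it is in the comments: the body is obfuscated with an MD5 pseudo-pad derived from a static key, not encrypted, and there is no integrity check.

```python
"""Added example, not PAN-OS code: a TACACS+ (RFC 8907) accounting START request and
the server's reply, including the MD5 pseudo-pad body obfuscation. Constants are the
RFC values; the user, port, address, key and session ID are constructed for the demo."""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_ACCT = 0x03               # packet type: accounting
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in the clear
ACCT_FLAG_START, ACCT_FLAG_STOP, ACCT_FLAG_WATCHDOG = 0x02, 0x04, 0x08
ACCT_STATUS_SUCCESS, ACCT_STATUS_ERROR = 0x01, 0x02
HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id, key, seq_no, length):
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1); pad = MD5_1 || MD5_2 || ..."""
    prefix = struct.pack("!I", session_id) + key + bytes([TAC_PLUS_VERSION, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, seq_no):
    """XOR with the pad; calling it again with the same parameters recovers the body.
    This is obfuscation, not encryption: there is no integrity check, and the pad depends
    only on the static shared key and header values that travel in the clear."""
    pad = pseudo_pad(session_id, key, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_acct_request(flags, user, port, rem_addr, args, session_id, key, seq_no=1):
    """Accounting REQUEST (section 7.1). Fixed fields: authen_method TACACSPLUS (0x06),
    priv_lvl 15, authen_type ASCII (0x01), authen_service LOGIN (0x01)."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_bs = [a.encode() for a in args]
    body = bytes([flags, 0x06, 15, 0x01, 0x01, len(user_b), len(port_b), len(rem_b), len(arg_bs)])
    body += bytes(len(a) for a in arg_bs) + user_b + port_b + rem_b + b"".join(arg_bs)
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_ACCT, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no)


def parse_acct_request(packet, key):
    """Server side: de-obfuscate and split the request. A wrong key produces field lengths
    that do not add up, which is the only clue the protocol gives; there is no MAC."""
    version, ptype, seq_no, hflags, session_id, length = HEADER.unpack_from(packet)
    if version != TAC_PLUS_VERSION or ptype != TAC_PLUS_ACCT:
        raise ValueError("not a TACACS+ v12.0 accounting packet")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not hflags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, seq_no)
    flags, _method, priv_lvl, _atype, _asvc, ulen, plen, rlen, argc = body[:9]
    arg_lens = list(body[9:9 + argc])
    if len(arg_lens) != argc or 9 + argc + ulen + plen + rlen + sum(arg_lens) != length:
        raise ValueError("field lengths do not add up (wrong key or corrupt body)")
    fields, pos = [], 9 + argc
    for n in (ulen, plen, rlen, *arg_lens):
        fields.append(body[pos:pos + n].decode("utf-8", errors="replace"))
        pos += n
    user, port, rem_addr, *args = fields
    return {"session_id": session_id, "seq_no": seq_no, "flags": flags, "priv_lvl": priv_lvl,
            "user": user, "port": port, "rem_addr": rem_addr, "args": args}


def build_acct_reply(request, key, status, server_msg=""):
    """Accounting REPLY (section 7.2): server_msg_len, data_len, status, server_msg, data.
    The reply reuses the request's session_id and uses seq_no + 1."""
    _, _, seq_no, _, session_id, _ = HEADER.unpack_from(request)
    msg = server_msg.encode()
    body = struct.pack("!HHB", len(msg), 0, status) + msg
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_ACCT, seq_no + 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, seq_no + 1)


def parse_acct_reply(packet, key):
    """Client side: returns (status, server_msg). Anything but SUCCESS means the record was
    not stored; the client should try the next server and raise its own alert."""
    _, _, seq_no, hflags, session_id, length = HEADER.unpack_from(packet)
    body = packet[HEADER.size:HEADER.size + length]
    if not hflags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, seq_no)
    msg_len, _data_len, status = struct.unpack_from("!HHB", body)
    return status, body[5:5 + msg_len].decode("utf-8", errors="replace")


if __name__ == "__main__":
    key = b"example-shared-secret"                       # constructed
    req = build_acct_request(ACCT_FLAG_START, "netops", "tty0", "203.0.113.7",
                             ["task_id=42", "service=shell", "cmd=configure"], 0x1A2B3C4D, key)
    print(parse_acct_request(req, key))
    print(parse_acct_reply(build_acct_reply(req, key, ACCT_STATUS_SUCCESS, "ok"), key))
```

Because the body obfuscation offers no confidentiality against anyone who knows or guesses the shared key and no integrity at all, keep the path between the firewall and the TACACS+ servers on a management network you control, and treat the firewall's critical system log for undeliverable records as a gap in your audit trail rather than a transient error.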

Traceability and Control of Post-Quantum Cryptography in Decryption

February 16, 2024
Supported on Strata Cloud Manager for:
PAN-OS 11.1 is required. This feature was first introduced in PAN-OS 11.1 for NGFW (Managed by PAN-OS or Panorama).
Today, post-quantum cryptography (PQC) algorithms and hybrid PQC algorithms (classical and PQC algorithms combined) are available in open-source libraries and integrated into web browsers and other technologies. The firewall cannot yet decrypt sessions that negotiate PQC or hybrid PQC key exchange, so an attacker could use these algorithms to evade decryption and inspection. To address this, Palo Alto Networks firewalls now detect, block, and log the use of PQC and hybrid PQC algorithms in TLSv1.3 sessions. Whether a given session is detected, blocked, and logged depends on your SSL Decryption policy rules.
If SSL traffic matches an SSL Forward Proxy or SSL Inbound Inspection Decryption policy rule, the firewall prevents negotiation of PQC, hybrid PQC, and other unsupported algorithms: it removes these algorithms from the ClientHello, forcing the client to negotiate a classical algorithm. (For the list of supported cipher suites, see PAN-OS 11.1 Decryption Cipher Suites.) This keeps the session decryptable, so deep packet inspection and threat identification continue. If the client offers only PQC or hybrid PQC algorithms, the firewall drops the session, and the Decryption log for the dropped session carries the error message "client only supports post-quantum algorithms". To see details of successful and unsuccessful TLS handshakes in the Decryption logs, enable both the successful and the unsuccessful TLS handshake logging options in your Decryption policy rules.
If SSL traffic matches a "no-decrypt" Decryption policy rule or doesn't match any Decryption policy rule, the firewall allows negotiation of PQC or hybrid PQC algorithms. Details of sessions that negotiate these algorithms appear in the Decryption logs only when the traffic matches a "no-decrypt" rule; traffic that matches no Decryption rule at all is not recorded there.
Additionally, new threat signatures provide visibility into the use of PQC and hybrid PQC algorithms on your network. These signatures inspect ServerHello responses and trigger alerts for SSL sessions that successfully negotiate the most commonly known PQC and hybrid PQC algorithms. A Threat Prevention license is required to receive these alerts.
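The ClientHello rewrite and the "client only supports post-quantum algorithms" failure described above are easiest to understand on real bytes. The following Python is an added example written for this page, not PAN-OS code, and it does not claim to match the firewall's exact logic or its list of unsupported algorithms, which this page does not give. It builds a TLS 1.3 ClientHello that offers hybrid groups, strips those groups from the supported_groups and key_share extensions the way a decrypting forward proxy must, raises when nothing classical would remain, and reads the group a ServerHello selected, which is what the ServerHello-based threat signatures look at. The PQC group codepoints (0x6399 X25519Kyber768Draft00, 0x11EC X25519MLKEM768, 0x11EB SecP256r1MLKEM768) are assumptions taken from the IETF drafts of the time; confirm them against the IANA TLS Supported Groups registry before relying on them. All handshake bytes are constructed (zero randoms, one cipher suite, placeholder key shares).

```python
"""Added example, not PAN-OS code: how a decrypting forward proxy can rewrite a TLS 1.3
ClientHello that offers post-quantum or hybrid key exchange, and how the PQ-only case
fails. The PQC group codepoints are assumptions taken from the IETF drafts of the time."""
import struct

SUPPORTED_GROUPS, SUPPORTED_VERSIONS, KEY_SHARE = 10, 43, 51
X25519, SECP256R1 = 0x001D, 0x0017
PQC_GROUPS = {0x6399: "X25519Kyber768Draft00",     # assumed draft codepoints
              0x11EC: "X25519MLKEM768",
              0x11EB: "SecP256r1MLKEM768"}

class ClientOnlyPostQuantum(Exception):
    """No classical group would remain, so the proxy cannot complete the handshake."""

def _ext(etype, data):
    return struct.pack("!HH", etype, len(data)) + data

def _wrap(msg_type, body):
    """Handshake header plus TLS record header (content type 0x16, legacy version 0x0303)."""
    hs = bytes([msg_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs

def build_client_hello(groups, key_shares):
    """Constructed ClientHello: zero random, one cipher suite, three extensions."""
    sg = b"".join(struct.pack("!H", g) for g in groups)
    ks = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in key_shares.items())
    ext = (_ext(SUPPORTED_VERSIONS, b"\x02\x03\x04")
           + _ext(SUPPORTED_GROUPS, struct.pack("!H", len(sg)) + sg)
           + _ext(KEY_SHARE, struct.pack("!H", len(ks)) + ks))
    body = (b"\x03\x03" + bytes(32) + b"\x00"          # legacy_version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"        # TLS_AES_128_GCM_SHA256; null compression
            + struct.pack("!H", len(ext)) + ext)
    return _wrap(1, body)

def build_server_hello(group, key_exchange):
    """Constructed ServerHello whose key_share names the group the server selected."""
    ext = (_ext(SUPPORTED_VERSIONS, b"\x03\x04")
           + _ext(KEY_SHARE, struct.pack("!HH", group, len(key_exchange)) + key_exchange))
    body = b"\x03\x03" + bytes(32) + b"\x00\x13\x01\x00" + struct.pack("!H", len(ext)) + ext
    return _wrap(2, body)

def parse_hello(record):
    """Split a ClientHello (type 1) or ServerHello (type 2) into its fixed prefix and extensions."""
    if record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack_from("!H", record, 3)[0]]
    msg_type, body = hs[0], hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 2 + 32                                          # legacy_version + random
    pos += 1 + body[pos]                                  # session_id
    if msg_type == 1:
        pos += 2 + struct.unpack_from("!H", body, pos)[0]  # cipher_suites vector
        pos += 1 + body[pos]                              # compression_methods vector
    else:
        pos += 2 + 1                                      # one cipher_suite, one compression byte
    prefix, ext_len = body[:pos], struct.unpack_from("!H", body, pos)[0]
    pos, end, exts = pos + 2, pos + 2 + ext_len, []
    while pos < end:
        etype, elen = struct.unpack_from("!HH", body, pos)
        exts.append((etype, body[pos + 4:pos + 4 + elen]))
        pos += 4 + elen
    return {"msg_type": msg_type, "prefix": prefix, "extensions": exts}

def _shares(data):
    """Yield (group, key_exchange) from a ClientHello key_share extension body."""
    pos, end = 2, 2 + struct.unpack_from("!H", data)[0]
    while pos < end:
        g, klen = struct.unpack_from("!HH", data, pos)
        yield g, data[pos + 4:pos + 4 + klen]
        pos += 4 + klen

def groups_offered(client_hello):
    for etype, data in parse_hello(client_hello)["extensions"]:
        if etype == SUPPORTED_GROUPS:
            n = struct.unpack_from("!H", data)[0] // 2
            return list(struct.unpack("!%dH" % n, data[2:2 + 2 * n]))
    return []

def key_share_groups(client_hello):
    for etype, data in parse_hello(client_hello)["extensions"]:
        if etype == KEY_SHARE:
            return [g for g, _ in _shares(data)]
    return []

def strip_pqc_groups(client_hello):
    """Proxy-side rewrite: drop PQC/hybrid entries from supported_groups and key_share so the
    client and proxy settle on a classical group. Returns (rewritten record, removed names)."""
    ch = parse_hello(client_hello)
    removed, exts = [], []
    for etype, data in ch["extensions"]:
        if etype == SUPPORTED_GROUPS:
            n = struct.unpack_from("!H", data)[0] // 2
            groups = struct.unpack("!%dH" % n, data[2:2 + 2 * n])
            removed += [PQC_GROUPS[g] for g in groups if g in PQC_GROUPS]
            keep = [g for g in groups if g not in PQC_GROUPS]
            if not keep:
                raise ClientOnlyPostQuantum("client only supports post-quantum algorithms")
            data = struct.pack("!H%dH" % len(keep), 2 * len(keep), *keep)
        elif etype == KEY_SHARE:
            kept = b"".join(struct.pack("!HH", g, len(k)) + k for g, k in _shares(data) if g not in PQC_GROUPS)
            data = struct.pack("!H", len(kept)) + kept   # may be empty: the server then sends HelloRetryRequest
        exts.append(_ext(etype, data))
    ext = b"".join(exts)
    return _wrap(1, ch["prefix"] + struct.pack("!H", len(ext)) + ext), removed

def negotiated_group(server_hello):
    """The group chosen in the ServerHello key_share; a PQC/hybrid value here is what
    ServerHello-based detection alerts on."""
    for etype, data in parse_hello(server_hello)["extensions"]:
        if etype == KEY_SHARE:
            return struct.unpack_from("!H", data)[0]
    raise ValueError("ServerHello has no key_share")
```

Two details matter in practice. First, the proxy can rewrite the ClientHello only because it terminates the client's TLS session itself and opens a separate one upstream; the rewritten message is what the proxy sends, not a modified copy of the client's bytes on an end-to-end connection. Second, stripping only supported_groups while leaving a hybrid key_share in place is a bug: the key_share must list a subset of the offered groups, so both extensions have to be filtered together.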

Cloud Management of NGFWs: GlobalProtect Portal and Gateway

February 16, 2024
Supported on Strata Cloud Manager for:
  • NGFW (Managed by PAN-OS or Panorama)
  • NGFW (Managed by Strata Cloud Manager)
  • GlobalProtect app
You can now use GlobalProtect with cloud-managed NGFWs to secure your mobile workforce. Enable your cloud-managed NGFWs as GlobalProtect gateways and portals to provide flexible, secure remote access to users everywhere.
Whether checking email from home or updating corporate documents from an airport, most of today's employees work outside the physical corporate boundary. This workforce mobility increases productivity and flexibility while introducing significant security risks: every time users leave the building with their laptops or smartphones, they bypass the corporate firewall and the policies designed to protect both the user and the network. GlobalProtect solves the security challenges introduced by roaming users by extending the network security policy you enforce within the physical perimeter to all users, no matter where they are located.

Strata Cloud Manager: Private Key Export in Certificate Management

February 16, 2024
Supported on Strata Cloud Manager for:
  • Prisma Access (Managed by Strata Cloud Manager) and Prisma Access (Managed by Panorama)
  • NGFW (Managed by PAN-OS or Panorama)
You can centrally manage the certificates you use to secure communication across your network.
You can now export the private key of a self-signed certificate from Strata Cloud Manager. Export of the private key for an externally signed certificate remains restricted. The supported export formats are as follows:
  • Base64 Encoded Certificate (PEM)—The default format, and the most common and most broadly supported. Select Export Private Key if you want the exported file to include the private key.
  • Encrypted Private Key and Certificate (PKCS12)—Bundles the certificate and its private key in one encrypted file. It's more secure than PEM but isn't as common or as broadly supported. The exported file always includes the private key.
  • Binary Encoded Certificate (DER)—Supported by more operating system types than the other formats. You can't export the private key in this format.

Strata Cloud Manager: New Prisma Access Cloud Management Location

February 16, 2024
Supported on Strata Cloud Manager for:
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
Prisma Access Cloud Management can now be deployed in the India region.

User Session Inactivity Timeout

February 15, 2024
Supported on Strata Cloud Manager
The Strata Cloud Manager user session inactivity timeout occurs after 30 minutes of inactivity. Five minutes prior to the timeout, you get a notification that the session is about to time out unless you press a key or move your cursor. If you don't do anything, the notification will count down the time until approximately five seconds remain.
If you still don't press a key or move your cursor, you'll lose any unsaved work and you'll need to log in again. The inactivity timeout applies to all tenants managed in the Strata Cloud Manager.

AIOps for NGFW: Logging Drive Failure Alert

February 6, 2024
Introducing the Logging Drive Failure alert, which detects a failure of the logging drive by monitoring the firewall's disk status. A logging drive failure can result in log data loss, impair logging and monitoring, and trigger a failover in a high availability (HA) pair.
Supported on AIOps for NGFW Free and Strata Cloud Manager with AIOps for NGFW Premium license.