Strata Cloud Manager
New Features in February 2026
Here are the new features we've added to Strata Cloud Manager in February 2026.
New Strata Cloud Manager Management Features (February 2026)
See the new configuration management features we've added to Strata Cloud Manager in
February 2026.
Here are the new configuration management features we've added to Strata Cloud
Manager in February 2026. We use a scheduled upgrade to deliver these features to you,
and they are supported with the Strata Cloud Manager 2026.R1.0 release version. Check
your Strata Cloud Manager in-product notifications for updates on the release upgrade
schedule. You can verify which Strata Cloud Manager release version you're running by
navigating to your configuration overview and checking the Cloud Management Version.
Compare Migration Changes with Enhanced Configuration Diff
Feb 6, 2026
Please contact your account team to enable the feature.
Identifying and understanding configuration discrepancies during a firewall
migration is difficult when you view raw XML differences without context. The new
configuration diff feature for Panorama®
migration to Strata™ Cloud Manager provides categorized and searchable
comparisons during your migration workflow. When you migrate your configurations to
Strata Cloud Manager, you can view differences organized into meaningful categories
rather than raw data. This feature tracks three types of changes:
- Unsupported objects: Identifies objects that Strata Cloud Manager does not support, showing parity gaps with Panorama features.
- Modified or deleted objects: Shows changes between the pushed and running configurations.
- Name changes: Tracks objects whose names changed during the migration process.
By listing the object names and types for each difference, this feature
helps you understand the impact of configuration changes without needing technical
knowledge of complex XML structures.
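The categorization described above, as an added example (not Palo Alto Networks code): two constructed XML fragments stand in for the pushed and running configurations, and the differences are bucketed into unsupported objects, modified or deleted objects, and name changes, listing object type and name for each. The XML layout and the UNSUPPORTED_TYPES set are assumptions for illustration.

```python
"""Categorize migration differences between a pushed and a running configuration.

Added example (not Palo Alto Networks code): it buckets the differences
between two constructed XML fragments into the three categories the feature
describes, listing object type and name for each. The XML layout and the
UNSUPPORTED_TYPES set are assumptions for illustration.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the configuration that was pushed from Panorama.
PUSHED_XML = """
<config>
  <address>
    <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
    <entry name="db-srv"><ip-netmask>10.1.1.20/32</ip-netmask></entry>
    <entry name="old-srv"><ip-netmask>10.1.1.30/32</ip-netmask></entry>
  </address>
  <service>
    <entry name="legacy-svc"><protocol>tcp</protocol><port>8443</port></entry>
  </service>
</config>
"""

# Constructed sample: the configuration running after migration.
RUNNING_XML = """
<config>
  <address>
    <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
    <entry name="db-srv"><ip-netmask>10.1.1.21/32</ip-netmask></entry>
    <entry name="old-srv-1"><ip-netmask>10.1.1.30/32</ip-netmask></entry>
  </address>
</config>
"""

# Assumed placeholder: object types the target does not support.
UNSUPPORTED_TYPES = {"service"}


def canonical_body(entry):
    """Serialize an <entry>'s children so identical objects compare equal regardless of name."""
    return "".join(ET.tostring(child, encoding="unicode").strip() for child in entry)


def index_objects(xml_text):
    """Return {(object_type, name): body} for every <entry> in every section under <config>."""
    objects = {}
    for section in ET.fromstring(xml_text):
        for entry in section.findall("entry"):
            objects[(section.tag, entry.get("name"))] = canonical_body(entry)
    return objects


def categorize(pushed, running):
    """Bucket differences into unsupported, modified/deleted and renamed objects."""
    result = {"unsupported": [], "modified_or_deleted": [], "renamed": []}
    # Reverse index of the running config so renames (same body, new name) can be detected.
    running_by_body = {}
    for (otype, name), body in running.items():
        running_by_body.setdefault((otype, body), []).append(name)

    for (otype, name), body in pushed.items():
        if otype in UNSUPPORTED_TYPES:
            result["unsupported"].append((otype, name))
        elif (otype, name) in running:
            if running[(otype, name)] != body:
                result["modified_or_deleted"].append((otype, name, "modified"))
        else:
            candidates = [n for n in running_by_body.get((otype, body), [])
                          if (otype, n) not in pushed]
            if candidates:
                result["renamed"].append((otype, name, candidates[0]))
            else:
                result["modified_or_deleted"].append((otype, name, "deleted"))
    return result


def migration_diff():
    """Run the categorizer over the constructed samples."""
    return categorize(index_objects(PUSHED_XML), index_objects(RUNNING_XML))


if __name__ == "__main__":
    for category, items in migration_diff().items():
        print(category)
        for item in items:
            print("  ", *item)
```

The rename detection relies on the object body being byte-identical under a new name; an object that was both renamed and edited shows up as a deletion plus an unexplained addition, which is the case a reviewer then has to look at by hand.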
Auto Snippet Association
Feb 6, 2026
Please contact your account team to enable the feature.
Migrating complex Panorama® configurations to Strata Cloud Manager often
involves time-consuming manual effort to map templates and folders. The auto snippet
association feature solves this challenge by automatically generating and
associating configuration snippets with folders during the migration process. When
you migrate from Panorama to Strata Cloud
Manager, the feature transforms device groups into folders and converts
templates into snippets, eliminating the need for manual validation.
You benefit from this feature particularly when managing large-scale
deployments where templates are referenced across multiple device groups or where
template stacks contain overlapping configurations. By automating these
associations, you significantly reduce migration time and minimize configuration
errors. This ensures your migrated configuration maintains the same operational
behavior as your original Panorama setup while being optimized for the folder-based
management model in Strata Cloud Manager.
Per-Admin Configuration Push and Revert
Feb 6, 2026
Please contact your account team to enable the feature.
In shared environments, concurrent configuration changes by multiple administrators
can lead to conflicts where a single error traditionally requires reverting all
uncommitted changes. Strata Cloud Manager addresses this challenge by moving beyond
the traditional all-or-nothing commit model to offer precise control in
multi-administrator environments.
You can now selectively revert uncommitted changes made by specific administrators
within defined scopes, such as designated containers (cloud or on-premises) and
snippets. This feature allows you to revert specific uncommitted changes from the
candidate configuration while preserving other administrators' work. In addition to
reverting changes, you can perform partial configuration pushes to deploy only the
changes within your selected scope to designated devices.
To ensure deployment accuracy, you can preview changes before you revert or push
them. The system provides detailed information about dependencies that might prevent
the operation, allowing you to resolve issues before deployment.
You cannot use selective push or revert, and must perform an all-admin push, in the
following scenarios:
- Configuration load operations.
- Changes in container hierarchy, such as snippet association or disassociation.
- Internal commits triggered by tenant upgrades.
- When the number of uncommitted changes exceeds 500.
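The preview step described above, as an added example (not Palo Alto Networks code): a candidate configuration is modelled as uncommitted changes tagged with the admin and scope that made them, a selective revert is previewed for one admin in one scope, dependencies from other admins' uncommitted work are reported as blockers, and the 500-change limit forces the all-admin path. The Change fields and the sample changes are constructed for illustration.

```python
"""Preview a per-admin selective revert of uncommitted changes.

Added example (not Palo Alto Networks code): it models a candidate
configuration as a list of uncommitted changes tagged with the admin and
scope that made them, then previews a selective revert the way the feature
describes, reporting dependencies that would block it and falling back to
an all-admin operation above the 500-change limit. The Change fields and
the sample changes are constructed for illustration.
"""
from dataclasses import dataclass

MAX_SELECTIVE_CHANGES = 500  # above this count only an all-admin push/revert is available


@dataclass(frozen=True)
class Change:
    admin: str
    scope: str        # container or snippet, e.g. "folder:branch" or "snippet:base"
    obj_type: str
    name: str
    action: str       # "add", "modify" or "delete"
    refs: tuple = ()  # names of other objects this object references


def preview_revert(changes, admin, scope):
    """Return (selected, blockers): the changes that would be reverted and why it may fail."""
    if len(changes) > MAX_SELECTIVE_CHANGES:
        return [], [f"{len(changes)} uncommitted changes exceed {MAX_SELECTIVE_CHANGES}; "
                    "selective revert unavailable, use all-admin revert"]
    selected = [c for c in changes if c.admin == admin and c.scope == scope]
    others = [c for c in changes if c not in selected]
    blockers = []
    for change in selected:
        if change.action != "add":
            continue
        # Reverting a newly added object breaks other admins' uncommitted objects that reference it.
        for other in others:
            if change.name in other.refs:
                blockers.append(f"{change.obj_type} '{change.name}' is referenced by "
                                f"{other.admin}'s {other.obj_type} '{other.name}' in {other.scope}")
    return selected, blockers


# Constructed candidate configuration with changes from two administrators.
CANDIDATE = [
    Change("alice", "folder:branch", "address", "srv-new", "add"),
    Change("bob", "folder:branch", "security-rule", "allow-srv", "modify", refs=("srv-new",)),
    Change("alice", "folder:hq", "security-rule", "old-rule", "modify"),
]


def demo():
    """Preview alice's revert in each scope she touched."""
    return {scope: preview_revert(CANDIDATE, "alice", scope)
            for scope in ("folder:branch", "folder:hq")}


if __name__ == "__main__":
    for scope, (selected, blockers) in demo().items():
        print(scope, "reverts", [c.name for c in selected], "blocked by", blockers)
```

Reverting alice's new address object in folder:branch is blocked because bob's uncommitted rule references it, while her change in folder:hq can be reverted on its own; the preview surfaces this before anything is touched.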
Multiple Virtual System Support on SCM
Feb 6, 2026
Please contact your account team to enable the feature.
Strata Cloud Manager (SCM) now supports multiple virtual system (vsys) mode
for Next-Generation Firewalls, enabling you to manage and configure multiple virtual
systems within a single physical firewall from SCM. Virtual systems are separate,
logical firewall instances within a single physical Palo Alto Networks firewall.
Rather than using multiple firewalls, managed service providers and enterprises can
use a single pair of firewalls (for high availability) and enable virtual systems on
them. Each virtual system is an independent, separately managed firewall with its
traffic kept separate from the traffic of other virtual systems. This feature allows
you to create logical separations within a firewall to support multiple departments,
customers, or security domains while maintaining centralized management. When you
enable multi-vsys mode, you can create, update, and delete virtual systems, import
interfaces into specific virtual systems, and push configurations to one or multiple
virtual systems simultaneously.
With multi-vsys support, you can logically separate traffic, policies, and
objects for different business units or customers, providing enhanced multi-tenancy
capabilities. You can delegate administration to different teams by associating
virtual systems with appropriate containers, allowing fine-grained access control to
specific virtual systems. The ability to push configurations to multiple virtual
systems at once simplifies management of complex multi-vsys environments.
This feature is particularly valuable for service providers who need to
maintain separation between multiple customer environments on shared hardware,
enterprises that want to isolate different departments or business units, or
organizations that need to maintain strict separation between production,
development, and testing environments. By implementing virtual systems, you can
optimize hardware utilization while maintaining logical separation and meet
compliance requirements that mandate traffic isolation between different security
domains.
SCM provides an intuitive interface for managing virtual systems, allowing
you to view the status of all virtual systems, move virtual systems between
containers, and monitor the synchronization status of each virtual system
separately. When pushing configurations, you can select which virtual systems should
receive updates, providing flexibility in configuration management.
Trusted Source Address Support
Feb 6, 2026
Strata Cloud Manager now allows you to configure Trusted Source Addresses to enhance
the security of Explicit Proxy deployments. This feature enables you to specify
exactly which source IP addresses are permitted to authenticate using the
X-Authenticated-User (XAU) protocol. When enabled, the firewall trusts XAU headers
contained in incoming requests only if they originate from the IP addresses you have
explicitly defined, preventing unauthorized sources from successfully using XAU for
authentication.
You can manage this security measure by creating an address object for the IP you
wish to trust and adding it to the Trusted Source Address configuration. The feature
includes options to enable the configuration and add, search, or delete trusted
source addresses as required.
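The trust decision described above, as an added example (not Palo Alto Networks code): an XAU header is honoured only when the request's source address falls inside one of the trusted address objects; otherwise it is ignored and the request is treated as unauthenticated. The header name, the trusted networks and the sample requests are constructed for illustration.

```python
"""Honour X-Authenticated-User only from trusted source addresses.

Added example (not Palo Alto Networks code): models the check the feature
describes for an Explicit Proxy. The header name, the trusted address
objects and the sample requests are constructed for illustration.
"""
import ipaddress

XAU_HEADER = "x-authenticated-user"  # assumed header name, compared case-insensitively

# Constructed address objects added to the Trusted Source Address configuration.
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.10.0.0/24"),   # downstream proxy tier
    ipaddress.ip_network("192.0.2.7/32"),   # single trusted gateway
]


def is_trusted_source(src_ip, trusted=TRUSTED_SOURCES):
    addr = ipaddress.ip_address(src_ip)
    return any(addr in network for network in trusted)


def authenticated_user(src_ip, headers, trusted=TRUSTED_SOURCES, enforce=True):
    """Return the user asserted via XAU, or None if the header is absent or untrusted."""
    lowered = {key.lower(): value for key, value in headers.items()}
    user = lowered.get(XAU_HEADER)
    if not user:
        return None
    if enforce and not is_trusted_source(src_ip, trusted):
        # A client on an untrusted network is asserting an identity; ignore it.
        return None
    return user


# Constructed sample requests: (source IP, headers).
REQUESTS = [
    ("10.10.0.5", {"X-Authenticated-User": "alice", "Host": "intranet.example"}),
    ("203.0.113.9", {"X-Authenticated-User": "admin", "Host": "intranet.example"}),
    ("10.10.0.5", {"Host": "intranet.example"}),
]


def evaluate_requests(requests=REQUESTS, enforce=True):
    """Pair each request's source with the identity the proxy would accept."""
    return [(src, authenticated_user(src, hdrs, enforce=enforce)) for src, hdrs in requests]


if __name__ == "__main__":
    for src, user in evaluate_requests():
        print(src, "->", user or "unauthenticated")
```

With enforcement off, the second request would be accepted as "admin" on the strength of a header anyone can set; the trusted-source list is what turns XAU from a hint into something the policy can rely on.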
DNS Rewrite with Conditions Check
Feb 6, 2026
You can now configure DNS rewrite conditions in Strata
Cloud Manager to control when DNS address translation occurs based on the DNS
client's characteristics. This feature allows the firewall to perform address
translation based on the specific characteristics of the DNS client rather than
applying a global, static rule. By evaluating the requester’s source zone or source
address against criteria defined in NAT rules, the system determines whether a DNS
response should be modified. This ensures that DNS resolution is dynamically tied to
the network context of the requesting device.
This capability is primarily used to provide granular infrastructure control.
In many network architectures, a single hostname must resolve differently depending
on the origin of the request. With conditional rewrites, internal users originating
from a trusted zone can be directed to private IP addresses for direct internal
routing. Simultaneously, external users or guests from untrusted zones receive the
original public IP address. This segmentation prevents the exposure of internal IP
schemes to unauthorized network segments, strengthening the security posture.
Additionally, this feature consolidates policy management. By integrating the
rewrite logic directly into existing DNAT rules, administrators can avoid the
complexity of maintaining separate DNS entries or multiple layers of firewall rules
for internal and external traffic. This unified approach simplifies policy auditing
and reduces the potential for configuration errors across the network.
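The conditional rewrite described above, as an added example (not Palo Alto Networks code): a DNAT rule carries the public-to-private mapping together with a condition on the DNS client's source zone and source address, and A-record answers are rewritten only for clients that match, so internal users get the private address while everyone else keeps the public one. Rule fields, zones and addresses are constructed for illustration.

```python
"""Conditional DNS rewrite tied to a DNAT rule.

Added example (not Palo Alto Networks code): a DNAT rule carries the
public-to-private mapping and a condition on the DNS client's source zone
and source address; DNS answers are rewritten only when the client matches.
Rule fields, zones and addresses are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class DnatRule:
    name: str
    original_dst: str            # public address in the rule
    translated_dst: str          # internal address it maps to
    rewrite_zones: frozenset     # client source zones eligible for rewrite
    rewrite_sources: tuple = ()  # client source networks; empty means any

    def condition_matches(self, client_zone, client_ip):
        if client_zone not in self.rewrite_zones:
            return False
        if not self.rewrite_sources:
            return True
        addr = ipaddress.ip_address(client_ip)
        return any(addr in ipaddress.ip_network(net) for net in self.rewrite_sources)


# Constructed rule: the public web VIP maps to an internal server; only internal
# clients in the trust zone get the private address in their DNS answers.
RULES = [
    DnatRule("web-dnat", "203.0.113.10", "10.1.1.10",
             frozenset({"trust"}), ("10.0.0.0/8",)),
]


def rewrite_answers(answers, client_zone, client_ip, rules=RULES):
    """Return the A-record answers after applying any matching rewrite condition."""
    rewritten = []
    for address in answers:
        for rule in rules:
            if address == rule.original_dst and rule.condition_matches(client_zone, client_ip):
                address = rule.translated_dst
                break
        rewritten.append(address)
    return rewritten


if __name__ == "__main__":
    answers = ["203.0.113.10", "198.51.100.5"]
    print("trust/10.5.5.5      ->", rewrite_answers(answers, "trust", "10.5.5.5"))
    print("untrust/198.51.100.77 ->", rewrite_answers(answers, "untrust", "198.51.100.77"))
```

Only the answer that equals the rule's original destination is touched; unrelated addresses in the same response pass through unchanged, and a trust-zone client outside the listed source networks is treated like an external one.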
New NetSec Platform Features on Strata Cloud Manager (February 2026)
See all the new features made available for Strata Cloud Manager in February
2026.
These new features follow the Strata Cloud Manager release model of continuous feature deployment; as they're ready, we make them
available to ensure the latest support for all products and subscriptions across the
NetSec platform. There's no Strata Cloud Manager upgrade or management version
requirement associated with these features; however, check if they have version or
license dependencies associated with other parts of the NetSec platform (like a
cloud-delivered security service subscription, or a Prisma Access version, for
example).
Custom HIP Checks for Prisma Access Agent for Linux
Feb 10, 2026
The Prisma® Access Agent for Linux now supports custom Host Information Profile (HIP)
checks that enable you to collect specific endpoint data beyond standard
HIP categories. You can define custom checks to determine if particular processes
are running on endpoints by examining a process list. This capability allows you to
enforce granular access policies based on criteria unique to your environment that
standard HIP checks might not address. The custom HIP data integrates seamlessly
with existing workflows as it becomes part of the raw host information that the
agent submits to the gateway for policy evaluation.
Incident Customization for Prisma Access Infrastructure Monitoring
Feb 5, 2026
Generic detection rules often fail to match specific operational
requirements when monitoring Prisma® Access infrastructure. To address this, the
incident customization feature in Strata
Cloud Manager allows you to define custom raise and clear conditions for tunnel, BGP
connectivity, and site capacity incidents through the Unified Incident Framework.
This capability gives you granular control over when Strata Cloud Manager generates
and resolves incidents based on your unique environment.
You can configure specific time-based thresholds for detecting
infrastructure issues across your remote network and service connection deployments.
You can define the duration a resource, such as a tunnel or BGP, must be down before
an incident is raised, and conversely, the length of time it must be up before that
incident is cleared. This flexibility ensures that transient issues do not generate
unnecessary alerts while still capturing genuine problems. The feature integrates
object-based filtering, enabling you to apply different thresholds to specific sites
or BGP peers. Strata Cloud Manager performs a longest-match evaluation against your
resource hierarchy, meaning you can set conservative default thresholds for your
entire infrastructure while defining more aggressive detection parameters for
mission-critical connections.
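The raise/clear thresholds and longest-match evaluation described above, as an added example (not Palo Alto Networks code): resource paths such as "site/hq/bgp/peer-65001" are matched against a threshold policy by longest prefix, and a tracker raises an incident only once the resource has been down for the resolved raise_after seconds and clears it after clear_after seconds up, so short flaps never produce an alert. The path layout, policy values and sample observations are constructed.

```python
"""Custom raise/clear thresholds with longest-match resolution.

Added example (not Palo Alto Networks code): resource paths such as
"site/hq/bgp/peer-65001" are matched against a threshold policy by longest
prefix, and an IncidentTracker raises an incident only after the resource
has been down for raise_after seconds and clears it after clear_after
seconds up. Path layout, policy values and samples are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Thresholds:
    raise_after: int  # seconds down before an incident is raised
    clear_after: int  # seconds up before the incident is cleared


# Constructed policy: conservative defaults, tighter settings for a critical site and peer.
POLICY = {
    "": Thresholds(300, 120),
    "site/hq": Thresholds(60, 60),
    "site/hq/bgp/peer-65001": Thresholds(15, 30),
}


def resolve_thresholds(resource, policy=POLICY):
    """Longest-match: pick the most specific policy path that is a prefix of the resource."""
    best = ""
    for prefix in policy:
        if prefix and (resource == prefix or resource.startswith(prefix + "/")):
            if len(prefix) > len(best):
                best = prefix
    return policy[best]


class IncidentTracker:
    """Tracks one resource's up/down samples and emits raise/clear events."""

    def __init__(self, resource, policy=POLICY):
        self.resource = resource
        self.thresholds = resolve_thresholds(resource, policy)
        self.active = False     # incident currently open?
        self.state = None       # last observed up/down state
        self.since = None       # timestamp the current state began
        self.events = []

    def observe(self, timestamp, is_up):
        if is_up != self.state:
            self.state, self.since = is_up, timestamp
        elapsed = timestamp - self.since
        if not self.active and not is_up and elapsed >= self.thresholds.raise_after:
            self.active = True
            self.events.append(("raise", timestamp))
        elif self.active and is_up and elapsed >= self.thresholds.clear_after:
            self.active = False
            self.events.append(("clear", timestamp))
        return self.active


def simulate(resource, samples, policy=POLICY):
    """Feed (timestamp, is_up) samples and return the events raised for the resource."""
    tracker = IncidentTracker(resource, policy)
    for timestamp, is_up in samples:
        tracker.observe(timestamp, is_up)
    return tracker.events


# Constructed samples at 5-second intervals: peer down for 20 s, then up.
PEER_SAMPLES = [(t, False) for t in range(0, 20, 5)] + [(t, True) for t in range(20, 55, 5)]
# A branch tunnel that flaps for three minutes: below the 300 s default, so no incident.
TUNNEL_SAMPLES = [(t, False) for t in range(0, 180, 60)] + [(180, True)]

if __name__ == "__main__":
    print("peer-65001:", simulate("site/hq/bgp/peer-65001", PEER_SAMPLES))
    print("branch tunnel:", simulate("site/branch-07/tunnel-1", TUNNEL_SAMPLES))
```

The same 20-second outage raises an incident for the critical peer (15 s threshold) but not for another resource under site/hq (60 s), which is the behaviour the per-object overrides are meant to give.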
NGFW Incidents in February
Feb 5, 2026
Here are the NGFW incidents introduced in February 2026.
Health incidents actively monitor the health and
performance of your platform in real time. This approach helps in identifying
issues, predicting potential problems, and implementing remediation actions to
ensure your devices function optimally. Here are some key aspects:
- Monitoring Metrics: Continuously monitor various metrics from the NGFWs, including CPU utilization, memory usage, disk space, network throughput, and other relevant performance indicators.
- Anomaly Detection: Generate alerts that dynamically adjust based on the metric's historical value and your usage trends.
- Predictive Analysis: Leverage historical data and patterns to predict when thresholds might be exceeded or specific events may occur. This helps forecast potential issues before they escalate.
ServiceNow Integration with OAuth Authentication
Feb 5, 2026
Storing and transmitting direct user credentials for third-party integrations creates
significant security risks and often violates organizational compliance policies. To
address these risks, OAuth 2.0 authentication for ServiceNow integrations in Strata
Cloud Manager provides a secure, token-based mechanism that eliminates the need to
transmit passwords directly. It lets you use industry-standard protocols to establish
secure connections without exposing username and password combinations in your
notification profiles.
The client credentials grant type implementation allows you to authenticate using
client ID and client secret pairs. Strata Cloud Manager automatically handles access
token acquisition and renewal, ensuring your incident management workflows continue
without manual intervention. Because tokens have limited lifespans and are easily
revocable, this approach offers superior protection compared to basic
authentication. You can implement least-privilege access patterns, ensuring the
integration only receives the minimum permissions necessary for ticket
management.
Organizations with strict security mandates benefit from improved audit trails and
granular access control. You can migrate existing ServiceNow notification profiles
from basic authentication to OAuth seamlessly, maintaining your current incident
management workflows while significantly enhancing your credential security
posture.
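The client-credentials pattern described above, as an added example (not Palo Alto Networks or ServiceNow code): a session object exchanges a client ID and secret for a short-lived bearer token, caches it, and renews it before expiry so that API calls never carry a user password. The token endpoint path, the placeholder client ID and secret, the renewal margin and the offline FakeTokenEndpoint are assumptions for illustration.

```python
"""OAuth 2.0 client-credentials session for a ServiceNow integration.

Added example (not Palo Alto Networks or ServiceNow code): shows the
token-based pattern the feature describes, with a cached access token that
is renewed before it expires, so no user password ever travels with a
request. The token endpoint path, client id/secret placeholders and the
offline FakeTokenEndpoint are assumptions for illustration.
"""
import json
import time
import urllib.parse
import urllib.request


def http_form_post(url, fields, timeout=10):
    """Real transport: POST a form body and return the parsed JSON reply (needs network)."""
    data = urllib.parse.urlencode(fields).encode()
    request = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(request, timeout=timeout) as response:
        return json.load(response)


class ClientCredentialsSession:
    """Obtains and transparently renews a bearer token via the client_credentials grant."""

    def __init__(self, token_url, client_id, client_secret,
                 transport=http_form_post, clock=time.time, renew_margin=60):
        self.token_url = token_url
        self._client_id = client_id
        self._client_secret = client_secret
        self._transport = transport
        self._clock = clock
        self._renew_margin = renew_margin  # renew this many seconds before expiry
        self._token = None
        self._expires_at = 0.0

    def _request_token(self):
        reply = self._transport(self.token_url, {
            "grant_type": "client_credentials",
            "client_id": self._client_id,
            "client_secret": self._client_secret,
        })
        if reply.get("token_type", "Bearer").lower() != "bearer":
            raise ValueError("unexpected token_type: %r" % reply.get("token_type"))
        self._token = reply["access_token"]
        self._expires_at = self._clock() + float(reply.get("expires_in", 1800))

    def access_token(self):
        if self._token is None or self._clock() >= self._expires_at - self._renew_margin:
            self._request_token()
        return self._token

    def authorization_header(self):
        """Header for an API call such as creating an incident record."""
        return {"Authorization": "Bearer " + self.access_token()}


class FakeTokenEndpoint:
    """Constructed stand-in for the instance's token endpoint; counts issuances."""

    def __init__(self, lifetime=1800):
        self.lifetime = lifetime
        self.calls = 0

    def __call__(self, url, fields):
        if fields.get("grant_type") != "client_credentials" or not fields.get("client_secret"):
            raise ValueError("invalid token request")
        self.calls += 1
        return {"access_token": "tok-%d" % self.calls, "token_type": "Bearer",
                "expires_in": self.lifetime}


def demo():
    """Two calls reuse one token; a third inside the renewal margin triggers a new one."""
    now = [1_000_000.0]
    endpoint = FakeTokenEndpoint(lifetime=1800)
    session = ClientCredentialsSession(
        "https://INSTANCE-PLACEHOLDER.service-now.com/oauth_token.do",  # assumed path
        "client-id-placeholder", "client-secret-placeholder",
        transport=endpoint, clock=lambda: now[0])
    first = session.access_token()
    second = session.access_token()
    now[0] += 1800 - 30          # 30 s before expiry, within the 60 s margin
    third = session.authorization_header()["Authorization"]
    return first, second, third, endpoint.calls


if __name__ == "__main__":
    print(demo())
```

Because the token is what reaches the ServiceNow API, revoking the integration means revoking one client credential at the identity side; the renewal margin keeps a long-running notification pipeline from ever presenting a token that is about to lapse.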
Automated Tag-Based Security
Feb 6, 2026
When you deploy workloads in cloud environments, those workloads frequently
scale up and down with changing demand. If you write firewall security policies
using static IP addresses, you must manually update those policies every time your
teams deploy new services or scale existing ones. This creates a gap between how
quickly your infrastructure changes and how quickly your security policies can
adapt, leading to either security risks from overly permissive rules or operational
problems from blocked legitimate traffic.
Automated Tag-based Security solves this problem by automatically
collecting tags from your cloud workloads and making them available to your
firewalls through Dynamic Address Groups. Instead of writing policies based on IP
addresses, you write policies based on workload identity using the same tags your
teams already apply in AWS, Azure, GCP, or Kubernetes. When workloads scale up or
down, your security policies continue to apply correctly without manual
intervention.
You connect your cloud provider accounts, create monitoring definitions
that specify which tags to collect, then configure which firewalls should receive
those tags. After you commit your changes, the system automatically begins
distributing tags to your firewalls. As new firewalls join folders with distribution
settings configured, they automatically begin receiving the appropriate tags without
manual configuration. Similarly, when firewalls leave those folders, the system
automatically removes the associated tags, ensuring your security policies remain
aligned with your current infrastructure.
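How tag-based policy stays correct as workloads come and go, as an added example (not Palo Alto Networks code): a small parser evaluates match expressions of the form 'tag' and/or/not ('tag') against the tag set collected for each workload, so a Dynamic Address Group resolves to whatever addresses currently carry the right tags. The tag naming scheme, the expression grammar and the workload inventory are constructed for illustration.

```python
"""Resolve a Dynamic Address Group from workload tags.

Added example (not Palo Alto Networks code): a small parser for match
expressions in the form 'tag' and/or/not ('tag'), evaluated against the tag
sets collected per workload, so group membership follows the tags rather
than static IPs. Tag naming, the expression grammar and the inventory are
constructed for illustration.
"""
import re

TOKEN = re.compile(r"\s*(?:'([^']*)'|(\(|\))|(and|or|not)\b)", re.IGNORECASE)


def tokenize(expr):
    pos, tokens = 0, []
    while pos < len(expr):
        if expr[pos:].strip() == "":
            break
        match = TOKEN.match(expr, pos)
        if not match:
            raise ValueError("bad token at %d: %r" % (pos, expr[pos:]))
        pos = match.end()
        if match.group(1) is not None:
            tokens.append(("TAG", match.group(1)))
        elif match.group(2):
            tokens.append(("PAREN", match.group(2)))
        else:
            tokens.append(("OP", match.group(3).lower()))
    return tokens


class Parser:
    """Recursive descent with precedence or < and < not < atom, producing a tuple tree."""

    def __init__(self, tokens):
        self.tokens, self.pos = tokens, 0

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        token = self.peek()
        if token is None:
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return token

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("trailing tokens: %r" % (self.tokens[self.pos:],))
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == ("OP", "or"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_not()
        while self.peek() == ("OP", "and"):
            self.take()
            node = ("and", node, self.parse_not())
        return node

    def parse_not(self):
        if self.peek() == ("OP", "not"):
            self.take()
            return ("not", self.parse_not())
        token = self.take()
        if token[0] == "TAG":
            return ("tag", token[1])
        if token == ("PAREN", "("):
            node = self.parse_or()
            if self.take() != ("PAREN", ")"):
                raise ValueError("expected ')'")
            return node
        raise ValueError("unexpected token %r" % (token,))


def evaluate(node, tags):
    kind = node[0]
    if kind == "tag":
        return node[1] in tags
    if kind == "not":
        return not evaluate(node[1], tags)
    left, right = evaluate(node[1], tags), evaluate(node[2], tags)
    return (left and right) if kind == "and" else (left or right)


def resolve_group(match_expr, workloads):
    """Return the sorted IPs whose tag set satisfies the group's match expression."""
    tree = Parser(tokenize(match_expr)).parse()
    return sorted(ip for ip, tags in workloads.items() if evaluate(tree, tags))


# Constructed inventory: IP -> tags collected from the cloud provider.
WORKLOADS = {
    "10.0.1.10": {"aws.tag.env.prod", "aws.tag.role.web"},
    "10.0.1.11": {"aws.tag.env.prod", "aws.tag.role.web", "aws.tag.lifecycle.retiring"},
    "10.0.2.20": {"aws.tag.env.prod", "aws.tag.role.api"},
    "10.0.9.90": {"aws.tag.env.dev", "aws.tag.role.web"},
}
PROD_FRONTEND = ("'aws.tag.env.prod' and ('aws.tag.role.web' or 'aws.tag.role.api') "
                 "and not 'aws.tag.lifecycle.retiring'")
```

When a new instance with the prod and web tags appears in the inventory it joins the group on the next resolution without any rule being edited, and a workload tagged as retiring drops out the same way; the policy refers to the group, never to the addresses.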
Decryption Port Mirroring
Feb 6, 2026
Historically, organizations requiring comprehensive traffic capture for
forensic or historical purposes faced limited options: deploy costly standalone
SSL/TLS decryption appliances, rely on solutions that provide incomplete visibility,
or accept the visibility gaps caused by encrypted traffic.
Decryption Port Mirroring eliminates these
tradeoffs by providing a solution that improves your security monitoring, incident
response, and data retention. When enabled, your Next-Generation Firewall (NGFW)
forwards cleartext copies of decrypted SSL/TLS and SSH proxy traffic to external
traffic collection or analysis tools through a configured Ethernet interface. No
other specialized hardware is required.
You can mirror traffic before or after Security policy rule enforcement to
meet your specific needs. By default, the NGFW mirrors all decrypted traffic before
policy enforcement. This enables security teams to replay events and analyze traffic
that generated a threat or was dropped by the firewall. Post-enforcement mirroring
excludes dropped packets, which reduces false positives on third-party data loss
prevention (DLP) or intrusion prevention system (IPS) devices.
Decryption Port Mirroring is supported on all hardware and VM-Series NGFWs
and requires the free Decryption Port Mirroring license.
DNS Resource Record Type Control for Advanced DNS Security
Feb 6, 2026
Supported on NGFW: Nov 16, 2022
Threat actors leverage specific DNS queries to bypass security filters or conduct
network reconnaissance. For example, SVCB (Type 64) and HTTPS (Type 65) records can
facilitate encrypted connections that evade traditional inspection, while ANY (Type
255) queries allow attackers to retrieve all known record types to map your internal
network. Without the ability to distinguish and control these specific record types,
your organization remains vulnerable to sophisticated evasion techniques and
information gathering.
Palo Alto Networks now provides the option in Strata Cloud Manager to block ECH
(Encrypted Client Hello), a draft-stage proposal to encrypt the entire ‘client hello’
message. This control covers the SVCB (Type 64), HTTPS (Type 65), and ANY (Type 255)
DNS record types. While ECH offers some privacy for data such as ALPN and SNI, it can
also prevent certain firewall services that rely on the client hello from operating as
intended. To maintain optimal function of the firewall's security services, Palo Alto
Networks recommends blocking all ECH-supporting record types.
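What "distinguishing these record types" means at the wire level, as an added example (not Palo Alto Networks code): the question section of a DNS query is parsed from its binary form and the QTYPE is checked against the three types named above (SVCB 64, HTTPS 65, ANY 255). Queries are built locally by build_query, so the example runs offline; the parser rejects truncated or malformed questions rather than guessing.

```python
"""Classify DNS queries by record type.

Added example (not Palo Alto Networks code): parses the question section of
a DNS query from wire format and flags the SVCB (64), HTTPS (65) and ANY
(255) types the text singles out. Packets are built locally with
build_query, so nothing touches a network.
"""
import struct

BLOCKED_QTYPES = {64: "SVCB", 65: "HTTPS", 255: "ANY"}


def build_query(name, qtype, txid=0x1234):
    """Construct a minimal standard query (RD set, one question, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_question(packet):
    """Return (name, qtype, qclass) from the first question; reject malformed input."""
    if len(packet) < 12:
        raise ValueError("truncated header")
    qdcount = struct.unpack("!H", packet[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question, got %d" % qdcount)
    pos, labels = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in question name")
        if length > 63:
            raise ValueError("label longer than 63 octets")
        if pos + length > len(packet):
            raise ValueError("label runs past end of packet")
        labels.append(packet[pos:pos + length].decode("ascii", errors="replace"))
        pos += length
    if pos + 4 > len(packet):
        raise ValueError("truncated question")
    qtype, qclass = struct.unpack("!HH", packet[pos:pos + 4])
    return ".".join(labels), qtype, qclass


def classify(packet):
    """Return ("block", name, type_name) for controlled types, else ("allow", name, qtype)."""
    name, qtype, _ = parse_question(packet)
    if qtype in BLOCKED_QTYPES:
        return ("block", name, BLOCKED_QTYPES[qtype])
    return ("allow", name, qtype)


if __name__ == "__main__":
    for qtype in (1, 28, 64, 65, 255):
        print(qtype, classify(build_query("www.example.com", qtype)))
```

A production filter would sit on decoded DNS traffic from the inspection engine rather than raw sockets, but the decision itself is exactly this: read QTYPE, compare against the controlled set.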
Load-Balanced DNS Support for FQDN Objects
Feb 6, 2026
Many application servers use load-balanced DNS to return only a subset of
resolved IP addresses per query, which can cause security policy match failures
unless the firewall maintains an aggregate list of all valid IP addresses. Strata™
Cloud Manager now supports the Load Balanced DNS setting for fully
qualified domain name (FQDN) address objects to ensure your Security policy rules
consistently match traffic for distributed cloud services and load-balanced
application environments.
When enabled, the network security platform maintains an aggregate list of up to 100
resolved IP addresses per domain that have not yet reached their time-to-live (TTL)
expiration. Instead of replacing the list with each response, this approach ensures
that all valid source and destination IPs returned across multiple DNS queries are
available for policy enforcement. The system uses a retry interval that doubles if no
changes are detected, allowing the IP list to refresh without impacting management
plane performance. This ensures your security posture remains robust even for
applications with highly dynamic or distributed IP pools.
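The aggregate-list behaviour described above, as an added example (not Palo Alto Networks code): each address returned for the FQDN is kept until its TTL lapses (capped at 100 entries, oldest-expiring evicted first) rather than replaced by the next answer, and the refresh interval doubles whenever a query changes nothing. The base and maximum intervals and the rotating stub answers are assumptions for illustration.

```python
"""Aggregate resolution cache for a load-balanced FQDN address object.

Added example (not Palo Alto Networks code): keeps every address returned
across successive queries until its TTL lapses (capped at 100 entries, the
oldest-expiring evicted first) instead of replacing the list, and doubles
the refresh interval when nothing changed. Base/maximum intervals and the
rotating answers are constructed for illustration.
"""


class LoadBalancedFqdn:
    def __init__(self, fqdn, lookup, clock, max_entries=100,
                 base_interval=30, max_interval=3600):
        self.fqdn = fqdn
        self.lookup = lookup                # fqdn -> (list_of_ips, ttl_seconds)
        self.clock = clock
        self.max_entries = max_entries
        self.base_interval = base_interval  # assumed starting refresh interval
        self.max_interval = max_interval    # assumed cap on the doubling
        self.interval = base_interval
        self.next_refresh = 0
        self.entries = {}                   # ip -> expiry timestamp

    def current(self):
        """Addresses whose TTL has not yet lapsed, for policy matching."""
        now = self.clock()
        return sorted(ip for ip, expiry in self.entries.items() if expiry > now)

    def matches(self, ip):
        return ip in self.current()

    def due(self):
        return self.clock() >= self.next_refresh

    def refresh(self):
        """Query once, merge the answers, prune expired entries; return whether the set changed."""
        now = self.clock()
        before = set(self.current())
        answers, ttl = self.lookup(self.fqdn)
        for ip in answers:
            self.entries[ip] = now + ttl    # re-observed addresses get a fresh TTL
        self.entries = {ip: exp for ip, exp in self.entries.items() if exp > now}
        while len(self.entries) > self.max_entries:
            victim = min(self.entries, key=self.entries.get)
            del self.entries[victim]
        changed = set(self.entries) != before
        self.interval = self.base_interval if changed else min(self.interval * 2, self.max_interval)
        self.next_refresh = now + self.interval
        return changed


def rotating_lookup(answer_sets, ttl=300):
    """Constructed DNS stub: each call returns the next subset a load balancer might hand out."""
    answers = iter(answer_sets)

    def lookup(fqdn):
        return list(next(answers)), ttl
    return lookup


if __name__ == "__main__":
    clock = [0]
    obj = LoadBalancedFqdn("app.example.com", rotating_lookup(
        [["198.51.100.1", "198.51.100.2"], ["198.51.100.3"], ["198.51.100.1"]]),
        lambda: clock[0])
    for clock[0] in (0, 30, 60):
        print("t=%d changed=%s current=%s next=%d" % (clock[0], obj.refresh(), obj.current(), obj.next_refresh))
```

A plain replace-on-answer cache would have dropped 198.51.100.1 and .2 as soon as the second query returned only .3, and traffic to them would stop matching the rule; the aggregate keeps all three until their TTLs run out.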
NGFW Log Forwarding for Management Plane Logs
Feb 6, 2026
Strata Cloud Manager now supports forwarding next-generation firewall (NGFW)
management plane logs to external destinations, for monitoring, archiving, and
analysis. This feature extends existing visibility beyond data plane traffic.
You can configure forwarding for System, Config,
User-ID™, IP-Tag, HIP Match, and GlobalProtect® log types to Syslog, HTTP, SNMP, and
email servers. You can apply granular filters based on severity and event attributes
to monitor administrative activity, system health, and user mapping events within
your centralized logging infrastructure.
PA-505 and PA-510 Next-Generation Firewalls
Feb 6, 2026
The PA-505 and PA-510 firewalls upgrade the
capabilities of earlier PA-400 Series models with targeted enhancements for small
branch offices, retail locations, and managed security service environments. The
PA-505 features seven RJ-45 ports and the PA-510 features eight RJ-45 ports for
connectivity. These platforms have threat performance of 800 Mbps to 1.2 Gbps. The
PA-505 in particular includes upgraded memory from 8GB to 16GB and increased storage
from 64GB to 128GB. Both of these models support local logging, Zero Touch
Provisioning (ZTP), and high availability deployments.
The PA-505 and PA-510 are first supported on PAN-OS® version 12.1.3. You
can manage these firewalls through multiple interfaces including CLI, Firewall Web
Interface, Panorama, and Strata Cloud Manager.
Post-Quantum Cryptography (PQC) Support for TLSv1.3 Inline Decryption
Feb 6, 2026
Adopting post-quantum cryptography (PQC) is critical to protecting your organization
and its assets against future quantum computers, which will break
today’s classical cryptography. Failure to adopt PQC early increases the risk of
compromise of sensitive data with attacks like Harvest Now, Decrypt Later already
under way. On the other hand, upgrading legacy applications and systems is a
time-consuming and costly process that risks service disruption and data security
without proper guardrails in place. Accounting for these concerns, PAN-OS® 12.1 adds
support for securing TLSv1.3 sessions using post-quantum (PQ) key encapsulation
mechanisms (KEMs) to SSL Forward Proxy, SSL Inbound Inspection, Decryption Mirror,
and the Network Packet Broker features.
In decryption profiles, you can enable PQ
KEMs standardized by the National Institute of Standards and Technology (NIST) or
nonstandardized, experimental options. You can also specify if your selected
algorithms are preferred by the client-side, server-side, or both. Next-Generation
Firewalls (NGFWs) now serve as cipher translation proxies, translating between PQC
and classical encryption for applications that are not yet post-quantum ready. For
example, you can use quantum-safe encryption for communications between end users
and NGFWs but classical encryption for connections between an NGFW and
applications.
This solution secures both legacy and quantum-safe systems and applications, enables
you to meet PQC mandates, and reduces stress and complexity around PQC upgrades.
Post-Quantum Cryptography (PQC) TLS Support for Management Plane
Feb 6, 2026
Future quantum computers will break today's encryption. Adversaries are
taking advantage by stealing encrypted data today to decrypt once a
cryptographically relevant quantum computer (CRQC) is available. This "Harvest Now,
Decrypt Later" strategy requires a proactive response. Management connections are
prime targets for adversaries because the encrypted traffic contains sensitive,
long-lived data such as login credentials and configuration details. To defend
against the quantum computing threat, PAN-OS® 12.1 now
supports post-quantum cryptography (PQC) for administrative access to
Next-Generation Firewalls (NGFWs) and Panorama®. This feature protects TLSv1.3
management connections using quantum-resistant algorithms standardized by the
National Institute of Standards and Technology (NIST).
SSL/TLS service profiles now offer ML-KEM
(Module-Lattice-based Key-Encapsulation Mechanism), the post-quantum key exchange
algorithm specified in FIPS 203. The NGFW or Panorama ensures
interoperability by automatically negotiating a supported classical algorithm if a
web browser doesn't support PQC. You can also enable hybrid post-quantum key
exchange, which combines a classical algorithm like ECDH with a post-quantum
algorithm to generate a shared key. Hybrid key exchange secures your organization
from attacks by today's classical computers and future CRQCs. These capabilities
prevent disruption to critical operations and ease your transition to PQC.
You can also generate certificates using the NIST-approved digital signatures: ML-DSA
(Module-Lattice-based Digital Signature Algorithm) and SLH-DSA (Stateless Hash-based
Digital Signature Algorithm). These algorithms are specified in FIPS 204 and FIPS 205,
respectively. PQC certificates are for testing only while industry standards are under
development.
Zero Touch Provisioning Over Cellular
Feb 6, 2026
Zero Touch Provisioning (ZTP) can now use cellular interfaces to automatically deploy
and configure NGFWs (managed by Panorama or Strata Cloud Manager) in remote locations
with limited connectivity or without traditional wired connections.
ZTP now supports multiple connectivity scenarios, including cellular-only,
ethernet-only, and hybrid connectivity. This provides the flexibility to adapt to
various network environments, particularly distributed networks, retail locations,
or temporary sites where traditional wired connectivity might be unavailable. This
capability integrates directly with existing workflows to maintain management
consistency and enable efficient remote deployment without requiring on-site IT
intervention. Built to support current and future 5G-enabled platforms, ZTP over
Cellular ensures long-term adaptability and reduced operational costs by
streamlining the secure onboarding of remote assets.
ZTP over cellular interfaces is supported on devices running PAN-OS 12.1.2 and later.
ZTP Installer Web Application
Feb 6, 2026
This is a Beta feature.
You can now activate Palo Alto Networks NGFWs at branch locations using
the ZTP NGFW Activation web app that extends the
existing Zero Touch Provisioning (ZTP) capabilities to mobile devices.
This solution enables field installers to complete NGFW onboarding and activation
without requiring technical expertise or detailed knowledge of customer network
configurations. The web app is browser-based and supports both iOS and Android
devices, eliminating the need for separate native applications while maintaining
full compatibility with existing ZTP workflows.
The ZTP NGFW Activation web app allows for QR code scanning functionality
on Gen 5 or newer hardware that automatically populates device-specific information
including Serial Numbers and Claim Keys directly from labels affixed to the NGFW
hardware. When you scan a QR code using your mobile device's camera, the QR code
contains an embedded URL that redirects you to the ZTP Activation Page along with
the Serial Number and Claim Key data. The application automatically populates these
fields from the scanned QR code data, and you simply need to initiate the ZTP
activation process for the device.
You gain access to all existing ZTP activation features through the web
app, including the ability to view activation history for devices processed within
the last seven days and monitor the status of firewalls during the provisioning
process. The application maintains the same security and authentication requirements
as the desktop ZTP portal while optimizing the user interface for smartphones.
This web app addresses deployment scenarios where installers work across
multiple branch locations and may need to activate NGFWs for different customers
without carrying laptops or requiring detailed technical documentation. The solution
reduces the complexity of field deployments while maintaining the security and
configuration management oversight that network security teams require for firewall
provisioning workflows.