Strata Cloud Manager
New Strata Cloud Manager Management Features (February 2026)
Here are the new configuration management features we've added to Strata Cloud
Manager in February 2026. We use a scheduled upgrade to deliver these features to you,
and they are supported with the Strata Cloud Manager 2026.R1.0 release version. Check
your Strata Cloud Manager in-product notifications for updates on the release upgrade
schedule. You can verify which Strata Cloud Manager release version you're running by
navigating to your configuration overview and checking the
Cloud Management Version.
Compare Migration Changes with Enhanced Configuration Diff
Feb 6, 2026
Supported for:
Please contact your account team to enable the
feature.
Identifying and understanding configuration discrepancies during a firewall
migration is difficult when you view raw XML differences without context. The new
configuration diff feature for Panorama®
migration to Strata™ Cloud Manager provides categorized and searchable
comparisons during your migration workflow. When you migrate your configurations to
Strata Cloud Manager, you can view differences organized into meaningful categories
rather than raw data. This feature tracks three types of changes:
- Unsupported objects: Identifies objects that are not supported, which shows parity gaps with Panorama features.
- Modified or deleted objects: Shows changes between the pushed and running configurations.
- Name changes: Tracks objects whose names changed during the migration process.
By listing the object names and types for each difference, this feature
helps you understand the impact of configuration changes without needing technical
knowledge of complex XML structures.
Auto Snippet Association
Feb 6, 2026
Supported for:
Please contact your account team to enable the
feature.
Migrating complex Panorama® configurations to Strata Cloud Manager often
involves time-consuming manual effort to map templates and folders. The auto snippet
association feature solves this challenge by automatically generating and
associating configuration snippets with folders during the migration process. When
you migrate from Panorama to Strata Cloud
Manager, the feature transforms device groups into folders and converts
templates into snippets, eliminating the need for manual validation.
You benefit from this feature particularly when managing large-scale
deployments where templates are referenced across multiple device groups or where
template stacks contain overlapping configurations. By automating these
associations, you significantly reduce migration time and minimize configuration
errors. This ensures your migrated configuration maintains the same operational
behavior as your original Panorama setup while being optimized for the folder-based
management model in Strata Cloud Manager.
Per-Admin Configuration Push and Revert
Feb 6, 2026
Supported for:
Please contact your account team to enable the
feature.
In shared environments, concurrent configuration changes by multiple administrators
can lead to conflicts where a single error traditionally requires reverting all
uncommitted changes. Strata Cloud Manager addresses this challenge by moving beyond
the traditional all-or-nothing commit model to offer precise control in
multi-administrator environments.
You can now selectively revert uncommitted changes made by
specific administrators within defined scopes or within designated containers, cloud
containers, on-premises containers, and snippets. This feature allows you to revert
specific uncommitted changes from the candidate configuration while preserving other
administrators' work. In addition to reverting changes, you can perform partial
configuration pushes to deploy only the changes within your selected scope to
designated devices.
To ensure deployment accuracy, you can preview changes before you revert or push
them. The system provides detailed information about dependencies that might prevent
the operation, allowing you to resolve issues before deployment.
You cannot use selective push or revert and must perform an all-admin push in the
following scenarios:
- Configuration load operations.
- Changes in container hierarchy, such as snippet association or disassociation.
- Internal commits triggered by tenant upgrades.
- When the number of uncommitted changes exceeds 500.
Multiple Virtual System Support on SCM
Feb 6, 2026
Supported for:
Please contact your account team to enable the feature.
Strata Cloud Manager (SCM) now supports multiple virtual system (vsys) mode
for Next-Generation Firewalls, enabling you to manage and configure multiple virtual
systems within a single physical firewall from SCM. Virtual systems are separate,
logical firewall instances within a single physical Palo Alto Networks firewall.
Rather than using multiple firewalls, managed service providers and enterprises can
use a single pair of firewalls (for high availability) and enable virtual systems on
them. Each virtual system is an independent, separately managed firewall with its
traffic kept separate from the traffic of other virtual systems. This feature allows
you to create logical separations within a firewall to support multiple departments,
customers, or security domains while maintaining centralized management. When you
enable multi-vsys mode, you can create, update, and delete virtual systems, import
interfaces into specific virtual systems, and push configurations to one or multiple
virtual systems simultaneously.
With multi-vsys support, you can logically separate traffic, policies, and
objects for different business units or customers, providing enhanced multi-tenancy
capabilities. You can delegate administration to different teams by associating
virtual systems with appropriate containers, allowing fine-grained access control to
specific virtual systems. The ability to push configurations to multiple virtual
systems at once simplifies management of complex multi-vsys environments.
This feature is particularly valuable for service providers who need to
maintain separation between multiple customer environments on shared hardware,
enterprises that want to isolate different departments or business units, or
organizations that need to maintain strict separation between production,
development, and testing environments. By implementing virtual systems, you can
optimize hardware utilization while maintaining logical separation and meet
compliance requirements that mandate traffic isolation between different security
domains.
SCM provides an intuitive interface for managing virtual systems, allowing
you to view the status of all virtual systems, move virtual systems between
containers, and monitor the synchronization status of each virtual system
separately. When pushing configurations, you can select which virtual systems should
receive updates, providing flexibility in configuration management.
Trusted Source Address Support
Feb 6, 2026
Supported for:
Strata Cloud Manager now allows you to configure Trusted Source Addresses to enhance
the security of Explicit Proxy deployments. This feature
enables you to specify exactly which source IP addresses are permitted to
authenticate using the X-Authenticated-User (XAU) protocol. When enabled, the
firewall trusts XAU headers contained in incoming requests only if they originate
from the IP addresses you have explicitly defined, preventing unauthorized sources
from successfully using XAU for authentication.
You can manage this security measure by creating an address object for the IP you
wish to trust and adding it to the Trusted Source Address configuration. The feature
includes options to enable the configuration and add, search, or delete trusted
source addresses as required.
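A simplified model of the trust decision described above, as an added example (not Palo Alto Networks code or configuration): the XAU header is honored only when the connection's own source IP falls inside a trusted address object. The function names, the sample addresses, and the choices to ignore X-Forwarded-For and to reject duplicate or empty XAU headers are assumptions of this example.

```python
import ipaddress

XAU = "x-authenticated-user"  # HTTP header names are case-insensitive

def parse_trusted(address_objects):
    """Turn address-object values (host IPs or CIDR ranges) into networks."""
    return [ipaddress.ip_network(v, strict=False) for v in address_objects]

def xau_decision(peer_ip, headers, trusted):
    """Return (user, reason); user is None when the header must not be trusted.

    peer_ip is the source address of the connection itself. Client-supplied
    headers such as X-Forwarded-For are ignored on purpose (assumption).
    """
    values = [v.strip() for k, v in headers if k.lower() == XAU]
    if not values:
        return None, "no-xau-header"
    addr = ipaddress.ip_address(peer_ip)
    # An IPv4-mapped IPv6 peer (::ffff:a.b.c.d) must match IPv4 objects.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if not any(addr in net for net in trusted):
        return None, "untrusted-source"
    if len(values) != 1 or not values[0]:
        return None, "ambiguous-or-empty-header"
    return values[0], "trusted-source"

# Constructed sample data (documentation and private address ranges).
TRUSTED = parse_trusted(["10.20.0.5", "192.0.2.0/28"])
REQUESTS = [
    ("10.20.0.5", [("X-Authenticated-User", "alice")]),
    ("203.0.113.9", [("X-Authenticated-User", "alice"),
                     ("X-Forwarded-For", "10.20.0.5")]),
    ("::ffff:10.20.0.5", [("x-authenticated-user", "bob")]),
    ("192.0.2.16", [("X-Authenticated-User", "carol")]),
    ("192.0.2.3", [("X-Authenticated-User", "dave"),
                   ("X-Authenticated-User", "root")]),
]

if __name__ == "__main__":
    for peer, hdrs in REQUESTS:
        print(peer, xau_decision(peer, hdrs, TRUSTED))
```

The second request shows why the decision keys on the connection's source address: a forwarded-for value naming a trusted IP does not make an untrusted sender trusted.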
DNS Rewrite with Conditions Check
Feb 6, 2026
Supported for:
You can now configure DNS rewrite conditions in Strata
Cloud Manager to control when DNS address translation occurs based on the DNS
client's characteristics. This feature allows the firewall to perform address
translation based on the specific characteristics of the DNS client rather than
applying a global, static rule. By evaluating the requester’s source zone or source
address against criteria defined in NAT rules, the system determines whether a DNS
response should be modified. This ensures that DNS resolution is dynamically tied to
the network context of the requesting device.
This capability is primarily used to provide granular infrastructure control.
In many network architectures, a single hostname must resolve differently depending
on the origin of the request. With conditional rewrites, internal users originating
from a trusted zone can be directed to private IP addresses for direct internal
routing. Simultaneously, external users or guests from untrusted zones receive the
original public IP address. This segmentation prevents the exposure of internal IP
schemes to unauthorized network segments, strengthening the security posture.
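The conditional rewrite described above, modeled as an added example (not Palo Alto Networks code or Strata Cloud Manager configuration syntax). The `DnatRule` class, the zone names, and the sample addresses are constructed; the example assumes that an empty criterion means "any", that every configured criterion must match, and that the first matching rule wins.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class DnatRule:
    """Constructed stand-in for a DNAT rule carrying DNS rewrite conditions."""
    name: str
    original_ip: str                        # public address published in DNS
    translated_ip: str                      # private address the rule maps to
    source_zones: frozenset = frozenset()   # empty means any zone (assumption)
    source_addresses: tuple = ()            # empty means any address (assumption)

    def client_matches(self, zone, client_ip):
        """Check the DNS client's zone and address against the conditions."""
        if self.source_zones and zone not in self.source_zones:
            return False
        if self.source_addresses:
            ip = ipaddress.ip_address(client_ip)
            return any(ip in ipaddress.ip_network(n, strict=False)
                       for n in self.source_addresses)
        return True

def rewrite_answers(answers, client_zone, client_ip, rules):
    """Rewrite A records equal to a rule's original_ip, but only when the DNS
    client satisfies that rule's conditions. Returns (answers, rules applied)."""
    out, applied = [], []
    for name, rtype, value in answers:
        if rtype == "A":
            for rule in rules:
                if (value == rule.original_ip
                        and rule.client_matches(client_zone, client_ip)):
                    value = rule.translated_ip
                    applied.append(rule.name)
                    break
        out.append((name, rtype, value))
    return out, applied

# Constructed sample data (documentation and private address ranges).
RULES = [DnatRule("dnat-portal", "198.51.100.10", "10.1.1.10",
                  source_zones=frozenset({"trust"}),
                  source_addresses=("10.0.0.0/8",))]
ANSWER = [("portal.example.com", "CNAME", "edge.example.com"),
          ("edge.example.com", "A", "198.51.100.10")]

if __name__ == "__main__":
    for zone, ip in [("trust", "10.4.4.4"), ("untrust", "203.0.113.7")]:
        print(zone, ip, rewrite_answers(ANSWER, zone, ip, RULES))
```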
Additionally, this feature consolidates policy management. By integrating the
rewrite logic directly into existing DNAT rules, administrators can avoid the
complexity of maintaining separate DNS entries or multiple layers of firewall rules
for internal and external traffic. This unified approach simplifies policy auditing
and reduces the potential for configuration errors across the network.