Strata Cloud Manager
New Features in July 2024
Here are the new features available in Strata Cloud Manager in July 2024. The features listed here include highlights for the products supported with Strata Cloud Manager. For the full list of new features for a product you use with Strata Cloud Manager, see the release notes for that product.
Email DLP Enhancements
July 29, 2024
Enterprise Data Loss Prevention (E-DLP) introduced the following enhancements to Email DLP to strengthen your security posture when inspecting outbound emails from your organization and to prevent exfiltration of sensitive data.
- You can now forward outbound Gmail and Microsoft Exchange emails to your Proofpoint server to encrypt them on their way to the recipient whenever Enterprise DLP detects sensitive data. Encrypting outbound emails that contain sensitive data prevents unauthorized individuals from reading them.
- Email DLP now supports inspection of .eml files, including up to five levels of nested .eml files. Enterprise DLP can detect and inspect nested .eml files only; it can't detect or inspect files nested inside any other supported file type.
- (Microsoft Exchange only) You can now configure Enterprise DLP to send an email notification to the sender of an outbound email that matches an Email DLP policy rule. Enterprise DLP detects the sensitive data immediately and notifies the sender that the email wasn't delivered to the intended recipient because of a data security violation, so the sender knows about the block and can modify the email and resend it. The automated email notification is available only for Email DLP policy rules where the response Action is Forward email for approval to end user's manager, Forward email for approval to admin, or Quarantine.
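The two limits in the nested .eml enhancement above (five levels of nesting, and no recursion into files nested in other container types) are easy to get wrong when you test your own mail path. The following Python script is an added example, not Palo Alto Networks code and not a description of how Enterprise DLP is implemented: it builds nested .eml test messages and walks them with exactly those two limits, so you can generate mail for checking what an inspector with that policy actually reaches. The depth constant, the Luhn-checked card-number pattern standing in for a real DLP data pattern, and all sample messages are assumptions constructed for the example.

```python
"""Depth-limited scan of nested .eml attachments.

Added worked example, not Palo Alto Networks code. It models the behaviour
described above: an inspector that opens .eml files nested up to five levels
deep and does not open files nested inside any other container type. Every
message and the sample card number are constructed inline, so it runs offline.
"""
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

MAX_EML_DEPTH = 5  # nested .eml levels the inspector opens (assumption taken from the note)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # stand-in for a DLP data pattern


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: doubles every second digit counted from the right."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return Luhn-valid 13-16 digit numbers found in text (spaces/dashes allowed)."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if 13 <= len(digits) <= 16 and luhn_ok(digits):
            hits.append(digits)
    return hits


def nested_eml(levels: int, body: str) -> EmailMessage:
    """Constructed sample: `levels` .eml files nested one inside the next,
    with `body` in the innermost message. Returns the outer (level 0) message."""
    msg = EmailMessage()
    msg["Subject"] = f"level {levels}"
    msg.set_content(body)
    for level in range(levels - 1, -1, -1):
        outer = EmailMessage()
        outer["Subject"] = f"level {level}"
        outer.set_content("see attached")
        outer.add_attachment(msg, filename=f"level{level + 1}.eml")  # message/rfc822 part
        msg = outer
    return msg


def zipped_eml(body: str) -> EmailMessage:
    """Constructed sample: an .eml carrying `body`, wrapped in a zip attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("inner.eml", bytes(nested_eml(0, body)))
    outer = EmailMessage()
    outer["Subject"] = "archive"
    outer.set_content("archive attached")
    outer.add_attachment(buf.getvalue(), maintype="application",
                         subtype="zip", filename="inner.zip")
    return outer


def parse(raw: bytes) -> EmailMessage:
    """Round-trip through the wire format, as an inspector would see the mail."""
    return BytesParser(policy=policy.default).parsebytes(raw)


def scan(msg, depth=0, report=None) -> dict:
    """Walk `msg`. message/rfc822 parts are opened only while the resulting
    nesting depth is <= MAX_EML_DEPTH; other attachment types are never opened.
    Returns {"hits": [(depth, digits), ...], "skipped": [reason, ...]}."""
    if report is None:
        report = {"hits": [], "skipped": []}
    ctype = msg.get_content_type()
    if ctype == "message/rfc822":
        if depth + 1 > MAX_EML_DEPTH:
            report["skipped"].append(
                f"{msg.get_filename()}: .eml nested {depth + 1} deep, beyond limit")
        else:
            scan(msg.get_payload(0), depth + 1, report)
    elif msg.is_multipart():
        for part in msg.get_payload():
            scan(part, depth, report)
    elif ctype.startswith("text/"):
        for digits in find_card_numbers(msg.get_content()):
            report["hits"].append((depth, digits))
    elif msg.get_filename():
        # Files nested inside any other container (zip, docx, ...) are not recursed into.
        report["skipped"].append(f"{msg.get_filename()}: {ctype} not opened")
    return report


SAMPLE = "card 4111 1111 1111 1111 expires 12/27"  # constructed, Luhn-valid test number


def demo() -> dict:
    """Three cases: within the limit, one level past it, and hidden in a zip."""
    return {
        "five_levels": scan(parse(bytes(nested_eml(5, SAMPLE)))),
        "six_levels": scan(parse(bytes(nested_eml(6, SAMPLE)))),
        "zipped": scan(parse(bytes(zipped_eml(SAMPLE)))),
    }


if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, rep)
```

The six-level and zipped cases are the ones worth replaying against a real inspection path: in both, the sensitive value is present in the mail but sits where the stated limits say it will not be looked at, so the only defensible control is to block or quarantine what the inspector cannot open rather than to assume it was clean.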
Browser Support for Remote Browser Isolation
July 26, 2024
In addition to Google Chrome, Microsoft Edge, and Safari browsers, the Firefox
browser is now supported for Remote Browser Isolation (RBI) on macOS and Windows
desktop operating systems.
Refer to How Remote Browser Isolation Works for
the combination of operating systems and browsers that your users can use for
isolated browsing.
Mobile Support for Remote Browser Isolation
July 26, 2024
To help broaden the device support for your managed users, mobile support is
added for Remote Browser Isolation (RBI) in addition to macOS and Windows
desktop operating systems. Your managed users can now use Android, iOS, and
iPadOS devices for isolated browsing.
Refer to How Remote Browser Isolation Works for
the combination of operating systems and browsers that are supported for RBI.
AI Runtime Security
July 24, 2024
Palo Alto Networks AI Runtime Security is a purpose-built firewall that discovers, protects, and defends enterprise traffic flows, with a focus on AI-specific threats such as prompt injection and denial-of-service attacks against AI models. It combines continuous runtime threat analysis of your AI applications, models, and data sets with AI-powered security to protect your AI application ecosystem from both AI-specific and conventional network attacks.
AI Runtime Security uses anomaly detection to protect AI models from manipulation and to preserve the reliability and integrity of AI output. It blocks prompt injections, malicious responses, training data poisoning, malicious and embedded unsafe URLs, command-and-control traffic, and lateral threat movement.
AI Runtime Security uses Strata Cloud Manager (SCM) as its configuration and management engine. To begin, activate and onboard your cloud service provider account in SCM. The AI Security Profile imports security capabilities from Enterprise DLP and URL Filtering for inline detection of threats in AI application traffic.
AI Runtime Security is built on four key elements:
- Discover: AI Runtime Security discovers your enterprise AI applications and all other applications. Its dashboard provides visibility and security insights into your AI and other applications in a few clicks, with actionable intelligence on AI traffic flows covering your applications, models, user access, and infrastructure threats.
- Deploy: Deployment with Terraform templates automates the procedure, reducing human error and the time spent on manual configuration tasks. Download the Terraform templates to deploy your AI Runtime Security instance, and grant permissions to your cloud service provider account projects so that it can analyze flow logs and DNS logs.
- Detect: Identify unprotected traffic flows that pose potential security threats to the cloud network, detect potential security risks based on logs, and get recommended actions to remediate them.
- Defend: Shield your organization's AI application ecosystem from AI-specific and conventional network attacks with real-time AI-powered security, including continuous discovery of AI network traffic across containers and namespaces.
To learn more about AI Runtime Security activation, onboarding, and deployment,
see AI Runtime Security documentation.
Dynamic Privilege Access
July 24, 2024
For Enterprise IT and IT Enabled Services (ITES) companies that need to control
which users have access to their customer projects, Dynamic Privilege Access provides a
seamless, secure, and compartmentalized way for your users to access only those
projects that they are assigned to. Employees are typically assigned to several
customer projects and are provided with siloed access to these projects so that
an authorized user can access only one customer project at a time.
A new predefined role called the Project Admin is
available to allow project administrators to create and manage project
definitions. Project administrators have the ability to map projects to select
Prisma Access location groups, and create IP address assignments using DHCP
based on the project and location group.
Panorama to Strata Cloud Manager Migration
July 24, 2024
If you use Panorama to manage your existing Prisma Access deployment, Palo Alto Networks now provides an in-product workflow to help you migrate your existing Prisma Access configuration to Strata Cloud Manager. This migration workflow is disabled by default; when you're ready to move to cloud management, contact your account team to enable the feature and begin your migration.
The benefits of moving to Strata Cloud Manager include:
- Continuous Best Practice Assessments
- Secure default configurations
- Machine learning (ML)-based configuration optimization
- Simplified web security workflow
- Comprehensive and actionable visualizations
- Intuitive workflows for complex tasks
- Simple and secure management APIs
- Cloud-native architecture provides scalability, resilience, and global reach
- No Panorama hardware to manage or software to maintain
View and Monitor Dynamic Privilege Access
July 24, 2024
Dynamic Privilege Access enables Prisma Access to apply different network and Security policy rules to mobile user flows based on the project your users are working on. Use Strata Cloud Manager to monitor your users' project activity across your Prisma Access Agent deployment: in the Strata Cloud Manager Command Center, you can view both user-based and project-based access information in your environment.
Support for Deleting Connector IP Blocks
July 24, 2024
To allow more flexibility after you configure Connector IP Blocks, you can now update and delete them. However, you can delete Connector IP Blocks only after you delete all the ZTNA objects on the tenant, such as connectors, applications, wildcards, and connector groups.
Strata Cloud Manager: Cross-Scope Referenceability in Snippets
July 24, 2024
Enterprises need to enforce configuration objects and global settings
consistently across all deployments. By referencing global settings across
various scopes, such as snippets or folders, organizations can streamline
operations, eliminate redundant configurations, and enhance centralized
management. For example, organizations can effectively manage custom URL
categories for access policy rules, threat prevention profiles, zones,
addresses, and other objects representing standard network segments.
This feature allows you to reference any common configurations or objects attached to the global scope and push them to NGFWs or Prisma Access deployments. Shared objects and configurations in the global scope are available to all snippets. Snippets associated with the global scope are considered global snippets, and the objects defined in them can be referenced from any snippet in the configuration. This lets you manage configurations from a single location and update and enforce global standards across all deployments.
Strata Cloud Manager: Disable Default HIP Profiles
July 24, 2024
Enterprise DLP: File Type Exclusion
July 24, 2024
Enterprise Data Loss Prevention (E-DLP) now supports creating a file type exclusion list when
modifying a DLP Rule to define the type of traffic
to inspect, the impacted file types, action, and log severity for the data
profile match criteria. Creating a file type exclusion list, rather than an
inclusion list, instructs the NGFW or Prisma Access tenant to
forward all file types except for those specified in the exclusion list to Enterprise DLP for inspection and verdict rendering. A DLP Rule can be
configured with an inclusion or exclusion file type list, but not both.
Forward Email Alerts and SNMP Traps to External Servers
July 24, 2024
You can now configure email alerts for log types such as System, Config, HIP Match, Correlation, Threat, WildFire Submission, and Traffic logs. For each log type, you can set up a separate email profile, so notifications for different log types can go to different email servers. You can define up to four servers within a single profile for high availability. You can enable transport layer security (TLS) so that alert messages and the SMTP session to the email server are protected in transit.
You can use Simple Network Management Protocol (SNMP) traps to receive alerts for critical system events on Palo Alto Networks firewalls, such as hardware or software failures or changes. Additionally, you can receive alerts when traffic matches a firewall Security policy rule that needs immediate attention.