New Features in July 2024
Strata Cloud Manager

Here are the new features available in Strata Cloud Manager in July 2024. Features listed here include some feature highlights for the products supported with Strata Cloud Manager. For the full list of new features supported for a product you're using with Strata Cloud Manager, see the release notes for that product.

Email DLP Enhancements

July 29, 2024
Supported for:
  • Data Security
Enterprise Data Loss Prevention (E-DLP) has introduced the following enhancements to Email DLP to strengthen your security posture when inspecting outbound emails from your organization to prevent exfiltration of sensitive data.
  • If you need to send an outbound email containing sensitive data, you can now forward outbound Gmail and Microsoft Exchange emails to your Proofpoint server to encrypt them on their way to the target recipient if Enterprise DLP detects sensitive data. Encrypting outbound emails containing sensitive data prevents email messages from being read by an unintended or unauthorized individual.
  • Email DLP now supports inspection of .eml files and up to five levels of nested .eml email files. Enterprise DLP can only inspect nested .eml files, and cannot inspect any other supported file types that may contain nested files.
  • (Microsoft Exchange only) You can now configure Enterprise DLP to send an email notification to the outbound email sender in an Email DLP policy rule when Enterprise DLP detects sensitive data, to immediately notify email senders when their email was not sent out to their intended recipient due to a data security violation. For example, this notification allows an email sender that erroneously sent an outbound email containing sensitive data to modify their email and resend it.
    This applies to Email DLP policy rules where the response Action is Forward email for approval to end user's manager, Forward email for approval to admin, or Quarantine.
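
The nested .eml limit above can be checked before mail reaches inspection. The following is an added example, not Palo Alto Networks code: it measures how many levels of .eml attachments a message carries so that messages nested beyond the five inspected levels can be routed to manual review. It assumes one level equals one message/rfc822 attachment; the function names and sample messages are constructed for illustration.

```python
"""Added example: measure how deeply .eml messages are nested inside an email."""
import email
from email import policy
from email.message import EmailMessage

# The page states Email DLP inspects up to five levels of nested .eml files.
INSPECTED_LEVELS = 5
# Stop counting nested .eml levels here so the walk stays bounded.
MAX_WALK = 50


def eml_depth(msg, depth=0):
    """Return the deepest chain of message/rfc822 (.eml) attachments in msg."""
    if depth >= MAX_WALK:
        return depth
    if msg.get_content_type() == "message/rfc822" and msg.is_multipart():
        # A parsed message/rfc822 part holds exactly one embedded message.
        return eml_depth(msg.get_payload(0), depth + 1)
    if msg.is_multipart():
        return max((eml_depth(p, depth) for p in msg.get_payload()), default=depth)
    return depth


def review_needed(raw_bytes):
    """Return (depth, flag); flag is True when nesting exceeds the inspected depth."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    depth = eml_depth(msg)
    return depth, depth > INSPECTED_LEVELS


def build_nested(levels):
    """Construct a sample message with `levels` nested .eml attachments."""
    inner = EmailMessage()
    inner["Subject"] = "level 0"
    inner.set_content("innermost body (constructed sample)")
    for i in range(1, levels + 1):
        outer = EmailMessage()
        outer["Subject"] = f"wrapper {i}"
        outer.set_content("see attached message")
        outer.add_attachment(inner, filename=f"level{i - 1}.eml")
        inner = outer
    return inner.as_bytes()


if __name__ == "__main__":
    for n in (0, 3, 6):
        print(n, review_needed(build_nested(n)))
```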

Browser Support for Remote Browser Isolation

July 26, 2024
Supported for:
  • Prisma Access (Managed by Panorama)
  • Prisma Access (Managed by Strata Cloud Manager)
In addition to Google Chrome, Microsoft Edge, and Safari browsers, the Firefox browser is now supported for Remote Browser Isolation (RBI) on macOS and Windows desktop operating systems.
Refer to How Remote Browser Isolation Works for the combination of operating systems and browsers that your users can use for isolated browsing.

Mobile Support for Remote Browser Isolation

July 26, 2024
Supported for:
  • Prisma Access (Managed by Panorama)
  • Prisma Access (Managed by Strata Cloud Manager)
To help broaden the device support for your managed users, mobile support is added for Remote Browser Isolation (RBI) in addition to macOS and Windows desktop operating systems. Your managed users can now use Android, iOS, and iPadOS devices for isolated browsing.
Refer to How Remote Browser Isolation Works for the combination of operating systems and browsers that are supported for RBI.

AI Runtime Security

July 24, 2024
Supported for:
  • AI Runtime Security (Managed by Strata Cloud Manager)
Palo Alto Networks AI Runtime Security is a purpose-built firewall to discover, protect, and defend enterprise traffic flows against all potential threats, with a focus on addressing AI-specific vulnerabilities such as prompt injection and denial-of-service attacks on AI models. It combines continuous runtime threat analysis of your AI applications, models, and data sets with AI-powered security to stop attackers in their tracks. AI Runtime Security leverages real-time AI-powered security to protect your AI application ecosystem from both AI-specific and conventional network attacks.
AI Runtime Security leverages critical anomaly detection capabilities and protects AI models from manipulation to ensure the reliability and integrity of AI output data. It rejects prompt injections, malicious responses, training data poisoning, malicious URLs, command and control, embedded unsafe URLs, and lateral threat movement.
AI Runtime Security uses Palo Alto Networks Strata Cloud Manager (SCM) as the main configuration and management engine. To begin, activate and onboard your cloud service provider account on SCM. The AI Security Profile imports security capabilities from Enterprise DLP and URL Filtering for inline detection of threats in AI application traffic.
AI Runtime Security is powered by the following four key elements:
  • Discover - AI Runtime Security discovers your enterprise AI applications and all other applications. The AI Runtime Security dashboard provides complete visibility and security insights into your AI and other applications in just a few clicks. You can effortlessly gain actionable intelligence on AI traffic flows covering your applications, models, user access, and infrastructure threats.
  • Deploy - Deploying AI Runtime Security with Terraform templates automates the deployment procedure, reducing human error and the time required for manual configuration tasks while protecting your enterprise AI applications. Deploy your AI Runtime Security instance by downloading the Terraform templates and providing permissions to your cloud service provider account projects to analyze flow logs and DNS logs.
  • Detect - Identify unprotected traffic flows with potential security threats to the cloud network, and detect potential security risks based on logs, with recommended actions to remediate.
  • Defend - Shield your organization’s AI application ecosystem from AI-specific and conventional network attacks by leveraging real-time AI-powered security. Get continuous discovery of the AI network traffic on the containers and namespaces.
To learn more about AI Runtime Security activation, onboarding, and deployment, see the AI Runtime Security documentation.

Dynamic Privilege Access

July 24, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
For Enterprise IT and IT Enabled Services (ITES) companies that need to control which users have access to their customer projects, Dynamic Privilege Access provides a seamless, secure, and compartmentalized way for your users to access only those projects that they are assigned to. Employees are typically assigned to several customer projects and are provided with siloed access to these projects so that an authorized user can access only one customer project at a time.
A new predefined role called Project Admin is available to allow project administrators to create and manage project definitions. Project administrators have the ability to map projects to select Prisma Access location groups, and create IP address assignments using DHCP based on the project and location group.

Panorama to Strata Cloud Manager Migration

July 24, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
If you have an existing Prisma Access (managed by Panorama) deployment and want to switch from Panorama to cloud management, Palo Alto Networks offers an in-product workflow that lets you migrate your existing Prisma Access configuration to Strata Cloud Manager. While this migration workflow is disabled by default, you can reach out to your account teams to enable this feature and begin the migration to cloud management.
Benefits of moving to cloud management include:
  • Continuous best practice assessments
  • Secure default configurations
  • Machine Learning (ML)-based configuration optimization
  • Simplified web security workflow
  • Comprehensive and actionable visualizations
  • Intuitive workflows for complex tasks
  • Simple and secure management APIs
  • Cloud-native architecture provides scalability, resilience, and global reach
  • No hardware to manage or software to maintain

View and Monitor Dynamic Privilege Access

July 24, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
Dynamic Privilege Access enables Prisma Access to apply different network and Security policy rules to mobile user flows based on the project your users are working on. In the Strata Cloud Manager Command Center, you can view user-based access information in your environment.
Gain visibility into your Prisma Access Agent deployment by using Strata Cloud Manager to monitor your users' project activity. In the Strata Cloud Manager Command Center, you can view project-based access information in your environment.

Support for Deleting Connector IP Blocks

July 24, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
To allow more flexibility after you configure Connector IP Blocks, you can now delete and update the Connector IP Blocks. However, you can delete the Connector IP Blocks only after you delete all the ZTNA objects such as connectors, applications, wildcards, and connector-groups on the tenant.

Strata Cloud Manager: Cross-Scope Referenceability in Snippets

July 24, 2024
Supported for:
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • NGFW (Managed by Panorama or Strata Cloud Manager)
Enterprises need to enforce configuration objects and global settings consistently across all deployments. By referencing global settings across various scopes, such as snippets or folders, organizations can streamline operations, eliminate redundant configurations, and enhance centralized management. For example, organizations can effectively manage custom URL categories for access policy rules, threat prevention profiles, zones, addresses, and other objects representing standard network segments.
This feature allows you to reference any common configurations or objects attached to a global scope and push them to NGFWs or Prisma Access deployments. These shared objects and configurations within the global scope are available to all the snippets. Snippets associated with the global scope are considered global snippets, and the objects defined within these snippets can be referenced across any snippets in the configuration. This simplifies the process of managing configurations from a single location, updating, and enforcing global standards across all deployments.

Strata Cloud Manager: Disable Default HIP Profiles

July 24, 2024
Supported for:
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
  • NGFW (Managed by Panorama or Strata Cloud Manager)
The default HIP objects and HIP profiles in Strata Cloud Manager have been moved from the Global-Default snippet to the HIP-Default snippet, providing greater flexibility in managing the default HIP profiles. You can choose to disable the default HIP profiles by disassociating the HIP-Default snippet from the global folder.

Enterprise DLP: File Type Exclusion

July 24, 2024
Supported for:
  • NGFW (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Strata Cloud Manager)
Enterprise Data Loss Prevention (E-DLP) now supports creating a file type exclusion list when modifying a DLP Rule to define the type of traffic to inspect, the impacted file types, action, and log severity for the data profile match criteria. Creating a file type exclusion list, rather than an inclusion list, instructs the NGFW or Prisma Access tenant to forward all file types except for those specified in the exclusion list to Enterprise DLP for inspection and verdict rendering. A DLP Rule can be configured with an inclusion or exclusion file type list, but not both.
