New NetSec Platform Features on Strata Cloud Manager (March 2026)
See all the new features made available for Strata Cloud Manager in March
2026.
These new features follow the Strata Cloud Manager release model of continuous feature deployment; as they're ready, we make them
available to ensure the latest support for all products and subscriptions across the
NetSec platform. There's no Strata Cloud Manager upgrade or management version
requirement associated with these features; however, check if they have version or
license dependencies associated with other parts of the NetSec platform (like a
cloud-delivered security service subscription, or a Prisma Access version, for
example).
Object Type Filter in Incidents Dashboard
March 11, 2026
Supported for:
Strata Cloud Manager
Manually searching through numerous network incidents to find issues
affecting specific infrastructure components is time-consuming and delays
troubleshooting. To solve this challenge, the primary impacted object type filter in
Strata Cloud Manager introduces a dynamic, key-value-based filtering mechanism on
the Incidents dashboard. When you analyze
incidents across your network environment, you often need to focus on issues
impacting particular sites, applications, or tunnels. This feature enables you to
select an impacted object type and choose from dynamically populated values,
streamlining your incident analysis workflow.
You can use this capability to investigate all incidents affecting a
critical application, assess the reliability of a specific site over time, or
correlate incidents across multiple components that share a common infrastructure
element. The filter adapts to your incident context, ensuring that only relevant
object types and values appear based on the incidents you are reviewing. By
leveraging this feature, you perform faster root cause analysis, reduce mean time to
resolution for incidents impacting business-critical objects, and make informed
decisions about remediation priorities. This targeted visibility allows operations
teams to transition seamlessly between broad incident monitoring and specific
object-level investigation.
Next-Generation Trust Security
March 9, 2026
Supported for:
Strata Cloud Manager
Next-Generation Trust Security unifies public and private trust under a single
control framework. It extends Strata™ Cloud Manager with integrated certificate
lifecycle governance and SaaS-based private PKI services. By shifting from periodic
infrastructure management to continuous operational control, this solution ensures
that the systems validating trust and authenticating identities depend on real-time
certificate state. The result is sustained network resilience and governed
certificate velocity at an enterprise scale.
Key capabilities include:
Unified Discovery and Inventory:The discovery engine scans
public and private networks, internal and external CAs, cloud-native key
stores, Kubernetes clusters, and network appliances. It creates a single
authoritative inventory that provides visibility into expiration status,
trust hierarchies, and policy alignment across the entire certificate
estate.
Policy-Driven Automation: Automated workflows govern the
entire certificate lifecycle, covering issuance, installation, validation,
renewal, and retirement across enterprise environments to prevent outages.
It also supports post-quantum readiness and enables organizations to manage
the increasing renewal velocity associated with shortened certificate
lifecycles.
SaaS-based Private PKI Services: The SaaS-based private PKI
capability replaces hardware-dependent, on-premises CA environments with
cloud-delivered PKI services that provide HSM-backed secure operations and
high availability across regions.
Crypto-Agility: The CA-neutral architecture enables
organizations to execute controlled transitions, such as algorithm updates
or CA changes, without destabilizing production systems.
Outage Prevention: Next-Generation Trust Security preserves
enforcement continuity and enterprise-wide certificate health by ensuring
certificates supporting critical services are renewed and validated before
expiration. Continuous monitoring and automated lifecycle controls reduce
the risk of certificate-related failures across your operational
environment.
After activation, you can access and manage Next-Generation Trust Security
directly within Strata Cloud Manager. From a centralized interface, you can align
cryptographic trust with your network control plane, ensuring consistent governance
across firewalls, SASE services, and enterprise workloads.
Unified Activation Console for SASE Products
Important: We are rolling out this new, unified activation experience in
stages. For supported SASE products, you may see the new activation console now,
or you maybe directed to use the Hub for activation until the update reaches
your tenant.
Introducing a unified and simplified activation and onboarding
experience for all SASE products through the redesigned Activation
Console (formerly called the Hub). This
centralizes all activation and license management tasks in a single, streamlined
portal, allowing administrators to view, activate, and manage SASE products
efficiently. Products can now be activated at any time directly from the console,
eliminating reliance on magic links. Newly purchased products are automatically
added to the default Customer Support Portal (CSP) account, reducing manual steps
and avoiding complications if the CSP is changed after activation. All SASE products
can now be managed from one interface, improving visibility, control, and
operational efficiency.
This experience is available for the following SASE products:
Prisma Access
Prisma Browser
Remote Browser Isolation
CASB-X
Data Security
AI Access Security
SaaS Security Posture Management
Enterprise DLP
The Firewall and SD-WAN products (Next-Generation Firewall,
SD-WAN) continue to use existing activation and license
management workflows. There are no changes to tenant management, subscription views,
or activation processes for these products.
Key Changes in Activation and Subscription Management for SASE Products
Centralized Activation and Management
All SASE product activations and license
management are now performed through the
Subscriptions & Add-ons page in the
Activation Console, providing a single,
unified interface.
Magic links and authorization codes are no longer required; a
Welcome Email provides a direct link to the Activation
Console, from where the product can be activated.
The Subscriptions & Add-ons page
offers a consolidated overview of all products, including active
subscriptions, add-ons, and trials.
The product amendment, renewal, and activation status are
automatically updated in the Activation Console.
Starting with activation, all lifecycle operations, including
adding or removing add-ons, renewing subscriptions, and making
amendments, can now be performed directly from the
Subscriptions & Add-ons page in
the Activation Console.
Automatic CSP Assignment
New products are now automatically added to the primary Customer Support
Portal (CSP) account with a primary Tenant Service Group (TSG), making them
immediately available for activation. This eliminates the need for manual CSP
selection, reduces errors, and ensures a smoother activation experience.
Subscription Management
The Subscriptions & Add-ons page now contains two
tabs:
SASE tab – Lists all SASE products. Within this
tab:
Trials – Displays all trial
products.
Subscriptions – Lists subscribed
products that are either activated or ready to be
activated.
Firewall and SD-WAN tab – Lists all the firewall
and SD-WAN products that will follow the old activation
process.
In the Strata Cloud Manager, you can only view the subscription
list, but all activation and management operations must be performed
through the Subscriptions & Add-onspage in
the Activation Console.
For multitenant environments, the Subscriptions
& Add-onspage includes a Tenant Browser that shows
the tenant hierarchy. Administrators can switch between tenants to view
products that are activated or waiting to be activated on each tenant
and see high-level details such as license allocations.
The Serial Number previously used to identify a product is now
referred to as the Entitlement Group ID.
Tenant Management
All operations on the subscriptions that were previously performed from Tenant
Management must now be performed through the Activation ConsoleSubscriptions & Add-Ons. This includes amending products, allocating licenses across multiple
tenants, and managing add-ons.
Here are the updated incidents with probable root cause
incidents:
INC_NGFW_HA_STATE_TRANSITIONED_UNHEALTHY
INC_NGFW_LOG_LOSS
INC_NGFW_REDUCED_LOG_FORWARDING
INC_NGFW_TO_MANAGING_PANORAMA_CONNECTIVITY
INC_NGFW_PANO_NON_COMMIT_OP_SLOW
INC_NGFW_SLOW_PANORAMA_COMMIT_OPS
Health incidents actively monitor the health and
performance of your platform in real time. This approach helps in identifying
issues, predicting potential problems, and implementing remediation actions to
ensure your devices function optimally. Here are some key aspects:
Monitoring Metrics: Continuously monitor various metrics from the
NGFWs, including CPU utilization, memory usage, disk space, network
throughput, and other relevant performance indicators.
Anomaly Detection: Generate alerts that dynamically adjust based on
the metric's historical value and your usage trends.
Predictive Analysis: Leverage historical data and patterns to
predict when thresholds might be exceeded or specific events may occur. This
helps forecast potential issues before they escalate.
