Do dynamic business needs often require you to deal with rapid configuration changes that result in complex configurations with a number of zero hit rules, zero hit objects, unused objects, and duplicate objects? Such configurations can lead to a poor security posture and can inadvertently increase the attack surface of your network. Config Cleanup has you covered.

Config Cleanup gives you a comprehensive view of all policy rules that have no hits, objects that aren't referenced directly or indirectly in your configuration, objects that are referenced in a policy rule but have no hits in the Traffic log during the specified time frame, and objects of the same type with different names but have the same values so that you can better:

Identify and remove unused configuration objects and policy rules from your configuration. Removing unused configuration objects eases administration by removing clutter and preserving only the configuration objects that are required for security enforcement.

Review unused objects and policy rules across your entire Strata Cloud Manager configuration for the last 6 months, and optimize policy rules that are overly permissive rules to convert these to be more specific, focused rules that only allow the applications you’re actually using.

Together with Policy Optimizer, these tools help you ensure that your policy rules stay fresh and up to date.

Hone and optimize overly permissive security rules so that they only allow traffic that are actually in use in your network. Rules that are too broad introduce security gaps because they allow applications that are not in use in your network. Policy Optimizer enables you to convert these overly permissive rules to more specific, focused rules that only allow the applications you’re actually using.

Strata Cloud Manager analyzes log data and categorizes rules as overly permissive when they are allowing any application traffic, and the rules must be at least 15 days old. These rules can introduce security loopholes, if they’re allowing traffic that’s not necessary for enterprise use.

For rules identified as overly permissive, Strata Cloud Manager auto-generates recommendations you can accept to optimize the rule. The new, recommended rules are more specific and targeted than the original rule; they explicitly allow only the applications that have been detected in your network in the last 90 days.

Select an overly permissive rule to review, adjust, and accept optimization recommendations. Replacing these rules with the more specific, recommended rules strengthens your security posture. You can choose to accept some or all of the rule recommendations. Accepting recommendations to optimize a rule does not remove the original rule. The original rule remains listed below the new rules in your Security policy; this is so you can monitor the rule, and remove it when you’re confident that it’s not needed. Both the original rule and optimized rules are tagged so you can easily identify them in your Security policy.

Together with Config Cleanup, these tools help you ensure that your policy rules stay fresh and up to date.

Strata Cloud Manager (SCM) now enables you to configure IPv4 multicast routing on virtual routers and logical routers. You can enable Protocol-Independent Multicast (PIM), Internet Group Management Protocol (IGMP), and Multicast Source Discovery Protocol (MSDP) on supported interfaces. Additionally, SCM enables you to configure PIM Interface Timer profiles, MSDP Timer profiles, and IGMP Interface Query profiles. You can also create IPv4 mroutes, which are static unicast routes that point to a multicast source. Logical routers support only IGMPv2 and IGMPv3 (not IGMPv1). Only logical routers support a multicast static group (virtual routers do not).

Enhanced onboarding and bootstrapping visibility for Strata Cloud Manager improves the NGFW activation process for branch locations, providing visibility and troubleshooting capabilities. This feature addresses the challenges faced by installers with minimal technical knowledge who are responsible for onboarding firewalls. Enhanced visibility for onboarding and bootstrapping offers real-time status updates to administrators throughout the process.

With enhanced visibility for onboarding and bootstrapping, you can monitor the detailed bootup status, including the license download, content upgrade, software upgrade, and configuration push. The feature introduces status bars that reflect the progress of each stage, ensuring you have a clear understanding of the activation process. In case of any interruptions or errors, such as issues with device certificates, TSG ID validation, software updates, or content updates, the bootstrap status indicates where the process failed and allows you to immediately restart.

Strata Cloud Manager for Configuration Management is a solution that is defined and controlled based on the region where it is deployed. You can deploy Strata Cloud Manager in the locations of your choosing, based on data location preferences and where you have the most users. For this reason, we are rolling out region-specific support for Strata Cloud Manager as soon as we are able to do so for each region.

Strata Cloud Manager introduces a set of user interface improvements designed to make policy and device management more intuitive and efficient. These updates focus on simplifying workflows, improving data visibility, and enhancing the overall user experience.

Strata Copilot now extends its reach to new regions, enhancing global accessibility. This expansion brings the powerful AI-driven assistance to users in China, Qatar, and Saudi Arabia. By increasing geographical coverage, Strata Copilot offers more organizations the opportunity to streamline their security operations, leverage intelligent insights, and improve overall efficiency in managing their Palo Alto Networks solutions in Strata Cloud Manager across these diverse locations.

Unexpected session timeouts and inactivity logouts can significantly disrupt user productivity and lead to increased helpdesk tickets. The Prisma Access Agent addresses this issue by introducing configurable notifications that alert users before their sessions expire or terminate due to inactivity. You can now set up timely warnings and custom messages to keep your users informed and provide them with the option to extend their sessions when needed.

You can customize sessions by setting their duration, scheduling logout notifications, and creating custom expiration messages. You can set the duration a user can stay logged in to a session, and also set the amount of time to wait before the agent session ends due to user inactivity. The ability to customize session timeouts and notifications helps balance user access needs with network security. It enables you to control session timeouts, keep users informed about their session status, and communicate important information.

To address the potential risks of end users disabling the Prisma Access Agent, your users can now use a one-time password (OTP) system to securely disable the agent. With the OTP system, Prisma Access Agent can generate unique, single-use codes for agent disabling, enhancing security and administrative control. You can configure the OTP system on a per-user or per-user group basis, providing granular control over who can disable agents and when. When users enter the correct OTP, the agent verifies it locally and disables itself, ensuring functionality even in offline scenarios. This feature also improves auditing capabilities by logging all OTP-related activities, helping you track and monitor agent disabling events across your network. By implementing this OTP system, you can meet compliance requirements, align with industry standards, and provide a more secure and flexible solution for managing Prisma Access Agents.

While the Prisma Access Agent routes mobile user IPv4 traffic through a protected tunnel to Prisma Access, IPv6 traffic is conventionally sent to the local network adapter on an endpoint. Prisma Access offers the ability to enhance security for dual-stack endpoints by sinkholing IPv6 traffic. By enabling IPv6 sinkholing, you can effectively mitigate risks associated with IPv6-based threats, thus reducing your overall attack surface. This feature is valuable in scenarios where you need to maintain a secure environment for mobile users accessing the internet. As endpoints can automatically fall back to IPv4 addresses, you can ensure a continuous and protected user experience without compromising on security. By implementing this capability, you strike an optimal balance between robust threat prevention and uninterrupted connectivity for your mobile workforce.

Organizations transitioning to Prisma Access Agent face challenges when their existing authentication infrastructure uses LDAP/LDAPS, as Prisma Access Agent previously only supported SAML and certificate authentication through Cloud Identity Engine (CIE). This can create significant adoption barriers, especially in regions where LDAP usage is prevalent. LDAP support for Prisma Access Agent addresses this challenge by enabling you to leverage your existing GlobalProtect™ portal LDAP authentication infrastructure, eliminating the need to reconfigure authentication methods when migrating to Prisma Access Agent.

With LDAP authentication support, you can now configure your Prisma Access Agent to authenticate users against your existing directory services through the GlobalProtect portal. This integration provides a seamless authentication experience for your users while maintaining your existing security policies. The feature supports all standard LDAP configuration options, including Base DN, Bind DN, multiple LDAP servers, SSL/TLS secure connections, and server certificate verification for SSL sessions. You can also combine LDAP authentication with client certificate authentication using AND/OR logic to meet your specific security requirements.

The enhanced user experience includes support for saved user credentials, enabling seamless authentication across device states such as sleep-wake cycles, hibernation, and network transitions. When properly configured, users won't need to repeatedly enter their credentials after logging into their operating system.

By supporting LDAP authentication through the GlobalProtect portal, Prisma Access Agent provides you with a smoother migration path from GlobalProtect to Prisma Access Agent, preserving your authentication setup while enabling you to transition to a newer access agent. This feature is valuable for existing deployments where reconfiguring authentication methods would otherwise increase deployment complexity and time.

Organizations face difficulties in pushing updates to remote machines without requiring users to log in to their machines, which can delay critical updates and impact user productivity. Pre-logon for Prisma Access Agent addresses this challenge by establishing a secure connection before user authentication occurs. This feature enables you to manage and update remote devices efficiently, improving IT productivity, and enhancing the overall security posture.

With pre-logon, you can establish a tunnel as soon as a device boots up, using machine certificate authentication. This enables access to critical resources like domain controllers or LDAP servers, even when they are only accessible through the tunnel. You can now perform essential management tasks, such as applying group policies, installing software updates, and synchronizing roaming profiles, without waiting for user login.

Pre-logon is useful for remote users. It enables scenarios such as the application of group policies and software updates before user login, and synchronization of roaming profiles. For kiosks like ATM machines, it allows connection to the corporate network without user intervention.

The feature requires client certificates for authentication. You can configure certificate-based authentication for pre-logon while maintaining SAML or other methods for user login. This flexibility ensures that your security policies remain intact while improving device management capabilities.

You can troubleshoot the agent using existing Prisma Access Agent tools like log retrieval and HIP reports even when the pre-logon tunnel is active. The feature supports agent upgrades and downgrades, ensuring your devices remain current and secure.

By implementing pre-logon, you can significantly improve the management of remote and corporate-owned devices, reduce IT overhead, and enhance security by ensuring devices are properly configured and updated before users gain full network access. This feature is designed to work across system restarts and sleep-wake cycles, providing consistent connectivity for your managed devices.

Mobile users often struggle to connect securely when working from locations with captive portals, such as hotels, cafes, and airports. These captive portals require authentication before allowing internet access. Prisma Access Agent automatically detects when a user has connected to a network with a captive portal and opens the captive portal authentication page in its embedded browser, enabling users to authenticate without bypassing security policies. This approach enhances security by containing the captive portal interaction within the controlled environment of the embedded browser, mitigating risks associated with external browser use.

By using captive portal support with Prisma Access Agent's embedded browser functionality, you ensure that your mobile workforce maintains secure access to corporate resources across diverse network environments. It prevents scenarios where employees are unable to access the internet or corporate resources due to undetected captive portals, while also addressing security concerns related to captive portal interactions. This solution significantly reduces connectivity-related support tickets, improves overall user productivity, and provides an integrated, secure experience for your remote and traveling employees while maintaining the stringent security standards your organization requires.

Managing SAML authentication across various web browsers poses significant challenges for administrators, often resulting in a cumbersome user experience with annoying pop-ups and redirections between the access agent and browser.

The Prisma Access Agent embedded browser addresses this issue by integrating a dedicated browser directly into the agent, providing your users with a consistent in-app experience for Prisma Access Agent logins, simplifying administration and enhancing security. By keeping the authentication process within the application, you eliminate the need for external browser interactions, reduce the risk of user confusion, and mitigate potential security vulnerabilities associated with browser redirections.

With support for various authentication methods, compatibility with existing Prisma Access Agent features, the embedded browser significantly improves both security and usability in your remote access infrastructure.

Prisma Access Agent now supports transparent proxy connections, offering always-on internet security and private app access for your mobile users. This feature enables seamless coexistence with third-party VPN agents, enhancing your organization's security posture. You can use it to secure all internet traffic from browser and nonbrowser apps, even when users are disconnected from the tunnel. The solution forwards internet traffic to Prisma Access, preventing users from bypassing Prisma Access.

You can support various scenarios including users connecting from home, branch offices, or public Wi-Fi. It's compatible with endpoints running third-party VPNs in full or split tunnel modes. The feature prevents conflicts on endpoints and offers admin controls to maintain smooth operation. You will find this useful for maintaining consistent security across diverse networks. It supports continuous trust verification for mobile users through device posture checks. By implementing this functionality, you can enforce security policies regardless of user location or connection method, strengthening your overall security stance and strengthening your overall security posture with always-on connectivity.

We introduced the ability to extend Prisma Access user group policy with the short form format. Migrating security policies from NGFW to Prisma Access requires policy elements standardization. Prisma Access only supports long-form DN entries for group-based policies, while the NGFW allows using other formats such as SAML account name/Common Name and email address. This feature enables customers to define the group format choice for security policy creation, allowing standardized policy creation across Prisma Access and NGFW.

Depending on your license for an enterprise browser, the following new items are available in Strata Cloud Manager for visibility:

• Activity InsightsUsers
  New Connection Method = Enterprise Browser
  Enterprise Browser is now available as a Connection Method to filter user activity by Enterprise Browsers in Prisma Access. You can view the following details:

  • Active Users trend chart
  • Current Active User count and list
  • Risky Users
  • Active Users list including User Name, Browser Type, Browser Version, Last Source IP, Last Source Location, Last Used PA Location, and Last Activity Time

  If you have multiple enterprise browsers, you can switch to Prisma Access Browser or any other supported third-party enterprise browser using Connection Method.

• MonitorSubscription UsageMobile Users
  You can see the usage count under Total Unique Users.
• MonitorPrisma Access Locations
  New widget for Explicit Proxy locations, status, and connectivity to Strata Logging Service.

You can now quickly determine if Palo Alto Networks provides protection against specific vulnerabilities using Strata Copilot. When investigating specific CVEs, Strata Copilot searches comprehensive data sources to provide detailed protection information including unique threat IDs, descriptions, categories, compatible PAN-OS versions, release dates, and current status.

To receive information about available safeguards for deeper investigation, you can simply ask questions like:

"Is there coverage for the CVE mentioned in this article? <articleURL>"

"Does Palo Alto Networks protect against <CVE>?"

Designed for enterprise-scale performance, Strata Copilot handles large datasets related to Threat Detection and Prevention data while delivering responses in under 5 seconds for most threat intelligence queries. Strata Copilot minimizes latency between data updates and availability to ensure you always receive the most current information about CVE protection status and potential threat actor exploitation activity in your environment.