Analyzing large volumes of configuration differences during a firewall migration is challenging when constrained by small, unorganized, or unclear views. To solve this, the configuration diff feature for Panorama® migration to Strata Cloud Manager provides a comprehensive, full-screen viewer with categorized breakdowns.

Rather than scrolling through raw data, you can examine changes with greater clarity and context. The configuration diff automatically classifies informational changes into descriptive subcategories—such as default additions, updated references, and renamed objects—allowing you to quickly understand the volume and nature of modifications. You have the flexibility to switch between examining detailed line-by-line configuration changes and reviewing a structured list of affected objects grouped by type.

Additionally, the feature provides immediate visibility into whether objects were added, deleted, or modified. It also offers crucial context for unsupported items by explaining why specific objects cannot be migrated, which helps you plan necessary workarounds. When you need to share findings with stakeholders, you can export the complete diff data to ensure you capture all relevant information for offline analysis and documentation.

Strata Cloud Manager for Configuration Management is a solution that is defined and controlled based on the region where it is deployed. You can deploy Strata Cloud Manager in the locations of your choosing, based on data location preferences and where you have the most users. This selection of locations allows for optimized performance, adherence to data residency requirements, and tailored user experiences based on geographical proximity. For this reason, we are rolling out region-specific support for Strata Cloud Manager as soon as we are able to do so for each region.

You can now deploy Strata Cloud Manager in the following additional region for Configuration Management support in the Strata Cloud Manager 2026.R2.0 release: Brazil.

Distinguishing between intentional administrator modifications and automatically generated settings creates operational complexity and confusion during security audits.

System default configuration attribution solves this problem by explicitly marking system-generated configurations within your Prisma Access and NGFW deployments to ensure accurate tracking. To maintain clear audit trails, this feature automatically attributes necessary infrastructure defaults directly to System rather than your individual logged-in administrator credentials.

Differences in firewall, appliance, or folder-specific values for certain configuration objects make it difficult to share configurations across different folders and devices. To resolve this, Strata Cloud Manager expands variable support to provide greater flexibility and easier configuration management across your network.

You can now use integer variables for VLAN identifiers (0 to 4095). When you implement extended variable support, you reduce redundant tasks and maintain consistent configurations across your deployment.

Administrators managing allow and block lists require a centralized way to apply web policy rules in the browser without duplicating configuration efforts. To simplify this process, the Prisma® Browser now leverages External Dynamic Lists (EDLs) for dynamic, URL-based policy enforcement.

By using Strata Cloud Manager as a single source of truth, you can centrally manage web policy rules, accelerate adoption, and scale efficiently. You can link EDLs to policies directly within the shared policy objects interface and apply them universally across all platforms.

To ensure continuous protection against newly identified threats, the Prisma Browser automatically polls EDLs at configured intervals. Built-in administrative safeguards protect your deployment by preventing the deletion of in-use EDLs, prompting you to push configuration changes when modifying active lists, and reporting any unsupported URL entries.

Managing mobile user access on networks that rely on IP address-based authorization is challenging because dynamic IP assignment from Prisma® Access can break access policies. The Static IP Allocation feature allows you to assign a fixed IP address to Prisma Access mobile users to address this challenge. This feature is useful if your network deployments restrict user access to resources using IP addresses as part of their network and application design. This functionality simplifies deployment and provides critical benefits:

You can assign static IP addresses for mobile users based on the Prisma Access theater or User-ID™

You can now use location groups and user groups to improve your IP address assignment for mobile users, in addition to theater and User-ID.

The supported number of IP address pool profiles is significantly increased, simplifying the management and scaling of large mobile user deployments.

As quantum computing technology continues to advance, your organization faces an emerging threat to traditional cryptographic methods that secure VPN connections and remote access infrastructure. By implementing Post-Quantum Cryptography (PQC) support, you can future-proof your network security against potential quantum-based attacks that could compromise the confidentiality and integrity of your encrypted communications. This feature enables PQC support for access agents within the GlobalProtect® infrastructure, building upon the existing IKEv2 implementation for access agents to ensure your data remains protected against future decryption capabilities.

Use this feature if your organization operates in highly regulated industries or handles sensitive data that requires protection against future cryptographic threats. The implementation leverages the existing IKEv2 framework for access agents and integrates quantum-resistant algorithms to establish secure tunnels between your remote users and corporate resources. This is particularly valuable if you need to maintain compliance with emerging security standards that mandate quantum-resistant encryption or if your security posture requires defense against sophisticated adversaries who may be collecting encrypted data today for decryption once quantum computers become viable.

To resolve the administrative overhead of navigating between individual snippet scopes, you can now use a centralized snippet management interface in Strata Cloud Manager to organize, edit, and prioritize all of your configuration snippets from a single location.

Access the Snippet Management page from System SettingsFolder ManagementFolder & Snippet ManagementSnippets tab, or select ConfigurationNGFW and Prisma AccessOverview and click Snippet Management in the Configuration Scope under Snippets. The page displays all snippets organized by type: Predefined, Local, Published, and Subscribed. From this page, you can create new local snippets, edit snippet names, descriptions, and labels, clone existing snippets, and delete snippets you no longer need. A three-dot action menu on each snippet provides quick access to these actions without requiring you to navigate to the snippet scope first.

In System Settings, Folder Management is now Folder & Snippet Management. The Folders tab includes a new Snippets column that shows which snippets are associated with each folder. You can associate snippets with a folder directly from the folder three-dot action menu, and drag to reorder snippet priority when multiple snippets are associated. Snippets with higher priority override conflicting values from lower-priority snippets.

The manual and individualized process of configuring Next-Generation Firewall variables for each device creates operational inefficiencies and administrative burden, slowing down your onboarding process and making it difficult to manage at scale.

This feature introduces Sites as the primary way to deploy NGFWs. You can create a centralized properties template and set specific values for each site location. Onboarding rules automatically calculate IP addresses, hostnames, and other configuration details based on these site-specific values.

When you assign a device to a pre-configured site, the system automatically applies the correct settings. The feature supports both automatic and manual device setup, allowing installers to scan QR codes and select the appropriate site. This reduces configuration errors, speeds up deployment, and works well for branch offices, retail locations, and company expansions.

You can now activate Palo Alto Networks NGFWs at branch locations using the ZTP NGFW Activation web app that extends the existing Zero Touch Provisioning (ZTP) capabilities to mobile devices. This solution enables field installers to complete NGFW onboarding and activation without requiring technical expertise or detailed knowledge of customer network configurations. The web app is browser-based and supports both iOS and Android devices, eliminating the need for separate native applications while maintaining full compatibility with existing ZTP workflows.

The ZTP NGFW Activation web app allows for QR code scanning functionality on Gen 5 or newer hardware that automatically populates device-specific information including Serial Numbers and Claim Keys directly from labels affixed to the NGFW hardware. When you scan a QR code using your mobile device's camera, the QR code contains an embedded URL that redirects you to the ZTP Activation Page along with the Serial Number and Claim Key data. The application automatically populates these fields from the scanned QR code data, and you simply need to initiate the ZTP activation process for the device.

You gain access to all existing ZTP activation features through the web app, including the ability to view activation history for devices processed within the last seven days and monitor the status of firewalls during the provisioning process. The application maintains the same security and authentication requirements as the desktop ZTP portal while optimizing the user interface for smartphones.

This web app addresses deployment scenarios where installers work across multiple branch locations and may need to activate NGFWs for different customers without carrying laptops or requiring detailed technical documentation. The solution reduces the complexity of field deployments while maintaining the security and configuration management oversight that network security teams require for firewall provisioning workflows.

Strata Cloud Manager™ now supports migrating security policies, rules, and objects from multiple Panorama® instances into a single, centralized tenant. This feature helps you centralize visibility and simplify policy management across your network.

You can now identify auto-generated default configurations during configuration audits, as Strata Cloud Manager now shows System in the Edited by column instead of the logged-in administrator's credentials. When you review configuration changes in Config Version Snapshots, you can immediately tell which configurations were auto-generated during initial setup and which were created by you.

The Zscaler to Prisma® SASE migration tool automates the transition of Zscaler Internet Access (ZIA) and Zscaler Private Access (ZPA) configurations to Prisma Access security policies. This tool reduces manual effort and potential errors by automating the assessment, translation, and optimization of Zscaler configurations into Prisma Access-compatible formats.

You upload your Zscaler configuration either programmatically via Zscaler Cloud APIs or through a JSON file. The migration engine parses, analyzes, and converts the configuration into a Prisma Access-compatible format. The engine applies optimization logic to clean up duplicate and redundant data, thereby reducing the total policy footprint.

You can review and refine the translated configuration before importing it into Prisma Access. For general security policies and objects, the tool generates Strata Cloud Manager (SCM) snippets. ZTNA, Privileged Remote Access (PRA), and Remote Browser Isolation (RBI) configurations are applied immediately after the migration is completed without an explicit commit. Hence, it is strongly recommended that you test the migration on a pre-production tenant migrating production workflows.