Installers can now monitor the real-time status of the NGFW activation during Zero Touch Provisioning (ZTP) deployments through the ZTP Activation Page. ZTP onboarding visibility addresses the challenge that installers with minimal technical knowledge face when they have no insight into the NGFW activation process that spans approximately 30 minutes. ZTP Activation Page now provides comprehensive bootstrap status monitoring through six sequential stages: Firewall Licensing, Content Updates, Wildfire Updates, Antivirus Updates, Routing Mode Changes, and Software Upgrades.

When you initiate NGFW activation using ZTP, you can access detailed progress information through the ZTP Activation Portal for installers and the Device Management interface for administrators. The system displays real-time status indicators for each NGFW activation stage, including spinners that provide visibility into downloads and installation.

ZTP visibility includes error handling and recovery mechanisms that allow administrators and installers to retry failed operations without requiring on-site technical support. When ZTP activation failures occur, the system provides specific error messages and retry options. For non-critical failures in antivirus or Wildfire updates, the system displays warning notifications while allowing the ZTP to continue.

Installers can also review activation history for the past 7 days through Activation History. Enhanced visibility and troubleshooting aims to reduce deployment inefficiencies and provide the seamless experience you expect from ZTP while maintaining your ability to troubleshoot issues remotely through administrator controls.

TechDocs Strata Copilot, an AI-powered assistant, is now available on the Palo Alto Networks TechDocs website. It simplifies how you find information by letting you ask questions in natural language, which eliminates the need to search through documentation or use specific keywords.

TechDocs Strata Copilot pulls answers to your queries from a comprehensive data source, such as our Network Security Documentation, Knowledge Base articles, and LIVEcommunity. Instead of just showing you a link, TechDocs Strata Copilot provides a concise summary to give you immediate clarity.

Every answer includes direct links to the source documentation, allowing you to explore the context and verify the information. This feature enhances your self-service experience by providing instant access to critical knowledge, reducing resolution times, and helping you more efficiently manage your network security solutions.

User Activity Insights in Strata Cloud Manager provides clear visibility into connected gateway agent (GlobalProtect and Prisma Access) versions and subversions for connected user devices in your deployment. Previously, GlobalProtect agent version information varied by its source (Strata Logging Service, ADEM, or SaaS agent) and lacked subversion details.

You can now access both the main agent version and detailed subversion information, including patch details. The subversion details for existing GlobalProtect devices populate over a 30-day period. However, for newly added devices, the subversion details are displayed immediately upon their first connection. The GlobalProtect agent subversions are displayed for devices connected to Prisma Access only. This clear view of your agent distribution landscape helps you identify version inconsistencies and plan updates more effectively.

By setting up roles with specific permissions and assigning them to administrators you can enforce the principle of least privilege, ensuring administrators have only the access necessary for their specific job functions.

This feature gives you fine-grained control across the web interface, CLI, REST API, and XML API. You can configure detailed access permissions over various functional areas, including device configuration, network settings, security policies, monitoring capabilities, and operational tasks. For example, you can create a network admin role that has permissions to manage interfaces and routing but is restricted from changing security profiles.

Strata Cloud Manager (SCM) now provides users the ability to customize predefined local and cloud-based applications. For each given application, you can modify the TCP Timeout, TCP Half Closed, TCP Time Wait, and Risk values to more appropriately fit the needs of your organization's network security requirements.

You can now manage device quarantine lists for NGFWs acting as GlobalProtect portals and gateways directly through Strata Cloud Manager. This capability enables you to block specific devices by adding their corresponding device information to a quarantine list while using Strata Cloud Manager as your primary management interface.

When you access the device quarantine list functionality in Strata Cloud Manager, you can view quarantined devices that have been flagged by Administrators.

Strata Cloud Manager allows you to configure and deploy GRE (Generic Routing Encapsulation) tunnels on managed NGFW platforms to establish secure, point-to-point connectivity across untrusted networks. GRE tunnels enable you to encapsulate various network layer protocols inside virtual point-to-point links, allowing you to extend your network topology across geographically distributed locations.

You can now set up a Hardware Security Module (HSM) to generate, store, and manage digital keys through Strata Cloud Manager. An HSM is a physical appliance that, once connected, provides both physical and logical protection of these cryptographic keys. By utilizing the management options in Strata Cloud Manager, you can specify HSM servers that use one or more of the following providers: SafeNet Network, nCipher nCshield Connect, or Thales CipherTrust Manager.

You can now configure a PA-7000 Series Firewall Log Forwarding Card (LFC) using Strata Cloud Manager. The LFC is a physical, high-performance slot card that forwards all dataplane logs from the firewall to an external logging system. Once installed, you can choose to configure either interface LFC 1/1 or interface LFC 1/9, as well as IPv4 or IPv6 settings, depending on your deployment needs.

Now you can deploy a custom master key in Strata Cloud Manager™ to replace the default master key on your next-generation firewalls (NGFWs), adding an extra layer of protection for your sensitive data.

When you deploy a new master key, Strata Cloud Manager re-encrypts all key material to strengthen your security posture. You can define a custom lifetime for the master key (from 1 to 18, 250 days) and set reminder notifications (1 to 365 days before expiration). This allows you to rotate keys on schedule to help minimize disruption. Regular rotation is a best practice for cryptographic key management and helps you meet compliance requirements.

The Deploy Master Key feature supports both standalone and high-availability (HA) firewall configurations, with built-in validations to ensure secure key deployment.

Strata Cloud Manager™ now provides the ability to configure and deploy NetFlow on managed next-generation firewall (NGFW) platforms. This new capability allows you to export detailed IP traffic statistics to a NetFlow collector, providing valuable data for security analysis, troubleshooting, and performance optimization. You can create server profiles to define collector destinations and export parameters, with support for Layer 3, Layer 2, virtual wire, tap, VLAN, loopback, and tunnel interfaces. This feature supports NetFlow Version 9 and both standard and enterprise templates.

Strata Cloud Manager (SCM) now provides users the ability to view all dependent applications associated with a selected application while creating Security Policy Rules. This makes it easier to build security policies without unintentionally excluding required dependent applications. To view the dependent applications, access the relevant Security Policy Rule, and from the Application / Service menu, open the Application dropdown and select the Dependent Applications button. This opens the Dependent Applications pane, which displays all dependent apps contained within the selected application it relies on, as well as the rules they are used in. Additionally, you can also add these dependencies directly to your current rule or an existing rule.

QoS enables you to prioritize and manage network traffic to ensure critical applications and services receive the necessary bandwidth and resources.

You can now configure QoS on the next-generation firewalls in Strata™ Cloud Manager. Enable QoS capabilities on NGFWs through the following configuration components for traffic prioritization and bandwidth management:

By implementing QoS, you can improve overall network efficiency, enhance user experience for critical services, and align network resource allocation with your organization's priorities. With QoS, you can maximize the value of your existing network infrastructure while ensuring that your most important traffic always gets through, even during periods of high network utilization.

Strata Cloud Manager™ now offers expanded response page customization, allowing you to tailor additional page types for a more consistent and user-friendly experience. These pages appear during authentication challenges, security restrictions, or informational notices, helping users understand what is happening while maintaining your organization’s branding.

Newly supported customizable pages include:

• GlobalProtect: Customize portal login pages, welcome screens, and help pages that guide users through the connection process.
• Authentication Services: Modify Multi-Factor Authentication (MFA) login pages and SAML authentication error pages to provide clear guidance during authentication challenges.
• SSL Decryption: Customize notification pages to inform users about traffic inspection policies and certificate errors.

If you use Panorama to manage your organizations NGFWs, you can migrate your configurations to Strata Cloud Manager for the benefits of cloud management.

Strata Cloud Manager enables you to migrate your organizations NGFW hierarchy and configurations:

For the benefits of moving to Strata Cloud Manager, click here.

Administrators can now skip reboots during PAN-OS software upgrades for cloud managed NGFWs, allowing you to decouple software installation from the reboot process and providing granular control over when your NGFWs restart after receiving software updates. You can schedule software downloads and installations to complete during designated maintenance windows while deferring the actual reboot to a time that minimizes operational impact on your network services. This separation of upgrade phases prevents unexpected downtime during critical business hours and allows you to coordinate reboots across multiple firewalls in your environment.

You configure this feature through the Software Upgrade Scheduler and configure the update to work with the needs of your business and network.

Strata Cloud Manager now provides comprehensive IPv6 capabilities to help you manage your network infrastructure in dual-stack environments. This enhancement brings IPv6 parity with PAN-OS management capabilities, allowing you to configure and manage both IPv4 and IPv6 addressing across your NGFW deployments through the cloud management platform.

You can now configure IPv6 addressing for management interfaces including dedicated management ports and auxiliary interfaces. The management interface configuration supports both static IPv6 addressing and dynamic DHCPv6 client options with configurable parameters such as non-temporary address options, temporary address options, rapid commit, and DUID type selection. For auxiliary interfaces, you can specify IPv6 addresses with prefix lengths and configure default IPv6 gateways to ensure proper routing in your management network.

You can configure a data port (a regular interface) to access external services, such as DNS servers, external authentication servers, Palo Alto Networks® services such as software, URL updates, licenses and AutoFocus. Strata Cloud Manager now supports configuring and deploying IPv6 service routes (in addition to IPv4 service routes) for all managed NGFW platforms.

The firewall uses the management (MGT) interface by default to access external services, such as DNS servers, external authentication servers, Palo Alto Networks® services such as software, URL updates, licenses and AutoFocus. An alternative to using the MGT interface is to configure a data port (a regular interface) to access these services. A service route is the path from the interface to the service on a server. Strata Cloud Manager allows you to customize service routes for various services or Use Management Interface for all services.

Strata Cloud Manager now supports Neighbor Discovery Protocol (NDP) Proxy to simplify address resolution in IPv6 environments. This feature allows the firewall to respond to link-layer address requests on behalf of devices behind it, performing a similar function to ARP for IPv4. Configuring NDP Proxy is required when you enable IPv6-to-IPv6 Network Prefix Translation (NPTv6). Key capabilities of NDP Proxy include:

Health alerts actively monitor the health and performance of your platform in real time. This approach helps in identifying issues, predicting potential problems, and implementing remediation actions to ensure your devices function optimally. Here are some key aspects:

You can now use Zero Touch Provisioning (ZTP) to deploy Gen 5 hardware through Strata Cloud Manager with enhanced device-specific QR codes that contain your device's serial number and claim key.When you scan the QR code on your PA-500 or PA-5500 series NGFWs, you are automatically directed to the ZTP Activation page with the serial number and claim key pre-populated, eliminating the need for manual data entry and reducing input errors during onboarding.