Strata Cloud Manager
New Features in November 2023
Here are the new features available in Strata Cloud Manager in November 2023. The
features listed here include highlights for the products supported with Strata Cloud
Manager. For the full list of new features supported for a product you're using with
Strata Cloud Manager, see the release notes for that product.
Cloud Management for NGFWs: Capacity Analyzer Alerts
November 20, 2023
Capacity Analyzer has been enhanced to include support for alerts, which assist you as
described below. This feature is now supported for Cloud Management for NGFWs (with an
AIOps for NGFW Premium license).
When Next-Generation Firewalls (NGFW) approach their capacity thresholds,
system performance diminishes and operational disruptions often occur.
Capacity-related issues are difficult to manage and typically only become visible
after the limits are breached, resulting in time-consuming, reactive remediation
efforts.
The Capacity Analyzer solves this problem by
monitoring device resource consumption to prevent potential bottlenecks. It provides
security teams with deep, centralized visibility into resource usage patterns based
on firewall model types. This capability enables proactive planning for upgrading to
higher capacity firewalls based on specific needs. This proactive approach ensures
that you receive early notification about potential capacity constraints, allowing
you to take preemptive action to safeguard your business operations and maintain
optimal performance.

Prisma SD-WAN: Public Cloud High Availability (HA)
Maintaining network resiliency and session survivability for SD-WAN in public cloud
deployments presents unique challenges, often leading to service disruptions during
a device failure. To address this, Palo Alto Networks now supports high availability (HA) for SD-WAN on
VM-Series next-generation firewalls in public cloud environments.
This feature enables an active/passive HA configuration that uses a floating IP
address to ensure seamless failover between firewalls. By maintaining session state
during a failover event, it minimizes downtime and preserves application performance
for your users. This allows you to build resilient and reliable SD-WAN architectures
in the cloud, mirroring the high availability standards traditionally found in
on-premises deployments.
This HA capability is available for VM-Series firewalls in AWS and Microsoft Azure.

Prisma Access: Cloud Delivered Enterprise Network Integration
Organizations using colocation (CoLo) facilities for multicloud and
on-premises connectivity often face challenges like managing complex, expensive
network infrastructure, dealing with inconsistent security stacks, and overcoming
bandwidth limitations. Palo Alto Networks Prisma® Access and Google Cloud Platform's
Network Connectivity Center (NCC) Gateway (GCP NCC gateway) bring high-bandwidth,
secure, and reliable connectivity to public and private apps for mobile users and for
users at remote offices or branch sites.
- Managing the network infrastructure can be complex and expensive if users need to access private apps hosted by different cloud service providers (CSPs) using a CoLo facility.
- Using multiple security products to secure apps can result in having an inconsistent security stack across your network and your organization's users.
- Difficulty in achieving high-bandwidth connections to large branches or campus locations from a CoLo facility to a remote network.
Prisma Access integrates with GCP NCC to provide security inspection for
internet-bound traffic and to the private apps that are hosted in GCP, on-premises,
or in a third-party cloud connected through GCP NCC. You can onboard remote sites
connected through GCP NCC as either a remote network or as a service connection.
This way, mobile users (on-ramp) and remote networks (off-ramp) can access public or
private apps securely through Prisma Access.
Prisma Access: Remote Browser Isolation
Browser and web-based attacks are continuously evolving, resulting in security
challenges for many enterprises. Web browsers, being a major entry point for malware
to penetrate networks, pose a significant security risk to enterprises, prompting
the increasing need to protect networks and devices from zero-day attacks. Highly
regulated industries, such as government and financial institutions, also require
browser traffic isolation as a mandatory compliance requirement.
While most enterprises want to block 100% of attacks by using network security and
endpoint security methods, such a goal might not be realistic. Most attacks start
with the compromise of an endpoint that connects to malicious or compromised sites
or by opening malicious content from those sites. An attacker only needs one miss to
take over an endpoint and compromise the network. When this happens, the
consequences of that compromise and the impact to your organization can be
damaging.
Remote Browser Isolation (RBI) creates a safe isolation
environment for your users' local browsers, preventing website code and files from
executing on their local browser. Unlike other isolation solutions, RBI uses
next-generation isolation technologies to deliver near-native experiences for users
accessing websites without compromising on security.

RBI is a service that transfers all browsing activity away from your users' managed
devices and corporate networks to an outside entity, such as Prisma® Access, which
securely isolates potentially malicious code and content within its platform.
Natively integrated with Prisma Access, RBI allows you to apply isolation profiles
easily to existing security policies. Isolation profiles can restrict many user
controls such as copy and paste actions, keyboard inputs, and sharing options like
file uploading, downloading, and printing files to keep sensitive data and
information secure. All traffic in isolation undergoes analysis and threat
prevention provided by Cloud-Delivered Security Services (CDSS), ensuring robust
security before content reaches the user.
Prisma Access: Service Connection Identity Redistribution Management
Sometimes, granular controls are needed for User-ID redistribution in
particularly large-scale Prisma Access deployments. Service Connection Identity
Redistribution Management lets you select specific service connections for identity redistribution.
By default, all of your service connections, in order of proximity, are
used for identity redistribution. However, you may not know which specific service
connections are being used for identity redistribution at a given moment. And,
depending on the number of service connections you have and the number of User-ID
agents you’ve configured, this method for identity redistribution can test the
limits of your system resources. To solve this, we now give you the option to decide
which service connections you want to use for identity redistribution.
Cloud Management for NGFWs: IPSec VPN Monitoring
Because an IPSec VPN tunnel is a logical interface, it cannot reflect the
status of the underlying physical link. This limitation can cause a firewall to
continue routing traffic to an unusable path, leading to silent traffic loss until
the failure is manually detected.
To address this, PAN-OS® now includes IPSec tunnel monitoring to actively verify
connectivity to a target IP address through the tunnel. If the target becomes
unreachable, the firewall marks the path as unusable and automatically initiates a
failover. During failover, the existing tunnel is torn down, routing changes are
triggered, and a new tunnel is established to redirect traffic. The feature provides
status visibility for both the IKE gateway and individual IPSec tunnels, which
allows the firewall to maintain high availability and reduce traffic loss.
Cloud Management for NGFWs: PA-450R Next-Generation Firewall Support
Securing industrial and remote environments requires a durable firewall capable of
withstanding harsh conditions. The PA-450R is a rugged firewall appliance
purpose-built to address this challenge. As an upgrade to the PA-220R, the PA-450R
is designed for industrial, commercial, and government deployments. This hardware is
also suited for installation in harsh environments with extreme temperatures and
high humidity levels.
The PA-450R supports PAN-OS® 11.1 and later versions. It features two SFP/RJ-45 combo
ports and six RJ-45 ports. Two of these ports are fail-open, providing a
pass-through connection in the event of a power failure.
This appliance uses DC power and supports optional power redundancy. Its fanless
design and rugged build allow for secure installation on a flat surface, wall, or
equipment rack. This hardware meets ICS/SCADA system architecture compliance
standards.
Cloud Management for NGFWs: PA-5445 Next-Generation Firewall
Securing enterprise data centers and regional headquarters demands a next-generation
firewall with exceptional performance. The PA-5445 addresses this need as the
highest-performance fixed form-factor model in the Palo Alto Networks® firewall
lineup. It features hardware resources dedicated to networking, security, signature
matching, and management.
The PA-5445 supports PAN-OS® 11.1 and later versions. It achieves the highest App-ID
speed (93Gbps), L7 threat inspection rate (70Gbps), and session count (48M) in a
fixed form-factor firewall. For connectivity, it includes eight RJ-45 ports, twelve
SFP+ ports, four SFP28 ports, and four QSFP28 ports that support breakout mode. It
also features dedicated HSCI and HA1 ports for high availability control.
The PA-5445 uses AC or DC power supplies and supports optional power redundancy. This
hardware occupies 2RU of rack space and is designed to mount in a 19-inch equipment
rack.
Cloud Management for NGFWs: Inline Best Practice Checks for Device Setup
Strata Cloud Manager lets you validate your configuration against
predefined Best Practices and custom checks
you create based on the needs of your organization. As you make changes to your
service routes, connection settings, allowed services, and administrative access
settings for the management and auxiliary interfaces for your firewalls, Strata
Cloud Manager gives you assessment results inline so you can take immediate
corrective action when necessary. This eliminates problems that misalignments with
best practices can introduce, such as conflicts and security gaps.
Inline checks let you:
- Gauge the effectiveness of, assess the impact of, and validate changes you make to your configuration using inline assessment results.
- Prioritize and perform remediations based on the recommendations from the inline assessment.
Cloud Management for NGFWs: VM-Series Device Management
Previously, you had to manually include information such as DNS entries and IP
addresses in the init.cfg file when creating a firewall image for
your cloud environments. This release adds support for a bootstrapping process that
allows you to configure newly deployed firewalls without manually configuring them
prior to deployment. This new process associates the firewall with a Panorama-managed
host to automate the onboarding and configuration of your software firewall.
With this functionality, the bootstrapping process:
- Automatically instantiates, onboards, and configures the firewall instance without prior knowledge of the firewall serial number.
- Automatically onboards the Strata Cloud Manager tenant, which receives the initial configuration and becomes fully operational without manual intervention.
The bootstrapping process requires specific fields to function. For instance, the
panorama-server field controls how the firewall is managed: setting the value to
cloud initiates a TLS connection to the Strata Cloud Manager service edge, while any
other value is interpreted as a Panorama IP address or FQDN for a direct Panorama
management connection. The value defined for panorama-server-2 is ignored when
panorama-server=cloud.
You also need to define the Cloud Management folder using the dgname
field, which maps the firewall to that folder. The
vm-series-auto-registration-pin-id and
vm-series-auto-registration-pin-value fields automate firewall
instance instantiation by establishing the connection to the Strata Cloud Manager
service edge. These PIN ID and PIN value fields are used to request a Thermite
certificate, which authenticates the device and builds a secure connection to the
cloud service, such as Strata Cloud Manager.
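The following pre-deployment check applies the field rules above to a bootstrap file before an image is built. It is an added example, not Palo Alto Networks code; it assumes the file is a list of key=value lines (as in the VM-Series init-cfg.txt format) and checks only the rules stated on this page: panorama-server=cloud selects Strata Cloud Manager, any other value is a direct Panorama address, cloud mode needs dgname plus the two auto-registration PIN fields, and panorama-server-2 is ignored in cloud mode.

```python
"""Validate VM-Series bootstrap fields for cloud management (added example)."""
from __future__ import annotations

# Fields the page states are mandatory when panorama-server=cloud.
CLOUD_REQUIRED = (
    "dgname",
    "vm-series-auto-registration-pin-id",
    "vm-series-auto-registration-pin-value",
)


def parse_init_cfg(text: str) -> dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    fields: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed line (expected key=value): {raw!r}")
        key, _, value = line.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def check_bootstrap(fields: dict[str, str]) -> dict:
    """Return the management mode and any problems to fix before deployment."""
    problems: list[str] = []
    server = fields.get("panorama-server", "")
    if not server:
        return {"mode": "none", "problems": ["panorama-server is missing"]}
    if server == "cloud":
        mode = "strata-cloud-manager"
        # Cloud mode: the firewall registers with the service edge, so the
        # folder and the auto-registration PIN pair must both be present.
        for name in CLOUD_REQUIRED:
            if not fields.get(name):
                problems.append(f"{name} is required when panorama-server=cloud")
        if fields.get("panorama-server-2"):
            problems.append("panorama-server-2 is ignored when panorama-server=cloud")
    else:
        # Any other value is treated as a Panorama IP address or FQDN.
        mode = "panorama"
    return {"mode": mode, "problems": problems}


# Constructed sample: cloud management, a stray secondary Panorama entry,
# and a missing PIN value. The PIN ID is a placeholder, not a real value.
SAMPLE_CLOUD = """
type=dhcp-client
panorama-server=cloud
panorama-server-2=198.51.100.10
dgname=example-branch-folder
vm-series-auto-registration-pin-id=PIN-ID-PLACEHOLDER
"""

if __name__ == "__main__":
    result = check_bootstrap(parse_init_cfg(SAMPLE_CLOUD))
    print("mode:", result["mode"])
    for problem in result["problems"]:
        print("-", problem)
```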
Cloud Management for NGFWs: Security Posture Checks
Managing configuration compliance and security best practices often requires
navigating multiple, siloed settings pages, leading to inconsistent enforcement and
complex exception handling. Strata Cloud Manager now unifies these critical
capabilities into Security Posture Settings,
consolidating security check functionality previously split across AIOps and Cloud
Manager pages. This unification streamlines your security workflow, allowing you to
manage both predefined best practice checks (aligned with industry standards like
CIS and NIST) and custom organizational checks from a single centralized location.
This feature enhances policy granularity by offering a centralized Check
Exception capability, allowing you to restrict where checks apply in your
deployment rather than simply enabling or disabling them globally. Furthermore,
security checks raise an Alert (the default) for a failed check, or Block a
configuration with failing checks from being pushed out to your deployment.
Security checks also provide immediate, field-level feedback during policy creation,
empowering you to address configuration deviations instantly and ensure alignment
with best practices before any policy deployment.
Cloud Management for NGFWs: GlobalProtect
You can now use GlobalProtect with
cloud-managed NGFWs to
secure your mobile workforce. Enable your cloud-managed NGFWs as
GlobalProtect gateways and portals, in order to provide
flexible, secure remote access to users everywhere.
Whether checking email from home or updating corporate documents from an airport, the
majority of today's employees work outside the physical corporate boundaries. This
workforce mobility increases productivity and flexibility while simultaneously
introducing significant security risks. Every time users leave the building with
their laptops or smartphones, they are bypassing the corporate firewall and
associated policies that are designed to protect both the user and the network.
GlobalProtect™ solves the security challenges
introduced by roaming users by extending the same next-generation firewall-based
policies that are enforced within the physical perimeter to all users, no matter
where they are located.
Cloud Management for NGFWs: IP Protocol Scan Protection
November 2, 2023
Supported on Strata Cloud Manager for:
Malicious actors scan IP protocol numbers to identify and exploit open and
insecure protocols on target hosts. This reconnaissance technique involves cycling
through IP protocol numbers to discover the IP protocols and services that the
target host supports, sometimes with the help of automated tools. Starting with
PAN-OS® 11.1, you can enable reconnaissance protection against
IP protocol scans.
When enabled, your Next-Generation Firewall (NGFW) detects IPv4 and IPv6 protocol
scans based on a specified number of scan events that occur within a specified
interval. By default, your NGFW generates an alert in the Threat logs when these
thresholds are met. However, you can configure the NGFW to take other actions, such
as dropping subsequent packets from the source IP address to the target host for a
specified time. To minimize false positives and allow legitimate activity, you can
exclude the IP addresses of trusted internal groups performing vulnerability testing
from this protection.
Details of each detected scan are available in Threat logs.
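To make the threshold-and-interval logic concrete, here is a small detector that applies it to constructed packet headers. It is an added example, not PAN-OS code: it counts the distinct IP protocol numbers one source tries against one target inside a sliding interval, raises an alert when the count reaches the threshold, and skips sources on an exclusion list (such as an internal vulnerability scanner). The event format, the threshold of 5 and the 10-second interval are assumptions.

```python
"""Threshold-based IP protocol scan detection over constructed events (added example)."""
from __future__ import annotations

from collections import defaultdict, deque
from ipaddress import ip_address, ip_network


class ProtocolScanDetector:
    def __init__(self, threshold: int, interval_s: float, exclude=()):
        self.threshold = threshold          # distinct protocols before alerting
        self.interval_s = interval_s        # sliding window in seconds
        self.exclude = [ip_network(n) for n in exclude]
        # (src, dst) -> deque of (timestamp, protocol number) inside the window
        self._events: dict[tuple[str, str], deque] = defaultdict(deque)
        self.alerts: list[dict] = []

    def _excluded(self, src: str) -> bool:
        addr = ip_address(src)
        return any(addr in net for net in self.exclude)

    def observe(self, ts: float, src: str, dst: str, proto: int) -> dict | None:
        """Feed one packet header; return an alert dict when a scan is detected."""
        if self._excluded(src):
            return None
        window = self._events[(src, dst)]
        window.append((ts, proto))
        # Expire events older than the interval.
        while window and ts - window[0][0] > self.interval_s:
            window.popleft()
        distinct = {p for _, p in window}
        if len(distinct) >= self.threshold:
            alert = {"src": src, "dst": dst, "protocols": sorted(distinct),
                     "first_seen": window[0][0], "last_seen": ts}
            self.alerts.append(alert)
            window.clear()   # fresh window so one scan produces one alert
            return alert
        return None


# Constructed sample packet headers: (timestamp, src, dst, IP protocol number).
SAMPLE_EVENTS = [
    (0.0, "203.0.113.7", "192.0.2.10", 1),    # ICMP
    (0.5, "203.0.113.7", "192.0.2.10", 6),    # TCP
    (1.0, "203.0.113.7", "192.0.2.10", 17),   # UDP
    (1.5, "203.0.113.7", "192.0.2.10", 47),   # GRE
    (2.0, "203.0.113.7", "192.0.2.10", 50),   # ESP -> fifth distinct protocol
    (2.5, "10.0.5.4", "192.0.2.10", 1),       # internal scanner, same pattern
    (3.0, "10.0.5.4", "192.0.2.10", 6),
    (3.5, "10.0.5.4", "192.0.2.10", 17),
    (4.0, "10.0.5.4", "192.0.2.10", 47),
    (4.5, "10.0.5.4", "192.0.2.10", 50),
    (30.0, "198.51.100.9", "192.0.2.10", 6),  # ordinary traffic, one protocol
]


def run_sample(exclude=("10.0.5.0/24",)) -> list[dict]:
    """Replay the sample through the detector and return the alerts raised."""
    det = ProtocolScanDetector(threshold=5, interval_s=10, exclude=exclude)
    for ts, src, dst, proto in SAMPLE_EVENTS:
        det.observe(ts, src, dst, proto)
    return det.alerts


if __name__ == "__main__":
    for a in run_sample():
        print(f"IP protocol scan: {a['src']} -> {a['dst']} protocols={a['protocols']}")
```

Running it without the exclusion list shows the internal scanner alerting too, which is why trusted testing hosts are excluded rather than the threshold raised.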
Cloud Management for NGFWs: TLSv1.3 Support for SSL/TLS Service Profiles (Administrative Access)
November 2, 2023
Supported on Strata Cloud Manager for:
You can now configure TLSv1.3 in SSL/TLS service profiles to secure
administrative access to management interfaces. TLSv1.3 delivers several performance
and security enhancements, including shorter SSL/TLS handshakes and more secure
cipher suites. In an SSL/TLS service profile, you can select TLSv1.3 as the minimum
or maximum supported protocol version for connections to the management interface.
Selecting TLSv1.3 automatically enables the following TLSv1.3 cipher suites:
- TLS-AES-128-GCM-SHA256
- TLS-AES-256-GCM-SHA384
- TLS-CHACHA20-POLY1305-SHA256 (not supported in FIPS-CC mode)
However, you can deselect any key exchange algorithms, encryption algorithms,
or authentication algorithms as needed. In addition to offering TLSv1.3 support, SSL/TLS
service profiles now enable customization of the key exchange algorithms, encryption
algorithms, and authentication algorithms supported.
Enforcing Authentication Cookie Validation
In mobile and roaming environments, preventing session hijacking is critical for
maintaining robust security. Previously, an endpoint's authentication cookie could
be used even if the device's network location changed, creating a potential security
risk if the cookie was intercepted.
To mitigate this threat, you can now enforce that the GlobalProtect portal or gateway
accepts authentication cookies only when the endpoint's IP address matches the
original source IP address or falls within a designated network range. This security
enhancement is important for maintaining session integrity in environments where
users may roam within a campus or corporate subnet.
Enabling this capability ensures that if the network originally issued an
authentication cookie to an endpoint within a secure network range, the cookie
remains valid only for endpoints within that same network segment. By binding the
authentication cookie to a designated network range, you mitigate the risk of
unauthorized access attempts.
This existing feature in Panorama is now available in Prisma Access managed by Strata
Cloud Manager. For more information, see GlobalProtect — Customize App
Settings.
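The acceptance rule described above, modelled as a standalone check (an added example, not GlobalProtect code). It assumes a cookie record that stores the source IP the cookie was issued to and an administrator-configured list of designated network ranges: a cookie presented from a different address is accepted only if that address falls within the same designated range the cookie was issued in.

```python
"""Authentication-cookie binding check for roaming endpoints (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class AuthCookie:
    user: str
    issued_to_ip: str   # endpoint source IP recorded when the cookie was issued


def cookie_accepted(cookie: AuthCookie, client_ip: str,
                    designated_ranges: list[str]) -> bool:
    """Accept the cookie only from the issuing IP or from within its issuing range.

    Returns False for any other address, including an address that lies in a
    designated range different from the one the cookie was issued in.
    """
    client = ip_address(client_ip)
    issued = ip_address(cookie.issued_to_ip)
    if client == issued:
        return True
    # Locate the designated range the cookie was issued in; roaming is allowed
    # only within that same segment. Issued outside every range -> exact match only.
    for cidr in designated_ranges:
        net = ip_network(cidr)
        if issued in net:
            return client in net
    return False


# Constructed sample: one campus range, cookie issued to a host inside it.
CAMPUS_RANGES = ["10.10.0.0/16"]
SAMPLE_COOKIE = AuthCookie(user="alice", issued_to_ip="10.10.4.20")

if __name__ == "__main__":
    for ip in ("10.10.4.20", "10.10.9.3", "10.20.1.1", "203.0.113.5"):
        print(ip, "accepted" if cookie_accepted(SAMPLE_COOKIE, ip, CAMPUS_RANGES) else "rejected")
```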
End User Timeout Notifications
In remote and mobile work environments, unexpected session disconnections due to
login lifetime or inactivity timeouts can interrupt user workflow and lead to poor
productivity. Without advance warning, users may lose their context or unsaved
work.
To prevent this frustrating experience, administrators can now configure timeout
settings that proactively notify end users before a GlobalProtect session
disconnects. This capability allows you to customize the following to provide a
better user experience:
- Advance Warning for Expiry: Set the amount of advance notice users receive before a session expires due to the maximum Login Lifetime or Inactivity Logout period being reached.
- Custom Notifications: Tailor the notification message content to clearly inform users why their session is ending and what their next steps should be.
- Administrator Logout Message: Specify whether to notify end users and customize the display message when an administrator manually logs them out of a session.
By clearly communicating when sessions are about to expire, you help users save their
work and re-establish a connection without interruption, improving security posture
and reducing help desk tickets related to sudden disconnections.
This existing feature in Panorama is now available in Prisma Access managed by Strata
Cloud Manager. For more information, see Configure Timeout Settings.
Separate Client Authentication for Portal and Gateway
Prisma Access now allows you to separate client authentication for portals and gateways
for enhanced security and flexibility. You can apply distinct certificate profiles to
each. This feature is supported for both multi-portal and coexistent tenants.
IoT Security: Device Visibility and Automatic Policy Rule Recommendations
Strata Cloud Manager integrates with IoT Security to provide visibility into the devices on
your network and automated policy rule recommendations for policy enforcement on
next-generation firewalls and Prisma Access. By having Device Security functionality in Strata Cloud Manager, IoT device
visibility and policy rule recommendations become available in the same platform
you're using to manage firewalls and interact with other network security
products.
When your firewalls or Prisma Access is subscribed to Device Security, you can use the following IoT Security features from the Strata Cloud Manager web interface:
- IoT Security Dashboard: In Strata Cloud Manager, there is an IoT Security dashboard with information about the devices on the network, their device profiles and operating systems, and how they are distributed by device type across subnets. For advanced Device Security products (Enterprise Device Security Plus, Industrial Device Security, or Medical Device Security), the IoT Security dashboard additionally displays the total number of active alerts to date and vulnerabilities to date.
- Assets Inventory: See a dynamically maintained inventory of the devices on your network with numerous attributes for each one such as its IP and MAC addresses; profile, vendor, model, and OS; and (for advanced Device Security products) its device-level risk score.
- Security Policy Rule Recommendations: Device Security provides Strata Cloud Manager with automatically generated Security policy rule recommendations organized by device profile. There is one recommendation per application per profile. Choose a profile, select the rule recommendations you want to use, and then the next-generation firewalls or Prisma Access sites where you want to enforce them.