New Features in November 2023

Here are the new features available in Strata Cloud Manager in November 2023. The features listed here include some highlights for the products supported with Strata Cloud Manager; for the full list of new features for a product you're using with Strata Cloud Manager, see that product's release notes.

Cloud Management for NGFWs: Capacity Analyzer Alerts

November 20, 2023
Capacity Analyzer has been enhanced to include support for alerts, which helps you:
  • Anticipate resource consumption that is nearing its maximum capacity and raise alerts.
  • Analyze resource usage patterns at the firewall level on the Capacity Analyzer Alert details page, and access a heatmap that provides a comprehensive overview of resource utilization across all your firewalls.
  • Explore associated alerts on the Capacity Analyzer resource usage details page, pinpoint other firewalls encountering the same issue, and initiate actions to plan and remediate the problem.
When Next-Generation Firewalls (NGFW) approach their capacity thresholds, system performance diminishes and operational disruptions often occur. Capacity-related issues are difficult to manage and typically only become visible after the limits are breached, resulting in time-consuming, reactive remediation efforts.
The Capacity Analyzer solves this problem by monitoring device resource consumption to prevent potential bottlenecks. It provides security teams with deep, centralized visibility into resource usage patterns based on firewall model types. This capability enables proactive planning for upgrading to higher capacity firewalls based on specific needs. This proactive approach ensures that you receive early notification about potential capacity constraints, allowing you to take preemptive action to safeguard your business operations and maintain optimal performance.

Prisma SD-WAN: Public Cloud High Availability (HA)

Maintaining network resiliency and session survivability for SD-WAN in public cloud deployments presents unique challenges, often leading to service disruptions during a device failure. To address this, Palo Alto Networks now supports high availability (HA) for SD-WAN on VM-Series next-generation firewalls in public cloud environments.
This feature enables an active/passive HA configuration that uses a floating IP address to ensure seamless failover between firewalls. By maintaining session state during a failover event, it minimizes downtime and preserves application performance for your users. This allows you to build resilient and reliable SD-WAN architectures in the cloud, mirroring the high availability standards traditionally found in on-premises deployments.
This HA capability is available for VM-Series firewalls in AWS and Microsoft Azure.

Prisma Access: Cloud Delivered Enterprise Network Integration

Organizations using colocation (CoLo) facilities for multicloud and on-premises connectivity often face challenges like managing complex, expensive network infrastructure, dealing with inconsistent security stacks, and overcoming bandwidth limitations. Palo Alto Networks Prisma® Access and Google Cloud Platform's Network Connectivity Center (NCC) Gateway (GCP NCC gateway) bring high-bandwidth, secure, and reliable connectivity to public and private apps for mobile users and for users at remote offices or branch sites.
  • Managing the network infrastructure can be complex and expensive if users need to access private apps hosted by different cloud service providers (CSPs) using a CoLo facility.
  • Using multiple security products to secure apps can result in having an inconsistent security stack across your network and your organization's users.
  • It is difficult to achieve high-bandwidth connections to large branches or campus locations from a CoLo facility to a remote network.
Prisma Access integrates with GCP NCC to provide security inspection for internet-bound traffic and to the private apps that are hosted in GCP, on-premises, or in a third-party cloud connected through GCP NCC. You can onboard remote sites connected through GCP NCC as either a remote network or as a service connection. This way, mobile users (on-ramp) and remote networks (off-ramp) can access public or private apps securely through Prisma Access.

Prisma Access: Remote Browser Isolation

Browser and web-based attacks are continuously evolving, resulting in security challenges for many enterprises. Web browsers, being a major entry point for malware to penetrate networks, pose a significant security risk to enterprises, prompting the increasing need to protect networks and devices from zero day attacks. Highly regulated industries, such as government and financial institutions, also require browser traffic isolation as a mandatory compliance requirement.
While most enterprises want to block 100% of attacks by using network security and endpoint security methods, such a goal might not be realistic. Most attacks start with the compromise of an endpoint that connects to malicious or compromised sites or by opening malicious content from those sites. An attacker only needs one miss to take over an endpoint and compromise the network. When this happens, the consequences of that compromise and the impact to your organization can be damaging.
Remote Browser Isolation (RBI) creates a safe isolation environment for your users' local browsers, preventing website code and files from executing on their local browser. Unlike other isolation solutions, RBI uses next-generation isolation technologies to deliver near-native experiences for users accessing websites without compromising on security.
RBI is a service that transfers all browsing activity away from your users' managed devices and corporate networks to an outside entity, such as Prisma® Access, which securely isolates potentially malicious code and content within its platform. Natively integrated with Prisma Access, RBI allows you to apply isolation profiles easily to existing security policies. Isolation profiles can restrict many user controls such as copy and paste actions, keyboard inputs, and sharing options like file uploading, downloading, and printing files to keep sensitive data and information secure. All traffic in isolation undergoes analysis and threat prevention provided by Cloud-Delivered Security Services (CDSS), ensuring robust security before content reaches the user.

Prisma Access: Service Connection Identity Redistribution Management

Sometimes, granular controls are needed for User-ID redistribution in particularly large-scale Prisma Access deployments. Service Connection Identity Redistribution Management lets you select specific service connections for identity redistribution.
By default, all of your service connections, in order of proximity, are used for identity redistribution. However, you may not know which specific service connections are being used for identity redistribution at a given moment. And, depending on the number of service connections you have and the number of User-ID agents you’ve configured, this method for identity redistribution can test the limits of your system resources. To solve this, we now give you the option to decide which service connections you want to use for identity redistribution.

Cloud Management for NGFWs: IPSec VPN Monitoring

Because an IPSec VPN tunnel is a logical interface, it cannot reflect the status of the underlying physical link. This limitation can cause a firewall to continue routing traffic to an unusable path, leading to silent traffic loss until the failure is manually detected.
To address this, PAN-OS® now includes IPSec tunnel monitoring to actively verify connectivity to a target IP address through the tunnel. If the target becomes unreachable, the firewall marks the path as unusable and automatically initiates a failover. During failover, the existing tunnel is torn down, routing changes are triggered, and a new tunnel is established to redirect traffic. The feature provides status visibility for both the IKE gateway and individual IPSec tunnels, which allows the firewall to maintain high availability and reduce traffic loss.

Cloud Management for NGFWs: PA-450R Next-Generation Firewall Support

Securing industrial and remote environments requires a durable firewall capable of withstanding harsh conditions. The PA-450R is a rugged firewall appliance purpose-built to address this challenge. As an upgrade to the PA-220R, the PA-450R is designed for industrial, commercial, and government deployments. This hardware is also suited for installation in harsh environments with extreme temperatures and high humidity levels.
The PA-450R supports PAN-OS® 11.1 and later versions. It features two SFP/RJ-45 combo ports and six RJ-45 ports. Two of these ports are fail-open, providing a pass-through connection in the event of a power failure.
This appliance uses DC power and supports optional power redundancy. Its fanless design and rugged build allow for secure installation on a flat surface, wall, or equipment rack. This hardware meets ICS/SCADA system architecture compliance standards.

Cloud Management for NGFWs: PA-5445 Next-Generation Firewall

Securing enterprise data centers and regional headquarters demands a next-generation firewall with exceptional performance. The PA-5445 addresses this need as the highest-performance fixed form-factor model in the Palo Alto Networks® firewall lineup. It features hardware resources dedicated to networking, security, signature matching, and management.
The PA-5445 supports PAN-OS® 11.1 and later versions. It achieves the highest App-ID speed (93Gbps), L7 threat inspection rate (70Gbps), and session count (48M) in a fixed form-factor firewall. For connectivity, it includes eight RJ-45 ports, twelve SFP+ ports, four SFP28 ports, and four QSFP28 ports that support breakout mode. It also features dedicated HSCI and HA1 ports for high availability control.
The PA-5445 uses AC or DC power supplies and supports optional power redundancy. This hardware occupies 2RU of rack space and is designed to mount in a 19-inch equipment rack.

Cloud Management for NGFWs: Inline Best Practice Checks for Device Setup

Strata Cloud Manager lets you validate your configuration against predefined Best Practices and custom checks you create based on the needs of your organization. As you make changes to your service routes, connection settings, allowed services, and administrative access settings for the management and auxiliary interfaces for your firewalls, Strata Cloud Manager gives you assessment results inline so you can take immediate corrective action when necessary. This eliminates problems that misalignments with best practices can introduce, such as conflicts and security gaps.
Inline checks let you:
  • Gauge the effectiveness of, assess the impact of, and validate changes you make to your configuration using inline assessment results.
  • Prioritize and perform remediations based on the recommendations from the inline assessment.

Cloud Management for NGFWs: VM-Series Device Management

Previously, you had to manually include information such as DNS entries and IP addresses in the init.cfg file when creating a firewall image for your cloud environments. This release adds support for a bootstrapping process that allows you to configure newly deployed firewalls without manually configuring them prior to deployment. This new process associates the firewall with a Panorama managed host to automate the onboarding and configuration of your software firewall.
With this functionality, the bootstrapping process:
  • Automatically instantiates, onboards, and configures the firewall instance without prior knowledge of the firewall serial number.
  • Automatically onboards the Strata Cloud Manager tenant, which receives the initial configuration and becomes fully operational without manual intervention.
The bootstrapping process requires specific fields to function. For instance, the panorama-server field specifies cloud management for your Panorama host, initiating a TLS connection to the Strata Cloud Manager service edge. Setting the value to cloud initiates a connection to the service edge, while any other value is interpreted as a Panorama IP address or FQDN for a direct Panorama management connection. The value defined for panorama-server-2 is ignored when panorama-server=cloud.
You also need to define the Cloud Management folder using the dgname field, which maps the firewall to that folder. The vm-series-auto-registration-pin-id and vm-series-auto-registration-pin-value fields automate firewall instance instantiation by establishing the connection to the Strata Cloud Manager service edge. These PIN ID and PIN value fields are used to request a Thermite certificate, which authenticates the device and builds a secure connection to the cloud service, such as Strata Cloud Manager.
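As an added illustration (not code from Palo Alto Networks or from this page), the following Python checks an init.cfg against the field rules described above: panorama-server=cloud versus a Panorama address, the ignored panorama-server-2, the required dgname folder and the two PIN fields. The sample file contents, the placeholder PIN values and the check messages are constructed.

```python
"""Check the Strata Cloud Manager bootstrap fields of a VM-Series init.cfg.
Added example, not Palo Alto Networks code; samples and messages are constructed."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed sample: cloud-managed onboarding through Strata Cloud Manager.
SAMPLE_CLOUD_CFG = """\
hostname=vm-fw-01
panorama-server=cloud
panorama-server-2=10.0.0.5
dgname=Branch-Firewalls
vm-series-auto-registration-pin-id=<PIN-ID-PLACEHOLDER>
vm-series-auto-registration-pin-value=<PIN-VALUE-PLACEHOLDER>
"""

# Constructed sample: direct Panorama management (any value other than "cloud").
SAMPLE_PANORAMA_CFG = """\
hostname=vm-fw-02
panorama-server=panorama.example.internal
panorama-server-2=panorama-2.example.internal
dgname=DC-Firewalls
"""

PIN_FIELDS = ("vm-series-auto-registration-pin-id",
              "vm-series-auto-registration-pin-value")


def parse_init_cfg(text: str) -> dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line (no '='): {raw!r}")
        cfg[key.strip()] = value.strip()
    return cfg


@dataclass
class BootstrapPlan:
    mode: str                                            # "cloud" or "panorama"
    servers: list[str] = field(default_factory=list)     # Panorama IPs/FQDNs
    folder: str | None = None                            # Cloud Management folder (dgname)
    problems: list[str] = field(default_factory=list)    # missing required fields
    warnings: list[str] = field(default_factory=list)    # fields that are ignored


def plan_bootstrap(cfg: dict[str, str]) -> BootstrapPlan:
    """Apply the rules the release note states for panorama-server and related fields."""
    server = cfg.get("panorama-server", "")
    plan = BootstrapPlan(mode="cloud" if server == "cloud" else "panorama",
                         folder=cfg.get("dgname") or None)
    if plan.mode == "cloud":
        # TLS connection to the Strata Cloud Manager service edge; the PIN ID and
        # PIN value are used to request the certificate that authenticates the device.
        for key in ("dgname",) + PIN_FIELDS:
            if not cfg.get(key):
                plan.problems.append(f"{key} is required when panorama-server=cloud")
        if cfg.get("panorama-server-2"):
            plan.warnings.append("panorama-server-2 is ignored when panorama-server=cloud")
    else:
        # Any other value is a Panorama IP address or FQDN; a second one may follow.
        plan.servers = [s for s in (server, cfg.get("panorama-server-2", "")) if s]
        if not plan.servers:
            plan.problems.append("panorama-server is required")
    return plan
```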

Cloud Management for NGFWs: Security Posture Checks

Managing configuration compliance and security best practices often requires navigating multiple, siloed settings pages, leading to inconsistent enforcement and complex exception handling. Strata Cloud Manager now unifies these critical capabilities into Security Posture Settings, consolidating security check functionality previously split across AIOps and Cloud Manager pages. This unification streamlines your security workflow, allowing you to manage both predefined best practice checks (aligned with industry standards like CIS and NIST) and custom organizational checks from a single centralized location. This feature enhances policy granularity by offering a centralized Check Exception capability, allowing you to restrict where checks apply to your deployment rather than simply enabling or disabling them globally. Furthermore, security checks raise an Alert (default) for a failed check, or Block a configuration with failing checks from being pushed out to your deployment. Security checks also provide immediate, field-level feedback during policy creation, empowering you to address configuration deviations instantly and ensure alignment with best practices before any policy deployment.

Cloud Management for NGFWs: GlobalProtect

You can now use GlobalProtect with cloud-managed NGFWs to secure your mobile workforce. Enable your cloud-managed NGFWs as GlobalProtect gateways and portals, in order to provide flexible, secure remote access to users everywhere.
Whether checking email from home or updating corporate documents from an airport, the majority of today's employees work outside the physical corporate boundaries. This workforce mobility increases productivity and flexibility while simultaneously introducing significant security risks. Every time users leave the building with their laptops or smartphones, they are bypassing the corporate firewall and associated policies that are designed to protect both the user and the network. GlobalProtect™ solves the security challenges introduced by roaming users by extending the same next-generation firewall-based policies that are enforced within the physical perimeter to all users, no matter where they are located.

Cloud Management for NGFWs: IP Protocol Scan Protection

November 2, 2023
Malicious actors scan Internet Protocol (IP) protocol numbers to identify and exploit open and insecure protocols on target hosts. This reconnaissance technique involves cycling through IP protocol numbers to discover the IP protocols and services that the target host supports, sometimes with the help of automated tools. Starting with PAN-OS® 11.1, you can enable reconnaissance protection against IP protocol scans.
When enabled, your Next-Generation Firewall (NGFW) detects IPv4 and IPv6 protocol scans based on a specified number of scan events that occur within a specified interval. By default, your NGFW generates an alert in the Threat logs when these thresholds are met. However, you can configure the NGFW to take other actions, such as dropping subsequent packets from the source IP address to the target host for a specified time. To minimize false positives and allow legitimate activity, you can exclude the IP addresses of trusted internal groups performing vulnerability testing from this protection.
Details of each detected scan are available in Threat logs.
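The detection logic described above, modelled in Python as an added example (not PAN-OS code): a threshold of distinct protocol numbers within an interval per source and target, exclusion of a trusted internal range, and an optional window in which subsequent packets from the source to that host are dropped. The packets, addresses and parameter values are constructed.

```python
"""Threshold-based IP protocol scan detection over a constructed packet sample.
Added example, not PAN-OS code; all traffic and addresses here are constructed."""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float      # seconds
    src: str
    dst: str
    proto: int     # IP protocol number (1=ICMP, 6=TCP, 17=UDP, ...)


@dataclass(frozen=True)
class ScanEvent:
    ts: float
    src: str
    dst: str
    protocols: tuple[int, ...]   # distinct protocol numbers seen within the interval


class ProtocolScanDetector:
    def __init__(self, threshold: int, interval: float,
                 block_duration: float = 0.0, exclude: tuple[str, ...] = ()):
        self.threshold, self.interval = threshold, interval
        self.block_duration = block_duration             # 0 means alert only
        self.exclude = [ipaddress.ip_network(n) for n in exclude]
        self._win = defaultdict(deque)                   # (src, dst) -> (ts, proto) events
        self._blocked_until: dict[tuple[str, str], float] = {}
        self.events: list[ScanEvent] = []                # what would go to the Threat logs

    def observe(self, pkt: Packet) -> str:
        """Return the action for this packet: 'allow', 'alert' or 'drop'."""
        key = (pkt.src, pkt.dst)
        if any(ipaddress.ip_address(pkt.src) in net for net in self.exclude):
            return "allow"                               # trusted scanner, excluded
        if self._blocked_until.get(key, 0.0) > pkt.ts:
            return "drop"                                # inside the block window
        win = self._win[key]
        win.append((pkt.ts, pkt.proto))
        while pkt.ts - win[0][0] > self.interval:
            win.popleft()                                # age out events outside the interval
        protos = tuple(sorted({p for _, p in win}))
        if len(protos) < self.threshold:
            return "allow"
        # Threshold met: log the scan; later packets are dropped if a block window is set.
        self.events.append(ScanEvent(pkt.ts, pkt.src, pkt.dst, protos))
        win.clear()
        if self.block_duration > 0:
            self._blocked_until[key] = pkt.ts + self.block_duration
        return "alert"


# Constructed traffic: a normal client, a scanner cycling protocol numbers 1..6, and a
# trusted internal scanner in 10.0.0.0/24 that is excluded from the protection.
SAMPLE_PACKETS = [
    Packet(0.0, "198.51.100.7", "192.0.2.5", 6),
    Packet(0.5, "198.51.100.7", "192.0.2.5", 17),
] + [Packet(1.0 + i * 0.2, "203.0.113.10", "192.0.2.5", i) for i in range(1, 7)] \
  + [Packet(3.0 + i * 0.1, "10.0.0.25", "192.0.2.5", i) for i in range(1, 8)]


def run_detector(packets=SAMPLE_PACKETS, threshold=5, interval=10.0,
                 block_duration=60.0, exclude=("10.0.0.0/24",)):
    det = ProtocolScanDetector(threshold, interval, block_duration, exclude)
    return [det.observe(p) for p in packets], det.events
```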

Cloud Management for NGFWs: TLSv1.3 Support for SSL/TLS Service Profiles (Administrative Access)

November 2, 2023
You can now configure TLSv1.3 in SSL/TLS service profiles to secure administrative access to management interfaces. TLSv1.3 delivers several performance and security enhancements, including shorter SSL/TLS handshakes and more secure cipher suites. In an SSL/TLS service profile, you can select TLSv1.3 as the minimum or maximum supported protocol version for connections to the management interface. Selecting TLSv1.3 automatically enables the following TLSv1.3 cipher suites:
  • TLS-AES-128-GCM-SHA256
  • TLS-AES-256-GCM-SHA384
  • TLS-CHACHA20-POLY1305-SHA256
    TLS-CHACHA20-POLY1305-SHA256 is not supported in FIPS-CC mode.
However, you can deselect any key exchange algorithms, encryption algorithms, or authentication algorithms as needed. In addition to offering TLSv1.3 support, SSL/TLS service profiles now enable customization of the key exchange algorithms, encryption algorithms, and authentication algorithms supported.

Enforcing Authentication Cookie Validation

In mobile and roaming environments, preventing session hijacking is critical for maintaining robust security. Previously, an endpoint's authentication cookie could be used even if the device's network location changed, creating a potential security risk if the cookie was intercepted.
To mitigate this threat, you can now enforce that the GlobalProtect portal or gateway accepts authentication cookies only when the endpoint's IP address matches the original source IP address or falls within a designated network range. This security enhancement is important for maintaining session integrity in environments where users may roam within a campus or corporate subnet.
Enabling this capability ensures that if the network originally issued an authentication cookie to an endpoint within a secure network range, the cookie remains valid only for endpoints within that same network segment. By binding the authentication cookie to a designated network range, you mitigate the risk of unauthorized access attempts.
This existing feature in Panorama is now available in Prisma Access managed by Strata Cloud Manager. For more information, see GlobalProtect — Customize App Settings.
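An added Python example (not Palo Alto Networks code and not the product's cookie format) of the binding rule described above: a cookie is accepted only from the source IP it was issued to, or from an address within the designated network range, and never after expiry. The HMAC integrity tag, the cookie layout and the demo key are assumptions of this example; addresses and ranges are constructed.

```python
"""Validate an authentication cookie against the presenting endpoint's IP address.
Added example, not Palo Alto Networks code; layout, key and addresses are constructed."""
import base64
import hashlib
import hmac
import ipaddress
import json
import time

SERVER_KEY = b"constructed-demo-key"   # placeholder; a real service uses a managed secret
TAG_LEN = hashlib.sha256().digest_size


def issue_cookie(user, issued_to_ip, lifetime, allowed_range=None, now=None):
    """Bind the cookie to the source IP and (optionally) a designated network range."""
    payload = {"user": user, "ip": issued_to_ip, "range": allowed_range,
               "exp": (now or time.time()) + lifetime}
    body = json.dumps(payload, sort_keys=True).encode()
    tag = hmac.new(SERVER_KEY, body, hashlib.sha256).digest()   # prevents client-side edits
    return base64.urlsafe_b64encode(body + tag).decode()


def validate_cookie(cookie, client_ip, now=None):
    """Return 'accept:<reason>' or 'reject:<reason>' for a cookie presented from client_ip."""
    raw = base64.urlsafe_b64decode(cookie)
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(SERVER_KEY, body, hashlib.sha256).digest()):
        return "reject:tampered"
    payload = json.loads(body)
    if (now or time.time()) > payload["exp"]:
        return "reject:expired"
    ip = ipaddress.ip_address(client_ip)
    if ip == ipaddress.ip_address(payload["ip"]):
        return "accept:same-source"          # same endpoint address as at issue time
    if payload["range"] and ip in ipaddress.ip_network(payload["range"]):
        return "accept:in-range"             # roamed within the designated range
    return "reject:ip-mismatch"              # presented from outside the bound range
```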

End User Timeout Notifications

In remote and mobile work environments, unexpected session disconnections due to login lifetime or inactivity timeouts can interrupt user workflow and lead to poor productivity. Without advance warning, users may lose their context or unsaved work.
To prevent this frustrating experience, administrators can now configure timeout settings that proactively notify end users before a GlobalProtect session disconnects. This capability allows you to customize the following to provide a better user experience:
  • Advance Warning for Expiry: Set the amount of advance notice users receive before a session expires due to the maximum Login Lifetime or Inactivity Logout period being reached.
  • Custom Notifications: Tailor the notification message content to clearly inform users why their session is ending and what their next steps should be.
  • Administrator Logout Message: Specify whether to notify end users and customize the display message when an administrator manually logs them out of a session.
By clearly communicating when sessions are about to expire, you help users save their work and re-establish a connection without interruption, improving security posture and reducing help desk tickets related to sudden disconnections.
This existing feature in Panorama is now available in Prisma Access managed by Strata Cloud Manager. For more information, see Configure Timeout Settings.

Separate Client Authentication for Portal and Gateway

Prisma Access now allows you to separate client authentication for portals and gateways for enhanced security and flexibility. You can apply distinct certificate profiles to each. This feature is supported for both multi-portal and coexistent tenants.

IoT Security: Device Visibility and Automatic Policy Rule Recommendations

Strata Cloud Manager integrates with IoT Security to provide visibility into the devices on your network and automated policy rule recommendations for policy enforcement on next-generation firewalls and Prisma Access. By having Device Security functionality in Strata Cloud Manager, IoT device visibility and policy rule recommendations become available in the same platform you're using to manage firewalls and interact with other network security products.
When your firewalls or Prisma Access is subscribed to Device Security, you can use the following IoT Security features from the Strata Cloud Manager web interface:
  • IoT Security Dashboard: In Strata Cloud Manager, there is an IoT Security dashboard with information about the devices on the network, their device profiles and operating systems, and how they are distributed by device type across subnets. For advanced Device Security products (Enterprise Device Security Plus, Industrial Device Security, or Medical Device Security), the IoT Security dashboard additionally displays the total number of active alerts to date and vulnerabilities to date.
  • Assets Inventory: See a dynamically maintained inventory of the devices on your network with numerous attributes for each one such as its IP and MAC addresses; profile, vendor, model, and OS; and (for advanced Device Security products) its device-level risk score.
  • Security Policy Rule Recommendations: Device Security provides Strata Cloud Manager with automatically generated Security policy rule recommendations organized by device profile. There is one recommendation per application per profile. Choose a profile, select the rule recommendations you want to use, and then the next-generation firewalls or Prisma Access sites where you want to enforce them.