Strata Cloud Manager
New Features in November 2023
Here are the new features available in Strata Cloud Manager in November 2023. Features listed here include some feature highlights for the products supported with Strata Cloud Manager. For the full list of new features supported for a product you're using with Strata Cloud Manager, see the release notes for that product.
Cloud Management for NGFWs: Capacity Analyzer Alerts
November 20, 2023
Capacity Analyzer has been enhanced to include support for alerts, assisting you in the following:
Now supported for Cloud Management for NGFWs (with an AIOps for NGFW Premium license).
Sometimes, you can encounter a predicament where particular features on
your Next-Generation Firewalls (NGFW) approach their capacity thresholds, resulting
in diminished system performance and operational disruptions. Dealing with
capacity-related issues can be time-consuming, and unfortunately, these issues tend
to come to light only after the limits are breached.
The Capacity Analyzer feature allows
monitoring of device resource capacity by tracking metrics usage based on model
types. This feature includes a heatmap visualization to display resource consumption
rates and locations for each metric. It also enables planning for upgrading to
higher capacity firewalls based on specific needs. This proactive approach ensures
that you know about potential capacity constraints, allowing you to take preemptive
action to safeguard your business operations.
Prisma SD-WAN: Public Cloud High Availability (HA)
You can now reduce complexity and increase resiliency by adding high availability to
your SD-WAN for next-generation firewall public cloud deployments. Configure up to
four IP addresses per SD-WAN
interface, allowing you to deploy SD-WAN on public clouds to achieve failover in
high availability active/passive configurations. Minimize the downtime and ensure
session survivability using the active/passive HA failover in public cloud SD-WAN
environments.
Currently, this feature is available on deployments using VM-Series in Azure and AWS
public cloud HA environments by configuring a second floating IP address on the
SD-WAN interfaces. The floating IP on the SD-WAN interface of the external zone must
match that of the internal zone. In the illustration, observe that 10.0.2.100
is the common floating IP between the external and internal zones during an HA
failover.
This feature is supported on PAN-OS 11.1.0 and above and on IPv4 addresses
only.
The following illustration is an example of VM-Series deployment in Azure HA
A/P topology and shows how the secondary floating IP address is from
the same subnet and applied to both trust and untrust zones of the SD-WAN
interface.
In AWS instances, you can configure HA A/P failover using
multiple ways, one of which is using a second IP address that acts as the floating
IP.
Prisma Access: Cloud-Delivered Enterprise Network Integration
Palo Alto Networks Prisma Access and Google Cloud Platform's
Cross-Cloud Network (GCP CCN) bring high bandwidth, secure, and reliable
connectivity to public and private apps for mobile users and users at the remote
offices or branch sites. The GCP CCN integration with Prisma Access is a
joint solution by the two organizations to address the challenges that you can face
in a multicloud environment when you begin to use colocation (CoLo) facilities for
multicloud and on-premises connectivity:
- Managing the network infrastructure can be complex and expensive if users need to access private apps hosted by different cloud service providers (CSPs) using a CoLo facility.
- Using multiple security products to secure apps can result in having an inconsistent security stack across your network and your organization's users.
- Connecting with a high-bandwidth (more than 1 Gbps) connection to large branches or campus locations from a CoLo facility to a Prisma Access remote network isn't possible.
Prisma Access integrates with GCP CCN to provide security
inspection for internet-bound traffic and to the private apps that are hosted in
GCP, on-premises, or in a third-party cloud connected through GCP CCN. You can
onboard remote sites connected through GCP CCN as either a remote network or as a
service connection. This way, mobile users (on-ramp) and remote networks (off-ramp)
can access public or private apps securely through Prisma Access.
Prisma Access: Remote Browser Isolation
Browser and web-based attacks are continuously evolving, resulting in security
challenges for many enterprises. Web browsers, being a major entry point for malware
to penetrate networks, pose a significant security risk to enterprises, prompting
the increasing need to protect networks and devices from zero day attacks. Highly
regulated industries, such as government and financial institutions, also require
browser traffic isolation as a mandatory compliance requirement.
While most enterprises want to block 100% of attacks by using network security and
endpoint security methods, such a goal might not be realistic. Most attacks start
with the compromise of an endpoint that connects to malicious or compromised sites
or by opening malicious content from those sites. An attacker only needs one miss to
take over an endpoint and compromise the network. When this happens, the
consequences of that compromise and the impact to your organization can be
damaging.
Remote Browser Isolation (RBI) creates a no-code
execution isolation environment for a user's local browser, so that no website code
and files are executed on their local browser. Unlike other isolation solutions, RBI
uses next-generation isolation technologies to deliver near-native experiences for
users accessing websites without compromising on security.
RBI is a service that isolates and transfers all browsing activity away from the
user's managed devices and corporate networks to an outside entity such as Prisma
Access, which secures and isolates potentially malicious code and content within
their platform. Natively integrated with Prisma Access, RBI allows you to apply
isolation profiles easily to existing security policies. Isolation profiles can
restrict many user controls such as copy and paste actions, keyboard inputs, and
sharing options like file uploading, downloading, and printing files to keep
sensitive data and information secure. All traffic in isolation undergoes analysis
and threat prevention provided by Cloud-Delivered Security Services (CDSS) such as
Advanced Threat Prevention, Advanced WildFire, Advanced URL Filtering, DNS Security,
and SaaS Security.
Prisma Access: Service Connection Identity Redistribution Management
Sometimes, granular controls are needed for user-ID redistribution in
particularly large scale Prisma Access deployments. Service Connection Identity
Redistribution Management lets you select specific service connections for identity redistribution.
By default, all of your service connections, in order of proximity, are
used for identity redistribution. However, you may not know which specific service
connections are being used for identity redistribution at a given moment. And,
depending on the number of service connections you have and the number of User-ID
agents you’ve configured, this method for identity redistribution can test the
limits of your system resources. To solve this, we now give you the option to decide
which service connections you want to use for identity redistribution.
Cloud Management for NGFWs: IPSec VPN Monitoring
You can now view the status of the IPSec VPN tunnels
to know whether or not valid IKE and IPSec SAs have been established, and whether
the tunnel interface is up and available for passing traffic.
Because the tunnel interface is a logical interface, it can’t indicate a
physical link status. Therefore, you must use IPSec tunnel monitoring so that the
tunnel interface can verify connectivity to an IP address and determine if the path
is still usable. If the IP address is unreachable, the firewall will either wait for
the tunnel to recover or failover. When a failover occurs, the existing tunnel is
torn down, and routing changes are triggered to set up a new tunnel and redirect
traffic.
With the IPSec VPN tunnel monitoring feature, you can view the tunnel status:
- VPN cluster tunnel status
- IPSec tunnel status
- IKE gateway status
- VPN tunnel status
View the overall status of all the IPSec tunnels, IPSec tunnel status per device, and
detailed status of each IPSec tunnel.
Cloud Management for NGFWs: PA-450R Next-Generation Firewall Support
The PA-450R is a new rugged firewall appliance
that upgrades the PA-220R firewall. The PA-450R is designed for industrial,
commercial, and government deployments. The hardware is suited for installation in
harsh environments with extreme temperatures and high humidity levels.
The PA-450R is supported on PAN-OS 11.1 and later versions. The
firewall features two SFP/RJ-45 combo ports and six RJ-45 ports. The RJ-45 ports
include two fail-open ports that can be configured to provide a pass-through
connection in the event of a power failure.
The PA-450R is powered by DC power and optionally supports power
redundancy. The device has a fanless design and can be installed on a flat surface,
wall, and equipment rack. The hardware is compliant with ICS/SCADA system
architecture.
Cloud Management for NGFWs: PA-5445 Next-Generation Firewall
The PA-5445 adds the highest performance fixed
form-factor model to the Palo Alto Networks® Next-Generation Firewall lineup. This
firewall, supported on PAN-OS 11.1 and later versions, features hardware resources
dedicated to networking, security, signature matching, and management. The PA-5445
is ideal for deployments in enterprise data centers, headquarters, and regional
offices.
The PA-5445 has the highest App-ID speed (93Gbps), L7 threat
inspection rate (70Gbps), and session count (48M) in a fixed form-factor
firewall.
The PA-5445 features eight RJ-45 ports, twelve SFP+ ports, four
SFP28 ports, and four form-factor pluggable QSFP28 ports that support breakout mode.
The firewall also features dedicated HSCI and HA1 ports for high availability
control.
The PA-5445 can be powered by AC or DC power supplies and
optionally supports power redundancy. The hardware takes up 2RU of rack space and
should be mounted in a 19” equipment rack.
Cloud Management for NGFWs: Inline Best Practice Checks for Device Setup
Strata Cloud Manager lets you validate your configuration against
predefined Best Practices and custom checks
you create based on the needs of your organization. As you make changes to your
service routes, connection settings, allowed services, and administrative access
settings for the management and auxiliary interfaces for your firewalls, Strata
Cloud Manager gives you assessment results inline so you can take immediate
corrective action when necessary. This eliminates problems that misalignments with
best practices can introduce, such as conflicts and security gaps.
Inline checks let you:
- Gauge the effectiveness of, assess the impact of, and validate changes you make to your configuration using inline assessment results.
- Prioritize and perform remediations based on the recommendations from the inline assessment.
Cloud Management for NGFWs: VM-Series Device Management
This release adds support for a bootstrapping process that allows you to configure
newly deployed firewalls without manually configuring them prior to deployment.
Previously, a firewall image was created for your cloud environments that required
you to manually include information such as DNS entries and IP addresses in the
init.cfg file.
This new process associates the firewall with a Panorama management host to automate
the onboarding and configuration of your software firewall. With this functionality,
the bootstrapping process:
- Automatically instantiates, onboards, and configures the firewall instance without prior knowledge of the firewall serial number.
- Automatically onboards the Strata Cloud Manager tenant, from which the tenant receives the initial configuration and becomes fully operational without manual intervention.
Create the bootstrap package with the following fields:
- panorama-server. Use this field to specify cloud management for your Panorama host. This field initiates a TLS connection to the Strata Cloud Manager service edge. For example, panorama-server=cloud. Values other than cloud are interpreted as a Panorama IP address or FQDN and will initiate a Panorama management connection. A value defined for panorama-server-2 is ignored when panorama-server=cloud.
- dgname. This field is used to define the Cloud Management folder to which the firewall is mapped.
- vm-series-auto-registration-pin-id. Include the VM-Series registration PIN ID. This automates the process of instantiating the firewall instance by establishing the connection to the Strata Cloud Manager service edge.
- vm-series-auto-registration-pin-value. Include the VM-Series registration PIN VALUE to automate the process of instantiating the firewall instance by establishing the connection to the Strata Cloud Manager service edge.
The PIN ID and PIN VALUE fields are used to request a Thermite certificate. This certificate is used to authenticate the device and build a secure connection to the cloud service, such as Strata Cloud Manager.
Cloud Management for NGFWs: Security Posture Checks
Strata Cloud Manager leverages a set of predefined Best Practice Checks that align
with industry-specific standard cybersecurity controls, such as CIS (Center for
Internet Security) and NIST (National Institute of Standards and Technology) and
custom checks you create based on the specific needs of your organization. These
checks evaluate configurations, identifying deviations from best practices or
compliance requirements. Previously, we collectively called these
Compliance Checks.
For this release, we've rolled Compliance Checks into
Security Posture Settings. Security Posture Settings brings together
the functionality of both the AIOps and Cloud Manager security check settings
pages.
Security Checks also now let you:
- Create custom checks by cloning select existing checks, making check customization even easier.
- Exclude checks from being applied to your deployment. In special cases where you want to turn off certain checks for some areas of your deployment or there are reasons specific checks don't make sense for you, instead of disabling them, now you can restrict where checks are applied in your deployment.
- The new Check Exception feature replaces the "Enable/Disable" functionality of the old settings page.
- Cloud Manager support for real-time inline check exemptions isn't available in this release, but we're working hard to bring it to you soon.
- Raise an Alert (default) for a failed check, or Block a configuration with failing checks from being pushed out to your deployment.
- Get field-level, inline checks during policy creation and device setup that show you where your configuration does not align with best practice or custom checks, inline, so you can take immediate action.
Cloud Management for NGFWs: GlobalProtect
You can now use GlobalProtect with
cloud-managed NGFWs to
secure your mobile workforce. Enable your cloud-managed NGFWs as
GlobalProtect gateways and portals, in order to provide
flexible, secure remote access to users everywhere.
Whether checking email from home or updating corporate documents from an airport, the
majority of today's employees work outside the physical corporate boundaries. This
workforce mobility increases productivity and flexibility while simultaneously
introducing significant security risks. Every time users leave the building with
their laptops or smart phones, they are bypassing the corporate firewall and
associated policies that are designed to protect both the user and the network.
GlobalProtect™ solves the security challenges
introduced by roaming users by extending the same next-generation firewall-based
policies that are enforced within the physical perimeter to all users, no matter
where they are located.
Cloud Management for NGFWs: IP Protocol Scan Protection
November 2, 2023
Supported on Strata Cloud Manager for:
Palo Alto Networks now offers reconnaissance protection for IP protocol
scans. IP protocol scans cycle through IP protocol numbers to determine the IP
protocols and services supported by target machines. Malicious actors use this
scanning technique to identify and exploit open and insecure protocols. This feature
enables your firewall to detect and block, allow, or alert on these scans. For
example, you can configure the firewall to drop subsequent packets from a host
exhibiting behavior consistent with IP protocol scans.
You can configure protection against IP protocol scans in the Reconnaissance
Protection settings of a Zone Protection profile. The firewall identifies IP
protocol scans based on the specified number of scan events that occur within a
specified interval. If necessary, you can exclude the IP addresses of trusted
internal groups performing vulnerability testing from reconnaissance protection.
Details of each detected scan are available in the Threat logs.
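As an added illustration (not Palo Alto Networks code) of the detection logic described above, the following sliding-window detector counts distinct IP protocol numbers seen from each source within an interval, raises an alert or drops subsequent packets once the threshold is reached, and honors an exclusion list for trusted internal scanners. The event sample, the threshold and the interval are constructed; a real Zone Protection profile also bounds how long a block lasts, which this simplification omits.

```python
from collections import defaultdict, deque

# Constructed sample of (timestamp_seconds, source_ip, ip_protocol_number) events as a
# firewall would observe them. 10.0.0.5 walks protocol numbers; 10.0.0.9 is normal
# traffic; 10.0.0.42 stands in for an approved internal vulnerability scanner.
SAMPLE_EVENTS = [
    (0.0, "10.0.0.5", 6), (0.5, "10.0.0.5", 17), (1.0, "10.0.0.5", 47),
    (1.2, "10.0.0.5", 50), (1.6, "10.0.0.5", 51), (2.0, "10.0.0.5", 89),
    (3.0, "10.0.0.9", 6), (4.0, "10.0.0.9", 6), (5.0, "10.0.0.9", 17),
    (0.3, "10.0.0.42", 1), (0.4, "10.0.0.42", 2),
]


class ProtocolScanDetector:
    """Flag a source once it has used `threshold` distinct IP protocol numbers
    within `interval` seconds. action is 'alert' or 'block'."""

    def __init__(self, threshold, interval, action="alert", exclude=()):
        self.threshold = threshold
        self.interval = interval
        self.action = action
        self.exclude = set(exclude)      # trusted sources exempt from reconnaissance protection
        self.windows = defaultdict(deque)  # src -> deque of (timestamp, protocol)
        self.blocked = set()             # sources whose subsequent packets are dropped

    def observe(self, ts, src, proto):
        """Return the verdict for one packet: 'allow', 'alert' or 'drop'."""
        if src in self.exclude:
            return "allow"
        if src in self.blocked:
            return "drop"
        window = self.windows[src]
        window.append((ts, proto))
        # Slide the window: discard events older than the interval.
        while window and ts - window[0][0] > self.interval:
            window.popleft()
        distinct_protocols = {p for _, p in window}
        if len(distinct_protocols) >= self.threshold:
            if self.action == "block":
                self.blocked.add(src)
                return "drop"
            return "alert"
        return "allow"


def run_detector(events, detector):
    """Feed events in timestamp order; return {source_ip: [verdict, ...]}."""
    verdicts = defaultdict(list)
    for ts, src, proto in sorted(events):
        verdicts[src].append(detector.observe(ts, src, proto))
    return dict(verdicts)


if __name__ == "__main__":
    det = ProtocolScanDetector(threshold=5, interval=2.0, action="block",
                               exclude={"10.0.0.42"})
    for src, decisions in run_detector(SAMPLE_EVENTS, det).items():
        print(src, decisions)
```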
Cloud Management for NGFWs: TLSv1.3 Support for SSL/TLS Service Profiles (Administrative Access)
November 2, 2023
Supported on Strata Cloud Manager for:
You can now configure TLSv1.3 in SSL/TLS service profiles to secure
administrative access to management interfaces. TLSv1.3 delivers several performance
and security enhancements, including shorter SSL/TLS handshakes and more secure
cipher suites. In an SSL/TLS service profile, you can select TLSv1.3 as the minimum
or maximum supported protocol version for connections to the management interface.
Selecting TLSv1.3 automatically enables the following TLSv1.3 cipher suites:
- TLS-AES-128-GCM-SHA256
- TLS-AES-256-GCM-SHA384
- TLS-CHACHA20-POLY1305-SHA256
TLS-CHACHA20-POLY1305-SHA256 is not supported in FIPS-CC mode.
However, you can deselect any key exchange algorithms, encryption algorithms,
or authentication algorithms as needed. In addition to offering TLSv1.3 support, SSL/TLS
service profiles now enable customization of the key exchange algorithms, encryption
algorithms, and authentication algorithms supported.
Source IP Address Enforcement for Authentication Cookies
You can configure the GlobalProtect portal or gateway to accept cookies from
endpoints only when the IP address of the endpoint matches the original source IP
addresses for which the cookie was issued or when the IP address of the endpoint
matches a specific network IP address range. You can define the network IP address
range using a CIDR subnet mask, such as /24 or /32. For example, if an
authentication cookie was originally issued to an endpoint with a public source IP
address of 201.109.11.10, and the subnet mask of the network IP address range is set
to /24, the authentication cookie is subsequently valid on endpoints with public
source IP addresses within the 201.109.11.0/24 network IP address range. For more
information, see GlobalProtect — Customize App
Settings.
This is an existing feature in Panorama and is now introduced in Prisma Access
managed by Strata Cloud Manager.
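The rule described above, as an added example that is not part of the original page or of GlobalProtect itself: the cookie is accepted only when the presenting endpoint's address falls inside the network obtained by masking the originally issued address with the configured prefix length. The cookie registry and the endpoint addresses are constructed; 201.109.11.10 and /24 are taken from the text.

```python
import ipaddress


def cookie_accepted(issued_ip, endpoint_ip, prefix_len):
    """Return True when endpoint_ip is inside issued_ip/prefix_len.

    /32 degenerates to an exact match with the original source IP; a shorter
    prefix widens the range, e.g. /24 accepts the whole 201.109.11.0/24 network."""
    issued = ipaddress.ip_address(issued_ip)
    endpoint = ipaddress.ip_address(endpoint_ip)
    if issued.version != endpoint.version:
        return False  # an IPv4 cookie never matches an IPv6 presenter, and vice versa
    allowed = ipaddress.ip_network(f"{issued}/{prefix_len}", strict=False)
    return endpoint in allowed


def evaluate_presentations(issued_by_cookie, presentations, prefix_len):
    """Decide each (cookie_id, endpoint_ip) presentation against the registry of
    cookie_id -> IP the cookie was issued to. Unknown cookie ids are rejected."""
    decisions = []
    for cookie_id, endpoint_ip in presentations:
        issued_ip = issued_by_cookie.get(cookie_id)
        ok = issued_ip is not None and cookie_accepted(issued_ip, endpoint_ip, prefix_len)
        decisions.append((cookie_id, endpoint_ip, ok))
    return decisions


# Constructed registry and presentations; only the 201.109.11.10 / /24 pair is from the text.
ISSUED = {"c1": "201.109.11.10", "c2": "198.51.100.7"}
PRESENTATIONS = [
    ("c1", "201.109.11.10"),   # same address the cookie was issued to
    ("c1", "201.109.11.200"),  # same /24, accepted under a /24 setting
    ("c1", "201.109.12.5"),    # different /24, rejected
    ("c2", "198.51.100.7"),
    ("c9", "198.51.100.7"),    # unknown cookie id
]

if __name__ == "__main__":
    for row in evaluate_presentations(ISSUED, PRESENTATIONS, 24):
        print(row)
```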
End User Timeout Notifications
Administrators can now configure timeout settings to notify end
users before a GlobalProtect session disconnects. This is an existing feature in
Panorama and is now introduced in Prisma Access managed by Strata Cloud Manager.
Separate Client Authentication for Portal and Gateway
Prisma Access now allows you to separate client authentication for portals and gateways
for enhanced security and flexibility. You can apply distinct certificate profiles to
each. This feature is supported for both multi-portal and coexistent tenants.
IoT Security: Device Visibility and Automatic Policy Rule Recommendations
Strata Cloud Manager integrates with IoT Security to provide visibility into the devices on
your network and automated policy rule recommendations for policy enforcement on
next-generation firewalls and Prisma Access. By having IoT Security functionality in Strata Cloud Manager, IoT device
visibility and policy rule recommendations become available in the same platform
you're using to manage firewalls and interact with other network security
products.
When your firewalls or Prisma Access is subscribed to IoT Security, you can use the following IoT Security features from the Strata Cloud Manager web interface:
- IoT Security Dashboard: In Strata Cloud Manager, there is an IoT Security dashboard with information about the devices on the network, their device profiles and operating systems, and how they are distributed by device type across subnets. For advanced IoT Security products (Enterprise IoT Security Plus, Industrial IoT Security, or Medical IoT Security), the IoT Security dashboard additionally displays the total number of active alerts to date and vulnerabilities to date.
- Assets Inventory: See a dynamically maintained inventory of the devices on your network with numerous attributes for each one such as its IP and MAC addresses; profile, vendor, model, and OS; and (for advanced IoT Security products) its device-level risk score.
- Security Policy Rule Recommendations: IoT Security provides Strata Cloud Manager with automatically generated Security policy rule recommendations organized by device profile. There is one recommendation per application per profile. Choose a profile, select the rule recommendations you want to use, and then the next-generation firewalls or Prisma Access sites where you want to enforce them.