New Features - Device Security - October 2025


Device Security Integration with ManageEngine Endpoint Central

Release Date: October 2025 | Last Updated: May 2026

Device Security supports integrating with ManageEngine Endpoint Central to learn about endpoints and vulnerabilities from ManageEngine. Device Security can retrieve device details or vulnerabilities from ManageEngine, and it uses that information to enrich the Device Security inventories and risk visibility. Device Security also creates new devices in the assets inventory for devices learned through the ManageEngine integration.

Device Security Integration with Microsoft DHCP Servers

Release Date: December 2025 | Last Updated: May 2026

(December 2025) Device Security can now learn about static IP addresses and DHCP leases when integrating with Microsoft DHCP Servers.

(October 2025) Device Security supports integrating with Microsoft DHCP Servers to learn about DHCP clients from the servers. Device Security can retrieve information such as multi-interface configurations, installed software, DHCP reserved IP addresses, and BitLocker status, and Device Security uses that information to enrich its inventories.

Device Security Integration with SentinelOne Singularity Endpoint

Release Date: October 2025 | Last Updated: May 2026

Device Security supports integrating with SentinelOne Singularity Endpoint to learn about endpoints and vulnerabilities from SentinelOne. Device Security can retrieve device details or vulnerabilities from SentinelOne Singularity, and it uses that information to enrich the Device Security inventories and risk visibility. Device Security also creates new devices in the assets inventory for devices learned through the SentinelOne integration.

Device Security Integration with Siemens Industrial Asset Hub

Release Date: October 2025 | Last Updated: May 2026

Device Security supports integrating with Siemens Industrial Asset Hub to learn about devices managed by Siemens Industrial Asset Hub. Device Security can retrieve device details from Siemens and use that information to enrich the Device Security inventory. Device Security also creates new devices in the assets inventory for devices learned through the Siemens Industrial Asset Hub integration.

Enhancements for the Microsoft SCCM Integration

Release Date: October 2025 | Last Updated: May 2026

Device Security can now learn additional information when integrated with Microsoft SCCM. When configuring the integration instance, you can choose to have Device Security learn the following information:

  • Installed software
  • Windows updates
  • BitLocker data

Inbound Policy Rule Recommendations for Device Security

Release Date: March 2026 | Last Updated: May 2026

(September 2025) Introduced in PAN-OS 11.1.11.

Device Security enables you to secure your connected device environments with both inbound and outbound policy recommendations. While PAN-OS and Panorama initially supported only outbound policy recommendations, the addition of inbound policy recommendations lets you create a more comprehensive security posture for your IT and IoT devices. Creating policy rule recommendations based on both outbound and inbound profile behaviors helps prevent vulnerability exploitation, lateral movement, and other security risks that outbound policies alone cannot address.

You can now view both inbound and outbound behaviors for device profiles in the UI and create security policies accordingly. For outbound behaviors, the source is the IT/IoT device profile, while the destination can be any. For inbound behaviors, you can now set the source as any, and the destination is the IT/IoT device profile. This symmetrical approach lets you control both what your IT/IoT devices can access and which other enterprise sources can access your IT/IoT devices, implementing a true Zero Trust security model.

The policy recommendation workflow supports both per-device and per-profile levels, giving you flexibility in how you implement security policies. When creating policies, you can specify source and destination attributes including device profiles, IP addresses, and FQDNs. The naming convention for policies intelligently selects the appropriate profile name (whether in source or destination) to ensure clarity in your policy set. For policy rule recommendations based on inbound profile behaviors, the name has "-inbound" appended.

By leveraging both inbound and outbound policy recommendations, you can significantly reduce your attack surface by allowing only trusted behaviors for your IT/IoT devices. This is particularly valuable for securing critical infrastructure and sensitive device deployments where you need to control both inbound and outbound traffic.

Medical Device Recalls for Device Security

Release Date: January 2026 | Last Updated: May 2026

(January 2026) Device Security now includes information from the European Union’s Medical Device Regulation (EU MDR) for medical device recalls. In the Recalls table, view the Source column to see if the recall comes from EU MDR.

(December 2025) When the Medical Device Security vertical is enabled, you can filter the Recalls table by the Source attribute.

(October 2025) Device Security now includes information from Germany's Federal Institute for Drugs and Medical Devices (Bundesinstitut für Arzneimittel und Medizinprodukte, BfArM) for medical device recalls. In the Recalls table, view the Source column to see if the recall comes from BfArM.

Manually tracking medical device recalls across multiple regulatory bodies is often a complex, error-prone process that can compromise patient safety and regulatory compliance. Device Security includes a Medical Device Recalls page that helps you identify and respond to recalls for medical devices in your network.

The Medical Device Recalls page provides a centralized view of all recalls for medical devices in your network, including the recall identifier, the recall status, the recall source, and the recalled devices and profiles in your network. You can view the recall source file by clicking on the Recall ID.

This centralized view of recalls helps you maintain regulatory compliance, reduce the operational overhead of manual tracking, and proactively mitigate risks associated with compromised medical equipment.

Network Discovery Plugin 2.2.x and 3.0.x

Release Date: October 2025 | Last Updated: May 2026

(October 2025) The Network Discovery plugin version 2.2.3 introduces an enhancement for SNMP crawling to skip IP phones. This helps improve runtime and performance for an SNMP crawl. Version 2.2.3 also includes a number of addressed issues to improve runtime performance and results. See Known Issues in Network Discovery 2.2 for a full list of addressed issues. The Network Discovery plugin version 3.0.1 includes the same functionality as Network Discovery 2.2.3 for firewalls running PAN-OS 12.1.2 and later.

(August 2025) The Network Discovery plugin version 2.2.2 includes a number of addressed issues to improve runtime performance and results output. See Known Issues in Network Discovery 2.2 for a full list of addressed issues.

(July 2025) The Network Discovery plugin version 2.2.1 includes a number of addressed issues to improve configuration and runtime performance. See Known Issues in Network Discovery 2.2 for a full list of addressed issues.

New Polling Integration Protocol Support for Device Security

Release Date: January 2026 | Last Updated: May 2026

(January 2026) The Device Security polling integration with Cortex XSOAR now supports the following protocols for polling:

  • GE CARESCAPE Gateway

  • Ping/ICMP Connection Test and ICMP Traffic

  • Hikvision for custom OID

  • Axis Communications for older devices

(October 2025) The Device Security polling integration with Cortex XSOAR now supports the following protocols for polling:

  • Beckhoff TwinCAT UDP

  • Codesys TCP

  • Siemens PLC HTTP/HTTPS

(August 2025) The Device Security polling integration with Cortex XSOAR now supports the following protocols for polling:

  • HTTP / HTTPS banner extraction

  • GE-SRTP

  • Beckhoff TwinCAT

(April 2025) The Device Security polling integration with Cortex XSOAR now supports the following protocols for polling:

  • Axis Communications

  • FTP Banner

Additionally, you can now provide a DNS server when configuring polling with reverse DNS to get device hostnames.

(January 2025) The Device Security polling integration with Cortex XSOAR now supports the following protocols for polling:

  • Cognex Discovery

  • EPM

  • Moxa

  • Niagara Fox

Support all Attributes for Advanced Device-ID

Release Date: October 2025 | Last Updated: May 2026

When creating an Advanced Device-ID object in Device Security, you can now select from all device attributes for the matching criteria. This includes using third-party device attributes for the matching criteria. While you can select from all device attributes, you can only include up to 30 attributes for each Device-ID object, and you can't cross-reference to alert or vulnerability attributes. To take advantage of this expanded support for device attributes, your firewalls receiving Device Context (verdicts) must be running PAN-OS 12.1.2 or later, and you must enable Advanced Device-ID.

Support for User-Defined Managed Devices

Release Date: October 2025 | Last Updated: May 2026

Device Security adds a new System-created Custom Attribute called Managed Status. You can edit the Value Rule for Managed Status to automate when and which devices should automatically be marked as managed or unmanaged. Unlike other custom attributes, you can define the Managed Status attribute with saved queries or saved filters. To view and customize the Managed Status custom attribute, visit the Custom Attributes page in Device Security in Strata Cloud Manager.

Support Overlapping IP Addresses for Third-Party Integrations

Release Date: October 2025 | Last Updated: May 2026

Device Security now supports adding third-party integration instances to network segments. You can configure network segments with third-party integration instances, firewalls, or both. By adding third-party integration instances to network segments, you ensure that devices and attributes learned from third parties are mapped correctly in instances where you may have overlapping IP addresses in your network.

System Alerts for Integration Job Failures

Release Date: October 2025 | Last Updated: May 2026

Device Security now generates daily system alerts as a System Event when third-party integration jobs fail. If jobs run multiple times a day, the system alert only happens if more than 50% of jobs fail. To get email notifications about the system alerts, update the setting under System Event Notifications Configuration in Device Security in Strata Cloud Manager.