New Features

Next-Generation Firewall

New Features

Table of Contents

New Features

Review the latest features supported with AIOps for NGFW Premium and Free licenses.
Review the latest new features that are supported with your AIOps for NGFW Premium or AIOps for NGFW Free licenses.
Also check out:

AIOps for NGFW
on the
Strata Cloud Manager

AIOps for NGFW is now supported on the new
Strata Cloud Manager
platform. Starting in June 2023, we'll be rolling out phased updates to provide you with the new platform experience. We'll be updating your
AIOps for NGFW
app so that it is on the
Strata Cloud Manager
platform, alongside your other Palo Alto Networks products and subscriptions that are supported for unified management. This change gives you a new navigation for your
AIOps for NGFW
features, introduces new features, and means you can use common workflows and features across AIOps for NGFW and your other products that are also updated for
Strata Cloud Manager
. Learn more:
Introducing Strata Cloud Manager: The AI-Powered Network Security Platform
Palo Alto Networks
Strata Cloud Manager
is the new AI-Powered network security management and operations platform. With
Strata Cloud Manager
, you can easily manage and monitor your Palo Alto Networks network security infrastructure ━ your NGFWs and SASE environment ━ from a single, streamlined user interface. This new cloud management experience gives you:
  • Shared policy for SASE and your NGFWs, and a unified view into security effectiveness.
  • AI-Powered ADEM for Prisma SASE; this new Prisma Access add-on license automates complex IT operations, to increase productivity and reduce time to resolution for issues.
  • Best practice recommendations and workflows to strengthen security posture and eliminate risk.
  • A common alerting framework that identifies network disruptions, so you can maintain optimal health and performance.
  • Enhanced user experience, with contextual and interactive use-case driven dashboards and license-aware data enrichment.
Learn more about Strata Cloud Manager

Proactive Support Ticket for Alerts

AIOps for NGFW now proactively creates a support ticket in the event of an issue. This feature is enabled by default. With this functionality, AIOps for NGFW helps you promptly address issues, preventing the delays and disruptions that manual processes can bring. Proactive support ticket is created for the following alerts:
  • Degraded System Drive
  • FE100 Failure
  • Fan Issues
  • Fatal Machine Check Failure
  • NPC Card - FE100 Failure
  • Path Monitor Failure - Card
  • Port Failure
  • MPC Card - CPLD Failure

Enhancements to Probable Root Cause Analysis

To troubleshoot the issues that cause alerts, AIOps for NGFW leverages advanced AI capabilities to provide probable causes for these alerts. By reviewing these probable causes, you can identify the source of the issue and follow the provided recommendations for resolving it. You can view the probable causes for the following scenarios:
  • High Processing Activity
  • Single or Multiple Greedy Session Detection and Remediation
  • Session Exhaustion with Connectivity Loss
  • High Packet Buffer Utilization due to Single Application
  • High Packet Descriptor On-Chip Utilization due to Single Application
  • Slow-Path DoS Attack Detection and Remediation Suggestion
  • High URL Cache Lookup Activity Detection and Remediation
  • High Content Processing Activity Detection and Remediation

Regional Support for Hosting AIOps for NGFW

You can now host your instance of AIOps for NGFW in the following regions:
  • Israel
  • Indonesia
  • Taiwan
  • Qatar
In this way, your telemetry and firewall log data is processed by a local AIOps for NGFW instance without the data ever leaving your geographic region. To host AIOps for NGFW in new regions for new customers, select the desired region during the Free or Premium activation process. If you are an existing customer with an AIOps for NGFW instance, it will continue to operate from its original location.

SD-WAN and Auto VPN Updates for Cloud-Managed NGFWs

Updates to SD-WAN and Auto VPN for Cloud-Managed NGFWs on
Strata Cloud Manager
The following enhancements are introduced for SD-WAN on
Strata Cloud Manager
for cloud-managed NGFWs.
  • Refresh Pre Shared Keys for Auto VPN
    Strata Cloud Manager
    now allows you to refresh the pre shared keys used for authenticating VPN tunnels for existing VPN clusters (
    NGFW and Prisma Access
    Global Settings
    Auto VPN
  • New Predefined BGP Redistribution Profile
    —By default, firewalls added to a VPN cluster are now assigned the predefined
    BGP Redistribution profile.
    BGP Redistribution profile provides the tunnel and route peering configuration required for connectivity, and completes route advertisements to allow for branch to branch communication.
  • Create a Custom Path Quality Profile
    —You can now create one or more custom path quality profiles to optimize the latency, jitter, and packet loss thresholds for your business needs.
    NGFW and Prisma Access
    Network Policies
    SD-WAN Policy
    Path Quality
    Add Path Quality Profile

Cloud Management of NGFWs

Manage Palo Alto Networks Next-Generation firewalls from
Strata Cloud Manager
Manage your Palo Alto Networks Next-Generation firewalls from
Strata Cloud Manager
. Cloud Management of NGFW is a cloud-delivered and AI-powered security solution to manage Palo Alto Networks' advanced ML-powered firewalls alongside your Prisma Access deployments.
Cloud Management of NGFWs is done from a single streamlined user interface and leverages Palo Alto Networks best-in-class cloud-delivered security services. To manage your Next-Gen firewalls from
Strata Cloud Manager
, you must enable
AIOps for NGFW Premium
which also draws on PAN-OS device telemetry data to give you an overview of the health and security of your cloud managed NGFWs. For logging,
Cortex Data Lake
provides a secure, resilient, and fault tolerant centralized log storage and aggregation.

VM Flex License Agreement for
AIOps for NGFW

Now you can use Common Services to activate a VM Flex license agreement for
AIOps for NGFW

Capacity Analyzer

Learn about what's new in Capacity Analyzer.
The Capacity Analyzer feature in AIOps for NGFW allows monitoring of device resource capacity by tracking metrics usage based on model types. It provides a comprehensive understanding of current metric usage and available headroom up to maximum capacity. The feature includes a heatmap visualization to display resource consumption rates and locations for each metric. It also enables planning for upgrading to higher capacity firewalls based on specific needs.

Compliance Summary Dashboard

View a history of changes to security checks.
Check the Compliance dashboard to view a history of changes to the security checks made up to 12 months in the past, grouped together by Center for Internet Security (CIS) and National Institute of Standards and Technology (NIST) frameworks.

Best Practices Dashboard

The best practices dashboard and reports measure your security posture against Palo Alto Networks’ best practice guidance.
Check the Best Practices dashboard for daily best practices reports, and their mapping to Center for Internet Security’s Critical Security Controls (CSC) checks, to help you identify areas where you can make changes to improve your best practices compliance. Share the best practice report as a PDF and schedule it to be regularly delivered to your inbox. This release introduces the following new features:
  • Ability to export BPA reports in .csv format for use in third-party applications such as Microsoft Excel
  • Ability to download CLI remediations in .txt format. CLI remediations are generated using TSF data you upload when generating an On-Demand BPA report. (PAN-OS 9.1 and above TSFs)
  • Ability to view historical trend charts for BPA checks

Security Posture Insights Dashboard

Get visibility into the security status and trend of your deployment based on the security postures of the onboarded NGFW devices.
Get visibility into the security status and trend of your deployment based on the security postures of the onboarded NGFWs with Security Posture Insights. Use this dashboard to:
  • Know the trend of issues that impact the security posture of your deployment.
  • Understand the security improvements that you have made in your deployment by looking at the historical security score data.
  • Narrow down devices where there is an opportunity to improve the security posture and prioritize the issues to resolve them.

On-Demand BPA & Adoption Summary

Generate a BPA Report with Feature Adoption Summary on demand.
Run the Best Practice Assessment (BPA) and Feature Adoption summary directly from
Strata Cloud Manager
. Just upload a Tech Support File (TSF) to generate the on-demand BPA report for devices that are not sending telemetry data or onboarded to AIOps for NGFW (PAN-OS devices running versions 9.1 and above).
The BPA evaluates your security posture against Palo Alto Networks best practices and prioritizes improvements for devices. Security best practices prevent known and unknown threats, reduce the attack surface, and provide visibility into traffic, so you can know and control which applications, users, and content are on your network.

Custom Dashboard

Create and customize dashboards to get visibility into areas of interest in your network.
Apart from the default dashboards, you can now build a custom dashboard based on your network and security visibility requirements. You can use various types of customizable widgets from the widget library to create the dashboard. The widgets available to you depend on the services
supported with your licenses
. You can add up to 10 widgets in a custom dashboard and create 10 custom dashboards per user. The custom dashboard can be customized at any time. These are some of the customizations available in the custom dashboard:
  • Customize dashboard settings such as layout, dashboard name, and descriptions
  • Edit widget title, description, and show or hide filters
  • Filter and sort data
  • Look at the
    Sample Data
    view to know how your widget looks in the dashboard

Device Health Dashboard

The Device Health dashboard provides an overall view of the health and performance of your NGFW devices.
The Device health dashboard shows you the cumulative health status and performance of your onboarded NGFW devices. The device health is determined by the severity of the health score (0-100) and its corresponding health grade (good, fair, poor, critical). The health score is calculated based on the priority, quantity, type, and status of the open alerts.
This dashboard helps you:
  • Understand the deployment improvements that you have made over a period by looking at the historical health score data.
  • Narrow down devices that require attention in your deployment and prioritize the issues to resolve them.
  • Review the device statistics and fix the critical alerts on the device to improve the health score and deployment health.

Advanced Threat Prevention Dashboard

Identify opportunities to strengthen your security posture with the threat prevention dashboard.
The Advanced Threat Prevention dashboard gives insight into unknown malware, command and control (C2), and vulnerability exploit attempts in your network. The dashboard gives visibility into the real-time threat detection data by inline cloud analysis along with threats detected based on the threat signatures generated from malicious traffic data collected from various Palo Alto Networks services.
This dashboard provides:
  • a time line view of threats allowed and blocked, list of source IPs and users responsible for generating command and control (C2) traffic, and hosts targeted by cloud-detected exploits.
  • contextual links to Log Viewer to get context around the threat.
  • IOC search result to learn about the usage patterns related to host generating traffic and host targeted by vulnerability exploits.
  • cloud report and packet capture from the logs to get additional context and use Palo Alto Networks threat analytics data and threat intelligence to improve your incident response processes.
The dashboard helps to understand the security effectiveness of the Advanced Threat Prevention service. Use the data along with the analysis data from your other Palo Alto Networks security services to prevent security infringement on your network infrastructure.

Enhancements to CDSS Dashboard

Learn about the enhancements in the CDSS dashboard.
In order to enhance the security of your enterprise by identifying and addressing potential security vulnerabilities, AIOps for NGFW offers a streamlined workflow that enables you to monitor the implementation of CDSS features using the CDSS dashboard. This allows you to easily track the progress of CDSS feature activation, configuration, and adherence to best practices. Moreover, you have the option to override recommendations at the firewall level, saving time by avoiding the need to override them for each role-pair individually.

Feature Adoption Dashboard

Monitor the security features you’re using.
Monitor Feature Adoption and stay abreast of which security features you’re using in your deployment and potential gaps in coverage. This release introduces the following new features:
  • TSF upload-generated CLI remediations (PAN-OS 9.1 and above TSFs)
  • Historical adoption trend charts
  • Per-device views of adoption (including for Panorama-managed devices)
  • Ability to export adoption data as .csv file

NGFW SDWAN Dashboard

Learn about what's new in the NGFW SDWAN dashboard.
The NGFW SD-WAN dashboard provides performance metrics for cloud-managed firewalls with SD-WAN, allowing visibility into application and link performance. It helps troubleshoot issues across VPN clusters, isolates problems to affected sites, applications, and links, and generates actionable alerts for poor links and applications. These alerts are based on data-driven thresholds and offer insights into trends with machine learning-powered detection and forecasting.

Recommended For You