Management Features
Table of Contents
                    
          Expand All
          |
          Collapse All
        
        Next-Generation Firewall Docs
- 
                  
                  
- 
                  
                  
- 
                  
                  
- 
                  
                  
- 
                  
                  
- 
                  
                  
- 
                  
                  - PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
 
- 
                  
                  - PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1
 
Management Features
What new management features are in PAN-OS 11.1?
    Accelerate Insights and Enhance Security with Telemetry Autoenablement
| September 2025 
 | 
Telemetry autoenablement for Palo Alto
                Networks devices streamlines the activation and configuration of telemetry,
                eliminating complex workflows and manual setup. This feature ensures that upon
                device onboarding, telemetry is automatically enabled and configured to stream data
                to the correct data residency region, determined by your location or existing
                configurations.
Strata Cloud Manager or hub now manages telemetry settings, rather than
                individual Panorama or firewall devices. These services store information for all
                devices within a tenant service group (TSG), simplifying and automating telemetry
                configuration. This approach removes operational hurdles, enabling full utilization
                of telemetry's benefits while maintaining control over data sharing preferences.
Consistent telemetry data streaming provides enhanced security, faster
                security responses, and access to advanced features through critical threat
                insights. Telemetry autoenablement ensures your devices send valuable diagnostic and
                usage information, significantly improving support case resolution times and
                offering real-time insights into performance, usage, and potential issues.
You have the ability to manage your telemetry settings at the TSG
                level, including the option to change the telemetry tier from Full to Diagnostic
                through the hub interface or Strata Cloud Manager. This tiered approach ensures you
                can choose the level of information shared while adhering to data privacy
                requirements. Additionally, all telemetry configuration changes are logged for audit
                purposes, assisting with compliance and security policy adherence.
API Key Certificate
| November 2023 
 | 
 With PAN-OS and Panorama, the option to encrypt the API key using a self-signed
                certificate is now available, ensuring enhanced security when you retrieve your API
                key. This feature utilizes the PAN-OS device certificate management function to
                encrypt the API key for added protection. 
See use cases for Keys and Certificates on PAN-OS for more
                information on how to manage certificates using PAN-OS and Panorama.
This feature introduces a new field under DeviceSetupManagementAuthentication settings that enables you to select an API Key
                    Certificate to encrypt your API key. To use this feature, simply
                generate an RSA Certificate above 3,027 bits and select the created certificate as
                the API key certificate under the Authentication Settings
                option.
The existing workflow to generate the API key will still be the same, but now all
                existing API keys will be invalid when you add or change an API key certificate.
Configuration Audit Enhancements
| November 2023 
 | 
Configuration changes often complicate adherence to strict industry compliance
                standards and tracing the specific source of unexpected system outages. On Panorama® management server, configuration audit now provides granular,
                object-level detail to significantly simplify this process. Your security
                administrators can now perform a configuration audit to compare the precise
                differences between any two selected configuration versions stored within your  Panorama. When reviewing a configuration audit, the Change Summary section
                provides a simplified, granular, per-object view of every configuration object that
                was added, deleted, or modified. This ensures that security administrators can
                quickly assess the impact of changes, immediately trace back potential outage causes
                to a specific admin and time, and perform regular security compliance audits with
                high precision. The improvements to configuration audits on Panorama enable
                security administrators focus immediately on critical details, such as the object
                name, its exact location, the modification time, and the administrator who performed
                the operation, enabling fast and effective remediation.
Policy Rulebase Management Using Tags
| November 2023 
 | 
Managing complex security environments often leads to sprawling policy rulebases,
                making efficient administration and auditing extremely difficult. Policy Rulebase
                Tag Management solves this challenge by allowing your security administrators to
                easily categorize and organize your policy rules. Tags enable security
                administrators to quickly identify the purpose, function, or ownership of any policy
                rule, fostering a clearer understanding of your organization's overall security
                posture. Policy Rulebase Management Using Tags ensures administrators maintain
                precision and control regardless of the scale of their network security
                infrastructure.
After assigning tags to policy rules, security administrators can use the integrated
                    Tag Browser to visually group and manage
                your policy rulebase. This organization streamlines common operational procedures
                and helps improve efficiency. For instance, your security administrators can now
                add, delete, or move sets of related policies more efficiently than navigating a
                flattened rule hierarchy. Furthermore, security administrators can filter the policy
                rulebase using one or more tag search criteria, dramatically narrowing the list of
                displayed rules for precise management. Importantly, viewing the rulebase using
                these visual tags does not alter the fundamental rule evaluation order, preserving
                security integrity/
Palo Alto Networks supports Policy Rulebase Management Using Tags across all policy
                rulebases for your Panorama® management server and standalone NGFW running
                    PAN-OS 10.2.5 or later 10.2 release or PAN-OS 11.0.3
                or later 11.0 release. If you manage NGFW using a Panorama,
                you can centrally create and assign these organization tags. 
Secure Copy Protocol Support
| November 2023 
 | 
In air-gapped deployments where your devices have no outbound internet connection,
                your security administrator can enable Secure Copy Protocol (SCP) to
                upload essential files directly to your Next-Generation Firewall (NGFW). PAN-OS® supports SCP uploads for superuser administrators only,
                ensuring granular control over who can perform uploads. Once SCP uploads are enabled
                for a superuser administrator, you can use this account to write custom scripts and
                automation for file uploads using the command-line interface (CLI) rather than the
                web interface. This ability is critical for maintaining security and operational
                readiness in isolated networks.
SCP uploads are supported from local devices running a Microsoft Windows, macOS, or
                any Linux operating system. The upload must be performed exclusively from your local
                device command-line. Palo Alto Networks does not support SCP applications like
                WinSCP and FileZilla. You can use SCP Support to upload all critical operational
                files, including PAN-OS software versions and patches, content updates
                (such as Applications and Threats, WildFire, and antivirus), XML configuration
                files, PAN-OS plugins, and license key files. PAN-OS generates a
                system log every time an SCP upload succeeds or fails, providing a clear audit trail
                for compliance and security monitoring.
Strata Command Center
| March 2024 
 | 
Network security administrators often struggle with fragmented visibility
                across their security infrastructure, making it difficult to quickly assess overall
                network health, identify emerging threats, and understand the impact of security
                events on user experience. Traditional approaches require navigating between
                multiple dashboards and tools to piece together a comprehensive view of security
                posture.
The Strata Cloud Manager Command Center
                serves as your new NetSec homepage and provides your first stop to assess the
                health, security, and efficiency of your network. In a single view, the command
                center shows you all users and IoT devices accessing the internet, SaaS
                applications, and private apps, and demonstrates how Prisma® Access, your NGFWs, and
                your security services protect them.
 
  View Preferred and Base Releases of PAN-OS Software
| May 2024 
 | 
The Panorama web interface now displays the preferred releases and the
                corresponding base releases of PAN-OS software. Before you upgrade or downgrade
                Panorama or PAN-OS, you can view the list of preferred and base releases and choose
                your preferred target PAN-OS release. Preferred releases offer the latest and the
                most advanced features and ensure stability and performance. When there are no
                preferred releases available, the corresponding base version is not displayed. If
                necessary, you can choose to view either preferred releases or base releases.
