With PAN-OS and Panorama, the option to encrypt the API key using a self-signed certificate is now available, ensuring enhanced security when you retrieve your API key. This feature utilizes the PAN-OS device certificate management function to encrypt the API key for added protection.

See use cases for Keys and Certificates on PAN-OS for more information on how to manage certificates using PAN-OS and Panorama.

This feature introduces a new field under DeviceSetupManagementAuthentication settings that enables you to select an API Key Certificate to encrypt your API key. To use this feature, simply generate an RSA Certificate above 3,027 bits and select the created certificate as the API key certificate under the Authentication Settings option.

The existing workflow to generate the API key will still be the same, but now all existing API keys will be invalid when you add or change an API key certificate.

Configuration changes often complicate adherence to strict industry compliance standards and tracing the specific source of unexpected system outages. On Panorama® management server, configuration audit now provides granular, object-level detail to significantly simplify this process. Your security administrators can now perform a configuration audit to compare the precise differences between any two selected configuration versions stored within your Panorama. When reviewing a configuration audit, the Change Summary section provides a simplified, granular, per-object view of every configuration object that was added, deleted, or modified. This ensures that security administrators can quickly assess the impact of changes, immediately trace back potential outage causes to a specific admin and time, and perform regular security compliance audits with high precision. The improvements to configuration audits on Panorama enable security administrators focus immediately on critical details, such as the object name, its exact location, the modification time, and the administrator who performed the operation, enabling fast and effective remediation.

Managing complex security environments often leads to sprawling policy rulebases, making efficient administration and auditing extremely difficult. Policy Rulebase Tag Management solves this challenge by allowing your security administrators to easily categorize and organize your policy rules. Tags enable security administrators to quickly identify the purpose, function, or ownership of any policy rule, fostering a clearer understanding of your organization's overall security posture. Policy Rulebase Management Using Tags ensures administrators maintain precision and control regardless of the scale of their network security infrastructure.

After assigning tags to policy rules, security administrators can use the integrated Tag Browser to visually group and manage your policy rulebase. This organization streamlines common operational procedures and helps improve efficiency. For instance, your security administrators can now add, delete, or move sets of related policies more efficiently than navigating a flattened rule hierarchy. Furthermore, security administrators can filter the policy rulebase using one or more tag search criteria, dramatically narrowing the list of displayed rules for precise management. Importantly, viewing the rulebase using these visual tags does not alter the fundamental rule evaluation order, preserving security integrity/

Palo Alto Networks supports Policy Rulebase Management Using Tags across all policy rulebases for your Panorama® management server and standalone NGFW running PAN-OS 10.2.5 or later 10.2 release or PAN-OS 11.0.3 or later 11.0 release. If you manage NGFW using a Panorama, you can centrally create and assign these organization tags.

In air-gapped deployments where your devices have no outbound internet connection, your security administrator can enable Secure Copy Protocol (SCP) to upload essential files directly to your Next-Generation Firewall (NGFW). PAN-OS® supports SCP uploads for superuser administrators only, ensuring granular control over who can perform uploads. Once SCP uploads are enabled for a superuser administrator, you can use this account to write custom scripts and automation for file uploads using the command-line interface (CLI) rather than the web interface. This ability is critical for maintaining security and operational readiness in isolated networks.

SCP uploads are supported from local devices running a Microsoft Windows, macOS, or any Linux operating system. The upload must be performed exclusively from your local device command-line. Palo Alto Networks does not support SCP applications like WinSCP and FileZilla. You can use SCP Support to upload all critical operational files, including PAN-OS software versions and patches, content updates (such as Applications and Threats, WildFire, and antivirus), XML configuration files, PAN-OS plugins, and license key files. PAN-OS generates a system log every time an SCP upload succeeds or fails, providing a clear audit trail for compliance and security monitoring.

Network security administrators often struggle with fragmented visibility across their security infrastructure, making it difficult to quickly assess overall network health, identify emerging threats, and understand the impact of security events on user experience. Traditional approaches require navigating between multiple dashboards and tools to piece together a comprehensive view of security posture.

The Strata Cloud Manager Command Center serves as your new NetSec homepage and provides your first stop to assess the health, security, and efficiency of your network. In a single view, the command center shows you all users and IoT devices accessing the internet, SaaS applications, and private apps, and demonstrates how Prisma® Access, your NGFWs, and your security services protect them.

The Panorama web interface now displays the preferred releases and the corresponding base releases of PAN-OS software. Before you upgrade or downgrade Panorama or PAN-OS, you can view the list of preferred and base releases and choose your preferred target PAN-OS release. Preferred releases offer the latest and the most advanced features and ensure stability and performance. When there are no preferred releases available, the corresponding base version is not displayed. If necessary, you can choose to view either preferred releases or base releases.