
New Features - Strata Cloud Manager - May 2026


Application Normalization for Strata Cloud Manager

Release Date: May 2026 | Last Updated: May 2026

Strata Cloud Manager normalizes application names and consolidates application management into a unified view, so you no longer need to navigate across multiple pages to find the information required to configure security policy.

You can now use a common Application Catalog page in Strata™ Cloud Manager to view and manage applications from one location. This ensures consistent application naming across all services.

From the Configuration > Application Catalog page, you can access application details, manage tags, review content updates, and classify applications. To help you identify the risk posture of each application, the application grid displays icons and includes a Classification column that separates your sanctioned, unsanctioned, and tolerated applications. The predefined applications side panel provides metadata so you can review application attributes without leaving the page.

Associated Events Email Notification Suppression

Release Date: May 2026 | Last Updated: May 2026

To reduce email volume caused by high-frequency Associated events, Strata Cloud Manager now suppresses associated events email notifications by default across all notification profiles. Previously, when an alert became associated with an incident, you received an email notification in addition to standard Incident State Change notifications, resulting in significant notification fatigue.

With this enhancement, you continue to receive email notifications for Incident State Change events—such as when an incident is created, updated, or resolved—but you no longer receive emails for Associated Alert correlation events unless you explicitly opt in.

If your workflow requires visibility into alert-to-incident correlation activity, you can enable Associated event email notifications within your notification profiles. Enabling this option resumes delivery of Associated event emails for future events, while leaving it disabled keeps your inbox focused on actionable incident updates. This approach ensures that you maintain full control over your notification preferences without affecting other incident lifecycle notifications.

Centralized Snippet Management in Strata Cloud Manager

Release Date: May 2026 | Last Updated: May 2026

To resolve the administrative overhead of navigating between individual snippet scopes, you can now use a centralized snippet management interface in Strata Cloud Manager to organize, edit, and prioritize all of your configuration snippets from a single location.

Access the Snippet Management page from System Settings > Folder Management > Folder & Snippet Management > Snippets tab, or select Configuration > NGFW and Prisma Access > Overview and click Snippet Management in the Configuration Scope under Snippets. The page displays all snippets organized by type: Predefined, Local, Published, and Subscribed. From this page, you can create new local snippets, edit snippet names, descriptions, and labels, clone existing snippets, and delete snippets you no longer need. A three-dot action menu on each snippet provides quick access to these actions without requiring you to navigate to the snippet scope first.

In System Settings, Folder Management is now Folder & Snippet Management. The Folders tab includes a new Snippets column that shows which snippets are associated with each folder. You can associate snippets with a folder directly from the folder three-dot action menu, and drag to reorder snippet priority when multiple snippets are associated. Snippets with higher priority override conflicting values from lower-priority snippets.

Clarify First for AI Canvas (Beta)

Release Date: May 2026 | Last Updated: May 2026

Natural language queries in Strata™ Cloud Manager AI Canvas are powerful, but broad prompts—like "show me top users with high bandwidth"—can produce visualizations that miss your intent. A single query can map to dozens of valid interpretations: total bytes transferred versus bytes sent or received, different time windows, source users versus destination users. Until now, discovering the mismatch meant waiting for a widget to generate and then re-prompting. Clarify First eliminates that cycle by making the model a conversational partner from the moment you enter a query.

With Clarify First, Strata Copilot acts as a conversational partner during widget creation. Rather than immediately executing a query, it asks a targeted clarifying question and offers suggested refinements to resolve the key ambiguity. Once you confirm a direction, Strata Copilot presents a transparent Proposed Plan—including the exact executing prompt, data sources, query code, and chart type—before fetching any data. The resulting widget also retains the full plan in a details panel, giving you a permanent record of what was run and why the data looks the way it does.

Clarify First is available in beta for Strata Cloud Manager Pro subscribers and applies to all natural language widget creation in AI Canvas. The three-stage approach—clarifying question, Proposed Plan review, and final approval—adds intentionality to every widget you build, so the data you see reflects the question you actually meant to ask.

Fastly® Support for EDL Hosting Service

Release Date: May 2026 | Last Updated: May 2026

Palo Alto Networks now provides support for newly added endpoints published by Fastly® as part of the continuous expansion of the EDL (External Dynamic List) Hosting Service.

High Availability Active/Passive Support for PA-5500 Series Firewalls

Release Date: May 2026 | Last Updated: May 2026

You can now deploy traditional High Availability active/passive configurations on PA-5500 series firewalls (Generation 5 hardware platform). This capability addresses a critical gap for users who require active/passive failover solutions but cannot use NGFW clustering on these advanced platforms. When you configure traditional HA active/passive on the PA-5500 series firewalls, you maintain similar configuration workflows and operational behaviors that you rely on with legacy HA deployments across other Palo Alto Networks platforms.

Unlike clustering where all members actively forward traffic, HA active/passive mode maintains the traditional model where only the active device processes traffic while the passive device remains in standby, ready to assume the active role during a failover event. You benefit from this approach when you need redundancy without the complexity of traffic distribution across multiple active devices, and when your deployment priorities focus on maintaining existing operational procedures rather than scaling throughput.

In HA Active/Passive mode, the PA-5500 series firewalls must use the High Speed Chassis Interconnect (HSCI) to connect the two chassis. The HSCI interfaces aggregate both HA1 and HA2 functions: session synchronization and configuration synchronization. The HSCI-A is the primary interface, whereas HSCI-B can be configured as a backup interface. You can configure this solution without requiring Panorama management, maintaining the same configuration and state synchronization capabilities that exist in current-generation platforms while providing the reliability and performance characteristics of the Generation 5 architecture.

The PA-5500 series firewalls with HA active/passive capability ensure you can migrate to newer hardware platforms without redesigning your high availability architecture, while still gaining access to the enhanced performance and feature capabilities that Generation 5 platforms deliver. This approach particularly suits environments where you require the processing power of modern hardware but must maintain the operational simplicity and predictable behavior patterns of traditional active/passive high availability configurations.

Persistent Pre-Logon Tunnels for Prisma Access Agent

Release Date: May 2026 | Last Updated: May 2026

The Prisma® Access Agent pre-logon device tunnel addresses security gaps when endpoint management depends solely on user login by establishing secure connectivity before user authentication. Previously, pre-logon functionality operated as a separate connection method with limited transition options. The pre-logon tunnel now works with both always-on and on-demand connections, allowing you to manage device and user connectivity independently.

You can now configure authentication profiles to support both SAML and certificate authentication. The agent uses device certificates during pre-logon state and applies your chosen authentication methods after users log into the operating system.

You control post-login behavior by configuring whether the device tunnel disconnects immediately upon OS login, within a specified timeout period, or persists until user authentication completes. Persistent mode ensures continuous endpoint connectivity and enables you to manage unattended systems, resolve remote password lockouts, deploy critical patches immediately upon boot, and support remote onboarding workflows.

PPPoE Support for IPv4 Sub-interfaces

Release Date: May 2026 | Last Updated: May 2026

To resolve the fragmented workflows and configuration drift caused by managing device-level internet service provider (ISP) settings, you can now configure Point-to-Point Protocol over Ethernet (PPPoE) for Layer 3 sub-interfaces centrally. This feature allows you to provision authentication credentials and specific routing metrics for connections delivered over an 802.1Q VLAN directly from a single management interface.

Manage usernames, passwords, and advanced settings—including PAP, CHAP, or auto select CHAP or PAP authentication methods, passive mode, and custom default route metrics—for your hardware and VM-Series firewalls. By supporting static address requests and access concentrator specifications, this enhancement ensures your Next-Generation Firewalls can negotiate secure connections with diverse ISP infrastructure while maintaining a unified security policy.

Centralizing these networking functions simplifies the onboarding of branch and remote locations by integrating network processing with security policy management. This approach reduces operational overhead and strengthens your overall security architecture by providing a single source of truth for critical interface configurations across your entire hybrid network environment.

Remote Browser Isolation Banner Customization

Release Date: May 2026 | Last Updated: May 2026

To ensure end user notifications are informative without being disruptive, Remote Browser Isolation (RBI) allows you to customize the banner’s content, appearance, and behavior for both desktop and mobile views. Whether you need a persistent high-visibility warning for risky sites or a subtle, timed notification for standard workflows, these granular controls adapt to your specific use cases. This capability also allows the customization of the Floating Action Button (FAB), giving you control over which browser actions are available to users in each session. Key customization features include:

  • Custom Text and Branding - Override global settings to provide context-specific messaging and meet your organization’s branding requirements.

  • Visibility Controls - Define whether the banner is persistent, timed, or set to disappear after the set duration.

  • Actionable Elements - Choose which controls (like "Report an Issue" or "View Downloads") are visible on the banner or within the associated Floating Action Button (FAB).

  • Visual Positioning - Adjust the placement or styling of the banner to ensure it does not interfere with critical web application UI elements.

Site Management for Onboarding NGFWs to Strata Cloud Manager

Release Date: May 2026 | Last Updated: May 2026

The manual and individualized process of configuring Next-Generation Firewall variables for each device creates operational inefficiencies and administrative burden, slowing down your onboarding process and making it difficult to manage at scale.

This feature introduces Sites as the primary way to deploy NGFWs. You can create centralized properties and set specific values for each site location. Onboarding rules automatically calculate IP addresses, hostnames, and other configuration variables based on these site-specific values.

When you assign a device to a pre-configured site, the system automatically applies the correct settings. The feature supports both automatic and manual device setup, allowing installers to scan QR codes to access the onboarding page and then select the appropriate site. This reduces configuration errors, speeds up deployment, and works well for branch offices, retail locations, and company expansions.

For more information, see Site Management for Automated NGFW Onboarding.

Strata Cloud Manager Data Filtering

Release Date: May 2026 | Last Updated: May 2026

Strata Cloud Manager adds support for PAN-OS Native Data Filtering, allowing you to configure Data Filtering Profiles and Data Patterns directly within the platform. This update centralizes data security management, enabling you to define various data patterns and group them into inheritable profiles for granular policy enforcement. This resolves a previous operational limitation, enhancing your ability to protect sensitive information across your network.

Summarizer for AI Canvas (Beta)

Release Date: May 2026 | Last Updated: May 2026

Reading through multiple widgets in Strata™ Cloud Manager AI Canvas and connecting patterns across them takes time and expertise—Summarizer eliminates that effort by generating instant AI-powered narratives at every level of your canvas. When you open the Summarizer panel, it automatically produces a canvas-wide AI Summary describing the data across all your widgets, along with a Highlighted Insights section that flags notable trends in your recent data.

Summarizer works at three levels. A canvas overview covers all widgets at once, including the data sources queried and key patterns observed. A widget-level breakdown focuses on a single visualization with targeted insights specific to that data. A data-point drill-down produces a forensic summary for any individual value in a chart—including the underlying query code, a link to the matching logs in Log Viewer, and related canvases under Other Relevant Views.

Throughout your session, Summarizer suggests follow-up prompts to guide your investigation, and you can enter your own prompts at any time to continue exploring specific findings. Summarizer is available in beta to Strata Cloud Manager Pro subscribers and applies to all canvases in AI Canvas.

System Attribution for Configuration Snapshots

Release Date: May 2026 | Last Updated: May 2026

You can now identify auto-generated default configurations during configuration audits, as Strata Cloud Manager now shows System in the Edited by column instead of the logged-in administrator's credentials. When you review configuration changes in Config Version Snapshots, you can immediately tell which configurations were auto-generated during initial setup and which were created by you.

VLAN ID Variables in Strata Cloud Manager

Release Date: May 2026 | Last Updated: May 2026

Differences in firewall, appliance, or folder-specific values for certain configuration objects make it difficult to share configurations across different folders and devices. To resolve this, Strata Cloud Manager expands variable support to provide greater flexibility and easier configuration management across your network.

You can now use integer variables for VLAN identifiers (0 to 4095). When you implement extended variable support, you reduce redundant tasks and maintain consistent configurations across your deployment.

Webhook and ServiceNow Payload Enhancements for Incident Integrations

Release Date: May 2026 | Last Updated: May 2026

To eliminate custom parsing and improve entity visibility, payload Version 2 (V2) aligns your downstream webhook and ServiceNow integrations with the Unified Incident Framework data model. Previously, payloads used a legacy contract designed for Prisma® Access alerts, which exposed generic resource identifiers and concatenated tenant strings. Now, you receive structured primary and related impacted objects directly in the payload, providing immediate visibility into the specific entities affected by an incident without additional transformation logic.

If you consume Strata Cloud Manager incident data through webhooks or ServiceNow, the V2 payload provides dedicated fields for the Tenant Service Group ID and product name. This structure enables you to programmatically route and prioritize incidents across multi-tenant and multi-product environments. Because the schema remains consistent between webhooks and ServiceNow, you can maintain a single integration pipeline to handle incident lifecycle events from either channel.

On ServiceNow, incident records now include Primary Impacted Objects and Related Impacted Objects populated across all incident types, giving you the same structured entity data available in webhook payloads. Strata Cloud Manager transmits the TSG ID and Subtenant ID fields as independent values rather than the previously concatenated string, eliminating the need for custom parsing in your ServiceNow workflows. New fields for Product, Incident URL, and Cleared Time provide context for incident triage and resolution tracking. To receive these fields, you must map them in ServiceNow.

ZTP Installer Web Application

Release Date: May 2026 | Last Updated: May 2026

You can now activate Palo Alto Networks NGFWs at branch locations using the ZTP NGFW Activation web app that extends the existing Zero Touch Provisioning (ZTP) capabilities to mobile devices. This solution enables field installers to complete NGFW onboarding and activation without requiring technical expertise or detailed knowledge of customer network configurations. The web app is browser-based and supports both iOS and Android devices, eliminating the need for separate native applications while maintaining full compatibility with existing ZTP workflows.

The ZTP NGFW Activation web app supports QR code scanning on Gen 5 or newer hardware, which automatically populates device-specific information, including Serial Numbers and Claim Keys, directly from labels affixed to the NGFW hardware. When you scan a QR code using your mobile device's camera, the QR code contains an embedded URL that redirects you to the ZTP Activation Page along with the Serial Number and Claim Key data. The application automatically populates these fields from the scanned QR code data, and you simply need to initiate the ZTP activation process for the device.

You gain access to all existing ZTP activation features through the web app, including the ability to view activation history for devices processed within the last seven days and monitor the status of firewalls during the provisioning process. The application maintains the same security and authentication requirements as the desktop ZTP portal while optimizing the user interface for smartphones.

This web app addresses deployment scenarios where installers work across multiple branch locations and may need to activate NGFWs for different customers without carrying laptops or requiring detailed technical documentation. The solution reduces the complexity of field deployments while maintaining the security and configuration management oversight that network security teams require for firewall provisioning workflows.

Update: The ZTP web app now includes two new features to make branch firewall deployments faster and more reliable. Before starting activation, you can use your phone's camera to take a photo of the firewall and verify that the ethernet cable is connected to the right port. The app also uses your phone's location to automatically show nearby deployment sites, so you can select the correct site without searching through a full list. You can still change your location or browse all sites manually if needed.