Strata Cloud Manager for Configuration Management is a solution that is defined and controlled based on the region where it is deployed. You can deploy Strata Cloud Manager in the locations of your choosing, based on data location preferences and where you have the most users. For this reason, we are rolling out region-specific support for Strata Cloud Manager as soon as we are able to do so for each region.

Strata Cloud Manager now includes several web interface enhancements to improve your configuration management experience. These updates optimize workflows and provide greater visibility into your network security settings.

Changes include:

Telemetry autoenablement for Palo Alto Networks devices streamlines the activation and configuration of telemetry, eliminating complex workflows and manual setup. This feature ensures that upon device onboarding, telemetry is automatically enabled and configured to stream data to the correct data residency region, determined by your location or existing configurations.

Strata Cloud Manager or hub now manages telemetry settings, rather than individual Panorama or firewall devices. These services store information for all devices within a tenant service group (TSG), simplifying and automating telemetry configuration. This approach removes operational hurdles, enabling full utilization of telemetry's benefits while maintaining control over data sharing preferences.

Consistent telemetry data streaming provides enhanced security, faster security responses, and access to advanced features through critical threat insights. Telemetry autoenablement ensures your devices send valuable diagnostic and usage information, significantly improving support case resolution times and offering real-time insights into performance, usage, and potential issues.

You have the ability to manage your telemetry settings at the TSG level, including the option to change the telemetry tier from Full to Diagnostic through the hub interface or Strata Cloud Manager. This tiered approach ensures you can choose the level of information shared while adhering to data privacy requirements. Additionally, all telemetry configuration changes are logged for audit purposes, assisting with compliance and security policy adherence.

By setting up roles with specific permissions and assigning them to administrators you can enforce the principle of least privilege, ensuring administrators have only the access necessary for their specific job functions.

This feature gives you fine-grained control across the web interface, CLI, REST API, and XML API. You can configure detailed access permissions over various functional areas, including device configuration, network settings, security policies, monitoring capabilities, and operational tasks. For example, you can create a network admin role that has permissions to manage interfaces and routing but is restricted from changing security profiles.

Strata Cloud Manager (SCM) now provides users the ability to customize predefined local and cloud-based applications. For each given application, you can modify the TCP Timeout, TCP Half Closed, TCP Time Wait, and Risk values to more appropriately fit the needs of your organization's network security requirements.

You can configure a data port (a regular interface) to access external services, such as DNS servers, external authentication servers, Palo Alto Networks® services such as software, URL updates, licenses and AutoFocus. Strata Cloud Manager now supports configuring and deploying IPv6 service routes (in addition to IPv4 service routes) for all managed NGFW platforms.

Strata Cloud Manager now provides IPv6 address support for many configurations. The following areas support both IPv4 and IPv6 addresses in the IP address fields.

Strata Cloud Manager allows you to configure and deploy GRE (Generic Routing Encapsulation) tunnels on managed NGFW platforms to establish secure, point-to-point connectivity across untrusted networks. GRE tunnels enable you to encapsulate various network layer protocols inside virtual point-to-point links, allowing you to extend your network topology across geographically distributed locations.

Now you can deploy a custom master key in Strata Cloud Manager™ to replace the default master key on your next-generation firewalls (NGFWs), adding an extra layer of protection for your sensitive data.

When you deploy a new master key, Strata Cloud Manager re-encrypts all key material to strengthen your security posture. You can define a custom lifetime for the master key (from 1 to 18, 250 days) and set reminder notifications (1 to 365 days before expiration). This allows you to rotate keys on schedule to help minimize disruption. Regular rotation is a best practice for cryptographic key management and helps you meet compliance requirements.

The Deploy Master Key feature supports both standalone and high-availability (HA) firewall configurations, with built-in validations to ensure secure key deployment.

You can now configure a PA-7000 Series Firewall Log Forwarding Card (LFC) using Strata Cloud Manager. The LFC is a physical, high-performance slot card that forwards all dataplane logs from the firewall to an external logging system. Once installed, you can choose to configure either interface LFC 1/1 or interface LFC 1/9, as well as IPv4 or IPv6 settings, depending on your deployment needs.

Strata Cloud Manager™ now provides the ability to configure and deploy NetFlow on managed next-generation firewall (NGFW) platforms. This new capability allows you to export detailed IP traffic statistics to a NetFlow collector, providing valuable data for security analysis, troubleshooting, and performance optimization. You can create server profiles to define collector destinations and export parameters, with support for Layer 3, Layer 2, virtual wire, tap, VLAN, loopback, and tunnel interfaces. This feature supports NetFlow Version 9 and both standard and enterprise templates.

Strata Cloud Manager™ now offers expanded response page customization, allowing you to tailor additional page types for a more consistent and user-friendly experience. These pages appear during authentication challenges, security restrictions, or informational notices, helping users understand what is happening while maintaining your organization’s branding.

Newly supported customizable pages include:

• GlobalProtect: Customize portal login pages, welcome screens, and help pages that guide users through the connection process.
• Authentication Services: Modify Multi-Factor Authentication (MFA) login pages and SAML authentication error pages to provide clear guidance during authentication challenges.
• SSL Decryption: Customize notification pages to inform users about traffic inspection policies and certificate errors.

You can now set up a Hardware Security Module (HSM) to generate, store, and manage digital keys through Strata Cloud Manager. An HSM is a physical appliance that, once connected, provides both physical and logical protection of these cryptographic keys. By utilizing the management options in Strata Cloud Manager, you can specify HSM servers that use one or more of the following providers: SafeNet Network, nCipher nCshield Connect, or Thales CipherTrust Manager.

The firewall uses the management (MGT) interface by default to access external services, such as DNS servers, external authentication servers, Palo Alto Networks® services such as software, URL updates, licenses and AutoFocus. An alternative to using the MGT interface is to configure a data port (a regular interface) to access these services. A service route is the path from the interface to the service on a server. Strata Cloud Manager allows you to customize service routes for various services or Use Management Interface for all services.

Strata Cloud Manager (SCM) now provides users the ability to view all dependent applications associated with a selected application while creating Security Policy Rules. This makes it easier to build security policies without unintentionally excluding required dependent applications. To view the dependent applications, access the relevant Security Policy Rule, and from the Application / Service menu, open the Application dropdown and select the Dependent Applications button. This opens the Dependent Applications pane, which displays all dependent apps contained within the selected application it relies on, as well as the rules they are used in. Additionally, you can also add these dependencies directly to your current rule or an existing rule.

The Operational Health view and User Device Experience widgets in the Strata Cloud Manager Command Center now display Fair metrics alongside the existing Good and Poor performance indicators, providing you with more granular visibility into user session quality and network performance degradation levels. This enhanced categorization helps you better identify and address performance issues that fall between optimal and severely degraded states, enabling more precise troubleshooting and policy optimization decisions.

Virtual router support for cloud managed NGFWs addresses some configuration gaps in Strata Cloud Manager by implementing missing capabilities that are present in Panorama, enabling seamless migration for customers with existing virtual router deployments. You benefit from this enhancement when migrating from Panorama to Strata Cloud Manager because it eliminates configuration blockers that would otherwise prevent successful migration or require extensive reconfiguration of your routing protocols. The feature specifically targets configuration options identified in current Panorama deployments, ensuring that your existing BGP, OSPF, and static routing configurations can be preserved during the migration process.

You can configure enhanced BGP parameters including authentication profiles with secret keys, dampening profiles with configurable cutoff and decay settings, advanced peer connection options such as idle hold time and incoming connection management, and sophisticated route aggregation with suppress filters. The feature provides expanded OSPF capabilities including MD5 authentication profiles with key management, password-based authentication options, and enhanced area configuration parameters. You also gain access to improved static routing options including next virtual router capabilities and advanced route table configurations for both IPv4 and IPv6 implementations.