Introducing the Delayed Telemetry
alert, which actively identifies instances when Strata Cloud
Manager detects a problem with receiving or processing telemetry
from a device. If telemetry is missing for 6 hours, Strata Cloud
Manager issues a medium severity alert. If this absence persists
for more than 72 hours, Strata Cloud Manager elevates the alert
severity to critical.
Upon the resumption of telemetry data processing,
Strata Cloud Manager automatically closes the delayed telemetry
alerts. If you remove a device, Strata Cloud Manager deletes all
associated data, including delayed alerts. Additionally, Strata
Cloud Manager displays an orange or red hourglass icon next to
hostnames, providing quick visual cues to identify devices with
potential telemetry issues.
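As an added example (not Strata Cloud Manager code), the alert lifecycle described above modelled as a small monitor: the 6-hour medium and more-than-72-hour critical thresholds, automatic closure when telemetry resumes, and deletion when a device is removed. The orange-for-medium, red-for-critical icon mapping and the constructed timeline in run_scenario are assumptions.

```python
from datetime import datetime, timedelta, timezone

MEDIUM_AFTER = timedelta(hours=6)     # missing for 6 hours -> medium (from the release note)
CRITICAL_AFTER = timedelta(hours=72)  # missing for more than 72 hours -> critical

class DelayedTelemetryMonitor:
    """Track the last telemetry seen per device and keep the open Delayed Telemetry
    alerts in step with it: escalate, auto-close on resumption, delete on removal."""

    def __init__(self):
        self.last_seen = {}  # hostname -> datetime of the last telemetry processed
        self.alerts = {}     # hostname -> "medium" | "critical"

    def telemetry_received(self, host, when):
        self.last_seen[host] = when
        self.alerts.pop(host, None)  # resumed telemetry closes the open alert

    def device_removed(self, host):
        self.last_seen.pop(host, None)  # removing a device deletes its data, alerts included
        self.alerts.pop(host, None)

    def evaluate(self, now):
        """Recompute the alert severity for every known device; returns {host: severity}."""
        for host, seen in self.last_seen.items():
            gap = now - seen
            if gap > CRITICAL_AFTER:
                self.alerts[host] = "critical"
            elif gap >= MEDIUM_AFTER:
                self.alerts[host] = "medium"
        return dict(self.alerts)

def hourglass_icon(severity):
    """Visual cue next to the hostname; orange = medium, red = critical is an assumption."""
    return {"medium": "orange", "critical": "red"}.get(severity)

def run_scenario():
    """Constructed walkthrough: two devices go quiet, one recovers, one is removed."""
    t0 = datetime(2024, 2, 16, tzinfo=timezone.utc)
    h = lambda n: t0 + timedelta(hours=n)
    m = DelayedTelemetryMonitor()
    m.telemetry_received("fw-a", t0)
    m.telemetry_received("fw-b", t0)
    snaps = [m.evaluate(h(5)), m.evaluate(h(6))]
    m.telemetry_received("fw-b", h(7))               # fw-b resumes: its alert closes
    snaps += [m.evaluate(h(72)), m.evaluate(h(73))]  # fw-a crosses 72h between these two
    m.device_removed("fw-a")
    snaps.append(m.evaluate(h(100)))
    return snaps
```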
Health alerts actively monitor the health and
performance of your platform in real time. This approach helps in identifying
issues, predicting potential problems, and implementing remediation actions to
ensure your devices function optimally. Here are some key aspects:
Monitoring Metrics: Continuously monitor various metrics from the
NGFWs, including CPU utilization, memory usage, disk space, network
throughput, and other relevant performance indicators.
Anomaly Detection: Generate alerts that dynamically adjust based on
the metric's historical value and your usage trends.
Predictive Analysis: Leverage historical data and patterns to
predict when thresholds might be exceeded or specific events may occur. This
helps forecast potential issues before they escalate.
Prisma Access: Remote Network Locations with Overlapping Subnets
February 16, 2024
Supported on Strata Cloud Manager for: Prisma Access (Cloud Management)
As a general rule, you cannot have any overlapping subnets within a Prisma Access
deployment. That is, the subnets for all remote network locations, your service
connections, and your Prisma Access for mobile users IP address pool cannot overlap.
However, in some circumstances you cannot avoid having overlapping subnets. Prisma
Access allows you to onboard remote network locations with overlapping subnets, as
long as you select the Overlapped Subnets check box in the remote
network settings when you plan for remote networks. However, you can
use overlapping subnets only in a few use cases.
Prisma Access: License Enforcement for Mobile Users (Enhancements)
February 16, 2024
Supported on Strata Cloud Manager for: Prisma Access (Cloud Management)
Prisma Access enforces policies for mobile user licenses
over 30 days instead of 90 days. Though there is no strict policing of the mobile
user count, the service tracks the number of unique users over the last 30 days to
ensure that you have purchased the proper license tier for your user base, and
stricter policing of user count may be enforced if continued overages occur. This
change is applicable for all types of mobile user licenses.
Prisma Access: Policy Analyzer for Panorama Managed Deployments
VM-Series, funded with Software NGFW Credits (Panorama Managed)
Time-sensitive security policy changes carry a high risk of introducing errors,
misconfigurations, or conflicts into the rulebase, which then requires slow and complex manual
audit processes. Policy integrity is difficult to maintain at scale, leading to
decreased performance and potential security gaps. Strata Cloud Manager introduces
Policy Analyzer, enabling administrators to optimize time and resources when
implementing any change request. Policy Analyzer provides immediate,
automated analysis of the security rulebase to ensure policy updates meet defined
intent and technical requirements. It proactively checks for anomalies, such as
Shadows, Redundancies, Generalizations, Correlations, and Consolidations, that
otherwise require labor-intensive manual checking. By identifying conflicting or
duplicate rules before deployment, Policy Analyzer streamlines change management,
reduces the risk of misconfiguration, and ensures the continued performance and
integrity of your network security posture.
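The anomaly classes named above can be illustrated with a small rulebase checker. This is an added example, not Policy Analyzer's own logic: the definitions follow the classic firewall-anomaly taxonomy (shadow, redundancy, generalization, correlation) as a simplifying assumption, address and application values are treated as opaque labels, consolidation is not modelled, and the rulebase is constructed.

```python
from dataclasses import dataclass

ANY = frozenset({"any"})  # wildcard value for a rule field

@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset   # address objects, treated as opaque labels (no CIDR containment math)
    dst: frozenset
    app: frozenset
    action: str      # "allow" or "deny"

def fields(r):
    return (r.src, r.dst, r.app)

def field_covers(a, b):  # field set a matches everything field set b matches
    return a == ANY or (b != ANY and b <= a)

def covers(a, b):  # rule a matches every session rule b would match
    return all(field_covers(x, y) for x, y in zip(fields(a), fields(b)))

def overlaps(a, b):  # some session could match both rules
    return all(x == ANY or y == ANY or x & y for x, y in zip(fields(a), fields(b)))

def analyze(rules):
    """(anomaly, later_rule, earlier_rule) triples for a top-down rulebase; classic taxonomy, no consolidation."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):  # the later rule can never trigger
                kind = "redundancy" if earlier.action == later.action else "shadow"
            elif covers(later, earlier) and later.action != earlier.action:
                kind = "generalization"  # the earlier rule is an exception carved out of this one
            elif overlaps(earlier, later) and later.action != earlier.action:
                kind = "correlation"  # partial overlap where rule order decides the outcome
            else:
                continue
            findings.append((kind, later.name, earlier.name))
            if kind in ("shadow", "redundancy"):
                break  # the first covering rule is the one that hides it
    return findings

RULEBASE = [  # constructed sample rulebase, not taken from the page
    Rule("allow-corp-web", frozenset({"corp-users"}), ANY, frozenset({"web-browsing", "ssl"}), "allow"),
    Rule("allow-corp-browsing", frozenset({"corp-users"}), ANY, frozenset({"web-browsing"}), "allow"),
    Rule("deny-corp-ssl", frozenset({"corp-users"}), frozenset({"dmz"}), frozenset({"ssl"}), "deny"),
    Rule("deny-all-ssl", ANY, ANY, frozenset({"ssl"}), "deny"),
    Rule("deny-guest-ssh", frozenset({"guest"}), ANY, frozenset({"ssh"}), "deny"),
    Rule("allow-all-ssh", ANY, ANY, frozenset({"ssh"}), "allow"),
]
```

Running analyze(RULEBASE) reports the second rule as redundant, the third as shadowed, the fourth as correlated with the first, and the last as a generalization of the guest SSH deny.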
Cloud Management for NGFWs: UI Update for Security Checks
February 16, 2024
Supported on Strata Cloud Manager for:
Prisma Access (Managed by Strata Cloud Manager)
NGFW (Managed by Strata Cloud Manager)
Security administrators rely on predefined best practice checks that align with
industry standards, such as CIS (Center for Internet Security) and NIST (National
Institute of Standards and Technology). However, the rigidity of applying these
checks globally often forces you to manually bypass or ignore critical security
findings for specific operational exceptions, risking compliance and increasing
administrative overhead.
Strata Cloud Manager now addresses this by supporting real-time inline
check exemptions. Exemptions allow you to restrict where security checks are applied
within your deployment, rather than requiring you to disable the checks entirely.
This capability ensures you maintain a robust global security posture while flexibly
accommodating specific organizational needs. Additionally, essential check
information is now delivered in a consolidated, contextual view, simplifying your
configuration evaluation workflow and allowing you to balance security enforcement
with operational efficiency.
Cloud Management for NGFWs: Clone a Snippet
February 16, 2024
Supported on Strata Cloud Manager for:
Prisma Access (Managed by Strata Cloud Manager)
NGFW (Managed by Strata Cloud Manager)
When you need to create similar configuration snippets with slight
variations, manually rebuilding each snippet from scratch wastes valuable time and
increases the risk of configuration errors. This challenge becomes particularly
frustrating when you want to use an existing snippet as a foundation for new
deployments or when adapting proven configurations for different network
segments.
You can now clone existing snippets in Strata Cloud
Manager, allowing you to use any preexisting snippet as a
template for new configurations. This cloning capability eliminates the need to
configure completely new objects when you want to create variations of existing
snippets.
Snippets are configuration objects, or groups of configuration objects,
that you can associate with your folders, firewalls, and Prisma® Access deployments
onboarded to Strata Cloud Manager. You use them to standardize configurations,
enabling you to push changes quickly to multiple areas simultaneously. Snippets help
you manage common configurations centrally for consistent security enforcement
across NGFW and Prisma Access deployments.
Snippets are classified in two ways: Predefined and Custom. Predefined
snippets are available to all Strata Cloud Manager users and help you quickly get
your new firewalls and deployments up and running with best practice configurations.
Custom snippets are any snippets that administrators create.
When you clone a snippet, the system creates an independent copy that is
not associated with any devices, folders, or deployments. This allows you to
customize the cloned snippet freely without having to disassociate it from existing
resources before you begin making modifications.
Cloud Management for NGFWs: TACACS+ Accounting
February 16, 2024
Supported on Strata Cloud Manager for:
NGFW (Managed by PAN-OS or Panorama)
NGFW (Managed by Strata Cloud Manager)
If you use a Terminal Access Controller Access-Control System Plus (TACACS+) server for user authorization and
authentication, you can now log accounting information to fully make
use of the authentication, authorization, and accounting (AAA) framework that is the
basis for TACACS+.
The TACACS+ Accounting feature allows you to use a TACACS+ server profile
to record user behavior, such as when a user started using a specific service, the
duration of use for the service, and when they stopped using the service. The
TACACS+ Accounting feature helps to create logs and records of the initiation and
termination of services, as well as any services in progress during the user’s
session, that you can then use later if needed for auditing purposes.
When you configure and enable an Accounting server profile, the TACACS+ server
provides information to the firewall about the initiation, duration, and termination
of services by users. The firewall also generates a log when the TACACS+ server
successfully provides the accounting records to the server that you configure in the
profile. If the firewall is unable to successfully send the accounting records to
any of the servers in the profile, the firewall generates a critical severity alert
to the system logs.
By using your existing TACACS+ server, you can now configure it to provide even more
information about the use of services by users on your network, giving you even more
robust visibility into user activity on your network.
Traceability and Control of Post-Quantum Cryptography in Decryption
PAN-OS 11.1 is required. This feature was first introduced in
PAN-OS 11.1 for NGFW (Managed by PAN-OS or Panorama).
Today, post-quantum cryptography (PQC) algorithms
and hybrid PQC algorithms (classical and PQC algorithms combined) are accessible
through open-source libraries and integrated into web browsers and other
technologies. Traffic encrypted by PQC or hybrid PQC algorithms cannot be decrypted
yet, making these algorithms vulnerable to misuse. To address these concerns, Palo
Alto Networks firewalls now detect, block, and log the use of PQC and hybrid
PQC algorithms in TLSv1.3 sessions. Successful detection, blocking, and
logging of PQC and hybrid PQC algorithms depends on your SSL Decryption policy
rules.
If SSL traffic matches an SSL Forward Proxy or SSL Inbound Inspection
Decryption policy rule, the firewall prevents negotiation with PQC, hybrid PQC, and
other unsupported algorithms. Specifically, the firewall removes these algorithms
from the ClientHello, forcing the client to negotiate with classical algorithms.
(For a list of supported cipher suites, see PAN-OS 11.1 Decryption Cipher Suites.)
This enables continuous decryption and threat identification through deep packet
inspection. If the client strictly negotiates PQC or hybrid PQC algorithms, the
firewall drops the session. In the Decryption log for the dropped session, the error
message states that the "client only supports post-quantum algorithms." To see
details of successful or unsuccessful TLS handshakes in the Decryption logs, enable
both handshake logging options (successful and unsuccessful) in your Decryption policy rules.
If SSL traffic matches a "no-decrypt" Decryption policy rule or doesn't
match any Decryption policy rules, the firewall allows negotiation with PQC or
hybrid PQC algorithms. However, details of sessions that negotiate these algorithms
are available in Decryption logs only when session traffic matches a "no-decrypt"
Decryption policy rule.
Additionally, new threat signatures offer additional visibility into the
use of PQC and hybrid PQC algorithms in your network. These signatures monitor
ServerHello responses and trigger alerts for SSL sessions that successfully
negotiate with the most commonly known PQC and hybrid PQC algorithms. A Threat
Prevention license is required to receive alerts.
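As an added illustration (not PAN-OS code), the ClientHello handling described above modelled in Python: the supported_groups extension is parsed, and the verdict depends on whether a Forward Proxy or Inbound Inspection rule matched. The hybrid PQC named-group codepoints are assumed well-known draft values rather than taken from the page, and the ClientHello bytes are constructed inline.

```python
import struct

# Hybrid PQC named-group codepoints (assumed well-known draft values, not from the page); other groups count as classical.
PQC_HYBRID = {0x6399: "X25519Kyber768Draft00", 0x11EC: "X25519MLKEM768", 0x11EB: "SecP256r1MLKEM768"}

def build_client_hello(groups):
    """Build a minimal TLS 1.3 ClientHello record with one cipher suite and a
    supported_groups extension (constructed test input, not a captured handshake)."""
    body = struct.pack("!H", 2 * len(groups)) + b"".join(struct.pack("!H", g) for g in groups)
    ext = struct.pack("!HH", 10, len(body)) + body            # extension type 10 = supported_groups
    hello = (b"\x03\x03" + bytes(32)                          # legacy_version + random
             + b"\x00"                                        # empty legacy_session_id
             + b"\x00\x02\x13\x01"                            # cipher_suites: TLS_AES_128_GCM_SHA256
             + b"\x01\x00"                                    # legacy_compression_methods: null
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello      # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def supported_groups(record):
    """Walk a ClientHello record and return the named groups the client offers."""
    if record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello record")
    p = 9 + 2 + 32                                            # skip headers, version, random
    p += 1 + record[p]                                        # legacy_session_id
    p += 2 + int.from_bytes(record[p:p + 2], "big")           # cipher_suites
    p += 1 + record[p]                                        # legacy_compression_methods
    end = p + 2 + int.from_bytes(record[p:p + 2], "big")      # end of the extensions block
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 10:
            n = int.from_bytes(record[p:p + 2], "big")
            return [int.from_bytes(record[p + 2 + i:p + 4 + i], "big") for i in range(0, n, 2)]
        p += elen
    return []

def decryption_verdict(record, matches_decrypt_rule):
    """Model the behaviour the release note describes: under a Forward Proxy or Inbound
    Inspection rule PQC groups are stripped and a PQC-only client is dropped; otherwise allowed."""
    groups = supported_groups(record)
    pqc = [g for g in groups if g in PQC_HYBRID]
    classical = [g for g in groups if g not in PQC_HYBRID]
    if not matches_decrypt_rule:
        return "allow", pqc                                   # no-decrypt / no match: negotiation allowed
    if pqc and not classical:
        return "drop", pqc                                    # "client only supports post-quantum algorithms"
    if pqc:
        return "strip", classical                             # client is forced onto classical groups
    return "allow", classical
```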
Cloud Management of NGFWs: GlobalProtect Portal and Gateway
February 16, 2024
Supported on Strata Cloud Manager for:
NGFW (Managed by PAN-OS or Panorama)
NGFW (Managed by Strata Cloud Manager)
GlobalProtect app
You can now use GlobalProtect with cloud-managed NGFWs to
secure your mobile workforce. Enable your cloud-managed NGFWs as GlobalProtect
gateways and portals, in order to provide flexible, secure remote access to users
everywhere.
Whether checking email from home or updating corporate documents from an airport, the
majority of today's employees work outside the physical corporate boundaries. This
workforce mobility increases productivity and flexibility while simultaneously
introducing significant security risks. Every time users leave the building with
their laptops or smart phones, they are bypassing the corporate firewall and
associated policies that are designed to protect both the user and the network.
GlobalProtect™ solves the security
challenges introduced by roaming users by extending the network security policy that
you're enforcing within the physical perimeter to all users, no matter where they
are located.
Strata Cloud Manager: Private Key Export in Certificate Management
February 16, 2024
Supported on Strata Cloud Manager for:
Prisma Access (Managed by Strata Cloud Manager) and Prisma Access (Managed by Panorama)
NGFW (Managed by PAN-OS or Panorama)
You can centrally manage the certificates you use to secure communication across your
network.
You can now export the private key from Strata Cloud Manager for a self-signed certificate. However, the export of private
keys for an externally signed certificate is restricted. The supported export
formats are as follows:
Base64 Encoded Certificate (PEM)—This is the default
format. It's the most common and has the broadest support on the internet.
Select Export Private Key if you want the exported file to
include the private key.
Encrypted Private Key and Certificate (PKCS12)—This
format is more secure than PEM but isn't as common or as broadly supported. The
exported file will automatically include the private key.
Binary Encoded Certificate (DER)—More operating system
types support this format than the others. You can't export the private key in
this format.
Strata Cloud Manager: New Prisma Access Cloud Management Location
February 16, 2024
Supported on Strata Cloud Manager for:
Prisma Access (Managed by Strata Cloud Manager)
Prisma Access (Managed by Panorama)
Prisma Access Cloud Management can now be deployed in the India region.
User Session Inactivity Timeout
February 15, 2024
Supported on Strata Cloud Manager
The Strata Cloud Manager user session inactivity timeout occurs after 30 minutes of
inactivity. Five minutes prior to the timeout, you get a notification that the
session is about to time out unless you press a key or move your cursor. If you
don't do anything, the notification will count down the time until approximately
five seconds remain.
If you still don't press a key or move your cursor, you'll lose any unsaved work and
you'll need to log in again. The inactivity timeout applies to all tenants managed
in the Strata Cloud Manager.
AIOps for NGFW: Logging Drive Failure Alert
February 6, 2024
Introducing the Logging Drive Failure
alert that detects a failure in the logging drive by monitoring
the firewall's disk status. This failure in the drive could
potentially result in data loss, impair logging and monitoring
capabilities, and activate a failover in the case of a high
availability (HA) pair.