Generic detection rules often fail to match specific operational requirements when monitoring Prisma® Access infrastructure. To address this, the incident customization feature in Strata Cloud Manager allows you to define custom raise and clear conditions for tunnel, BGP connectivity, and site capacity incidents through the Unified Incident Framework. This capability gives you granular control over when Strata Cloud Manager generates and resolves incidents based on your unique environment.

You can configure specific time-based thresholds for detecting infrastructure issues across your remote network and service connection deployments. You can define the duration a resource, such as a tunnel or BGP, must be down before an incident is raised, and conversely, the length of time it must be up before that incident is cleared. This flexibility ensures that transient issues do not generate unnecessary alerts while still capturing genuine problems. The feature integrates object-based filtering, enabling you to apply different thresholds to specific sites or BGP peers. Strata Cloud Manager performs a longest-match evaluation against your resource hierarchy, meaning you can set conservative default thresholds for your entire infrastructure while defining more aggressive detection parameters for mission-critical connections.

Health incidents actively monitor the health and performance of your platform in real time. This approach helps in identifying issues, predicting potential problems, and implementing remediation actions to ensure your devices function optimally. Here are some key aspects:

Storing and transmitting direct user credentials for third-party integrations creates significant security risks and often violates organizational compliance policies. To solve these vulnerabilities, OAuth 2.0 authentication for ServiceNow integrations in Strata Cloud Manager provides a secure, token-based mechanism that eliminates the need to transmit sensitive passwords directly. This feature, part of Strata Cloud Manager, allows you to leverage industry-standard protocols to establish secure connections without exposing username and password combinations in your notification profiles.

The client credentials grant type implementation allows you to authenticate using client ID and client secret pairs. Strata Cloud Manager automatically handles access token acquisition and renewal, ensuring your incident management workflows continue without manual intervention. Because tokens have limited lifespans and are easily revocable, this approach offers superior protection compared to basic authentication. You can implement least-privilege access patterns, ensuring the integration only receives the minimum permissions necessary for ticket management.

Organizations with strict security mandates benefit from improved audit trails and granular access control. You can migrate existing ServiceNow notification profiles from basic authentication to OAuth seamlessly, maintaining your current incident management workflows while significantly enhancing your credential security posture.

When you deploy workloads in cloud environments, those workloads frequently scale up and down with changing demand. If you write firewall security policies using static IP addresses, you must manually update those policies every time your teams deploy new services or scale existing ones. This creates a gap between how quickly your infrastructure changes and how quickly your security policies can adapt, leading to either security risks from overly permissive rules or operational problems from blocked legitimate traffic.

Automated Tag-based Security solves this problem by automatically collecting tags from your cloud workloads and making them available to your firewalls through Dynamic Address Groups. Instead of writing policies based on IP addresses, you write policies based on workload identity using the same tags your teams already apply in AWS, Azure, GCP, or Kubernetes. When workloads scale up or down, your security policies continue to apply correctly without manual intervention.

You connect your cloud provider accounts, create monitoring definitions that specify which tags to collect, then configure which firewalls should receive those tags. After you commit your changes, the system automatically begins distributing tags to your firewalls. As new firewalls join folders with distribution settings configured, they automatically begin receiving the appropriate tags without manual configuration. Similarly, when firewalls leave those folders, the system automatically removes the associated tags, ensuring your security policies remain aligned with your current infrastructure.

Historically, organizations requiring comprehensive traffic capture for forensic or historical purposes faced limited options: deploy costly standalone SSL/TLS decryption appliances, rely on solutions that provide incomplete visibility, or accept the visibility gaps caused by encrypted traffic.

Decryption Port Mirroring eliminates these tradeoffs by providing a solution that improves your security monitoring, incident response, and data retention. When enabled, your Next-Generation Firewall (NGFW) forwards cleartext copies of decrypted SSL/TLS and SSH proxy traffic to external traffic collection or analysis tools through a configured Ethernet interface. No other specialized hardware is required.

You can mirror traffic before or after Security policy rule enforcement to meet your specific needs. By default, the NGFW mirrors all decrypted traffic before policy enforcement. This enables security teams to replay events and analyze traffic that generated a threat or was dropped by the firewall. Post-enforcement mirroring excludes dropped packets, which reduces false positives on third-party data loss prevention (DLP) or intrusion prevention system (IPS) devices.

Decryption Port Mirroring is supported on all hardware and VM-Series NGFWs and requires the free Decryption Port Mirroring license.

Threat actors leverage specific DNS queries to bypass security filters or conduct network reconnaissance. For example, SVCB (Type 64) and HTTPS (Type 65) records can facilitate encrypted connections that evade traditional inspection, while ANY (Type 255) queries allow attackers to retrieve all known record types to map your internal network. Without the ability to distinguish and control these specific record types, your organization remains vulnerable to sophisticated evasion techniques and information gathering.

Palo Alto Networks now provides the option in Strata Cloud Manager to block ECH (Encrypted Client Hello), which is a draft state proposal to encrypt the entire ‘client hello’ message. This includes SVCB (Type 64), HTTPS (Type 65), and ANY (Type 255) DNS record types. While enabling ECH offers some data privacy, such as ALPN and SNI, it can also prevent certain firewall services that use the client hello from operating as intended. To maintain optimal function of the security services of the firewall, Palo Alto Networks recommends blocking all ECH-supporting record types.

Many application servers use load-balanced DNS to return only a subset of resolved IP addresses per query, which can cause security policy match failures unless the firewall maintains an aggregate list of all valid IP addresses. Strata™ Cloud Manager now supports the Load Balanced DNS setting for fully qualified domain name (FQDN) address objects to ensure your Security policy rules consistently match traffic for distributed cloud services and load-balanced application environments.

When enabled, the network security platform maintains an aggregate list of up to 100 resolved IP addresses per domain that have not yet reached their time-to-live (TTL) expiration. Instead of a replacement logic, this intelligent maintenance ensures that all valid source and destination IPs returned across multiple DNS queries are available for policy enforcement. The system uses an intelligent retry interval that doubles if no changes are detected, allowing the IP list to refresh without impacting management plane performance. This ensures your security posture remains robust even for applications with highly dynamic or distributed IP pools.

Strata Cloud Manager now supports forwarding next-generation firewall (NGFW) management plane logs to external destinations, for monitoring, archiving, and analysis. This feature extends existing visibility beyond data plane traffic.

You can configure forwarding for System, Config, User-ID™, IP-Tag, HIP Match, and GlobalProtect® log types to Syslog, HTTP, SNMP, and email servers. You can apply granular filters based on severity and event attributes to monitor administrative activity, system health, and user mapping events within your centralized logging infrastructure.

The PA-505 and PA-510 firewalls upgrade the capabilities of earlier PA-400 Series models with targeted enhancements for small branch offices, retail locations, and managed security service environments. The PA-505 features seven RJ-45 ports and the PA-510 features eight RJ-45 ports for connectivity. These platforms have threat performance of 800 Mbps to 1.2 Gbps. The PA-505 in particular includes upgraded memory from 8GB to 16GB and increased storage from 64GB to 128GB. Both of these models support local logging, Zero Touch Provisioning (ZTP), and high availability deployments.

The PA-505 and PA-510 are first supported on PAN-OS® version 12.1.3. You can manage these firewalls through multiple interfaces including CLI, Firewall Web Interface, Panorama, and Strata Cloud Manager.

Adopting post-quantum cryptography (PQC) is critical to protecting your organization and its assets against future quantum computers, which will break today’s classical cryptography. Failure to adopt PQC early increases the risk of compromise of sensitive data with attacks like Harvest Now, Decrypt Later already under way. On the other hand, upgrading legacy applications and systems is a time-consuming and costly process that risks service disruption and data security without proper guardrails in place. Accounting for these concerns, PAN-OS® 12.1 adds support for securing TLSv1.3 sessions using post-quantum (PQ) key encapsulation mechanisms (KEMs) to SSL Forward Proxy, SSL Inbound Inspection, Decryption Mirror, and the Network Packet Broker features.

In decryption profiles, you can enable PQ KEMs standardized by the National Institute of Standards and Technology (NIST) or nonstandardized, experimental options. You can also specify if your selected algorithms are preferred by the client-side, server-side, or both. Next-Generation Firewalls (NGFWs) now serve as cipher translation proxies, translating between PQC and classical encryption for applications that are not yet post-quantum ready. For example, you can use quantum-safe encryption for communications between end users and NGFWs but classical encryption for connections between an NGFW and applications.

This solution secures both legacy and quantum-safe systems and applications, enables you to meet PQC mandates, and reduces stress and complexity around PQC upgrades.

Future quantum computers will break today's encryption. Adversaries are taking advantage by stealing encrypted data today to decrypt once a cryptographically relevant quantum computer (CRQC) is available. This "Harvest Now, Decrypt Later" strategy requires a proactive response. Management connections are prime targets for adversaries because the encrypted traffic contains sensitive, long-lived data such as login credentials and configuration details. To defend against the quantum computing threat, PAN-OS® 12.1 now supports post-quantum cryptography (PQC) for administrative access to Next-Generation Firewalls (NGFWs) and Panorama®. This feature protects TLSv1.3 management connections using quantum-resistant algorithms standardized by the National Institute of Standards and Technology (NIST).

SSL/TLS service profiles now offer ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism), the post-quantum key exchange algorithm specified in FIPS 203. The NGFW or Panorama ensures interoperability by automatically negotiating a supported classical algorithm if a web browser doesn't support PQC. You can also enable hybrid post-quantum key exchange, which combines a classical algorithm like ECDH with a post-quantum algorithm to generate a shared key. Hybrid key exchange secures your organization from attacks by today's classical computers and future CRQCs. These capabilities prevent disruption to critical operations and ease your transition to PQC.

You can also generate certificates using the NIST-approved digital signatures: ML-DSA (Module-Lattice-based Digital Signature Algorithm) and SLH-DSA (Stateless Hash-based Digital Signature Algorithm). These algorithms are specified in FIPS-204 and FIPS-205, respectively. PQC certificates are for testing only while industry standards are under development.

Zero Touch Provisioning (ZTP) can now use cellular interfaces to automatically deploy and configure NGFW (Managed by Panorama or Strata Cloud Manager) in remote locations with limited connectivity or lacking traditional wired connections.

ZTP now supports multiple connectivity scenarios, including cellular-only, ethernet-only, and hybrid connectivity. This provides the flexibility to adapt to various network environments, particularly distributed networks, retail locations, or temporary sites where traditional wired connectivity might be unavailable. This capability integrates directly with existing workflows to maintain management consistency and enable efficient remote deployment without requiring on-site IT intervention. Built to support current and future 5G-enabled platforms, ZTP over Cellular ensures long-term adaptability and reduced operational costs by streamlining the secure onboarding of remote assets.

ZTP over cellular interfaces are supported on devices running PAN-OS 12.1.2 and later.

You can now activate Palo Alto Networks NGFWs at branch locations using the ZTP NGFW Activation web app that extends the existing Zero Touch Provisioning (ZTP) capabilities to mobile devices. This solution enables field installers to complete NGFW onboarding and activation without requiring technical expertise or detailed knowledge of customer network configurations. The web app is browser-based and supports both iOS and Android devices, eliminating the need for separate native applications while maintaining full compatibility with existing ZTP workflows.

The ZTP NGFW Activation web app allows for QR code scanning functionality on Gen 5 or newer hardware that automatically populates device-specific information including Serial Numbers and Claim Keys directly from labels affixed to the NGFW hardware. When you scan a QR code using your mobile device's camera, the QR code contains an embedded URL that redirects you to the ZTP Activation Page along with the Serial Number and Claim Key data. The application automatically populates these fields from the scanned QR code data, and you simply need to initiate the ZTP activation process for the device.

You gain access to all existing ZTP activation features through the web app, including the ability to view activation history for devices processed within the last seven days and monitor the status of firewalls during the provisioning process. The application maintains the same security and authentication requirements as the desktop ZTP portal while optimizing the user interface for smartphones.

This web app addresses deployment scenarios where installers work across multiple branch locations and may need to activate NGFWs for different customers without carrying laptops or requiring detailed technical documentation. The solution reduces the complexity of field deployments while maintaining the security and configuration management oversight that network security teams require for firewall provisioning workflows.