Strata Cloud Manager
New Features in July 2024
Here are the latest new features introduced on Strata Cloud Manager in July 2024. Features listed here
include some feature highlights for the products supported with Strata Cloud Manager.
For the full list of new features supported for a product you're using with Strata Cloud
Manager, see the release notes for that product.
Email DLP Enhancements
July 29, 2024
Enterprise Data Loss Prevention (E-DLP) has introduced the following enhancements to Email DLP to strengthen your security
posture when inspecting outbound emails from your organization, to prevent exfiltration of sensitive data.
- If you need to send an outbound email containing sensitive data, you can now forward outbound Gmail and Microsoft Exchange emails to your Proofpoint server, which encrypts the email on its way to the target recipient if Enterprise DLP detects sensitive data. Encrypting outbound emails that contain sensitive data prevents the message from being read by an unintended or unauthorized individual.
- Email DLP now supports inspection of .eml files and up to five levels of nested .eml email files. Enterprise DLP can inspect only nested .eml files; it cannot inspect any other supported file types that may contain nested files.
- (Microsoft Exchange only) You can now configure Enterprise DLP, in an Email DLP policy rule, to send an email notification to the outbound email sender when Enterprise DLP detects sensitive data, so that senders are immediately notified that their email was not delivered to its intended recipient because of a data security violation. For example, this notification allows a sender who erroneously sent an outbound email containing sensitive data to modify the email and resend it. This applies to Email DLP policy rules where the response Action is Forward email for approval to end user's manager, Forward email for approval to admin, or Quarantine.
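The nested .eml inspection described above, modelled here as an added example (not Palo Alto Networks' implementation): the code builds a constructed outbound email whose .eml attachments are chained as message/rfc822 parts, walks them with Python's standard email library, stops descending once the nesting exceeds five levels, scans every reachable text body for a constructed SSN-style pattern, and records which nesting level was left uninspected because of the limit. The depth constant, the pattern, the sample addresses and the function names are assumptions made for the example.

```python
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Assumption modelled on the page: the outer email is level 0 and nested .eml
# attachments are inspected down to level 5; deeper ones are not inspected.
MAX_EML_DEPTH = 5

# Constructed sample detector: a US-SSN-shaped token stands in for a DLP data pattern.
SENSITIVE_PATTERN = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def build_nested_eml(nesting: int, secret: str) -> bytes:
    """Constructed sample: an outer email carrying `nesting` chained .eml attachments.

    The innermost message body contains `secret`; every wrapper is one level closer
    to the outermost email (level 0). Addresses are placeholders.
    """
    msg = EmailMessage()
    msg["Subject"] = f"nested level {nesting}"
    msg["From"] = "alice@example.com"
    msg["To"] = "bob@example.com"
    msg.set_content(f"Please keep this private: {secret}")
    for level in range(nesting - 1, -1, -1):
        outer = EmailMessage()
        outer["Subject"] = f"nested level {level}"
        outer["From"] = "alice@example.com"
        outer["To"] = "bob@example.com"
        outer.set_content(f"Forwarding a message from level {level + 1}")
        # A Message object attached this way becomes a message/rfc822 part,
        # which is how a nested .eml file appears inside an email.
        outer.add_attachment(msg, filename=f"level{level + 1}.eml")
        msg = outer
    return msg.as_bytes()


def _scan(part, depth: int, max_depth: int, findings: list, skipped: list) -> None:
    """Recursively visit parts; `depth` is the .eml nesting level of `part`."""
    if part.get_content_type() == "message/rfc822":
        # Entering an embedded message raises the nesting level by one.
        if depth + 1 > max_depth:
            skipped.append(depth + 1)  # beyond the limit: left uninspected
            return
        for embedded in part.get_payload():
            _scan(embedded, depth + 1, max_depth, findings, skipped)
    elif part.is_multipart():
        # multipart containers do not change the nesting level
        for sub in part.get_payload():
            _scan(sub, depth, max_depth, findings, skipped)
    elif part.get_content_maintype() == "text":
        for match in SENSITIVE_PATTERN.finditer(part.get_content()):
            findings.append((depth, match.group()))


def inspect_eml(raw: bytes, max_depth: int = MAX_EML_DEPTH) -> dict:
    """Parse an .eml byte string and report matches per nesting level.

    Returns {"findings": [(level, matched_text), ...],
             "skipped_levels": [level, ...]} where skipped levels exceed `max_depth`.
    """
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings: list = []
    skipped: list = []
    _scan(msg, 0, max_depth, findings, skipped)
    return {"findings": findings, "skipped_levels": skipped}


if __name__ == "__main__":
    # Five nested levels: the secret at level 5 is found.
    print(inspect_eml(build_nested_eml(5, "123-45-6789")))
    # Six nested levels: level 6 is beyond the limit and is reported as skipped.
    print(inspect_eml(build_nested_eml(6, "123-45-6789")))
```

The `skipped_levels` list is the part a defender should watch: a message whose sensitive content sits below the inspected depth produces no finding, so a policy that relies on nested-file inspection should treat attachments nested beyond the limit as uninspected rather than clean.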
Browser Support for Remote Browser Isolation
July 26, 2024
In addition to Google Chrome, Microsoft Edge, and Safari browsers, the Firefox
browser is now supported for Remote Browser Isolation (RBI) on macOS and Windows
desktop operating systems.
Refer to How Remote Browser Isolation Works for the
combination of operating systems and browsers that your users can use for isolated
browsing.
Mobile Support for Remote Browser Isolation
July 26, 2024
To help broaden the device support for your managed users, mobile support is added
for Remote Browser Isolation (RBI) in addition to macOS and Windows desktop
operating systems. Your managed users can now use Android, iOS, and iPadOS devices
for isolated browsing.
Refer to How Remote Browser Isolation Works for the
combination of operating systems and browsers that are supported for RBI.
AI Runtime Security
July 24, 2024
Palo Alto Networks AI Runtime Security is a purpose-built firewall to discover, protect, and defend enterprise traffic flows against all potential threats, focusing on AI-specific vulnerabilities such as prompt injection and denial-of-service attacks on AI models. It combines continuous runtime threat analysis of your AI applications, models, and data sets with AI-powered security to stop attackers in their tracks. AI Runtime Security leverages real-time AI-powered security to protect your AI application ecosystem from both AI-specific and conventional network attacks. It provides critical anomaly detection capabilities and protects AI models from manipulation to ensure the reliability and integrity of AI output data. It rejects prompt injections, malicious responses, training data poisoning, malicious URLs, command and control, embedded unsafe URLs, and lateral threat movement.
AI Runtime Security uses Palo Alto Networks Strata Cloud Manager (SCM) as the main configuration and management engine. To begin, activate and onboard your cloud service provider account on SCM. The AI Security Profile imports security capabilities from Enterprise DLP and URL Filtering for inline detection of threats in AI application traffic.
AI Runtime Security is powered by the following four key elements:
- Discover: AI Runtime Security discovers your enterprise AI applications and all other applications. The AI Runtime Security dashboard provides complete visibility and security insights into your AI and other applications in just a few clicks. You can effortlessly gain actionable intelligence on AI traffic flows covering your applications, models, user access, and infrastructure threats.
- Deploy: Deploying AI Runtime Security with Terraform templates automates the deployment procedure, reducing human error and the time required for manual configuration tasks, and protects your enterprise AI applications. Deploy your AI Runtime Security instance by downloading the Terraform templates and providing permissions to your cloud service provider account projects so that flow logs and DNS logs can be analyzed.
- Detect: Identify unprotected traffic flows with potential security threats to the cloud network, and detect potential security risks based on logs, with recommended actions to remediate them.
- Defend: Shield your organization's AI application ecosystem from AI-specific and conventional network attacks by leveraging real-time AI-powered security. Get continuous discovery of AI network traffic on containers and namespaces.
To learn more about AI Runtime Security activation, onboarding, and deployment, see the AI Runtime Security documentation.
Dynamic Privilege Access
July 24, 2024
For Enterprise IT and IT Enabled Services (ITES) companies that need to control which
users have access to their customer projects, Dynamic Privilege Access provides a
seamless, secure, and compartmentalized way for your users to access only those
projects that they are assigned to. Employees are typically assigned to several
customer projects and are provided with siloed access to these projects so that an
authorized user can access only one customer project at a time.
A new predefined role called the Project Admin is available to allow project administrators to create and manage project definitions. Project
administrators have the ability to map projects to selected Prisma Access location
groups, and to create IP address assignments using DHCP based on the project and
location group.
Panorama to Strata Cloud Manager Migration
July 24, 2024
If you have an existing Prisma Access (managed by Panorama) deployment and want to
switch from Panorama to cloud management, Palo Alto Networks offers an in-product workflow that lets you migrate
your existing Prisma Access configuration to Strata Cloud Manager. While this
migration workflow is disabled by default, you can reach out to your account teams
to enable this feature and begin the migration to cloud management.
Benefits of moving to cloud management include:
- Continuous best practice assessments
- Secure default configurations
- Machine Learning (ML)-based configuration optimization
- Simplified web security workflow
- Comprehensive and actionable visualizations
- Intuitive workflows for complex tasks
- Simple and secure management APIs
- Cloud-native architecture provides scalability, resilience, and global reach
- No hardware to manage or software to maintain
View and Monitor Dynamic Privilege Access
July 24, 2024
Dynamic Privilege Access enables Prisma Access to apply different network and
Security policy rules to mobile user flows based on the project your users are
working on. In the Strata Cloud Manager Command Center, you can view user-based access information in your
environment.
Gain visibility into your Prisma Access Agent deployment by using Strata Cloud
Manager to monitor your users' project activity. In the Strata Cloud Manager Command
Center, you can also view project-based access information in your environment.
Support for Deleting Connector IP Blocks
July 24, 2024
To allow more flexibility after you configure Connector IP Blocks, you can now update and delete Connector IP Blocks.
However, you can delete a Connector IP Block only after you delete all the ZTNA
objects, such as connectors, applications, wildcards, and connector groups, on the
tenant.
Strata Cloud Manager: Cross-Scope Referenceability in Snippets
July 24, 2024
Enterprises need to enforce configuration objects and global settings consistently
across all deployments. By referencing global settings across various scopes, such
as snippets or folders, organizations can streamline operations, eliminate redundant
configurations, and enhance centralized management. For example, organizations can
effectively manage custom URL categories for access policy rules, threat prevention
profiles, zones, addresses, and other objects representing standard network
segments.
This feature allows you to reference any common configurations or objects attached to
a global scope and push them to NGFWs or Prisma Access deployments.
These shared objects and configurations within the global scope are available to all
snippets. Snippets associated with the global scope are considered global
snippets, and the objects defined within them can be referenced from any snippet in the
configuration. This simplifies managing configurations from a single
location, and updating and enforcing global standards across all deployments.
Strata Cloud Manager: Disable Default HIP Profiles
July 24, 2024
The default HIP objects and HIP profiles in Strata Cloud Manager
have been moved from the Global-Default snippet to the HIP-Default
snippet, providing greater flexibility in managing the default HIP profiles. You can
choose to disable the default HIP profiles by
disassociating the HIP-Default snippet from the global folder.
Enterprise DLP: File Type Exclusion
July 24, 2024
Enterprise Data Loss Prevention (E-DLP) now supports creating a file type exclusion list when
modifying a DLP Rule to define the type of traffic to
inspect, the impacted file types, the action, and the log severity for the data profile
match criteria. Creating a file type exclusion list, rather than an inclusion list,
instructs the NGFW or Prisma Access tenant to forward all file
types except those specified in the exclusion list to Enterprise DLP for
inspection and verdict rendering. A DLP Rule can be configured with either an inclusion or an
exclusion file type list, but not both.