New Features in June 2024


Here are the new features available in Strata Cloud Manager in June 2024.
Here are the latest new features introduced on Strata Cloud Manager. Features listed here include some feature highlights for the products supported with Strata Cloud Manager. For the full list of new features supported for a product you're using with Strata Cloud Manager, see the release notes for that product.

Prisma Access: Third-Party CDR Integration for Remote Browser Isolation

June 28, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
Protect your users against zero-day threats hidden in files that they download from the internet by integrating Remote Browser Isolation (RBI) with a third-party content disarm and reconstruction (CDR) provider.
When users browse the web and download various types of files to their local devices, they are exposed to zero-day threats. Even with file scanning or antivirus solutions in play, these threats could escape detection, allowing malware to be delivered to your users’ managed devices and rendering them as patient-zero.
With third-party CDR integration, any files downloaded while in RBI will be disarmed and reconstructed using CDR. The CDR provider will remove the malicious content from the files and deliver the sanitized files in their original file formats to the user.
You can integrate with Votiro to utilize Votiro's CDR capabilities to process and appropriately sanitize a file before it is downloaded to the user’s device from RBI, thus keeping the user protected from any potentially malicious executables embedded in the file.

Strata Cloud Manager: Custom Checks for Security Profiles

June 14, 2024
Custom checks have been newly added to the following security profiles:
  • DNS Security Profile
  • File Blocking Profile
  • Anti Spyware Profile
  • Vulnerability Protection Profile
  • Decryption Profile
Strata Cloud Manager lets you validate your configuration against predefined Best Practices and custom checks you create based on the needs of your organization. As you make changes to your service routes, connection settings, allowed services, and administrative access settings for the management and auxiliary interfaces for your firewalls, Strata Cloud Manager gives you assessment results inline so you can take immediate corrective action when necessary. This eliminates problems that misalignments with best practices can introduce, such as conflicts and security gaps.
Inline checks let you:
  • Gauge the effectiveness of, assess the impact of, and validate changes you make to your configuration using inline assessment results.
  • Prioritize and perform remediations based on the recommendations from the inline assessment.

Strata Cloud Manager: New Inline Best Practice Checks

June 14, 2024
Supported for:
The new inline checks empower you to:
  • Secure your GlobalProtect Gateway server authentication SSL/TLS Service Profile by ensuring that it is set to the minimum version "TLS 1.2," guarding against vulnerabilities inherent in weaker TLS versions.
  • Safeguard your business by ensuring that you use sanctioned applications, distinguishing officially approved SaaS applications from unsanctioned ones that may be tolerated or blocked for employee use.
  • Enhance monitoring by ensuring that you enable keep-alive for HA2. This helps you to monitor the connection between the device and its HA peer on the HA2 link to ensure that the connection is up.
  • Optimize security by ensuring that the Authentication Portal session timeout in Redirect mode is set to greater than the recommended value.
  • Verify management interface settings, including connection settings, allowed services, and administrative access permissions over the management interface.
  • Check session settings such as rematching sessions, accelerated aging, timeouts, and Global Packet Buffer Protection.
  • Ensure dynamic updates scheduler settings for Antivirus, Applications and Threats, and WildFire are correctly configured.
Strata Cloud Manager lets you validate your configuration against predefined Best Practices and custom checks you create based on the needs of your organization. As you make changes to your service routes, connection settings, allowed services, and administrative access settings for the management and auxiliary interfaces for your firewalls, Strata Cloud Manager gives you assessment results inline so you can take immediate corrective action when necessary. This eliminates problems that misalignments with best practices can introduce, such as conflicts and security gaps.
Inline checks let you:
  • Gauge the effectiveness of, assess the impact of, and validate changes you make to your configuration using inline assessment results.
  • Prioritize and perform remediations based on the recommendations from the inline assessment.

Cloud Management for NGFWs: Auto VPN Configuration for HA Pairs

June 14, 2024
(HA deployments only) In an Auto VPN with SD-WAN configuration, Auto VPN can now automatically generate the appropriate configuration for the active and passive HA peers (both branch and hub HA pairs). This makes HA failovers seamless between the HA pairs.

Prisma Access: Fast-Session Delete

June 14, 2024
Supported on Strata Cloud Manager for: Prisma Access (Managed by Strata Cloud Manager)
If your deployment has a requirement to delete sessions quickly, you can enable fast session delete, which allows Prisma Access to reuse TCP port numbers before the TCP TIME_WAIT period expires, and can be useful for SSL decrypted sessions that may be short-lived. You can enable this functionality for Remote Networks, Service Connections, and Mobile Users—GlobalProtect; for Mobile Users—Explicit Proxy deployments, this functionality is enabled by default and cannot be changed.

Prisma Access: FQDNs for Remote Network and Service Connection IPSec Tunnels

June 14, 2024
Supported on Strata Cloud Manager for: Prisma Access (Managed by Strata Cloud Manager)
When you onboard a Service Connection or Remote Network connection, a public IP address is assigned for the other side of the IPSec tunnel (the Service IP Address). You use these public IP addresses for your CPE in your branch site or headquarters or data center location. Keeping records of all the IP addresses you need to configure on your CPE can be time-consuming.
Instead of IP addresses, Prisma Access provides you FQDNs to use for the other end of the IPSec tunnel for Service Connections and Remote Network Connections, thus facilitating CPE setup at your branch sites or headquarters or data center locations.

Prisma Access: Native IPv6 Compatibility

June 14, 2024
Supported on Strata Cloud Manager for: Prisma Access (Managed by Strata Cloud Manager)
Prisma Access is extending its support for IPv6 from private applications to encompass comprehensive end-to-end IPv6 support for Mobile Users, Remote Networks, and Service Connections. One advantageous aspect of native IPv6 support is its capacity to enable Mobile Users utilizing IPv6-only endpoints to establish connections with Prisma Access via IPv6 connections using GlobalProtect. Additionally, this support facilitates accessing public SaaS applications over the internet, particularly where those destinations necessitate IPv6 connections.
IPv6 boasts a significantly larger address space compared to IPv4, thereby accommodating an almost limitless number of unique IP addresses. Through native IPv6 support, Prisma Access is engineered to be compatible with both IPv6 and dual-stack connections, facilitating the migration process from IPv4 to IPv6. This compatibility ensures backward compatibility and empowers organizations in their transition to cloud-based and IPv6-enabled networks.

Prisma Access: Service Connection Support for Explicit Proxy

Supported in: Prisma Access (Managed by Strata Cloud Manager) deployments in Prisma Access 5.1 Preferred and Innovation
Requires GlobalProtect in Proxy Mode to access private and partner apps in a data center and a minimum PAN-OS dataplane of 10.2.10.
Prisma Access Explicit Proxy now supports service connections to enable you to access resources in your data center. With this change, you will still be able to benefit from a proxy connection while accessing external dynamic lists, partner apps, or private apps hosted in your data center.

Strata Cloud Manager: Manage and Share Common Configuration Using Snippet Sharing

June 14, 2024
Supported on Strata Cloud Manager for:
  • Prisma Access (Managed by Strata Cloud Manager)
  • NGFW (Managed by Strata Cloud Manager)
Manually sharing and keeping the configuration synchronized across multiple tenants is both error prone and inefficient.
This feature provides a unique and flexible way to share common configuration in a multitenant environment. You can save and manage any combination of configuration as a snippet, seamlessly sharing them across tenants under a customer account. This offers tremendous flexibility and control in managing shared configuration across tenants. This feature offers a variety of use cases such as updating configurations from lab to production environments, migrating configurations between tenants, centralizing configuration management for common use cases across tenants, and managing global configurations in a multibusiness unit setup.

Strata Cloud Manager: Global Find Using Config Search

June 14, 2024
Supported on Strata Cloud Manager for:
Config Search in Strata Cloud Manager enables you to search configuration objects and settings for a particular string, such as IP addresses, object name, referenced objects, duplicate objects, policy names, policy rules, policies covered for specific CVEs, rule UUID, predefined snippets, or application name.
The search results are categorized and provide links to the configuration location in the Strata Cloud Manager, allowing you to easily find all occurrences and references of the searched string.

Strata Cloud Manager: Local Configuration Management

June 14, 2024
Supported on Strata Cloud Manager for: NGFW (Managed by Strata Cloud Manager)
Eliminate the need for context switching from central management to individual firewalls for managing local configurations.
This feature enhances readability, simplifies troubleshooting, and reduces manual effort by providing visibility and control over local firewall configurations through Strata Cloud Manager. Additionally, it identifies any conflicting or overridden objects between local and pushed configurations, making it easier to troubleshoot.

Strata Cloud Manager: Changes to Behavior for Web Traffic Handling

June 14, 2024
Supported on Strata Cloud Manager for:
  • Prisma Access (Managed by Strata Cloud Manager)
  • NGFW (Managed by Strata Cloud Manager)
Embrace Web Access policies when creating new Internet Security policies or configurations, preserving existing rules in your setup. Web Security policies offer a framework for abstracting policies, enabling translation of user intent into the language understood by the enforcement node. This ensures continuity for current rules without altering user experience through default rule ordering.
This capability incrementally enhances existing Web Security workflows. Newly created Global Web Access policy rules are positioned between Web Security rules and the regular security rules, with Global Catch All policies placed on top of the intrazone default rules in post-rules.

Strata Logging Service in Strata Cloud Manager

June, 2024
In addition to the Strata Logging Service app available on the hub, you can now also use Strata Cloud Manager to manage your Strata Logging Service instances.
Supported on Strata Cloud Manager with Strata Logging Service license.
Strata Cloud Manager is not available to you to manage your instances hosted in China or in FedRAMP high regions. Continue to use the Strata Logging Service app to manage the instances in these regions.
You can now manage your Strata Logging Service instance with Strata Cloud Manager. After you have activated and deployed Strata Logging Service, log in to Strata Cloud Manager on the hub and select Settings > Strata Logging Service to manage your Strata Logging Service instance. You can also continue to use the Strata Logging Service standalone app available on the hub to manage your instances. The logging data is the same in both the Strata Logging Service app and Strata Cloud Manager; only their web interfaces differ.
Use Strata Logging Service to:

Enterprise DLP: End User Coaching

June 14, 2024
Supported on Strata Cloud Manager for:
  • Prisma Access (Managed by Strata Cloud Manager)
  • NGFW (Managed by Strata Cloud Manager)
End User Coaching allows you to notify and coach end users when their actions violate a Security policy rule because it contains sensitive data that cannot leave your corporate network. Prisma Access (Managed by Strata Cloud Manager) administrators can immediately notify end users through the Access Experience User Interface (UI) when an end user uploads, downloads, or posts content that is blocked by Enterprise Data Loss Prevention (E-DLP). End user notifications are configured using the User Coaching Notification Template created on Strata Cloud Manager and are associated with a DLP rule for both File-Based and Non-File Based traffic. The notification template allows you to fully customize the message to be displayed in the notification and supports variables to dynamically fill in DLP incident information based on the file name, traffic direction, application, and action. After an Enterprise DLP incident is generated, the end user who generated the incident can view the Data Security notification to view more details about current and past notifications.