New Strata Cloud Manager Management Features (May 2025)

Here are the new configuration management features we've added to Strata Cloud Manager in May 2025. We use a scheduled upgrade to deliver these features to you, and they are supported with the Cloud Manager 2025.R3.0 release version. Check your Strata Cloud Manager in-product notifications for updates on the release upgrade schedule. You can verify which Strata Cloud Manager release version you're running by navigating to your configuration overview and checking the Cloud Management Version.

Strata Cloud Manager: New Best Practice Assessment Checks and Custom Checks

May 16, 2025
Supported on Strata Cloud Manager for:
Strata Cloud Manager introduces the following new checks:
  • Custom checks include support for verifying subnet matches within IP address objects and groups.
  • Inline Best Practices Assessment (BPA) supports all the configuration objects in Strata Cloud Manager.
  • A BPA check supports verifying whether a vulnerability protection security profile is applied to the GlobalProtect interface to protect the GlobalProtect services from attacks using published product security vulnerabilities.
Strata Cloud Manager lets you validate your configuration against predefined Best Practices and custom checks you create based on the needs of your organization. As you make changes to your service routes, connection settings, allowed services, and administrative access settings for the management and auxiliary interfaces for your firewalls, Strata Cloud Manager gives you assessment results inline so you can take immediate corrective action when necessary. This eliminates problems that misalignments with best practices can introduce, such as conflicts and security gaps.
Inline checks let you:
  • Gauge the effectiveness of, assess the impact of, and validate changes you make to your configuration using inline assessment results.
  • Prioritize and perform remediations based on the recommendations from the inline assessment.

Strata Cloud Manager: Config Cleanup Enhancements

May 16, 2025
Supported on Strata Cloud Manager for:
  • NGFW, including those funded by Software NGFW Credits (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Strata Cloud Manager)
Here are the enhancements for Config Cleanup:
  • Role-Based Access Control (RBAC): Access to Config Cleanup operations is governed by RBAC, allowing you to view either the Admin View or the User View based on your assigned role.
  • Unified Filtering Experience: Seamless navigation with consistent filter dropdowns and text across the Unused Objects, Zero Hit Objects, and Zero Hit Policy Rules pages.
  • Advanced Filtering Options: Use the new filter ranges (30+ Days, 60+ Days, 90+ Days) and a customizable option for precise data view control.
  • Dynamic Zero Hit Object Calculation: Filters now recalculate Zero Hit Objects based on “Days with Zero Hits” in real time, providing more relevant information.
  • Streamlined Rule Details: Explore Zero Hit Objects Rule details in a single-table sidecar for improved clarity and easier data interpretation.
These enhancements offer improved usability and more precise control over your configuration cleanup process.
Do dynamic business needs often require you to deal with rapid configuration changes that result in complex configurations with a number of zero hit rules, zero hit objects, unused objects, and duplicate objects? Such configurations can lead to a poor security posture and can inadvertently increase the attack surface of your network. Config Cleanup has you covered.
Config Cleanup gives you a comprehensive view of all policy rules that have no hits, objects that aren't referenced directly or indirectly in your configuration, objects that are referenced in a policy rule but have no hits in the Traffic log during the specified time frame, and objects of the same type that have different names but the same values, so that you can better:
  • Manage attack surface exposure
  • Prioritize remediation actions
  • Remediate over time
  • Respond to audit questions when they arise
Identify and remove unused configuration objects and policy rules from your configuration. Removing unused configuration objects eases administration by removing clutter and preserving only the configuration objects that are required for security enforcement.
Review unused objects and policy rules across your entire Strata Cloud Manager configuration for the last 6 months, and convert overly permissive policy rules to more specific, focused rules that only allow the applications you’re actually using.
Together with Policy Optimizer, these tools help you ensure that your policy rules stay fresh and up to date.
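The four Config Cleanup categories described above can be reproduced offline against a configuration snapshot. This is an added example, not Palo Alto Networks code and not a Strata Cloud Manager API; the data layout, object names and hit counts are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (hypothetical layout, not a Strata Cloud Manager export).
OBJECTS = {
    "web-srv":    {"type": "address", "value": "10.0.1.10/32"},
    "web-server": {"type": "address", "value": "10.0.1.10/32"},  # same value, other name
    "db-srv":     {"type": "address", "value": "10.0.2.20/32"},
    "old-lab":    {"type": "address", "value": "10.9.9.0/24"},
    "dmz-group":  {"type": "group", "members": ["web-srv", "db-srv"]},
}
RULES = [
    {"name": "allow-web",    "refs": ["dmz-group"],  "hits": 1200},
    {"name": "allow-legacy", "refs": ["web-server"], "hits": 0},
]
# Traffic log hit counts per object for the chosen time frame (constructed).
OBJECT_HITS = {"web-srv": 1200, "dmz-group": 1200}


def referenced(objects, rules):
    """Objects reachable from any rule, following group membership (indirect refs)."""
    seen, stack = set(), [ref for rule in rules for ref in rule["refs"]]
    while stack:
        name = stack.pop()
        if name in seen or name not in objects:
            continue
        seen.add(name)
        stack.extend(objects[name].get("members", []))
    return seen


def cleanup_report(objects, rules, object_hits):
    """Classify rules and objects into the four cleanup categories."""
    used = referenced(objects, rules)
    by_value = defaultdict(list)
    for name, obj in objects.items():
        if "value" in obj:  # groups carry members, not a value
            by_value[(obj["type"], obj["value"])].append(name)
    return {
        "zero_hit_rules": sorted(r["name"] for r in rules if r["hits"] == 0),
        "unused_objects": sorted(set(objects) - used),
        "zero_hit_objects": sorted(n for n in used if object_hits.get(n, 0) == 0),
        "duplicate_objects": sorted(sorted(v) for v in by_value.values() if len(v) > 1),
    }


if __name__ == "__main__":
    for category, names in cleanup_report(OBJECTS, RULES, OBJECT_HITS).items():
        print(category, names)
```

An object that is only a member of a referenced group counts as used, which is why `old-lab` is the only unused object in this sample.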

Strata Cloud Manager: Policy Optimizer Enhancements

May 16, 2025
Supported on Strata Cloud Manager for:
  • NGFW, including those funded by Software NGFW Credits (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Strata Cloud Manager)
Policy Optimizer now allows you to create address groups within policy recommendations, addressing challenges in efficiently managing firewall policies at scale. You can create source and destination address groups within recommended rules, allowing you to adjust and preview suggested groups before accepting recommendations. These enhancements streamline the process of optimizing firewall policies, helping you balance security and operational efficiency as your network grows.
Hone and optimize overly permissive security rules so that they only allow the traffic that is actually in use in your network. Rules that are too broad introduce security gaps because they allow applications that are not in use in your network. Policy Optimizer enables you to convert these overly permissive rules to more specific, focused rules that only allow the applications you’re actually using.
Strata Cloud Manager analyzes log data and categorizes rules as overly permissive when they allow any application traffic and are at least 15 days old. These rules can introduce security loopholes if they’re allowing traffic that’s not necessary for enterprise use.
For rules identified as overly permissive, Strata Cloud Manager auto-generates recommendations you can accept to optimize the rule. The new, recommended rules are more specific and targeted than the original rule; they explicitly allow only the applications that have been detected in your network in the last 90 days.
Select an overly permissive rule to review, adjust, and accept optimization recommendations. Replacing these rules with the more specific, recommended rules strengthens your security posture. You can choose to accept some or all of the rule recommendations. Accepting recommendations to optimize a rule does not remove the original rule. The original rule remains listed below the new rules in your Security policy; this is so you can monitor the rule, and remove it when you’re confident that it’s not needed. Both the original rule and optimized rules are tagged so you can easily identify them in your Security policy.
Together with Config Cleanup, these tools help you ensure that your policy rules stay fresh and up to date.
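The selection and replacement logic described in this section (any-application rules at least 15 days old, recommendations built from applications seen in the last 90 days, original rule kept below the new ones) can be modelled as follows. This is an added example, not Palo Alto Networks code; the rule and log layout, the rule names and the tag values `optimized` and `original` are constructed assumptions.

```python
from datetime import date, timedelta

MIN_RULE_AGE_DAYS = 15   # from the text: rule must be at least 15 days old
LOOKBACK_DAYS = 90       # from the text: applications detected in the last 90 days
TODAY = date(2025, 5, 16)  # fixed so the example is deterministic

# Constructed sample rulebase and traffic log (hypothetical layout).
RULES = [
    {"name": "branch-out", "application": "any", "created": date(2025, 1, 10), "tags": []},
    {"name": "new-any",    "application": "any", "created": date(2025, 5, 10), "tags": []},
    {"name": "dns-only",   "application": "dns", "created": date(2024, 11, 1), "tags": []},
]
LOGS = [  # (rule name, application, date seen)
    ("branch-out", "ssl", date(2025, 5, 1)),
    ("branch-out", "dns", date(2025, 4, 20)),
    ("branch-out", "ftp", date(2025, 1, 15)),  # outside the 90-day window
    ("new-any",    "ssl", date(2025, 5, 12)),
]


def is_overly_permissive(rule, today=TODAY):
    """True for any-application rules that are old enough to be assessed."""
    age_days = (today - rule["created"]).days
    return rule["application"] == "any" and age_days >= MIN_RULE_AGE_DAYS


def optimize(rules, logs, today=TODAY):
    """Return a new rulebase with specific rules inserted above each broad rule."""
    cutoff = today - timedelta(days=LOOKBACK_DAYS)
    result = []
    for rule in rules:
        if is_overly_permissive(rule, today):
            apps = sorted({app for name, app, seen in logs
                           if name == rule["name"] and seen >= cutoff})
            for app in apps:
                result.append({**rule, "name": f"{rule['name']}-{app}",
                               "application": app, "tags": ["optimized"]})
            if apps:  # keep the original below the new rules, tagged for monitoring
                rule = {**rule, "tags": rule["tags"] + ["original"]}
        result.append(rule)
    return result


if __name__ == "__main__":
    for r in optimize(RULES, LOGS):
        print(r["name"], r["application"], r["tags"])
```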

Strata Cloud Manager: IPv4 Multicast Routing Support

May 16, 2025
Supported for: NGFW (Managed by Strata Cloud Manager)
Strata Cloud Manager (SCM) now enables you to configure IPv4 multicast routing on virtual routers and logical routers. You can enable Protocol-Independent Multicast (PIM), Internet Group Management Protocol (IGMP), and Multicast Source Discovery Protocol (MSDP) on supported interfaces. Additionally, SCM enables you to configure PIM Interface Timer profiles, MSDP Timer profiles, and IGMP Interface Query profiles. You can also create IPv4 mroutes, which are static unicast routes that point to a multicast source. Logical routers support only IGMPv2 and IGMPv3 (not IGMPv1). Only logical routers support a multicast static group (virtual routers do not).

Enhanced Visibility for ZTP Onboarding

May 16, 2025
Supported for: NGFW (Managed by Strata Cloud Manager)
Enhanced onboarding and bootstrapping visibility for Strata Cloud Manager improves the NGFW activation process for branch locations, providing visibility and troubleshooting capabilities. This feature addresses the challenges faced by installers with minimal technical knowledge who are responsible for onboarding firewalls. Enhanced visibility for onboarding and bootstrapping offers real-time status updates to administrators throughout the process.
With enhanced visibility for onboarding and bootstrapping, you can monitor the detailed bootup status, including the license download, content upgrade, software upgrade, and configuration push. The feature introduces status bars that reflect the progress of each stage, ensuring you have a clear understanding of the activation process. In case of any interruptions or errors, such as issues with device certificates, TSG ID validation, software updates, or content updates, the bootstrap status indicates where the process failed and allows you to immediately restart.

Strata Cloud Manager: Configuration Management Support by Region

May 16, 2025
Supported on:
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
Strata Cloud Manager now supports the following additional regions:
  • Saudi Arabia
  • Israel
  • Indonesia
Strata Cloud Manager for Configuration Management is a solution that is defined and controlled based on the region where it is deployed. You can deploy Strata Cloud Manager in the locations of your choosing, based on data location preferences and where you have the most users. For this reason, we are rolling out region-specific support for Strata Cloud Manager as soon as we are able to do so for each region.

Enhanced UI for Security Policy Rules and Software Update Schedules

May 16, 2025
Supported on Strata Cloud Manager
Strata Cloud Manager introduces a set of user interface improvements designed to make policy and device management more intuitive and efficient. These updates focus on simplifying workflows, improving data visibility, and enhancing the overall user experience.
  • New security policy rules can now be inserted right after a selected rule, instead of always being added to the end of the list, simplifying the organization and management of rules.
  • The NGFW software update schedules now feature pagination with clearly defined column headings, improving both clarity and performance when handling large datasets. In addition, the device details for each schedule now open in a sidebar instead of expanding within the table, allowing users to view details without losing context or disrupting the table structure.