New NetSec Platform Features on Strata Cloud Manager (May 2026)

See all the new features made available for Strata Cloud Manager in May 2026.
These new features follow the Strata Cloud Manager release model of continuous feature deployment; as they're ready, we make them available to ensure the latest support for all products and subscriptions across the NetSec platform. There's no Strata Cloud Manager upgrade or management version requirement associated with these features; however, check if they have version or license dependencies associated with other parts of the NetSec platform (like a cloud-delivered security service subscription, or a Prisma Access version, for example).

IP Capacity Planning in Strata Cloud Manager Onboarding

May 1, 2026
Supported for:
  • Strata Cloud Manager
IP capacity planning streamlines the Prisma Access tenant onboarding process by automating and simplifying egress IP address capacity planning for Mobile Users—GlobalProtect deployments. You can quickly allocate egress IP addresses for your mobile users based on the location and number of mobile users, significantly reducing the time it takes to allow list the public IP addresses in your network. You can use the workflow to add locations individually or through bulk upload and to visualize your global deployment on an interactive map, and the workflow automatically suggests optimal Prisma® Access locations based on your input. You can easily review and adjust these recommendations, ensuring that your deployment aligns with your specific needs.
IP capacity planning is now integrated with the Strata Cloud Manager onboarding flow. For more information, see Configuration: Onboarding with Strata Cloud Manager.

Standardized IKEv2 Support for GlobalProtect

May 1, 2026
Supported for:
  • Strata Cloud Manager
To help federal and government agencies meet their compliance requirements, GlobalProtect® gateways now support standardized Internet Key Exchange version 2 (IKEv2). Standardized IKEv2 provides a more efficient connection process by using a four-message exchange instead of the eight messages required by IKEv1. This implementation includes built-in Network Address Translation (NAT) Traversal using UDP encapsulation on port 4500 and built-in health checks that automatically re-establish tunnels if a connection is interrupted. In addition, IKEv2 enhances resiliency against denial-of-service (DoS) attacks through improved peer validation before the system performs heavy cryptographic tasks.
For information on how to enable IKEv2 on a GlobalProtect gateway, see Configure a GlobalProtect Gateway.
GlobalProtect gateways now support the IKEv2 protocol on NGFW managed by Strata Cloud Manager.

PPPoE Support for IPv4 Sub-interfaces

May 22, 2026
Supported for:
  • Strata Cloud Manager
To resolve the fragmented workflows and configuration drift caused by managing device-level internet service provider (ISP) settings, you can now configure Point-to-Point Protocol over Ethernet (PPPoE) for Layer 3 sub-interfaces centrally. This feature allows you to provision authentication credentials and specific routing metrics for connections delivered over an 802.1Q VLAN directly from a single management interface.
Manage usernames, passwords, and advanced settings—including PAP, CHAP, or auto select CHAP or PAP authentication methods, passive mode, and custom default route metrics—for your hardware and VM-Series firewalls. By supporting static address requests and access concentrator specifications, this enhancement ensures your Next-Generation Firewalls can negotiate secure connections with diverse ISP infrastructure while maintaining a unified security policy.
Centralizing these networking functions simplifies the onboarding of branch and remote locations by integrating network processing with security policy management. This approach reduces operational overhead and strengthens your overall security architecture by providing a single source of truth for critical interface configurations across your entire hybrid network environment.

High Availability Active/Passive Support for PA-5500 and PA-7500 Series Firewalls

May 22, 2026
Supported for:
  • Strata Cloud Manager
You can now deploy traditional High Availability active/passive configurations on PA-5500 Series and PA-7500 firewalls (Generation 5 hardware platform). This capability addresses a critical gap for users who require active/passive failover solutions but cannot use NGFW clustering on these advanced platforms. When you configure traditional HA active/passive on these firewalls, you maintain similar configuration workflows and operational behaviors that you rely on with legacy HA deployments across other Palo Alto Networks platforms.
Unlike clustering where all members actively forward traffic, HA active/passive mode maintains the traditional model where only the active device processes traffic while the passive device remains in standby, ready to assume the active role during a failover event. You benefit from this approach when you need redundancy without the complexity of traffic distribution across multiple active devices, and when your deployment priorities focus on maintaining existing operational procedures rather than scaling throughput.
In HA active/passive mode, the PA-5500 Series and PA-7500 firewalls must use the High Speed Chassis Interconnect (HSCI) to connect the two chassis. The HSCI interfaces aggregate both HA1 and HA2 functions: session synchronization and configuration synchronization. The HSCI-A is the primary interface, whereas HSCI-B can be configured as a backup interface. You can configure this solution without requiring Panorama management, maintaining the same configuration and state synchronization capabilities that exist in current-generation platforms while providing the reliability and performance characteristics of the Generation 5 architecture.
The HA active/passive capability ensures you can migrate to newer hardware platforms without redesigning your high availability architecture, while still gaining access to the enhanced performance and feature capabilities that Generation 5 platforms deliver. This approach particularly suits environments where you require the processing power of modern hardware but must maintain the operational simplicity and predictable behavior patterns of traditional active/passive high availability configurations.

IoT Device-ID Based Policies Support for Mobile Users

May 1, 2026
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
Prisma Access extends the use of third-party Device-ID to include mobile users. You can create new Device-ID based Security policies specific to mobile users, or extend existing Device-ID based Security policies for remote networks to include mobile users. Use the Cloud Identity Engine along with Prisma Access to learn about IoT devices from third-party IoT detection sources or from Device Security. You can create Device-ID objects from the information you learn, and apply those Device-ID objects to Security policy rules for access and control for mobile users in the same way you can for remote networks.

Enterprise DLP Inspection of WebSocket Traffic

May 1, 2026
Supported for:
  • NGFW (Managed by Strata Cloud Manager)
Enterprise Data Loss Prevention (E-DLP) supports the inspection of data in transit that is not part of a formal file upload. This non-file traffic inspection helps prevent the exfiltration of sensitive data through collaboration applications, web forms, cloud applications, and social media. However, this non-file traffic inspection is designed for transactional web traffic (HTTP/HTTPS), where the client and server exchange data in discrete, request-response cycles. In contrast, a WebSocket connection provides a persistent, bidirectional data stream over a single connection, allowing for continuous communication without the overhead of individual request-response cycles. While a WebSocket connection can provide better performance for real-time applications, it introduces unique security challenges for preventing data loss. These challenges exist because the persistent nature of the connection allows data to flow continuously rather than in distinct bursts, and can bypass traditional traffic-inspection methods.
To address these challenges, Enterprise DLP has expanded its non-file support to include inspection of WebSocket traffic. This capability allows the detection engine to examine WebSocket persistent streams in real time to identify sensitive patterns previously hidden within the open connection. Enterprise DLP supports WebSocket inspection for the following widely adopted applications that rely heavily on streaming data:
  • Microsoft Copilot
  • Perplexity
You can enable WebSocket inspection by editing the Enterprise DLP data filtering settings.
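The inspection gap described above can be reproduced with a few constructed frames. This Python sketch is an added example, not Palo Alto Networks code and not a description of how Enterprise DLP is implemented; the SSN-shaped pattern, the sample frames, and every function name are assumptions made for illustration. It parses RFC 6455 frames and compares scanning each frame in isolation with scanning the payloads of one direction as a continuous stream.

```python
import re

# Constructed stand-in for a DLP data pattern: a US SSN-shaped identifier.
SSN = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")
KEEP = 12                       # longest match (11 bytes) plus one byte of left context
DATA_OPCODES = (0x0, 0x1, 0x2)  # continuation, text, binary (RFC 6455)


def build_frame(payload, opcode, fin, key):
    """Build a masked client-to-server frame; payloads under 64 KiB only."""
    n = len(payload)
    head = bytes([(0x80 if fin else 0) | opcode])
    head += bytes([0x80 | n]) if n < 126 else bytes([0x80 | 126]) + n.to_bytes(2, "big")
    return head + key + bytes(b ^ key[i % 4] for i, b in enumerate(payload))


def parse_frames(buf):
    """Yield (fin, opcode, unmasked payload) for every complete frame in buf."""
    pos = 0
    while pos + 2 <= len(buf):
        b0, b1 = buf[pos], buf[pos + 1]
        n, masked = b1 & 0x7F, bool(b1 & 0x80)
        ext = {126: 2, 127: 8}.get(n, 0)        # extended length field size
        hdr = 2 + ext + (4 if masked else 0)
        if pos + hdr > len(buf):
            return                              # truncated header
        if ext:
            n = int.from_bytes(buf[pos + 2:pos + 2 + ext], "big")
        if pos + hdr + n > len(buf):
            return                              # truncated payload
        data = buf[pos + hdr:pos + hdr + n]
        if masked:
            key = buf[pos + hdr - 4:pos + hdr]
            data = bytes(b ^ key[i % 4] for i, b in enumerate(data))
        yield bool(b0 & 0x80), b0 & 0x0F, data
        pos += hdr + n


def scan_per_frame(frames):
    """Transactional-style inspection: every data frame is scanned in isolation."""
    return [m.group() for _, op, d in frames if op in DATA_OPCODES
            for m in SSN.finditer(d)]


class StreamScanner:
    """Scans one direction of a connection as a continuous byte stream."""

    def __init__(self):
        self.tail, self.base, self.hits = b"", 0, []  # base = stream offset of tail[0]

    def feed(self, data, final=False):
        window = self.tail + data
        for m in SSN.finditer(window):
            if m.end() == len(window) and not final:
                continue   # right boundary unknown until more bytes arrive
            if m.start() == 0 and self.base > 0:
                continue   # left context was trimmed; judged on an earlier feed
            hit = (self.base + m.start(), m.group())
            if hit not in self.hits:
                self.hits.append(hit)
        self.base += max(0, len(window) - KEEP)
        self.tail = window[-KEEP:]


def demo():
    key = b"\x11\x22\x33\x44"                             # constructed masking key
    wire = (build_frame(b"ssn 123-45", 0x1, False, key)   # first fragment
            + build_frame(b"", 0x9, True, key)            # ping between fragments
            + build_frame(b"-6789 ok", 0x0, True, key))   # final fragment
    frames = list(parse_frames(wire))
    scanner = StreamScanner()
    for _, op, data in frames:
        if op in DATA_OPCODES:
            scanner.feed(data)
    scanner.feed(b"", final=True)
    return scan_per_frame(frames), scanner.hits
```

`demo()` returns an empty per-frame result and one stream hit at offset 4, because the pattern only exists once the two fragments are joined. The scanner holds back a match that ends exactly at the buffer edge until the next bytes arrive, so a longer digit run is not reported as a hit.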

MDM Posture Checks for Prisma Access Agent

May 22, 2026
Supported for:
  • Strata Cloud Manager Managed Prisma Access
Organizations that manage device compliance through a mobile device management (MDM) solution such as Microsoft Intune or Jamf can now use that compliance status to control whether the Prisma® Access Agent is authorized to establish a tunnel to Prisma Access, closing a gap where the Host Information Profile (HIP) lacked the fields needed to fully assess device compliance and required customers to maintain MDM as a separate, unsynchronized source of truth.
When a device is not enrolled in or is out of compliance with your MDM policies, the Prisma Access Agent blocks tunnel establishment and notifies the user that the device is not compliant. You connect your MDM tenant to Strata Cloud Manager and enable compliance enforcement in your agent configuration. Each time the agent requests gateway configurations, Prisma Access queries your MDM tenant using the device serial number and returns either the gateway configuration or a compliance failure that causes the agent to tear down any active tunnel and prevent reconnection. This gives your security team a single source of truth for device compliance rather than maintaining parallel policies across MDM and HIP. The initial phase supports Microsoft Intune with Windows devices managed by Strata Cloud Manager.

Network Packet Broker

May 1, 2026
Supported for:
  • Strata Cloud Manager
Many high-security organizations use several third-party tools to inspect network traffic. These teams often struggle to send all traffic—including encrypted and clear text data—through these security chains efficiently. Network Packet Broker solves this by allowing you to selectively forward traffic to third-party appliances for extra inspection. You can choose which traffic to forward based on specific criteria like source zones, users, devices, and applications.
This feature simplifies your network by removing the need for dedicated decryption or management devices. You can forward decrypted traffic, encrypted data the firewall does not inspect, and non-TLS traffic like SSH or FTP through your security chain.
The system supports various setups, including active chains for load balancing and passive chains for backup. Built-in health monitoring detects failures and triggers an automatic failover to keep your traffic moving. To help you stay informed, Strata Cloud Manager provides clear visibility through traffic logs. You can easily see which sessions went to the security chain and view detailed performance statistics to ensure your security stack is running effectively.

Override Inherited Objects in Strata Cloud Manager

May 1, 2026
Supported for:
  • NGFW (Managed by Strata Cloud Manager)
When managing large-scale network deployments across multiple organizational units, you may encounter limitations in how you can structure and inherit configuration profiles within your cloud-managed NGFW folder hierarchy. Previously, you could not define crypto profiles, certificates, and interface management settings at a global level and then reference or override them at child folder levels, which restricted your ability to implement consistent security policies while maintaining local customization flexibility.
The hierarchical configuration feature for IKE, IPSec, and interface objects addresses this limitation by extending profile inheritance and override capabilities to critical network security components. You can now define IPSec crypto profiles, IKE crypto profiles, pre-shared keys, and local certificates at higher levels in your folder hierarchy and override them in IPSec tunnels and IKE gateways configured at child folder levels. For interface configurations, you can inherit and override management profiles and LLDP profiles across your folder structure for all interface types. This enhancement enables you to establish standardized security profiles at the organizational level while retaining granular control for individual departments or locations.

Persistent Pre-Logon Tunnels for Prisma Access Agent

May 22, 2026
Supported for:
  • Strata Cloud Manager Managed Prisma Access
The Prisma® Access Agent pre-logon device tunnel addresses security gaps when endpoint management depends solely on user login by establishing secure connectivity before user authentication. Previously, pre-logon functionality operated as a separate connection method with limited transition options. The pre-logon tunnel now works with both always-on and on-demand connections, allowing you to manage device and user connectivity independently.
You can now configure authentication profiles to support both SAML and certificate authentication. The agent uses device certificates during pre-logon state and applies your chosen authentication methods after users log into the operating system. The agent seamlessly transitions from device tunnel to user session by reusing the existing tunnel connection, ensuring uninterrupted connectivity without packet loss.
You control post-login behavior by configuring whether the device tunnel disconnects immediately upon OS login, within a specified timeout period, or persists until user authentication completes. Persistent mode ensures continuous endpoint connectivity and enables you to manage unattended systems, resolve remote password lockouts, deploy critical patches immediately upon boot, and support remote onboarding workflows.

TLSv1.3 Support for Authentication Portal

May 1, 2026
Supported for:
  • NGFW (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Strata Cloud Manager)
Authentication Portal now supports TLSv1.3 to ensure that redirected web traffic complies with modern security standards. TLSv1.3 supports only secure cipher suites and provides faster connection speeds than TLSv1.2. It is also a prerequisite for enabling post-quantum cryptography (PQC) and hybrid-PQC algorithms. You can apply an SSL/TLS service profile that supports TLSv1.3 or PQC-TLSv1.3 to your Authentication Portal configuration. When a user must be authenticated, the firewall prioritizes TLSv1.3 to secure the redirection to the Authentication Portal. Users benefit from a more seamless and secure authentication experience when this service uses TLSv1.3.

Fastly® Support for the EDL Hosting Service

May 1, 2026
Supported for:
  • Strata Cloud Manager
  • NGFW
Palo Alto Networks now provides support for newly added endpoints published by Fastly® as part of the continuous expansion of the EDL (External Dynamic List) Hosting Service.

Granular Controls for Remote Browser Isolation Banners

May 1, 2026
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
To ensure security notifications are informative without being disruptive, Remote Browser Isolation (RBI) allows you to customize the banner’s content, appearance, and behavior for both desktop and mobile views. Whether you need a persistent high-visibility warning for risky sites or a subtle, timed notification for standard workflows, these granular controls adapt to your specific use cases. This capability also allows the customization of the Floating Action Button (FAB), giving you control over which browser actions are available to users in each session. Key customization features include:
  • Custom Text and Branding - Override global settings to provide context-specific messaging and meet your organization’s branding requirements.
  • Visibility Controls - Define whether the banner is persistent, timed, or set to disappear after the set duration.
  • Actionable Elements - Choose which controls (like "Report an Issue" or "View Downloads") are visible on the banner or within the associated Floating Action Button (FAB).
  • Visual Positioning - Adjust the placement or styling of the banner to ensure it does not interfere with critical web application UI elements.

Virtual Wire Subinterfaces in Strata Cloud Manager

May 1, 2026
Supported for:
  • NGFW (Managed by Strata Cloud Manager)
When you need to enforce distinct security policies for different networks or departments on the same physical connection, a standard virtual wire can limit your ability to separate the traffic. Strata Cloud Manager now supports virtual wire subinterfaces, allowing you to logically divide your physical ports and classify traffic into different security zones without assigning MAC or IP addresses to the interfaces.
You can classify this incoming traffic based on VLAN tags, or a combination of a VLAN tag and an IP classifier like a specific address, range, or subnet. This feature allows you to integrate a firewall into an existing network and enforce specific security policies for different segments of traffic while acting as a pass-through link. By configuring virtual wire subinterfaces, you avoid the need to redesign your network, reconfigure surrounding network devices, or introduce complex routing while still gaining granular policy control over your tagged traffic.

Per-tenant EDL Hosting

May 1, 2026
Supported for:
  • NGFW (Managed by Strata Cloud Manager)
The Custom EDL Hosting Service in Strata Cloud Manager centralizes management and hosting of proprietary External Dynamic Lists (EDLs). This new capability eliminates operational overhead and security risks associated with self-hosted web servers, providing a secure, scalable, and integrated solution for dynamic policy enforcement. It aggregates threat intelligence from diverse sources, including Git repositories, API endpoints, and file uploads, into validated lists, ensuring efficient processing and global distribution to your Palo Alto Networks firewalls.

Strata Copilot: Clarify First for AI Canvas

May 18, 2026
Supported for:
  • Strata Cloud Manager
Natural language queries in Strata™ Cloud Manager AI Canvas are powerful, but broad prompts—like "show me top users with high bandwidth"—can produce visualizations that miss your intent. A single query can map to dozens of valid interpretations: total bytes transferred versus bytes sent or received, different time windows, source users versus destination users. Until now, discovering the mismatch meant waiting for a widget to generate and then re-prompting. Clarify First eliminates that cycle by making the model a conversational partner from the moment you enter a query.
With Clarify First, Strata Copilot acts as a conversational partner during widget creation. Rather than immediately executing a query, it asks a targeted clarifying question and offers suggested refinements to resolve the key ambiguity. Once you confirm a direction, Strata Copilot presents a transparent Proposed Plan—including the exact executing prompt, data sources, query code, and chart type—before fetching any data. The resulting widget also retains the full plan in a details panel, giving you a permanent record of what was run and why the data looks the way it does.
Clarify First is available in beta for Strata Cloud Manager Pro subscribers and applies to all natural language widget creation in AI Canvas. The three-stage approach (clarifying question, Proposed Plan review, and final approval) adds intentionality to every widget you build, so the data you see reflects the question you actually meant to ask.

Strata Copilot: Summarizer for AI Canvas

May 18, 2026
Supported for:
  • Strata Cloud Manager
Reading through multiple widgets in Strata™ Cloud Manager AI Canvas and connecting patterns across them takes time and expertise—Summarizer eliminates that effort by generating instant AI-powered narratives at every level of your canvas. When you open the Summarizer panel, it automatically produces a canvas-wide AI Summary describing the data across all your widgets, along with a Highlighted Insights section that flags notable trends in your recent data.
Summarizer works at three levels. A canvas overview covers all widgets at once, including the data sources queried and key patterns observed. A widget-level breakdown focuses on a single visualization with targeted insights specific to that data. A data-point drill-down produces a forensic summary for any individual value in a chart—including the underlying query code, a link to the matching logs in Log Viewer, and related canvases under Other Relevant Views.
Throughout your session, Summarizer suggests follow-up prompts to guide your investigation, and you can enter your own prompts at any time to continue exploring specific findings. Summarizer is available in beta to Strata Cloud Manager Pro subscribers and applies to all canvases in AI Canvas.

Support for Legacy Data Filtering

May 1, 2026
Supported for:
  • Strata Cloud Manager
Strata Cloud Manager now supports Legacy Data Filtering, allowing you to configure Data Filtering Profiles and Data Patterns directly within the platform. This update centralizes data security management, enabling you to define various data patterns and group them into inheritable profiles for granular policy enforcement. This resolves a previous operational limitation, enhancing your ability to protect sensitive information across your network.

VM-Series to Prisma AIRS Migration

May 1, 2026
Supported for:
  • NGFW (Managed by Strata Cloud Manager)
The new virtual firewall deployment profile allows you to seamlessly migrate your VM-Series instances to modern Prisma AIRS instances, which have additional capabilities like LLM traffic protection and advanced networking features like microperimeter, HSF, and container.

Tenant Control Enhancements for Internet Access Policies

May 1, 2026
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
To resolve unexpected blocking of legitimate traffic, you can now use updated tenant control logic within your Strata Cloud Manager Internet Access Policies to correctly evaluate application-based matches. This capability allows you to enforce granular access controls, such as permitting specific functions for sanctioned SaaS tenants while blocking access to unsanctioned instances, without disrupting expected traffic behavior.
By automatically generating distinct custom App-ID™ signatures that account for both tenant identity and permitted functions, you ensure all session transactions evaluate against the correct policy. Furthermore, you can apply different data loss prevention profiles per tenant rule directly within your application policies to maintain strict control over your data handling when configuring your Internet Access Policies.