Strata Cloud Manager
New Features in November 2024
Here are the new features available in Strata Cloud Manager in November 2024. The
features listed here are highlights for the products supported with Strata Cloud
Manager. For the full list of new features for a product you use with Strata Cloud
Manager, see the release notes for that product.
Autonomous Digital Experience Management (ADEM): Specific SD-WAN Path Monitoring
November 22, 2024
Supported for:
Previously, your synthetic application tests in Autonomous DEM probed all
possible network paths to an application. This often skewed your application
experience scores with irrelevant data from unused paths, making it difficult and
time-consuming to troubleshoot performance issues.
If you have configured Prisma SD-WAN path policy rules for your remote
sites, you can now specify that your synthetic application tests probe a
particular SD-WAN path. This allows you to test the exact path your user traffic
actually follows, eliminating irrelevant data from your analysis.
Focusing on these active paths provides an application experience score that
accurately reflects real-world user experience. This precision helps you resolve
issues faster, make better-informed decisions to improve application performance,
and significantly lower your mean time to resolution.
Strata Cloud Manager: Policy Optimizer Enhancements
November 18, 2024
Supported on Strata Cloud Manager for:
Here are the Policy Optimizer enhancements:
Overly permissive security rules—such as those allowing "any" application traffic—are
common in large networks. They create security gaps by enabling unused applications and
unnecessarily increasing the attack surface. Manual review and optimization of these
broad rules require extensive log analysis and introduce deployment risk. Strata
Cloud Manager introduces Policy Optimizer, which analyzes log data to identify overly
permissive security rules. Policy Optimizer auto-generates specific,
focused rule recommendations based only on the applications actively observed on
your network. This capability eliminates the need for manual log analysis,
strengthens your security posture, and reduces administrative overhead.
Administrators receive actionable, auto-generated optimization recommendations that
can be reviewed and accepted through a guided workflow, ensuring that rule
consolidation and replacement are secure and policy integrity is maintained.
Together with Config Cleanup, these tools help you
ensure that your policy rules stay fresh and up to date.
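To make the recommendation logic concrete, here is an added example that is not Strata Cloud Manager code and does not use its log format. It groups constructed traffic-log entries by the rule that allowed them, collects the applications actually observed, and proposes a replacement rule scoped to that set; a rule allowing "any" that saw no traffic at all is flagged for review instead. The `SecurityRule` fields, the log entry keys and the rule names are assumptions made for the example.

```python
"""Tighten overly permissive 'any'-application rules from observed traffic.

Added illustration of the approach described in the release note: map traffic
log entries back to the rule that allowed them, collect the applications that
were actually seen, and propose a replacement rule limited to that set.
Sample rules and log entries are constructed; this is not product code.
"""
from collections import defaultdict
from dataclasses import dataclass, replace


@dataclass
class SecurityRule:
    name: str
    source_zone: str
    dest_zone: str
    applications: tuple  # ("any",) marks an overly permissive rule
    action: str = "allow"


# Constructed traffic log entries: the rule that matched and the App-ID observed
TRAFFIC_LOG = [
    {"rule": "allow-web-any", "app": "web-browsing", "bytes": 10_240},
    {"rule": "allow-web-any", "app": "ssl", "bytes": 204_800},
    {"rule": "allow-web-any", "app": "dns", "bytes": 512},
    {"rule": "allow-web-any", "app": "ssl", "bytes": 90_000},
    {"rule": "allow-dns", "app": "dns", "bytes": 300},
]

# Constructed rulebase: one 'any' rule with traffic, one 'any' rule with none
RULEBASE = [
    SecurityRule("allow-web-any", "trust", "untrust", ("any",)),
    SecurityRule("allow-dns", "trust", "untrust", ("dns",)),
    SecurityRule("allow-ftp-legacy", "trust", "untrust", ("any",)),
]


def observed_apps_by_rule(log_entries):
    """Group the applications seen in the traffic log by the rule that matched."""
    seen = defaultdict(set)
    for entry in log_entries:
        seen[entry["rule"]].add(entry["app"])
    return seen


def recommend(rulebase, log_entries):
    """Return a mapping of rule name -> recommendation for every 'any' rule.

    - 'any' rules that carried traffic: a replacement listing only the observed apps
    - 'any' rules with no traffic at all: flagged for review (Config Cleanup candidate)
    - rules that are already application-specific: no recommendation
    """
    seen = observed_apps_by_rule(log_entries)
    recommendations = {}
    for rule in rulebase:
        if rule.applications != ("any",):
            continue
        apps = seen.get(rule.name)
        if not apps:
            recommendations[rule.name] = {"action": "review-unused", "replacement": None}
            continue
        tightened = replace(rule, applications=tuple(sorted(apps)))
        recommendations[rule.name] = {"action": "replace", "replacement": tightened}
    return recommendations


if __name__ == "__main__":
    for name, rec in recommend(RULEBASE, TRAFFIC_LOG).items():
        apps = rec["replacement"].applications if rec["replacement"] else "-"
        print(f"{name}: {rec['action']} {apps}")
```

The observation window matters in practice: an application that runs only at quarter end will be absent from a short window, which is why the release note stresses that recommendations are reviewed and accepted through a guided workflow rather than applied automatically.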
Strata Cloud Manager: NGFW Support for Configuration APIs
November 15, 2024
Supported on Strata Cloud Manager for:
The Strata Cloud Manager Configuration APIs now support both the Next
Generation Firewall and Cloud Next Generation Firewall platforms. This is in
addition to the already existing support for the Prisma Access (SASE) platform. To
support the additional platforms, the API documentation on pan.dev has a new
organization that includes a Strata Cloud Manager-specific landing page.
The configuration API documentation has also been broken into functional areas and then
organized by platform.
Other major changes include:
- A new FQDN: api.strata.paloaltonetworks.com
- Restructuring of the API paths to support the new API organization.
There are many other changes to the configuration APIs, both to support the new
platforms and to support new functionality. For complete details on this release,
see the Strata Cloud Manager API November 2024 Release Notes.
25,000 Remote Network and 50,000 IKE Gateway Support
November 15, 2024
Supported for:
As enterprise networks expand, the ability to onboard and manage large-scale remote
networks and IKE gateways becomes critical for maintaining performance and security.
To accommodate the capacity increase for Prisma® Access deployments, the Strata
Cloud Manager web interface now provides enhanced tools for navigating and managing
large lists of remote networks and IKE gateways. These improvements, including
advanced filtering, sorting, and grouping options, ensure administrators can quickly
find, manage, and monitor remote networks, IPSec tunnels, and QoS settings, which
significantly improves operational efficiency at scale.
The interface now provides pagination, allowing you to choose how many rows to
display on a given page. A search box has been added, allowing you to find the desired
remote network in the list by typing its Name. You can also group by
compute location. All groups display in a collapsed view, and the page size you
selected applies to the groups. When you select a compute location to expand it, the
view displays based on the page size you selected.
DNS Proxy Customizations
October 15, 2024
Supported for:
Organizations using Explicit Proxy often face challenges integrating their cloud
security with specialized internal network infrastructure, particularly regarding
custom Domain Name Service (DNS) resolution. This limitation can interrupt seamless
access to both public internet applications and critical internal private resources.
Explicit Proxy now expands its capabilities to include comprehensive DNS Proxy
customization, solving this hybrid networking challenge. This feature allows you to
seamlessly integrate regional DNS, custom third-party resolvers, or existing
on-premises DNS infrastructure. By supporting FQDN-based resolution, the solution
ensures that all applications—whether public or privately hosted—are resolved
correctly and securely. This optimization is supported on Panorama Managed Prisma®
Access, delivering a more robust and flexible security posture for hybrid
environments and optimizing the user experience.
Named Configuration Snapshots
November 15, 2024
Supported for:
Save a configuration as a named snapshot in Strata Cloud Manager for
enhanced configuration management and version control. Previously in Strata Cloud
Manager, users were limited to loading only previously pushed configurations that
had been committed to the firewalls. This restriction meant that administrators had
to manually keep track of configuration pushes and timing if they wanted to maintain
access to a known good configuration they could fall back on during troubleshooting
or rollback scenarios.
Now, with the new Config Version Snapshot dashboard,
you can save any in-progress configuration as a named snapshot, providing
unprecedented flexibility in configuration management workflows. Having a named
snapshot capability allows you to preserve specific configuration states that you
can easily load to restore Strata Cloud Manager to a known working state, regardless
of whether that configuration was ever pushed to production firewalls.
The named configuration snapshots feature includes a dedicated management
interface with its own organized table view, where you can assign descriptive
names to each snapshot for easy identification and tracking. This naming
enables teams to maintain clear documentation of configuration milestones, test
states, or backup points. For example, you might save snapshots labeled
"Pre-Migration Baseline," "Security Policy Update v2.1," or "Known Good State - Q4
2024."
When you save a named snapshot, it replaces the current configuration
candidate in your workspace, allowing you to immediately begin working from that
restored state. This functionality is particularly valuable for testing
configuration changes, maintaining configuration templates, or quickly reverting to
stable configurations during incident response scenarios.
Session Browser for Strata Cloud Managed NGFWs
November 15, 2024
Supported for:
To help troubleshoot your cloud managed NGFWs, a Session Browser is now
available in Strata Cloud Manager. The session browser addresses common challenges
faced by security teams who are unable to interface with their NGFWs directly due to
various operational constraints, such as NGFWs not being physically on location,
network connectivity issues, or security policies that restrict direct device
access.
The Session Browser provides real-time visibility into network traffic and
session data, enabling administrators to diagnose issues remotely without requiring
physical presence at the NGFW location. When reviewing session information, you can
leverage advanced filtering capabilities to quickly isolate relevant data by rules,
sources, destinations, or App-ID™. This granular filtering allows for efficient
troubleshooting by narrowing down sessions to specific applications, user groups, or
network segments that may be experiencing issues.
Beyond the core session browsing functionality, this release consolidates
previously scattered troubleshooting capabilities into a
unified experience. The available troubleshooting tools for DNS Proxy, User IP
mapping, User Group configurations, Routing tables, Dynamic User Group membership,
Dynamic Address Group populations, NAT policy evaluation, and External Dynamic Lists
are now accessible through a single dashboard. This consolidation significantly
reduces the time spent navigating between different interfaces and provides a
complete view of your NGFW's operational status.
This feature allows distributed security teams to maintain optimal NGFW
performance and quickly resolve network issues regardless of their physical
proximity to the infrastructure.
Exclude URLs and Apps From Enterprise DLP Inspection for Non-File Based Traffic
November 1, 2024
Supported for:
Managing a complex security policy rulebase and minimizing false positive data loss
prevention incidents requires fine-grained control over network inspection settings.
The Enterprise Data Loss Prevention (E-DLP) Exclude URLs and Apps for Non-File Based
Traffic feature enables your data security administrators to precisely define
traffic inspection exceptions within a DLP rule.
Your data security administrators can now easily exclude certain URLs and apps from
having their non-file based traffic forwarded to Enterprise DLP for inspection.
This exclusion capability is essential for several scenarios. For example, when you
have traffic containing sensitive data destined for specific, trusted URLs and you
want to exclude them from incident reporting, or when you only require file-based
traffic inspection for specific apps but do not need inspection of accompanying
non-file based data. This prevents unnecessary processing and avoids false positive
detections.
By configuring these targeted exclusions using existing Security policy rules, you
significantly ease the operational overhead of managing your policy rulebase,
reducing the total number of policy rules required and improving overall system
efficiency. This allows you to continue enforcing your data loss prevention
requirements only where they are most needed.
Prisma Access Cloud Management Region Support
November 15, 2024
You can now deploy Prisma Access Cloud Management in the
Switzerland region.
Supported on:
Strata Cloud Manager now supports the following additional regions:
Strata Cloud Manager for Configuration Management is a solution that is defined and
controlled based on the region where it is deployed. You can deploy Strata Cloud
Manager in the locations of your choosing, based on data location preferences and
where you have the most users. For this reason, we are rolling out region-specific
support for Strata Cloud Manager as soon as we are able to do so for each region.
Strata Cloud Manager: New Best Practice Assessment Checks and Custom Checks
November 15, 2024
Supported on Strata Cloud Manager for:
Strata Cloud Manager introduces the following checks:
Strata Cloud Manager lets you validate your configuration against
predefined Best Practices and custom checks
you create based on the needs of your organization. As you make changes to your
service routes, connection settings, allowed services, and administrative access
settings for the management and auxiliary interfaces for your firewalls, Strata
Cloud Manager gives you assessment results inline so you can take immediate
corrective action when necessary. This eliminates problems that misalignments with
best practices can introduce, such as conflicts and security gaps.
Inline checks let you:
- Gauge the effectiveness of, assess the impact of, and validate changes you make to your configuration using inline assessment results.
- Prioritize and perform remediations based on the recommendations from the inline assessment.
Strata Cloud Manager: Policy Analyzer for Strata Cloud Manager Deployments
November 15, 2024
Supported on Strata Cloud Manager for:
Policy Analyzer now supports NGFWs and Prisma Access deployments managed by Strata
Cloud Manager.
Time-sensitive security policy changes carry the high risk of introducing errors,
misconfigurations, or conflicts into the rulebase, requiring slow and complex manual
audit processes. Policy integrity is difficult to maintain at scale, leading to
decreased performance and potential security gaps. Strata Cloud Manager introduces
Policy Analyzer, enabling administrators to optimize time and resources when
implementing any change request. Policy Analyzer provides immediate,
automated analysis of the security rulebase to ensure policy updates meet defined
intent and technical requirements. It proactively checks for anomalies, such as
Shadows, Redundancies, Generalizations, Correlations, and Consolidations, that
otherwise require labor-intensive manual checking. By identifying conflicting or
duplicate rules before deployment, Policy Analyzer streamlines change management,
reduces the risk of misconfiguration, and ensures the continued performance and
integrity of your network security posture.
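The anomaly classes named above (Shadows, Redundancies, Generalizations, Correlations, Consolidations) follow from how the match fields of an earlier rule and a later rule relate. The added example below, which is not Policy Analyzer's own code, models each match field as a set of literal values with "any" as the universal set and classifies every ordered pair of rules in a constructed rulebase. The rule names, the three-field match model and the exact classification criteria are assumptions made for the example; real address, user and service matching is considerably richer.

```python
"""Rulebase anomaly detection: shadows, redundancies, generalizations,
correlations and consolidation candidates.

Added illustration of the rule relationships named in the release note, on a
constructed rulebase. Each match field is a frozenset of literal values and
ANY is the universal set; this is a teaching model, not product code.
"""
from dataclasses import dataclass
from itertools import combinations

ANY = frozenset({"any"})
FIELDS = ("src", "dst", "apps")


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset
    dst: frozenset
    apps: frozenset
    action: str


def covers(a, b):
    """True if every value matched by field b is also matched by field a."""
    return a == ANY or (b != ANY and b <= a)


def overlaps(a, b):
    """True if fields a and b can match at least one common value."""
    return a == ANY or b == ANY or bool(a & b)


def rule_covers(outer, inner):
    return all(covers(getattr(outer, f), getattr(inner, f)) for f in FIELDS)


def rule_overlaps(r1, r2):
    return all(overlaps(getattr(r1, f), getattr(r2, f)) for f in FIELDS)


def analyze(rulebase):
    """Return (anomaly, earlier_rule, later_rule) for each pair that relates.

    shadow:         earlier rule covers the later one with a different action,
                    so the later rule never takes effect and contradicts intent
    redundancy:     earlier rule covers the later one with the same action
    generalization: later rule is broader with a different action (the earlier
                    rule is an exception to it)
    consolidation:  later rule is broader with the same action, so the pair can
                    be merged
    correlation:    rules partially overlap with different actions, so the
                    outcome depends on their order
    """
    findings = []
    for earlier, later in combinations(rulebase, 2):  # keeps rulebase order
        same_action = earlier.action == later.action
        if rule_covers(earlier, later):
            kind = "redundancy" if same_action else "shadow"
        elif rule_covers(later, earlier):
            kind = "consolidation" if same_action else "generalization"
        elif rule_overlaps(earlier, later) and not same_action:
            kind = "correlation"
        else:
            continue
        findings.append((kind, earlier.name, later.name))
    return findings


# Constructed rulebase, ordered as it would be evaluated
INTERNAL = frozenset({"10.0.0.0/8"})
RULEBASE = [
    Rule("r1-allow-web", INTERNAL, ANY, frozenset({"web-browsing", "ssl"}), "allow"),
    Rule("r2-deny-web-guest", INTERNAL, ANY, frozenset({"web-browsing"}), "deny"),
    Rule("r3-allow-ssl", INTERNAL, ANY, frozenset({"ssl"}), "allow"),
    Rule("r4-deny-dns-ssl", INTERNAL | {"172.16.0.0/12"}, ANY, frozenset({"dns", "ssl"}), "deny"),
    Rule("r5-deny-all", ANY, ANY, ANY, "deny"),
]

if __name__ == "__main__":
    for kind, earlier, later in analyze(RULEBASE):
        print(f"{kind:14} {earlier} -> {later}")
```

Shadows are the finding to act on first: r2 above is meant to deny guest web traffic, yet r1 matches the same traffic earlier and allows it, so the deny is silently ineffective.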
Strata Cloud Manager: Role-Based Access Control for Managing and Overriding Security Checks
November 15, 2024
Supported on Strata Cloud Manager for:
You can create or edit custom checks and override the security check block actions
only through the Strata Cloud Manager interface.
Strata Cloud Manager introduces new permissions to enforce access control for
managing security checks, managing security check exceptions, and overriding
security check block actions. These permissions offer granular control and enhance
security by preventing users from making unauthorized changes to the security checks
essential for maintaining compliance. The new permissions are:
- Manage Security Checks: Security checks are a set of predefined best practice checks and custom checks that evaluate your configuration and identify deviations. To view predefined best practice checks and perform actions such as creating, editing, deleting, or cloning custom checks, you will now need the necessary read and write access for the Manage Security Check permission.
- Manage Security Check Exceptions: Security check exceptions allow you to turn off specific security checks for certain devices in your environment. To manage and view the security check exceptions, you will now need the necessary read and write access for the Manage Security Check Exception permission.
- Override Security Check Block Action: You can override the security check block action in two ways:
  - When you push the configuration to the firewall, you can choose to ignore security check failures and continue with the push operation.
  - When you create or edit a Security Policy Rule, Strata Cloud Manager validates the rules against existing security checks. If the checks fail, you can choose to override and save the rule.
  To perform either of these override operations, you will now need read and write access for the Override Security Check Block Action permission.
The following table outlines the predefined roles and the associated new permissions:

Roles | Permissions
---|---
Superuser | Includes read and write access for the following permissions:
Network Administrator, Security Administrator, View Only Administrator | Includes read-only access for the following permissions:
For all other predefined roles, Strata Cloud Manager hides the Security
Checks and Security Check Exceptions tabs in the Security
Posture Settings. Alternatively, you can create or edit existing
custom roles and configure the necessary
permissions to view, manage, and override security checks.
Configure Source IP Address Enforcement for Authentication Cookies
November 15, 2024
Supported for:
You can configure the GlobalProtect portal or gateway to accept cookies from
endpoints only when the IP address of the endpoint matches the original source IP
addresses for which the cookie was issued or when the IP address of the endpoint
matches a specific network IP address range. You can define the network IP address
range using a CIDR subnet mask, such as /24 or /32. For example, if an
authentication cookie was originally issued to an endpoint with a public source IP
address of 201.109.11.10, and the subnet mask of the network IP address range is set
to /24, the authentication cookie is subsequently valid on endpoints with public
source IP addresses within the 201.109.11.0/24 network IP address range. For more
information, see GlobalProtect — Customize App Settings.
This is an existing feature in Panorama and is now introduced in Prisma Access
managed by Strata Cloud Manager.
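As an added example that is not GlobalProtect code, the check below reproduces the enforcement rule with Python's `ipaddress` module and the values from the text: a cookie issued to 201.109.11.10 with a /24 range is accepted from 201.109.11.200 but not from 201.109.12.10, and with a /32 range only from the issuing address itself. The function and parameter names, the rejection of a prefix length of 0 and the refusal to accept a cookie across IP versions are assumptions made for the example.

```python
"""Source-IP enforcement for authentication cookies.

Added illustration of the rule described in the release note (not GlobalProtect
code): a cookie is accepted only from the address it was issued to, or from an
address inside the network of that address as widened by a CIDR prefix length.
"""
import ipaddress


def cookie_valid_for_endpoint(issued_to_ip, presenting_ip, prefix_len):
    """Return True if a cookie issued to issued_to_ip may be accepted from
    presenting_ip.

    prefix_len=32 (IPv4) demands an exact match with the issuing address;
    prefix_len=24 accepts the whole /24 containing it, as in the release
    note's example.
    """
    issued = ipaddress.ip_address(issued_to_ip)
    presenting = ipaddress.ip_address(presenting_ip)
    # Assumption for the example: a cookie never carries across IP versions,
    # so an IPv4-issued cookie presented from an IPv6 source is rejected.
    if issued.version != presenting.version:
        return False
    # A /0 would accept every address and defeat the control, so it is rejected.
    if not 0 < prefix_len <= issued.max_prefixlen:
        raise ValueError(f"prefix length /{prefix_len} is invalid for IPv{issued.version}")
    # strict=False lets a host address stand for its network:
    # 201.109.11.10/24 -> 201.109.11.0/24
    allowed = ipaddress.ip_network(f"{issued}/{prefix_len}", strict=False)
    return presenting in allowed


if __name__ == "__main__":
    print(cookie_valid_for_endpoint("201.109.11.10", "201.109.11.200", 24))  # True
    print(cookie_valid_for_endpoint("201.109.11.10", "201.109.12.10", 24))   # False
    print(cookie_valid_for_endpoint("201.109.11.10", "201.109.11.11", 32))   # False
```

Choosing the prefix length is a trade-off: /32 gives the tightest binding but breaks sessions for users whose public address changes within a carrier NAT pool, while a wider range tolerates that churn at the cost of accepting the cookie from neighbouring addresses in the same block.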
Configure End User Timeout Notifications
November 15, 2024
Supported for:
Administrators can now configure timeout settings to notify end
users before a GlobalProtect session disconnects. This is an existing feature in
Panorama and is now introduced in Prisma Access managed by Strata Cloud Manager.
Strata Cloud Manager: NGFW Alerts in November
November 6, 2024
Here are the NGFW alerts introduced in November 2024:
Health alerts actively monitor the health and
performance of your platform in real time. This approach helps in identifying
issues, predicting potential problems, and implementing remediation actions to
ensure your devices function optimally. Here are some key aspects:
- Monitoring Metrics: Continuously monitor various metrics from the NGFWs, including CPU utilization, memory usage, disk space, network throughput, and other relevant performance indicators.
- Anomaly Detection: Generate alerts that dynamically adjust based on the metric's historical value and your usage trends.
- Predictive Analysis: Leverage historical data and patterns to predict when thresholds might be exceeded or specific events may occur. This helps forecast potential issues before they escalate.
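The anomaly-detection and predictive-analysis bullets describe thresholds derived from a metric's own history rather than a fixed limit. As an added illustration of that idea, not the product's algorithm, the code below alerts when a CPU sample exceeds a baseline computed from the preceding window of samples, and projects a linear disk-usage trend forward to estimate how many sampling intervals remain before a limit is reached. All samples, the window size and the multiplier are constructed for the example.

```python
"""Baseline-relative alerting and trend projection for NGFW health metrics.

Added illustration of the ideas in the release note's bullets (not the product's
algorithm): a sample alerts when it exceeds a threshold computed from the
metric's own recent history, and a rising trend is projected forward to
estimate when a limit will be reached. All samples are constructed.
"""
from math import ceil
from statistics import mean, stdev


def dynamic_threshold(history, k=3.0, min_spread=5.0):
    """Mean of the history plus k standard deviations.

    min_spread stops a very flat history from alerting on harmless jitter:
    a metric that sat at 23% +/- 1% should not alert at 27%.
    """
    return mean(history) + k * max(stdev(history), min_spread)


def detect_anomalies(samples, window=12, k=3.0):
    """Return (index, value, threshold) for every sample that exceeds the
    threshold derived from the `window` samples before it."""
    alerts = []
    for i in range(window, len(samples)):
        threshold = dynamic_threshold(samples[i - window:i], k)
        if samples[i] > threshold:
            alerts.append((i, samples[i], round(threshold, 1)))
    return alerts


def intervals_until_breach(samples, limit):
    """Fit a least-squares line through the samples and return how many more
    sampling intervals until the line reaches `limit`; None if not rising."""
    n = len(samples)
    x_mean = (n - 1) / 2
    y_mean = mean(samples)
    sxx = sum((x - x_mean) ** 2 for x in range(n))
    sxy = sum((x - x_mean) * (y - y_mean) for x, y in enumerate(samples))
    slope = sxy / sxx
    if slope <= 0:
        return None
    intercept = y_mean - slope * x_mean
    x_breach = (limit - intercept) / slope  # x at which the fitted line hits the limit
    return max(0, ceil(x_breach - (n - 1)))


# Constructed: CPU utilisation (%) sampled every 5 minutes, one spike at index 13
CPU_SAMPLES = [22, 25, 23, 24, 26, 22, 21, 24, 25, 23, 22, 24, 27, 85, 24, 23]
# Constructed: disk usage (%) growing by 2 points per interval
DISK_SAMPLES = [70, 72, 74, 76, 78, 80]

if __name__ == "__main__":
    print(detect_anomalies(CPU_SAMPLES))             # one alert, at index 13
    print(intervals_until_breach(DISK_SAMPLES, 90))  # 5
```

Note the side effect visible in the sample data: once the spike at index 13 enters the history window, the standard deviation grows and the threshold rises for the next twelve intervals, so a second spike of the same size would not alert. Production systems handle this by excluding confirmed anomalies from the baseline or by using robust statistics such as the median and MAD.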