Strata Cloud Manager
New Features in November 2024
Table of Contents
Expand All
|
Collapse All
Strata Cloud Manager Docs
New Features in November 2024
Here are the new features available in Strata Cloud Manager in November
2024.
Here are the latest new features introduced on Strata Cloud Manager. Features listed
here include some feature highlights for the products supported with
Strata Cloud Manager. For the full list of new features supported for a product you're
using with Strata Cloud Manager, see the release notes for that product.
Autonomous Digital Experience Management (ADEM): Specific SD-WAN Path Monitoring
November 22, 2024
Supported for:
|
If you have configured Prisma SD-WAN path policy rules for
your remote sites, you can now specify that your synthetic application tests probe a
particular SD-WAN path. This enables you to monitor the paths through which user
traffic is actually flowing instead of all possible paths. Monitoring defined paths
yields an application experience score that better reflects the real experience of
your users so that you can make more informed decisions to improve or maintain
application experience in your organization.
Strata Cloud Manager: Policy Optimizer Enhancements
November 18, 2024
Supported on Strata Cloud Manager for:
Here are the Policy Optimizer
enhancements:
|
Hone and optimize overly permissive security rules so that they only allow traffic
that are actually in use in your network. Rules that are too broad introduce
security gaps because they allow applications that are not in use in your network.
Policy Optimizer enables you to convert
these overly permissive rules to more specific, focused rules that only allow the
applications you’re actually using.
Strata Cloud Manager analyzes log data and categorizes rules as overly permissive
when they are allowing any application traffic, and the rules must be at least 15
days old. These rules can introduce security loopholes, if they’re allowing traffic
that’s not necessary for enterprise use.
For rules identified as overly permissive, Strata Cloud Manager auto-generates
recommendations you can accept to optimize the rule. The new, recommended rules are
more specific and targeted than the original rule; they explicitly allow only the
applications that have been detected in your network in the last 90 days.
Select an overly permissive rule to review, adjust, and accept optimization
recommendations. Replacing these rules with the more specific, recommended rules
strengthens your security posture. You can choose to accept some or all of the rule
recommendations. Accepting recommendations to optimize a rule does not remove the
original rule. The original rule remains listed below the new rules in your Security
policy; this is so you can monitor the rule, and remove it when you’re confident
that it’s not needed. Both the original rule and optimized rules are tagged so you
can easily identify them in your Security policy.
Together with Config Cleanup, these tools help you
ensure that your policy rules stay fresh and up to date.
Strata Cloud Manager: NGFW Support for Configuration APIs
November 15, 2024
Supported on Strata Cloud Manager for:
|
The Strata Cloud Manager Configuration APIs now support both the Next
Generation Firewall and Cloud Next Generation Firewall platforms. This is in
addition to the already existing support for the Prisma Access (SASE) platform. To
support the additional platforms, the API documentation on
pan.dev
has a new organization that includes a Strata Cloud Manager-specific
landing page.
The configuration API documentation has also been broken into functional areas and then
organized by platform.
Other major changes include:
- A new FQDN: api.strata.paloaltonetworks.com
- Restructuring of the API paths to support the new API organization.
There are many other changes to the configuration APIs, both to support the new
platforms, and to support new functionality. For complete details on this release,
please see the
Strata Cloud Manager API November 2024 Release Notes.
25,000 Remote Network and 50,000 IKE Gateway Support
November 15, 2024
Supported for:
|
You can onboard a maximum of 25,000 remote networks and 50,000 IKE gateways
per tenant in a Prisma Access deployment. To accommodate this enhancement, the
following changes have been made to the Strata Cloud Manager web interface:
- Pagination has been added so that you can choose how many rows to display in a given page.
- Filtering is enabled for remote networks.After you apply filtering, you can sort the resulting output by name.
- A new Group By field is added. If you select a group by Compute Location, all groups display but are collapsed, and the page size you selected applies to the groups. If you select a compute location to expand it, the rows display based on the page size you selected.
- When remote networks are displayed in a drop-down, the web interface displays the first 500 items. You can find the desired Remote Network in the list by typing in the text box.In addition, the total number of remote networks displays.
- The following additional pages have pagination applied:
- IPSec Tunnels
- QoS
- QoS Statistics
- Troubleshooting—Remote Networks under External Dynamic Lists
DNS Proxy Customizations
October 15, 2024
Supported for:
|
Explicit Proxy expands its support to include DNS Proxy customization. Explicit Proxy
supports DNS settings such as regional DNS, custom DNS and so on. You can also use a
third-party DNS resolver or an on-premises DNS resolver to resolve public and
private apps and can use per FQDN. This functionality is currently supported on Strata Cloud Manager only.
Named Configuration Snapshots
November 15, 2024
Supported for:
|
Save a configuration as a named snapshot in Strata Cloud Manager.
Previously in Strata Cloud Manager, users were only able to load previously pushed
configurations. Users would also have to keep track of configuration pushes if they
wanted to have a known configuration they could fall back on.
Now, with the Config Version Snapshot dashboard, you can
save an in-progress configuration as a named snapshot. Having a named snapshot
allows you to have a configuration you can easily load to get back to a known state
in Strata Cloud Manager. The named configuration snapshots have their own table and
you are able to name them to keep track of them. Saving a named snapshot replaces
the current configuration candidate.
Session Browser for Strata Cloud Managed NGFWs
November 15, 2024
Supported for:
|
To help troubleshoot your Cloud managed NGFWs, a Session Browser is
available in Strata Cloud Manager. If you're unable to interface with your NGFWs
directly due to a number of reasons, such as your firewalls not being on location,
the data needed to troubleshoot them is now available directly in Strata Cloud Manager.
When reviewing the session browser, you can filter the data by rules,
sources, destinations, or App-ID.
In addition to the session browser, the available troubleshooting capabilities for
DNS Proxy, User IP, User Group, Routing, Dynamic User Group, Dynamic Address Group,
NAT, External Dynamic Lists are now in a single dashboard.
Exclude URLs and Apps From Enterprise DLP Inspection for Non-File Based Traffic
November 1, 2024
Supported for:
|
In some cases, you might have use cases where you need to exclude certain URLs and apps from
forwarding non-file based traffic to Enterprise Data Loss Prevention (E-DLP). For example, you
might not require Enterprise DLP inspection in the following scenarios:
- You expect traffic containing sensitive data to specific URLs and apps and want to exclude them from Enterprise DLP incidents.
- You only want to inspect file based traffic for specific URLs and apps but don't require inspection of non-file based traffic.
- You identified specific URLs that receive non-file data that isn't user generated and want to exclude these URLs from Enterprise DLP inspection to avoid false positive detections.
You can use an existing Security policy rules to easily exclude these URLs and apps
from Enterprise DLP rather than create a new Security policy rule each time you
want to exclude specific URLs and apps. This allows you to continue to enforce your
data loss prevention requirements for URLs and apps that require it while excluding
the URLs and apps that don't. This eases the operational overheard of managing your
policy rulebase by reducing the total number of policy rules you need to manage
Prisma Access: New Prisma Access Cloud Management Location
November 15, 2024
Supported on Strata Cloud Manager for:
|
You can deploy Prisma Access Cloud Management in the Switzerland region.
Strata Cloud Manager: New Best Practice Assessment Checks and Custom Checks
November 15, 2024
Supported on Strata Cloud Manager for:
Strata Cloud Manager introduces the following new
checks:
|
Strata Cloud Manager lets you validate your configuration against
predefined Best Practices and custom checks
you create based on the needs of your organization. As you make changes to your
service routes, connection settings, allowed services, and administrative access
settings for the management and auxiliary interfaces for your firewalls, Strata
Cloud Manager gives you assessment results inline so you can take immediate
corrective action when necessary. This eliminates problems that misalignments with
best practices can introduce, such as conflicts and security gaps.
Inline checks let you:
- Gauge the effectiveness of, assess the impact of, and validate changes you make to your configuration using inline assessment results.
- Prioritize and perform remediations based on the recommendations from the inline assessment.
Strata Cloud Manager: Policy Analyzer for Strata Cloud Manager Deployments
November 15, 2024
Supported on Strata Cloud Manager for:
Policy Analyzer now
supports NGFWs and Prisma Access deployments managed by Strata
Cloud Manager.
|
Updates to your Security policy rules are often time-sensitive and
require you to act quickly. However, you want to ensure that any update you make to
your Security policy rulebase meets your requirements and does not introduce errors
or misconfigurations (such as changes that result in duplicate or conflicting
rules).
Policy Analyzer in Strata Cloud Manager enables you to optimize time and
resources when implementing a change request. Policy Analyzer not only analyzes and
provides suggestions for possible consolidation or removal of specific rules to meet
your intent but also checks for anomalies, such as Shadows, Redundancies,
Generalizations, Correlations, and Consolidations in your rulebase.
See Policy Analyzer to learn more.
Strata Cloud Manager: Role-Based Access Control for Managing and Overriding Security Checks
November 15, 2024
Supported on Strata Cloud Manager for:
You can create or edit custom checks and override the security
check block actions only through the Strata Cloud Manager
interface.
|
Strata Cloud Manager introduces new permissions to enforce access control for
managing security checks, managing security check exceptions, and overriding
security check block actions. These permissions offer granular control and enhance
security by preventing users from making unauthorized changes to the security checks
essential for maintaining compliance. The new permissions are:
- Manage Security ChecksSecurity checks are a set of predefined best practice checks and custom checks that evaluate your configuration and identify deviations.To view predefined best practice checks and perform actions such as creating, editing, deleting, or cloning custom checks, you will now need the necessary read and write access for the Manage Security Check permission.
- Manage Security Check ExceptionsSecurity check exceptions allow you to turn off specific security checks for certain devices in your environment.To manage and view the security check exceptions, you will now need the necessary read and write access for the Manage Security Check Exception permission.
- Override Security Check Block ActionYou can override the security check block action in two ways:
- When you push the configuration to the firewall, you can choose to ignore security check failures and continue with the push operation.
- When you create or edit a Security Policy Rule, Strata Cloud Manager validates the rules against existing security checks. If the checks fail, you can choose to override and save the rule.
To perform any of the above override operations, you will now need read and write access for Override Security Check Block Action permission.
The following table outlines the predefined roles and the associated
new permissions:
Roles | Permissions |
---|---|
Superuser
|
Includes read and write access for the following permissions:
|
Network Administrator
Security Administrator
View Only Administrator
|
Includes read-only access for the following permissions:
|
For all other predefined roles, Strata Cloud Manager hides the Security
Checks and Security Check Exceptions tabs in the Security
Posture Settings. Alternatively, you can create or edit existing
custom roles and configure the necessary
permissions to view, manage, and override security checks.
Configure Source IP Address Enforcement for Authentication Cookies
November 15, 2024
Supported for:
|
You can configure the GlobalProtect portal or gateway to accept cookies from
endpoints only when the IP address of the endpoint matches the original source IP
addresses for which the cookie was issued or when the IP address of the endpoint
matches a specific network IP address range. You can define the network IP address
range using a CIDR subnet mask, such as /24 or /32. For example, if an
authentication cookie was originally issued to an endpoint with a public source IP
address of 201.109.11.10, and the subnet mask of the network IP address range is set
to /24, the authentication cookie is subsequently valid on endpoints with public
source IP addresses within the 201.109.11.0/24 network IP address range. For more
information, see GlobalProtect — Customize App
Settings.
This is an existing feature in Panorama and is now introduced in Prisma Access
managed by Strata Cloud Manager.
Configure End User Timeout Notifications
November 15, 2024
Supported for:
|
Administrators can now configure timeout settings to notify end
users before a GlobalProtect session disconnects. This is an existing feature in
Panorama and is now introduced in Prisma Access managed by Strata Cloud Manager.