New Features in November 2024
Focus
Focus
Strata Cloud Manager

New Features in November 2024

Table of Contents

New Features in November 2024

Here are the new features available in Strata Cloud Manager in November 2024.
Here are the latest new features introduced on Strata Cloud Manager. Features listed here include some feature highlights for the products supported with Strata Cloud Manager. For the full list of new features supported for a product you're using with Strata Cloud Manager, see the release notes for that product.

Autonomous Digital Experience Management (ADEM): Specific SD-WAN Path Monitoring

November 22, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
  • Autonomous Digital Experience Management (ADEM)
  • Prisma SD-WAN
  • SD-WAN ION version 6.4.2 or later
  • ADEM agent 3.4.7 or later
If you have configured Prisma SD-WAN path policy rules for your remote sites, you can now specify that your synthetic application tests probe a particular SD-WAN path. This enables you to monitor the paths through which user traffic is actually flowing instead of all possible paths. Monitoring defined paths yields an application experience score that better reflects the real experience of your users so that you can make more informed decisions to improve or maintain application experience in your organization.

Strata Cloud Manager: Policy Optimizer Enhancements

November 18, 2024
Supported on Strata Cloud Manager for:
  • NGFW, including those funded by Software NGFW Credits (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Strata Cloud Manager)
Here are the Policy Optimizer enhancements:
  • Policy Optimizer considers rules created over 15 days ago for optimization.
  • After optimizing a security rule, the Policy Optimizer feature will not reselect it for optimization for the next 90 days.
  • Recommendations automatically appear in the results after optimization.
  • To optimize a rule that wasn't automatically selected by Strata Cloud Manager, add the predefined Enable-AIOps-Optimization tag to it.
  • Displays the reason for optimization failure.
  • Displays negated addresses in the recommendations.
Hone and optimize overly permissive security rules so that they only allow traffic that are actually in use in your network. Rules that are too broad introduce security gaps because they allow applications that are not in use in your network. Policy Optimizer enables you to convert these overly permissive rules to more specific, focused rules that only allow the applications you’re actually using.
Strata Cloud Manager analyzes log data and categorizes rules as overly permissive when they are allowing any application traffic, and the rules must be at least 15 days old. These rules can introduce security loopholes, if they’re allowing traffic that’s not necessary for enterprise use.
For rules identified as overly permissive, Strata Cloud Manager auto-generates recommendations you can accept to optimize the rule. The new, recommended rules are more specific and targeted than the original rule; they explicitly allow only the applications that have been detected in your network in the last 90 days.
Select an overly permissive rule to review, adjust, and accept optimization recommendations. Replacing these rules with the more specific, recommended rules strengthens your security posture. You can choose to accept some or all of the rule recommendations. Accepting recommendations to optimize a rule does not remove the original rule. The original rule remains listed below the new rules in your Security policy; this is so you can monitor the rule, and remove it when you’re confident that it’s not needed. Both the original rule and optimized rules are tagged so you can easily identify them in your Security policy.
Together with Config Cleanup, these tools help you ensure that your policy rules stay fresh and up to date.

Strata Cloud Manager: NGFW Support for Configuration APIs

November 15, 2024
Supported on Strata Cloud Manager for:
  • Prisma Access
  • NGFW (Managed by Strata Cloud Manager)
  • Cloud NGFW (Managed by Strata Cloud Manager)
The Strata Cloud Manager Configuration APIs now support both the Next Generation Firewall and Cloud Next Generation Firewall platforms. This is in addition to the already existing support for the Prisma Access (SASE) platform. To support the additional platforms, the API documentation on pan.dev has a new organization that includes a Strata Cloud Manager-specific landing page. The configuration API documentation has also been broken into functional areas and then organized by platform.
Other major changes include:
There are many other changes to the configuration APIs, both to support the new platforms, and to support new functionality. For complete details on this release, please see the Strata Cloud Manager API November 2024 Release Notes.

25,000 Remote Network and 50,000 IKE Gateway Support

November 15, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
You can onboard a maximum of 25,000 remote networks and 50,000 IKE gateways per tenant in a Prisma Access deployment. To accommodate this enhancement, the following changes have been made to the Strata Cloud Manager web interface:
  • Pagination has been added so that you can choose how many rows to display in a given page.
  • Filtering is enabled for remote networks.
    After you apply filtering, you can sort the resulting output by name.
  • A new Group By field is added. If you select a group by Compute Location, all groups display but are collapsed, and the page size you selected applies to the groups. If you select a compute location to expand it, the rows display based on the page size you selected.
  • When remote networks are displayed in a drop-down, the web interface displays the first 500 items. You can find the desired Remote Network in the list by typing in the text box.
    In addition, the total number of remote networks displays.
  • The following additional pages have pagination applied:
    • IPSec Tunnels
    • QoS
    • QoS Statistics
    • Troubleshooting—Remote Networks under External Dynamic Lists

DNS Proxy Customizations

October 15, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
Explicit Proxy expands its support to include DNS Proxy customization. Explicit Proxy supports DNS settings such as regional DNS, custom DNS and so on. You can also use a third-party DNS resolver or an on-premises DNS resolver to resolve public and private apps and can use per FQDN. This functionality is currently supported on Strata Cloud Manager only.

Named Configuration Snapshots

November 15, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
  • NGFW (Managed by Strata Cloud Manager)
Save a configuration as a named snapshot in Strata Cloud Manager. Previously in Strata Cloud Manager, users were only able to load previously pushed configurations. Users would also have to keep track of configuration pushes if they wanted to have a known configuration they could fall back on.
Now, with the Config Version Snapshot dashboard, you can save an in-progress configuration as a named snapshot. Having a named snapshot allows you to have a configuration you can easily load to get back to a known state in Strata Cloud Manager. The named configuration snapshots have their own table and you are able to name them to keep track of them. Saving a named snapshot replaces the current configuration candidate.

Session Browser for Strata Cloud Managed NGFWs

November 15, 2024
Supported for:
  • NGFW (Managed by Strata Cloud Manager)
To help troubleshoot your Cloud managed NGFWs, a Session Browser is available in Strata Cloud Manager. If you're unable to interface with your NGFWs directly due to a number of reasons, such as your firewalls not being on location, the data needed to troubleshoot them is now available directly in Strata Cloud Manager.
When reviewing the session browser, you can filter the data by rules, sources, destinations, or App-ID.
In addition to the session browser, the available troubleshooting capabilities for DNS Proxy, User IP, User Group, Routing, Dynamic User Group, Dynamic Address Group, NAT, External Dynamic Lists are now in a single dashboard.

Exclude URLs and Apps From Enterprise DLP Inspection for Non-File Based Traffic

November 1, 2024
Supported for:
  • NGFW (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Strata Cloud Manager)
In some cases, you might have use cases where you need to exclude certain URLs and apps from forwarding non-file based traffic to Enterprise Data Loss Prevention (E-DLP). For example, you might not require Enterprise DLP inspection in the following scenarios:
  • You expect traffic containing sensitive data to specific URLs and apps and want to exclude them from Enterprise DLP incidents.
  • You only want to inspect file based traffic for specific URLs and apps but don't require inspection of non-file based traffic.
  • You identified specific URLs that receive non-file data that isn't user generated and want to exclude these URLs from Enterprise DLP inspection to avoid false positive detections.
You can use an existing Security policy rules to easily exclude these URLs and apps from Enterprise DLP rather than create a new Security policy rule each time you want to exclude specific URLs and apps. This allows you to continue to enforce your data loss prevention requirements for URLs and apps that require it while excluding the URLs and apps that don't. This eases the operational overheard of managing your policy rulebase by reducing the total number of policy rules you need to manage

Prisma Access: New Prisma Access Cloud Management Location

November 15, 2024
Supported on Strata Cloud Manager for:
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
You can deploy Prisma Access Cloud Management in the Switzerland region.

Strata Cloud Manager: New Best Practice Assessment Checks and Custom Checks

November 15, 2024
Supported on Strata Cloud Manager for:
Strata Cloud Manager introduces the following new checks:
Strata Cloud Manager lets you validate your configuration against predefined Best Practices and custom checks you create based on the needs of your organization. As you make changes to your service routes, connection settings, allowed services, and administrative access settings for the management and auxiliary interfaces for your firewalls, Strata Cloud Manager gives you assessment results inline so you can take immediate corrective action when necessary. This eliminates problems that misalignments with best practices can introduce, such as conflicts and security gaps.
Inline checks let you:
  • Gauge the effectiveness of, assess the impact of, and validate changes you make to your configuration using inline assessment results.
  • Prioritize and perform remediations based on the recommendations from the inline assessment.

Strata Cloud Manager: Policy Analyzer for Strata Cloud Manager Deployments

November 15, 2024
Supported on Strata Cloud Manager for:
  • NGFW, including those funded by Software NGFW Credits (Managed by Strata Cloud Manager or Panorama)
  • Prisma Access (Managed by Strata Cloud Manager or Panorama)
Policy Analyzer now supports NGFWs and Prisma Access deployments managed by Strata Cloud Manager.
Updates to your Security policy rules are often time-sensitive and require you to act quickly. However, you want to ensure that any update you make to your Security policy rulebase meets your requirements and does not introduce errors or misconfigurations (such as changes that result in duplicate or conflicting rules).
Policy Analyzer in Strata Cloud Manager enables you to optimize time and resources when implementing a change request. Policy Analyzer not only analyzes and provides suggestions for possible consolidation or removal of specific rules to meet your intent but also checks for anomalies, such as Shadows, Redundancies, Generalizations, Correlations, and Consolidations in your rulebase.
See Policy Analyzer to learn more.

Strata Cloud Manager: Role-Based Access Control for Managing and Overriding Security Checks

November 15, 2024
Supported on Strata Cloud Manager for:
  • NGFW
  • Prisma Access
You can create or edit custom checks and override the security check block actions only through the Strata Cloud Manager interface.
Strata Cloud Manager introduces new permissions to enforce access control for managing security checks, managing security check exceptions, and overriding security check block actions. These permissions offer granular control and enhance security by preventing users from making unauthorized changes to the security checks essential for maintaining compliance. The new permissions are:
  • Manage Security Checks
    Security checks are a set of predefined best practice checks and custom checks that evaluate your configuration and identify deviations.
    To view predefined best practice checks and perform actions such as creating, editing, deleting, or cloning custom checks, you will now need the necessary read and write access for the Manage Security Check permission.
  • Manage Security Check Exceptions
    Security check exceptions allow you to turn off specific security checks for certain devices in your environment.
    To manage and view the security check exceptions, you will now need the necessary read and write access for the Manage Security Check Exception permission.
  • Override Security Check Block Action
    You can override the security check block action in two ways:
    • When you push the configuration to the firewall, you can choose to ignore security check failures and continue with the push operation.
    • When you create or edit a Security Policy Rule, Strata Cloud Manager validates the rules against existing security checks. If the checks fail, you can choose to override and save the rule.
    To perform any of the above override operations, you will now need read and write access for Override Security Check Block Action permission.
The following table outlines the predefined roles and the associated new permissions:
RolesPermissions
Superuser
Includes read and write access for the following permissions:
  • Manage Security Checks
  • Manage Security Check Exception
  • Override Security Check Block Action
Network Administrator
Security Administrator
View Only Administrator
Includes read-only access for the following permissions:
  • Manage Security Checks
  • Manage Security Check Exception
For all other predefined roles, Strata Cloud Manager hides the Security Checks and Security Check Exceptions tabs in the Security Posture Settings. Alternatively, you can create or edit existing custom roles and configure the necessary permissions to view, manage, and override security checks.

Configure Source IP Address Enforcement for Authentication Cookies

November 15, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
You can configure the GlobalProtect portal or gateway to accept cookies from endpoints only when the IP address of the endpoint matches the original source IP addresses for which the cookie was issued or when the IP address of the endpoint matches a specific network IP address range. You can define the network IP address range using a CIDR subnet mask, such as /24 or /32. For example, if an authentication cookie was originally issued to an endpoint with a public source IP address of 201.109.11.10, and the subnet mask of the network IP address range is set to /24, the authentication cookie is subsequently valid on endpoints with public source IP addresses within the 201.109.11.0/24 network IP address range. For more information, see GlobalProtect — Customize App Settings.
This is an existing feature in Panorama and is now introduced in Prisma Access managed by Strata Cloud Manager.

Configure End User Timeout Notifications

November 15, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
Administrators can now configure timeout settings to notify end users before a GlobalProtect session disconnects. This is an existing feature in Panorama and is now introduced in Prisma Access managed by Strata Cloud Manager.