You can onboard a maximum of 25,000 remote networks and 50,000 IKE gateways per tenant in a Prisma Access deployment. To accommodate this enhancement, the following changes have been made to the Strata Cloud Manager web interface:

Explicit Proxy expands its support to include DNS Proxy customization. Explicit Proxy supports DNS settings such as regional DNS, custom DNS and so on. You can also use a third-party DNS resolver or an on-premises DNS resolver to resolve public and private apps and can use per FQDN. This functionality is currently supported on Strata Cloud Manager only.

Save a configuration as a named snapshot in Strata Cloud Manager. Previously in Strata Cloud Manager, users were only able to load previously pushed configurations. Users would also have to keep track of configuration pushes if they wanted to have a known configuration they could fall back on.

Now, with the Config Version Snapshot dashboard, you can save an in-progress configuration as a named snapshot. Having a named snapshot allows you to have a configuration you can easily load to get back to a known state in Strata Cloud Manager. The named configuration snapshots have their own table and you are able to name them to keep track of them. Saving a named snapshot replaces the current configuration candidate.

To help troubleshoot your Cloud managed NGFWs, a Session Browser is available in Strata Cloud Manager. If you're unable to interface with your NGFWs directly due to a number of reasons, such as your firewalls not being on location, the data needed to troubleshoot them is now available directly in Strata Cloud Manager.

When reviewing the session browser, you can filter the data by rules, sources, destinations, or App-ID.

In addition to the session browser, the available troubleshooting capabilities for DNS Proxy, User IP, User Group, Routing, Dynamic User Group, Dynamic Address Group, NAT, External Dynamic Lists are now in a single dashboard.

In some cases, you might have use cases where you need to exclude certain URLs and apps from forwarding non-file based traffic to Enterprise Data Loss Prevention (E-DLP). For example, you might not require Enterprise DLP inspection in the following scenarios:

You can use an existing Security policy rules to easily exclude these URLs and apps from Enterprise DLP rather than create a new Security policy rule each time you want to exclude specific URLs and apps. This allows you to continue to enforce your data loss prevention requirements for URLs and apps that require it while excluding the URLs and apps that don't. This eases the operational overheard of managing your policy rulebase by reducing the total number of policy rules you need to manage

You can deploy Prisma Access Cloud Management in the Switzerland region.

Strata Cloud Manager lets you validate your configuration against predefined Best Practices and custom checks you create based on the needs of your organization. As you make changes to your service routes, connection settings, allowed services, and administrative access settings for the management and auxiliary interfaces for your firewalls, Strata Cloud Manager gives you assessment results inline so you can take immediate corrective action when necessary. This eliminates problems that misalignments with best practices can introduce, such as conflicts and security gaps.

Inline checks let you:

Updates to your Security policy rules are often time-sensitive and require you to act quickly. However, you want to ensure that any update you make to your Security policy rulebase meets your requirements and does not introduce errors or misconfigurations (such as changes that result in duplicate or conflicting rules).

Policy Analyzer in Strata Cloud Manager enables you to optimize time and resources when implementing a change request. Policy Analyzer not only analyzes and provides suggestions for possible consolidation or removal of specific rules to meet your intent but also checks for anomalies, such as Shadows, Redundancies, Generalizations, Correlations, and Consolidations in your rulebase.

See Policy Analyzer to learn more.

Strata Cloud Manager introduces new permissions to enforce access control for managing security checks, managing security check exceptions, and overriding security check block actions. These permissions offer granular control and enhance security by preventing users from making unauthorized changes to the security checks essential for maintaining compliance. The new permissions are:

The following table outlines the predefined roles and the associated new permissions:

For all other predefined roles, Strata Cloud Manager hides the Security Checks and Security Check Exceptions tabs in the Security Posture Settings. Alternatively, you can create or edit existing custom roles and configure the necessary permissions to view, manage, and override security checks.

You can configure the GlobalProtect portal or gateway to accept cookies from endpoints only when the IP address of the endpoint matches the original source IP addresses for which the cookie was issued or when the IP address of the endpoint matches a specific network IP address range. You can define the network IP address range using a CIDR subnet mask, such as /24 or /32. For example, if an authentication cookie was originally issued to an endpoint with a public source IP address of 201.109.11.10, and the subnet mask of the network IP address range is set to /24, the authentication cookie is subsequently valid on endpoints with public source IP addresses within the 201.109.11.0/24 network IP address range. For more information, see GlobalProtect — Customize App Settings.

This is an existing feature in Panorama and is now introduced in Prisma Access managed by Strata Cloud Manager.

Administrators can now configure timeout settings to notify end users before a GlobalProtect session disconnects. This is an existing feature in Panorama and is now introduced in Prisma Access managed by Strata Cloud Manager.