Panorama CloudConnector plugin 2.1.0 now supports proxy configuration settings from Panorama. These settings only take effect after a commit. Here are the scenarios:

The following Panorama versions are supported:

See Panorama CloudConnector Plugin Release Notes.

Visibility and enforcement based on an endpoint's private IP address was previously unavailable for users connecting via GlobalProtect^® agent to the Explicit Proxy. This new feature solves that challenge by allowing you to now leverage the private IP addresses of endpoints for logging and to apply IP address-based enforcement. This enhancement ensures consistent policy application and granular monitoring for users who connect to Prisma^® Access Explicit Proxy through the GlobalProtect agent from the branches.

Multinational organizations operating in China face unique challenges in securing internet access for users and headless devices where VPN agents cannot be installed due to compliance reasons or network restrictions. Prisma ^® Access explicit proxy support in China addresses this critical need by providing a secure internet gateway that works without requiring default route changes to the infrastructure, while coexisting with VPN agents.

This solution also acts as a reliable proxy solution that complies with local regulations while effectively managing internet access and safeguarding sensitive information across endpoints. The explicit proxy support in China leverages AWS infrastructure with a 1:1 architecture where each Envoy proxy is paired with a proxy firewall virtual machine (VM). This architecture enables secure traffic handling while accommodating the unique networking constraints.

When you implement this solution, users connecting from branch locations can access the internet securely through the explicit proxy without having GlobalProtect ^® clients installed. Additionally, headless devices such as IoT systems or servers can route traffic through the proxy for security inspection. The service integrates with your existing authentication methods, including SAML and Kerberos, and supports the same Security policy rules you configure for your global deployment. Palo Alto Networks NGFW capabilities securely inspect traffic, with logs and telemetry available through the same management interface you use for your global deployment. The architecture also supports routing specific domains to Service Connection when needed, providing flexibility for accessing both internet and private resources.

Prisma® Access enables you to assign static IP addresses for mobile users, where you can assign static IP addresses to users based on the Prisma Access theater or User-ID™.

Additionally, you can now use location groups and user groups to improve your IP address assignment for mobile users, in addition to theater and User-ID.

We also increased the number of supported IP address pool profiles to 10,000.

To allow you to gain more information about your Prisma Access (managed by Strata Cloud Manager) deployments, the Software Information area in the Overview page (ManageConfigurationNGFW and Prisma AccessOverview in Strata Cloud Manager and Prisma Access Version (PanoramaCloud ServicesConfigurationService Setup) in Panorama provide you with the following information:

Prisma Access Cloud Management can now be deployed in the Qatar region.

Depending on your license for Prisma Access Browser Standalone or Prisma Access Browser with Prisma Access Enterprise Bundle, the following new items are available in Strata Cloud Manager for visibility:

It is a complex and often difficult process to add new sites and secure connectivity across all sites in distributed enterprises that have firewalls at the edge of their network. Additionally, securing these networks requires manual configuration that is time-consuming and prone to misconfiguration.

Create a link bundle by assigning the same link tag (using an SD-WAN Interface profile) to multiple links that have similar access and SD-WAN policy rules. For example, you can create a link tag named Low Cost Broadband and then use it to tag your cable modem and fiber optic broadband services.

In addition to improving the Auto VPN configuration settings, we extended Auto VPN connectivity to 500 sites per tenant.

The Advanced DNS Security service is a new subscription offering by Palo Alto Networks that operates new domain detectors in the Advanced DNS Security cloud that inspect changes in DNS responses to detect various types of DNS hijacking in real-time. With access to Advanced DNS Security, you can detect and block DNS responses from hijacked domains and misconfigured domains. Hijacked and misconfigured domains can be introduced into your network by either directly manipulating DNS responses or by exploiting the DNS infrastructure configuration settings in order to redirect users to a malicious domain from which they initiate additional attacks. The primary difference between these two techniques is where the exploit occurs. In the case of DNS hijacking, the attackers gain the ability to resolve DNS queries to attacker-operated domains by compromising some aspect of an organization's DNS infrastructure, be it through unauthorized administrative access to a DNS provider or the DNS server itself, or an MiTM attack during the DNS resolution process. Misconfigured domains present a similar problem - the attacker seeks to incorporate their own malicious domain into an organization’s DNS by taking advantage of domain configuration issues, such as outdated DNS records, which can enable attackers to take ownership of the customer’s subdomain.

Advanced DNS Security can detect and categorize hijacked and misconfigured domains in real-time by operating cloud based detection engines, which provide DNS health support by analyzing DNS responses using ML-based analytics to detect malicious activity. Because these detectors are located in the cloud, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages when changes to detectors are made. Upon initial release, Advanced DNS Security supports two analysis engines: DNS Misconfiguration Domains and Hijacking Domains. Additionally, DNS responses for all DNS queries are sent to the Advanced DNS Security cloud for enhanced response analysis to more accurately categorize and return a result in a real-time exchange. Analysis models are delivered through content updates, however, enhancements to existing models are performed as a cloud-side update, requiring no updates by the user. Advanced DNS Security is enabled and configured through the Anti-Spyware (or DNS Security) profile and require active Advanced DNS Security and Advanced Threat Prevention (or Threat Prevention) licenses.

Advanced Threat Prevention now supports Local Deep Learning, which provides a mechanism to perform fast, local deep learning-based analysis of zero-day and other evasive threats, as a complementary feature to the cloud-based Inline Cloud Analysis component of Advanced Threat Prevention. With an Advanced Threat Prevention license, known malicious traffic that matches against Palo Alto Networks published signature set are dropped (or have another user-defined action applied to them); however, certain traffic that matches the criteria for suspicious content are rerouted for analysis using the Deep Leaning Analysis detection module. If further analysis is necessary, the traffic is sent to the Advanced Threat Prevention cloud for additional analysis, as well as the requisite false-positive and false-negative checks. The Deep Learning detection module is based on the proven detection modules operating in the Advanced Threat Prevention cloud, and as such, have the same zero-day and advanced threat detection capabilities. However, they also have the added advantage of processing a much higher volume of traffic, without the lag associated with cloud queries. This enables you to inspect more traffic and receive verdicts in a shorter span of time. This is especially beneficial when faced with challenging network conditions.

Updates to Local Deep Learning models are delivered through content updates. Local Deep Learning is enabled and configured using the Anti-Spyware profile and requires an active Advanced Threat Prevention license.

Strata Cloud Manager now includes a check box in the Push Config that enables you to override or ignore security check failures. This feature allows you to continue with push operations even when certain checks would block the process. If you leave the check box unchecked (the default setting), and a best practice check with a “block” action fails, Strata Cloud Manager stops the push. Strata Cloud Manager displays the details of the failed check in the Job Details section, ensuring validation errors remain visible. This enhancement provides you with greater control over push operations.

You can now configure a DHCP server profile on the GlobalProtect gateway to use DHCP server for managing and assigning IP addresses for the endpoints connected remotely through the GlobalProtect app. Users who are using enterprise DHCP servers can enable this feature for centralized IP management and IP address assignments. When you configure a DHCP server profile on the GlobalProtect gateway and upon successful communication between the gateway and the DHCP server, the gateway obtains DHCP IP addresses from a DHCP member server. The GlobalProtect gateway then assigns the IP addresses as the tunnel IP for the endpoints that are remotely connected through the GlobalProtect app. If the DHCP server fails to respond to the gateway within the set communication timeout and retry times period, the gateway falls back to the private Static IP pool for the allocation of IP addresses for the endpoints.

When the GlobalProtect gateway assigns the DHCP IP addresses to the endpoints, you can configure their DHCP server to create Dynamic DNS ( Address and Pointer Record) records for the GlobalProtect connected users. DDNS are useful for endpoint admins to do troubleshooting on the GlobalProtect connected remote user endpoints. The IP addresses get registered to the DDNS server only when you configure IP Address Management (IPAM) on Windows server, DDNS server, or on the Infoblox server.

This feature enables you to configure the GlobalProtect app to use the default browser to authenticate to the GlobalProtect portal through the Client Authentication setting of the portal configuration. You can now select the Use Default Browser option on the Client Authentication screen for the app to use the default browser for SAML/CAS authentication to authenticate to the portal for the first time. The Use Default Browser option is displayed on the Client Authentication screen only when you choose SAML/CAS as the authentication profile.

Starting from PAN-OS 11.1, you do not need to set the pre-deployment keys/plist entries to configure the app to choose whether the app should use the default browser or embedded browser instead you can configure it through the Client Authentication setting of the portal configuration.

End users can benefit from using the default system browser for SAML authentication because they can leverage the same login for GlobalProtect with their saved user credentials on the default system browser such as Chrome, Firefox, or Safari.

You can look up the URL categorization of any website while configuring a URL Filtering or URL Access Management profile. The category checker provides in-product access to Palo Alto Networks Test A Site engine, enabling you to decide whether to block or allow access to websites based on their URL categories and risk levels. To access this information, go to the Access Control section of a URL Access Management Profile, select Check URL Category, and then enter a domain or URL in the search bar. You can omit http, https, or www from your query. After entering valid input, a side panel displays descriptions of the primary URL category and risk level associated with the website in PAN-DB, Palo Alto Networks cloud-based URL database. If you disagree with the categorization, you can request recategorization of the website through the Request Change link.

Selecting Request Change redirects you to the “Change A Site” form on the external Test A Site website. The URL category change request form is prepopulated with the queried website, its current URL category, and its risk level. Select the New Category you believe is more appropriate from the list of predefined categories. Optionally, you can Comment details that would help human reviewers evaluate your request.

Strata Cloud Manager offers centralized report management to enhance visibility of network activity within your organization and to help analyze historical data and track real-time data based on your needs. This feature eliminates the need to switch across dashboards to generate reports. You can download reports using data from the dashboards and Activity Insights Summary for Prisma Access and your Palo Alto Networks Next-Generation Firewalls (NGFWs). Strata Cloud Manager also enables you to share and schedule reports at your preferred intervals.

Strata Cloud Manager generates reports using either the last 24 hours of data or the data from the past 30 days depending on the default time period settings on the dashboard. However, you can customize the time period for gathering data in a report when you schedule it. You can also manage scheduled and downloaded reports from the past 30 days to help you monitor and troubleshoot network activity effectively when needed.