New Features in September 2024
Strata Cloud Manager

Here are the new features available in Strata Cloud Manager in September 2024. The features listed here include highlights for the products supported with Strata Cloud Manager. For the full list of new features supported for a product you're using with Strata Cloud Manager, see the release notes for that product.

Prisma Access: Remote Browser Isolation in China

September 30, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
Remote Browser Isolation (RBI) is available in China to protect your users' managed devices from malware and potential zero-day attacks that result from web browsing activity. RBI in China works with Prisma Access in China to isolate and transfer all browsing activity to Prisma Access, which secures and isolates potentially malicious code and content away from your users' managed devices and corporate networks.
The capabilities available in RBI in China are the same as the RBI capabilities for the rest of the world, and the procedures for configuring RBI in China are the same.

Panorama CloudConnector Plugin 2.1.0

September 25, 2024
Supported for:
  • NGFW (Managed by Panorama or Strata Cloud Manager)
Panorama CloudConnector plugin 2.1.0 now supports proxy configuration settings from Panorama. These settings only take effect after a commit. Here are the scenarios:
  • Configuring proxy settings: When you configure proxy settings and perform a commit, the CloudConnector plugin won't recognize the new proxy settings during this commit. However, after the commit, the plugin will use the proxy configuration for all future interactions with the cloud.
  • Removing proxy settings: When you remove proxy settings and perform a commit, the CloudConnector plugin won't recognize the removed proxy settings during the commit. However, after the commit, the plugin will no longer use the proxy configuration for any future interactions with the cloud.
The following Panorama versions are supported:
  1. Panorama Versions 10.2.x (10.2.3 and later) and 11.0.0
    You can download this version of the CloudConnector Plugin on Panorama versions 10.2.3 or later from the Customer Support Portal or directly from PanoramaPlugins.
  2. Panorama Versions 11.0.1 and above
    To help customers, we have preinstalled this plugin with the newer Panorama versions.

Prisma Access: Agent Proxy Support for Private IP from Branches

September 20, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
Users who connect to Prisma Access Explicit Proxy through the GlobalProtect agent from branches can leverage the private IP addresses of endpoints for logging or to apply IP address-based enforcement.

Prisma Access: Explicit Proxy China Support

September 20, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
Explicit Proxy is a reliable proxy solution that complies with local regulations while effectively managing internet access and safeguarding sensitive information across endpoints. Prisma Access now supports these proxy solutions in China as well.
Multinational organizations operating in China face unique challenges in securing internet access for users and headless devices where VPN agents can't be installed due to compliance reasons or network restrictions. Prisma Access explicit proxy support in China addresses this need by providing a secure internet gateway that works without requiring default route changes to the infrastructure, while coexisting with VPN agents.
The explicit proxy support in China leverages AWS infrastructure with a 1:1 architecture where each Envoy proxy is paired with a proxy firewall virtual machine (VM). This architecture enables secure traffic handling while accommodating the unique networking constraints.
When you implement this solution, users connecting from branch locations can access the internet securely through the explicit proxy without having GlobalProtect clients installed. Additionally, headless devices such as IoT systems or servers can route traffic through the proxy for security inspection.
The service integrates with your existing authentication methods, including SAML and Kerberos, and supports the same Security policy rules you configure for your global deployment. Traffic is securely inspected using Palo Alto Networks NGFW capabilities, with logs and telemetry available through the same management interface you use for your global deployment. The architecture also supports routing specific domains to Service Connection when needed, providing flexibility for accessing both internet and private resources.

Prisma Access: Static IP Enhancements for Mobile Users

September 20, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
Prisma® Access enables you to assign static IP addresses to mobile users based on the Prisma Access theater or User-ID™.
You can now also use location groups and user groups, in addition to theater and User-ID, to improve your IP address assignment for mobile users.
We also increased the number of supported IP address pool profiles to 10,000.

Prisma Access: View Prisma Access, Dataplane, and Application and Threats Content Releases in Strata Cloud Manager and Panorama

September 20, 2024
Supported for:
  • Prisma Access (Managed by Panorama or Strata Cloud Manager)
To give you more information about your Prisma Access (managed by Strata Cloud Manager) deployments, the Software Information area on the Overview page (Manage > Configuration > NGFW and Prisma Access > Overview) in Strata Cloud Manager and the Prisma Access Version area (Panorama > Cloud Services > Configuration > Service Setup) in Panorama provide you with the following information:

Prisma Access: New Prisma Access Cloud Management Location

September 20, 2024
Supported on Strata Cloud Manager for:
  • Prisma Access (Managed by Strata Cloud Manager)
  • Prisma Access (Managed by Panorama)
Prisma Access Cloud Management can now be deployed in the Qatar region.

Prisma Access Browser Visibility

September 6, 2024
Supported for:
  • Prisma Access customers with Prisma Access Browser and customers with Prisma Access Browser Standalone.
Depending on your license for Prisma Access Browser Standalone or Prisma Access Browser with Prisma Access Enterprise Bundle, the following new items are available in Strata Cloud Manager for visibility:
  • Monitor > Subscription Usage
    Now shows Prisma Access Browser, either fully activated or number allocated vs. available (if it’s a partial allocation).
  • Activity Insights > Users
    New Connect Method = PA Browser
    To see user and device details
  • Activity Insights > Users > details
    Select a user to drill down into details to see the new widgets such as the Prisma Access Browser Event Summary.
  • Activity Insights > Applications
    New column for count of PA Browser Events.
    Select the number of events and it will redirect you to the Prisma Access Browser management pages.
  • Activity Insights > Applications > details
    Select an application to drill down into details to see the new widgets for PA Browser Access Events (the web apps or websites that users accessed) and PA Browser Data Events (the data control events that are performed) in the aggregate view or the breakdown view for allowed and blocked events.

Strata Cloud Manager: Enhanced Auto VPN Configuration for Large Enterprises

September 20, 2024
It is a complex and often difficult process to add new sites and secure connectivity across all sites in distributed enterprises that have firewalls at the edge of their network. Additionally, securing these networks requires manual configuration that is time-consuming and prone to misconfiguration.
With these Auto VPN configuration enhancements, you can configure a link bundle that enables you to combine multiple physical links into one virtual SD-WAN interface. These bundles provide multiple and more robust options for path selection and failover protection that you can specify when you onboard a next-generation firewall (NGFW) as a branch device in the VPN cluster using Prisma® Access as a hub. With bundles that include more than one physical link, you maximize application quality when a physical link deteriorates.
Create a link bundle by assigning the same link tag (using an SD-WAN Interface profile) to multiple links that have similar access and SD-WAN policy rules. For example, you can create a link tag named Low Cost Broadband and then use it to tag your cable modem and fiber optic broadband services.
In addition to improving the Auto VPN configuration settings, we extended Auto VPN connectivity to 500 sites per tenant.

Strata Cloud Manager: Advanced DNS Security

September 20, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
  • Feature first introduced in PAN-OS 11.2.
  • Additional feature support added in Panorama Managed Prisma Access deployments in Prisma Access 5.1 Innovation
The Advanced DNS Security service is a new subscription offering by Palo Alto Networks that operates new domain detectors in the Advanced DNS Security cloud. These detectors inspect changes in DNS responses to detect various types of DNS hijacking in real time. With access to Advanced DNS Security, you can detect and block DNS responses from hijacked domains and misconfigured domains. Hijacked and misconfigured domains can be introduced into your network either by directly manipulating DNS responses or by exploiting the DNS infrastructure configuration settings in order to redirect users to a malicious domain from which additional attacks are initiated. The primary difference between these two techniques is where the exploit occurs. In the case of DNS hijacking, the attackers gain the ability to resolve DNS queries to attacker-operated domains by compromising some aspect of an organization's DNS infrastructure, be it through unauthorized administrative access to a DNS provider or the DNS server itself, or a MitM attack during the DNS resolution process. Misconfigured domains present a similar problem: the attacker seeks to incorporate their own malicious domain into an organization’s DNS by taking advantage of domain configuration issues, such as outdated DNS records, which can enable attackers to take ownership of the customer’s subdomain.
Advanced DNS Security can detect and categorize hijacked and misconfigured domains in real time by operating cloud-based detection engines, which provide DNS health support by analyzing DNS responses using ML-based analytics to detect malicious activity. Because these detectors are located in the cloud, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages when changes to detectors are made. Upon initial release, Advanced DNS Security supports two analysis engines: DNS Misconfiguration Domains and Hijacking Domains. Additionally, DNS responses for all DNS queries are sent to the Advanced DNS Security cloud for enhanced response analysis to more accurately categorize and return a result in a real-time exchange. Analysis models are delivered through content updates; however, enhancements to existing models are performed as a cloud-side update, requiring no updates by the user. Advanced DNS Security is enabled and configured through the Anti-Spyware (or DNS Security) profile and requires active Advanced DNS Security and Advanced Threat Prevention (or Threat Prevention) licenses.
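To make the two categories above concrete, here is an added example (not Palo Alto Networks code and not how the Advanced DNS Security detectors are implemented) that audits DNS answers for your own names against a known-good baseline: an answer that departs from the baseline is flagged as a changed response, and a CNAME whose target no longer resolves is flagged as dangling. All names, addresses, labels and the resolvable-target set are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    name: str
    rtype: str           # "A" or "CNAME"
    values: frozenset    # IP addresses or CNAME targets


# Constructed baseline: what the organization's own records are expected to return.
BASELINE = {
    "www.example.com": Answer("www.example.com", "A",
                              frozenset({"192.0.2.10", "192.0.2.11"})),
    "shop.example.com": Answer("shop.example.com", "CNAME",
                               frozenset({"shop.cdn.example.net"})),
    "promo.example.com": Answer("promo.example.com", "CNAME",
                                frozenset({"old-campaign.hosting.example.org"})),
}

# Constructed observations, as a resolver log might record them.
OBSERVED = [
    Answer("www.example.com", "A", frozenset({"192.0.2.10"})),
    Answer("www.example.com", "A", frozenset({"203.0.113.66"})),
    Answer("shop.example.com", "CNAME", frozenset({"shop.cdn.example.net"})),
    Answer("promo.example.com", "CNAME",
           frozenset({"old-campaign.hosting.example.org"})),
]

# Constructed set of CNAME targets that still resolve; a real audit would query them.
RESOLVABLE_TARGETS = {"shop.cdn.example.net"}


def classify(answer, baseline=BASELINE, resolvable=RESOLVABLE_TARGETS):
    """Return a label for one observed answer (labels are this example's own)."""
    expected = baseline.get(answer.name)
    if expected is None:
        return "unknown-name"
    # Any record type or value outside the baseline is a change worth investigating.
    if answer.rtype != expected.rtype or not answer.values <= expected.values:
        return "changed-response"
    # The record matches the baseline, but the baseline itself points at a
    # target that no longer exists: an outdated record open to takeover.
    if answer.rtype == "CNAME" and not answer.values <= resolvable:
        return "dangling-cname"
    return "ok"


def audit(observed=OBSERVED):
    """Classify every observed answer and return (name, values, label) rows."""
    return [(a.name, sorted(a.values), classify(a)) for a in observed]


if __name__ == "__main__":
    for row in audit():
        print(row)
```
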

Strata Cloud Manager: Local Deep Learning for Advanced Threat Prevention

September 20, 2024
Supported on Strata Cloud Manager for: Prisma Access (Managed by Strata Cloud Manager)
  • First introduced in PAN-OS 11.2.
Advanced Threat Prevention now supports Local Deep Learning, which provides a mechanism to perform fast, local deep learning-based analysis of zero-day and other evasive threats, as a complementary feature to the cloud-based Inline Cloud Analysis component of Advanced Threat Prevention. With an Advanced Threat Prevention license, known malicious traffic that matches the Palo Alto Networks published signature set is dropped (or has another user-defined action applied to it); however, certain traffic that matches the criteria for suspicious content is rerouted for analysis using the Deep Learning Analysis detection module. If further analysis is necessary, the traffic is sent to the Advanced Threat Prevention cloud for additional analysis, as well as the requisite false-positive and false-negative checks. The Deep Learning detection module is based on the proven detection modules operating in the Advanced Threat Prevention cloud and, as such, has the same zero-day and advanced threat detection capabilities. However, it also has the added advantage of processing a much higher volume of traffic, without the lag associated with cloud queries. This enables you to inspect more traffic and receive verdicts in a shorter span of time, which is especially beneficial when faced with challenging network conditions.
Updates to Local Deep Learning models are delivered through content updates. Local Deep Learning is enabled and configured using the Anti-Spyware profile and requires an active Advanced Threat Prevention license.

Strata Cloud Manager: New Check Box for Overriding Security Checks

September 20, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
  • NGFW (Managed by Strata Cloud Manager)
Strata Cloud Manager now includes a check box in the Push Config that enables you to override or ignore security check failures. This feature allows you to continue with push operations even when certain checks would block the process. If you leave the check box unchecked (the default setting), and a best practice check with a “block” action fails, Strata Cloud Manager stops the push. Strata Cloud Manager displays the details of the failed check in the Job Details section, ensuring validation errors remain visible. This enhancement provides you with greater control over push operations.

GlobalProtect: Support for PAN-OS-11.2-DHCP-Based IP Address Assignments

September 20, 2024
Supported on NGFW:
  • First introduced in PAN-OS 11.2.0.
Starting from PAN-OS 11.2.1, the DHCP Based IP Address Assignment feature is supported for both VM-Series virtual firewall and hardware next-generation firewall platforms.
The DHCP Based IP Address Assignment feature in the PAN-OS 11.2.0 release is supported for VM-Series virtual firewalls only. The feature is not supported for hardware next-generation firewall platforms.
You can now configure a DHCP server profile on the GlobalProtect gateway to use a DHCP server for managing and assigning IP addresses for the endpoints connected remotely through the GlobalProtect app. Users who are using enterprise DHCP servers can enable this feature for centralized IP management and IP address assignments. When you configure a DHCP server profile on the GlobalProtect gateway, and upon successful communication between the gateway and the DHCP server, the gateway obtains DHCP IP addresses from a DHCP member server. The GlobalProtect gateway then assigns the IP addresses as the tunnel IP for the endpoints that are remotely connected through the GlobalProtect app. If the DHCP server fails to respond to the gateway within the set communication timeout and retry times period, the gateway falls back to the private static IP pool for the allocation of IP addresses for the endpoints.
When the GlobalProtect gateway assigns the DHCP IP addresses to the endpoints, you can configure the DHCP server to create Dynamic DNS (Address and Pointer Record) records for the GlobalProtect connected users. DDNS records are useful to endpoint admins for troubleshooting the remote user endpoints connected through GlobalProtect. The IP addresses get registered to the DDNS server only when you configure IP Address Management (IPAM) on the Windows server, DDNS server, or on the Infoblox server.

GlobalProtect: Use Default Browser for SAML/CAS Authentication

September 20, 2024
Supported on NGFW:
  • First introduced in PAN-OS 11.1.0
This feature enables you to configure the GlobalProtect app to use the default browser to authenticate to the GlobalProtect portal through the Client Authentication setting of the portal configuration. You can now select the Use Default Browser option on the Client Authentication screen for the app to use the default browser for SAML/CAS authentication to authenticate to the portal for the first time. The Use Default Browser option is displayed on the Client Authentication screen only when you choose SAML/CAS as the authentication profile.
Starting from PAN-OS 11.1, you do not need to set the pre-deployment keys/plist entries to choose whether the app should use the default browser or the embedded browser. Instead, you can configure it through the Client Authentication setting of the portal configuration.
End users can benefit from using the default system browser for SAML authentication because they can leverage the same login for GlobalProtect with their saved user credentials on the default system browser such as Chrome, Firefox, or Safari.
This feature is available starting from the PAN-OS 11.1 version. For the earlier PAN-OS versions, you must use the predeployment registry key/plist setting.

Advanced URL Filtering: URL Categorization Check

September 20, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
  • NGFW (Managed by Strata Cloud Manager)
You can look up the URL categorization of any website while configuring a URL Filtering or URL Access Management profile. The category checker provides in-product access to the Palo Alto Networks Test A Site engine, enabling you to decide whether to block or allow access to websites based on their URL categories and risk levels. To access this information, go to the Access Control section of a URL Access Management Profile, select Check URL Category, and then enter a domain or URL in the search bar. You can omit http, https, or www from your query. After you enter valid input, a side panel displays descriptions of the primary URL category and risk level associated with the website in PAN-DB, the Palo Alto Networks cloud-based URL database. If you disagree with the categorization, you can request recategorization of the website through the Request Change link.
Selecting Request Change redirects you to the “Change A Site” form on the external Test A Site website. The URL category change request form is prepopulated with the queried website, its current URL category, and its risk level. Select the New Category you believe is more appropriate from the list of predefined categories. Optionally, you can Comment details that would help human reviewers evaluate your request.

Enhanced Report Management

September 27, 2024
Supported for:
  • Prisma Access (Managed by Strata Cloud Manager)
  • NGFW (Managed by Strata Cloud Manager)
Strata Cloud Manager offers centralized report management to enhance visibility of network activity within your organization and to help analyze historical data and track real-time data based on your needs. This feature eliminates the need to switch across dashboards to generate reports. You can download reports using data from the dashboards and Activity Insights Summary for Prisma Access and your Palo Alto Networks Next-Generation Firewalls (NGFWs). Strata Cloud Manager also enables you to share and schedule reports at your preferred intervals.
Strata Cloud Manager generates reports using either the last 24 hours of data or the data from the past 30 days depending on the default time period settings on the dashboard. However, you can customize the time period for gathering data in a report when you schedule it. You can also manage scheduled and downloaded reports from the past 30 days to help you monitor and troubleshoot network activity effectively when needed.