When managing Panorama, administrators require consistent security controls, including centralized proxy configuration, for all outgoing communications. Historically, the Panorama CloudConnector Plugin did not automatically inherit these settings, creating a security gap where essential interactions with cloud services bypassed the defined proxy policies. This lack of integration increased administrative overhead and compromised the overall consistency of the security posture.

The Panorama CloudConnector plugin 2.1.0 now addresses this critical challenge by fully integrating with Panorama’s centralized proxy configuration settings. This enhancement ensures that the plugin automatically uses proxy configuration defined in Panorama for all future interactions with the cloud. This integration simplifies administrative workflows, eliminates the risk of misconfiguration, and ensures unified security enforcement for connectivity to cloud platforms. See Panorama CloudConnector Plugin Release Notes.

Visibility and enforcement based on an endpoint's private IP address was previously unavailable for users connecting via GlobalProtect^® agent to the Explicit Proxy. This new feature solves that challenge by allowing you to now leverage the private IP addresses of endpoints for logging and to apply IP address-based enforcement. This enhancement ensures consistent policy application and granular monitoring for users who connect to Prisma^® Access Explicit Proxy through the GlobalProtect agent from the branches.

Multinational organizations operating in China face unique challenges in securing internet access for users and headless devices where VPN agents cannot be installed due to compliance reasons or network restrictions. Prisma ^® Access explicit proxy support in China addresses this critical need by providing a secure internet gateway that works without requiring default route changes to the infrastructure, while coexisting with VPN agents.

This solution also acts as a reliable proxy solution that complies with local regulations while effectively managing internet access and safeguarding sensitive information across endpoints. The explicit proxy support in China leverages AWS infrastructure with a 1:1 architecture where each Envoy proxy is paired with a proxy firewall virtual machine (VM). This architecture enables secure traffic handling while accommodating the unique networking constraints.

When you implement this solution, users connecting from branch locations can access the internet securely through the explicit proxy without having GlobalProtect ^® clients installed. Additionally, headless devices such as IoT systems or servers can route traffic through the proxy for security inspection. The service integrates with your existing authentication methods, including SAML and Kerberos, and supports the same Security policy rules you configure for your global deployment. Palo Alto Networks NGFW capabilities securely inspect traffic, with logs and telemetry available through the same management interface you use for your global deployment. The architecture also supports routing specific domains to Service Connection when needed, providing flexibility for accessing both internet and private resources.

Managing mobile user access on networks that rely on IP address-based authorization is challenging because dynamic IP assignment from Prisma® Access can break access policies. The Static IP Allocation feature allows you to assign a fixed IP address to Prisma Access mobile users to address this challenge. This feature is useful if your network deployments restrict user access to resources using IP addresses as part of their network and application design. This functionality simplifies deployment and provides critical benefits:

You can assign static IP addresses for mobile users based on the Prisma Access theater or User-ID™

You can now use location groups and user groups to improve your IP address assignment for mobile users, in addition to theater and User-ID.

The supported number of IP address pool profiles is significantly increased, simplifying the management and scaling of large mobile user deployments.

Managing component versions and tracking End-of-Support (EoS) dates across Prisma® Access, Dataplane, and content releases typically requires checking multiple locations. Prisma Access now lets you view the status of these components in a single page for Prisma Access deployments managed by Strata Cloud Manager and Panorama® and includes notifications that show you when your current running Panorama version and plugin versions will be EoS.

Prisma® Access consists of components you manage such as Panorama and the Cloud Services plugin, components that Prisma Access manages such as the dataplane version, and components that Prisma Access manages but whose version you can control (such as the GlobalProtect® version hosted on the Prisma Access portal). Prisma Access lets you view the status of these components in a single page and provides you with this information:

Prisma Access Cloud Management can now be deployed in the Qatar region.

Depending on your license for Prisma Access Browser Standalone or Prisma Access Browser with Prisma Access Enterprise Bundle, the following new items are available in Strata Cloud Manager for visibility:

It is a complex and often difficult process to add new sites and secure connectivity across all sites in distributed enterprises that have firewalls at the edge of their network. Additionally, securing these networks requires manual configuration that is time-consuming and prone to misconfiguration.

Create a link bundle by assigning the same link tag (using an SD-WAN Interface profile) to multiple links that have similar access and SD-WAN policy rules. For example, you can create a link tag named Low Cost Broadband and then use it to tag your cable modem and fiber optic broadband services.

In addition to improving the Auto VPN configuration settings, we extended Auto VPN connectivity to 500 sites per tenant.

The Advanced DNS Security service is a new subscription offering by Palo Alto Networks that operates new domain detectors in the Advanced DNS Security cloud that inspect changes in DNS responses to detect various types of DNS hijacking in real-time. With access to Advanced DNS Security, you can detect and block DNS responses from hijacked domains and misconfigured domains. Hijacked and misconfigured domains can be introduced into your network by either directly manipulating DNS responses or by exploiting the DNS infrastructure configuration settings in order to redirect users to a malicious domain from which they initiate additional attacks. The primary difference between these two techniques is where the exploit occurs. In the case of DNS hijacking, the attackers gain the ability to resolve DNS queries to attacker-operated domains by compromising some aspect of an organization's DNS infrastructure, be it through unauthorized administrative access to a DNS provider or the DNS server itself, or an MiTM attack during the DNS resolution process. Misconfigured domains present a similar problem - the attacker seeks to incorporate their own malicious domain into an organization’s DNS by taking advantage of domain configuration issues, such as outdated DNS records, which can enable attackers to take ownership of the customer’s subdomain.

Advanced DNS Security can detect and categorize hijacked and misconfigured domains in real-time by operating cloud based detection engines, which provide DNS health support by analyzing DNS responses using ML-based analytics to detect malicious activity. Because these detectors are located in the cloud, you can access a wide array of detection mechanisms that are updated and deployed automatically without requiring the user to download update packages when changes to detectors are made. Upon initial release, Advanced DNS Security supports two analysis engines: DNS Misconfiguration Domains and Hijacking Domains. Additionally, DNS responses for all DNS queries are sent to the Advanced DNS Security cloud for enhanced response analysis to more accurately categorize and return a result in a real-time exchange. Analysis models are delivered through content updates, however, enhancements to existing models are performed as a cloud-side update, requiring no updates by the user. Advanced DNS Security is enabled and configured through the Anti-Spyware (or DNS Security) profile and require active Advanced DNS Security and Advanced Threat Prevention (or Threat Prevention) licenses.

When handling high volumes of evasive threats or operating under challenging network conditions, relying solely on cloud-based threat analysis can introduce unwanted latency. Local Deep Learning for Advanced Threat Prevention solves this challenge by providing fast, local deep learning-based analysis for zero-day threats, complementing the cloud-based Inline Cloud Analysis component of Advanced Threat Prevention.

With an active Advanced Threat Prevention license, the system quickly analyzes known malicious traffic matching published signatures and applies the configured action, such as dropping the session. For suspicious content, the Deep Learning Analysis detection module reroutes the traffic locally for immediate analysis. Because this module is based on the proven detection engines operating in the Advanced Threat Prevention cloud, you gain the same zero-day and advanced threat detection capabilities, but with the added benefit of processing a much higher traffic volume locally. This allows you to inspect more traffic and receive rapid verdicts without the lag associated with cloud queries. Content updates deliver the latest Local Deep Learning models, ensuring your detection remains current.

In security environments, strict validation checks are critical for maintaining a robust security posture, but this rigidity can sometimes be an obstacle. When pushing a configuration, a failed security check with a "block" action can halt the entire deployment process. This creates unnecessary friction in time-sensitive situations, forcing you to delay or manually reconfigure to bypass the strict rule.

Strata Cloud Manager now addresses this pain point by introducing a feature in the Push Config that allows you to override specific security check failures that would normally block a push operation. This enhancement gives you the power and flexibility to continue the deployment when you have a valid reason to proceed, ensuring you are not stalled by strict checks. This capability allows you to balance security enforcement with operational efficiency while still ensuring that all validation errors are visible for your review and necessary investigation.

You can now configure a DHCP server profile on the GlobalProtect gateway to use DHCP server for managing and assigning IP addresses for the endpoints connected remotely through the GlobalProtect app. Users who are using enterprise DHCP servers can enable this feature for centralized IP management and IP address assignments. When you configure a DHCP server profile on the GlobalProtect gateway and upon successful communication between the gateway and the DHCP server, the gateway obtains DHCP IP addresses from a DHCP member server. The GlobalProtect gateway then assigns the IP addresses as the tunnel IP for the endpoints that are remotely connected through the GlobalProtect app. If the DHCP server fails to respond to the gateway within the set communication timeout and retry times period, the gateway falls back to the private Static IP pool for the allocation of IP addresses for the endpoints.

When the GlobalProtect gateway assigns the DHCP IP addresses to the endpoints, you can configure their DHCP server to create Dynamic DNS ( Address and Pointer Record) records for the GlobalProtect connected users. DDNS are useful for endpoint admins to do troubleshooting on the GlobalProtect connected remote user endpoints. The IP addresses get registered to the DDNS server only when you configure IP Address Management (IPAM) on Windows server, DDNS server, or on the Infoblox server.

This feature enables you to configure the GlobalProtect app to use the default browser to authenticate to the GlobalProtect portal through the Client Authentication setting of the portal configuration. You can now select the Use Default Browser option on the Client Authentication screen for the app to use the default browser for SAML/CAS authentication to authenticate to the portal for the first time. The Use Default Browser option is displayed on the Client Authentication screen only when you choose SAML/CAS as the authentication profile.

Starting from PAN-OS 11.1, you do not need to set the pre-deployment keys/plist entries to configure the app to choose whether the app should use the default browser or embedded browser instead you can configure it through the Client Authentication setting of the portal configuration.

End users can benefit from using the default system browser for SAML authentication because they can leverage the same login for GlobalProtect with their saved user credentials on the default system browser such as Chrome, Firefox, or Safari.

To configure URL Access Management profiles (also known as URL Filtering profiles) and Security policy rules that block and allow the intended web traffic, you need to know the current URL categorization of a website. You also use this information to create a custom URL category or troubleshoot why a website isn't blocked or allowed as expected. While you can look up any URL on Palo Alto Networks Test A Site website, doing so requires navigating away from the management interface.

To make URL lookups more convenient and efficient, PAN-OS® 11.1 adds a URL category checker where you configure URL Access Management profiles. The category checker provides in-product access to Test A Site, which queries PAN-DB, Palo Alto Networks cloud-based URL database. Enter a domain or URL, and the results panel shows two distinct sections: one for the primary URL category and one for the risk category. Each section includes a description of the category and corresponding example sites. If you disagree with the primary URL category, you can initiate a change request from the results panel. This action redirects you to a prepopulated form on the external Test A Site website.

Managing network visibility often requires switching across multiple dashboards to analyze data. Centralized Report Management in Strata Cloud Manager eliminates this need by offering a unified system to enhance visibility of network activity within your organization and help analyze historical and track real-time data based on your needs. You can download reports using data from the dashboards and Activity Insights Summary for Prisma® Access and your Palo Alto Networks Next-Generation Firewalls (NGFWs). Strata Cloud Manager enables you to share and schedule reports at your preferred intervals.

Strata Cloud Manager generates reports using either the last 24 hours of data or the data from the past 30 days depending on the default time period settings on the dashboard. However, you can customize the time period for gathering data in a report when you schedule it. You can also manage scheduled and downloaded reports from the past 30 days to help you monitor and troubleshoot network activity effectively when needed.