New Features in November 2023
Here are the latest new features introduced on Strata Cloud Manager in November 2023. Features listed here include some feature highlights for the products supported with Strata Cloud Manager. For the full list of new features supported for a product you're using with Strata Cloud Manager, see the release notes for that product.

Cloud Management for NGFWs: Capacity Analyzer Alerts

November 20, 2023
Capacity Analyzer has been enhanced to include support for alerts, which lets you:
  • Anticipate resource consumption nearing its maximum capacity and raise alerts before the limit is reached.
  • Use the Capacity Analyzer Alert details page to analyze resource usage patterns at the firewall level and access a heatmap that provides a comprehensive overview of resource utilization across all of your firewalls.
  • Use the Capacity Analyzer resource usage details page to explore associated alerts, pinpoint other firewalls encountering the same issue, and initiate actions to plan and remediate the problem.
You can encounter situations where particular features on your Next-Generation Firewalls (NGFW) approach their capacity thresholds, resulting in diminished system performance and operational disruptions. Dealing with capacity-related issues can be time-consuming, and these issues tend to come to light only after the limits are breached.
The Capacity Analyzer feature allows monitoring of device resource capacity by tracking metrics usage based on model types. This feature includes a heatmap visualization to display resource consumption rates and locations for each metric. It also enables planning for upgrading to higher capacity firewalls based on specific needs. This proactive approach ensures that you know about potential capacity constraints, allowing you to take preemptive action to safeguard your business operations.

Prisma SD-WAN: Public Cloud High Availability (HA)

You can now reduce complexity and increase resiliency by adding high availability to your SD-WAN for next-generation firewall public cloud deployments. Configure up to four IP addresses per SD-WAN interface, allowing you to deploy SD-WAN on public clouds to achieve failover in high availability active/passive configurations. Minimize the downtime and ensure session survivability using the active/passive HA failover in public cloud SD-WAN environments.
Currently, you can use this feature on deployments using VM-Series in Azure and AWS public cloud HA environments by configuring a second floating IP address on the SD-WAN interfaces. The floating IP on the SD-WAN interface of the external zone must match that of the internal zone. In the illustration, observe that 10.0.2.100 is the common floating IP between the external and internal zones during an HA failover.
This feature is supported on PAN-OS 11.1.0 and above and on IPv4 addresses only.
The following illustration is an example of VM-Series deployment in Azure HA A/P topology and shows how the secondary floating IP address is from the same subnet and applied to both trust and untrust zones of the SD-WAN interface.
In AWS instances, you can configure HA A/P failover using multiple ways, one of which is using a second IP address that acts as the floating IP.

Prisma Access: Cloud-Delivered Enterprise Network Integration

Palo Alto Networks Prisma Access and Google Cloud Platform's Cross-Cloud Network (GCP CCN) bring high-bandwidth, secure, and reliable connectivity to public and private apps for mobile users and for users at remote offices or branch sites. The GCP CCN integration with Prisma Access is a joint solution by the two organizations to address the challenges you can face in a multicloud environment when you begin to use colocation (CoLo) facilities for multicloud and on-premises connectivity:
  • Managing the network infrastructure can be complex and expensive if users need to access private apps hosted by different cloud service providers (CSPs) using a CoLo facility.
  • Using multiple security products to secure apps can result in having an inconsistent security stack across your network and your organization's users.
  • Connecting with a high-bandwidth (more than 1 Gbps) connection to large branches or campus locations from a CoLo facility to a Prisma Access remote network isn't possible.
Prisma Access integrates with GCP CCN to provide security inspection for internet-bound traffic and to the private apps that are hosted in GCP, on-premises, or in a third-party cloud connected through GCP CCN. You can onboard remote sites connected through GCP CCN as either a remote network or as a service connection. This way, mobile users (on-ramp) and remote networks (off-ramp) can access public or private apps securely through Prisma Access.

Prisma Access: Remote Browser Isolation

Browser and web-based attacks are continuously evolving, resulting in security challenges for many enterprises. Web browsers, being a major entry point for malware to penetrate networks, pose a significant security risk to enterprises, prompting the increasing need to protect networks and devices from zero day attacks. Highly regulated industries, such as government and financial institutions, also require browser traffic isolation as a mandatory compliance requirement.
While most enterprises want to block 100% of attacks by using network security and endpoint security methods, such a goal might not be realistic. Most attacks start with the compromise of an endpoint that connects to malicious or compromised sites or by opening malicious content from those sites. An attacker only needs one miss to take over an endpoint and compromise the network. When this happens, the consequences of that compromise and the impact to your organization can be damaging.
Remote Browser Isolation (RBI) creates a no-code execution isolation environment for a user's local browser, so that no website code and files are executed on their local browser. Unlike other isolation solutions, RBI uses next-generation isolation technologies to deliver near-native experiences for users accessing websites without compromising on security.
RBI is a service that isolates and transfers all browsing activity away from the user's managed devices and corporate networks to an outside entity such as Prisma Access, which secures and isolates potentially malicious code and content within its platform. Natively integrated with Prisma Access, RBI allows you to apply isolation profiles easily to existing security policies. Isolation profiles can restrict many user controls, such as copy and paste actions, keyboard inputs, and sharing options like uploading, downloading, and printing files, to keep sensitive data and information secure. All traffic in isolation undergoes analysis and threat prevention provided by Cloud-Delivered Security Services (CDSS) such as Advanced Threat Prevention, Advanced WildFire, Advanced URL Filtering, DNS Security, and SaaS Security.

Prisma Access: Service Connection Identity Redistribution Management

Sometimes, granular controls are needed for User-ID redistribution in particularly large-scale Prisma Access deployments. Service Connection Identity Redistribution Management lets you select specific service connections for identity redistribution.
By default, all of your service connections, in order of proximity, are used for identity redistribution. However, you may not know which specific service connections are being used for identity redistribution at a given moment. And, depending on the number of service connections you have and the number of User-ID agents you’ve configured, this method for identity redistribution can test the limits of your system resources. To solve this, we now give you the option to decide which service connections you want to use for identity redistribution.

Cloud Management for NGFWs: IPSec VPN Monitoring

You can now view the status of the IPSec VPN tunnels to know whether or not valid IKE and IPSec SAs have been established, and whether the tunnel interface is up and available for passing traffic.
Because the tunnel interface is a logical interface, it can't indicate a physical link status. Therefore, you must use IPSec tunnel monitoring so that the tunnel interface can verify connectivity to an IP address and determine if the path is still usable. If the IP address is unreachable, the firewall will either wait for the tunnel to recover or fail over. When a failover occurs, the existing tunnel is torn down, and routing changes are triggered to set up a new tunnel and redirect traffic.
With the IPSec VPN tunnel monitoring feature, you can view the tunnel status:
  • VPN cluster tunnel status
  • IPSec tunnel status
  • IKE gateway status
  • VPN tunnel status
View the overall status of all the IPSec tunnels, IPSec tunnel status per device, and detailed status of each IPSec tunnel.

Cloud Management for NGFWs: PA-450R Next-Generation Firewall Support

The PA-450R is a new rugged firewall appliance that upgrades the PA-220R firewall. The PA-450R is designed for industrial, commercial, and government deployments. The hardware is suited for installation in harsh environments with extreme temperatures and high humidity levels.
The PA-450R is supported on PAN-OS 11.1 and later versions. The firewall features two SFP/RJ-45 combo ports and six RJ-45 ports. The RJ-45 ports include two fail-open ports that can be configured to provide a pass-through connection in the event of a power failure.
The PA-450R is powered by DC power and optionally supports power redundancy. The device has a fanless design and can be installed on a flat surface, wall, and equipment rack. The hardware is compliant with ICS/SCADA system architecture.

Cloud Management for NGFWs: PA-5445 Next-Generation Firewall

The PA-5445 adds the highest performance fixed form-factor model to the Palo Alto Networks® Next-Generation Firewall lineup. This firewall, supported on PAN-OS 11.1 and later versions, features hardware resources dedicated to networking, security, signature matching, and management. The PA-5445 is ideal for deployments in enterprise data centers, headquarters, and regional offices.
The PA-5445 has the highest App-ID speed (93Gbps), L7 threat inspection rate (70Gbps), and session count (48M) in a fixed form-factor firewall.
The PA-5445 features eight RJ-45 ports, twelve SFP+ ports, four SFP28 ports, and four form-factor pluggable QSFP28 ports that support breakout mode. The firewall also features dedicated HSCI and HA1 ports for high availability control.
The PA-5445 can be powered by AC or DC power supplies and optionally supports power redundancy. The hardware takes up 2RU of rack space and should be mounted in a 19” equipment rack.

Cloud Management for NGFWs: Inline Best Practice Checks for Device Setup

Strata Cloud Manager lets you validate your configuration against predefined Best Practices and custom checks you create based on the needs of your organization. As you make changes to your service routes, connection settings, allowed services, and administrative access settings for the management and auxiliary interfaces for your firewalls, Strata Cloud Manager gives you assessment results inline so you can take immediate corrective action when necessary. This eliminates problems that misalignments with best practices can introduce, such as conflicts and security gaps.
Inline checks let you:
  • Gauge the effectiveness of, assess the impact of, and validate changes you make to your configuration using inline assessment results.
  • Prioritize and perform remediations based on the recommendations from the inline assessment.

Cloud Management for NGFWs: VM-Series Device Management

This release adds support for a bootstrapping process that allows you to configure newly deployed firewalls without manually configuring them prior to deployment. Previously, a firewall image was created for your cloud environments that required you to manually include information such as DNS entries and IP addresses in the init.cfg file.
This new process associates the firewall with a Panorama management host to automate the onboarding and configuration of your software firewall. With this functionality, the bootstrapping process:
  • Automatically instantiates, onboards, and configures the firewall instance without prior knowledge of the firewall serial number.
  • Automatically onboards the Strata Cloud Manager tenant, from which the tenant receives the initial configuration and becomes fully operational without manual intervention.
Create the bootstrap package with the following fields:
  • panorama-server. Use this field to specify cloud management for your Panorama host. This field initiates a TLS connection to the Strata Cloud Manager service edge. For example, panorama-server=cloud. Values other than cloud are interpreted as a Panorama IP address or FQDN, and will initiate a Panorama management connection. A value defined for panorama-server-2 is ignored when panorama-server=cloud.
  • dgname. This field defines the Cloud Management folder to which the firewall is mapped.
  • vm-series-auto-registration-pin-id. Include the VM-Series registration PIN ID. This automates the process of instantiating the firewall instance by establishing the connection to the Strata Cloud Manager service edge.
  • vm-series-auto-registration-pin-value. Include the VM-Series registration PIN VALUE to automate the process of instantiating the firewall instance by establishing the connection to the Strata Cloud Manager service edge.
    The PIN ID and PIN VALUE fields are used to request a Thermite certificate. This certificate is used to authenticate the device and build a secure connection to the cloud service, such as Strata Cloud Manager.
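The following is an added example, not Palo Alto Networks code, that parses a bootstrap init.cfg and reports which management mode the fields above select. It assumes the file is plain key=value lines (one field per line) and applies only the rules stated in this release note: panorama-server=cloud means cloud management with panorama-server-2 ignored, any other value is a Panorama IP address or FQDN, and cloud mode needs dgname plus the two registration PIN fields. The sample PIN values are placeholders, and the PIN value is deliberately not copied into the result because it is a credential.

```python
"""Sanity-check a VM-Series bootstrap init.cfg before deployment.

Added example; not Palo Alto Networks code. Assumes key=value lines and
uses only the field semantics described in the November 2023 release note.
"""
from dataclasses import dataclass, field
from typing import Optional

# Fields a cloud-managed bootstrap must carry (per the release note).
REQUIRED_FOR_CLOUD = (
    "dgname",
    "vm-series-auto-registration-pin-id",
    "vm-series-auto-registration-pin-value",
)


@dataclass
class BootstrapPlan:
    mode: str                                   # "cloud" or "panorama"
    panorama_hosts: list = field(default_factory=list)
    folder: Optional[str] = None                # dgname
    pin_id: Optional[str] = None                # PIN value intentionally not kept
    errors: list = field(default_factory=list)


def parse_init_cfg(text: str) -> dict:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"malformed init.cfg line: {raw!r}")
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg


def plan_bootstrap(cfg: dict) -> BootstrapPlan:
    """Work out the management connection the bootstrap package will make."""
    server = cfg.get("panorama-server", "")
    if server == "cloud":
        # Cloud management: TLS to the Strata Cloud Manager service edge.
        # panorama-server-2 is ignored in this mode, so it is not reported.
        plan = BootstrapPlan(
            mode="cloud",
            folder=cfg.get("dgname"),
            pin_id=cfg.get("vm-series-auto-registration-pin-id"),
        )
        for key in REQUIRED_FOR_CLOUD:
            if not cfg.get(key):
                plan.errors.append(f"missing {key}")
        return plan

    # Any other value is treated as a Panorama IP address or FQDN, and a
    # panorama-server-2 entry is a second Panorama host.
    hosts = [h for h in (server, cfg.get("panorama-server-2", "")) if h]
    plan = BootstrapPlan(mode="panorama", panorama_hosts=hosts, folder=cfg.get("dgname"))
    if not hosts:
        plan.errors.append("no panorama-server configured")
    return plan


# Constructed samples. PIN values are placeholders, not real credentials.
SAMPLE_CLOUD = """\
# constructed sample: cloud-managed bootstrap
panorama-server=cloud
panorama-server-2=10.0.0.5
dgname=Branch-Firewalls
vm-series-auto-registration-pin-id=PIN-ID-PLACEHOLDER
vm-series-auto-registration-pin-value=PIN-VALUE-PLACEHOLDER
"""

SAMPLE_PANORAMA = """\
# constructed sample: Panorama-managed bootstrap
panorama-server=panorama.example.internal
panorama-server-2=10.0.0.5
dgname=Branch-Firewalls
"""

if __name__ == "__main__":
    for name, text in (("cloud", SAMPLE_CLOUD), ("panorama", SAMPLE_PANORAMA)):
        print(name, plan_bootstrap(parse_init_cfg(text)))
```

Run the check against the init.cfg you are about to package: a non-empty errors list means the firewall will not be able to register and onboard without manual intervention, which is exactly what this bootstrapping process is meant to avoid.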

Cloud Management for NGFWs: Security Posture Checks

Strata Cloud Manager leverages a set of predefined Best Practice Checks that align with industry-standard cybersecurity controls, such as CIS (Center for Internet Security) and NIST (National Institute of Standards and Technology), and custom checks you create based on the specific needs of your organization. These checks evaluate configurations, identifying deviations from best practices or compliance requirements. Previously, we collectively called these Compliance Checks.
For this release, we've rolled Compliance Checks into Security Posture Settings. Security Posture Settings brings together the functionality of both the AIOps and Cloud Manager security check settings pages.
Security Checks also now let you:
  • Create custom checks by cloning select existing checks, making check customization even easier.
  • Exclude checks from being applied to parts of your deployment. In special cases where you want to turn off certain checks for some areas of your deployment, or where specific checks don't make sense for you, you can now restrict where checks are applied instead of disabling them.
    • The new Check Exception feature replaces the "Enable/Disable" functionality of the old settings page.
    • Cloud Manager Support for real-time inline check exemptions isn't available in this release, but we're working hard to bring it to you soon.
  • Raise an Alert (default) for a failed check, or Block a configuration with failing checks from being pushed out to your deployment.
  • Get field-level, inline checks during policy creation and device setup that show you where your configuration does not align with best practice or custom checks, inline, so you can take immediate action.

Cloud Management for NGFWs: GlobalProtect

You can now use GlobalProtect with cloud-managed NGFWs to secure your mobile workforce. Enable your cloud-managed NGFWs as GlobalProtect gateways and portals, in order to provide flexible, secure remote access to users everywhere.
Whether checking email from home or updating corporate documents from an airport, the majority of today's employees work outside the physical corporate boundaries. This workforce mobility increases productivity and flexibility while simultaneously introducing significant security risks. Every time users leave the building with their laptops or smartphones, they are bypassing the corporate firewall and associated policies that are designed to protect both the user and the network. GlobalProtect™ solves the security challenges introduced by roaming users by extending the same next-generation firewall-based policies that are enforced within the physical perimeter to all users, no matter where they are located.

Cloud Management for NGFWs: IP Protocol Scan Protection

November 2, 2023
Palo Alto Networks now offers reconnaissance protection for IP protocol scans. IP protocol scans cycle through IP protocol numbers to determine the IP protocols and services supported by target machines. Malicious actors use this scanning technique to identify and exploit open and insecure protocols. This feature enables your firewall to detect and block, allow, or alert on these scans. For example, you can configure the firewall to drop subsequent packets from a host exhibiting behavior consistent with IP protocol scans.
You can configure protection against IP protocol scans in the Reconnaissance Protection settings of a Zone Protection profile. The firewall identifies IP protocol scans based on a specified number of scan events that occur within a specified interval. If necessary, you can exclude the IP addresses of trusted internal groups performing vulnerability testing from reconnaissance protection. Details of each detected scan are available in the Threat logs.
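As an added example (not PAN-OS code), the detector below shows the shape of the threshold-and-interval rule described above: a source is flagged when it touches more than a configured number of distinct IP protocol numbers within a sliding time window, trusted source networks are exempt, and the configured action is either to alert or to drop subsequent packets from the flagged host. The event format, the counting rule, the threshold and interval values, the action names and the sample traffic are all this example's own assumptions, not the firewall's internal logic.

```python
"""Sliding-window detection of IP protocol scans with trusted-source exclusions.

Added example; not PAN-OS code. Threshold, interval, action names and the
constructed traffic below are assumptions for illustration.
"""
from collections import defaultdict, deque
import ipaddress

THRESHOLD = 10   # distinct IP protocol numbers from one source ...
INTERVAL = 2.0   # ... within this many seconds counts as a scan (assumed values)


class ProtocolScanDetector:
    def __init__(self, threshold=THRESHOLD, interval=INTERVAL,
                 action="block-ip", excluded=()):
        self.threshold = threshold
        self.interval = interval
        self.action = action                       # "alert" or "block-ip"
        self.excluded = [ipaddress.ip_network(n) for n in excluded]
        self._window = defaultdict(deque)          # src -> deque of (ts, proto)
        self.alerts = []                           # what would go to the Threat log
        self.blocked = set()

    def _is_excluded(self, src):
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in self.excluded)

    def observe(self, ts, src, dst, proto):
        """Feed one packet header; returns the verdict 'allow', 'alert' or 'drop'."""
        if src in self.blocked:
            return "drop"                          # subsequent packets from a scanner
        if self._is_excluded(src):
            return "allow"                         # trusted vulnerability testers
        window = self._window[src]
        window.append((ts, proto))
        while window and ts - window[0][0] > self.interval:
            window.popleft()                       # expire events outside the interval
        distinct = {p for _, p in window}
        if len(distinct) >= self.threshold:
            self.alerts.append({"ts": ts, "src": src, "dst": dst,
                                "protocols": sorted(distinct)})
            window.clear()
            if self.action == "block-ip":
                self.blocked.add(src)
                return "drop"
            return "alert"
        return "allow"


def run_sample():
    """Constructed traffic: one host walks protocol numbers 1..12 in 1.2 s,
    a trusted tester does the same from an excluded subnet, and a normal host
    only alternates TCP (6) and UDP (17)."""
    det = ProtocolScanDetector(excluded=["10.10.0.0/24"])
    results = {"scanner": [], "trusted": [], "normal": []}
    for i in range(12):
        results["scanner"].append(det.observe(0.1 * i, "198.51.100.7", "192.0.2.10", i + 1))
        results["trusted"].append(det.observe(0.1 * i, "10.10.0.5", "192.0.2.10", i + 1))
        results["normal"].append(det.observe(0.1 * i, "203.0.113.4", "192.0.2.10",
                                             6 if i % 2 else 17))
    return det, results


if __name__ == "__main__":
    detector, verdicts = run_sample()
    print(verdicts)
    print(detector.alerts)
```

The scanning host is allowed through until its tenth distinct protocol number lands inside the window, at which point one alert record is written and every later packet from it is dropped; the excluded subnet never accumulates state, which is the behaviour you want for an internal scanner you have deliberately whitelisted.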

Cloud Management for NGFWs: TLSv1.3 Support for SSL/TLS Service Profiles (Administrative Access)

November 2, 2023
You can now configure TLSv1.3 in SSL/TLS service profiles to secure administrative access to management interfaces. TLSv1.3 delivers several performance and security enhancements, including shorter SSL/TLS handshakes and more secure cipher suites. In an SSL/TLS service profile, you can select TLSv1.3 as the minimum or maximum supported protocol version for connections to the management interface. Selecting TLSv1.3 automatically enables the following TLSv1.3 cipher suites:
  • TLS-AES-128-GCM-SHA256
  • TLS-AES-256-GCM-SHA384
  • TLS-CHACHA20-POLY1305-SHA256
    TLS-CHACHA20-POLY1305-SHA256 is not supported in FIPS-CC mode.
You can deselect any key exchange algorithms, encryption algorithms, or authentication algorithms as needed. In addition to offering TLSv1.3 support, SSL/TLS service profiles now let you customize the key exchange algorithms, encryption algorithms, and authentication algorithms that are supported.

Source IP Address Enforcement for Authentication Cookies

You can configure the GlobalProtect portal or gateway to accept cookies from endpoints only when the IP address of the endpoint matches the original source IP addresses for which the cookie was issued or when the IP address of the endpoint matches a specific network IP address range. You can define the network IP address range using a CIDR subnet mask, such as /24 or /32. For example, if an authentication cookie was originally issued to an endpoint with a public source IP address of 201.109.11.10, and the subnet mask of the network IP address range is set to /24, the authentication cookie is subsequently valid on endpoints with public source IP addresses within the 201.109.11.0/24 network IP address range. For more information, see GlobalProtect — Customize App Settings.
This is an existing feature in Panorama and is now introduced in Prisma Access managed by Strata Cloud Manager.
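The following added example (this page's own, not Palo Alto Networks code) works through the acceptance rule above with Python's standard ipaddress module: the cookie's scope is the original source address masked to the configured prefix length, so /32 accepts only the exact issuing address while /24 accepts the whole 201.109.11.0/24 network. The function names are this example's own.

```python
"""Source IP enforcement for authentication cookies, worked through with ipaddress.

Added example; not Palo Alto Networks code. Function names are assumptions.
"""
import ipaddress


def cookie_scope(issued_ip: str, prefix_len: int):
    """Network within which a cookie issued to issued_ip remains valid.

    strict=False masks off the host bits, so 201.109.11.10 with /24 yields
    201.109.11.0/24; /32 yields a single-address network.
    """
    addr = ipaddress.ip_address(issued_ip)
    if not 0 <= prefix_len <= addr.max_prefixlen:
        raise ValueError(f"prefix length {prefix_len} out of range for {issued_ip}")
    return ipaddress.ip_network(f"{addr}/{prefix_len}", strict=False)


def cookie_accepted(issued_ip: str, presenting_ip: str, prefix_len: int = 32) -> bool:
    """True when the endpoint presenting the cookie falls inside its scope."""
    return ipaddress.ip_address(presenting_ip) in cookie_scope(issued_ip, prefix_len)


def evaluate(issued_ip: str, attempts, prefix_len: int):
    """Apply the rule to a batch of presenting addresses; returns {ip: bool}."""
    return {ip: cookie_accepted(issued_ip, ip, prefix_len) for ip in attempts}


# Constructed sample using the address from the release note.
ISSUED = "201.109.11.10"
ATTEMPTS = ["201.109.11.10", "201.109.11.200", "201.109.12.5", "198.51.100.1"]

if __name__ == "__main__":
    for plen in (32, 24):
        print(f"/{plen} scope {cookie_scope(ISSUED, plen)}: {evaluate(ISSUED, ATTEMPTS, plen)}")
```

A /32 is the safest default: widening the prefix trades strictness for tolerance of address changes inside the same network (for example a NAT pool), so choose the smallest range that covers the addresses your endpoints legitimately present from.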

End User Timeout Notifications

Administrators can now configure timeout settings to notify end users before a GlobalProtect session disconnects. This is an existing feature in Panorama and is now introduced in Prisma Access managed by Strata Cloud Manager.

Separate Client Authentication for Portal and Gateway

Prisma Access now allows you to separate client authentication for portals and gateways for enhanced security and flexibility. You can apply distinct certificate profiles to each. This feature is supported for both multi-portal and coexistent tenants.

IoT Security: Device Visibility and Automatic Policy Rule Recommendations

Strata Cloud Manager integrates with IoT Security to provide visibility into the devices on your network and automated policy rule recommendations for policy enforcement on next-generation firewalls and Prisma Access. By having IoT Security functionality in Strata Cloud Manager, IoT device visibility and policy rule recommendations become available in the same platform you're using to manage firewalls and interact with other network security products.
When your firewalls or your Prisma Access deployment is subscribed to IoT Security, you can use the following IoT Security features from the Strata Cloud Manager web interface:
  • IoT Security Dashboard: In Strata Cloud Manager, there is an IoT Security dashboard with information about the devices on the network, their device profiles and operating systems, and how they are distributed by device type across subnets. For advanced IoT Security products (Enterprise IoT Security Plus, Industrial IoT Security, or Medical IoT Security), the IoT Security dashboard additionally displays the total number of active alerts to date and vulnerabilities to date.
  • Assets Inventory: See a dynamically maintained inventory of the devices on your network with numerous attributes for each one such as its IP and MAC addresses; profile, vendor, model, and OS; and (for advanced IoT Security products) its device-level risk score.
  • Security Policy Rule Recommendations: IoT Security provides Strata Cloud Manager with automatically generated Security policy rule recommendations organized by device profile. There is one recommendation per application per profile. Choose a profile, select the rule recommendations you want to use, and then choose the next-generation firewalls or Prisma Access sites where you want to enforce them.