Feature History for AIOps for NGFW
See what’s changed in AIOps for NGFW.
Review past features introduced in AIOps for NGFW.
Feature | Changes
On-Demand Software Upgrade Plan
Premium only
March 2023
By uploading a Tech Support File (TSF) in AIOps for NGFW, you can now generate a software upgrade plan for devices running PAN-OS version 9.1 or later. This plan suggests the optimal software version that can be installed on your devices and offers details about new features, modifications to behavior, vulnerabilities, and software issues associated with each suggested software version.
Panorama CloudConnector Plugin
Panorama CloudConnector (formerly AIOps Plugin for Panorama) now enables you to use the Panorama AWS Plugin 5.0.0 to author and push device-group-based policies to Cloud NGFW for AWS resources.
Supported Panorama Versions
  1. Panorama Versions 10.2.x (10.2.3 and later) and 11.0.0
    You can download this version of the CloudConnector Plugin on Panorama versions 10.2.3 or later from the Customer Support Portal or directly from Panorama > Plugins.
  2. Panorama Versions 11.0.1 and above
    To help customers, we have pre-installed this plugin on the newer Panorama versions.
Enterprise License Agreement for AIOps for NGFW
February 2023
Now that AIOps for NGFW is compatible with tenant service groups (TSGs), you can use Common Services to activate an Enterprise License Agreement add-on of AIOps for NGFW.
Tenant Service Group (TSG) Support for AIOps for NGFW
February 2023
You can now use the tenant view to access AIOps for NGFW with Tenant Service Groups (TSGs). This view enables you to activate licenses and manage subscriptions, tenants, identity, and access using Common Services.
The existing AIOps for NGFW app instances will be migrated from the support account view to the tenant view. You can find these AIOps for NGFW instances by toggling View by Support Account off.
In the tenant view, apps and services are organized by the tenant instead of by support account.
Regional Support for Hosting AIOps for NGFW
January 2023
You can now host your instance of AIOps for NGFW in the following regions:
  • Singapore
  • Australia
  • India
  • Japan
  • Canada
  • Italy - Europe
  • Spain - Europe
  • Switzerland - Europe
In this way, your telemetry and firewall log data is processed by a local AIOps for NGFW instance without the data ever leaving your geographic region. To host AIOps for NGFW in new regions for new customers, select the desired region during the Free or Premium activation process. If you are an existing customer with an AIOps for NGFW instance, it will continue to operate from its original location.
United Kingdom and Netherlands Regional Support
December 2022
For compliance with data privacy regulations, you can now host your instance of AIOps for NGFW in the United Kingdom and Netherlands if you have a Strata Logging Service instance in these regions. That way, your telemetry and firewall log data is processed by a local AIOps for NGFW instance without the data ever leaving your geographic region. To host AIOps for NGFW in the United Kingdom or Netherlands, select it as your Region during Free or Premium activation.
Enhancements to Software Upgrade Planner
Premium only
December 2022
You can now generate an upgrade plan for CVE-impacted devices from the Security Advisory Summary.
The upgrade plan includes:
  • The best software version to which you can upgrade your devices to fix the selected vulnerabilities.
  • Information about new features, changes to behavior, vulnerabilities and software issues in each recommended software version.
Strata Logging Service (CDL) Service Alerts
December 2022
You can now view service alerts about your CDL instance within AIOps for NGFW. These alerts enable you to stay aware of the latest service availability, log storage, and connection issues affecting your CDL instance, providing you with the context and recommendations necessary to take the appropriate actions against them.
AIOps for NGFW now raises the following service alerts:
  • Firewall Disconnected from CDL
  • Log Ingestion Offline
  • Log Forwarding Offline
  • Log Ingestion Latency
  • Log Forwarding Latency
  • Log Storage Approaching Limits
Dynamic Threshold for Anomaly Detection
Premium only
November 2022
AIOps for NGFW uses machine learning to understand your deployment and generates alerts that dynamically adjust based on the metric’s historical value and your usage trends. This feature dramatically reduces the occasions where you might perceive an alert as a false positive.
New Security Alerts Remediations
November 2022
New CLI remediations have been added to an additional 18 security alerts. You can now view these CLI commands under alert recommendations, helping you to remediate the issues triggering an alert. Additionally, CLI commands are now grouped so that you can copy all relevant commands for a configuration object at the same time and run them on your devices.
Derived Rate Metrics for NAT, ZPP, and Application Statistics
November 2022
To help you better understand the metrics and correlate them in charts, metrics for NAT, Zone Protection Profile (ZPP), and Application Statistics are converted to rate metrics. The following metrics are new and enhanced:
  • NAT Failure Rate metric indicates an issue with session setup for source NAT allocation.
  • DIPP NAT Failure Rate metric indicates the failure frequency for a NAT policy to translate IP addresses with different port numbers.
  • Incoming packet rate metric is enhanced to display packets per second. This metric indicates the depletion of internal server resources or system connections due to incoming packets.
  • Application Statistics for Top App Summary is enhanced to display the rates at which bytes, packets, and sessions are consumed in the top applications for each device. The rate metrics for Application Statistics are displayed after they have been accumulated for a week.
On-Demand BPA Report
October 2022
You can now run the Best Practice Assessment (BPA) for devices running PAN-OS version 9.1 and later by uploading a Tech Support File (TSF) in AIOps for NGFW. You can generate the on-demand BPA report for devices that are not sending telemetry data or are not onboarded to AIOps for NGFW. BPA measures your security posture against Palo Alto Networks’ best practice guidance. Importantly, the BPA includes checks for the Center for Internet Security’s Critical Security Controls (CSC).
Policy Analyzer
Premium only
October 2022
Policy Analyzer makes everyday time-consuming tasks simple, precise, and error-free. Before adding a new rule to meet a firewall change request, you can now verify if the rule needs to be added at all, if existing rules can be modified to meet the request, and much more. You can also assess the existing rulebase to identify any shadows, redundancies, and other anomalies that might exist.
Analyze your Security policy rules both before and after you commit your changes.
  • Pre-Change Policy Analysis—Enables you to evaluate the impact of a new rule, compare it to your intent for that rule, and ensure that it does not duplicate or conflict with existing rules before you commit, so that you avoid policy rule bloat. You can also run a Security Policy Anomaly Analysis to check for shadows, redundancies, generalizations, correlations, and consolidations.
  • Post-Change Policy Analysis—Enables you to clean the existing rulebase by identifying shadows, redundancies, and other anomalies that have accumulated over time.
  • Policy Analyzer requires the CloudConnector Plugin 2.0 (formerly AIOps Plugin 1.1.0) or later on your Panorama appliance.
  • Policy Analyzer requires Panorama 10.2.3 or a later version.
New Security Checks
September 2022
New Security Checks are available to help you make sure you’re adhering to best practices for an even wider array of security features.
  • API Key Lifetime
  • Authentication Profile
  • Authentication Settings
  • Captive Portal Mode
  • Certificate Expiration Check
  • DoS Rule Protection
  • Forwarding Decryption Certificate
  • GRE Tunnel Keep-Alive
  • Internal Zones Pass Through Captive Portal
  • Local Admins
  • Monitoring Enabled
  • Monitoring IP Address
  • PAN-OS Release Date
  • Passive DNS Monitoring
  • Radius Authentication Profile
  • Secure Client Communication
  • Secure Server Communication
  • SSH Proxy
  • SSH Proxy / SSH Tunnel
  • Strip X-Forwarded-For Header
  • Tacacs+ Authentication Profile
  • Telemetry Data
  • Tunnel Inspection Security Options
  • URL Filtering Profile Inline ML Model Action
  • URL Settings
  • User ID Rules without User ID enabled on Zone
  • WildFire Content Update
Security Advisory Summary
September 2022
To help you decide which devices you need to upgrade to protect against vulnerabilities, you can now view the impacted devices for each CVE in Security Advisory Summary. You can filter CVEs by details such as Host Name and Model, and sort them further by Devices Impacted or Severity of the CVE.
Security Subscriptions
August 2022
To help you identify security gaps and harden the security posture of your enterprise, AIOps for NGFW now provides a comprehensive view into your available security subscriptions and their license usage in your devices. You can view these security subscriptions in graphical and tabular formats.
Software Upgrade Planner
Premium only
August 2022
To help you with planning upgrades for devices, AIOps for NGFW now analyzes your devices to create a detailed report recommending software upgrade options.
You can select an upgrade option to view further details about New Features, PAN-OS Known Vulnerabilities, and PAN-OS Known Issues.
The Software Upgrade Planner feature is available on AIOps for NGFW Premium instances. We are rolling out this feature to AIOps for NGFW Premium customers over the course of several weeks.
IPSec VPN Tunnel Down Health Alert
Premium only
August 2022
To help you with detailed visibility for your IPSec VPN tunnel deployments, AIOps for NGFW now raises the Tunnel Down alert when a tunnel status is down.
You can click this alert to view more details, which include events and runtime tunnel status.
You can click an event to view Metric Details along with a chart displaying the tunnel status metric.
Certificate Expiration Alerts
Premium only
August 2022
AIOps for NGFW now raises an alert when a certificate for a firewall or Panorama appliance feature is going to expire. This alert enables you to proactively respond before a feature ceases to function and avoid potential business disruption.
This feature currently supports these certificates for firewalls:
  • Device Certificate
  • Logging Service Certificate
  • Revoking External Certificate
  • SSL Decryption
  • SCEP Configuration
  • GlobalProtect VPN
  • UserID Agent
  • IPSec VPN (site-to-site)
  • Captive Portal
  • Web UI Access to Admin Users
  • Palo Alto Networks inter-device communications (firewalls, Panorama, log collectors, WildFire)
  • External Dynamic Lists
  • Email Server Profile
  • Multi Factor Authentication (MFA)
  • HTTP Server Profile
  • Radius Server profile
  • SAML Identity Provider
And these certificates for Panorama appliances:
  • Device Certificate
  • Logging Service Certificate
  • Revoking External Certificate
  • SCEP Configuration
  • UserID Agent
  • Web UI Access to Admin Users
  • Palo Alto Networks inter-device communications (firewalls, Panorama, log collectors, WildFire)
  • Email Server Profile
  • HTTP Server Profile
  • Radius Server profile
  • SAML Identity Provider
  • Authentication Profile
  • Certificate Profile
Germany Regional Support
August 2022
For compliance with data privacy regulations, you can now host your instance of AIOps for NGFW in Germany if you have a Strata Logging Service instance in Germany. That way, your telemetry and firewall log data is processed by a local AIOps for NGFW instance without the data ever leaving your geographic region.
To host AIOps for NGFW in Germany, select it as your Region during Free or Premium activation.
Feature-Based Vulnerability Detection
August 2022
To help better inform your decision about whether to upgrade a firewall, you can now view the affected feature mapped to a vulnerability. The Feature Affected column under Vulnerabilities in this PAN-OS version includes information about the affected feature for a vulnerability. If a CVE is not associated with a feature, then the value under Feature Affected is blank.
Security Alerts for Panorama
August 2022
To tell you when an issue affects a group of Panorama-managed firewalls, AIOps for NGFW now raises alerts against entire device groups and template stacks. This helps you quickly understand if an alert applies to several firewalls and whether to take remediation steps at the Panorama level.
Alert tables now feature a new Location column that identifies the device group or template stack and an IP address column. You can also group your firewalls by Location.
In the details of an alert, you can now view the device group or template stack associated with the alert.
As part of this update, all existing alerts will be cleared and new alerts will be raised in their place. Some alerts will also have new names.
Activity Report Highlights
July 2022
From the Summary dashboard, you can now get a quick view of your network activity as found in Activity. See information about your total user count, applications, traffic, and blocked threats all in one place, and select any one type of network activity to view logs and learn more about it.
Export Metadata for Troubleshooting
July 2022
To help technical support assist you more quickly, you can now export the firewall and Panorama appliance data that AIOps collects to a compressed JSON file. This file also contains your Customer Support Portal ID, Cortex Data Lake tenant ID, and AIOps for NGFW instance ID to help support personnel know where to investigate.
HA Device Details
June 2022
To help you better monitor your devices, the Device Details page has been updated to display more detailed topographies, telemetry information, high availability (HA) links, and the connection status between HA pairs. This gives you more visibility into which devices are in HA pairs and how they are operating.
Device Connections and Service Connections
June 2022
The Device Details Overview graph has been divided into two sections, Device Connections and Service Connections, to make it easier to monitor the connections between your devices and ensure that they are secure and up-to-date.
Device Connections shows you the relationships between the device and others in your deployment, such as its managing Panorama or HA peer. Service Connections displays the Logging or Security services to which the device is connected.
Additional Security Checks
June 2022
New Security Checks are available to help you make sure you’re adhering to best practices for an even wider array of security features.
See Settings > Security Checks or the Alert Reference for a complete list.
CloudConnector Plugin (Formerly, AIOps Plugin) for Panorama & Proactive Security Check Enforcement (Premium Feature)
June 2022
If you use Panorama to manage firewalls, you can now install a plugin that helps you proactively prevent suboptimal configurations from entering your deployment. The plugin enables you to identify particular Security Checks in AIOps for NGFW that will cause Panorama to prevent commits of any configuration that does not pass those checks.
This feature is available only in AIOps for NGFW Premium.
Configurable Severity Level for Best Practices
June 2022
You can now set the Severity for best practice checks to reflect how important they are for your particular deployment and help you focus on the checks that are most critical to you.
Vulnerabilities Based on Enabled Features
May 2022
To help better inform your decision about whether to upgrade a firewall, you can now view the known vulnerabilities that apply to the firewall based on its enabled features, in addition to the vulnerabilities in the PAN-OS version generally. Each entry includes information related to the vulnerability, such as its CVE identifier and the PAN-OS version in which it was fixed.
To view the vulnerabilities impacting a specific firewall according to its enabled features, you must enable Product Usage telemetry on the firewall.
New High Availability Health Alerts
May 2022
To further help you oversee your high availability deployments, AIOps for NGFW now raises the following alerts:
  • HA Peer has failed — One of the firewalls in the HA pair is in a non-healthy state.
  • Out of Sync peers - Sessions (Configuration) — Sessions are not matching or up to date between the high-availability peers.
  • HA Backup (configuration) — The configurations on the HA peers are out of sync.
Enhanced Feature Adoption and Best Practice Configuration Visibility
May 2022
You can now filter the Feature Adoption and Feature Configuration charts based on device group to learn how well a specific set of firewalls is utilizing security features and passing Palo Alto Networks best practice checks.
Drill down into a feature to view the specific policy rules that are not using the feature or do not have it configured according to best practices.
Active and Historical Events
May 2022
To help you focus your investigation, you can now choose whether to display an alert’s Active contributing events or a History of them. Active events show you the current issues that are keeping the alert open, and the historical events show you the changes in the alert over a configurable period of time.
Updated Navigation Menu
May 2022
The navigation menu now has a new look. The menu items are in the same place, but we’ve made it sleeker and easier to use. Explore in the app now!
May 2022
  • AIOps for NGFW - Premium becomes available for purchase. Activate your premium subscription to continue to benefit from all of the alerting and detection capabilities that the application has to offer. You can continue to leverage premium features for free until May 31st, at which point all instances without a Premium license will revert to Free.
  • Device Details pages now include a table of the top 10 applications detected in order of usage to help you identify when application bytes, session, or packet usage reach potentially harmful levels.
  • High-availability (HA) health alerts keep you aware when issues arise with your HA firewall deployment.
  • Network address translation (NAT) resource usage alerts help you monitor the computing resources utilized by your NAT policies and how well NAT processes are functioning in your network globally.
April, 2022
  • To help you take steps to prevent flood attacks, AIOps for NGFW now generates two new Zone Protection profile alerts: Threshold Recommendation and Flood Detection.
    Threshold Recommendation alerts you when a Zone Protection profile is not configured for one of your network zones or when a profile is configured but its flood protection thresholds are out of date due to a change in infrastructure. The alert presents the current and recommended threshold values so that you can make the necessary adjustments to reinforce your protections.
    Flood Detection alerts you when traffic patterns suggest a flood attack so you can take immediate action and refine zone protections to prevent future occurrences.
  • Zone Protection profile alerts now include charts of the contributing events that triggered the alert. These charts show the connections per second (CPS) for a protocol in a given network zone and how they compare to thresholds that AIOps dynamically calculates for your environment. Examine these charts to help you pinpoint where and how a flood attack may be occurring in your network.
March, 2022
  • AIOps for NGFW is now available to all! If you haven’t already, onboard your devices and activate your instance to take your security operations to the next level with continuous deployment health and security assessment, advanced alerting capabilities, predictive analytics, and more.