Strata Cloud Manager lets you validate your configuration against predefined

Best Practices

and custom checks you create based on the needs of your organization. As you make changes to your service routes, connection settings, allowed services, and administrative access settings for the management and auxiliary interfaces for your firewalls, Strata Cloud Manager gives you assessment results inline so you can take immediate corrective action when necessary. This eliminates problems that misalignments with best practices can introduce, such as conflicts and security gaps.

Inline checks let you:

Strata Cloud Manager lets you validate your configuration against predefined

Best Practices

and custom checks you create based on the needs of your organization. As you make changes to your service routes, connection settings, allowed services, and administrative access settings for the management and auxiliary interfaces for your firewalls, Strata Cloud Manager gives you assessment results inline so you can take immediate corrective action when necessary. This eliminates problems that misalignments with best practices can introduce, such as conflicts and security gaps.

Inline checks let you:

You can now configure a DHCP server profile on the GlobalProtect gateway to use DHCP server for managing and assigning IP addresses for the endpoints connected remotely through the GlobalProtect app. Users who are using enterprise DHCP servers can enable this feature for centralized IP management and IP address assignments. When you configure a DHCP server profile on the GlobalProtect gateway and upon successful communication between the gateway and the DHCP server, the gateway obtains DHCP IP addresses from a DHCP member server. The GlobalProtect gateway then assigns the IP addresses as the tunnel IP for the endpoints that are remotely connected through the GlobalProtect app. If the DHCP server fails to respond to the gateway within the set communication timeout and retry times period, the gateway falls back to the private Static IP pool for the allocation of IP addresses for the endpoints.

When the GlobalProtect gateway assigns the DHCP IP addresses to the endpoints, you can configure their DHCP server to create Dynamic DNS ( Address and Pointer Record) records for the GlobalProtect connected users. DDNS are useful for endpoint admins to do troubleshooting on the GlobalProtect connected remote user endpoints. The IP addresses get registered to the DDNS server only when you configure IP Address Management (IPAM) on Windows server, DDNS server, or on the Infoblox server.

To configure the feature, see DHCP Based IP Address Assignment and Management for GlobalProtect section in the GlobalProtect Admin Guide

(

HA deployments only

) In an Auto VPN with SD-WAN configuration, the Auto VPN can now generate the appropriate configuration automatically for the active and passive HA peers (both branch and hub HA pairs). It enables the HA failovers to be seamless between the HA pairs.

If your deployment has a requirement to delete sessions quickly, you can enable fast session delete, which allows Prisma Access to reuse TCP port numbers before the TCP TIME_WAIT period expires, and can be useful for SSL decrypted sessions that may be short-lived. You can enable this functionality for Remote Networks, Service Connections, and Mobile Users —GlobalProtect; for Mobile Users—Explicit Proxy deployments, this functionality is enabled by default and cannot be changed.

When you onboard a Service Connection or Remote Network connection, a public IP address is assigned for the other side of the IPSec tunnel (the Service IP Address). You use these public IP addresses for your CPE in you branch site or headquarters or data center location. Keeping records of all the IP addresses you need to configure on your CPE can be time consuming.

Instead of IP addresses, Prisma Access provides you FQDNs to use for the other end of the IPSec tunnel for Service Connections and Remote Network Connections, thus facilitating CPE setup at your branch sites or headquarters or data center locations.

Prisma Access is extending its support for IPv6 from

private applications

to encompass comprehensive end-to-end IPv6 support for Mobile Users, Remote Networks, and Service Connections. One advantageous aspect of native IPv6 support is its capacity to enable Mobile Users utilizing IPv6-only endpoints to establish connections with Prisma Access via IPv6 connections using GlobalProtect. Additionally, this support facilitates accessing public SaaS applications over the internet, particularly where those destinations necessitate IPv6 connections.

IPv6 boasts a significantly larger address space compared to IPv4, thereby accommodating an almost limitless number of unique IP addresses. Through native IPv6 support, Prisma Access is engineered to be compatible with both IPv6 and dual-stack connections, facilitating the migration process from IPv4 to IPv6. This compatibility ensures backward compatibility and empowers organizations in their transition to cloud-based and IPv6-enabled networks.

Prisma Access

Explicit Proxy now supports service connections to enable you to access resources in your data center. With this change, you will still be able to benefit from a proxy connection while accessing external dynamic lists, partner apps, or private apps hosted in your data center.

Manually sharing and keeping the configuration synchronized across multiple tenants is both error prone and inefficient.

This feature provides a unique and flexible way to share common configuration in a multitenant environment. You can save and manage any combination of configuration as a snippet, seamlessly sharing them across tenants under a customer account. This offers tremendous flexibility and control in managing shared configuration across tenants. This feature offers a variety of use cases such as updating configurations from lab to production environments, migrating configurations between tenants, centralizing configuration management for common use cases across tenants, and managing global configurations in a multibusiness unit setup.

Config Search

in Strata Cloud Manager enables you to search configuration objects and settings for a particular string, such as IP addresses, object name, referenced objects, duplicate objects, policy names, policy rules, policies covered for specific CVEs, rule UUID, predefined snippets, or application name.

The search results are categorized and provide links to the configuration location in the Strata Cloud Manager, allowing you to easily find all occurrences and references of the searched string.

Embrace Web Access policies when creating new Internet Security policies or configurations, preserving existing rules in your setup. Web Security policies offer a framework for abstracting policies, enabling translation of user intent into the language understood by the enforcement node. This ensures continuity for current rules without altering user experience through default rule ordering.

This capability incrementally enhances existing Web Security workflows. Newly created Global Web Access policy rules are positioned between Web Security rules and the regular security rules, with Global Catch All policies placed on top of the intrazone default rules in post-rules.

You can now manage your

Strata Logging Service

instance with

Strata Cloud Manager

. After you have activated and deployed

Strata Logging Service

, log in to

Strata Cloud Manager

on hub and select

Settings

Strata Logging Service

to manage your

Strata Logging Service

instance. Additionally, you can also continue to use the

Strata Logging Service

standalone app available on the hub to manage your instances. The logging data is the same in both

Strata Logging Service

app and

Strata Cloud Manager

, except for their web interface differences.

Use

Strata Logging Service

to:

Check the status of a
Strata Logging Service
instance
View and onboard firewalls, Cloud NGFW, Prisma Access, or Panorama appliances
View the allocated log storage quota, the available storage space, and the number of days the logs are retained based on your incoming log rate
Configure log storage quota
Search, filter, and export log data
Forward log data to external servers for long-term storage, SOC, or internal audit

End User Coaching allows you to notify and coach end users when their actions violate a Security policy rule because it contains sensitive data that cannot leave your corporate network.

Prisma Access (Managed by Strata Cloud Manager)

administrators can immediately notify end users through the Access Experience User Interface (UI) when an end user uploads, downloads, or posts content that is blocked by

Enterprise Data Loss Prevention (E-DLP)

. End user notifications are configured using the User Coaching Notification Template created on

Strata Cloud Manager

and are associated with a DLP rule for both

File-Based

and

Non-File Based

traffic. The notification template allows you to fully customize the message to be displayed in the notification and support variables to dynamically fill in DLP incident information based on the file name, traffic direction, application, and action. After an

Enterprise DLP

incident is generated, the end user who generated the incident can view the Data Security notification to view more details about current and past notifications.