Strata Cloud Manager
New Features in September 2023
Here are the new features available in Strata Cloud Manager in September 2023. The
features listed here include highlights for the products supported with Strata Cloud
Manager. For the full list of new features supported for a product you're using with
Strata Cloud Manager, see the release notes for that product.
Prisma Access: Traffic Mirroring and PCAP Support
September 29, 2023
Prisma Access secures your traffic in real time based on traffic inspection, threat
analysis, and security policies. While you can view Prisma Access logs to see
security events, your organization might have a requirement to save packet capture (PCAP) files for forensic and
analytical purposes, for example:
- You need to examine your traffic using industry-specific or privately-developed monitoring and threat tools in your organization and those tools require PCAPs for additional content inspection, threat monitoring, and troubleshooting.
- After an intrusion attempt or the detection of a new zero-day threat, you need to preserve and collect PCAPs for forensic analysis both before and after the attempt. After you analyze the PCAPs and determine the root cause of the intrusion event, you could then create a new policy or implement a new security posture.
- Your organization needs to download and archive PCAPs for a specific period of time and retrieve as needed for legal or compliance requirements.
- Your organization requires PCAPs for network-level troubleshooting (for example, your networking team requires data at a packet level to debug application performance or other network issues).
To accomplish these objectives, you can enable traffic replication, which uses the
Prisma Access cloud to replicate traffic and encrypt the PCAP files using your
organization's encryption certificates. To store the PCAP files, you create a GCP service account, which Prisma Access uses as the
storage location for the PCAP files.
Prisma Access: New Local Zones
September 29, 2023
Local zones place compute, storage,
database, and other services close to large population and industry centers. Each of these
locations has its own compute location.
Keep in mind the following guidelines when deploying local zones:
- Local zone locations do not use Palo Alto Networks registered IP addresses. If you have problems accessing URLs, report the website issue using https://reportasite.gpcloudservice.com/ or reach out to Palo Alto Networks support.
- 1 Gbps bandwidth for remote networks is not supported.
- Remote network and service connection node redundancy across availability zones is not available if you deploy them in the same local zone, as both nodes are provisioned in a single zone.
Prisma Access: Microsoft Defender for Cloud Apps Integration
September 29, 2023
Integrate Prisma Access with Microsoft Defender
for Cloud Apps to sync unsanctioned applications and block them inline
using Prisma Access automatically.
After you integrate Microsoft Defender for Cloud Apps with Prisma Access, Prisma
Access creates a block security policy for URLs that are blocked in Microsoft
Defender for Cloud Apps. You can view the list of unsanctioned applications after
configuring the integration settings. The Prisma Access-Microsoft Defender for Cloud
Apps integration enables you to gain visibility and to discover all cloud
applications and shadow IT applications being used as well as provide closed loop
remediation for unsanctioned applications.
Cloud Management for NGFWs: New Predefined BGP Distribution Profile (Auto VPN & SD-WAN)
September 29, 2023
Auto VPN (Manage > Configuration > NGFW and Prisma Access > Global Settings > Auto VPN) allows you to configure secure connectivity between Strata Cloud Manager and your managed firewalls using SD-WAN. The routing protocol used by Auto
VPN is the Border Gateway Protocol (BGP), which determines
network reachability based on the IP prefixes available within autonomous systems (AS).
Firewalls added to a VPN cluster are now automatically assigned the predefined
All-Connected-Routes BGP Redistribution profile by
default. The All-Connected-Routes BGP Redistribution profile
advertises all connected routes to the VPN peers in the cluster. This
BGP Redistribution profile not only provides the tunnel and route peering
configuration required for connectivity, but also completes the route advertisements
needed for branch-to-branch communication.
Cloud Management for NGFWs: Custom Path Quality Profile (SD-WAN)
September 29, 2023
Create a custom path quality profile on Strata Cloud Manager for firewalls
leveraging SD-WAN. A path quality profile allows you
to define unique network quality requirements for business-critical and
latency-sensitive applications, application filters, application groups, services,
service objects and service group objects that have requirements based on latency,
jitter, and packet loss percentage. Applications and services can share a path
quality profile. Specify the maximum threshold for each parameter, above which the
firewall considers the path deteriorated enough to select a better path.
The firewall treats the latency, jitter, and packet loss thresholds as OR conditions,
meaning if any one of the thresholds is exceeded, the firewall selects the new best
(preferred) path. Any path that has latency, jitter, and packet loss less than or
equal to all three thresholds is considered qualified, and the firewall selects among
qualified paths based on the associated Traffic Distribution profile.
Cloud Management for NGFWs: Pre-Shared Keys Refresh (Auto VPN & SD-WAN)
September 29, 2023
Auto VPN allows you to configure secure
connectivity between Strata Cloud Manager and your managed firewalls using SD-WAN. Peers in the VPN cluster use a
pre-shared key to mutually authenticate each other. Strata Cloud Manager now allows
you to refresh the pre-shared keys used for authenticating VPN tunnels for existing
VPN clusters (Manage > Configuration > NGFW and Prisma Access > Global Settings > Auto VPN).
Cloud Management for NGFWs: Cloud IP Tag Collection (with the Cloud Identity Engine)
September 29, 2023
Enforcing your security policy consistently across all the firewalls in your network
relies on those firewalls having the most up-to-date identity information from your
sources, such as cloud-based identity management systems. With the array of
management systems and large numbers of users and devices, it can often be
time-consuming and difficult to correlate identity information with its originating
sources and ensure that it was provided to all necessary devices.
You can now use Strata Cloud Manager with the Cloud Identity Engine to manage IP
address-to-tag (also known as IP-tag) mappings and simplify your security policy by
creating tag-based rules. When you configure a cloud connection in the Cloud
Identity Engine to your cloud-based identity management system (either Azure or
AWS), you can use the Cloud Identity Engine to collect IP-tag mappings.
You can see all of your IP-tag mappings, as well as their associated sources, in the
Cloud Identity Manager. Using filters to highlight the most relevant information,
you can quickly identify issues with your security policy, such as a source that is
currently unavailable. You can then use Strata Cloud Manager to create tag-based
security policy using dynamic address groups and distribute it to
the firewalls in your network to ensure they have the latest information needed to
consistently enforce security policy. You can also share the IP-tag mappings with
other firewalls in your network by using User Context segments in the Cloud
Identity Engine.
By leveraging the capabilities of Strata Cloud Manager with the identity information
that the Cloud Identity Engine provides, you can more easily create and manage your
security policy using tags.
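To make the tag-based workflow concrete, here is an added example (not part of this release note or of the Cloud Identity Engine's own code) that resolves a dynamic address group from IP-tag mappings collected from several cloud sources and flags members whose mappings all come from a source that is currently unavailable, which is the kind of problem the filters described above help you spot. The mapping rows, tag names, source names and the `matches` expression syntax are constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample of IP-tag mappings: (ip, tag, source). Tag and source
# names are made up; a real deployment's tags come from Azure/AWS metadata.
MAPPINGS = [
    ("10.1.1.10", "aws.tag.role=web", "aws-prod"),
    ("10.1.1.10", "aws.tag.env=prod", "aws-prod"),
    ("10.1.1.11", "aws.tag.role=web", "aws-prod"),
    ("10.1.1.11", "aws.tag.env=staging", "aws-prod"),
    ("10.2.0.5", "azure.tag.role=web", "azure-corp"),
    ("10.2.0.5", "azure.tag.env=prod", "azure-corp"),
    ("10.2.0.6", "azure.tag.role=db", "azure-corp"),
]
# Constructed connection status per source, as a filter view might show it.
SOURCE_STATUS = {"aws-prod": "connected", "azure-corp": "unavailable"}


def tags_by_ip(mappings):
    """Collapse mapping rows into {ip: set(tags)}, regardless of which source supplied them."""
    out = defaultdict(set)
    for ip, tag, _source in mappings:
        out[ip].add(tag)
    return out


def matches(expr, tags):
    """Evaluate a match expression against one IP's tag set.

    Assumed syntax: a bare tag string, or a tuple ('and' | 'or' | 'not', *sub_exprs)."""
    if isinstance(expr, str):
        return expr in tags
    op, *args = expr
    if op == "and":
        return all(matches(a, tags) for a in args)
    if op == "or":
        return any(matches(a, tags) for a in args)
    if op == "not":
        return not matches(args[0], tags)
    raise ValueError(f"unknown operator {op!r}")


def resolve_dynamic_address_group(expr, mappings):
    """Current membership of a dynamic address group: every IP whose tags satisfy expr."""
    return sorted(ip for ip, tags in tags_by_ip(mappings).items() if matches(expr, tags))


def stale_members(members, mappings, status):
    """Members whose mappings come only from sources that are not connected right now;
    their tags can no longer be refreshed, so the group's membership may be out of date."""
    sources = defaultdict(set)
    for ip, _tag, source in mappings:
        sources[ip].add(source)
    return sorted(ip for ip in members
                  if all(status.get(s) != "connected" for s in sources[ip]))


# Constructed match criteria for a "production web servers" group spanning both clouds.
PROD_WEB = ("and",
            ("or", "aws.tag.role=web", "azure.tag.role=web"),
            ("or", "aws.tag.env=prod", "azure.tag.env=prod"))

if __name__ == "__main__":
    members = resolve_dynamic_address_group(PROD_WEB, MAPPINGS)
    print("members:", members)
    print("stale (source unavailable):", stale_members(members, MAPPINGS, SOURCE_STATUS))
```

The resolved membership is what a tag-based rule would enforce; the stale list is the operational check to run before trusting it, since a disconnected source silently freezes the tags it previously reported.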
Cloud Management for NGFWs: Configuration Version Snapshot
September 29, 2023
Manage configuration pushes for your cloud managed NGFWs alongside your Prisma Access
deployments with Config Version Snapshots.
Evaluate configuration pushes, compare your candidate configuration to previously
pushed configurations, and rollback recent changes in the event of any unintended
consequences of a recent push.
Load previous configurations to use as candidates for your configuration push and
make further changes to expand the scope of the original configuration. Restore
previous configurations to immediately rollback the changes of a recent
configuration push.
Review the devices or deployments impacted or targeted by your configuration pushes
for the full scope of the changes.
Cloud Management for NGFWs: Troubleshooting for NGFW Connectivity and Policy Enforcement
September 29, 2023
Troubleshoot these
networking and identity features–track down and resolve connectivity issues or
policy enforcement anomalies:
Network Troubleshooting for NAT and DNS Proxy
Troubleshoot your NGFWs from Strata Cloud Manager without having to move
between various firewall interfaces. If you experience connectivity issues after
deploying and configuring your NGFWs, you can get an aggregate view of your routing
and tunnel states, and drill down to specifics to find anomalies and problematic
configurations.
Identity and Policy Troubleshooting
Troubleshoot your identity-based policy rules and dynamically defined
endpoints. Check the status of specific NGFWs and expose possible mismatches between
how you expect a policy to work and its actual enforcement behavior.
Cloud Management for NGFWs: Config Cleanup
September 29, 2023
Do dynamic business needs often require you to deal with rapid configuration changes
that result in complex configurations with a number of zero hit rules, zero hit
objects, unused objects, and duplicate objects? Such configurations can lead to a
poor security posture and can inadvertently increase the attack surface of your
network. Config Cleanup has you covered.
Config Cleanup gives you a comprehensive view of all policy rules that have no hits,
objects that aren't referenced directly or indirectly in your configuration, objects
that are referenced in a policy rule but have no hits in the Traffic log during the
specified time frame, and objects of the same type with different names but have the
same values so that you can better:
- Manage attack surface exposure
- Prioritize remediation actions
- Remediate over time
- Respond to audit questions when they arise
Identify and remove unused configuration objects and policy rules from your
configuration. Removing unused configuration objects eases administration by
removing clutter and preserving only the configuration objects that are required for
security enforcement.
Review unused objects and policy rules across your entire Strata Cloud Manager
configuration for the last 6 months, and optimize policy rules that are overly
permissive rules to convert these to be more specific, focused rules that only allow
the applications you’re actually using.
Together with Policy Optimizer, these tools help you
ensure that your policy rules stay fresh and up to date.
Cloud Management for NGFWs: Policy Optimizer
September 29, 2023
Hone and optimize overly permissive security rules so that they only allow traffic
that is actually in use in your network. Rules that are too broad introduce
security gaps because they allow applications that are not in use in your network.
Policy Optimizer enables you to convert
these overly permissive rules to more specific, focused rules that only allow the
applications you’re actually using.
Strata Cloud Manager analyzes log data and categorizes rules as overly permissive
when they are allowing any application traffic, and the rules must be at least 15
days old. These rules can introduce security loopholes, if they’re allowing traffic
that’s not necessary for enterprise use.
For rules identified as overly permissive, Strata Cloud Manager auto-generates
recommendations you can accept to optimize the rule. The new, recommended rules are
more specific and targeted than the original rule; they explicitly allow only the
applications that have been detected in your network in the last 90 days.
Select an overly permissive rule to review, adjust, and accept optimization
recommendations. Replacing these rules with the more specific, recommended rules
strengthens your security posture. You can choose to accept some or all of the rule
recommendations. Accepting recommendations to optimize a rule does not remove the
original rule. The original rule remains listed below the new rules in your Security
policy; this is so you can monitor the rule, and remove it when you’re confident
that it’s not needed. Both the original rule and optimized rules are tagged so you
can easily identify them in your Security policy.
Together with Config Cleanup, these tools help you
ensure that your policy rules stay fresh and up to date.
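Because the Config Cleanup and Policy Optimizer sections above both reason over the same inputs (the rulebase, the object tree and the Traffic log), here is one added example covering both; it is not part of this release note or of Strata Cloud Manager's own code. It finds zero-hit rules, objects that are not referenced directly or indirectly (following nested address groups), objects referenced only by rules with no hits, and duplicate objects with different names but the same value; then it flags rules that allow any application and are at least 15 days old, and builds a recommended rule restricted to the applications seen for that rule in the last 90 days, keeping the original rule alongside it. The configuration, the log extract, the `-optimized` suffix and the `policy-optimizer` tag name are constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed address objects and groups (names and values are made up).
ADDRESSES = {
    "web-1": "10.0.1.10", "web-2": "10.0.1.11", "web-1-copy": "10.0.1.10",  # web-1-copy duplicates web-1
    "db-1": "10.0.2.5", "old-server": "10.0.9.9",
}
ADDRESS_GROUPS = {
    "web-servers": ["web-1", "web-2"],
    "app-tier": ["web-servers"],       # nested group, so web-1/web-2 are referenced indirectly
    "legacy-group": ["old-server"],    # no rule references this group
}
# Constructed rulebase: application is "any" or a list of App-IDs.
RULES = [
    {"name": "allow-web-any", "source": ["app-tier"], "application": "any", "created": date(2023, 6, 1)},
    {"name": "allow-db", "source": ["db-1"], "application": ["mysql"], "created": date(2023, 9, 1)},
    {"name": "allow-dns-any", "source": ["web-servers"], "application": "any", "created": date(2023, 9, 20)},
]
# Constructed Traffic log extract: date,rule,application
TRAFFIC_LOG = """\
2023-09-28,allow-web-any,web-browsing
2023-09-27,allow-web-any,ssl
2023-09-01,allow-web-any,web-browsing
2023-05-15,allow-web-any,ftp
2023-09-28,allow-dns-any,dns
"""


def parse_log(text):
    """Parse the log extract into (date, rule_name, application) tuples."""
    rows = []
    for line in text.splitlines():
        day, rule, app = line.split(",")
        rows.append((date.fromisoformat(day), rule, app))
    return rows


def zero_hit_rules(rules, log):
    """Rules that never appear in the Traffic log for the analysed period."""
    hit = {rule for _, rule, _ in log}
    return sorted(r["name"] for r in rules if r["name"] not in hit)


def referenced_objects(rules, groups):
    """Every object reachable from the given rules, expanding group membership transitively."""
    seen, stack = set(), [obj for r in rules for obj in r["source"]]
    while stack:
        obj = stack.pop()
        if obj in seen:
            continue
        seen.add(obj)
        stack.extend(groups.get(obj, []))
    return seen


def unreferenced_objects(addresses, groups, rules):
    """Objects referenced neither directly by a rule nor indirectly through a group."""
    return sorted((set(addresses) | set(groups)) - referenced_objects(rules, groups))


def idle_referenced_objects(groups, rules, log):
    """Objects that are referenced, but only by rules with no hits in the log window."""
    dead = set(zero_hit_rules(rules, log))
    live = referenced_objects([r for r in rules if r["name"] not in dead], groups)
    return sorted(referenced_objects(rules, groups) - live)


def duplicate_objects(addresses):
    """Groups of address objects that share a value under different names."""
    by_value = defaultdict(list)
    for name, value in addresses.items():
        by_value[value].append(name)
    return sorted(sorted(names) for names in by_value.values() if len(names) > 1)


def overly_permissive_rules(rules, today, min_age_days=15):
    """Rules allowing any application that have existed long enough to have meaningful log data."""
    return sorted(r["name"] for r in rules
                  if r["application"] == "any" and (today - r["created"]).days >= min_age_days)


def recommend_rule(rule, log, today, window_days=90):
    """Recommended replacement: same rule, but only the applications seen in the last window_days.
    The original rule is left in place (the caller keeps it below the new rule)."""
    cutoff = today - timedelta(days=window_days)
    apps = sorted({app for day, name, app in log if name == rule["name"] and day >= cutoff})
    return {**rule, "name": rule["name"] + "-optimized", "application": apps, "tags": ["policy-optimizer"]}


if __name__ == "__main__":
    log, today = parse_log(TRAFFIC_LOG), date(2023, 9, 29)
    print("zero-hit rules:", zero_hit_rules(RULES, log))
    print("unreferenced objects:", unreferenced_objects(ADDRESSES, ADDRESS_GROUPS, RULES))
    print("referenced but idle:", idle_referenced_objects(ADDRESS_GROUPS, RULES, log))
    print("duplicates:", duplicate_objects(ADDRESSES))
    for name in overly_permissive_rules(RULES, today):
        rule = next(r for r in RULES if r["name"] == name)
        print("recommendation for", name, "->", recommend_rule(rule, log, today)["application"])
```

Two details matter in practice: `allow-dns-any` also allows any application but is only nine days old, so it is not flagged until it has enough history; and `ftp` was seen on `allow-web-any` but outside the 90-day window, so the recommended rule drops it, which is exactly why the original rule stays listed below the new one until you are confident nothing still depends on it.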
Cloud Management for NGFWs: Explicit Web Proxy
September 29, 2023
Prisma Access has its own, separate method of configuring explicit proxy. This
new feature applies only to cloud-managed firewalls.
You can now configure a web proxy on the firewalls you're
managing with Strata Cloud Manager. That means that if you plan to use an
NGFW as a proxy device to secure your network, you can now configure your proxy
settings across your deployment from a simple, unified management interface.
This interface includes an in-app proxy auto-configuration (PAC) file
editor so that you can edit your proxy settings and modify your PAC file all in one
place whenever network changes arise.
The web proxy supports two methods for routing traffic:
- For the explicit proxy method, the request
contains the destination IP address of the configured proxy and the client
browser sends requests to the proxy directly. You can use one of following
methods to authenticate users with the explicit proxy:
- Kerberos, which requires a web proxy license.
- SAML 2.0, which requires a Prisma Access license and the add-on web proxy license.
- For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules, which you can configure using Transparent Proxy Rules in Strata Cloud Manager. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP).
You can push web proxy configurations to the following platforms:
- PA-1400
- PA-3400
- VM Series (with a minimum of four vCPUs)
Strata Cloud Manager: SaaS Application Endpoint Lists and Enforcement
September 29, 2023
SaaS providers publish lists of the IP addresses and URL endpoints their SaaS
applications use, and frequently update these lists. Strata Cloud Manager now
consumes application endpoint lists from the Palo Alto Networks EDL Hosting Service, so that you can
easily enforce policy for SaaS providers including (but not limited to):
- Microsoft
- Azure
- Amazon Web Services (AWS)
- Google Cloud Platform (GCP)
- Salesforce (SFDC) public endpoints
- Microsoft Defender
- Zoom
- GitHub
In Strata Cloud Manager, you can now subscribe to SaaS application
endpoint lists (both optional and required), and reference the lists in policies
for your cloud-managed NGFWs and Prisma Access.
Important to know:
- This feature natively integrates the Palo Alto Networks EDL Hosting Service with Strata Cloud Manager. If you are or were previously using the EDL Hosting Service, the introduction of this feature doesn't impact any of your existing configuration. Any EDLs you've already created that reference a feed URL will continue to work as expected.
- Until now, the O365-Best-Practice snippet enabled you to directly subscribe to M365 endpoint lists in Strata Cloud Manager. With this feature, this snippet is now updated to be an application endpoint list. If you were using this snippet in a policy rule, the update is seamless, and the policy rule will reference the migrated application endpoint list.
- SaaS Tenant Restrictions continue to provide you a way to limit SaaS app usage to enterprise accounts (to stop users from accessing their personal accounts on the company network).
Strata Cloud Manager: Snippet Deletion
September 29, 2023
Snippets are configuration objects, or groups of configuration objects, that can be
associated with your folders, firewalls, and Prisma Access deployments. They are used
to standardize configurations, allowing you to push changes quickly to all areas.
Snippets are classified in two ways: Predefined and Custom. Predefined snippets are
available to all Strata Cloud Manager users and can be used to quickly get your new
firewalls and deployments up and running with best practice configurations. Custom
snippets are any snippets created by administrators.
Delete custom snippets that are no longer associated
with any deployments, firewalls, or folders to keep your configuration scope
organized.
Unused snippets can be deleted straight from the configuration scope view.
Only custom snippets can be deleted; the predefined snippets available in Strata Cloud
Manager can't be deleted.
Strata Cloud Manager: Enhancements to WildFire Dashboard
September 27, 2023
The Advanced WildFire dashboard is now
enhanced to provide a comprehensive view of sample analysis data that you can use to
make informed decisions. The dashboard displays the source of WildFire sample
submissions, insights into unique and new samples by threat type, and context on the
most recent submissions from your network. The dashboard also enables filtering of
data based on a file hash.
Strata Cloud Manager: Advanced WildFire Analysis Data in IoC Search
September 15, 2023
IOC search now gives you visibility
into the analysis results of samples analyzed by Advanced WildFire, a
cloud-based engine that detects and prevents highly evasive malware threats. Use
this data along with the static and dynamic WildFire analysis data for file analysis
in IOC search results to view the file behaviors observed by WildFire and for
post-execution analysis.
Perform an IOC search for a file hash to view the Advanced WildFire dynamic analysis
data under Advanced WildFire Dynamic Analysis.
Strata Cloud Manager: Signature-Based PCAP in Threat Logs
September 15, 2023
You can now view and download signature-based packet captures (PCAPs), along with the
inline-detected PCAPs, in threat logs. These packet captures provide context around a
threat to help you report false positives or learn more about the methods used by
the attacker. To download a PCAP, view threat-type logs in the Log Viewer and download the packet
captures from there.
Strata Cloud Manager: Log Viewer Visibility Enhancements
September 15, 2023
Log Viewer is enhanced so that you can search for
and view relevant logs more easily. The enhancements include:
- Autosuggestions for field values when you select a field in the query builder.
- Search field names using substrings (for example, search with the string ‘user’ returns suggestions such as source_user, destination_user).
- Search for a field based on the displayed field name in the log table and not just the actual field name in the log record. The query builder uses the displayed field name.
- Press Shift + Enter to start a new line in the query builder, and press Enter to submit a query.