New Features in September 2023

Here are the new features available in Strata Cloud Manager in September 2023. The features listed here include some feature highlights for the products supported with Strata Cloud Manager. For the full list of new features supported for a product you're using with Strata Cloud Manager, see the release notes for that product.

Prisma Access: Traffic Mirroring and PCAP Support

September 29, 2023
Supported on Strata Cloud Manager for:
Prisma Access secures your traffic in real time based on traffic inspection, threat analysis, and security policies. While you can use Prisma Access logs to view security events, your organization might have a requirement to save packet capture (PCAP) files for forensic and analytical purposes, for example:
  • You need to examine your traffic using industry-specific or privately-developed monitoring and threat tools in your organization and those tools require PCAPs for additional content inspection, threat monitoring, and troubleshooting.
  • After an intrusion attempt or the detection of a new zero-day threat, you need to preserve and collect PCAPs for forensic analysis both before and after the attempt. After you analyze the PCAPs and determine the root cause of the intrusion event, you could then create a new policy or implement a new security posture.
  • Your organization needs to download and archive PCAPs for a specific period of time and retrieve them as needed for legal or compliance requirements.
  • Your organization requires PCAPs for network-level troubleshooting (for example, your networking team requires data at a packet level to debug application performance or other network issues).
To accomplish these objectives, you can enable traffic replication, which uses the Prisma Access cloud to replicate traffic and encrypt PCAP files using your organization's encryption certificates. To store the PCAP files, you create a GCP service account, which Prisma Access uses as the storage location of the PCAP files.

Prisma Access: New Local Zones

September 29, 2023
New local zones:
  • South America West (Lima)
  • Nigeria (Lagos)
  • New Zealand (Auckland)
Now supported on Strata Cloud Manager for:
Local zones place compute, storage, database, and other services close to large population and industry centers. These locations have their own compute locations.
Keep in mind the following guidelines when deploying local zones:
  • Local zone locations do not use Palo Alto Networks registered IP addresses.
  • 1 Gbps remote networks are not supported.
  • Remote network and service connection node redundancy across availability zones is not available if you deploy them in the same local zone, as both nodes are provisioned in a single zone.
  • These local zones do not use Palo Alto Networks registered IPs. If you have problems accessing URLs, report the website issue using https://reportasite.gpcloudservice.com/ or reach out to Palo Alto Networks support.

Prisma Access: Microsoft Defender for Cloud Apps Integration

September 29, 2023
Supported on Strata Cloud Manager for:
Integrate Prisma Access with Microsoft Defender for Cloud Apps to sync unsanctioned applications and block them inline using Prisma Access automatically.
After you integrate Microsoft Defender for Cloud Apps with Prisma Access, Prisma Access creates a block security policy for URLs that are blocked in Microsoft Defender for Cloud Apps. You can view the list of unsanctioned applications after configuring the integration settings. The Prisma Access-Microsoft Defender for Cloud Apps integration enables you to gain visibility and to discover all cloud applications and shadow IT applications being used as well as provide closed loop remediation for unsanctioned applications.

Cloud Management for NGFWs: New Predefined BGP Distribution Profile (Auto VPN & SD-WAN)

September 29, 2023
Supported on Strata Cloud Manager for:
Auto VPN (Manage > Configuration > NGFW and Prisma Access > Global Settings > Auto VPN) allows you to configure secure connectivity between Strata Cloud Manager and your managed firewalls using SD-WAN. The routing protocol used by Auto VPN is the Border Gateway Protocol (BGP); the BGP Redistribution profile determines network reachability based on the IP prefixes available within autonomous systems (AS). Firewalls added to a VPN cluster are now automatically assigned the predefined All-Connected-Routes BGP Redistribution profile by default. The All-Connected-Routes BGP Redistribution profile broadcasts all connected routes to the VPN peers in the cluster. Additionally, this BGP Redistribution profile not only provides the tunnel and route peering configuration required for connectivity, but also completes route advertisements to allow for branch-to-branch communication.

Cloud Management for NGFWs: Custom Path Quality Profile (SD-WAN)

September 29, 2023
Supported on Strata Cloud Manager for:
Create a custom path quality profile on Strata Cloud Manager for firewalls leveraging SD-WAN. A path quality profile allows you to define unique network quality requirements for business-critical and latency-sensitive applications, application filters, application groups, services, service objects, and service group objects that have requirements based on latency, jitter, and packet loss percentage. Applications and services can share a path quality profile. Specify the maximum threshold for each parameter, above which the firewall considers the path deteriorated enough to select a better path.
The firewall treats the latency, jitter, and packet loss thresholds as OR conditions, meaning that if any one of the thresholds is exceeded, the firewall selects the new best (preferred) path. Any path that has latency, jitter, and packet loss less than or equal to all three thresholds is considered qualified, and the firewall selects the path based on the associated Traffic Distribution profile.

Cloud Management for NGFWs: Pre-Shared Keys Refresh (Auto VPN & SD-WAN)

September 29, 2023
Supported on Strata Cloud Manager for:
Auto VPN allows you to configure secure connectivity between Strata Cloud Manager and your managed firewalls using SD-WAN. Peers in the VPN cluster use a pre-shared key to mutually authenticate each other. Strata Cloud Manager now allows you to refresh the pre-shared keys used for authenticating VPN tunnels for existing VPN clusters (Manage > Configuration > NGFW and Prisma Access > Global Settings > Auto VPN).

Cloud Management for NGFWs: Cloud IP Tag Collection (with the Cloud Identity Engine)

September 29, 2023
Supported on Strata Cloud Manager for:
Enforcing your security policy consistently across all the firewalls in your network relies on those firewalls having the most up-to-date identity information from your sources, such as cloud-based identity management systems. With the array of management systems and large numbers of users and devices, it can often be time-consuming and difficult to correlate identity information with its originating sources and ensure that it was provided to all necessary devices.
You can now use Strata Cloud Manager with the Cloud Identity Engine to manage IP address-to-tag (also known as IP-tag) mappings and simplify your security policy by creating tag-based rules. When you configure a cloud connection in the Cloud Identity Engine to your cloud-based identity management system (either Azure or AWS), you can use the Cloud Identity Engine to collect IP-tag mappings.
You can see all of your IP-tag mappings, as well as their associated sources, in the Cloud Identity Manager. Using filters to highlight the most relevant information, you can quickly identify issues with your security policy, such as a source that is currently unavailable. You can then use Strata Cloud Manager to create tag-based security policy using dynamic address groups and distribute it to the firewalls in your network to ensure they have the latest information needed to consistently enforce security policy. You can also share the IP-tag mappings with other firewalls in your network by using User Context segments in the Cloud Identity Engine.
By leveraging the capabilities of Strata Cloud Manager with the identity information that the Cloud Identity Engine provides, you can more easily create and manage your security policy using tags.

Cloud Management for NGFWs: Configuration Version Snapshot

September 29, 2023
Supported on Strata Cloud Manager for:
Manage configuration pushes for your cloud managed NGFWs alongside your Prisma Access deployments with Config Version Snapshots.
Evaluate configuration pushes, compare your candidate configuration to previously pushed configurations, and roll back recent changes in the event of any unintended consequences of a recent push.
Load previous configurations to use as candidates for your configuration push and make further changes to expand the scope of the original configuration. Restore previous configurations to immediately roll back the changes of a recent configuration push.
Review the devices or deployments impacted or targeted by your configuration pushes for the full scope of the changes.

Cloud Management for NGFWs: Troubleshooting for NGFW Connectivity and Policy Enforcement

September 29, 2023
Supported on Strata Cloud Manager for:
Troubleshoot these networking and identity features to track down and resolve connectivity issues or policy enforcement anomalies:
Network Troubleshooting for NAT and DNS Proxy
Troubleshoot your NGFWs from Strata Cloud Manager without having to move between various firewall interfaces. If you experience connectivity issues after deploying and configuring your NGFWs, you can get an aggregate view of your routing and tunnel states, and drill down to specifics to find anomalies and problematic configurations.
Identity and Policy Troubleshooting
Troubleshoot your identity-based policy rules and dynamically defined endpoints. Check the status of specific NGFWs and expose possible mismatches between how you expect a policy to work and its actual enforcement behavior.

Cloud Management for NGFWs: Config Cleanup

September 29, 2023
Supported on Strata Cloud Manager for:
Do dynamic business needs often require you to deal with rapid configuration changes that result in complex configurations with a number of zero hit rules, zero hit objects, unused objects, and duplicate objects? Such configurations can lead to a poor security posture and can inadvertently increase the attack surface of your network. Config Cleanup has you covered.
Config Cleanup gives you a comprehensive view of all policy rules that have no hits, objects that aren't referenced directly or indirectly in your configuration, objects that are referenced in a policy rule but have no hits in the Traffic log during the specified time frame, and objects of the same type that have different names but the same values, so that you can better:
  • Manage attack surface exposure
  • Prioritize remediation actions
  • Remediate over time
  • Respond to audit questions when they arise
Identify and remove unused configuration objects and policy rules from your configuration. Removing unused configuration objects eases administration by removing clutter and preserving only the configuration objects that are required for security enforcement.
Review unused objects and policy rules across your entire Strata Cloud Manager configuration for the last 6 months, and optimize overly permissive policy rules by converting them to more specific, focused rules that only allow the applications you’re actually using.
Together with Policy Optimizer, these tools help you ensure that your policy rules stay fresh and up to date.
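The four categories described above can be reproduced over a small constructed configuration. This is an added example, not Strata Cloud Manager code or its export format; the data model (rule and object dictionaries, hit counters) and all names are hypothetical.

```python
from collections import defaultdict

# Constructed sample data in a hypothetical model (not a Strata Cloud Manager export).
OBJECTS = {
    "web-srv":     {"type": "address", "value": "10.1.1.10/32"},
    "web-srv-old": {"type": "address", "value": "10.1.1.10/32"},  # same value, other name
    "db-srv":      {"type": "address", "value": "10.1.2.20/32"},
    "lab-net":     {"type": "address", "value": "10.9.0.0/16"},   # referenced nowhere
    "dmz-group":   {"type": "address-group", "members": ["web-srv"]},
    "all-servers": {"type": "address-group", "members": ["dmz-group", "db-srv"]},
}
RULES = [
    {"name": "allow-web",    "refs": ["all-servers"], "hits": 1200},
    {"name": "allow-legacy", "refs": ["web-srv-old"], "hits": 0},
]
# Traffic log hits per object during the review window (constructed).
OBJECT_HITS = {"web-srv": 1200, "dmz-group": 1200, "all-servers": 1200}


def expand(name, objects, seen):
    """Add `name` and everything it reaches through nested groups to `seen`."""
    if name in seen or name not in objects:
        return  # already visited (also stops group cycles) or dangling reference
    seen.add(name)
    for member in objects[name].get("members", []):
        expand(member, objects, seen)


def config_cleanup(rules, objects, object_hits):
    # Objects referenced directly by a rule or indirectly through group nesting.
    referenced = set()
    for rule in rules:
        for ref in rule["refs"]:
            expand(ref, objects, referenced)

    # Same type and same value (or same member set) under different names.
    by_value = defaultdict(list)
    for name, obj in objects.items():
        key = (obj["type"], obj.get("value"), tuple(sorted(obj.get("members", []))))
        by_value[key].append(name)

    return {
        "zero_hit_rules": [r["name"] for r in rules if r["hits"] == 0],
        "unused_objects": sorted(set(objects) - referenced),
        "zero_hit_objects": sorted(n for n in referenced if object_hits.get(n, 0) == 0),
        "duplicate_objects": sorted(
            sorted(names) for names in by_value.values() if len(names) > 1
        ),
    }


if __name__ == "__main__":
    for category, items in config_cleanup(RULES, OBJECTS, OBJECT_HITS).items():
        print(f"{category}: {items}")
```

Note that `db-srv` is reachable only through two levels of group nesting, so it counts as referenced but zero-hit rather than unused.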

Cloud Management for NGFWs: Policy Optimizer

September 29, 2023
Supported on Strata Cloud Manager for:
Hone and optimize overly permissive security rules so that they only allow traffic that is actually in use in your network. Rules that are too broad introduce security gaps because they allow applications that are not in use in your network. Policy Optimizer enables you to convert these overly permissive rules to more specific, focused rules that only allow the applications you’re actually using.
Strata Cloud Manager analyzes log data and categorizes rules as overly permissive when they allow any application traffic and are at least 15 days old. These rules can introduce security loopholes if they’re allowing traffic that’s not necessary for enterprise use.
For rules identified as overly permissive, Strata Cloud Manager auto-generates recommendations you can accept to optimize the rule. The new, recommended rules are more specific and targeted than the original rule; they explicitly allow only the applications that have been detected in your network in the last 90 days.
Select an overly permissive rule to review, adjust, and accept optimization recommendations. Replacing these rules with the more specific, recommended rules strengthens your security posture. You can choose to accept some or all of the rule recommendations. Accepting recommendations to optimize a rule does not remove the original rule. The original rule remains listed below the new rules in your Security policy; this is so you can monitor the rule, and remove it when you’re confident that it’s not needed. Both the original rule and optimized rules are tagged so you can easily identify them in your Security policy.
Together with Config Cleanup, these tools help you ensure that your policy rules stay fresh and up to date.
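The selection and recommendation logic described above, applied to constructed rules and log entries. This is an added example, not Strata Cloud Manager code; the data model, the tag values, the one-rule-per-application naming, and the use of per-rule log entries to decide which applications were detected are assumptions.

```python
from datetime import date, timedelta

MIN_RULE_AGE_DAYS = 15  # from the text: rules must be at least 15 days old
LOOKBACK_DAYS = 90      # from the text: applications detected in the last 90 days

# Constructed sample data (hypothetical model).
TODAY = date(2023, 9, 29)
RULES = [
    {"name": "branch-out", "application": "any", "created": date(2023, 6, 1)},
    {"name": "new-any",    "application": "any", "created": date(2023, 9, 20)},
    {"name": "dns-only",   "application": "dns", "created": date(2023, 1, 10)},
]
TRAFFIC_LOG = [  # (log date, matching rule, application)
    (date(2023, 9, 1),  "branch-out", "ssl"),
    (date(2023, 8, 15), "branch-out", "web-browsing"),
    (date(2023, 5, 2),  "branch-out", "ftp"),   # outside the 90-day window
    (date(2023, 9, 25), "new-any",    "ssh"),
    (date(2023, 9, 10), "dns-only",   "dns"),
]


def is_overly_permissive(rule, today):
    """Rule allows any application and is at least MIN_RULE_AGE_DAYS old."""
    old_enough = (today - rule["created"]).days >= MIN_RULE_AGE_DAYS
    return rule["application"] == "any" and old_enough


def seen_applications(rule_name, traffic_log, today):
    """Applications logged against the rule within the lookback window."""
    cutoff = today - timedelta(days=LOOKBACK_DAYS)
    return sorted(
        {app for day, name, app in traffic_log if name == rule_name and day >= cutoff}
    )


def optimize(rules, traffic_log, today):
    """Return the rulebase with recommended rules placed above each original rule."""
    rulebase = []
    for rule in rules:
        if not is_overly_permissive(rule, today):
            rulebase.append(rule)
            continue
        for app in seen_applications(rule["name"], traffic_log, today):
            rulebase.append({
                "name": f'{rule["name"]}-{app}',   # hypothetical naming scheme
                "application": app,
                "created": today,
                "tag": "optimized",                 # hypothetical tag value
            })
        # The original rule is kept below the new rules so it can be monitored.
        rulebase.append({**rule, "tag": "original"})
    return rulebase


if __name__ == "__main__":
    for r in optimize(RULES, TRAFFIC_LOG, TODAY):
        print(r["name"], r["application"], r.get("tag", "-"))
```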

Cloud Management for NGFWs: Explicit Web Proxy

September 29, 2023
Supported on Strata Cloud Manager for:
Prisma Access has its own, separate method of configuring explicit proxy. This new feature applies only to cloud-managed firewalls.
You can now configure a web proxy on the firewalls you're managing with Strata Cloud Manager. That means that if you plan to use an NGFW as a proxy device to secure your network, you can now configure your proxy settings across your deployment from a simple, unified management interface.
This interface includes an in-app proxy auto-configuration (PAC) file editor so that you can edit your proxy settings and modify your PAC file all in one place whenever network changes arise.
The web proxy supports two methods for routing traffic:
  • For the explicit proxy method, the request contains the destination IP address of the configured proxy and the client browser sends requests to the proxy directly. You can use one of the following methods to authenticate users with the explicit proxy:
    • Kerberos, which requires a web proxy license.
    • SAML 2.0, which requires a Prisma Access license and the add-on web proxy license.
  • For the transparent proxy method, the request contains the destination IP address of the web server and the proxy transparently intercepts the client request (either by being in-line or by traffic steering). There is no client configuration and Panorama is optional. Transparent proxy requires a loopback interface, User-ID configuration in the proxy zone, and specific Destination NAT (DNAT) rules, which you can configure using Transparent Proxy Rules in Strata Cloud Manager. Transparent proxy does not support X-Authenticated Users (XAU) or Web Cache Communications Protocol (WCCP).
You can push web proxy configurations to the following platforms:
  • PA-1400
  • PA-3400
  • VM Series (with a minimum of four vCPUs)

Strata Cloud Manager: SaaS Application Endpoint Lists and Enforcement

September 29, 2023
Supported on Strata Cloud Manager for:
SaaS providers publish lists of the IP addresses and URL endpoints their SaaS applications use, and frequently update these lists. Strata Cloud Manager now consumes application endpoint lists from the Palo Alto Networks EDL Hosting Service, so that you can easily enforce policy for SaaS providers including (but not limited to):
  • Microsoft
  • Azure
  • Amazon Web Services (AWS)
  • Google Cloud Platform (GCP)
  • Salesforce (SFDC) public endpoints
  • Microsoft Defender
  • Zoom
  • GitHub
In Strata Cloud Manager, you can now subscribe to SaaS application endpoint lists (both optional and required), and reference the lists in policies for your cloud-managed NGFWs and Prisma Access.
Important to know:
  • This feature natively integrates the Palo Alto Networks EDL Hosting Service with Strata Cloud Manager. If you are or were previously using the EDL Hosting Service, the introduction of this feature doesn't impact any of your existing configuration. Any EDLs you've already created that reference a feed URL will continue to work as expected.
  • Until now, the O365-Best-Practice snippet enabled you to directly subscribe to M365 endpoint lists in Strata Cloud Manager. With this feature, this snippet is now updated to be an application endpoint list. If you were using this snippet in a policy rule, the update is seamless, and the policy rule will reference the migrated application endpoint list.
  • SaaS Tenant Restrictions continue to provide you a way to limit SaaS app usage to enterprise accounts (to stop users from accessing their personal accounts on the company network).
  • SaaS providers publish lists of the IP addresses and URL endpoints their SaaS applications use, and frequently update these lists. Strata Cloud Manager now hosts these SaaS application endpoint lists directly, so that you can enforce policy for application endpoints from SaaS providers including (but not limited to):

Strata Cloud Manager: Snippet Deletion

September 29, 2023
Supported on Strata Cloud Manager for:
Snippets are configuration objects, or groups of configuration objects, that can be associated with your folders, firewalls, and Prisma Access deployments. They are used to standardize configurations, allowing you to push changes quickly to all areas. Snippets are classified in two ways: Predefined and Custom. Predefined snippets are available to all Strata Cloud Manager users and can be used to quickly get your new firewalls and deployments up and running with best practice configurations. Custom snippets are any snippets created by administrators.
Delete custom snippets that are no longer associated with any deployments, firewalls, or folders to keep your configuration scope organized.
Unused snippets can be deleted straight from the configuration scope view.
Deleting custom snippets is supported. Predefined snippets available in Strata Cloud Manager can't be deleted.

Strata Cloud Manager: Enhancements to WildFire Dashboard

September 27, 2023
Supported on Strata Cloud Manager for:
The Advanced WildFire dashboard is now enhanced to provide a comprehensive view of sample analysis data that you can use to make informed decisions. The dashboard displays the source of WildFire sample submissions, insights into unique and new samples by threat type, and context on the most recent submissions from your network. The dashboard also enables filtering of data based on a file hash.

Strata Cloud Manager: Advanced WildFire Analysis Data in IoC Search

September 15, 2023
Supported on Strata Cloud Manager for:
IOC search now gives you visibility into the analysis results of samples analyzed by Advanced WildFire, a cloud-based engine that detects and prevents highly evasive malware threats. Use this data along with the static and dynamic WildFire analysis data for file analysis in IOC search results to view the file behaviors observed by WildFire and for post-execution analysis.
Perform an IOC search for a file hash to view the Advanced Dynamic WildFire analysis data under Advanced WildFire Dynamic Analysis.

Strata Cloud Manager: Signature-Based PCAP in Threat Logs

September 15, 2023
Supported on Strata Cloud Manager for:
You can now view and download signature-based packet captures (PCAPs), along with the inline detected PCAPs, in threat logs. These packet captures provide context around a threat to help you report false positives or learn more about the methods used by the attacker. To download a PCAP, view threat type logs in the Log Viewer and download packet captures.

Strata Cloud Manager: Log Viewer Visibility Enhancements

September 15, 2023
Supported on Strata Cloud Manager for:
Log Viewer is enhanced so that you can search and view relevant logs easily. The enhancements include:
  • Autosuggestions for field values when you select a field in the query builder.
  • Search field names using substrings (for example, a search with the string ‘user’ returns suggestions such as source_user, destination_user).
  • Search for a field based on the displayed field name in the log table and not just the actual field name in the log record. The query builder uses the displayed field name.
  • Press Shift + Enter to start a new line in the query builder, and press Enter to submit a query.