Strata Cloud Manager AIOps

The document provides an overview of Strata Cloud Manager AIOps, detailing its features, licensing changes, and activation procedures for NGFWs. It outlines the transition from AIOps for NGFW Premium licenses to Strata Cloud Manager Essentials and Pro, effective May 8, 2025. Additionally, it describes the functionalities available in both free and premium tiers, emphasizing the importance of device telemetry and security posture monitoring.

docs.paloaltonetworks.com
Contact Information
Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
www.paloaltonetworks.com/company/contact-support

About the Documentation


• For the most recent version of this guide or for access to related documentation, visit the Technical
Documentation portal docs.paloaltonetworks.com.
• To search for a specific topic, go to our search page docs.paloaltonetworks.com/search.html.
• Have feedback or questions for us? Leave a comment on any page in the portal, or write to us at
[email protected].

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2023-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo
Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/
trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
May 24, 2023

Strata Cloud Manager AIOps 2 ©2025 Palo Alto Networks, Inc.


Table of Contents

AIOps for NGFW
  Regions for AIOps for NGFW
  Free and Premium Features
  How to Activate AIOps for NGFW
  Where Are My AIOps for NGFW Features?
  Panorama CloudConnector Plugin
  Get Alert Notifications
  Troubleshoot NGFW Connectivity and Policy Enforcement Anomalies

Device Telemetry for AIOps for NGFW
  Domains Required for AIOps for NGFW

Optimize Security Posture
  Monitor Security Posture Insights
  Monitor Feature Adoption
  Monitor Security Subscriptions
  Assess Vulnerabilities
  Monitor Compliance Summary
  Proactively Enforce Security Checks
  Policy Analyzer
    Types of Anomalies That Policy Analyzer Detects
    Pre-Change Policy Analysis
    Pre-Change Policy Analysis Reports
    Post-Change Policy Analysis

NGFW Health and Software Management
  Monitor Device Health
  Get Upgrade Recommendations
  Analyze Metric Capacity

Best Practices for NGFWs
  On-Demand BPA Report
    Can I Still Generate BPA Reports from the Customer Support Portal?
  Best Practices


AIOps for NGFW
Drawing on data collected through PAN-OS device telemetry, AIOps for NGFW gives you
an overview of the health and security of your next-generation firewall deployment to help
you identify areas of improvement and close security gaps. AIOps for NGFW derives health
information from device telemetry metrics related to the operational status of your devices. For
security information, AIOps for NGFW analyzes the configuration of your devices against Palo
Alto Networks best practices to point out any potential gaps in your security posture.
AIOps for NGFW Premium & Strata Cloud Manager
Strata Cloud Manager provides unified management and operations only for NGFWs with an
AIOps for NGFW Premium license.
• PAN-OS and Panorama managed NGFWs: Use Strata Cloud Manager to monitor deployment
health and security posture for NGFWs with an AIOps for NGFW Premium license.
• Cloud managed NGFWs: If you have an AIOps for NGFW Premium license, you can also
leverage Strata Cloud Manager for cloud management for NGFWs.
Strata Cloud Manager Licensing Changes
Starting in October 2024, Strata Cloud Manager has two licensing tiers: Strata Cloud Manager
Essentials and Strata Cloud Manager Pro. This unified structure streamlines the deployment
of network security offerings, including AIOps for NGFW, Autonomous Digital Experience
Management (ADEM), cloud management functionality, and Strata Logging Service. See Strata
Cloud Manager License.
Strata Cloud Manager Essentials replaces AIOps for NGFW Free, offering access to all the AIOps
for NGFW Free features and additional capabilities. Strata Cloud Manager Essentials and Strata
Cloud Manager Pro are available to activate in customer support portal (CSP) accounts that don't
have: Strata Logging Service with sized storage, AIOps for NGFW Free or Premium, or Prisma®
Access.
License Migration and End-of-Sale Announcement
Palo Alto Networks has announced May 8, 2025, as the end-of-sale date for the AIOps for
NGFW Premium licenses. Starting in March 2025, existing customers with these licenses will be
automatically migrated to alternative licenses in phases at no additional cost.
• AIOps for NGFW Free customers → Migrated to Strata Cloud Manager Essentials. Following
the migration, the AIOps for NGFW Free tile will not be available on hub. Instead, you need to
use the Strata Cloud Manager tile to access the features.
• AIOps for NGFW Premium customers → Migrated to Strata Cloud Manager Pro.
Get started:
• Free and Premium AIOps for NGFW
• Activate AIOps for NGFW
• Start sending device telemetry to AIOps for NGFW
• New Features

• On-Demand BPA Report


• AIOps for NGFW Incidents and Alerts

Regions for AIOps for NGFW


Where Can I Use This?
• NGFW, including those funded by Software NGFW Credits

What Do I Need?
One of these:
• AIOps for NGFW Free or Strata Cloud Manager Essentials
• AIOps for NGFW Premium or Strata Cloud Manager Pro

The region that you select when you activate AIOps for NGFW determines the physical location
in which AIOps processes your data.
AIOps for NGFW is not offered in all the regions where the Strata Logging Service (SLS)
infrastructure is supported. AIOps for NGFW deployment will expand to additional regions soon
to match the telemetry data destinations. Currently, if you send your telemetry data to a region
where the AIOps application is not supported, your data will be processed by an AIOps for NGFW
instance in the United States-Americas region.
When you activate AIOps for NGFW, these restrictions are applied automatically. For example,
if you select Germany as the region to activate an instance of AIOps for NGFW, only Germany-
based SLS tenants can be attached to that instance.

• The same regions that support AIOps for NGFW also support NGFWs in Strata Cloud
Manager.
• If your telemetry data is sent to a region different from the AIOps for NGFW
application's region, you might experience delays in telemetry processing and reduced
data visibility within your application.

Refer to the following table to understand the AIOps data processing for the various telemetry
destination regions.

Strata Logging Service Region | Supported Region for an AIOps for NGFW Instance to Process Data
Germany | Germany
United Kingdom | United Kingdom
Netherlands - Europe | Netherlands - Europe
Italy - Europe | Italy - Europe
Spain - Europe | Spain - Europe
Switzerland - Europe | Switzerland - Europe
France - Europe | France - Europe
Poland - Europe | Poland - Europe
Korea | Korea
Indonesia | Indonesia
Israel | Israel
Taiwan | Taiwan
Qatar | Qatar
Singapore | Singapore
Australia | Australia
India | India
Saudi Arabia | Saudi Arabia
Japan | Japan
Canada | Canada
Remaining SLS Regions | United States-Americas

Free and Premium Features


Where Can I Use This?
• NGFW, including those funded by Software NGFW Credits

What Do I Need?
One of these:
• AIOps for NGFW Free or Strata Cloud Manager Essentials
• AIOps for NGFW Premium or Strata Cloud Manager Pro

AIOps for NGFW comes in two license tiers: free and premium.
Free AIOps for NGFW features enrich your understanding of your firewall deployment.
Free features:
• assess the firewall’s configuration and identify areas for improvement
• provide easy access to runtime and historical telemetry data from firewalls
• detect system issues (independent of the detection method)
• reduce time to resolution through alert/notification workflows
• provide dynamic dashboards and visualizations for several security subscriptions
With a premium tier license, you have access to both free and premium features. Premium
features focus on ensuring full utilization and maximal security outcome from your firewalls.
Premium features:
• Cloud management for NGFWs

Contact your account team to enable Cloud Management for NGFWs using Strata
Cloud Manager.
• use advanced ML techniques to promote an always-optimal security posture that responds to
the changing threat and network landscapes, thereby reducing the attack surface
• provide dynamic dashboards and visualizations for WildFire and IOC Search
• interact with data and visualize the relationships between events on the network in the Strata
Cloud Manager Command Center to uncover anomalies or find ways to enhance your network
security

Strata Cloud Manager has two licensing tiers: Strata Cloud Manager Essentials and Strata
Cloud Manager Pro. This unified structure streamlines the deployment of network security
offerings, including AIOps for NGFW, Autonomous Digital Experience Management
(ADEM), cloud management functionality, and Strata Logging Service. See Strata Cloud
Manager License.
Palo Alto Networks has announced May 8, 2025, as the end-of-sale date for the AIOps
for NGFW Premium licenses. Starting in March 2025, existing customers with these
licenses will be automatically migrated to alternative licenses in phases at no additional
cost.
• AIOps for NGFW Free customers → Migrated to Strata Cloud Manager Essentials.
Following the migration, the AIOps for NGFW Free tile will not be available on hub.
Instead, you need to use the Strata Cloud Manager tile to access the features.
• AIOps for NGFW Premium customers → Migrated to Strata Cloud Manager Pro.

Feature Set | Free | Premium (use Strata Cloud Manager)
Strengthen Security Posture | Partial | Yes
• Security Posture Insights | Yes | Yes
• Feature Adoption | Yes | Yes
• Security Posture Settings | No | Yes
• Software Upgrade Recommendations | No | Yes
• CDSS Adoption | Yes | Yes
• Policy Analyzer | No | Yes
• On-Demand BPA Report | Yes | Yes
• Panorama CloudConnector Plugin | No | Yes
• Capacity Analyzer | No | Yes
• NGFW SDWAN Dashboard | No | Yes
• Compliance Summary Dashboard | No | Yes
Proactively Resolve Firewall Disruptions | Partial | Yes
• Alerts and Incidents | Partial | Yes
• PAN-OS CVEs dashboard | Yes | Yes
• Probable Cause Analysis for Alerts | No | Yes
Troubleshoot with Logs | Yes | Yes
• View, query and export logs in Log Viewer | Yes | Yes
  (Check licenses and other requirements to use Log Viewer.)
• Export Metadata for Troubleshooting | Yes | Yes
• View audit log | Yes | Yes
Optimize Your Security Investment | Partial | Yes
• Device ranking based on health and security posture | Yes | Yes
• All dashboards and reports except Threat Insights dashboard | Yes | Yes
• Threat Insights dashboard and report | No | Yes
• Search for security artifacts | No | Yes
• Build custom dashboard | No | Yes
• Strata Cloud Manager Command Center | No | Yes
Notifications | Partial | Yes
• Email Notifications | Yes | Yes
• ServiceNow Integration | No | Yes
Engagement and Support | No | Yes
• In-product support ticket creation capability for operational issues | No | Yes
  (requires Platinum Tier Support on the firewall, except for Power Supply Failure alerts)

New capabilities in the product, across all feature categories, will be assigned to the Free
and Premium tiers based solely on the discretion of Palo Alto Networks.

How to Activate AIOps for NGFW


Where Can I Use This?
• NGFW, including those funded by Software NGFW Credits

What Do I Need?
One of these:
• AIOps for NGFW Free or Strata Cloud Manager Essentials
• AIOps for NGFW Premium or Strata Cloud Manager Pro

Here are the different scenarios for activating AIOps for NGFW:

Scenario | Plan
Activating AIOps for NGFW Free | Activate AIOps for NGFW (Free)
Activating AIOps for NGFW Premium (use Strata Cloud Manager app) | Activate AIOps for NGFW Through Common Services
Onboarding new devices to the activated AIOps for NGFW Free instance | Associate devices to a tenant; Enable Telemetry on Devices
Onboarding new devices to the activated AIOps for NGFW Premium (use Strata Cloud Manager app) | Associate devices to a tenant; Associate devices in tenant to app; Enable Telemetry on Devices
Activating ELA AIOps for NGFW Premium | Activate Enterprise License Agreement (ELA) AIOps for NGFW Premium
Using Strata Cloud Manager (AIOps for NGFW Premium) to manage VM-Series | Activate a Software NGFW Credits License Agreement
Using Strata Cloud Manager (AIOps for NGFW Premium) for Panorama Managed VM-Series | Activate a Software NGFW Credits License for Panorama Managed VM-Series
Converting AIOps for NGFW Premium trial license to production | Convert Trial License to Production
Activate Strata Cloud Manager Essentials and Strata Cloud Manager Pro | Activate Strata Cloud Manager Essentials; Activate Strata Cloud Manager Pro

Strata Cloud Manager is available, featuring two licensing tiers: Strata Cloud Manager Essentials
and Strata Cloud Manager Pro. This unified structure streamlines the deployment of network
security offerings, including AIOps for NGFW, Autonomous Digital Experience Management
(ADEM), cloud management functionality, and Strata Logging Service.
Strata Cloud Manager Essentials replaces AIOps for NGFW Free, offering access to all the AIOps
for NGFW Free features and additional capabilities. Strata Cloud Manager Essentials and Strata
Cloud Manager Pro are available to activate in customer support portal (CSP) accounts that don't
have: Strata Logging Service with sized storage, AIOps for NGFW Free or Premium, or Prisma
Access.
Palo Alto Networks has announced May 8, 2025, as the end-of-sale date for the AIOps for
NGFW Premium licenses. Starting in March 2025, existing customers with these licenses will be
automatically migrated to alternative licenses in phases at no additional cost.
• AIOps for NGFW Free customers → Migrated to Strata Cloud Manager Essentials. Following
the migration, the AIOps for NGFW Free tile will not be available on hub. Instead, you need to
use the Strata Cloud Manager tile to access the features.
• AIOps for NGFW Premium customers → Migrated to Strata Cloud Manager Pro.

FedRAMP accounts can't use AIOps for NGFW. To check if this applies to you, sign in to
your Customer Support Portal account and select Account Management > Account
Details. If you see a FedRamp Account listed, then you cannot use AIOps for NGFW.

Activate AIOps for NGFW (Free)


Activation requires the Account Administrator or App Administrator role.
1. Log in to the hub.
2. Go to the AIOps for NGFW Free activation URL: https://apps.paloaltonetworks.com/activation/aiops-free.
3. Complete the form.
   • Customer Support Account: Your Customer Support Portal account ID.
   • Tenant: Select the tenant where you will activate the AIOps for NGFW Free instance. If you don’t have an existing tenant, select Create New.
   • Region: The deployment region and the region where your data logs are stored. See Regions for AIOps for NGFW.
   • Strata Logging Service: The Strata Logging Service from which you want to send data to AIOps for NGFW Free. If you have a logging SLS, you can associate it with AIOps for NGFW Free and select the SLS region. Otherwise, you can skip it.
4. Agree to the Terms and Conditions and Activate.
5. AIOps for NGFW Free is ready after Status shows Complete.

6. Associate devices to a tenant containing your AIOps for NGFW Free instance.
   1. Log in to the hub.
   2. Select Common Services > Device Associations.
   3. Select Add Device.
   4. Select one or more firewalls or Panorama appliances and Save.
      You need to associate Panorama to the tenant containing AIOps for NGFW Free if you're onboarding Panorama-managed deployments. Make sure to individually associate all the firewalls managed by Panorama to the tenant.
      The devices that you associated with the tenant will be automatically added to AIOps for NGFW Free. For more information, see Associate devices to a tenant.

   • For AIOps for NGFW Free activation, associating apps with devices isn't required.
   • You can associate devices to a tenant at the beginning of activation if you already have an existing tenant.
   • You can remove device associations if, for example, you are retiring or returning a firewall or Panorama appliance, or if you want to associate it with another tenant service group (TSG).
7. Enable telemetry on devices.
   1. Confirm the device is registered in the Customer Support Portal by logging in to support.paloaltonetworks.com, switch to your account (if necessary), and identify your device in Assets > Devices.
   2. Install a device certificate on the devices you want to onboard.
   3. Enable telemetry sharing on the devices.

   After you onboard the devices and enable telemetry, it takes around a couple of hours for the first set of insights to be visible on the AIOps for NGFW dashboard. The process of generating and sending telemetry on the device's side is done in batches, with each metric being sampled and collected at a frequency optimized for the use cases the metric is used for. This batch process can result in a delay between onboarding the firewall and the availability of insights. It might take several hours for all insights associated with a newly onboarded device to appear on the AIOps for NGFW dashboard.
8. Log in to AIOps for NGFW Free by clicking on its icon in the hub.

Where Are My AIOps for NGFW Features?


This content is for the cloud management of Next-Generation Firewalls with AIOps for
NGFW and Strata Cloud Manager. To get started managing Next-Generation Firewalls
with PAN-OS, click here.

Where Can I Use This?
• NGFW, including those funded by Software NGFW Credits

What Do I Need?
One of these:
• AIOps for NGFW Free or Strata Cloud Manager Essentials
• AIOps for NGFW Premium or Strata Cloud Manager Pro

Palo Alto Networks Strata Cloud Manager is a new AI-Powered, unified network security
management platform. Now, you can use Strata Cloud Manager to interact with and manage
AIOps for NGFW together with your other Palo Alto Networks products and subscriptions.
To launch Strata Cloud Manager:
• Go to the hub and launch the Strata Cloud Manager app
• Go directly to the Strata Cloud Manager URL

• Strata Cloud Manager provides unified management and operations only for
NGFWs using the AIOps for NGFW Premium license. The application tile name
on the hub for AIOps for NGFW (the premium app only) is now changed to Strata
Cloud Manager. With this update, the application URL has also changed to
stratacloudmanager.paloaltonetworks.com, and you’ll also now see the Strata Cloud
Manager logo on the left navigation pane. Continue to use the AIOps for NGFW Free
app for the NGFWs onboarded to AIOps for NGFW Free.
• Contact your account team to enable Cloud Management for NGFWs using Strata
Cloud Manager.

If you've previously used the AIOps for NGFW app, here's where you can find your features in
Strata Cloud Manager:

Table 1:

AIOps for NGFW App: Where to find these same features in Strata Cloud Manager

Dashboards
  → Go to Dashboards → Device Health

Alerts
  → Go to Incidents & Alerts → NGFW

Monitor
  → Go to Monitor → Devices → NGFW

Posture
  → Go to Dashboards to see:
    • Best Practices dashboard
    • Security Posture Insights dashboard
    • NGFW SD-WAN dashboard
    • Security Advisory dashboard (PAN-OS CVEs)
    • CDSS Adoption dashboard
    • On-Demand BPA dashboard
    • Feature Adoption dashboard
    • Compliance Summary dashboard
  → Go to Manage → Security Posture to find:
    • Settings - Panorama Managed
    • Config Cleanup
    • Policy Optimizer
    • Compliance Checks
    • Policy Analyzer

Activity
  → Go to Dashboards to see:
    • Network Usage
    • Threat Insights
    • Application Usage
    • Advanced WildFire
    • DNS Security
    • Executive Summary
    • User Activity
  → Go to Reports to generate reports for supported dashboards.
  → Go to Incidents & Alerts for Log Viewer.

Workflows
  → Go to Workflows > Software Upgrades to use the Upgrade Recommendations.

Reports
  → Go to Reports to schedule reports for supported dashboards.

Search
  → Go to Monitor for the IoC Search.

Settings
  → Go to Incidents & Alerts > NGFW > Incidents & Alerts Settings to see Forecast and Anomaly Incidents & Alerts.
  → Go to Incidents & Alerts > NGFW to set Notification Rules.
  → Go to Settings to see:
    • Audit Logs
    • User Preferences
  → Go to Manage > Security Posture to customize Settings - Panorama Managed.
  → Go to Help → Export Tenant Metadata.

–
  Looking for how to manage NGFWs with Strata Cloud Manager?
  This is supported only with Strata Cloud Manager with AIOps for NGFW Premium, and is not available in the AIOps for NGFW app.
  → Go to Manage > Configuration > NGFWs and Prisma Access and Workflows > NGFW Setup.

Panorama CloudConnector Plugin


Where Can I Use This?
• NGFW, including those funded by Software NGFW Credits

What Do I Need?
• AIOps for NGFW Premium or Strata Cloud Manager Pro

Want to proactively check your policy rules for adherence to best practices? You should not
have to wait to get an alert and then fix a problem after you’ve pushed your policy rules. Connect
AIOps for NGFW or Strata Cloud Manager to your Panorama to evaluate your configuration
against certain best practice checks before pushing it to your managed firewalls. See Proactively
Enforcing Security Checks.
Updates to your Security policy rules are often time-sensitive and require you to act quickly.
However, you want to ensure that any update you make to your security policy rulebase meets
your requirements and does not introduce errors or misconfigurations (such as changes that result
in duplicate or conflicting rules).
To achieve this, the Policy Analyzer in Strata Cloud Manager enables you to optimize time and
resources when implementing a change request. Policy Analyzer not only analyzes and provides
suggestions for possible consolidation or removal of specific rules to meet your intent but
also checks for anomalies, such as Shadows, Redundancies, Generalizations, Correlations and
Consolidations in your rulebase.
Connect AIOps for NGFW or Strata Cloud Manager to your Panorama and use Policy Analyzer to
add or optimize your Security policy rulebase. See Policy Analyzer.
You’ll need these things to connect AIOps for NGFW to your Panorama:

• AIOps for NGFW or Strata Cloud Manager instance: You don't need an AIOps for NGFW Premium license to install the Panorama CloudConnector plugin. However, the Premium license is required to use premium features like the Policy Analyzer and Proactive Best Practice Assessment (BPA).

• A Panorama with a device certificate installed.

• The Panorama CloudConnector Plugin installed on your Panorama running PAN-OS 10.2.3 and above.
  You need to enable this plugin using the command:
  > request plugins cloudconnector enable basic

  • To help customers, we have preinstalled this plugin with newer Panorama versions (11.0.1 and above).
  • If you have already installed both the AIOps plugin and the CloudConnector plugin, uninstall the AIOps plugin, as they are identical and only the name has changed. Ensure that you have only one plugin installed, which should be the latest version of the CloudConnector plugin.

  If you installed the AIOps plugin on PAN-OS 10.2.3 and then upgraded to PAN-OS 11.0.1 or later, a default version of the plugin will be installed with the new PAN-OS version. This results in both plugins being present on Panorama. In this case, follow these steps:
  1. In the Panorama web interface, select Panorama > Plugins and Uninstall the AIOps plugin.
  2. Enable the CloudConnector plugin:
     > request plugins cloudconnector enable basic

  CloudConnector plugin 2.2.0 supports proxy configuration settings from Panorama. These settings only take effect after a commit. Here are the scenarios:
  • Configuring Proxy Settings: When you configure proxy settings and perform a commit, the CloudConnector plugin won't recognize the new proxy settings during this commit. After the commit, the plugin will use the proxy configuration for future interactions with the cloud.
  • Removing Proxy Settings: When you remove proxy settings and perform a commit, the CloudConnector plugin won't recognize the removed proxy settings during the commit. After the commit, the plugin will no longer use the proxy configuration for future interactions with the cloud.

• Device telemetry enabled on your Panorama.

• A security policy rule that allows communication between Panorama and the FQDN that corresponds to your Strata Logging Service host region:

  Americas (americas): https://prod.us.secure-policy.cloudmgmt.paloaltonetworks.com/
  Australia (au): https://prod.au.secure-policy.cloudmgmt.paloaltonetworks.com/
  Canada (ca): https://prod.ca.secure-policy.cloudmgmt.paloaltonetworks.com/
  Europe (europe): https://prod.eu.secure-policy.cloudmgmt.paloaltonetworks.com/
  FedRAMP (gov): https://prod.gov.secure-policy.cloudmgmt.paloaltonetworks.com/
  Germany (de): https://prod.de.secure-policy.cloudmgmt.paloaltonetworks.com/
  India (in): https://prod.in.secure-policy.cloudmgmt.paloaltonetworks.com/
  Japan (jp): https://prod.jp.secure-policy.cloudmgmt.paloaltonetworks.com/
  Singapore (sg): https://prod.sg.secure-policy.cloudmgmt.paloaltonetworks.com/
  United Kingdom (uk): https://prod.uk.secure-policy.cloudmgmt.paloaltonetworks.com/

Get Alert Notifications


Where Can I Use This?
• NGFW, including those funded by Software NGFW Credits

What Do I Need?
One of these:
• AIOps for NGFW Free or Strata Cloud Manager Essentials
• AIOps for NGFW Premium or Strata Cloud Manager Pro

Integrating Strata Cloud Manager into your existing operations involves setting up proactive
alerts, allowing you to detect and manage potential issues before they escalate into serious
complications. These alerts can be tailored to match your operations team's case management
protocol, such as the commonly used P1s or P2s.
For instance, you might set up an alert system wherein critical alerts, which represent the most
critical issues, are instantaneously escalated to your security team for immediate attention. On
the other hand, warning alerts, which are of lesser urgency but still significant, can be arranged for
daily review. Such an arrangement ensures efficient incident management while maintaining the
smooth running of your operations.
Another option is to route alerts based on teams; certain categories of alerts, or even specific
alerts, can be routed to the teams that are best equipped to handle them. To define
notification preferences, such as which alerts trigger notifications, how you receive notifications,
and how often you receive them, create a notification rule.
Here is a video that shows how to create a notification rule.
STEP 1 | Select Incidents & Alerts > Incident & Alert Settings > Notification Rules > + Add
Notification Rule

STEP 2 | Enter a Name and Description.

STEP 3 | Add New Condition to specify the Rule Conditions that will trigger the notification.
For example, to create a notification for hardware alerts, select subCategory, Equals, and
Hardware.


STEP 4 | Choose the Notification Type and Recipients of the notification.


1. If choosing Email, select an email group, which is a group of users that will receive the
   email notifications, or Create a New Email Group.
   1. If creating a new email group, enter an Email Group Name and begin typing the
      Email Addresses of those you want to add to the group. Press the Return key after
      completing each email address.
   2. Select Next.
   3. Select the frequency with which you want to send these notifications:
      • Immediately
      • Grouped and sent every 4 hours
      • Grouped and sent once a day
2. If choosing ServiceNow, enter the ServiceNow URL, client credentials, ServiceNow
   credentials, and the ServiceNow API Version.
   1. Test your connection to ensure the integration is working.
   2. Select Next.

STEP 5 | Save Rule.


Troubleshoot NGFW Connectivity and Policy Enforcement Anomalies

Where Can I Use This?
• NGFW, including those funded by Software NGFW Credits

What Do I Need?
• AIOps for NGFW Premium or Strata Cloud Manager Pro
• Strata Logging Service license is required for logging
• If you have a Prisma Access license, you can use Folder Management to view your
  predefined folders and enable Web Security for a folder

Troubleshoot your NGFWs from Strata Cloud Manager without having to move between various
firewall interfaces. If you experience connectivity issues after deploying and configuring your
NGFWs, you can get an aggregate view of your routing and tunnel states, and drill down to
specifics to find anomalies and problematic configurations.
Troubleshoot your identity-based policy rules and dynamically defined endpoints. You can check
the status of specific NGFWs and expose possible mismatches between how you expect a policy
to work and its actual enforcement behavior.
Troubleshooting lets you drill down on issues that might arise within these networking and identity
features, so that you can track down and resolve connectivity issues or policy enforcement anomalies:
Network Troubleshooting
• NAT
• DNS Proxy
Identity and Policy Troubleshooting
• User Groups
• Dynamic Address Groups
• Dynamic User Groups
• User ID
Firewall Troubleshooting
• Session Browser


Go to Manage > Configuration > NGFW and Prisma Access > Operations > Troubleshooting >
Session Browser to start troubleshooting your firewalls.
Or, you can go to the feature you want to troubleshoot and select the Troubleshooting button to
get started.
View and sort troubleshooting jobs you've run by Status, Action, Search Target, and Timestamp.

Feature: Session Browser (Firewall)
Feature Location: Manage > Configuration > NGFW and Prisma Access > Operations > Troubleshooting > Session Browser
Available Actions: Filter by:
• Firewalls
• Rule Name
• Source Zone
• Source Address
• Source User
• Source Port
• Destination Zone
• Destination Address
• Destination Port
• App-ID
Action Scope: Firewalls you specify
Job Output Organized By:
• Session ID
• Start Time
• Zones
• Source
• Destination
• Ports
• Protocol
• Application
• Ingress
• Egress
• Bytes

Feature: DNS Proxy (Network)
Feature Location: Manage > Configuration > NGFW and Prisma Access > Device Settings > DNS Proxy
Available Actions:
• Show DNS Proxy Cache
• Search the DNS Proxy Cache
Action Scope: Firewalls you specify
Job Output Organized By:
• Domain Name
• IP Address
• Type: IPv4 Address Record (A), IPv6 Address Record (AAAA), Canonical Name Record (CNAME), Mail Exchange Record (MX), and Pointer to a canonical name (PTR)
• Class: Internet (IN TCP/IP), Chaos (CH), and Hesiod (HS)
• Time-to-live (TTL) in seconds
• Hits: Number of times the record was requested since the last reboot

Feature: NAT (Network)
Feature Location: Manage > Configuration > NGFW and Prisma Access > Network Policies > NAT
Available Actions: Show the NAT Rule IP Pool
Action Scope: Firewalls you specify
Job Output Organized By:
• Rule
• Type
• Used
• Available
• Memory Size Ratio

Feature: User Groups (Identity)
Feature Location: Manage > Configuration > NGFW and Prisma Access > Identity Services > Cloud Identity Engine
Available Actions:
• Show User Group
• Search User Group
Action Scope: Firewalls you specify
Job Output Organized By:
• Username
• Group

Feature: Dynamic Address Groups (Identity)
Feature Location: Manage > Configuration > NGFW and Prisma Access > Objects > Address > Address Groups
Available Actions:
• Show All Dynamic Address Groups
• Search for a Dynamic Address Group (Chosen from a list)
Action Scope: Firewalls you specify
Job Output Organized By:
• Name
• Filter
• Members

Feature: Dynamic User Groups (Identity)
Feature Location: Manage > Configuration > NGFW and Prisma Access > Objects > Dynamic User Groups
Available Actions:
• Search by Dynamic User Group and / or
• Search by Username
Action Scope: Firewalls you specify
Job Output Organized By:
• Members (Username)
• Dynamic User Group

Feature: User ID (Identity)
Feature Location: Manage > Configuration > NGFW and Prisma Access > Identity Services > Identity Redistribution
Available Actions:
• Show All User IP Mapping
• Search For User IP Mapping
Action Scope: Firewalls you specify
Job Output Organized By:
• IP
• User
• From
• Idle Timeout
• Max Timeout

Export Metadata for Troubleshooting


To provide technical support with the information they need to better assist you,
AIOps for NGFW enables you to export your deployment data to your local machine. This data
arrives in JSON files that are compressed in the gzip format.
1. Select Help > Export Tenant Metadata.

2. Prepare Metadata.


3. Download your metadata file.


The metadata file name contains your Customer Support Portal (CSP) ID, your AIOps for
NGFW tenant ID, and the timestamp for the export: <csp-tenant-timestamp>.gzip.



Device Telemetry for AIOps for NGFW

Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
One of these:
or
or

AIOps for NGFW assesses the health of the firewalls in your deployment by analyzing telemetry
data that your PAN-OS devices send to Strata Logging Service. To send this data, you must have
enabled device telemetry on your devices.
Once telemetry is configured, your next-generation firewalls send raw telemetry data to
Strata Logging Service at fixed intervals. Strata Logging Service parses and translates this raw data
so that AIOps for NGFW can provide you with device status, visualizations, and alerts.
Onboard your devices to begin sending device telemetry to AIOps for NGFW.

Enable Telemetry on Devices


Follow the steps below to use AIOps for NGFW with your PAN-OS devices.


If your outbound traffic passes through a proxy, ensure that you have allowed the Domains
Required for AIOps for NGFW.

You need to onboard Panorama on AIOps for NGFW if you are onboarding Panorama-
managed deployments.

1. Confirm the device is registered in the Customer Support Portal: log in to
support.paloaltonetworks.com, switch to your account (if necessary), and identify your device
in Assets > Devices.
2. Install a device certificate on the devices you want to onboard.
3. Enable telemetry sharing on the devices.

After you onboard the devices and enable telemetry, it takes around a couple of hours
for the first set of insights to be visible on the AIOps for NGFW dashboard. The
process of generating and sending telemetry on the device's side is done in batches,
with each metric being sampled and collected at a frequency optimized for the
use cases the metric is used for. This batch process can result in a delay between
onboarding the firewall and the availability of insights. It might take several hours
for all insights associated with a newly onboarded device to appear on the AIOps for
NGFW dashboard.


Domains Required for AIOps for NGFW


Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
One of these:
or
or

If outbound traffic from your devices passes through a proxy, ensure that you have allowed the
following FQDNs in order to successfully use AIOps for NGFW.

Domains to Access AIOps for NGFW


Allow these domains in order to access the AIOps for NGFW application, regardless of your
geographic region.
• *.prod.di.paloaltonetworks.cloud
• *.paloaltonetworks.com
• *.prod.di.paloaltonetworks.com
• *.prod.reporting.paloaltonetworks.com
• *.receiver.telemetry.paloaltonetworks.com
• https://storage.googleapis.com

App-IDs and Domains to Send Telemetry


See TCP Ports and FQDNs Required for Strata Logging Service for the App-IDs and ports that
you must allow on your Palo Alto Networks firewalls to successfully send telemetry data to
AIOps for NGFW.
On your proxy server, in addition to allowing the required ports and FQDNs, allow the domain
that corresponds to your geographic region so that your devices can send telemetry data to
AIOps for NGFW.

Region       Domain
US           http://br-prd1.us.cdl.paloaltonetworks.com/
Europe       http://br-prd1.nl.cdl.paloaltonetworks.com/
UK           http://br-prd1.uk.cdl.paloaltonetworks.com/
Canada       http://br-prd1.ca1.ne1.cdl.paloaltonetworks.com/
Singapore    http://br-prd1.sg1.se1.cdl.paloaltonetworks.com/
Japan        http://br-prd1.jp1.ne1.cdl.paloaltonetworks.com/
Australia    http://br-prd1.au1.se1.cdl.paloaltonetworks.com/
Germany      http://br-prd1.de1.ew3.cdl.paloaltonetworks.com/
India        http://br-prd1.in1.as1.cdl.paloaltonetworks.com/
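
A proxy allowlist can be audited offline against the domains listed above before you onboard devices. The following Python sketch is an added example, not Palo Alto Networks code; the matching rule (`*.suffix` matches subdomains only, never the apex) and the two sample allowlists are assumptions, and it checks FQDNs only, not App-IDs or ports.

```python
"""Audit a proxy allowlist against the FQDNs this page lists for AIOps for NGFW.

Assumed matching rule: "*.example.com" matches any subdomain of example.com
but not example.com itself. Some proxies differ; check yours.
"""

# Domains the page lists for accessing the application in every region.
REQUIRED_ALWAYS = [
    "*.prod.di.paloaltonetworks.cloud",
    "*.paloaltonetworks.com",
    "*.prod.di.paloaltonetworks.com",
    "*.prod.reporting.paloaltonetworks.com",
    "*.receiver.telemetry.paloaltonetworks.com",
    "storage.googleapis.com",
]

# Region-specific telemetry domains from the page's Region/Domain table.
REGION_TELEMETRY = {
    "US": "br-prd1.us.cdl.paloaltonetworks.com",
    "Europe": "br-prd1.nl.cdl.paloaltonetworks.com",
    "UK": "br-prd1.uk.cdl.paloaltonetworks.com",
    "Canada": "br-prd1.ca1.ne1.cdl.paloaltonetworks.com",
    "Singapore": "br-prd1.sg1.se1.cdl.paloaltonetworks.com",
    "Japan": "br-prd1.jp1.ne1.cdl.paloaltonetworks.com",
    "Australia": "br-prd1.au1.se1.cdl.paloaltonetworks.com",
    "Germany": "br-prd1.de1.ew3.cdl.paloaltonetworks.com",
    "India": "br-prd1.in1.as1.cdl.paloaltonetworks.com",
}


def normalize(entry):
    """Reduce an allowlist entry or URL to a lowercase host or *.suffix pattern."""
    host = entry.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]          # drop the scheme
    host = host.split("/", 1)[0].split(":", 1)[0]  # drop path and port
    return host.rstrip(".")


def covers(allowed, required):
    """True if every host matched by `required` is also matched by `allowed`."""
    allowed, required = normalize(allowed), normalize(required)
    if not allowed.startswith("*."):
        # An exact entry can only satisfy the identical exact requirement.
        return allowed == required
    suffix = allowed[1:]  # ".example.com", leading dot prevents partial-label matches
    target = required[1:] if required.startswith("*.") else required
    return target.endswith(suffix)


def missing_entries(allowlist, region):
    """Return the required domains for `region` that no allowlist entry covers."""
    required = REQUIRED_ALWAYS + [REGION_TELEMETRY[region]]
    return [r for r in required if not any(covers(a, r) for a in allowlist)]


# Constructed sample allowlists (not taken from any real proxy).
BROAD = ["*.paloaltonetworks.com", "https://storage.googleapis.com/"]
NARROW = [
    "*.prod.di.paloaltonetworks.cloud",
    "*.prod.di.paloaltonetworks.com",
    "*.prod.reporting.paloaltonetworks.com",
    "*.receiver.telemetry.paloaltonetworks.com",
    "storage.googleapis.com",
    "br-prd1.nl.cdl.paloaltonetworks.com",  # Europe telemetry domain only
]

if __name__ == "__main__":
    for name, allowlist in (("BROAD", BROAD), ("NARROW", NARROW)):
        print(name, "missing for US:", missing_entries(allowlist, "US"))
```

The BROAD list shows that a single `*.paloaltonetworks.com` entry still leaves the `.cloud` domain uncovered, and the NARROW list shows a region mismatch between the allowed telemetry domain and the tenant's region.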



Optimize Security Posture
Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
One of these:
or
or

In addition to helping you keep your firewalls functionally healthy, AIOps for NGFW aids in
verifying that they are providing you with effective protection against security threats.

Security posture assessments currently don't support multiple virtual systems; only the
default virtual system (vsys1) is considered during configuration processing.

• Monitor Security Posture Insights: Get visibility into the security status and trend of your
deployment based on the security postures of the onboarded NGFW devices.
• Monitor Feature Adoption: View the security features that you're using in your deployment.
• Monitor Security Subscriptions: View the recommended Cloud-Delivered Security Services
(CDSS) subscriptions and their usage in your devices.
• Assess Vulnerabilities: View the vulnerabilities impacting a specific firewall and PAN-OS
version, aiding in your decision-making process regarding whether an upgrade is necessary.
• Monitor Compliance Summary: View a history of changes to the security checks made up to 12
months in the past, grouped together by the Center for Internet Security (CIS) and the National
Institute of Standards and Technology (NIST) frameworks.
• Proactively Enforce Security Checks: Take proactive measures against suboptimal
configurations by blocking commits that don't pass particular best practice checks.
• Policy Analyzer: Get analysis and suggestions for possible consolidation or removal of specific
policy rules to meet your intended Security posture, as well as checks for anomalies, such as
shadows, redundancies, generalizations, correlations, and consolidations in your rulebase.


Monitor Security Posture Insights


Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
• One of these:
or
or
• A role that has permission to view the dashboard

You can use the Security Posture Insights dashboard to get visibility into the security status
and trend of your deployment based on the security postures of the onboarded NGFW devices.
The severity of the security score (0-100) and its corresponding security grade (good, fair, poor,
critical) determine the security posture of a device. The security score is calculated based on the
priority, quantity, type, and status of the open alerts.
1. Navigate to Dashboards > Security Posture Insights to get started.


2. View the health of your devices using the Device Security Posture. You can view the following:
• The total number of onboarded NGFWs.
• The number of devices that have not sent telemetry data for over 12 hours.
• The priority of the security score for the onboarded devices in your deployment. Click the number
link to see the device details and security statistics.
For example, you can view 7 critical risks for all the devices.

In this case, you can click on the critical alerts and see the devices that generate alerts. You can
further drill down and notice that the “User credential protection” has not been enabled on the
firewalls. You can address this issue across all devices to avoid phishing attacks.
3. Review the devices that are most unhealthy and whose security scores have regressed over the
last 30 days. You can view the health of your devices, including their operational status, software
version, and other important metrics.
You can also notice if some devices are running outdated software versions. In this case, you
can plan an upgrade to the latest recommended version, which you can find in Upgrade
Recommendations.
4. Check the security posture trend of your deployment for the selected time period. Hover over
the trigger point to see the devices and active alerts that are contributing to the security
posture trend. You can view trends for one or more devices filtered by the hostname, model, or
software version.
For more information, see Dashboard: Security Posture Insights.


Monitor Feature Adoption


Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
• One of these:
or
or
• A role that has permission to view the dashboard

In Dashboards > Feature Adoption, you can view the security features that you are using in
your deployment. This helps you make sure that you are getting the most out of your Palo Alto
Networks security subscriptions and firewall features.

This dashboard shows where your security policy is strong and where there are gaps in capability
adoption that you can focus on improving. To gain maximum visibility into traffic and maximum
protection against attacks, set goals for security capability adoption and use the following
recommendations as a best practice baseline. Assess your current posture against the baseline to
identify gaps in security policy capability adoption.
Adoption Summary helps identify devices, zones, and areas where you can improve security policy
capability adoption. You can review adoption information by Device Group, Serial Number & Vsys,
Zones, Areas of Architecture, Tags, Rule Details, and Zone Mappings. Filter on Device Group to
narrow the scope and identify gaps.
In Feature Adoption, you can also view whether your security features are configured according
to Palo Alto Networks best practices by selecting Best Practices.

To focus on best practice compliance for a specific set of firewalls, you can filter the chart
based on device group.


Select the section for a feature on the chart to view which policy rules can be improved.


Select a rule to view its details without needing to leave the app.

For more information, see Dashboard: Feature Adoption.


Monitor Security Subscriptions


Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
• One of these:
or
or
• A role that has permission to view the dashboard

In Dashboard > Posture > CDSS Adoption, you can view the recommended Cloud-Delivered
Security Services (CDSS) subscriptions and their usage in your devices. This helps you to identify
security gaps and harden the security posture of your enterprise. After you navigate to this page,
you will see a pop-up asking you to confirm or update your zone roles in NGFWs to get accurate
security services recommendations. You can follow the link in this pop-up window to map zones
to roles.

Currently, this dashboard only supports four security subscriptions: Advanced Threat
Prevention, Advanced URL Filtering, DNS Security, and WildFire.

1. At the top of the CDSS Adoption page, you can view the number of total known NGFWs and
number of NGFWs sending telemetry in your instance.
2. The adoption of CDSS involves progressing through activation, configuration, and adherence
to best practices. To track progress for each subscription, simply click on the numbers in the
graph to view a list of devices that require updates along this journey. In this case, let us check
the NGFWs where DNS security is not configured.


3. Check NGFWs on which DNS Security configuration is recommended but not configured. View
details to check source role and destination role.

4. View Policies to view the details of the rules and corresponding source and destination zones.
Further, you can click a rule name to view its details.
5. Navigate back to the funnel graph. You can view the same information in the pie chart format
as well.
6. When you do not need a recommended security service for any reason, you can override it. In
this case, we don't need the DNS security service. Click the cancel icon next to DNS.

7. Select one of the reasons for overriding the recommendation.

8. Click Override.
This concludes how to view the recommended CDSS subscriptions and their usage in your
devices.
For more information, see Dashboard: CDSS Adoption.


Assess Vulnerabilities
Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
One of these:
or
or

Strata Cloud Manager shows you which vulnerabilities affect a given firewall and PAN-OS version
to help you decide whether you should upgrade. Navigate to Incidents & Alerts > NGFW > All
Alerts and select the PAN-OS Known Vulnerability alert to see the latest security advisories
impacting the firewall that raised the alert.
Select Vulnerabilities in this PAN-OS version to view the affected feature for a vulnerability in
the Feature Affected column. This helps you to decide whether to upgrade a firewall based on the
vulnerability and its impact on your enabled feature. If a CVE is not associated with a feature, then
the value under Feature Affected is blank. This type of CVE affects the firewall with the specified
model or version.
By default, the PAN-OS Known Vulnerability alert shows all of the vulnerabilities in the PAN-
OS version on the device. However, if you enabled Product Usage telemetry on the firewall, you
can choose to view only the vulnerabilities that affect the particular firewall based on its enabled
features. That way, you can better understand which vulnerabilities are a concern for the firewall
and make a more informed decision about whether to upgrade.


You can also use the PAN-OS CVEs dashboard that shows you the number of devices impacted
by a specific vulnerability based on the features that have been enabled on devices. Strata Cloud
Manager analyzes the features that have been enabled to determine the devices impacted by the
CVE. The following task shows how to assess vulnerabilities that impact devices and generate
upgrade recommendations to fix the vulnerabilities.

STEP 1 | From Strata Cloud Manager, navigate to Dashboards > PAN-OS CVEs.

STEP 2 | Expand a CVE to view the devices impacted by it.

STEP 3 | Select devices that you want to upgrade to fix the vulnerabilities.

STEP 4 | Generate Upgrade Recommendations.

STEP 5 | Click the newly generated report for the devices.

STEP 6 | Select one of the upgrade options to view details about New Features, PAN-OS Known
Vulnerabilities, Changes of Behavior, and PAN-OS Known Issues.
You can Export the details in a CSV file and download it.


Monitor Compliance Summary


Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
or
License to view data from supported product in the dashboard: Prisma Access

To get to the Compliance Summary Dashboard, go to Dashboards, and then select the
Compliance Summary tab. You can view a history of changes to the security checks made up to
12 months in the past, grouped together by the Center for Internet Security (CIS) and the National
Institute of Standards and Technology (NIST) frameworks. For each framework, you’ll see a list
of controls as well as the percentage of current and average compliance rate, total number of
best practice checks, and the number of failed checks for each control. Interact with the chart
and the list to see the relationship between controls and their historical statistics. View details
of individual controls and their associated checks, and select a best practice check to view the
firewall configuration that is failing the check.

The CIS Critical Security Controls framework is a
prioritized set of recommended actions and best practices that help protect organizations and
their data from known cyber attack vectors.

You can view check summaries for 11 of the 16 basic and foundational CIS controls:
• CSC 3: Continuous Vulnerability Management
• CSC 4: Controlled Use of Administrative Privileges
• CSC 6: Maintenance, Monitoring, and Analysis of Audit Logs
• CSC 7: Email and Web Browser Protections
• CSC 8: Malware Defenses
• CSC 9: Limitation and Control of Network Ports, Protocols, and Services
• CSC 11: Secure configuration for Network Devices, such as Firewalls, Routers, and Switches
• CSC 12: Boundary Defense
• CSC 13: Data Protection
• CSC 14: Controlled Access Based on the Need to Know
• CSC 16: Account Monitoring and Control
The NIST Cybersecurity Framework SP 800-53 Controls framework provides guidance for federal
agencies and other organizations to implement and maintain security and privacy controls for
their information systems. You can view check summaries for eight families of NIST controls:
• AC: Access Control
• AU: Audit and Accountability
• CM: Configuration Management
• CP: Contingency Planning
• IA: Identification and Authentication
• RA: Risk Assessment
• SC: System and Communications Protection
• SI: System and Information Integrity
For more information, see Dashboard: Compliance Summary.


Proactively Enforce Security Checks


Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
or

You can customize security posture checks for your deployment to maximize relevant
recommendations using the features below.
• Security Checks
List of the best practice checks that AIOps for NGFW uses to evaluate your configuration.
The configuration of firewalls and Panorama is compared to Palo Alto Networks best practice
checks to assess the security posture of your devices and to generate security alerts. You can
see a list of the best practice checks that are used to evaluate your configuration.
Here, you can:
1. Set the severity level for checks to identify the checks that are the most critical to your
deployment.
2. Temporarily disable checks.
If you choose to disable a check, you can specify how long it will remain disabled and leave a
comment explaining the reason for disabling it.
3. Set the response when a check fails.
• Zone to Role Mapping
Map the zones in NGFWs to roles to get customized recommendations.
• Role to Security Service Mapping
Manage the security services needed for traffic between zones and roles in all NGFWs.
The Panorama CloudConnector Plugin enables you to take proactive measures against suboptimal
configurations by blocking commits that do not pass particular best practice checks. When you
indicate in AIOps for NGFW that you want a check to Fail Commit, Panorama automatically
blocks commits of any configuration that does not pass that check. Rather than wait to receive
an alert about a failed best practice check, use the plugin to keep configuration issues out of your
deployment in the first place.
STEP 1 | Ensure that you meet all prerequisites, and install the plugin.

STEP 2 | Specify the best practice checks that will block commits on failure.
1. Select Manage > Security Posture > Settings.
2. Find the check that you want to block commits.
3. Set Action on Fail to Fail Commit.


STEP 3 | Verify by attempting to commit a configuration that does not pass the check.
1. Log in to Panorama.
2. Violate the best practice check that you specified to Fail Commit.

3. Select Commit > Commit to Panorama > Validate Configuration.


You should see a dialog stating that the validation failed because the configuration did not pass
the best practice check.

Setting a check to Fail Commit causes the check to fail both validation and the actual
commit operation.

See Manage: Security Posture Settings for more information.


Policy Analyzer
Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
or
• Panorama CloudConnector Plugin for Panorama managed deployments

Updates to your Security policy are often time-sensitive and require you to act quickly. However,
you want to ensure that any update you make to your Security policy meets your requirements
and does not introduce errors or misconfigurations (such as changes that result in duplicate or
conflicting rules).
The Policy Analyzer feature in Strata Cloud Manager enables you to optimize time and resources
when implementing a change request. Policy Analyzer not only analyzes and provides suggestions
for possible consolidation or removal of specific rules to meet your intent but also checks for
anomalies, such as Shadows, Redundancies, Generalizations, Correlations, and Consolidations in
your rulebase.
Use Policy Analyzer to add or optimize your Security policy:
• Before adding a new Security policy—Check to see if new rules need to be added. Policy
Analyzer recommends how best to change your existing Security policy to meet your
requirements without adding another rule, if possible.
• Streamline and optimize your existing Security policy rules—See where you can update your
rules to minimize bloat and eliminate conflicts and also to ensure that traffic enforcement
aligns with the intent of your Security policy.
Analyze your Security policy rules both before and after you commit your changes.
• Pre-Change Policy Analysis—Enables you to evaluate the impact of a new rule and analyze the
intent of the new rules against the rules that already exist to recommend how to best meet the
intent.
• Post-Change Policy Analysis—Enables you to clean the existing rulebase by identifying
Shadows, Redundancies, and other anomalies that have accumulated over time.

Policy Analyzer supports both NGFW and Prisma Access deployments, managed by
Panorama or Strata Cloud Manager.
Policy Analyzer for Panorama managed deployments requires the following:
• CloudConnector Plugin 1.1.0 or later on your Panorama appliance. You need to
enable this plugin using the command:

> request plugins cloudconnector enable basic

We recommend that you install the latest version of the CloudConnector plugin.


• Panorama needs to be updated to PAN-OS version 10.2.3 or a later version.


Types of Anomalies That Policy Analyzer Detects


Policy Analyzer detects the following types of anomalies across your Security policy:
• Shadows—Rules that are not hit because a rule higher in the rulebase covers the same traffic.
Security policy rules are evaluated in the rulebase from the top down so shadows are created
when a rule higher in the rulebase matches the same traffic that a rule lower in order matches
and the rules are configured with a different action. If you remove the rule lower in order, the
Security policy does not change.
• Redundancies—Two or more rules that match the same traffic and are configured with the
same action.
• Generalizations—When a rule lower in the rulebase matches the traffic of a rule higher in the
rulebase, but not the other way around, and the rules take a different action. If the order of the
two policy rules is reversed, the Security policy is impacted.
• Correlations—Rules that correlate with another rule when one rule matches some packets of
the other rule but results in a different action. If the order of the two rules is reversed, the
Security policy is impacted.
• Consolidations—Rules that you can consolidate into a single rule because the action is the same
and only one attribute is different. You can merge the rules into a single rule by modifying the
attributes of one of the rules and deleting the others.
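
To make the five definitions concrete, the following added Python example classifies rule pairs in a constructed rulebase. It is not Policy Analyzer's own algorithm: it assumes a simplified rule model (source zone, destination zone, and application only) and compares rules pairwise, ignoring any rules in between.

```python
"""Pairwise rulebase anomaly classifier following the definitions above.

Simplified model (assumption): a rule matches on source zone, destination
zone and application only; "any" is the wildcard. Rule names are constructed.
"""
from dataclasses import dataclass
from itertools import combinations

ANY = frozenset({"any"})


@dataclass(frozen=True)
class Rule:
    name: str
    src: frozenset
    dst: frozenset
    app: frozenset
    action: str  # "allow" or "deny"

    def fields(self):
        return (self.src, self.dst, self.app)


def rule(name, src, dst, app, action):
    """Build a Rule from comma-separated strings, e.g. app="ssl,dns"."""
    def to_set(value):
        return ANY if value == "any" else frozenset(value.split(","))
    return Rule(name, to_set(src), to_set(dst), to_set(app), action)


def field_covers(outer, inner):
    """Every value matched by `inner` is also matched by `outer`."""
    return outer == ANY or (inner != ANY and inner <= outer)


def field_overlaps(a, b):
    return a == ANY or b == ANY or bool(a & b)


def subset(a, b):
    """All traffic matched by rule `a` is also matched by rule `b`."""
    return all(field_covers(fb, fa) for fa, fb in zip(a.fields(), b.fields()))


def overlap(a, b):
    """Some traffic is matched by both rules."""
    return all(field_overlaps(fa, fb) for fa, fb in zip(a.fields(), b.fields()))


def classify(higher, lower):
    """Label the relationship between a rule and one below it, or None."""
    differing = sum(fa != fb for fa, fb in zip(higher.fields(), lower.fields()))
    if higher.action == lower.action:
        if subset(lower, higher):
            return "redundancy"       # lower rule adds nothing
        if differing == 1:
            return "consolidation"    # same action, one attribute differs
        return None
    if not overlap(higher, lower):
        return None                   # different traffic, no conflict
    if subset(lower, higher):
        return "shadow"               # lower rule is never hit
    if subset(higher, lower):
        return "generalization"       # higher rule is an exception to lower
    return "correlation"              # partial overlap, order matters


def analyze(rulebase):
    """Return (higher, lower, anomaly) for every anomalous pair, top down."""
    findings = []
    for higher, lower in combinations(rulebase, 2):
        kind = classify(higher, lower)
        if kind:
            findings.append((higher.name, lower.name, kind))
    return findings


# Constructed sample rulebase, evaluated top down.
RULEBASE = [
    rule("allow-web", "trust", "untrust", "web-browsing,ssl", "allow"),
    rule("deny-ssl", "trust", "untrust", "ssl", "deny"),
    rule("allow-browsing", "trust", "untrust", "web-browsing", "allow"),
    rule("deny-ssl-any-src", "any", "untrust", "ssl", "deny"),
    rule("allow-dns-dmz", "dmz", "untrust", "dns", "allow"),
    rule("allow-dns-guest", "guest", "untrust", "dns", "allow"),
    rule("deny-trust-out", "trust", "any", "any", "deny"),
]

if __name__ == "__main__":
    for higher, lower, kind in analyze(RULEBASE):
        print(f"{kind:15} {lower} (relative to {higher})")
```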

Pre-Change Policy Analysis


Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
or
• Panorama CloudConnector Plugin for Panorama managed deployments

The Security policy rule Pre-Change analysis performs the new intent satisfaction analysis:
• New Intent Satisfaction Analysis—Checks whether the intent of a new Security policy rule is
already covered by an existing rule.
Before you begin:
1. Go to Manage > Security Posture > Policy Analyzer > Pre-change Policy Analysis.


2. At the top of the Policy Analyzer page, select Cloud Manager for Strata Cloud Manager
managed deployments or select a Panorama instance for Panorama managed deployments
containing the policy rules that you need to analyze.

3. Start a Security Policy Analysis.


Perform the following steps to start a new analysis:


STEP 1 | Enter Analysis Name and Analysis Description.



On a Panorama appliance, device groups are hierarchical. There are four levels of device
groups that you can create and you assign NGFWs to the device group at the lowest level of
the hierarchy. The policy that you create at a higher level is then inherited by all the device
groups under it. You can run the analysis for up to 10 device groups with NGFWs directly
assigned to them, which allows you to analyze all the policy rules that are pushed to that set of
directly assigned NGFWs.
For Strata Cloud Manager managed deployments, folders are hierarchical. The leaf folder, that is,
the final folder containing the devices, is shown.

STEP 2 | Select an existing Security policy set to analyze.


STEP 3 | Specify the type of analysis by selecting one or more analysis types:
• New Intent Satisfaction Analysis
Add New Security Rule Intent for analysis.

Specify information about the new security rule, and AIOps for NGFW can check if existing
rules cover the intent.

Enter the values for the components of a security policy rule. The default value for the fields
related to a security rule is “Any.”
Save the settings.
Review the summary of the new security rule intent.


You can create up to 10 new security rules, or you can copy a rule and edit it.

STEP 4 | Submit Analysis Request or Save As Draft to edit the rule later.
View the status of an analysis on the Policy Analyzer page under Analysis Requests.

You can cancel a rule whose status is in-progress and it will be shown as Canceled.
After the analysis is complete, view the analysis report.


Pre-Change Policy Analysis Reports


Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
or
• Panorama CloudConnector Plugin for Panorama managed deployments

Select an analysis report whose status is completed to view the results of the policy analysis.
Intent Satisfaction Results
From the list of analyses under Analysis Requests, click an analysis to view its analysis results.
These results include:
1. Summary of the analysis with details about device groups and the anomaly count.
2. Click the name of a device group to view the result of the intent satisfaction analysis:
• Intent Fully Met—Your security rule is a duplicate of one of the existing rules in the device
group.
• Intent Partially Met—Your security rule is partially meeting the intent of one of the existing
rules in the device group.
• Intent not met—Your security rule is a unique rule that is not present in the device group.
You can add this rule to the device group.


3. View the results of the analysis for the new security rule intent.

In this example, there are two rules. The intent of the first rule matches fully with existing rules
and the intent of the second rule matches partially with the existing rules.
4. View the details of the new security rule and check the intent satisfaction results.

In this example, all the attributes of the new rule intent rule 1 match the attributes of the
existing rule Shared Rule 1. The intent of the new rule fully matches the intent of the existing
rule. Therefore, you need not add this new rule to the configuration.


Post-Change Policy Analysis


Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
or
• Panorama CloudConnector Plugin for Panorama managed deployments

Strata Cloud Manager analyzes device configurations as soon as you push them, detecting
anomalies. It also performs an analysis every 4 hours. For Panorama managed configurations,
Strata Cloud Manager performs the analysis when you commit the configuration on Panorama.
Policy Analyzer analyzes this configuration for Shadows, Redundancies and other anomalies, and
the results are available for review in Manage > Security Posture > Policy Analyzer > Post-change
Policy Analysis.
You can view the following information:
1. Shows the summary of the analysis across all the policy sets, that is, all the device groups with
NGFWs directly assigned to them. You can view all the anomalies or only the anomalies based on
high priority. The values in this report show the unique number of anomalies found in all the
device groups. The colors in the chart indicate the different types of anomalies.

2. Timestamps for the analysis, including:


• Existing Security policy snapshot - The timestamp for when the configuration was marked
as running in Panorama following a commit, or the timestamp for when the configuration
was marked as running in Strata Cloud Manager after a push.
• Time analysis started
• Time analysis finished
• The time it took to complete the analysis
3. View the status of the Security policy and the number of anomalies for every policy.
4. View a breakdown of anomalies for a selected Security policy.


5. View anomaly details for every rule in a Security policy.

6. View the attributes of a selected rule and the details of the anomaly.

This image shows an example of the redundancy anomaly. In this example, the BND rule is
already covered by another BND Users rule. Therefore, you can remove the BND rule.
7. View the suggested next steps to remediate an anomaly.



NGFW Health and Software Management
This chapter describes how to manage NGFW health and software upgrades.
• View Device Health - View the cumulative health status and performance of your deployment
based on the health scores of the onboarded NGFWs.
• Upgrade Recommendations - Create recommendations to determine the best software version
for your devices that can be upgraded.
• Analyze Metric Capacity - Analyze and monitor your devices' resource capacity by keeping
track of their metrics usage based on their model types.


Monitor Device Health


Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
One of these:
or
or

The Device Health dashboard shows you the cumulative health status and performance of
your deployment based on the health scores of the onboarded NGFWs. The device health is
determined by the severity of the health score (0-100) and its corresponding health grade (good,
fair, poor, critical). The health score is calculated based on the priority, quantity, type, and status
of the open alerts.
Here is an example of how you can optimize device performance using the Device Health
dashboard.
As a network administrator for a large enterprise, you've been tasked with improving the overall
health and performance of your firewalls. Your goal is to proactively identify and address potential
issues before they impact network operations.
By following the task-based approach below, you'll use Strata Cloud Manager's Device
Health features to maintain a high-performing and reliable network infrastructure, minimizing
downtime and enhancing overall security posture.


1. Access the Device Health dashboard in Strata Cloud Manager to get an overview of the health
status of your firewalls.

2. Review the Health Score for each firewall, focusing on devices with scores below 80, which
indicate potential issues.
3. Analyze the Device Health Statistics to identify specific areas of concern, such as high CPU
usage, memory utilization, or session count.
4. Examine the Device Health Score Trend over the past 30 days to spot any recurring patterns or
gradual declines in performance.
5. For firewalls with consistently low health scores or declining trends, drill down into the detailed
metrics to pinpoint the root causes.
6. Develop and implement a remediation plan for the affected devices, which may include:
• Optimizing security policies
• Upgrading hardware for overutilized devices
• Adjusting network configurations to balance traffic load
After implementing changes, continue monitoring the Device Health dashboard to verify
improvements and ensure sustained optimal performance.
For more information, see Dashboard: Device Health.


Get Upgrade Recommendations


Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
or

Select Workflows > Software Upgrades > Upgrade Recommendations to use Strata Cloud
Manager to analyze the features that are enabled on your firewalls and create a customized
recommendation that provides specific information for your network:
• The best software version to run on your devices.
• Information about new features, changes to behavior, vulnerabilities, and software issues in
each recommended software version.
Types of upgrade recommendations:
• System-generated recommendations that are generated from device telemetry data twice each
week.
• User-generated custom recommendations that are generated when you select devices for
specific PAN-OS CVEs.
• User-generated recommendations that you generate by uploading a tech support file (TSF) of a
firewall.

You can perform the following tasks for every recommendation.


• View the number of devices that require an upgrade and any vulnerabilities that you need to
address.


• Edit the name of a recommendation to differentiate between custom recommendations.


• Filter the recommendations by Creation Date, Recommendations Name, and
Recommendations Generated By.
• Delete recommendations that failed or are no longer appropriate.

Generate On-Demand Upgrade Recommendations


1. Generate On Demand Upgrade Recommendations.
2. Select a tech support file (TSF) and Upload it.

• You can upload a TSF of only one device at a time and the TSF must be in the .tgz
format.
• You can generate software upgrade recommendations only from a TSF that you
generate on and upload from a firewall running PAN-OS 9.1 or a later PAN-OS
version.

3. View the software upgrade recommendations after the status is Ready.


You can also check Status to see if there are any errors related to the upload, file format, or
processing of the TSF.

View Software Upgrade Recommendations Report


Click a recommendation to view the detailed report with the upgrade options for your
devices. Select an upgrade option to view details about New Features, Changes of Behavior,
Vulnerabilities Based on Enabled Features, and PAN-OS Known Issues. You can also Export this
report in a CSV format.


• The recommendation report includes information specific to the enabled features on
your devices.
• For PAN-OS Known Issues, the Associated Case Count represents the number of
customers who reported the issue.


Analyze Metric Capacity


Where Can I Use This? What Do I Need?

• or

From Strata Cloud Manager, navigate to Monitor > Capacity Analyzer to analyze and monitor
your devices' resource capacity by keeping track of their metrics usage based on their model
types. You can analyze metrics using the following methods:
• Analyze Metric Capacity based on Metric, Model, and Device
• Analyze Metric Capacity Based on Device Models
• Analyze Metric Capacity Based on Metrics
Capacity Analyzer also raises alerts that help you anticipate when resource consumption is
nearing its maximum capacity. See Manage Capacity Analyzer Alerts.

The Capacity Analyzer feature is not supported for VM-Series firewalls.

Analyze Metric Capacity based on Metric, Model, and Device


1. On the Capacity Analyzer Heatmap, hover your cursor over a cell to view the metric capacity
usage for all devices belonging to the corresponding device model.
In this example, the pop-up window displays the ARP table size metric capacity for all the
devices that belong to the PA-220 model.


2. Click a cell corresponding to the device model and the metric to check the capacity usage. In
this example, we are clicking the ARP table size for the PA-220 device model.

You can view the following:


• ARP table size metric capacity for all devices belonging to the PA-220 model.


• Select one of the host names to view the metric capacity trend.
• Alerts raised for the metric and predicted date when the metric will reach its maximum
capacity.
• Predicted trend for the metric. Strata Cloud Manager forecasts the date when the metric
will hit the maximum capacity. You can hover your cursor over the graph to check the
metric capacity at any specific point of time.


Analyze Metric Capacity Based on Device Models


1. From the Capacity Analyzer heat map, select a device model to view all its associated metrics.


Each row displays a metric's utilized capacity, indicating the number of resources used for that
metric in a device. Additionally, you can view the alerts raised for the metric and predicted date
when the metric will reach its maximum capacity.
2. In the Capacity Analyzer table, select a metric to view its trend on a device.


3. Select a device to view the metric trend for it.


You can select the Prediction Time to check the predicted trend for the metric. Strata Cloud
Manager forecasts the date when the metric will hit the maximum capacity.
You can hover your cursor over the graph to check the metric capacity at any specific point of
time.


Under Alert Name, you can view the alerts raised for the address objects metric corresponding
to a host name.


Analyze Metric Capacity Based on Metrics


1. From the Capacity Analyzer heat map, select a metric to view its capacity in all the devices in a
tabular format. In this example, the ARP table size metric is selected.

You can also select a metric type and drill down to a metric to view its capacity in all
the devices in a tabular format. For example, Configuration Resource type metric >
Objects > Address Objects.


Each row displays the ARP table size metric’s used and unused capacity for every host under
device models. Additionally, you can view the alerts raised for this metric for every host and
the predicted date when the metric will reach its maximum capacity.


2. Select a host name to view the graphical trend of the selected metric.
You can select the Prediction Time to check the predicted trend for the metric. Strata Cloud
Manager forecasts the date when the metric will hit the maximum capacity.


You can hover your cursor over the graph to check the metric capacity at any specific point of
time.



Best Practices for NGFWs
Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
One of these:
or
or

AIOps for NGFW helps you tighten security posture by aligning with best practices. You can
leverage AIOps for NGFW to assess your Panorama, NGFW, and Panorama-managed Prisma
Access security configurations against best practices and remediate failed best practice checks.
AIOps for NGFW streamlines the process of checking InfoSec compliance on your network
infrastructure.
AIOps for NGFW is free, and the following AIOps Best Practice Assessment (BPA) capabilities are
available without an AIOps premium license. For the full list of available Best Practice features,
see Built-In Best Practices:
• Check the Best Practices Dashboard for daily best practices reports, and their mapping to
Center for Internet Security’s Critical Security Controls (CSC) checks, to help you identify
areas where you can make changes to improve your best practices compliance. Share the best
practice report as a PDF and schedule it to be regularly delivered to your inbox.

• Monitor Feature Adoption and stay abreast of which security features you’re using in your
deployment and potential gaps in coverage.


• Get Security Posture Alerts from AIOps for NGFW to know when your security settings may
need a closer look.
Command Line Interface (CLI) remediations are also available in AIOps for NGFW under Alerts
> Security > Alert Details. View recommendations intended to help you to remediate the
issues triggering an alert.

Security alerts and CLI remediations are available only for devices sharing telemetry.
This feature doesn’t support Tech Support File (TSF) manual upload for PAN-OS
devices running versions 9.1 and above.
• Generate BPA reports for (non-telemetry) PAN-OS devices running versions 9.1 and above,
now including feature adoption metrics. If you’ve been using the BPA standalone tool to
generate BPA reports, you might be wondering “Can I Still Generate BPA Reports from the
Customer Support Portal?” We’ve got you covered as well.


With a premium license, AIOps for NGFW also offers advanced security posture capabilities.
Premium features focus on ensuring full utilization and maximal security from your firewalls.
Check out what both free and premium licenses have to offer.


On-Demand BPA Report


Where Can I Use This?
• , including those funded by Software NGFW Credits

What Do I Need?
One of these:
or
or

You can now run the Best Practice Assessment (BPA) and Feature Adoption summary directly
from Strata Cloud Manager. Just upload a Tech Support File (TSF). You can generate the on-
demand BPA report for devices that are not sending telemetry data or onboarded to AIOps for
NGFW.
The BPA evaluates your security posture against Palo Alto Networks best practices and prioritizes
improvements for devices. Security best practices prevent known and unknown threats,
reduce the attack surface, and provide visibility into traffic, so you can know and control which
applications, users, and content are on your network. Additionally, best practices include checks
for the Center for Internet Security’s Critical Security Controls (CSC). See the best practices
guidance to bolster security posture and implement improvements.

Can I Still Generate BPA Reports from the Customer Support Portal?
Before AIOps existed, you went to the Customer Support Portal to access and run the BPA.
Today, the preferred way to generate and download the Best Practice Assessment report for
NGFW/Panorama Managed Prisma Access is from AIOps.
After July 17, 2023, you'll no longer be able to access and run the BPA from the Customer Support
Portal.
STEP 1 | Go to the Hub and activate AIOps for NGFW. It’s free. You can activate without
Strata Logging Service if you don’t want to onboard devices with telemetry enabled at this
time.

The best practices dashboard, security alerts, and adoption summary features are not
available for devices onboarded without Strata Logging Service or telemetry enabled.

STEP 2 | Log in to your activated AIOps for NGFW instance. You’ll see the following tabs, even
without Strata Logging Service:
• Posture
• Activity
• Settings

STEP 3 | Go to Dashboards > On Demand BPA.

STEP 4 | Generate New BPA Report.


STEP 5 | Select TSF and Upload TSF file.

The upload time is dependent on the size of your .tgz file and your Internet speed. Uploading
the file could take a few minutes for larger files. Expand In-Progress to view the status of the
TSF files.

• On-demand BPA supports only the Tech Support Files (TSF) in the .tgz file format.
• On-demand BPA supports TSFs from devices with the PAN-OS version 9.1 or above
for report generation.

STEP 6 | Select View Report below Completed after the TSF is processed to view the generated BPA
report from your device.


Best Practices
Where Can I Use This? What Do I Need?

• or
• license
Enable telemetry sharing on devices

What does this dashboard show you?

The dashboard shows aggregated data per Prisma Access and NGFW/Panorama
associated with your tenant.

Navigate to Strata Cloud Manager > Dashboards > More Dashboards > Best Practices dashboard
to measure your security posture against Palo Alto Networks’ best practice guidance. Importantly,
the best practices assessment includes checks for the Center for Internet Security’s Critical
Security Controls (CSC). CSC checks are called out separately from other best practice checks, so
you can easily pick out and prioritize updates that will bring you up to CSC compliance.
How can you use the data from the dashboard?
While best practice guidance aims to help you bolster your security posture, findings in this report
can also help you to identify areas where you can make changes to more effectively manage your
environment.


The best practice dashboard is divided into five sections:


• Summary
Gives you a comprehensive view of all the failed checks for a device across the configuration
types (Security, Network, Identity, and Service Setup). View historical trend charts for BPA
checks and assess your best practice adoption rate for key feature areas.
• Security
Shows the rules, rulebases, or profiles that are failing best practice and CSC checks for the
selected device and location. When available, CLI remediations allow you to resolve issues with
your policy rules. CLI remediations are generated using TSF data you upload when generating
an On-Demand BPA Report.
• Rulebases
Looks at how your policy is organized, and whether configuration settings that apply across
many rules align with best practices (including CSC checks).
• Rules
Shows you the rules failing best practice and CSC checks. See where you can take quick
action to fix failed checks. Rules are sorted based on session count, so you can start by
reviewing and updating the rules that are impacting the most traffic.
• Profiles
Shows you how your profiles stack up against best practices, including CSC checks. Profiles
perform advanced inspection for traffic matched to a security or decryption rule.
• Identity
Shows whether the authentication enforcement settings (authentication rule, authentication
profile, and authentication portal) for a device meet the best practices and comply with CSC
checks.
• Network
Checks whether the application override rules and network settings align with best practice
and CSC checks.
• Service Setup
See how the subscriptions you have enabled on your devices are aligning with the best practice
and CSC checks. You can review the WildFire setup, GlobalProtect portal and GlobalProtect
gateway configurations here and fix the failed checks.


Share, Download, and Schedule Reports for a Dashboard


You can download, share, and schedule reports covering the data the dashboard displays
in PDF and .csv formats, and CLI remediations in .txt format. Find these icons in
the top right of the dashboard:
