Palo Alto Strata Logging Service and Cloud Manager

 

Strata Cloud Manager

AIOps

Drawing on data collected through PAN-OS device telemetry, AIOps gives you an overview of the health and security of your next-generation firewall deployment to help you identify areas of improvement and close security gaps. AIOps derives health information from device telemetry metrics related to the operational status of your devices. For security information, AIOps analyzes the configuration of your devices against Palo Alto Networks best practices to point out any potential gaps in your security posture.

Starting in October 2024, Strata Cloud Manager has two licensing tiers:

Strata Cloud Manager Essentials (previously AIOps for NGFW Free)
Strata Cloud Manager Pro (previously AIOps for NGFW Premium)


Two Different Onboarding Modes in SCM

You can onboard your NGFW to Strata Cloud Manager to either manage it or gain visibility/insights — these are two distinct modes.


Visibility / Telemetry Only (Monitoring)

This is what most SCM Essentials users do. The FW connects to SCM purely for telemetry, BPA, health insights, and AIOps.

Local GUI still fully works — you can add/remove policies, change config, commit — everything as normal. SCM just reads/observes; it does not control the firewall config.



How to Tell Which Mode You're In

On the firewall CLI:

show system info | match cloud-mode

Or check Device → Setup → Management in the local GUI — if you see a "Cloud Management" section showing SCM as the manager



admin@PA-Lab>
admin@PA-Lab> show system info | match cloud
cloud-mode: non-cloud
admin@PA-Lab>
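
An added example, not part of the original notes: a small Python audit that reads saved "show system info" output from several firewalls and reports which ones show cloud-mode: non-cloud, so a firewall whose configuration may be under SCM control does not go unnoticed. The hostnames, the sample captures and the value "cloud" are constructed assumptions; only "non-cloud" appears in the output above.

```python
import re

# Matches the "cloud-mode: <value>" line, whether it comes from the full
# "show system info" output or from the "| match cloud" filtered form.
CLOUD_MODE_RE = re.compile(r"^\s*cloud-mode:\s*(\S+)\s*$", re.MULTILINE)

# Constructed sample captures (hostname -> saved CLI text); not real devices.
SAMPLE_CAPTURES = {
    "PA-Lab": "admin@PA-Lab> show system info | match cloud\n"
              "cloud-mode: non-cloud\nadmin@PA-Lab>\n",
    # "cloud" is an assumed value used only to exercise the non-local branch.
    "PA-Branch": "hostname: PA-Branch\ncloud-mode: cloud\n",
    # Capture with no cloud-mode line at all (field missing or capture cut off).
    "PA-Old": "hostname: PA-Old\n",
}


def classify(output):
    """Return 'local', 'review' or 'unknown' for one firewall's CLI output."""
    match = CLOUD_MODE_RE.search(output)
    if match is None:
        return "unknown"   # field not present: check the GUI instead
    if match.group(1).lower() == "non-cloud":
        return "local"     # SCM only observes; local config stays authoritative
    return "review"        # any other value: confirm who manages the config


def audit(captures):
    """Classify every capture in a {hostname: output} mapping."""
    return {host: classify(text) for host, text in captures.items()}


def needs_attention(captures):
    """Hostnames whose management mode is not confirmed as local, sorted."""
    return sorted(h for h, state in audit(captures).items() if state != "local")


if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLE_CAPTURES).items()):
        print(f"{host:12} {state}")
    print("follow up:", ", ".join(needs_attention(SAMPLE_CAPTURES)))
```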





Strata Logging Service (SLS), formerly known as Cortex Data Lake, is a cloud-based logging infrastructure that collects and stores security-related data generated by Palo Alto Networks products.


By normalizing and stitching together this enterprise data, SLS enables security automation, increased accuracy of security analysis, and artificial intelligence (AI)-based innovations for cybersecurity.

Strata Logging Service stores a variety of types of security-related data from products acting as sensors.





When you purchase Strata Logging Service, all registered firewalls in your support account receive a Strata Logging Service license. You will also receive an authentication code that will be used to activate your Strata Logging Service instance.

To configure Panorama for Strata Logging Service, you will need to complete a few preliminary steps. These steps include downloading and installing the Cloud Services Plugin and generating a one-time password (OTP) within the Strata Logging Service app.



Strata Cloud Manager  (SCM) can be used with the following:
Prisma Access
NGFW
Cloud NGFW
VM NGFW
Prisma SDWAN









0. Activate Strata Cloud Manager. During the activation, create the tenant or choose an existing tenant.


1. Add device

   Hub-Common Services > [Add Device]



2. Associate Products

   Hub-Common Services > [Associate Products]



App-IDs and ports to which you must allow traffic to ensure that Panorama and the firewalls can successfully connect to Strata Logging Service:

paloalto-logging-service     TCP/444    (not necessary if you are using only device telemetry and do not have a Strata Logging Service license)
paloalto-shared-services     TCP/3978
panorama                     (content version earlier than 8290)



Phased Migration of AIOps for NGFW Free to Strata Cloud Manager
https://live.paloaltonetworks.com/t5/aiops-for-ngfw-discussions/phased-migration-of-aiops-for-ngfw-free-to-strata-cloud-manager/td-p/1121741#:~:text=Starting%20March%2017%2C%202025%2C%20we,phased%20approach%20over%20several%20weeks.&text=The%20migration%20of%20AIOps%20for,purchased%20from%20Palo%20Alto%20Networks.



Strata Cloud Manager Paid Premium Instance

1. Turn on telemetry on the device(s).
2. Purchase license and click link in welcome email.
3. Go to Palo Alto Networks Hub to activate.
4. Launch Strata Cloud Manager on the hub.
5. Associate licenses.
