Sign in Get started

Palo Alto Strata Cloud Manager Optimization

Analyze and optimize SCM-managed policy sets with cloud-native visibility into shadowed rules, stale objects, and change-risk hotspots before deployment windows.

Start SCM Analysis View Optimization Platform

Cloud Policy Hygiene

Identify redundant, legacy, and low-value rule segments across SCM policy sets.

Security Gap Analysis

Spot mismatched intent and risky access patterns prior to rollout changes.

Actionable Cleanup Plan

Generate prioritized remediation guidance for engineering and change-approval workflows.

Optimization and Migration to Strata Cloud Manager

Strata Cloud Manager changes the shape of policy review. Instead of Panorama's device-groups and XML candidate configs, SCM delivers policy through a cloud-managed folder and snippet hierarchy where rules inherit down the tree. That inheritance is powerful, but it hides debt: a rule three folders deep can be permanently dead because a parent-folder rule already matches the traffic — something that is hard to see by eye. NetConverter parses the SCM policy into a vendor-neutral model and evaluates the effective rule base, surfacing shadowing, redundancy, over-permissive any-any-allows, and unused or duplicate address and service objects as a prioritized, exportable cleanup plan.

The same parsed model also drives migration toward SCM. When you bring a Cisco ASA, FortiGate, or Palo Alto PAN-OS / Panorama configuration in, NetConverter normalizes it once, then its SCM serializer transforms that model into Strata Cloud Manager REST API objects — tags, addresses, services, address-groups, service-groups, zones, security rules, and NAT rules — emitted in dependency-push order into a target folder you choose. Device-group intent from Panorama is mapped onto the SCM folder hierarchy, so the result is reviewable before you activate it. Cleaning up first and migrating from the same data means you carry intent forward, not technical debt.

Related: see the Panorama → Strata Cloud Manager migration guide, the optimization platform, Panorama vs. Strata Cloud Manager optimization, and Cisco ASA → Palo Alto migration.

Frequently Asked Questions

What does Strata Cloud Manager optimization check?
NetConverter analyzes SCM-managed policy for shadowed and redundant security rules across the folder hierarchy, over-permissive any-any-allow entries, unused address and service objects, and duplicate objects defined under different names. Because SCM inherits policy down a folder/snippet tree, NetConverter also surfaces rules that are effectively dead because a parent-folder rule already matches the traffic. Findings are returned as a prioritized, exportable cleanup plan.
Can NetConverter migrate a Panorama configuration to Strata Cloud Manager?
Yes. NetConverter normalizes the source configuration into a vendor-neutral model, then its SCM serializer transforms that model into Strata Cloud Manager REST API objects — tags, addresses, services, address-groups, service-groups, zones, security rules, and NAT rules — emitted in dependency-push order and targeted at an SCM folder you specify.
How does Strata Cloud Manager differ from Panorama as a migration target?
Panorama organizes policy with device-groups and templates and is configured via XML; Strata Cloud Manager uses a cloud-delivered folder and snippet hierarchy configured via REST API. When targeting SCM, NetConverter maps device-group intent onto SCM folders and produces structured API objects rather than a flat XML candidate config.
Does optimization push changes to SCM automatically?
Optimization is analysis-only — it reads policy and returns recommendations your team applies during a change window. Writes to SCM only occur when you run a migration that targets SCM, in which case the generated API objects are pushed into the folder you choose so the result is reviewable before activation.
Which source firewalls can be analyzed or migrated toward Strata Cloud Manager?
NetConverter parses Cisco ASA, FortiGate/FortiOS, and Palo Alto PAN-OS and Panorama configurations into the same vendor-neutral model. That model drives both the optimization analysis and the Strata Cloud Manager object output, so a clean-up pass and a migration toward SCM start from identical parsed data.