F Palo Alto Firewalls Managed in the Future via Panorama or Strata Cloud Manager (SCM)? - The Network DNA: Networking, Cloud, and Security Technology Blog
Home / Paloalto / Panorama / SCM / Palo Alto Firewalls Managed in the Future via Panorama or Strata Cloud Manager (SCM)?

Palo Alto Firewalls Managed in the Future via Panorama or Strata Cloud Manager (SCM)?

May 20, 2026 , ,

Palo Alto Firewalls Managed in the Future via Panorama or Strata Cloud Manager (SCM)?

Published by THE NETWORK DNA  |  Updated 2025  |  10 Min Read

Quick Summary: Palo Alto Networks is actively shifting firewall management from the traditional on-premises Panorama platform toward its next-generation cloud-native solution — Strata Cloud Manager (SCM). This article dives deep into what this means for network security engineers, enterprise architects, and IT decision-makers.

<< Introduction: The Management Evolution in Palo Alto Networks

For over a decade, Palo Alto Networks Panorama has been the gold standard for centralized firewall management. Whether you managed 5 firewalls or 5,000, Panorama gave administrators a single pane of glass to push policies, view logs, and manage device groups across on-prem, hybrid, and cloud environments.

But times are changing. The rise of cloud-native architectures, zero-trust frameworks, and AI-driven security operations has pushed Palo Alto Networks to introduce Strata Cloud Manager (SCM) — a cloud-delivered, AI-powered management platform that promises to be the future of firewall and SASE management.

So, the million-dollar question every network security professional is asking is: Will Panorama be replaced by SCM? Should organizations migrate now? What are the differences?

Let us break it all down for you.

<< What is Palo Alto Panorama?

Panorama is Palo Alto Networks' on-premises (or VM-based) centralized management system. It allows security teams to:

  • Manage thousands of Next-Generation Firewalls (NGFWs) from a single interface
  • Push security policies, NAT rules, and security profiles centrally
  • Use Device Groups and Templates/Template Stacks for policy hierarchy
  • Aggregate logs and generate reports across all managed firewalls
  • Manage Prisma Access (GlobalProtect Cloud Service) in earlier versions
  • Integrate with SIEM tools, Cortex XSOAR, and third-party platforms

 Key Fact: Panorama is available as a physical appliance (M-Series), a virtual appliance, or a Panorama on AWS/Azure/GCP. It requires dedicated infrastructure, patching, and maintenance overhead.

☁️ What is Strata Cloud Manager (SCM)?

Strata Cloud Manager is Palo Alto Networks' next-generation, cloud-native management platform. Launched as part of the broader Strata by Palo Alto Networks portfolio, SCM is designed to unify the management of:

  • NGFW hardware and VM-Series firewalls
  • Prisma Access (SASE/cloud-delivered security)
  • Cloud-delivered security services (Advanced Threat Prevention, DNS Security, etc.)
  • Prisma SD-WAN
  • IoT Security, SaaS Security

SCM is accessible directly from the Palo Alto Networks hub (apps.paloaltonetworks.com) and requires no dedicated on-premises infrastructure. It leverages AI and ML to provide proactive security recommendations, configuration validation, and operational intelligence.

 Important: As of PAN-OS 11.x, Palo Alto Networks is actively positioning SCM as the strategic management platform for all next-generation firewalls, both hardware and cloud-native.

⚖️ Panorama vs. SCM: Head-to-Head Comparison

Feature / Criteria Panorama Strata Cloud Manager (SCM)
Deployment Type On-Premises / VM / Cloud-hosted 100% Cloud-native (SaaS)
Infrastructure Required Yes (M-500, VM, or Cloud VM) No dedicated infrastructure needed
AI/ML Integration Limited (via Cortex) Native AI-driven insights and recommendations
NGFW Management Yes (mature and feature-rich) Yes (evolving, features being added)
Prisma Access Management Partial (older versions) Full unified management
SD-WAN Management Limited Yes (Prisma SD-WAN integrated)
Licensing Model Per-device or appliance based Subscription-based (cloud)
Scalability Good (requires planning) Elastic (auto-scales in cloud)
Configuration Templates Template Stacks (mature) Snippets-based config (new approach)
Log Management On-premises log collectors Cloud-based log viewing (Strata Logging Service)
Zero Trust Support Manual implementation Built-in Zero Trust posture management
Future Investment Maintenance mode (eventually) Primary platform — actively developed

<< Why is Palo Alto Networks Pushing SCM Over Panorama?

Palo Alto Networks has been publicly transparent about its strategic direction: the future is cloud-delivered. Here are the core reasons SCM is being favored:

① Unified Platform for Hybrid Environments

Organizations today run a mix of physical NGFWs, VM-Series, CN-Series (container firewalls), and Prisma Access for remote users. Panorama can manage NGFWs well but doesn't natively unify the SASE layer. SCM bridges this gap by providing one interface for all security enforcement points.

② AI-Driven Security Posture Management

SCM includes built-in AI Security Posture Management (AI-SPM) capabilities. It can analyze your configuration, detect security gaps, recommend best practices, and even predict operational issues before they become outages — something Panorama cannot do natively.

③ Elimination of Management Infrastructure Overhead

Panorama requires dedicated hardware or VM maintenance, patching, high availability setup, and licensing. SCM eliminates this burden entirely — no appliances, no patching cycles, and no HA configurations needed for the management plane.

④ Subscription Economy and Licensing Simplification

As the industry moves toward subscription-based security services, SCM aligns with Palo Alto's PAN-OS Cloud Managed and Software NGFW licensing models that do not require separate Panorama licenses.

⑤ Zero Trust Network Access (ZTNA) 2.0 Integration

SCM is tightly integrated with Palo Alto's ZTNA 2.0 framework, making it ideal for organizations adopting Zero Trust architecture holistically — from perimeter to endpoint to cloud workload.

* Current Limitations of Strata Cloud Manager

SCM is powerful, but it's important to be honest about where it still lags behind Panorama (as of 2025):

  • Feature Parity: Panorama still has more mature features for large-scale enterprise NGFW management. Some advanced Panorama features like complex template variable overrides, certain log forwarding configurations, and older PAN-OS version support are still being built into SCM.
  • Internet Dependency: SCM requires a reliable internet connection to the Palo Alto cloud. Air-gapped environments or highly regulated networks (DoD, SCIF, etc.) may not qualify for SCM.
  • Learning Curve: Administrators experienced with Panorama's Device Group and Template Stack model will need to relearn SCM's Snippets and Configuration Scope methodology.
  • Migration Complexity: Migrating existing Panorama configurations to SCM is not yet a one-click operation. It requires planning, tool assistance, and testing.
  • Older PAN-OS Support: SCM management is optimized for PAN-OS 10.2+ and best with PAN-OS 11.x. Older firmware-based firewalls may still require Panorama.

* Is Panorama Being Deprecated or End-of-Life?

Short Answer: Not immediately — but the writing is on the wall.

As of 2025, Palo Alto Networks has not officially announced an End-of-Life (EoL) date for Panorama. However, the company's public roadmap, product announcements, and partner briefings strongly suggest that:

  • New features and innovations will primarily be invested in SCM
  • Panorama will continue to receive security patches and critical bug fixes
  • Enterprise customers on Panorama will be encouraged to migrate to SCM over the next 2-4 years
  • New Palo Alto NGFW deployments will increasingly default to Cloud-Managed (SCM) mode

⚠️ Advisory: If you are designing a new NGFW deployment today, seriously evaluate SCM as your management platform. If you have a large existing Panorama deployment, plan for migration in your 2025-2027 roadmap.

* Panorama to SCM Migration: What to Expect

Palo Alto Networks provides migration tooling and professional services support for organizations moving from Panorama to SCM. Here is a high-level migration approach:

1
Assessment & Inventory

Identify all Panorama-managed devices, PAN-OS versions, Device Groups, Templates, and log forwarding profiles. Verify SCM compatibility with each device firmware version.

2
Pilot Deployment

Onboard 2-5 non-critical firewalls to SCM in parallel with Panorama. Validate that policies, objects, and templates translate correctly into SCM's Snippets model.

3
Configuration Export & Import

Use Palo Alto's migration tools or professional services to export Panorama configurations and import them into SCM. Validate address objects, security zones, and NAT policies.

4
Logging Migration

Redirect log forwarding from local Panorama Log Collectors to Strata Logging Service (cloud-based). Ensure SIEM integrations are updated accordingly.

5
Full Cutover & Panorama Decommission

Once all devices are onboarded to SCM and validated, decommission Panorama. Retain Panorama for read-only archive access if required by compliance.

* Key Use Cases: When to Choose SCM vs. Panorama Today

Scenario Panorama SCM
New greenfield NGFW deployment (2025) ✔ Recommended
Existing large Panorama deployment (500+ firewalls) ✔ Continue + plan migration Evaluate gradually
Prisma Access + NGFW hybrid management ✔ Recommended
Air-gapped / classified network environment ✔ Recommended ☐ Not feasible
MSP / MSSP multi-tenant management ✔ Panorama MSP mode SCM Multi-tenant (evolving)
Zero Trust network architecture project Manual ZT implementation ✔ Recommended
PAN-OS 9.x / 10.0 firewalls still in use ✔ Supported ☐ Limited support

* SCM's AI-Powered Features: The Real Game Changer

One of the biggest differentiators SCM brings to the table is its native artificial intelligence and machine learning capabilities. These are not bolt-on features — they are deeply integrated into the platform:

1. AI Security Posture Management

SCM continuously analyzes your firewall configurations against Palo Alto Networks best practices and threat intelligence. It flags misconfigurations, overly permissive rules, and security gaps with actionable remediation steps.

2. Predictive Health Insights

Using telemetry from millions of Palo Alto devices globally, SCM can predict hardware failures, resource exhaustion, and policy conflicts before they cause downtime — a true AIOps capability.

3. Automated Policy Optimization

SCM identifies unused, shadowed, or redundant security policy rules across your firewall estate and recommends cleanup actions — something that typically takes weeks of manual analysis in Panorama.

4. Natural Language Policy Creation (Future)

Palo Alto Networks has hinted at natural language-driven policy creation in SCM — where admins type plain English requests like "allow marketing team access to Salesforce" and SCM translates them into precise security policies using AI.

* Expert Recommendations for 2025 and Beyond

Based on Palo Alto Networks' product direction, field engineering insights, and industry analyst reports, here are actionable recommendations:

 For New Deployments: Deploy all new NGFW and Prisma Access environments under SCM. Take advantage of cloud-native management from day one and avoid building Panorama technical debt.

 For Existing Panorama Users: Start a phased SCM pilot in Q1 2025. Onboard your DMZ or branch firewalls first, learn SCM's operational model, and build internal expertise before migrating core data center firewalls.

 For MSSPs: Watch SCM's multi-tenancy evolution closely. Panorama remains strong for multi-tenant management today, but Palo Alto Networks is actively building SCM multi-tenant capabilities that will eventually surpass Panorama's MSP features.

 For Government / Regulated Industries: Continue with Panorama for air-gapped environments. Monitor FedRAMP-authorized SCM availability for compliance-eligible cloud deployments.

 For Training and Certifications: Study both Panorama and SCM for current PCNSE and PCCSE certifications. SCM knowledge will become increasingly important in future certification exams and job requirements.

⁉️ Frequently Asked Questions (FAQs)

Q: Can I use both Panorama and SCM at the same time?

A: Yes. A single NGFW can be managed by only one management platform at a time. However, you can run some firewalls under Panorama and others under SCM during a phased migration. You cannot dual-manage the same firewall simultaneously.

Q: Does SCM require a separate license?

A: SCM management is included with Palo Alto's cloud-managed firewall subscriptions. For existing NGFWs with traditional licenses, check with your Palo Alto account team about SCM entitlements tied to your active subscriptions.

Q: Is SCM suitable for small businesses with just 2-3 firewalls?

A: Absolutely. In fact, SCM is even more appealing for small teams that cannot afford the overhead of maintaining a dedicated Panorama instance. The cloud-based model eliminates infrastructure costs entirely.

Q: Will Panorama skills become obsolete?

A: Not immediately. Panorama knowledge will remain relevant through at least 2027-2028 given the large installed base. However, actively learning SCM now puts you ahead of the industry curve and increases your market value as a security engineer.

Q: How does SCM handle firewall configuration backups?

A: SCM maintains configuration history in the cloud with version control capabilities. This is actually an improvement over Panorama's manual backup process, providing automatic versioning and rollback options.

* Conclusion: The Future is SCM — But Panorama Isn't Dead Yet

The trajectory is clear: Strata Cloud Manager is the future of Palo Alto Networks firewall management. It offers a cloud-native, AI-powered, unified management experience that Panorama simply cannot match in the long run. However, Panorama remains a battle-tested, feature-rich platform that will continue to serve enterprise environments — especially those with complex on-premises requirements, regulated industries, or air-gapped deployments — for the foreseeable future.

The smart approach for 2025 is a strategic coexistence with a clear migration roadmap. Organizations should begin SCM adoption now with new projects and lower-risk environments while managing the controlled sunset of Panorama over the next 2-4 years.

Network security professionals who master both platforms today — understanding Panorama's depth while embracing SCM's cloud-native capabilities — will be the most valuable assets in the security industry as this management paradigm shift accelerates.

* Ready to Evaluate SCM for Your Organization?

Visit apps.paloaltonetworks.com to access Strata Cloud Manager and start your free evaluation. Contact your Palo Alto Networks partner for a migration assessment tailored to your environment.

Tags: Palo Alto Firewall Management, Panorama vs SCM, Strata Cloud Manager, Palo Alto SCM, NGFW Management 2025, Panorama Migration, Palo Alto Networks Future, Cloud Managed Firewall, PAN-OS Management, Zero Trust Firewall, Prisma Access Management, Palo Alto AI Security, Network Security Management, PCNSE Study, Firewall Automation

© 2026 THE NETWORK DNA | This article is for educational purposes. Product features may change. Always refer to official Palo Alto Networks documentation for the latest information.