What's New in ASMS A33.20

Release date: January 2026

We’re thrilled to announce the release of ASMS A33.20, a major upgrade that takes automation, compliance, and application-centric visibility to the next level. This version delivers broader context, deeper insight, and smarter workflows—helping you reduce risk, accelerate remediation, and strengthen governance across complex hybrid and multi-cloud networks.

Highlights in this release include:

Devices & Orchestration

Palo Alto Networks

  • Palo Alto NGFWs managed by Strata Cloud Manager (SCM)

    Firewall Analyzer now supports integration with Strata Cloud Manager (SCM), providing policy visibility, Traffic Simulation Queries, risk analysis, and more for Palo Alto NGFWs. See Palo Alto Strata Cloud Manager.

  • Logical Routers

    Aligned with Palo Alto’s architecture, Firewall Analyzer now supports Logical Routers, which are part of the Advanced Routing Engine, enabling broader production use cases and extended support. See Inter-VR/LR routing / Inter-VSYS support.

FortiManager

  • Policy Blocks

    ASMS now supports FortiManager Policy Blocks visibility and analytics. Policy Blocks are reusable groups of firewall rules designed to represent specific functionality or operational logic. See Note: Policy Block Rules (FortiManager v6.2.0+).

  • FortiManager | Modify Rule with ActiveChange

    You can now use ActiveChange to automatically implement changes in the rule modifications workflow for your FortiManager devices.

Cisco FMC | Prefilter Policy

ASMS now supports Cisco FMC Prefilter Policy visibility and analytics.

Google Cloud

  • Load Balancer Support

    You can now view Google Cloud Load Balancers on the ASMS map. Supported types include network load balancers with passthrough enabled, both external and internal.

  • Traffic Simulation Query Support

    The ASMS map now includes Google Cloud support and enables Traffic Simulation Queries. You can also choose a VPC object as the source and/or destination for your simulations. See Google Cloud Projects in AFA.

  • Network Firewall Policy Support in FireFlow

    FireFlow now supports Google Cloud Network Firewall Policy and provides work order recommendations for traffic change requests. See Note for Google Cloud NGFW Policy.

Enhanced Support for Time Objects in Edit Work Order

FireFlow now supports time-based objects in the Work Order recommendation for selected NGFW brands. Work Order recommendations now include the rule’s associated time object field. You can change its value directly in FireFlow via the Edit Work Order. See Support for Time Objects in Edit Work Order.

Mixed Objects in Change Requests

Change requests now support mixed objects (IPs and FQDNs) to match real-world policy semantics and simplify approvals.

Security Estate Visibility

Risk Profile | Application Awareness

Risk evaluations can now consider business application context, prioritizing exposures that truly matter. You can create services groups that include both services and applications. See Customize risk and compliance management.

CIS Baseline Compliance for Palo Alto Networks Panorama

Assess and track baseline conformance out-of-the-box. See (Optional) Configure device details.

Automation from Reports

You can now automate rule removal directly from the Disabled Rules report on the Policy Optimization page. See Automate rule removal change requests from the Disabled Rules report.

User Interface Enhancements

Refreshed navigation and ergonomics: New top and side bars, improved Device Tree, and streamlined login for faster daily workflows.

The Extended Baseline Compliance Add-on

The Extended Baseline Compliance Add-on is an open-source GitHub tool that integrates directly with ASMS. It retrieves baseline compliance data and enriches it with trusted vulnerability intelligence sources. The add-on also provides Cisco End-of-Life and End-of-Sale monitoring. Together, these capabilities deliver a unified, automated view of device compliance, risk, and lifecycle status. Export everything to Excel for deeper analysis and executive-ready documentation. See AlgoSec Extended Baseline Compliance Add-on.

Application Connectivity

Application Recertification

  • Recertification grid: Central view to review and renew application access. See Recertification tab.
  • Flow recertification: Validate individual flows and remove stale access quickly.
  • Status in AFA: You can now display in Firewall Analyzer the certification status of rules that are linked to flows.

AI-Based Application Discovery (via AFA)

Leverage Firewall Analyzer data to suggest candidate applications, accelerating onboarding applications to AppViz. See AI-Driven Application Discovery in AppViz.

ACE App Analyzer - AppViz Integration | Import Cloud Applications

Deeper integration with ACE Cloud App Analyzer improves lineage, mapping, and context for cloud-native applications. See Import applications discovered by ACE Cloud App Analyzer.

ObjectFlow | Associate Objects to Applications

You can now see which applications are using a specific network object to close the loop between policy artifacts and business context.

Platform

Algo

AlgoSec Algo is your AI-powered security policy management assistant. It delivers fast, natural-language access to core ASMS functionality directly in Microsoft Teams so you can stay in your workflow without switching tools. See Welcome to Algo.

ASMS Deployment Updates

ASMS is now in Beta for deployment on AWS HA nodes and on Nutanix AHV. See Supported deployments per architecture structure.

Report Performance and Storage Optimization Improvements

Release 33.20 introduces report performance and storage optimizations by migrating Network Object static HTML files to dynamic pages backed by a compressed SQLite database. This change significantly reduces storage usage (up to 72% for large devices) and improves UI responsiveness.

Security Updates

Platform hardening and dependency updates to keep your deployment resilient and compliant.

AlgoSec Cloud Enterprise (ACE)

Azure Unified Onboarding to ASMS is now GA (ACE ↔ ASMS)

Add your Azure subscription in ACE and get synchronized onboarding in ASMS, inheriting role-based access and reusing existing scripts/APIs. See Simultaneously onboard Azure subscriptions into ACE and ASMS.

AWS

  • TSQ for accounts/VPCs with no assets: Run targeted security queries even when asset inventory is sparse.

  • Enhanced VM scan: Deeper agentless scanning of EBS volumes across regions for vulnerabilities, malware, and exposed secrets. See Cloud App Analyzer Application Discovery.