Capability Domains met by Palo Alto Networks

Establish System Access Requirements

Palo Alto Networks Next-Generation Firewalls (NGFWs) and services follow a deny-all, permit-by-exception model: traffic between zones is dropped unless a security policy rule explicitly allows it. This lets agencies derive system access requirements from operational need and enforce them as least-privilege, Zero Trust policy. One caveat a practitioner should keep in mind: the predefined intrazone-default rule allows traffic that stays within a single zone, so traffic inside a zone is only denied if an explicit rule, or an override of that default rule, says so.

Control Internal System Access

Palo Alto Networks NGFWs provide both an application view (App-ID) and a web view (URL Filtering) to address legal, regulatory, productivity, and resource-utilization risks. App-ID identifies the applications on the network so that organizations can see how each application behaves and what risk it carries. That knowledge feeds directly into security policy rules that allow, inspect, and shape the applications the organization wants while blocking the ones it does not. Once a rule allows traffic, App-ID classifies that traffic automatically; no additional configuration is needed.

Control Remote System Access

For mobile or roaming users, Prisma Access and the GlobalProtect endpoint app supply user mapping information directly to the firewall. Every endpoint running GlobalProtect must authenticate before it is granted VPN access, and the resulting IP-address-to-username mapping is written into the firewall's User-ID table for visibility and user-based policy enforcement. Because the mapping comes from an explicit, authenticated login rather than being inferred from logs or directory events, the identity behind each address is known with certainty. This makes GlobalProtect the preferred mapping source for sensitive environments where user identity must be unambiguous.

Limit Data Access to Authorized Users & Processes

With our NGFWs, individual security policy rules decide whether a session is allowed or blocked based on its attributes: source and destination security zone, source and destination IP address, application, user, and service. Rules are evaluated top to bottom and the first match wins, so rule order is part of the policy; a session that matches no rule falls through to the predefined default rules, where traffic between zones is denied.
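The following is an added example, not Palo Alto Networks code or configuration. It models the policy evaluation described above (first match wins, unmatched traffic falls to the predefined intrazone-default allow and interzone-default deny) and the User-ID lookup described under "Control Remote System Access", where a session only matches a user-based rule if its source IP has an authenticated mapping. The rule names, zones, addresses, users and the small application-default port table are all constructed for illustration; a real firewall takes the port-to-application defaults from its content database.

```python
"""Toy first-match security policy evaluator (added example, not PAN-OS code)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

ANY = "any"


@dataclass
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    from_zone: str = ANY
    to_zone: str = ANY
    source: str = ANY           # CIDR or "any"
    destination: str = ANY      # CIDR or "any"
    application: str = ANY
    source_user: str = ANY      # "any", "known-user", or one specific user
    service: str = ANY          # "any", "application-default", or e.g. "tcp/443"


@dataclass
class Session:
    from_zone: str
    to_zone: str
    src_ip: str
    dst_ip: str
    application: str            # what App-ID identified
    service: str                # transport/port actually used
    user: Optional[str] = None  # filled in from the User-ID mapping


# Constructed User-ID table: entries appear when a GlobalProtect user logs in.
USER_ID_MAP = {
    "10.1.1.10": "corp\\alice",
    "10.1.1.11": "corp\\bob",
}

# Constructed stand-in for the application-default ports of a few applications.
APP_DEFAULT_PORTS = {
    "web-browsing": {"tcp/80"},
    "ssl": {"tcp/443"},
    "ssh": {"tcp/22"},
}


def _match_addr(pattern: str, ip: str) -> bool:
    return pattern == ANY or ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _match_user(pattern: str, user: Optional[str]) -> bool:
    if pattern == ANY:
        return True
    if pattern == "known-user":          # any authenticated, mapped user
        return user is not None
    return user == pattern


def _match_service(pattern: str, app: str, service: str) -> bool:
    if pattern == ANY:
        return True
    if pattern == "application-default":  # app must run on its standard port
        return service in APP_DEFAULT_PORTS.get(app, set())
    return service == pattern


def matches(rule: Rule, s: Session) -> bool:
    return (rule.from_zone in (ANY, s.from_zone)
            and rule.to_zone in (ANY, s.to_zone)
            and _match_addr(rule.source, s.src_ip)
            and _match_addr(rule.destination, s.dst_ip)
            and rule.application in (ANY, s.application)
            and _match_user(rule.source_user, s.user)
            and _match_service(rule.service, s.application, s.service))


def evaluate(rulebase: list, session: Session) -> tuple:
    """Return (action, rule_name) for the first matching rule, else a default rule."""
    session.user = USER_ID_MAP.get(session.src_ip)   # User-ID lookup by source IP
    for rule in rulebase:
        if matches(rule, session):
            return rule.action, rule.name
    # Predefined PAN-OS defaults: same zone allowed, different zones denied.
    if session.from_zone == session.to_zone:
        return "allow", "intrazone-default"
    return "deny", "interzone-default"


# Constructed rulebase; order matters because the first match wins.
RULEBASE = [
    Rule("block-ssh-from-guest", "deny", from_zone="guest", application="ssh"),
    Rule("allow-web-known-users", "allow", from_zone="trust", to_zone="untrust",
         source="10.1.1.0/24", application="web-browsing",
         source_user="known-user", service="application-default"),
    Rule("allow-ssh-admins", "allow", from_zone="trust", to_zone="dmz",
         application="ssh", source_user="corp\\alice", service="application-default"),
]

if __name__ == "__main__":
    for s in [Session("trust", "untrust", "10.1.1.10", "203.0.113.5", "web-browsing", "tcp/80"),
              Session("trust", "untrust", "10.1.1.50", "203.0.113.5", "web-browsing", "tcp/80"),
              Session("trust", "dmz", "10.1.1.11", "10.2.0.5", "ssh", "tcp/22")]:
        print(s.src_ip, s.application, "->", evaluate(RULEBASE, s))
```

The second session in the usage block is the case the remote-access section cares about: 10.1.1.50 sits inside the allowed subnet, but it has no User-ID mapping, so the "known-user" rule does not match and the session falls to interzone-default deny. The third shows that a user-specific rule does not match a different mapped user, and a web-browsing session on a non-standard port would likewise miss an application-default rule.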