Zero Trust Enterprise Overview

Introduction
Stories of security breaches that expose sensitive data are in the news every week. These events can result in significant personal impact on those who have information exposed, as well as a loss of trust and financial penalties for the compromised companies. New industry standards and government regulations are developing at a rapid pace, forcing organizations to constantly evaluate their security posture and increase the overall level of security.
Digital transformation is also driving changes that require a different approach to security. To accommodate the hybrid workforce, enterprises are transforming their cybersecurity infrastructure and migrating applications to the cloud, while also looking to automate security operations. Users expect fast and convenient access to applications, products, and services from anywhere and from a wide variety of devices. This guide describes how you can implement Zero Trust principles and optimize your security practices.
The Implicit-Trust Problem
Implicit trust is a term used to describe the elimination of security controls in specific contexts, the most common being user location. For example, you might allow a user located inside the office full access to internal applications with only a single verification of identity, but from a remote location, the same user would require additional security controls—like two-factor authentication, threat prevention, and data loss prevention (DLP)—to access the same applications. Used in traditional security models, implicit trust is a vulnerability as dangerous as any other.
Corporate Network Implicit Trust
Traditional perimeter-based security wrongly assumes that all users and devices inside the corporate network can be trusted and that a full security stack at the internet edge is sufficient for securing corporate data. In this approach, implicit trust is granted in the private zone of the perimeter firewall. Only transaction flows destined to the public zone for internet and SaaS applications are considered untrusted and inspected.

Traditional perimeter-based security is no longer adequate for protecting an organization’s assets. Mobile devices moving on and off the corporate network, data and applications moving to the cloud, stealth malware, and attacks masquerading as legitimate applications or hiding in encrypted traffic have blurred the edges of the perimeter.
Attacks on sensitive data rarely use just a single exploit or compromised credential. Attackers use a composite of exploits, malware, compromised credentials, and other methods together to work their way from their beachhead in an organization to the target system. Often attackers use one method after another. Malware might supply a user’s credentials, which in turn provide limited access to their organization’s network. Once inside, the attacker moves around the private network and places other malware on privileged devices. The attacker eventually steals data, denies service, or encrypts the target system so that they can demand a ransom.
Remote Access Implicit Trust
Traditional virtual private networks (VPNs) for remote access also assume implicit trust, allowing user access to all corporate applications after the user authenticates into the corporate VPN. With implicit trust, you might apply one set of security controls when users access internet and SaaS applications via a remote access VPN, and you might apply a separate set of security controls when users access the same resources from the corporate network.

The Need for a Strategic Approach
Many traditional security policies are built around implicit trust, and these policies vary between locations, focusing on blocking what is considered a risk at each location. The use of disparate point solutions can result in threat and policy information that is siloed within the different enforcement points. Due to the manual correlation of the non-integrated solutions, coordinating a comprehensive security posture for protecting against breaches and data loss is slow and ineffective.
The biggest challenge for many organizations is defining a consistent security model that provides the required security controls holistically across the organization. Adopting a Zero Trust approach helps remedy the vulnerabilities associated with implicit trust in current security policies.
What is Zero Trust
The Zero Trust approach is based on the principle that no user, device, or transaction from inside or outside of the network can be trusted. The elimination of implicit trust promotes a consistent security policy regardless of the situation. The framework focuses on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. In Zero Trust, authentication and authorization are critical, not just in the initial connection but at every stage of the digital interaction.
Traditional security models target the protection of the entire attack surface, which is difficult to identify and constantly evolving. In a Zero Trust framework, you define a protect surface, which is made up of the most critical and valuable data, assets, applications, and services (DAAS). Because it contains only what is most critical to an organization’s operations, the protect surface is orders of magnitude smaller than the attack surface, and it is always knowable.
In Zero Trust, only known, allowed traffic can access the protect surface. Users have access to the data and applications they need in order to perform their tasks but nothing more. This is known as least-privileged access, and it is enforced using a segmentation gateway implemented with a next-generation firewall (NGFW).

Zero Trust Frameworks
There are several standard frameworks that provide guidance on how to implement Zero Trust strategies.
Example frameworks include NIST 800-207, Google’s BeyondCorp, and Microsoft’s Zero Trust framework. You can use the guidelines in these frameworks to evaluate your posture and formulate a strategy to secure your critical assets. These Zero Trust frameworks do not prescribe a specific product or technology but instead help you evaluate your specific protect surface. This evaluation is key to identifying the right security controls to put in place.
NIST 800-207 defines a framework in which you grant access to a resource through a policy decision point and corresponding policy enforcement point. This architecture framework defines the following basic tenets as targets for a Zero Trust deployment:
- All data sources and computing services are considered resources.
- All communication is secured regardless of network location.
- Access to individual enterprise resources is granted on a per-session basis.
- Dynamic policy determines access to resources.
- The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
NIST 800-207 recommends that you also develop a Zero Trust network architecture with the following assumptions:
- The entire enterprise private network is not considered an implicit trust zone.
- The enterprise might not own or configure devices on the network.
- No resource is inherently trusted.
- Not all enterprise resources are on enterprise-owned infrastructure.
- Remote enterprise subjects and assets cannot fully trust their local network connection.
- Assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture.
Google’s BeyondCorp combines single sign-on, access-control policies, an access proxy, and user- and device-based authentication and authorization. The BeyondCorp principles are:
- Access to services must not be determined by the network from which you connect.
- Access to services is granted based on contextual factors from the user and their device.
- Access to services must be authenticated, authorized, and encrypted.
Microsoft’s Zero Trust framework defines the following guiding principles for Zero Trust:
- Verify explicitly —Always authenticate and authorize based on all available data points, including user identity, location, device health, service or workload, data classification, and anomalies.
- Use least-privileged access —Limit user access with just-in-time and just-enough-access, risk-based adaptive policies, and data protection to help you secure both data and productivity.
- Assume breach —Minimize blast radius and segment access. Verify end-to-end encryption and use analytics to get visibility, drive threat detection, and improve defenses.
When comparing the frameworks defined by standards bodies, analysts, and security vendors, a common set of guidelines emerges:
- Validate users and verify device integrity.
- Secure the access and enforce least-privileged user and device access to data and applications.
- Secure the transactions, prevent threats, and protect data.
Zero Trust Enterprise with the Palo Alto Networks Portfolio
The Palo Alto Networks Zero Trust Enterprise is a modern, strategic, platform-based approach to security. Zero Trust Enterprise is an end goal for security teams that want to implement zero trust principles, guide their security practices, and optimize their procurement across an entire enterprise.
Pillars and Capabilities
At its core, Zero Trust Enterprise is about eliminating implicit trust and verifying every digital transaction. Authentication and authorization are critical not just in the initial connection but at every stage of the digital interaction.
The Zero Trust Enterprise approach is organized into the following three pillars and security capabilities:
- Zero Trust for users —Step one of any Zero Trust effort requires strong authentication for verifying user identity. Complementing strong authentication with the verification of user device integrity provides another layer of security by ensuring the user’s device software has not been compromised. After the user identity and device security have been verified, least-privileged access policies ensure controlled network access to critical data and applications. Finally, to achieve Zero Trust, scanning of all transactions protects against malicious activity.
- Zero Trust for applications —To secure private data centers and cloud applications, organizations must remove all implicit trust and enforce cybersecurity checks across the entire application development lifecycle. To ensure least-privileged access to applications and infrastructure, the identity and entitlements granted to the developers, DevOps, and admins must be validated. Workloads accessing other workloads should mutually verify identity and apply least-privileged connectivity for the application. To prevent lateral movement of malware, you should enforce microsegmentation. You should continuously monitor workloads for misconfigurations, vulnerabilities, and indicators of compromise.
- Zero Trust for infrastructure —All critical infrastructure, IT/OT systems, points of sale, medical devices, supply chains, and more must be secured with a Zero Trust approach. The main difference between the Zero Trust approaches for users and infrastructure is the constraint that IoT devices are headless and most have limited authentication capabilities. To accurately verify the identity of the device in order to create least-privileged access policies, additional inspection is required.
The tools and techniques for enforcing Zero Trust Enterprise capabilities might vary for each protect surface. For example, although you can use an inline NGFW in order to secure all user transactions to an application in a private data center, for visibility into in-cloud transactions from the internet, a SaaS application might require an API-based approach.
The following table summarizes the security capabilities required for each of the three Zero Trust Enterprise pillars.
Table 1: Key Zero Trust Enterprise capabilities
Pillar | Identity validated | Device/workload | Access | Transaction |
---|---|---|---|---|
Zero Trust for users | Users, with strong authentication | Verifies user’s device integrity | Enforces least-privileged user access to data and applications | Scans all content for malicious activity and data theft |
Zero Trust for applications | Developers, DevOps, and admins, with strong authentication | Verifies workload integrity | Enforces least-privileged access for workloads accessing other workloads | Scans all content for malicious activity and data theft |
Zero Trust for infrastructure | All users who have access to infrastructure | Identifies all devices, including IoT devices | Enforces least-privileged access segmentation for native and third-party infrastructure | Scans all content within the infrastructure for malicious activity and data theft |
Relationship between Zero Trust Pillars and Core Security Capabilities.
Platforms for Zero Trust: Network Security Platform
The network security platform provides consistent protection and experience wherever users, devices, and applications reside. The network security platform is offered as a cloud-delivered Secure Access Service Edge (SASE) solution or with on-premises hardware and software. The network security platform consists of NGFW, Prisma Access, and a set of cloud-delivered security services.

NGFW (Next-Generation Firewall)
Powered by the Palo Alto Networks operating system, PAN-OS®, the Palo Alto Networks NGFW gives you complete visibility, threat protection, and control of applications in use by all users, in all of your locations, all the time. The NGFWs have three flexible deployment options:
- PA-Series —Physical appliance NGFWs for various locations requiring high-speed/high-density connectivity.
- VM-Series —Virtualized form-factor NGFWs for public and private cloud environments.
- CN-Series —Containerized NGFWs for securing Kubernetes clusters.
Each NGFW performs multiple security functions with a single-pass architecture: all elements of threat protection are applied in one pass over each packet, processed in parallel, which increases performance and flexibility.

Prisma Access (SASE)
Also powered by PAN-OS, Prisma Access is a cloud-hosted NGFW service (part of Prisma SASE) that provides secure access to internet, SaaS, and private applications for mobile users and remote sites. It offers Firewall-as-a-Service capabilities, inspecting all traffic.
Prisma Access provides elasticity and simplifies security deployment for distributed organizations.

Cloud-Delivered Security Services
Integrated with NGFWs and Prisma Access, these subscription services coordinate intelligence and provide protection across attack vectors:
- Enterprise DLP: Discovers, monitors, and protects sensitive data across multiple enforcement points.
- Next-Generation CASB: Provides visibility and control over sanctioned and unsanctioned SaaS applications (SaaS Security Inline and SaaS Security API).
- Threat Prevention: Blocks exploits, malware, spyware, and C2 using Antivirus, Anti-Spyware, and Vulnerability Protection profiles.
- Advanced URL Filtering: Prevents web-based threats, including phishing and malware delivery, using real-time analysis and ML.
- WildFire®: Cloud-based threat analysis and sandboxing service for unknown files and URLs, generating protections automatically.
- DNS Security: Protects against threats using DNS, such as DGA, tunneling, and malicious domains, leveraging ML and predictive analytics.
- IoT Security: Discovers, assesses risk, and enables policy enforcement for IoT devices using existing NGFWs as sensors.
- GlobalProtect™: Extends NGFW security policies to mobile users, providing VPN access and endpoint posture assessment (HIP).
Relationship between the core NGFW/Prisma Access platform and its integrated cloud-delivered security services.
Platforms for Zero Trust: Prisma Cloud
Prisma Cloud is Palo Alto Networks' Cloud Native Application Protection Platform (CNAPP), providing comprehensive security and compliance coverage across the full application lifecycle and hybrid/multi-cloud environments.

It integrates security into development workflows and protects applications at runtime.
Cloud Code Security
Shifts security left, integrating into developer toolchains:
- IaC Security: Scans Infrastructure-as-Code templates (Terraform, CloudFormation, etc.) for misconfigurations and vulnerabilities.
- Secrets Scanning: Detects hardcoded secrets (passwords, API keys) in code and images.
- Container Image Scanning: Identifies vulnerabilities and compliance issues in container images.
- Repository Scanning: Scans code repositories for vulnerabilities in open-source dependencies (Software Bill of Materials, SBOM).
Cloud Security Posture Management (CSPM)
Provides visibility, compliance monitoring, and threat detection for cloud infrastructure:
- Visibility, Compliance, Governance: Asset inventory, continuous compliance monitoring against standards (CIS, NIST, PCI, HIPAA), and custom frameworks.
- Threat Detection: User and Entity Behavior Analytics (UEBA) using ML to detect anomalous activity; network anomaly detection.
- Data Security: Integrates Enterprise DLP and WildFire to scan cloud storage (like S3) for sensitive data exposure and malware.
Cloud Workload Protection Platform (CWPP)
Secures running hosts, containers, and serverless functions:
- Components: Console (centralized management) and Defender (agent deployed on workloads).
- Capabilities: Vulnerability management, compliance checks, runtime protection (process monitoring, file integrity, network visibility), Web Application and API Security (WAAS).
- Agentless Scanning: Option to scan VM risks without installing an agent.
Cloud Network Security
Addresses challenges of dynamic cloud networking:
- Identity-Based Microsegmentation: Assigns cryptographic identities to workloads, allowing policies based on identity rather than ephemeral IP addresses. Reduces attack surface and enables tracking across environments. Discovers application flows and enforces policies based on learned behavior or declarative rules.
Cloud Identity Security (CIEM)
Manages Cloud Infrastructure Entitlement Management:
- Discovers human and machine identities across clouds.
- Analyzes entitlements, roles, and policies to identify overly permissive access.
- Provides visibility and governance for IAM risks.
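The kind of entitlement analysis described above, as an added example that is not Prisma Cloud code: it walks constructed AWS-style IAM policy documents (the JSON structure is the real IAM format; the policy names and contents are made up for the example) and flags the patterns an entitlement review checks first: full wildcards, service-wide action wildcards, NotAction/NotResource grants, and unconditioned write actions on Resource "*".

```python
"""Flagging overly permissive entitlements in IAM policy documents.

Added example, not Prisma Cloud code.  The policy documents below are
constructed for the example; only the IAM JSON structure is real.
"""

# Constructed policies, keyed by the hypothetical role they are attached to.
SAMPLE_POLICIES = {
    "ci-deploy-role": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "reporting-lambda": {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket"],
             "Resource": ["arn:aws:s3:::reports-bucket", "arn:aws:s3:::reports-bucket/*"]},
            {"Effect": "Allow", "Action": "logs:*", "Resource": "*"},
        ],
    },
    "break-glass-admin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"}],
    },
}

# Action-name prefixes treated as read-only for the Resource "*" check.
READ_PREFIXES = ("Get", "List", "Describe", "Head")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def analyze_policy(name, document):
    """Return (location, finding) pairs for each Allow statement in one policy."""
    findings = []
    for i, st in enumerate(document.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        loc = f"{name}#{i}"
        if "NotAction" in st or "NotResource" in st:
            findings.append((loc, "NotAction/NotResource grants everything not listed"))
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        if "*" in actions:
            findings.append((loc, "Action '*' (full administrative access)"))
        for action in actions:
            if action != "*" and action.endswith(":*"):
                findings.append((loc, f"service-wide wildcard {action}"))
        if "*" in resources and "Condition" not in st:
            # Read-only actions on every resource are a smaller problem than
            # unconditioned writes, so only the latter are reported here.
            writes = [a for a in actions
                      if a != "*" and not a.split(":")[-1].startswith(READ_PREFIXES)]
            if writes:
                findings.append((loc, "unconditioned write actions on Resource '*': "
                                      + ", ".join(writes)))
    return findings


def analyze_all(policies):
    """Map each policy name to its findings; an empty list means nothing flagged."""
    return {name: analyze_policy(name, doc) for name, doc in policies.items()}


if __name__ == "__main__":
    for name, findings in analyze_all(SAMPLE_POLICIES).items():
        print(name, "-> OK" if not findings else "")
        for loc, text in findings:
            print("   ", loc, text)
```

A static check like this only finds grants that are broad on paper. A CIEM product additionally correlates each identity's entitlements with the actions it has actually exercised, which is what turns "overly permissive" into a concrete list of permissions that can be removed.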
Platforms for Zero Trust: Cortex XDR
Cortex XDR is Palo Alto Networks' extended detection and response platform, integrating data from network, endpoint, cloud, and third-party sources to detect and stop sophisticated attacks while simplifying security operations.

Endpoint Threat Prevention
The Cortex XDR agent provides multi-layered protection on endpoints:
- Next-Generation Antivirus (NGAV): Uses AI and behavioral analysis to block known and unknown malware and exploits.
- Host Firewall: Controls network access on the endpoint.
- Disk Encryption Management: Manages native OS encryption (BitLocker, FileVault).
- Device Control: Manages USB device access to prevent malware introduction and data loss.

Visibility and Threat Detection
Consolidates and analyzes data from multiple sources:
- ML-Driven Detection: Profiles user/endpoint behavior to detect anomalies.
- Correlation, IoC & BIOC Rules: Identifies threats using known indicators and behavioral patterns across the environment.
- Asset Management: Identifies managed and unmanaged assets on the network.
- Vulnerability Assessment: Identifies and prioritizes endpoint vulnerabilities.
Accelerated Investigations
Simplifies incident analysis for security teams:
- Incident Management: Intelligently groups related alerts and scores incidents to reduce alert fatigue.
- Root Cause Analysis: Automatically identifies the cause and sequence of events for alerts.
- Live Terminal: Allows direct remote interaction with endpoints for investigation and remediation (running commands/scripts, managing files/processes).
Advanced Threat Hunting
Enables proactive threat discovery:
- XQL (XDR Query Language): Powerful query language for searching across all collected data.
- Integrated Threat Intelligence: Leverages WildFire verdicts and integrates with external TI feeds (AutoFocus, VirusTotal).
- Managed Threat Hunting: Optional service providing 24/7 monitoring by Palo Alto Networks experts.
Coordinated Response
Enables rapid containment and remediation from a single console:
- Search and Destroy: Find and delete malicious files across endpoints.
- Script Execution: Run remediation scripts on endpoints.
- File Block/Quarantine: Prevent execution or isolate malicious files.
- Endpoint Isolation: Disable network access on compromised endpoints (except to Cortex XDR).
- Cortex XSOAR Integration: Automate response actions using SOAR playbooks.
Zero Trust Ready Infrastructure
Not all Zero Trust networks are created equal. For securing access to distributed applications and data, Palo Alto Networks provides flexibility with the following two reference architectures:
- Cloud-delivered network security (SASE solution)
- On-premises network security (NGFWs at the edge)
Both options provide industry-leading security subscriptions, such as DLP, WildFire threat prevention, and SaaS Security. They also provide high-performing connectivity services for networks and mobile users. You can choose to deploy one or a combination of both solutions.
SASE Reference Architecture
SASE is the convergence of security services and software-defined WAN (SD-WAN) services in a cloud-based solution. A SASE solution integrates these services seamlessly and provides secure access to applications and data no matter where they reside or from where they are being accessed. The solution provides that access from anywhere and provides security services along the path from the user to the application or data without unnecessary redirects, such as through a centralized data center. This reduces latency and improves the user experience. Security is improved because users no longer “turn off the VPN” to get the performance they want from their applications.
Prisma SASE includes the following main components:
- Prisma Access —An NGFW delivered as a cloud-native service. Use this for securing mobile-user and remote-site access to internet, SaaS, and public-cloud services.
- Prisma SD-WAN —Next-generation, software-defined, application-aware wide-area networking combined with cloud orchestration. Use this for secure data transport between sites and private cloud services.
The capabilities of the Palo Alto Networks SASE solution include:
- Cloud-native, cloud-based delivery —More than 100 points of presence worldwide reduce latency and improve the user experience, and support in-country or in-region resources and regulatory requirements.
- Scalability —Quickly and easily onboard users without overloading your existing infrastructure or needing to acquire and deploy additional resources. Bring new sites online quickly with the Prisma SD-WAN ION device.
- Line-rate security —Prisma Access’s single-pass architecture provides a suite of security services without adding the latency that you would have when daisy-chaining security products.
- Single vendor management —The components of the Palo Alto Networks SASE solution work together seamlessly. There is no need to figure out how to piece together various products from multiple vendors using multiple APIs and orchestration applications.

Simplified SASE Architecture showing user/branch connecting through Prisma Access/SD-WAN to various destinations.
On-Premises Reference Architecture
Some customers might prefer an on-premises solution for the following reasons:
- An already existing investment in NGFWs in their branch and central locations
- Requirements for local segmentation inside the network
- Regulatory restrictions that prevent the use of cloud services for specific locations or verticals
The on-premises network security solution offers self-managed and self-deployed capabilities. Application-aware policy determines how the local LAN traffic flows and whether outbound traffic is sent to the corporate WAN tunnels or directly to the internet. The local NGFW performs the Layer 7 traffic inspection, access control, threat prevention, and security services when accessing internet-based applications and data. Access for mobile users is provided by VPN tunnels (from the GlobalProtect client on the endpoint), which are terminated on a GlobalProtect gateway at the central site or a regional access site.
The capabilities of the Palo Alto Networks on-premises solution include:
- SD-WAN integration in NGFW —This model consolidates SD-WAN and security functions on a single device at remote sites and the data center.
- Line-rate security —The NGFW single-pass architecture provides a suite of security services without adding the latency that you would have when daisy-chaining security products.
- Panorama management —Use a single management platform for all PAN-OS solutions.

Implementing Zero Trust Enterprise: Five-Step Methodology
The Palo Alto Networks portfolio provides the tools, technologies, and products you need to turn your Zero Trust strategy into a practical implementation. Achieving Zero Trust is often perceived as costly and complex, but it does not have to be when using the right infrastructure. With Palo Alto Networks, Zero Trust capabilities are built into your existing architecture and do not require you to rip and replace existing technology. As you begin planning your Zero Trust implementation, you should understand the five-step methodology and apply its concepts.
You implement and maintain Zero Trust by using a simple, iterative, five-step methodology. This guided process helps identify where you are and where to go next. Palo Alto Networks professional services and certified partners can assist you with personalized consulting resources for implementing Zero Trust Enterprise in your environment.
The Five-Step Methodology for Implementing Zero Trust.
1. Define Protect Surface (Asset Discovery and Prioritization)
The Zero Trust Enterprise security model protects your most sensitive assets by controlling access and verifying all transactions. Because the most critical and sensitive data typically resides on resources within the private data center or public cloud, you typically start the design of Zero Trust at these locations and then migrate towards the user.
There are a considerable number of standards and regulations (such as GDPR, HIPAA, and PCI) that can help you define how data and applications are categorized. When identifying the protect surface, you should assess the business impact to your organization if sensitive data gets exposed.
When defining the protect surface, you need to consider all critical DAAS (Data, Applications, Assets, Services) in your environment:
- Data —Payment card information, protected health information, personally identifiable information, and intellectual property
- Applications —Off-the-shelf or custom software
- Assets —Networking equipment, point-of-sale terminals, medical equipment, manufacturing assets, and IoT devices
- Services —DNS, DHCP, and identity stores
2. Map Transaction Flows
To apply Zero Trust most effectively, you need to understand the application flows within your organization. The way traffic moves across the network, specific to the data in the protect surface, determines how it should be protected. This understanding comes from scanning and mapping the transaction flows inside your network in order to determine how various DAAS components interact with other resources on your network. It is a common practice to approximate flows by documenting what you know about specific resource interactions, even without having a complete picture. This information still provides valuable data so that you do not arbitrarily implement controls with insufficient insight. You can also deploy NGFWs in monitor mode in order to gather precise data about traffic flows and applications without disrupting the network.
After you understand how your systems work, the flow maps tell you where you need to insert controls. To become familiar with the process, tools and operations, start with a small, non-critical protect surface. You should then prioritize mission-critical DAAS. As you move through the steps in this methodology, you gather more information about what works for your situation, which allows you to enable more granularity in your design as you move your security controls closer to your most important assets.
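The flow-mapping step above, as an added example that is not Palo Alto Networks code. It reads a constructed, simplified CSV rendering of monitor-mode traffic logs (the real PAN-OS traffic log has many more fields), keeps only the flows that reach a hypothetical protect surface, and separates the flows that can become candidate allow rules from those that need human review first. Hosts, users, zones, and DAAS names are all invented for the example.

```python
"""Flow mapping for a protect surface from monitor-mode traffic logs.

Added example, not Palo Alto Networks code.  The log lines are constructed for
this example in a simplified CSV form; all hosts, users and zones are made up.
"""
from collections import defaultdict
import csv
import io

# Constructed sample of traffic observed while the NGFW is in monitor mode.
SAMPLE_LOGS = """\
src_zone,src_ip,src_user,dst_zone,dst_ip,app,action
users,10.1.1.20,alice,dc,10.9.0.10,web-browsing,allow
users,10.1.1.20,alice,dc,10.9.0.10,ssl,allow
app-tier,10.9.0.10,,dc,10.9.0.50,postgres,allow
app-tier,10.9.0.10,,dc,10.9.0.50,postgres,allow
users,10.1.1.31,bob,dc,10.9.0.50,postgres,allow
users,10.1.1.31,bob,dc,10.9.0.50,ssh,allow
users,10.1.1.20,alice,internet,93.184.216.34,web-browsing,allow
guest,10.5.0.7,,dc,10.9.0.50,postgres,allow
"""

# Hypothetical protect surface: the payments application and its database.
PROTECT_SURFACE = {
    "payments-app": {"10.9.0.10"},
    "payments-db": {"10.9.0.50"},
}


def parse_logs(text):
    """Parse the constructed CSV format into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def map_flows(records, protect_surface):
    """Aggregate every flow that reaches the protect surface, per DAAS component.

    Returns {component: {(src_zone, src_user, app): hit_count}}.  Flows to
    destinations outside the protect surface are dropped; flows with no User-ID
    mapping are keyed as 'unknown' so they stand out in the map.
    """
    addr_to_component = {ip: name for name, ips in protect_surface.items() for ip in ips}
    flows = defaultdict(lambda: defaultdict(int))
    for r in records:
        component = addr_to_component.get(r["dst_ip"])
        if component is None:
            continue
        user = r["src_user"] or "unknown"
        flows[component][(r["src_zone"], user, r["app"])] += 1
    return {c: dict(v) for c, v in flows.items()}


def candidate_rules(flow_map, user_zones, workload_zones):
    """Split the flow map into candidate allow rules and flows needing review.

    A flow from a user zone with a known user, or from a workload zone (where no
    user mapping is expected), becomes a candidate Kipling-style rule.  Anything
    else (unmapped user, a zone outside the expected sources) goes to the review
    list instead of becoming a rule: the map says what is happening, not what the
    business has justified.
    """
    rules, review = [], []
    for component, flows in sorted(flow_map.items()):
        for (src_zone, user, app), hits in sorted(flows.items()):
            entry = {"to": component, "from_zone": src_zone, "user": user,
                     "app": app, "observed": hits}
            expected = (src_zone in user_zones and user != "unknown") or src_zone in workload_zones
            (rules if expected else review).append(entry)
    return rules, review


if __name__ == "__main__":
    flow_map = map_flows(parse_logs(SAMPLE_LOGS), PROTECT_SURFACE)
    rules, review = candidate_rules(flow_map, user_zones={"users"}, workload_zones={"app-tier"})
    for rule in rules:
        print("candidate:", rule)
    for entry in review:
        print("review:   ", entry)
```

Even the candidate list still needs the "why" answered before it becomes policy: in the sample, bob's SSH session to the database host is observed traffic, but whether an analyst should have shell access to the database server is a business decision, not something the flow map can settle.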
3. Architect Zero Trust Network (Standards and Designs)
Zero Trust is not a product; however, there are products that work well in Zero Trust environments, along with many that do not. Selecting the right infrastructure, one that provides the required security controls for your DAAS, is key when enabling Zero Trust policies across your locations.
The Palo Alto Networks NGFWs offer flexibility in covering your deployment location needs (Campus, Private Data Center, Public Cloud, Container Clusters, Branch, Remote Locations) due to the variety of consumption options such as the PA-Series, VM-Series, CN-Series, and Prisma Access.

4. Create Zero Trust Policy (Implementation)
The concept of least-privileged access forms the basis of a Zero Trust security policy. For one resource to talk to another, a specific policy must allow that traffic. The Kipling Method of creating policy enables Layer 7 policy for granular enforcement so that only known-allowed traffic or legitimate application communication is allowed in your network.
With the Kipling Method, you can easily write policies by answering:
- Who —User or group? (User-ID)
- What —Data or service? (Destination/Application)
- When —Time restrictions? (Schedule)
- Where —Source/Destination Zone/Location? (Zones, Addresses)
- Why —Business justification? (Policy Naming/Tagging)
- How —Application and device? (App-ID, Device-ID/HIP)
Leverage NGFW capabilities like App-ID , User-ID , and Device-ID as building blocks for your policy.
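How a rulebase written this way is evaluated, as an added example that is not PAN-OS code: each rule carries the six Kipling answers, a transaction must match every dimension for the rule to apply, the first match wins, and a transaction that matches nothing is denied rather than implicitly allowed. A small lint function also flags allow rules into the protect surface that still carry implicit trust (user "any", application "any", no device posture requirement, no recorded justification). The field names, sample rules, and HIP profile names are assumptions chosen for the example.

```python
"""Evaluating a Kipling-method rulebase with an implicit default deny.

Added example, not PAN-OS code.  Rule and context field names, the sample
rules and the HIP profile names are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Rule:
    name: str
    who: set                    # users or groups (User-ID); "any" is allowed but gets linted
    what: set                   # destination address objects
    where_from: set             # source zones
    where_to: set               # destination zones
    how_app: set                # App-ID names
    how_hip: set = field(default_factory=set)   # HIP profiles the device must match
    when: tuple = None          # (start, end) time-of-day window; None means always
    why: str = ""               # business justification (rule description)
    action: str = "allow"


@dataclass
class Context:
    user: str
    groups: set
    src_zone: str
    dst_zone: str
    dst_addr: str
    app: str
    hip_profiles: set           # profiles the gateway matched for this device
    now: datetime


# Constructed rulebase: one least-privilege rule and one legacy rule that still
# grants implicit trust to everyone on the user network.
RULEBASE = [
    Rule("finance-to-payments-db", who={"grp-finance"}, what={"payments-db"},
         where_from={"users"}, where_to={"dc-payments"}, how_app={"postgres"},
         how_hip={"hip-managed", "hip-encrypted"}, when=(time(7, 0), time(19, 0)),
         why="Finance analysts query the payments DB during business hours"),
    Rule("legacy-users-to-dc", who={"any"}, what={"any"}, where_from={"users"},
         where_to={"dc-payments"}, how_app={"any"}),
]


def matches(rule, ctx):
    """Every Kipling dimension must match, otherwise the rule does not apply."""
    who_ok = "any" in rule.who or ctx.user in rule.who or bool(ctx.groups & rule.who)
    what_ok = "any" in rule.what or ctx.dst_addr in rule.what
    where_ok = ctx.src_zone in rule.where_from and ctx.dst_zone in rule.where_to
    app_ok = "any" in rule.how_app or ctx.app in rule.how_app
    hip_ok = rule.how_hip <= ctx.hip_profiles          # all required profiles present
    when_ok = rule.when is None or rule.when[0] <= ctx.now.time() <= rule.when[1]
    return who_ok and what_ok and where_ok and app_ok and hip_ok and when_ok


def evaluate(rulebase, ctx):
    """Top-down, first match wins; no match means deny, never an implicit allow."""
    for rule in rulebase:
        if matches(rule, ctx):
            return rule.action, rule.name
    return "deny", "default-deny"


def lint(rulebase, protect_zones):
    """Flag allow rules into the protect surface that still rely on implicit trust."""
    findings = []
    for r in rulebase:
        if r.action != "allow" or not (r.where_to & protect_zones):
            continue
        if "any" in r.who:
            findings.append((r.name, "source user 'any' toward the protect surface"))
        if "any" in r.how_app:
            findings.append((r.name, "application 'any' toward the protect surface"))
        if not r.how_hip:
            findings.append((r.name, "no device posture (HIP) requirement"))
        if not r.why:
            findings.append((r.name, "no business justification recorded"))
    return findings


def sample_context(**overrides):
    """A constructed request: finance user, compliant device, 09:30."""
    base = dict(user="alice", groups={"grp-finance"}, src_zone="users",
                dst_zone="dc-payments", dst_addr="payments-db", app="postgres",
                hip_profiles={"hip-managed", "hip-encrypted"},
                now=datetime(2024, 1, 10, 9, 30))
    base.update(overrides)
    return Context(**base)


if __name__ == "__main__":
    print(evaluate(RULEBASE[:1], sample_context()))                              # allow
    print(evaluate(RULEBASE[:1], sample_context(hip_profiles={"hip-managed"})))  # deny: disk not encrypted
    print(evaluate(RULEBASE, sample_context(hip_profiles={"hip-managed"})))      # allow via the legacy rule
    for finding in lint(RULEBASE, {"dc-payments"}):
        print("lint:", finding)
```

The third call shows why rule order and cleanup matter: as long as the legacy rule remains anywhere below the specific rule, a non-compliant device still reaches the database through it, and the least-privilege rule above it is decorative.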
5. Monitor and Maintain
The last step in this iterative process is to monitor and maintain your network. This means analyzing internal and external logs through Layer 7 and focusing on verifying the operation of Zero Trust policies. Inspecting and logging all traffic on your network is a pivotal facet of Zero Trust. It is important to send the system as much telemetry data as possible about your environment.
All telemetry generated by Palo Alto Networks endpoint, network, and cloud security technologies is sent to Cortex Data Lake, where the data is stitched together to enable ML and analytics. NGFW data from all sources is also consolidated into a single view under Panorama.
Cortex XDR takes advantage of Cortex Data Lake to create profiles of users and devices, acting as a baseline of normal use, allowing detection of threats based on anomalies. Prisma Cloud provides public cloud security and compliance monitoring.
Zero Trust Approaches: Zero Trust for Users
The Zero Trust for users approach allows you to secure user access to critical data and applications by removing all implicit trust and verifying all digital transactions. The Zero Trust for users security controls are:
- Identity —Use strong authentication to validate users.
- Device/workload —Verify user device integrity.
- Access —Enforce least-privileged user access to data and applications.
- Transaction —Scan all content for malicious activity and data theft.
User Identity Validation
Implementing Zero Trust for users must start by using strong authentication to verify user identity. A Zero Trust Enterprise needs to be able to allow or block access to data and applications based on verified user identity. To protect against stolen credentials, you should use multifactor authentication (MFA) against all critical assets.
User-ID
User-ID enables security teams to define policy rules on NGFWs in order to safely enable applications and control access based on users or groups of users. High-fidelity sources (GlobalProtect, API integrations, Captive Portal) are essential for Zero Trust.
Authentication Policy
Authentication policy enables you to authenticate users before evaluating the security policy, useful for validating User-ID or enforcing MFA before allowing access to sensitive applications, transparently to the application.

Credential-Based Attack Protection
Configure URL filtering to block known phishing sites and enable credential phishing protection on the NGFW to detect users submitting corporate credentials to untrusted sites.

Identity Management (Cloud Identity Engine)
Palo Alto Networks Cloud Identity Engine (CIE) simplifies identity management by pulling user/group info from multiple sources (on-prem AD, cloud IdPs like Okta, Azure AD) and providing a unified view to enforcement points (NGFW, Prisma Access, etc.).

User-Device Integrity
Complementing strong user authentication with verification of user-device integrity provides another layer of security.
Cortex XDR Agent Protection
The Cortex XDR agent provides NGAV, exploit prevention, host firewall, disk encryption management, and device control to secure the endpoint.

GlobalProtect Host Information Profile (HIP)
GlobalProtect builds a HIP containing device posture information (Managed/Unmanaged, Certificates, OS/Patch Level, Anti-Malware/Firewall State, Disk Encryption, Custom Checks) which can be used in security policies on the NGFW/Prisma Access to enforce device compliance for access.
Least-Privileged User Access
Enforce access control policies based on verified identity and device posture, granting access only to necessary applications and data.
Private Applications (Data Center / IaaS)
Use perimeter NGFWs (PA-Series, VM-Series) at the edge of the data center or in a security VPC/VNet in the cloud to enforce least-privileged access policies for north-south traffic.

Visibility into Encrypted Traffic (SSL Decryption)
Decrypting SSL/TLS traffic is essential for visibility and threat inspection.
- SSL Inbound Inspection: Decrypts traffic to internal servers (requires server private key on firewall).
- SSL Forward Proxy: Decrypts outbound traffic initiated by internal users (requires clients to trust a firewall-issued certificate).

SaaS Applications (Next-Gen CASB)
Next-generation CASB (SaaS Security Inline and API) provides visibility and control for SaaS usage:
- SaaS Security Inline: Uses NGFW/Prisma Access logs and App-ID Cloud Engine (ACE) to discover SaaS usage, assess risk, and enforce inline controls (allow/block, control functions like upload/download).
- SaaS Security API: Connects directly to sanctioned SaaS apps (via API) to discover data-at-rest, assess exposure/risk, scan for sensitive content (DLP) and malware (WildFire), and apply remediation actions (quarantine, change sharing, notify).


Secure User Transactions
Scan all allowed traffic for threats and data loss using cloud-delivered security services on the NGFW/Prisma Access platform (Threat Prevention, WildFire, URL Filtering, DNS Security, DLP, File Blocking).

SaaS Security API also secures transactions *within* sanctioned SaaS apps by enforcing content and activity policies with automatic remediation options.
Zero Trust Approaches: Zero Trust for Applications
The Zero Trust for applications approach allows you to secure applications by removing all implicit trust and securing all transactions between workloads. The security controls are:
- • Identity —Validate developers, DevOps, and admins with strong authentication.
- • Device/Workload —Verify workload integrity.
- • Access —Enforce least-privileged access for workloads accessing other workloads.
- • Transaction —Scan all content for malicious activity and data theft.
User Identity Validation (Devs/Admins)
Secure access for developers, DevOps, and admins managing application environments:
- Use strong authentication (MFA recommended) via NGFW/Prisma Access policies.
- Validate cloud entitlements using Prisma Cloud Cloud Identity Security (CIEM) to prevent overly permissive roles for infrastructure access.
Workload Integrity (Prisma Cloud CWPP)
Secure hosts, containers, and serverless functions throughout the application lifecycle:
- Use Prisma Cloud Compute (PCC) module for vulnerability management, compliance checks, and runtime security.
- Integrate security into the CI/CD pipeline (Shift Left) using Prisma Cloud Cloud Code Security to scan IaC, container images, and repositories.
- Deploy PCC Defenders (Container, Host, Serverless) or use agentless scanning for runtime protection and visibility.
- Utilize Prisma Cloud Web Application and API Security (WAAS) for protection against OWASP Top 10 threats.
Least-Privileged Workload Access (Segmentation)
Prevent lateral movement by enforcing microsegmentation:
- Network Segmentation: Use NGFWs (PA-Series, VM-Series, CN-Series) to create coarse-grained isolation between application environments based on sensitivity levels (Low, Moderate, High) using Zones and Dynamic Address Groups.
- Prisma Cloud Identity-Based Microsegmentation: Provides fine-grained, identity-based segmentation decoupled from the network. Assigns cryptographic identities to workloads, discovers communication patterns, and allows policy enforcement based on identity, preventing lateral movement even if IP addresses change.
- CN-Series NGFW for Kubernetes: Deploy containerized firewalls within Kubernetes clusters for Layer 7 visibility and threat prevention for pod-to-pod (east-west) traffic.
Combining network segmentation with microsegmentation offers robust defense-in-depth.
Secure Data and Transactions
Scan traffic between workloads for threats and data loss:
- NGFW Threat Prevention: Apply security subscriptions (Threat Prevention, WildFire, DLP, etc.) on NGFWs segmenting application traffic (VM-Series, CN-Series).
- Prisma Cloud Defender Runtime Defense: Provides threat-based active protection, blocking malware execution, exploit attempts, and suspicious network activity directly on the workload.

Zero Trust Approaches: Zero Trust for Infrastructure
The Zero Trust for infrastructure approach allows you to secure critical infrastructure (IT/OT systems, POS, medical devices, etc.) by removing all implicit trust and verifying all digital transactions. The security controls are:
- • Identity —Validate all users with access to infrastructure.
- • Device/Workload —Identify all devices, including IoT devices.
- • Access —Enforce least-privileged access segmentation for native and third-party infrastructure.
- • Transaction —Scan all content within the infrastructure for malicious activity and data theft.
User Identity Validation
Restrict access to infrastructure components (routers, switches, building controls, OT systems) typically to IT admins or specific third-party vendors. Use role-based access control and MFA via NGFW Authentication Policy to secure this access.
Identify Devices (IoT Security)
IoT devices pose significant risks due to their volume, lack of inherent security, and difficulty in patching. Palo Alto Networks IoT Security, delivered as a cloud service leveraging existing NGFWs/Prisma Access as sensors, addresses this:
- • Discovery & Profiling: Identifies and classifies IoT/OT devices using ML and enhanced logs.
- • Risk Assessment: Evaluates vulnerabilities and provides risk-based policy recommendations.
- • Policy Enforcement: Enables creation of Device-ID based policies on the NGFW to reduce attack surface.
- • Threat Prevention: Leverages NGFW security subscriptions (Threat Prevention, WildFire, etc.) with device context.
- • Anomaly Detection: Uses ML to detect unknown threats and enables response actions.

Secure Infrastructure Access (Device-ID & Segmentation)
Device-ID, derived from IoT Security, allows creating granular policies based on device attributes (type, model, OS) rather than just IP addresses. This enables:
- Controlling access *from* specific device types (e.g., allow security cameras only to talk to the VMS).
- Controlling access *to* specific devices (e.g., allow only authorized users/systems to access PLCs).
Segment IoT devices, especially high-risk ones, into their own network zones protected by an NGFW to limit lateral movement if compromised.
Secure Transactions
Because IoT devices often cannot run endpoint security, the network becomes the primary enforcement point. Place NGFWs as close as possible to critical infrastructure segments.
NGFW Threat Prevention
Apply all relevant cloud-delivered security subscriptions on the NGFW segmenting the infrastructure:
- • Antivirus and WildFire (for file transfers if applicable)
- • Anti-spyware (to detect C2 from compromised devices)
- • URL Filtering (to block malicious sites devices might try to reach)
- • DNS Security (critical for blocking DGA-based C2 and tunneling)
- • Data Loss Prevention (if devices handle sensitive data)
- • File blocking

Zero Trust Enterprise: Summary
Breaches and data loss have serious consequences for organizations and their customers. Zero Trust is based on the principle that no user, device, or transaction from inside or outside of the network can be trusted. The implicit trust in traditional security models is a vulnerability as dangerous as any other. The elimination of implicit trust promotes a consistent security policy across all situations. The Zero Trust framework focuses on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.
The Palo Alto Networks Zero Trust Enterprise approach is a modern, platform-based security strategy—a strategic framework guiding security practices and procurement across an entire Enterprise. With the following Palo Alto Networks portfolio capabilities and functionality, you can implement an end-to-end Zero Trust model in your environment:
- • NGFWs and cloud-native security products act as segmentation gateways. These products are available in a variety of form factors so that you can defend your protect surface wherever it is located, on-premises or in the cloud.
- • App-ID, User-ID, and Device-ID provide reliable identification of your users, applications, and devices beyond traditional IP address or protocol/port identification. You can use these context-based security capabilities in order to create granular access-control policies that follow your users and devices as they move across your network.
- • Prisma Cloud enables cloud security posture management, data security, and cloud workload protection, allowing comprehensive visibility and threat detection across your organization’s hybrid, multi-cloud infrastructure.
- • SaaS Security and Prisma Cloud Data Security inspect asset accessibility and risk through API integrations into the public cloud storage services and SaaS applications.
- • Cortex XDR Agent advanced endpoint protection stops threats on the endpoint and coordinates enforcement with cloud and network security in order to prevent successful cyber-attacks.
- • Cortex Data Lake serves as the central cloud-based repository for all security platform data and logs.
Certificate Authentication: Certificate Profiles
Certificate profiles define user and device authentication parameters for various firewall features including Authentication Portal, MFA, GlobalProtect, IPSec VPNs, administrative web interface access, and more.
They specify which CA certificates are trusted, how revocation is checked (CRL/OCSP), and how usernames might be extracted from certificates.
Configuration Steps:
1. Obtain CA Certificates: Ensure the CA certificate(s) that signed the client/server certificates you intend to validate are present on the firewall (Device > Certificate Management > Certificates).
2. Create Profile:
   - Navigate to Device > Certificate Management > Certificate Profile and click Add.
   - Enter a descriptive Name.
   - (Multi-VSYS) Select the appropriate Location.
3. Assign CA Certificates:
   - Click Add in the CA Certificates table.
   - Select the relevant CA Certificate or Import it. Add all necessary CAs in the chain (Root, Intermediates).
   - (Optional) Configure Default OCSP URL or OCSP Verify CA Certificate if needed.
4. Configure Username Extraction: Select the Username Field:
   - Subject: Use Common Name (CN).
   - Subject Alt: Use Email or Principal Name from SAN.
   - None: Do not extract username (use if another auth method provides it).
   Crucial for certificate-only authentication scenarios.
5. Configure Revocation Checking (CRL/OCSP):
   - Check Use CRL and/or Use OCSP (both recommended, for fallback).
   - Set appropriate Receive Timeout values.
   - Set Certificate Status Timeout (overall timeout).
6. Configure Blocking Behavior:
   - Block sessions if certificate status is unknown: Blocks if status is explicitly 'unknown'.
   - Block sessions if certificate status cannot be retrieved within timeout: Recommended for security. Blocks if no response is received.
   - Block sessions if the certificate was not issued to the authenticating device: (GlobalProtect only) Compares a certificate attribute to the client Host ID.
   - Block sessions with expired certificates: Highly recommended.
7. Click OK and Commit.
Understand the components of a Certificate Profile: Trusted CAs, Username Field selection, and Revocation Checking options (CRL/OCSP, blocking behaviors).
Certificate Authentication: Web UI Admin Access
Enhance security by configuring certificate-based authentication for administrator access to the firewall's web interface. This method replaces traditional username/password logins with client certificate verification.
Enabling certificate-based authentication for *any* administrator disables username/password logins for *all* administrators accessing the web interface.
Configuration Steps:
1. Generate/Import CA Certificate: Ensure the CA certificate that will sign admin client certificates is on the firewall and trusted.
2. Configure Certificate Profile: Create a profile (Device > Certificate Management > Certificate Profile).
   - Add the CA certificate.
   - Set Username Field to Subject (typically).
   - Configure revocation checking.
3. Apply Certificate Profile Globally: Go to Device > Setup > Management > Authentication Settings. Select the created Certificate Profile.
4. Configure Administrator Accounts: For each admin (Device > Administrators):
   - Ensure the Name matches the username extracted from their certificate (e.g., the Subject CN).
   - Check Use only client certificate authentication (Web).
   - Assign Administrator Type/Role.
5. Issue & Distribute Client Certificates: Generate client certs signed by the CA, ensuring the username field matches the firewall admin account name. Export as P12/PFX.
6. Install Client Certificates: Admins import the P12/PFX into their browser.
7. Commit Changes: Committing Step 3 disables password login and likely restarts the web service. Have your cert ready!
8. Verify Access: The browser should prompt for certificate selection upon accessing the Web UI, granting access without a password prompt.
Sequence diagram illustrating the Web UI certificate authentication flow.
Certificate Authentication: GlobalProtect Requirements
Specific certificate attributes are necessary for successful GlobalProtect authentication using certificates.
Server Certificate (Portal/Gateway) Requirements:
- • Extended Key Usage (EKU): Must include Server Authentication (1.3.6.1.5.5.7.3.1).
- • Subject Alternative Name (SAN):
  - Must contain at least one entry.
  - The exact FQDN or IP address used by clients to connect *must* be present in the SAN list. [Gotcha!]
- • Type: Must be an End-Entity certificate, not a CA.
- • Private Key: Firewall must possess the private key.
- • Chain: Full chain (Intermediate/Root CAs) should be trusted by the client OS or provided during TLS handshake.
Client Certificate (User/Machine) Requirements:
- • Extended Key Usage (EKU): Must include Client Authentication (1.3.6.1.5.5.7.3.2).
- • Subject Common Name (CN): Generally should not be empty (see Troubleshooting section).
- • Private Key: Client device must possess the private key.
- • Chain: Must be signed by a CA trusted by the firewall (configured in the Certificate Profile).
Memorize the required EKUs and the SAN requirement for server certificates for GP troubleshooting.
Certificate Authentication: GlobalProtect Examples
Example: Certificate-Only Authentication
Configure GlobalProtect clients to authenticate using *only* a client certificate, without a username/password prompt.
- Certificates & Profiles: Ensure Server/Client certs meet requirements. Create a Certificate Profile extracting the username (e.g., from Subject CN). Create an SSL/TLS profile using the server cert.
- Portal Config: Network > GlobalProtect > Portals > [Portal Config] > Authentication Tab . Add Client Authentication: Set Authentication Profile to None , select the Certificate Profile.
- Portal Agent Config: Agent > [Agent Config] > App Tab . Disable 'Save User Credentials' and 'Enable Single Sign-On (SSO)'.
- Gateway Config: Network > GlobalProtect > Gateways > [Gateway Config] > Authentication Tab . Add Client Authentication: Set Authentication Profile to None , select the Certificate Profile.
- Client Cert Installation: Install Root CA (Trusted Roots) and Client Cert+Key (Personal store - User or Computer) on the client machine.
- Commit & Verify: Commit firewall changes. GP client should connect without credential prompts.
Example: iOS Certificate Authentication (Using Apple Configurator)
Deploying certificates to iOS often requires MDM or tools like Apple Configurator.
- Firewall Config: Set up Portal/Gateway, Certificate Profile, SSL/TLS Profile as needed.
- Apple Configurator Profile:
  - Create a new profile.
  - Add Root CA, Intermediate CAs (if any), and Client Cert (.p12 format) under the Certificates payload.
  - Add a VPN payload:
    - Type: Custom SSL
    - Identifier: net.paloaltonetworks.GlobalProtect.vpn
    - Server: Portal Address
    - User Authentication: Certificate
    - Identity Credential: Select the deployed Client Cert.
    - Provider Bundle Identifier: net.paloaltonetworks.GlobalProtect.client
  - Save and deploy the profile (.mobileconfig) to the iOS device.
- Trust Root CA on iOS: Crucial Step! Go to Settings > General > About > Certificate Trust Settings on the iOS device and enable Full Trust for the server's Root CA.
- Connect: Launch the GP app; it should use the deployed profile and certificate.
Certificate Authentication: GlobalProtect Troubleshooting
Issue: Empty CN in Client Certificate
Symptom: GP connection fails. Firewall counters show `proxy_client_cert_parse_error`. Packet diags show `pan_x509_parse_dn() failed` or similar parsing errors.
Cause: Client certificate has an empty Subject Common Name (CN). This was problematic on PAN-OS < 8.1. On 8.1+, it might fail if the SAN extension exists but isn't marked critical (violates RFC 5280).
Resolution: Re-issue the client certificate with a non-empty CN, or ensure SAN is present and marked critical if using 8.1+ and empty CN is required.
Empty CNs are a common source of obscure certificate authentication failures, especially with older PAN-OS versions.
Issue: Kerberos SSO & Cert Auth Conflict
Symptom: GP fails when Client Auth requires "User Credentials AND Client Certificate Required" and Kerberos SSO is used. System logs show the error: "Authentication failed. Username in client cert (...) is different from the input (...)".
Cause: The Certificate Profile is set to extract a username (Subject/Subject Alt), and the firewall compares this to the username obtained from Kerberos SSO. If they differ, authentication fails.
Resolution: Edit the Certificate Profile used in the GP Portal/Gateway Client Authentication settings. Change the Username Field to None . Commit.
When combining credential-based auth (like Kerberos) with certificate validation, set the Certificate Profile's Username Field to 'None' so the firewall relies on the credential username and uses the certificate only for validation.