Zero Trust Enterprise Overview
Introduction
Stories of security breaches that expose sensitive data are in the news every week. These events can result in significant personal impact on those who have information exposed, as well as a loss of trust and financial penalties for the compromised companies. New industry standards and government regulations are developing at a rapid pace, forcing organizations to constantly evaluate their security posture and increase the overall level of security.
Digital transformation is also driving changes that require a different approach to security. To accommodate the hybrid workforce, enterprises are transforming their cybersecurity infrastructure, migrating applications to cloud, while also looking to automate security operations. To access applications from anywhere, users require fast and convenient access to products and services from a wide variety of devices. This guide describes how you can implement Zero Trust principles and optimize your security practices.
The Implicit-Trust Problem
Implicit trust is a term used to describe the elimination of security controls in specific contexts, the most common being user location. For example, you might allow a user located inside the office full access to internal applications with only a single verification of identity, but from a remote location, the same user would require additional security controls—like two-factor authentication, threat prevention, and data loss prevention (DLP)—to access the same applications. Used in traditional security models, implicit trust is a vulnerability as dangerous as any other.
Corporate Network Implicit Trust
Traditional perimeter-based security wrongly assumes that all users and devices inside the corporate network can be trusted and that a full security stack at the internet edge is sufficient for securing corporate data. In this approach, implicit trust is granted in the private zone of the perimeter firewall. Only transaction flows destined to the public zone for internet and SaaS applications are considered untrusted and inspected.
Traditional perimeter-based security is no longer adequate for protecting an organization’s assets. Mobile devices moving on and off the corporate network, data and applications moving to the cloud, stealth malware, and attacks masquerading as legitimate applications or hiding in encrypted traffic have blurred the edges of the perimeter.
Attacks on sensitive data rarely use just a single exploit or compromised credential. Attackers use a composite of exploits, malware, compromised credentials, and other methods together to work their way from their beachhead in an organization to the target system. Often attackers use one method after another. Malware might supply a user’s credentials, which in turn provide limited access to their organization’s network. Once inside, the attacker moves around the private network and places other malware on privileged devices. The attacker eventually steals data, denies service, or encrypts the target system so that they can demand a ransom.
Remote Access Implicit Trust
Traditional virtual private networks (VPNs) for remote access also assume implicit trust, allowing user access to all corporate applications after the user authenticates into the corporate VPN. With implicit trust, you might apply one set of security controls when users access internet and SaaS applications via a remote access VPN, and you might apply a separate set of security controls when users access the same resources from the corporate network.
The Need for a Strategic Approach
Many traditional security policies are built around implicit trust, and these policies vary between locations, focusing on blocking what is considered a risk at each location. The use of disparate point solutions can result in threat and policy information that is siloed within the different enforcement points. Due to the manual correlation of the non-integrated solutions, coordinating a comprehensive security posture for protecting against breaches and data loss is slow and ineffective.
The biggest challenge for many organizations is defining a consistent security model that provides the required security controls holistically across the organization. Adopting a Zero Trust approach helps remedy the vulnerabilities associated with implicit trust in current security policies.
What is Zero Trust
The Zero Trust approach is based on the principle that no user, device, or transaction from inside or outside of the network can be trusted. The elimination of implicit trust promotes a consistent security policy regardless of the situation. The framework focuses on resource protection and the premise that trust is never granted implicitly but must be continually evaluated. In Zero Trust, authentication and authorization are critical, not just in the initial connection but at every stage of the digital interaction.
Traditional security models target the protection of the entire attack surface, which is difficult to identify and constantly evolving. In a Zero Trust framework, you define a protect surface, which is made up of the most critical and valuable data, assets, applications, and services (DAAS). Because it contains what is most critical to an organization’s operations, the protect surface is orders of magnitude smaller than the attack surface, and it is always knowable.
In Zero Trust, only known, allowed traffic can access the protect surface. Users have access to the data and applications they need in order to perform their tasks but nothing more. This is known as least-privileged access and enforced using a segmentation gateway implemented with a next-generation firewall (NGFW).
Conceptual difference between traditional security and Zero Trust focus.
Zero Trust Frameworks
There are several standard frameworks that provide guidance on how to implement Zero Trust strategies.
Example frameworks include NIST 800-207, Google’s BeyondCorp, and Microsoft’s Zero Trust framework. You can use the guidelines in these frameworks to evaluate your posture and formulate a strategy to secure your critical assets. These Zero Trust frameworks do not prescribe a specific product or technology but instead help you evaluate your specific protect surface. This evaluation is key to your identifying the right security controls to put in place.
NIST 800-207 defines a framework in which you grant access to a resource through a policy decision point and corresponding policy enforcement point. This architecture framework defines the following basic tenets as targets for a Zero Trust deployment:
- • All data sources and computing services are considered resources.
- • All communication is secured regardless of network location.
- • Access to individual enterprise resources is granted on a per-session basis.
- • Dynamic policy determines access to resources.
- • The enterprise monitors and measures the integrity and security posture of all owned and associated assets.
- • All resource authentication and authorization are dynamic and strictly enforced before access is allowed.
- • The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications and uses it to improve its security posture.
NIST 800-207 recommends that you also develop a Zero Trust network architecture with the following assumptions:
- • The entire enterprise private network is not considered an implicit trust zone.
- • The enterprise might not own or configure devices on the network.
- • No resource is inherently trusted.
- • Not all enterprise resources are on enterprise-owned infrastructure.
- • Remote enterprise subjects and assets cannot fully trust their local network connection.
- • Assets and workflows moving between enterprise and non-enterprise infrastructure should have a consistent security policy and posture.
Google’s BeyondCorp principles are:
- • Access to services must not be determined by the network from which you connect.
- • Access to services is granted based on contextual factors from the user and their device.
- • Access to services must be authenticated, authorized, and encrypted.
Microsoft’s Zero Trust framework defines the following guiding principles:
- • Verify explicitly —Always authenticate and authorize based on all available data points.
- • Use least-privileged access —Limit user access with just-in-time and just-enough-access.
- • Assume breach —Minimize blast radius and segment access.
Common guidelines across frameworks:
- • Validate users and verify device integrity.
- • Secure the access and enforce least-privileged user and device access.
- • Secure the transactions, prevent threats, and protect data.
Zero Trust Enterprise with the Palo Alto Networks Portfolio
The Palo Alto Networks Zero Trust Enterprise is a modern, strategic, platform-based approach to security. Zero Trust Enterprise is an end goal for security teams that want to implement zero trust principles, guide their security practices, and optimize their procurement across an entire enterprise.
Pillars and Capabilities
At its core, Zero Trust Enterprise is about eliminating all trust and verifying all digital transactions. In Zero Trust, authentication and authorization are critical, not just in the initial connection but at every stage of the digital interaction.
The Zero Trust Enterprise approach is organized into the following three pillars and security capabilities:
- • Zero Trust for users —Requires strong authentication, device integrity verification, least-privileged access policies, and scanning of all transactions.
- • Zero Trust for applications —Requires securing the development lifecycle, validating developer/admin identity and entitlements, enforcing least-privileged workload connectivity (microsegmentation), and continuous monitoring.
- • Zero Trust for infrastructure —Requires securing IT/OT systems, POS, medical devices, etc. by verifying device identity (challenging for headless/IoT devices) and enforcing least-privileged access policies.
The tools and techniques might vary for each protect surface.
Table 1: Key Zero Trust Enterprise capabilities
Pillar | Identity validated | Device/workload | Access | Transaction |
---|---|---|---|---|
Zero Trust for users | Users, with strong authentication | Verifies user’s device integrity | Enforces least-privileged user access to data and applications | Scans all content for malicious activity and data theft |
Zero Trust for applications | Developers, DevOps, and admins, with strong authentication | Verifies workload integrity | Enforces least-privileged access for workloads accessing other workloads | Scans all content for malicious activity and data theft |
Zero Trust for infrastructure | All users who have access to infrastructure | Identifies all devices, including IoT devices | Enforces least-privileged access segmentation for native and third-party infrastructure | Scans all content within the infrastructure for malicious activity and data theft |
Relationship between Zero Trust Pillars and Core Security Capabilities.
Platforms for Zero Trust
Using the network security platform, Prisma Cloud, and Cortex™ XDR solutions from Palo Alto Networks, you can implement Zero Trust strategies. These solutions are more secure, more consistent, and provide a simpler architecture by using cloud-delivered services. For Enterprise Identity and Access Management (IAM), Palo Alto Networks Cloud Identity Engine (CIE) integrates with many of the IAM solutions in the market. CIE is a cloud-based identity synchronization service that you can use to consistently authenticate and authorize your users, regardless of location and of where the user identity stores live.
Table 2: Palo Alto Networks platforms for Zero Trust Enterprise
Pillar | Identity | Device/workload | Access | Transaction |
---|---|---|---|---|
Zero Trust for users | Enterprise IAM | Cortex XDR | Network security platform | Network security platform |
Zero Trust for applications | Enterprise IAM/ Prisma Cloud | Cortex XDR/Prisma Cloud | Prisma Cloud & software NGFWs | Prisma Cloud & software NGFWs |
Zero Trust for infrastructure | Enterprise IAM | Network security platform | Network security platform | Network security platform |
Platforms for Zero Trust: Network Security Platform
The network security platform provides consistent protection and experience wherever users, devices and applications reside. It consists of NGFW, Prisma Access, and cloud-delivered security services.
NGFW (Next-Generation Firewall)
Powered by PAN-OS®, the NGFW provides visibility, threat protection, and control. Deployment options:
- • PA-Series —Physical appliances.
- • VM-Series —Virtualized firewalls for cloud/private environments.
- • CN-Series —Containerized firewalls for Kubernetes.
Uses single-pass architecture for parallel processing and performance.
Prisma Access (SASE)
A cloud-hosted NGFW service (part of Prisma SASE) providing secure access for mobile users and remote sites to internet, SaaS, and private applications.
Offers Firewall-as-a-Service with elasticity and simplified deployment.
Cloud-Delivered Security Services
Integrated subscriptions enhancing NGFW/Prisma Access capabilities:
- • Enterprise DLP: Protects sensitive data across networks, clouds, and users. Discovers, monitors, and protects data-at-rest and data-in-motion.
- • Next-Generation CASB: Provides visibility and control over SaaS apps. Includes SaaS Security Inline (control access from network/endpoints) and SaaS Security API (secure sanctioned apps via API, scan data-at-rest).
- • Threat Prevention: Protects against exploits, malware, spyware, C2 using Antivirus, Anti-Spyware, and Vulnerability Protection profiles.
- • Advanced URL Filtering: Prevents web-based threats (phishing, malware) using real-time ML analysis, stopping zero-day web attacks.
- • WildFire®: Cloud sandbox analyzing unknown files/URLs using dynamic/static analysis and ML, generating protections rapidly.
- • DNS Security: Protects against threats using DNS (DGAs, tunneling, malicious domains) using ML and predictive analytics. Supports DNS sinkholing.
- • IoT Security: Discovers, assesses risk, and enables policy enforcement for IoT devices using existing NGFWs as sensors via a cloud service.
- • GlobalProtect™: Extends NGFW security to mobile users via VPN, providing visibility and endpoint posture assessment (HIP).
Platforms for Zero Trust: Prisma Cloud
Prisma Cloud is the Cloud Native Application Protection Platform (CNAPP), providing comprehensive security across the full application lifecycle and multi-cloud environments.
Cloud Code Security
Integrates security into the development pipeline ("Shift Left"):
- • IaC Security: Scans Terraform, CloudFormation, Kubernetes manifests, etc., for misconfigurations and vulnerabilities.
- • Secrets Scanning: Finds hardcoded credentials (passwords, API keys) in code and images.
- • Container Image Scanning: Identifies vulnerabilities and compliance issues in container images during build.
- • Repository Scanning: Analyzes code repositories for vulnerable open-source dependencies (SBOM generation).
Cloud Security Posture Management (CSPM)
Manages security posture of cloud infrastructure:
- • Visibility, Compliance, Governance: Asset inventory, continuous monitoring against compliance frameworks (CIS, NIST, etc.), custom policy creation.
- • Threat Detection: User and Entity Behavior Analytics (UEBA) via ML for anomalous activity; network anomaly detection (flow logs, port scans).
- • Data Security: Extends Enterprise DLP and WildFire to scan cloud storage (e.g., S3) for sensitive data exposure and malware.
Cloud Workload Protection Platform (CWPP)
Secures running hosts, containers, and serverless functions:
- • Prisma Cloud Compute (PCC): Module providing vulnerability management, compliance, runtime security, network visibility, WAAS.
- • PCC Defenders: Agents deployed as Containers, on Hosts, or embedded in Serverless functions.
- • Agentless Scanning: Option for VM risk/vulnerability assessment without agents.
Cloud Network Security
Provides network security adapted for cloud environments:
- • Identity-Based Microsegmentation: Assigns cryptographic identities to workloads, enabling policy based on identity, not just IP. Discovers application flows and enforces segmentation.
Cloud Identity Security (CIEM)
Manages Cloud Infrastructure Entitlement Management:
- • Discovers human/machine identities and analyzes entitlements/roles across clouds.
- • Identifies overly permissive access and provides IAM governance.
Platforms for Zero Trust: Cortex XDR
Cortex XDR is the extended detection and response platform integrating network, endpoint, cloud, and third-party data to stop sophisticated attacks and simplify operations.
Endpoint Threat Prevention
The Cortex XDR agent provides:
- • Next-Generation Antivirus (NGAV): AI-driven local analysis and behavior-based protection against malware and exploits.
- • Host Firewall: Endpoint network access control.
- • Disk Encryption Management: Manages BitLocker/FileVault.
- • Device Control: Manages USB device access.
Visibility and Threat Detection
- • ML-Driven Detection & UEBA: Profiles behavior to detect anomalies.
- • Correlation & IoCs/BIoCs: Identifies threats using known indicators and behavioral rules.
- • Asset Management: Identifies managed/unmanaged assets.
- • Vulnerability Assessment: Identifies endpoint vulnerabilities.
Accelerated Investigations
- • Incident Management: Smart alert grouping and scoring.
- • Root Cause Analysis: Automatically shows attack sequence and origin.
- • Live Terminal: Remote endpoint interaction for investigation/remediation.
Advanced Threat Hunting
- • XQL (XDR Query Language): Powerful querying across all ingested data.
- • Integrated Threat Intelligence: WildFire verdicts, AutoFocus, VirusTotal integration.
- • Managed Threat Hunting: Optional 24/7 expert monitoring service.
Coordinated Response
- • Search and Destroy: Find and delete files across endpoints.
- • Script Execution: Run remediation scripts remotely.
- • File Block/Quarantine: Block execution or isolate malicious files.
- • Endpoint Isolation: Disable network connectivity.
- • Cortex XSOAR Integration: Automate response via SOAR playbooks.
Zero Trust Ready Infrastructure
Palo Alto Networks provides flexibility with two primary reference architectures for implementing Zero Trust:
- • Cloud-delivered network security (SASE solution)
- • On-premises network security (NGFWs at the edge)
Both leverage the core NGFW platform and cloud-delivered security services.
SASE Reference Architecture
SASE converges networking (SD-WAN) and security services (delivered via Prisma Access) into a cloud-native platform. It provides secure access from anywhere without backhauling traffic, improving user experience and security consistency.
Key Components:
- • Prisma Access: Cloud-delivered NGFW service.
- • Prisma SD-WAN: Next-gen SD-WAN with cloud orchestration.
Benefits: Cloud-native delivery, scalability, line-rate security (single-pass), single vendor management.
Simplified SASE Architecture showing user/branch connecting through Prisma Access/SD-WAN to various destinations.
On-Premises Reference Architecture
Suitable for organizations with existing NGFW investments, local segmentation needs, or regulatory constraints preventing cloud use.
Uses on-premises NGFWs (PA-Series, VM-Series) at branches and central sites. NGFWs provide local security, segmentation, and SD-WAN capabilities. Mobile user access typically via GlobalProtect VPN terminating on central/regional NGFWs.
Benefits: Leverages existing hardware, provides deep internal segmentation, SD-WAN consolidation on NGFW, centralized Panorama management.
Implementing Zero Trust Enterprise: Five-Step Methodology
Implementing and maintaining Zero Trust follows an iterative, five-step methodology:
1. Define Protect Surface (Identify DAAS)
2. Map Transaction Flows
3. Architect Zero Trust Network (Standards & Designs)
4. Create Zero Trust Policy (Implementation)
5. Monitor and Maintain (feeds back into step 1, so the cycle repeats)
The Five-Step Methodology for Implementing Zero Trust.
Step 1: Define Protect Surface (Asset Discovery and Prioritization)
Identify the most critical and sensitive Data, Assets, Applications, and Services (DAAS) . Consider business impact and regulatory requirements (GDPR, HIPAA, PCI). Start with the most critical assets, often in the data center or cloud.
Tools/Methods:
- • Industry standards/regulations.
- • Business impact assessment.
- • NGFWs in vwire/monitor mode + Traffic logs.
- • IoT Security, User-ID, Device-ID, Cloud Identity Engine.
- • SaaS Security API.
- • Third-party asset discovery tools integrated with Cortex Data Lake.
Step 2: Map and Verify Transactions
Understand how the DAAS components interact with users and other resources. Map traffic flows related to the protect surface to determine where to place controls.
Tools/Methods:
- • Existing network/application flow diagrams.
- • NGFWs in vwire/monitor mode + Traffic/Threat logs.
- • Application Dependency Mapping tools.
- • Cortex Data Lake log analysis.
Verify transactions by inspecting allowed traffic using Security Profiles (Threat Prevention, URL Filtering, WildFire, DLP, File Blocking) and Decryption.
Step 3: Architect Zero Trust Network (Standards and Designs)
Select the right infrastructure (NGFW form factors, Prisma Access, Prisma Cloud) to provide security controls for your DAAS based on location and requirements. Deploy segmentation gateways (NGFWs) as close as possible to the resources they protect.
Key Locations:
- • Campus (PA-Series, VM-Series)
- • Private Data Center (PA-Series, VM-Series)
- • Public Cloud (VM-Series, Prisma Cloud)
- • Container Clusters (CN-Series, Prisma Cloud Microsegmentation)
- • Branch (Prisma SASE or On-Prem NGFW with SD-WAN)
- • Remote Locations (Prisma Access or GlobalProtect on NGFW)
Step 4: Create Zero Trust Policy (Implementation)
Translate the understanding from steps 1-3 into concrete security policies based on least-privileged access. Use the Kipling Method (Who, What, When, Where, Why, How) to define granular Layer 7 rules.
Leverage Palo Alto Networks Capabilities:
- • Who: User-ID, Cloud Identity Engine, Dynamic User Groups (DUGs), Authentication Policy, MFA.
- • What: App-ID, App-ID Cloud Engine (ACE), Service (application-default).
- • When: Schedules.
- • Where: Zones, Addresses, Dynamic Address Groups (DAGs).
- • Why: Policy Naming, Tagging, Description.
- • How: Device-ID, GlobalProtect HIP Profiles, Content-ID (Security Profiles).
Focus on explicit allow rules; traffic not explicitly allowed is implicitly denied.
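An added example, not from this guide or from PAN-OS, that models the Kipling mapping above as data: a small rulebase of explicit allow rules, a session checked against each dimension (User-ID user/group, zones, address, App-ID with application-default, HIP profile, schedule), and an implicit deny when nothing matches. The zone, user, address and HIP profile names are constructed, and APP_DEFAULT_PORTS is a stand-in for the App-ID database.

```python
"""Kipling-method least-privileged policy model (constructed example, not PAN-OS code)."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed stand-in for App-ID's application-default ports (a handful of entries only).
APP_DEFAULT_PORTS = {"web-browsing": {80}, "ssl": {443}, "ssh": {22}, "ms-rdp": {3389}}


@dataclass
class Session:
    """One transaction as the segmentation gateway would see it."""
    user: str            # Who: resolved by User-ID / Cloud Identity Engine
    groups: frozenset    # Who: group membership (AD groups, dynamic user groups)
    from_zone: str       # Where: source zone
    to_zone: str         # Where: destination zone
    dst: str             # Where: destination address object (or DAG member)
    app: str             # What: App-ID verdict
    port: int            # What: actual destination port seen on the wire
    hip: frozenset       # How: GlobalProtect HIP profiles the endpoint matched
    when: datetime       # When


@dataclass
class Rule:
    """An explicit allow rule; every field left as 'any' widens the rule."""
    name: str
    from_zone: str
    to_zone: str
    dst: set                       # address objects; {"any"} matches all
    users: set                     # users or groups; {"any"} matches all
    apps: set                      # App-IDs; {"any"} matches all
    service: str                   # "application-default", "any", or "tcp/<port>"
    hip_profiles: set = field(default_factory=set)   # empty = no posture requirement
    schedule: Optional[tuple] = None                 # (start_hour, end_hour, weekdays) or None
    description: str = ""          # Why: the business justification for the rule


def _match_service(rule, s):
    if rule.service == "any":
        return True
    if rule.service == "application-default":
        # The app must be on its standard port; ssl on 8443 does not match.
        return s.port in APP_DEFAULT_PORTS.get(s.app, set())
    proto, _, port = rule.service.partition("/")
    return proto == "tcp" and port.isdigit() and s.port == int(port)


def _match_schedule(rule, s):
    if rule.schedule is None:
        return True
    start, end, weekdays = rule.schedule
    return s.when.weekday() in weekdays and start <= s.when.hour < end


def matches(rule, s):
    """True only when every Kipling dimension of the rule matches the session."""
    return (
        rule.from_zone in ("any", s.from_zone)
        and rule.to_zone in ("any", s.to_zone)
        and ("any" in rule.dst or s.dst in rule.dst)
        and ("any" in rule.users or s.user in rule.users or bool(rule.users & s.groups))
        and ("any" in rule.apps or s.app in rule.apps)
        and _match_service(rule, s)
        and (not rule.hip_profiles or bool(rule.hip_profiles & s.hip))
        and _match_schedule(rule, s)
    )


def evaluate(rules, s):
    """First match wins; traffic that no explicit allow rule matches is implicitly denied."""
    for rule in rules:
        if matches(rule, s):
            return ("allow", rule.name)
    return ("deny", "implicit-deny")


BUSINESS_HOURS = (8, 18, {0, 1, 2, 3, 4})   # Mon-Fri 08:00-18:00
RULEBASE = [
    Rule("finance-to-erp-web", "corp-users", "dc-erp", dst={"erp-web"},
         users={"finance-staff"}, apps={"ssl", "web-browsing"}, service="application-default",
         hip_profiles={"managed-compliant"}, schedule=BUSINESS_HOURS,
         description="Finance reaches the ERP front end from compliant managed laptops"),
    Rule("it-admins-rdp-erp", "corp-users", "dc-erp", dst={"erp-web", "erp-db"},
         users={"it-admins"}, apps={"ms-rdp", "ssh"}, service="application-default",
         hip_profiles={"managed-compliant"},
         description="Admin maintenance of ERP servers, any time, compliant device only"),
]


def _session(**overrides):
    """Constructed baseline session (a Tuesday morning) with optional field overrides."""
    base = dict(user="alice", groups=frozenset({"finance-staff"}), from_zone="corp-users",
                to_zone="dc-erp", dst="erp-web", app="ssl", port=443,
                hip=frozenset({"managed-compliant"}), when=datetime(2024, 3, 12, 10, 0))
    base.update(overrides)
    return Session(**base)


if __name__ == "__main__":
    for label, s in [("baseline", _session()), ("ssl on 8443", _session(port=8443)),
                     ("no HIP match", _session(hip=frozenset()))]:
        print(f"{label:12s} -> {evaluate(RULEBASE, s)}")
```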
Step 5: Monitor and Maintain
Zero Trust is an ongoing process. Continuously monitor, analyze logs, and refine policies.
- • Log everything possible to Cortex Data Lake.
- • Use Cortex XDR for behavioral analytics, threat detection, investigation, and response automation (via XSOAR integration).
- • Use Prisma Cloud for cloud posture monitoring and anomaly detection.
- • Keep Content Updates (Apps & Threats) current.
- • Regularly run the Best Practice Assessment (BPA) tool.
- • Review reports and logs (Panorama, XDR, Prisma Cloud).
- • Update policies as the business and threat landscape evolve.
Zero Trust Approaches: Zero Trust for Users
Securing user access by eliminating implicit trust and verifying identity, device posture, access rights, and transactions.
High-level flow for Zero Trust User Access.
1. User Identity Validation
- • User-ID: Map users to IPs using high-fidelity sources (GlobalProtect, API, Captive Portal).
- • Authentication Policy & MFA: Enforce strong authentication before policy evaluation.
- • Credential Phishing Prevention: Use URL Filtering and credential submission detection.
- • Cloud Identity Engine (CIE): Centralize identity information from multiple IdPs.
2. User-Device Integrity
- • Cortex XDR Agent: Provides NGAV, exploit protection, host firewall, disk encryption, device control.
- • GlobalProtect HIP: Collects endpoint posture (OS, patches, AV state, disk encryption, custom checks) for policy enforcement.
3. Least-Privileged User Access
- • Private Applications: Enforce policies on perimeter NGFWs (Data Center/IaaS).
- • SSL Decryption: Essential for visibility. Use SSL Forward Proxy (outbound) and SSL Inbound Inspection.
- • SaaS Applications: Use Next-Gen CASB (SaaS Security Inline for access control, SaaS Security API for data-at-rest security in sanctioned apps).
4. Secure User Transactions
- • NGFW Threat Prevention: Apply security profiles (Threat Prevention, WildFire, URL Filtering, DNS Security, DLP, File Blocking) to allowed traffic.
- • SaaS Security API Policies: Enforce content and activity policies within sanctioned SaaS apps with automated remediation.
Zero Trust Approaches: Zero Trust for Applications
Securing applications by removing implicit trust between workloads and enforcing security throughout the development lifecycle.
High-level flow for Zero Trust Application Security.
1. User Identity Validation (Devs/Admins)
- • Use strong authentication (MFA) for access to development environments and cloud infrastructure (via NGFW/Prisma Access).
- • Use Prisma Cloud CIEM to validate and enforce least-privilege cloud entitlements.
2. Workload Integrity (Prisma Cloud CWPP)
- • Scan code, IaC templates, container images, and repositories using Prisma Cloud Cloud Code Security.
- • Deploy PCC Defenders or use agentless scanning for runtime vulnerability management, compliance, and threat protection (including WAAS).
3. Least-Privileged Workload Access (Segmentation)
- • Implement coarse-grained Network Segmentation using NGFWs (PA/VM/CN-Series).
- • Implement fine-grained Identity-Based Microsegmentation with Prisma Cloud for workload-level control independent of network topology.
- • Use CN-Series firewalls for Layer 7 segmentation within Kubernetes clusters.
4. Secure Data and Transactions
- • Apply NGFW Security Profiles (Threat Prevention, WildFire, DLP) to inter-workload traffic inspected by VM-Series or CN-Series firewalls.
- • Leverage Prisma Cloud Defender Runtime Defense for threat detection and prevention directly on the workload.
Zero Trust Approaches: Zero Trust for Infrastructure
Securing critical infrastructure (IT/OT, POS, medical devices, etc.) by verifying identity, segmenting access, and securing transactions.
1. User Identity Validation
- • Restrict access typically to IT admins or specific third parties.
- • Enforce Role-Based Access Control (RBAC) and MFA via NGFW Authentication Policies.
2. Identify Devices (IoT Security)
Palo Alto Networks IoT Security uses NGFWs/Prisma Access as sensors to:
- • Discover and classify IoT/OT devices using ML.
- • Assess risks and vulnerabilities.
- • Provide policy recommendations based on risk/behavior.
- • Leverage NGFW threat prevention with device context.
- • Detect anomalies and enable response.
3. Secure Infrastructure Access (Device-ID & Segmentation)
- • Use Device-ID (derived from IoT Security) in policies to control access based on device attributes, not just IP.
- • Segment high-risk infrastructure (especially IoT) into separate network zones protected by NGFWs to limit lateral movement.
4. Secure Transactions
- • Place NGFWs close to critical infrastructure segments.
- • Apply relevant NGFW Security Subscriptions (Threat Prevention, WildFire, DNS Security, URL Filtering, DLP, File Blocking) to inspect traffic to/from infrastructure components.
Zero Trust Enterprise: Summary
Breaches and data loss have serious consequences. Zero Trust eliminates implicit trust and continuously validates interactions, focusing on protecting critical resources (the protect surface).
The Palo Alto Networks Zero Trust Enterprise approach provides a strategic framework using an integrated platform:
- • Segmentation Gateways: NGFWs (PA, VM, CN-Series) and Prisma Access defend the protect surface.
- • Contextual Policy: App-ID, User-ID, and Device-ID enable granular, context-aware access control.
- • Cloud Security: Prisma Cloud secures cloud-native infrastructure and applications (CSPM, CWPP, Code Security, CIEM, Network Security).
- • SaaS Security: Next-Gen CASB (SaaS Security Inline & API) provides visibility and control for SaaS apps.
- • Endpoint Security: Cortex XDR provides advanced endpoint protection, detection, and response.
- • Centralized Data: Cortex Data Lake aggregates logs and telemetry for analysis and ML.
Implementing Zero Trust simplifies operations, enhances security posture, and aids compliance by applying consistent, least-privilege policies across the entire enterprise.
Certificate Authentication: Certificate Profiles
Certificate profiles define user and device authentication parameters for various firewall features including Authentication Portal, MFA, GlobalProtect, IPSec VPNs, administrative web interface access, and more.
They specify which CA certificates are trusted, how revocation is checked (CRL/OCSP), and how usernames might be extracted from certificates.
Configuration Steps:
1. Obtain CA Certificates: Ensure the CA certificate(s) that signed the client/server certificates you intend to validate are present on the firewall (Device > Certificate Management > Certificates).
2. Create Profile:
  - Navigate to Device > Certificate Management > Certificate Profile and click Add.
  - Enter a descriptive Name (e.g., `GP-Client-Cert-Validation`, `Admin-WebUI-Cert-Auth`).
  - (Multi-VSYS) Select the appropriate Location.
3. Assign CA Certificates:
  - Click Add in the CA Certificates table.
  - Select the relevant CA Certificate or Import it. Add all necessary CAs in the chain (Root, Intermediates).
  - (Optional) Configure Default OCSP URL or OCSP Verify CA Certificate if needed.
4. Configure Username Extraction: Select the Username Field:
  - Subject: Use Common Name (CN).
  - Subject Alt: Use Email or Principal Name from SAN.
  - None: Do not extract username (use if another auth method provides it).
  This selection is crucial for certificate-only authentication scenarios.
5. Configure Revocation Checking (CRL/OCSP):
  - Check Use CRL and/or Use OCSP (both recommended for fallback).
  - Set appropriate Receive Timeout values.
  - Set Certificate Status Timeout (overall timeout).
6. Configure Blocking Behavior:
  - Block sessions if certificate status is unknown: Blocks if status is explicitly 'unknown'.
  - Block sessions if certificate status cannot be retrieved within timeout: Recommended for security. Blocks if no response is received.
  - Block sessions if the certificate was not issued to the authenticating device: (GlobalProtect only) Compares a certificate attribute to the client Host ID.
  - Block sessions with expired certificates: Highly recommended.
7. Click OK and Commit.
Understand the components of a Certificate Profile: Trusted CAs, Username Field selection, and Revocation Checking options (CRL/OCSP, blocking behaviors).
Certificate Authentication: Web UI Admin Access
Enhance security by configuring certificate-based authentication for administrator access to the firewall's web interface. This method replaces traditional username/password logins with client certificate verification.
Enabling certificate-based authentication for *any* administrator disables username/password logins for *all* administrators accessing the web interface.
Configuration Steps:
- Generate/Import CA Certificate: Ensure the CA certificate that will sign admin client certificates is on the firewall and trusted.
- Configure Certificate Profile: create a profile (Device > Certificate Management > Certificate Profile).
  - Add the CA certificate.
  - Set Username Field to Subject (typically).
  - Configure revocation checking.
- Apply Certificate Profile Globally: go to Device > Setup > Management > Authentication Settings and select the created Certificate Profile.
- Configure Administrator Accounts: for each admin (Device > Administrators):
  - Ensure the Name matches the username extracted from their certificate (e.g., the Subject CN).
  - Check Use only client certificate authentication (Web).
  - Assign Administrator Type/Role.
- Issue & Distribute Client Certificates: generate client certificates signed by the CA, ensuring the username field (Subject CN) matches the firewall admin account name. Export each certificate with its private key as P12/PFX.
- Install Client Certificates: admins import the P12/PFX into their browser.
- Commit Changes: committing Step 3 disables password login and is likely to restart the web service. Have your certificate installed and ready before you commit; the setting affects the web interface only, so CLI access over SSH or console remains available as a fallback.
- Verify Access: the browser should prompt for certificate selection upon accessing the Web UI, granting access without a password prompt.
Sequence diagram illustrating the Web UI certificate authentication flow.
Certificate Authentication: GlobalProtect Requirements
Specific certificate attributes are necessary for successful GlobalProtect authentication using certificates.
Server Certificate (Portal/Gateway) Requirements:
- Extended Key Usage (EKU): Must include Server Authentication (1.3.6.1.5.5.7.3.1).
- Subject Alternative Name (SAN): Must contain at least one entry, and the exact FQDN or IP address that clients use to connect *must* be present in the SAN list. [Gotcha!] If clients connect by IP address, add it as an IP-address SAN entry rather than as a DNS name.
- Type: Must be an End-Entity certificate, not a CA certificate.
- Private Key: The firewall must possess the private key.
- Chain: The root CA must be trusted by the client OS, and any intermediate CAs should be present on the firewall so they are sent to the client during the TLS handshake.
Client Certificate (User/Machine) Requirements:
- Extended Key Usage (EKU): Must include Client Authentication (1.3.6.1.5.5.7.3.2).
- Subject Common Name (CN): Generally should not be empty (see the Troubleshooting section).
- Private Key: The client device must possess the private key.
- Chain: Must be signed by a CA trusted by the firewall (configured in the Certificate Profile).
Memorize the required EKUs (Server Auth, Client Auth) and the SAN requirement for server certificates for GP troubleshooting.
Certificate Authentication: GlobalProtect Examples
Example: Certificate-Only Authentication
Configure GlobalProtect clients to authenticate using *only* a client certificate, without any user credential prompt.
- Certificates & Profiles: Ensure Server/Client certs meet requirements. Create a Certificate Profile extracting the username (e.g., from Subject CN). Create an SSL/TLS profile using the server cert.
- Portal Config: Network > GlobalProtect > Portals > [Portal Config] > Authentication Tab. Add Client Authentication: set Auth Profile to None and select the Certificate Profile.
- Portal Agent Config: Agent > [Agent Config] > App Tab. Disable 'Save User Credentials' and 'Enable Single Sign-On (SSO)'.
- Gateway Config: Network > GlobalProtect > Gateways > [Gateway Config] > Authentication Tab. Add Client Authentication: set Auth Profile to None and select the Certificate Profile.
- Client Cert Installation: Install Root CA (Trusted Roots) and Client Cert+Key (Personal store - User or Computer) on the client machine.
- Commit & Verify: Commit firewall changes. GP client should connect without credential prompts.
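As an added example (not Palo Alto Networks' own code or configuration), the following POSIX shell script uses the openssl CLI to build a constructed lab PKI and to check the resulting files against the requirements listed above: the portal/gateway certificate for the Server Authentication EKU, an end-entity basicConstraints and a SAN carrying the exact connection name; the client certificate for the Client Authentication EKU, a non-empty Subject CN equal to the firewall account name, and issuance by the CA the Certificate Profile trusts. It also produces the P12/PFX bundle that the Web UI admin procedure and the certificate-only GlobalProtect example both need. The hostnames vpn.example.com and gateway.example.com, the account name admin-alice, the CA name "Lab Root CA" and the export password "changeit" are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not Palo Alto Networks code: build a constructed lab PKI with
# the openssl CLI and check the files against the GlobalProtect / Web UI
# certificate requirements. The names vpn.example.com, admin-alice,
# "Lab Root CA" and the export password "changeit" are assumptions.

# Parsed certificate text; every check below greps this output.
cert_text() { openssl x509 -in "$1" -noout -text; }

# 0 when the EKU extension lists the purpose openssl prints as $2, i.e.
# "TLS Web Server Authentication" (1.3.6.1.5.5.7.3.1) or
# "TLS Web Client Authentication" (1.3.6.1.5.5.7.3.2).
has_eku() { cert_text "$1" | grep -A1 'Extended Key Usage' | grep -q "$2"; }

# One SAN entry per line, e.g. "DNS:vpn.example.com" or "IP Address:203.0.113.10".
san_list() {
  cert_text "$1" | grep -A1 'Subject Alternative Name' | tail -n 1 | tr ',' '\n' | sed 's/^ *//'
}

# 0 when the SAN list carries exactly the name or address clients connect to.
san_contains() { san_list "$1" | grep -Fxq "DNS:$2" || san_list "$1" | grep -Fxq "IP Address:$2"; }

is_ca() { cert_text "$1" | grep -q 'CA:TRUE'; }

# Subject CN, the value the Certificate Profile's "Subject" username field extracts.
subject_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Portal/gateway certificate: $1 = cert file, $2 = FQDN or IP clients use to connect.
check_server_cert() {
  has_eku "$1" 'TLS Web Server Authentication' || { echo "FAIL $1: no Server Authentication EKU" >&2; return 1; }
  san_contains "$1" "$2" || { echo "FAIL $1: SAN does not list $2" >&2; return 1; }
  if is_ca "$1"; then echo "FAIL $1: CA certificate, not an end-entity certificate" >&2; return 1; fi
  return 0
}

# Client/admin certificate: $1 = CA trusted in the Certificate Profile,
# $2 = cert file, $3 = firewall account name the extracted username must equal.
check_client_cert() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || { echo "FAIL $2: not issued by the trusted CA" >&2; return 1; }
  has_eku "$2" 'TLS Web Client Authentication' || { echo "FAIL $2: no Client Authentication EKU" >&2; return 1; }
  cn=$(subject_cn "$2")
  [ -n "$cn" ] || { echo "FAIL $2: empty Subject CN" >&2; return 1; }
  [ "$cn" = "$3" ] || { echo "FAIL $2: CN '$cn' does not match account '$3'" >&2; return 1; }
  return 0
}

# Constructed lab PKI in $1: root CA, portal/gateway cert for $2, client cert for user $3.
make_lab_pki() {
  d=$1; fqdn=$2; user=$3
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/ca.key" -subj "/CN=Lab Root CA" -out "$d/ca.csr" 2>/dev/null
  openssl x509 -req -in "$d/ca.csr" -signkey "$d/ca.key" -days 2 -extfile "$d/ca.ext" -out "$d/ca.crt" 2>/dev/null
  # Server cert: serverAuth EKU and a SAN carrying the exact connection name.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$fqdn" > "$d/server.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/server.key" -subj "/CN=$fqdn" -out "$d/server.csr" 2>/dev/null
  openssl x509 -req -in "$d/server.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -set_serial 1 -days 2 \
    -extfile "$d/server.ext" -out "$d/server.crt" 2>/dev/null
  # Client cert: clientAuth EKU, CN = account name, e-mail SAN for the "Subject Alt" option.
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=clientAuth\nsubjectAltName=email:%s@example.com\n' "$user" > "$d/client.ext"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/client.key" -subj "/CN=$user" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" -set_serial 2 -days 2 \
    -extfile "$d/client.ext" -out "$d/client.crt" 2>/dev/null
  # P12/PFX bundle (key + cert + CA) for import into a browser or the client's personal store.
  openssl pkcs12 -export -inkey "$d/client.key" -in "$d/client.crt" -certfile "$d/ca.crt" \
    -passout pass:changeit -out "$d/client.p12"
}

# Stand-alone demo: issue the lab certificates and run the checks, including two
# mismatches that the GP client or the firewall would reject.
demo() {
  d=$(mktemp -d)
  make_lab_pki "$d" vpn.example.com admin-alice
  check_server_cert "$d/server.crt" vpn.example.com && echo "server cert OK for vpn.example.com"
  check_server_cert "$d/server.crt" gateway.example.com || echo "server cert rejected for gateway.example.com (SAN mismatch)"
  check_client_cert "$d/ca.crt" "$d/client.crt" admin-alice && echo "client cert OK for admin-alice"
  check_client_cert "$d/ca.crt" "$d/client.crt" admin-bob || echo "client cert rejected for admin-bob (CN mismatch)"
  echo "client bundle for import: $d/client.p12 (password: changeit)"
}
demo
```

The SAN check is deliberately exact-match: a certificate for vpn.example.com is rejected for gateway.example.com, which is the [Gotcha!] above. With OpenSSL 3 the PKCS#12 bundle is AES-encrypted by default; add -legacy to the pkcs12 command if an older browser or Windows build refuses to import it.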
Example: iOS Certificate Authentication (Using Apple Configurator)
Deploying certificates to iOS often requires MDM or tools like Apple Configurator.
- Firewall Config: Set up Portal/Gateway, Certificate Profile, SSL/TLS Profile as needed.
- Apple Configurator Profile: Create a profile, add Root/Intermediate CAs & Client Cert (.p12) under Certificates payload. Add a VPN payload (Type: Custom SSL, Identifier: net.paloaltonetworks.GlobalProtect.vpn, Server: Portal Address, User Auth: Certificate, Identity Credential: Client Cert, Provider Bundle ID: net.paloaltonetworks.GlobalProtect.client). Deploy to device.
- Trust Root CA on iOS: Crucial! Go to Settings > General > About > Certificate Trust Settings and enable Full Trust for the server's Root CA.
- Connect: Launch the GP app.
Certificate Authentication: GlobalProtect Troubleshooting
Issue: Empty CN in Client Certificate
Symptom: GP connection fails. Firewall counters show `proxy_client_cert_parse_error`. Packet diags show `pan_x509_parse_dn() failed`.
Cause: Client cert has empty Subject CN. Problematic on PAN-OS < 8.1. On 8.1+, may fail if SAN exists but isn't marked critical.
Resolution: Re-issue cert with non-empty CN, or ensure SAN is present and critical (PAN-OS 8.1+).
Empty Subject CNs can cause obscure failures.
Issue: Kerberos SSO & Cert Auth Conflict
Symptom: GP fails when Client Auth requires "User Credentials AND Client Certificate Required" and Kerberos SSO is used. System logs show the error: Authentication failed. Username in client cert (...) is different from the input (...).
Cause: Firewall compares username from Kerberos ticket with username extracted from certificate (via Cert Profile setting 'Subject'/'Subject Alt'). Mismatch causes failure.
Resolution: Edit the Certificate Profile used for GP Client Auth. Change Username Field to None . Commit.
When combining credential auth (Kerberos) and certificate validation, set Username Field to 'None' in the Certificate Profile.
Issue: "Valid client certificate is required" Error (GP User Cert)
Symptom: GP connection fails with error "Valid client certificate is required", specifically when using a User certificate (not Machine cert). GP logs show errors like `pre-login error message: Valid client certificate is required` and `Portal required client certificate is not found`.
Cause: This often occurs when the Certificate Profile assigned to the GP Portal/Gateway has the option "Block session if certificate was not issued to the authenticating device" checked. This setting compares the certificate's serial number (or another attribute) with the device's Host ID (e.g., Windows Machine GUID). This check is appropriate for Machine certificates but typically fails for User certificates.
Resolution: Edit the Certificate Profile (Device > Certificate Management > Certificate Profile) used by the GP Portal/Gateway, uncheck "Block session if certificate was not issued to the authenticating device", then click OK and Commit.
Ensure the "Block session if certificate was not issued..." setting in the Certificate Profile is unchecked when authenticating GlobalProtect users with User certificates.
Interactive Quiz: Zero Trust & Certificate Auth
Test your understanding of Palo Alto Networks Zero Trust concepts and Certificate Authentication.