Palo Alto Networks
by Palo Alto Networks, Inc.
Next-generation firewall and cloud security platform with advanced threat prevention and zero trust capabilities
Authoritative Sources
Key guidance documents from authoritative organizations.
Comprehensive security best practices including administrative access, security policy, decryption, DoS protection, zero trust, and Panorama management.
Security configuration baseline for PAN-OS firewalls. Covers management plane, authentication, logging, threat prevention, and zone protection.
DoD security requirements for Palo Alto firewalls covering management access, logging, security policies, and threat prevention settings.
NIST guidance on firewall deployment and policy. Palo Alto App-ID and User-ID provide application-aware security aligned with NIST recommendations.
NIST SP 800-207 §2: "Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location." §3.1.2: "An enterprise may choose to implement a ZTA based on placing individual or groups of resources on a unique network segment protected by a gateway security component...the enterprise places infrastructure devices such as next generation firewalls (NGFWs) to act as PEPs protecting each resource." Palo Alto NGFWs implement zero trust with User-ID, App-ID, and micro-segmentation capabilities aligned with NIST ZTA tenets.
SOC 2 CC6.6: "The entity implements logical access security measures to protect against threats from sources outside its system boundaries." Palo Alto NGFWs provide comprehensive boundary protection through App-ID-based traffic inspection, threat prevention profiles, and zone-based security policies that directly implement CC6.6 requirements for external threat protection. Source: AICPA Trust Services Criteria.
ISO 27001:2022 A.8.20: "Networks and network devices shall be secured, managed and controlled to protect information in systems and applications." Palo Alto NGFWs implement comprehensive network security controls including application-aware filtering, intrusion prevention, URL filtering, and encrypted traffic inspection as required by A.8.20. Source: ISO/IEC 27001:2022 Annex A.
CCM IVS-09: "Configure network segmentation to isolate sensitive data and systems." CCM IVS-01: "Establish, document, approve, communicate, apply, evaluate and maintain policies and procedures for infrastructure and virtualization security." Palo Alto micro-segmentation capabilities, zone-based policies, and GlobalProtect VPN directly implement CCM IVS controls for network security and segmentation. Source: CSA Cloud Controls Matrix v4.0.
Verification Commands
Commands and queries for testing and verifying security configurations.
show system info
show running security-policy
show log threat direction equal backward
show admins all
show zone-protection zone all
show config audit diff
show global-protect-gateway current-user
show running ssl-decryption-policy
show wildfire status
show session all filter application web-browsing
show high-availability all
Related Controls
Security controls from various frameworks that relate to Palo Alto Networks.