Layered Network Security: Palo Alto Networks and Zero Networks Integration Showcase

Published April 11, 2025 by Mikella Marley

As cyberattacks rise and threats grow more sophisticated, nine out of ten organizations are turning to Zero Trust to boost security posture. But achieving Zero Trust requires advanced network security controls which have historically been difficult to implement at scale, requiring extensive manual effort and risking operational disruption. 

The integration between Palo Alto Networks and Zero Networks changes that. By combining Palo Alto’s Next-Gen Firewalls (NGFW) with Zero’s effortless microsegmentation, the integration enables granular critical asset control and advanced network security without added complexity.  

We’ll take a closer look at how the integration works and break down its value in real-world threat scenarios – read on to learn more and watch the video.  

How Microsegmentation and Next-Gen Firewalls Work Together  

Microsegmentation contains threats once they're inside the network by immediately blocking lateral movement for East-West protection. NGFWs deliver strong perimeter defense and threat prevention, enhancing North-South protection.  

Together, these solutions result in a proactive, layered defense – the combination provides the gold standard in North-South and East-West traffic protection, delivering benefits like:  

  • Automated microsegmentation that can be implemented in days – without disrupting operations – and enforces granular network controls 
  • Layered, holistic network security built to block lateral movement and thwart ransomware  
  • Dynamic, hands-off policy management for IT and OT systems across on-prem, cloud, and hybrid environments  

Integration in Action: A Step-by-Step Overview 

The integration of Palo Alto Networks’ NGFWs with Zero Networks’ agentless microsegmentation allows Zero to automatically discover, tag, and group network assets into shared dynamic address groups, synchronizing with Palo Alto for precise Layer 7 inspection, application identification, and data loss prevention (DLP).  

 

Here’s how the integration works from setup to enforcement: 

1. Establishing the Connection 

  • Generate an API token from the Zero Networks portal under Settings > API. 
  • In the Firewall Vendors section, add Panorama using the Panorama IP, Zero Networks API key, and Panorama API key. 
  • Download the provided Python script, which contains all necessary credentials. 
  • Transfer the script to the Zero Networks Trust Server, which acts as a secure proxy between the internal network and the Zero Networks app. 

2. Asset Discovery and Grouping 

  • Zero Networks continuously scans the environment, automatically discovering resources and assigning them to groups based on traffic behavior and other attributes. 
  • These dynamic address groups are synced to Panorama, allowing firewalls to stay updated as the network changes. 

3. Policy Enforcement via Palo Alto Networks’ NGFWs 

  • In Panorama, users can create policies using the discovered groups (e.g., “client” as the source, “servers” as the destination). 
  • Security profiles like Threat Prevention and Data Filtering can be attached to these rules. 
  • Once committed, these policies are pushed to VM-Series firewalls, which automatically enforce Layer 7 controls without manual tagging or rule writing. 
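
Step 3 notes that security profiles can be attached to rules built on the synced groups; the added example below (not part of the original post or either vendor's tooling) checks an exported rulebase for allow rules on those groups that lack them. The XML layout follows the PAN-OS security-rule schema; the rule names, profile names, the `mgmt` group and the required-profile baseline are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: three security rules in the XML layout PAN-OS uses for
# exported rulebases. Rule and profile names are made up for this example.
SAMPLE_RULES = """
<rules>
  <entry name="client-to-servers-web"><action>allow</action>
    <source><member>client</member></source>
    <destination><member>servers</member></destination>
    <profile-setting><profiles>
      <vulnerability><member>strict</member></vulnerability>
      <data-filtering><member>block-sensitive</member></data-filtering>
    </profiles></profile-setting></entry>
  <entry name="client-to-servers-ftp"><action>allow</action>
    <source><member>client</member></source>
    <destination><member>servers</member></destination>
    <profile-setting><profiles>
      <vulnerability><member>strict</member></vulnerability>
    </profiles></profile-setting></entry>
  <entry name="mgmt-to-servers"><action>allow</action>
    <source><member>mgmt</member></source>
    <destination><member>servers</member></destination></entry>
</rules>
"""

REQUIRED = ("vulnerability", "data-filtering")  # assumed baseline for this check


def members(entry, path):
    """Return the set of <member> values under `path` (empty if absent)."""
    return {m.text for m in entry.findall(f"{path}/member")}


def missing_profiles(xml_text, groups):
    """Map rule name -> required profiles absent from allow rules touching `groups`."""
    findings = {}
    for entry in ET.fromstring(xml_text).findall("entry"):
        touched = members(entry, "source") | members(entry, "destination")
        if entry.findtext("action") != "allow" or not touched & groups:
            continue
        if entry.find("profile-setting/group/member") is not None:
            continue  # rule uses a profile group; resolve its contents separately
        gaps = [p for p in REQUIRED
                if not members(entry, f"profile-setting/profiles/{p}")]
        if gaps:
            findings[entry.get("name")] = gaps
    return findings


if __name__ == "__main__":
    print(missing_profiles(SAMPLE_RULES, {"client", "servers"}))
```

Rules that reference a profile group are skipped rather than passed, so the group's contents still need to be checked against the same baseline.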

How the Integration Blocks Real-World Threats 

The joint solution between Palo Alto Networks and Zero Networks offers real-time enforcement that adapts as the network evolves – without manual intervention. To bring the integration’s value into focus, find out how it enhances security in real-world scenarios.  

Blocking Malicious Web Traffic 

Scenario: A user accesses a legitimate application hosted on a web server. However, a malicious actor injects a script into the URL to probe for vulnerabilities – a classic cross-site scripting (XSS) attempt.  

Solution: The Threat Prevention Security Service enabled for this traffic on Palo Alto’s NGFW detects the injected malicious code and drops the packet. The firewall traffic log shows the traffic between the client and server groups, and the threat log shows the vulnerability detected for that traffic. The session is reset, and the exploit attempt is neutralized.

Preventing Malicious File Downloads 

Scenario: An employee connects to an internal FTP server and unknowingly attempts to download a malicious file.  

Solution: Because data filtering policies are applied automatically through dynamic address groups, the firewall inspects the file and blocks the download. The session is terminated before the file can be delivered. 

Enforcing Least Privilege by Default for Simplified Zero Trust Security 

Scenario: A new client machine is added to the environment, creating a window of opportunity for attackers.  

Solution: Dynamic address groups, created automatically by Zero Networks based on observed behavior, ensure that security policies are always up to date. New client machines are automatically grouped and governed by existing policies, with no need to manually update firewall rules.

Get Adaptive Protection with a Simplified Security Architecture 

Together, Palo Alto Networks and Zero Networks deliver a unified solution for advanced network security, enabled by automation and dynamic policy enforcement. The integration prevents lateral movement, blocks malicious activity, and adapts security policies to changes in the environment – all while reducing operational complexity.  

Find out how you can gain robust protection against sophisticated cyber threats while simplifying your security architecture – get in touch to learn more about the joint solution from Palo Alto Networks and Zero Networks.