THIRD PRELIMINARY DRAFT
NIST SP 1800-35B: Implementing a Zero Trust Architecture 36
content—the elements that run your business—become integral components of your enterprise’s zero
To that end, their Next-Generation Firewall (in all hardware, VM, and containerized form factors) and
Prisma Access share a consistent set of core capabilities that are fundamental to zero trust policy
enforcement: User-ID, App-ID, and Device-ID.
▪ User-ID™ technology enables organizations to identify users in all locations, no matter their
device type or OS. Visibility into application activity—based on users and groups, instead of IP
addresses—safely enables applications by aligning usage with business requirements.
▪ App-ID™ technology enables organizations to accurately identify applications in all traffic
passing through the network, including applications disguised as authorized traffic, using
dynamic ports, or trying to hide under the veil of encryption. App-ID allows organizations to
understand and control applications and their functions, such as video streaming versus chat,
upload versus download, and screen-sharing versus remote device control.
▪ Device-ID™ technology enables organizations to enforce policy rules based on a device,
regardless of changes to its IP address or location. By providing traceability for devices and
associating network events with specific devices, Device-ID allows organizations to gain context
for how events relate to devices and write policies that are associated with devices, instead of
users, locations, or IP addresses, which can change over time.
All NGFW form factors and Prisma Access also include the following cloud-delivered security services
(CDSS): Advanced Threat Prevention (ATP), WildFire (WF) malware analysis, Advanced URL Filtering
(AURL), and DNS Security (DNS). These services extend to remote users through the GlobalProtect (GP)
remote access solution, and all of them can be centrally managed by Panorama.
3.4.16.1 Next-Generation Firewall (NGFW)
The Palo Alto Networks Next-Generation Firewall (NGFW) is a machine learning (ML)-powered network
security platform available in physical, virtual, containerized, and cloud-delivered form factors, all
managed centrally via Panorama. Palo Alto Networks NGFWs inspect all traffic, including all
applications, threats, and content, and tie that traffic to the user regardless of location or device type.
Built on a single-pass architecture, the Palo Alto Networks NGFW performs full-stack, single-pass
inspection of all traffic across all ports, providing complete context around the application, associated
content, and user identity to form the basis for zero trust security policy decisions.
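To make the policy model described above concrete, the following is an added illustration (not Palo Alto Networks code and not part of this practice guide) of a toy single-pass enforcement point: one classification pass derives the user (from an IP-to-user table learned from authentication events, the User-ID role), the application (from payload content rather than port, the App-ID role), and the device (from a device fingerprint, the Device-ID role), and rules then match on those attributes instead of on IP addresses. The payload signatures, group and tag names, fingerprint strings, and authentication events are all constructed for the example.

```python
"""Toy single-pass policy enforcement point: one classification pass yields
user, application and device context, and rules match on those attributes
rather than on IP addresses.  Added illustration, not Palo Alto Networks code;
all signatures, tags, names and sample events below are constructed."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Flow:
    src_ip: str
    device_fp: str      # stand-in for a device fingerprint (Device-ID role)
    dst_port: int       # carried for realism; policy below never looks at it
    first_bytes: bytes  # first payload bytes of the session


@dataclass(frozen=True)
class Rule:
    name: str
    groups: FrozenSet[str]       # empty set means "any user"
    apps: FrozenSet[str]         # empty set means "any application"
    device_tags: FrozenSet[str]  # every listed tag must be present on the device
    action: str                  # "allow" or "deny"


def identify_app(first_bytes: bytes) -> str:
    """App-ID-style classification from payload content, ignoring the port.
    Signatures are deliberately simplified stand-ins."""
    if first_bytes.startswith(b"SSH-2.0-"):
        return "ssh"
    if first_bytes[:1] == b"\x16" and first_bytes[1:2] == b"\x03":
        return "ssl"  # TLS record header; a real engine would go on to parse the ClientHello
    if first_bytes.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        return "web-browsing"
    return "unknown-tcp"


class UserIdTable:
    """IP-to-user mapping learned from authentication events (User-ID role).
    A user who moves to a new IP is re-learned from the next event; rules are
    untouched.  A production table would also age out stale mappings."""
    def __init__(self) -> None:
        self._ip_to_user: Dict[str, str] = {}

    def learn(self, event: Dict[str, str]) -> None:
        # constructed event shape: {"ip": "10.0.0.5", "user": "alice"}
        self._ip_to_user[event["ip"]] = event["user"]

    def user_for(self, ip: str) -> Optional[str]:
        return self._ip_to_user.get(ip)


class Pep:
    def __init__(self, rules: List[Rule], user_groups: Dict[str, Set[str]],
                 device_tags: Dict[str, Set[str]]) -> None:
        self.rules = rules
        self.user_groups = user_groups
        self.device_tags = device_tags
        self.userid = UserIdTable()

    def decide(self, flow: Flow) -> Tuple[str, str]:
        """One pass: derive user, app and device context, then first-match rules."""
        user = self.userid.user_for(flow.src_ip)
        groups = self.user_groups.get(user, set()) if user else set()
        app = identify_app(flow.first_bytes)
        tags = self.device_tags.get(flow.device_fp, {"unmanaged"})  # unknown device = unmanaged
        for rule in self.rules:
            if rule.groups and not (rule.groups & groups):
                continue
            if rule.apps and app not in rule.apps:
                continue
            if not rule.device_tags <= tags:
                continue
            return rule.action, rule.name
        return "deny", "default-deny"  # implicit deny when nothing matches


RULES = [
    Rule("eng-ssh-managed", frozenset({"engineering"}), frozenset({"ssh"}),
         frozenset({"managed"}), "allow"),
    Rule("all-web", frozenset(), frozenset({"web-browsing", "ssl"}), frozenset(), "allow"),
]
USER_GROUPS = {"alice": {"engineering"}, "bob": {"contractors"}}
DEVICE_TAGS = {"fp-laptop-01": {"managed"}}


def demo() -> List[Tuple[str, str]]:
    pep = Pep(RULES, USER_GROUPS, DEVICE_TAGS)
    pep.userid.learn({"ip": "10.0.0.5", "user": "alice"})
    pep.userid.learn({"ip": "10.0.0.9", "user": "bob"})
    ssh = b"SSH-2.0-OpenSSH_9.6\r\n"
    out = []
    # 1. alice on a managed laptop tunnels SSH over port 443; content still says ssh
    out.append(pep.decide(Flow("10.0.0.5", "fp-laptop-01", 443, ssh)))
    # 2. alice's lease changes; a fresh auth event re-maps her, no rule edit needed
    pep.userid.learn({"ip": "10.0.0.77", "user": "alice"})
    out.append(pep.decide(Flow("10.0.0.77", "fp-laptop-01", 443, ssh)))
    # 3. same user and app, but from a device the enforcement point does not know
    out.append(pep.decide(Flow("10.0.0.77", "fp-unknown", 22, ssh)))
    # 4. contractor bob hides SSH on 443; a port-based "allow 443" would pass it
    out.append(pep.decide(Flow("10.0.0.9", "fp-laptop-01", 443, ssh)))
    # 5. bob browses HTTP on 8080; allowed because of content, not port
    out.append(pep.decide(Flow("10.0.0.9", "fp-unknown", 8080, b"GET / HTTP/1.1\r\n")))
    return out


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The point of the five decisions is that none of them depends on the source IP or the destination port: the same rule keeps allowing alice after her address changes, the same SSH payload is denied when it arrives from an unknown device or a user outside the engineering group, and HTTP on a non-standard port is allowed on the strength of its content. Everything a real product does beyond this (signature depth, mapping sources, mapping expiry, encrypted-traffic handling) is outside the scope of the illustration.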
Additional NGFWs, including cloud-delivered, software-based VMs (VM-Series), and container-based
(CN-Series), are anticipated to be used as part of the microsegmentation deployment model phase of
this project, deployed as PEPs deeper within each enterprise environment. Regardless of form factor,
any NGFW or Prisma Access instance can serve as a PEP, enabled by the core technologies (User-ID,
App-ID, Device-ID) described above, helping organizations achieve common zero trust use cases
such as data center segmentation, user- or application-based segmentation, or cloud transformation.