PALO ALTO NETWORKS: Technology Partner Solution Brief

ForeScout CounterACT Integration with Palo Alto Networks® Next-Generation Firewall

Technology Segment: Authentication and Access Control

The Palo Alto Networks Technology Partner Program includes a select group of partners that deliver solutions or products that interoperate with the next-generation firewall.

SOLUTION OVERVIEW

ForeScout has partnered with Palo Alto Networks to deliver a powerful solution that augments the capabilities of your next-generation firewalls with real-time user-to-device mapping and device security posture from ForeScout CounterACT. With this joint solution, you gain superior visibility into corporate and personal devices on the network, thereby allowing you to enforce firewall policies and application access based on user identity and device security posture.

HIGHLIGHTS

■ Eliminate Blind Spots
Obtain real-time intelligence about the devices and users on your network, including BYOD, guest and unmanaged endpoints, without the need for agents.

■ Enforce User-aware Application Access
Create and enforce next-generation firewall policies based on real-time user identity information, regardless of which device, IP address or location the user connects from.

■ Enhance Network Security
Incorporate contextual information such as device security posture into your next-generation firewall policies to protect your network from non-compliant or unsanctioned devices.

■ Enable Continuous Monitoring and Mitigation
Reduce enterprise risk by ensuring that endpoints have up-to-date security defenses. Continuously monitor and mitigate security gaps on endpoints connecting to your network.

ForeScout CounterACT and Palo Alto Networks next-generation firewalls work together to leverage the best-of-breed capabilities of each solution. The joint solution delivers real-time visibility of the devices on your network, user-aware access controls and compliance monitoring and mitigation of endpoint security risks.
ForeScout CounterACT is a pervasive network security platform that delivers real-time intelligence and policy-based controls for users and devices connected to your network—managed and unmanaged, wired and wireless, corporate and personal, PCs and handhelds. Combining CounterACT with your next-generation firewalls, you gain unique capabilities such as:

• Real-time intelligence about the entities on your network: devices, users, operating systems and applications, including mobile and unmanaged endpoints. CounterACT incorporates one of the most granular host interrogation engines in the industry to gather detailed configuration information about endpoints, without needing agents. It creates a detailed catalog of connected users and devices, eliminating blind spots.

• CounterACT provides real-time user-to-device mapping information to your next-generation firewalls—for corporate and personal devices. CounterACT detects devices as soon as they connect to the network and obtains username information during the network access process. It communicates the user login information to your next-generation firewalls. This allows you to manage User-ID policies in your next-generation firewall based on user identity, regardless of device type, IP address or location. Your firewall can provision different levels of access based on users and groups, and it can restrict specific users from certain parts of your network.

• ForeScout CounterACT can ensure that endpoints on your network are compliant with your security policies. CounterACT can automatically fix most endpoint compliance deficiencies, for example by updating antimalware, prompting the patch management system to update the device’s operating system, disabling unsanctioned applications and enabling required applications.
CounterACT can also check for the presence and activity of endpoint security agents and can dynamically install, enable or configure the agents according to your security policy.

CounterACT physical or virtual appliances deploy out-of-band, thereby adding no latency or potential for network failure. CounterACT interoperates with your existing network infrastructure and is vendor-agnostic. It provides real-time visibility of devices and users as they connect to your network, without the need for agents.

• When a device disconnects from the network, CounterACT provides real-time user logoff information to your next-generation firewalls. This makes your next-generation firewalls aware of which devices and users have disconnected from your network and eliminates the risk of device piggybacking.

• CounterACT provides real-time device security posture and to your next-generation firewalls. CounterACT can add non-compliant devices to dynamic address groups in your next-generation firewalls. By incorporating endpoint compliance information into your firewall security policies, you can block or restrict non-compliant devices from parts of your network.

About ForeScout

ForeScout delivers pervasive network security by allowing organizations to continuously monitor and mitigate security exposures and cyber attacks. The company’s CounterACT appliance dynamically identifies and assesses network users, endpoints and applications to provide visibility, intelligence and policy-based mitigation of security issues. ForeScout’s open ControlFabric technology allows a broad range of IT security products and management systems to share information and automate remediation actions. Because ForeScout’s solutions are easy to deploy, unobtrusive, flexible and scalable, they have been chosen by more than 1,500 enterprises and government agencies. Headquartered in Campbell, California, ForeScout offers its solutions through its network of authorized partners worldwide.
Learn more at www.forescout.com.

About Palo Alto Networks

We are leading a new era in security by protecting thousands of enterprise, government, and service provider networks from cyber threats with our game-changing security platform that natively brings together all key network security functions, including a next-generation firewall, URL filtering, IDS/IPS, and advanced threat protection. Because these functions are purposely built into the platform from the ground up and they natively share important information across the respective disciplines, we ensure better security than legacy firewalls, UTMs, or point threat detection products. With our platform, organizations can safely enable the use of all applications critical to running their business, maintain complete visibility and control, confidently pursue new technology initiatives, and protect the organization from the most basic to the most sophisticated cyber attacks—known and unknown. Learn more at www.paloaltonetworks.com.

4401 Great America Parkway
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com

Copyright ©2014, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks, the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of Palo Alto Networks, Inc. All specifications are subject to change without notice. Palo Alto Networks assumes no responsibility for any inaccuracies in this document or for any obligation to update information in this document. Palo Alto Networks reserves the right to change, modify, transfer, or otherwise revise this publication without notice. PAN_TPSB_NGFW_ForeSource_101414