White Paper

Traps PCI Compliance
Compensating Controls for Increased Security
and Prevention of Advanced Threats
Palo Alto Networks: Traps PCI Compliance
Executive Summary
The theft of credit card data continues to grow at an alarming rate. Not only is it costly to credit card
companies and merchants, but it undermines consumer confidence. In response, the Payment Card
Industry has developed the PCI Data Security Standard (PCI DSS), which includes 12 requirements
for protecting cardholder data. Despite substantial investments made in securing their networks,
organizations are realizing that being PCI compliant does not mean an enterprise is protected
against advanced cyberattacks.
Palo Alto Networks® Traps Advanced Endpoint Protection is an innovative endpoint protection
technology that prevents exploits and malware, both known and unknown. Because PCI DSS
was established before advanced endpoint protection technology existed, the standard still calls
for outdated anti-virus scanning techniques without any ability to prevent unknown exploits.
Despite this fact, companies focused on not only compliance, but also strong security posture
are finding that Traps can be employed as a highly effective compensating control that not only
meets, but also exceeds, the original PCI DSS requirement, resulting in a much stronger security
and compliance posture. For example, prior to Traps technology, patching was the only way
to ensure protection from known vulnerabilities and there was no reliable method to protect
systems from unknown vulnerabilities or those with no available patch. The availability of Traps
allows PCI system operators to significantly enhance security and exceed PCI DSS requirements
by not only eliminating known vulnerabilities, but also protecting systems from exploitation of
unknown vulnerabilities.
Global Threat of Credit Card Fraud
Total global payment-card fraud losses were $11.3 billion in 2012, up nearly 15 percent from
the prior year, according to The Economist. The United States—the only country in which
counterfeit-card fraud is consistently growing—accounted for 47 percent of that amount,
according to the Nilson Report: card issuers lost $3.4 billion and merchants lost another
$1.9 billion.
As remote workforces tap in from points around the globe and enterprise borders dissolve,
companies are becoming more difficult to protect. Add in the growing sophistication of global
attackers and it’s clear that the number of threats and their potential costs are spiraling out of
control.
The good news is that recent technology developments have given rise to a new focus on threat
prevention, instead of threat detection and remediation. While innovative technologies like
Palo Alto Networks Traps work to proactively prevent exploits and malware, they are not
yet specifically recognized as security or control techniques as defined by PCI DSS, so broader
awareness and adoption is needed. Traps is a new, proven technology that can be used effectively
as a compensating control to provide added defense and enhance a company’s security posture.
Traps Overview
Traps is an advanced endpoint protection solution that prevents advanced attacks originating
from executables, data files or network-based exploits, known and unknown, before any
malicious activity can successfully run.
If an attack attempt is made, Traps will immediately block the attempt, terminate the process,
and notify both the user and the administrator that an attack was thwarted. Whenever a block
does occur, Traps will collect detailed forensics, including the offending process, the memory
state when it was prevented, and many other details, that are reported to the Endpoint Security
Manager (ESM).
By employing Traps as a compensating control, organizations can not only meet PCI requirements,
but far exceed compliance provisions through its automated and near-instantaneous security
controls for endpoint protection.
When Traps is deployed with Palo Alto Networks market-leading next generation firewall to form
an integrated Enterprise Security Platform, it supports PCI compliance in three ways:
• By providing an incomparably robust set of capabilities for micro-segmentation of the cardholder data environment (CDE) and effectively reducing the scope of all related compliance
activities.
• By enabling security and compliance teams to simultaneously satisfy numerous individual
requirements with a single, tightly integrated solution.
• By going above and beyond the minimum requirements to not only provide more effective
protection against today’s threats, but also deliver a future-proof solution capable of meeting
PCI DSS requirements even as they continue to evolve.
How Exploit Prevention Works
Many advanced threats work by placing malicious code in a seemingly innocuous data file. When
the file is opened, the malicious code leverages a vulnerability in the native application used to
view the file and the code executes. Because the application being exploited is allowed by IT
security policy, this type of attack will bypass whitelisting controls (See Appendix 2). What sets
Traps apart is the fact that it focuses on the core techniques used by all exploits. It turns out that
although there are many thousands of exploits, they all rely on a small set of core techniques that
change infrequently. Furthermore, each exploit needs to use a series of those techniques in order
to be successful. Traps renders these techniques ineffective by breaking that chain and blocking
the technique the moment it is attempted.
The Traps agent injects itself into each process as it is started. If the process attempts to execute
any of the core attack techniques, the corresponding Exploit Prevention Module (EPM) prevents
that exploit, kills the process, and reports all of the details to the Endpoint Security Manager.
[Figure 1: Traps blocks a core set of techniques to stop advanced attacks before they happen. Flow shown: PDF document is opened by user; Traps seamlessly injected into processes; process is protected as exploit attempt is trapped; attack is blocked before any successful malicious activity; Traps triggers immediate actions (forensic data is collected, process is terminated, user/admin is notified, reported to ESM).]
The collection of detailed forensics and reports by the Endpoint Security Manager results in better
visibility and an understanding of attacks that were prevented.
Malware Prevention
In addition to preventing exploits hiding in data files, Traps employs a comprehensive approach to
the prevention of malicious executables. Malicious executables can be inadvertently downloaded
and run by users without their knowledge. In order to prevent executable malware, Traps focuses
on core techniques, as it does for exploits embedded in data files, plus two additional methods:
policy-based restrictions and integration with the WildFire™ threat intelligence cloud. When
combined, these methods offer unparalleled malware prevention. The process works as follows:
1. Policy-Based Restrictions: Organizations can easily set up policies restricting specific
execution scenarios.
2. WildFire Inspection: Traps queries the WildFire threat cloud with a hash to assess the file’s
standing within the global threat community.
3. Malware Techniques Mitigation: Traps implements technique-based mitigations that
prevent attacks by blocking techniques such as thread injection.
Traps is an integral part of the Palo Alto Networks Enterprise Security Platform, which provides
unparalleled protection of cardholder data. It includes network segmentation capabilities,
application and user identification, advanced threat prevention, and coverage for multiple PCI
requirements resulting in a level of protection for cardholder data that goes beyond the baseline
capabilities specified in the PCI DSS.
Traps Advanced Endpoint Prevention: Compensating Controls for PCI Compliance
According to the Verizon 2014 PCI Compliance Report, payment card data remains one of the easiest
types of data to convert to cash—which is why 74 percent of attacks on retail, accommodation, and
food services companies target precisely this type of information.
Organizations are challenged to meet PCI DSS compliance commitments and oftentimes there
may be areas where they are unable to meet requirements. Many companies are not aware of
the fact that if an organization is unable to meet the requirements as they are explicitly written,
compensating controls may be used to comply with PCI DSS standards with the added benefit of
achieving higher levels of security than prescribed.
According to the PCI Security Standards Council, these are the criteria for a compensating
control:
“Compensating controls may be considered when an entity cannot meet a requirement explicitly
as stated, due to legitimate technical or documented business constraints, but has sufficiently
mitigated the risk associated with the requirement through implementation of other controls.
Compensating controls must:
1. Meet the intent and rigor of the original stated PCI DSS requirement;
2. Provide a similar level of defense as the original PCI DSS requirement;
3. Be ‘above and beyond’ other PCI DSS requirements (not simply in compliance with other
PCI DSS requirements); and
4. Be commensurate with the additional risk imposed by not adhering to the PCI DSS
requirement.”
Compensating controls can play a critical role in building a strong security program. For example,
in order to protect payment card information wherever it is collected or stored, Traps can be
employed as a highly effective compensating control that not only meets the original PCI DSS
requirement, but goes above and beyond what is mandated.
Strengthening Security and Compliance Posture with Traps
Palo Alto Networks Traps provides Advanced Endpoint Protection to support organizations
in their efforts to achieve PCI compliance. Traps is an integral part of the Palo Alto Networks
Enterprise Security Platform, which also includes a next-generation firewall and the WildFire threat
intelligence cloud. Working in concert, this platform provides comprehensive compliance capability
as summarized in the table below.
[Note: See Appendix 1 for additional details on how Palo Alto Networks Enterprise Security
Platform addresses PCI security requirements.]
While every scenario will be different, below are a few examples showing the use of compensating
controls to meet specific PCI requirements.
Compliance Capabilities
PCI DSS Requirements v3.0 (columns: Next Gen FW, WildFire, Traps)
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Requirement 3: Protect stored cardholder data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
Requirement 5: Protect all systems against malware and regularly update anti-virus software or programs
Requirement 6: Develop and maintain secure systems and applications
Requirement 7: Restrict access to cardholder data by business need to know
Requirement 8: Identify and authenticate access to system components
Requirement 9: Restrict physical access to cardholder data
Requirement 10: Track and monitor all access to network resources and cardholder data
Requirement 11: Regularly test security systems and processes
Requirement 12: Maintain a security policy that addresses information security for all personnel
Requirement 1: Install and Maintain a Firewall Configuration
to Protect Cardholder Data
(Sub Requirements 1.3.5, 1.4)
While this PCI requirement category focuses on firewall protection, Traps does provide a capability to
recognize and prevent an exploit from launching with the intent of collecting or sending unauthorized
outbound traffic from the data environment or changing personal firewall configuration on end
devices. This capability, when combined with Palo Alto Networks next-generation firewalls, provides
an organization with a solution that explicitly meets additional sub-requirements.
Palo Alto Networks portfolio of hardware and virtual next-generation firewalls enables definitive
least privileges access control (i.e., deny all applications, users, and content except for that
which is necessary) for all networks involving cardholder data. Palo Alto Networks supports all
sub-requirements pertaining to DMZ implementations intended to prohibit direct public access
between the Internet and any CDE system.
Requirement 2: Do Not Use Vendor-Supplied Defaults for System Passwords
and Other Security Parameters
(Sub Requirements 2.2.2, 2.2.3, 2.2.4, 2.2.5)
The intent behind Requirement 2 is to implement sufficient preventive controls to reduce the
attack surface. These controls include changing vendor passwords; enabling only necessary
services, protocols, daemons; and removing unnecessary functionality, such as scripts, drivers,
features, subsystems, file systems, and web servers. For a relatively complex cardholder
data environment, there are potentially thousands of instances in which unnecessary services,
unnecessary functionality, and unsecure services could operate. Furthermore, unknown vulnerabilities
in services that have been deemed necessary can be exploited resulting in a security breach. Given
the many threat vectors and attack points, the chance of these preventive controls breaking
down is very high. As a result, organizations face elevated risks since it only takes one unsecure
service to be running for a well-crafted attack to compromise a system.
Traps provides an automated preventive control capability to reduce risks associated with
threat vectors or attack points. The unique approach employed by Traps ensures that even if
unnecessary services are running, vulnerabilities in those services cannot be exploited. Traps
will block the exploit technique and prevent any malicious activities from occurring. Insightful
forensics evidence is collected to support incident response processes or further investigative
activities. With Traps operating in the CDE, organizations can reduce their risk to a level more
in line with the business’ risk tolerance position.
Requirement 3: Protect Stored Cardholder Data
(Sub Requirements 3.6.2, 3.6.3, 3.6.7)
This requirement focuses on reducing the amount of cardholder data stored and ensuring that
stored data is appropriately masked and encrypted. Despite rigorous encryption techniques,
the cardholder data must often exist in an unencrypted state in memory, which has become a
frequent point of attack. Furthermore, encryption keys must be properly protected, which poses
challenges for many businesses. Not only do businesses need to store, protect, back up and
track keys, they must also deal with interoperability issues, a lack of management standards,
and multiple locations where encryption is employed, whether endpoint devices, databases, or
storage systems. Given these management challenges, encryption alone may be sufficient to meet
compliance requirements, but often does not provide adequate security for cardholder data.
Compromising the storage and distribution of encryption keys or making unauthorized key
substitutions places the organization at risk. Furthermore, encryption alone does not protect
against malware that scrapes the unencrypted cardholder data from memory. Traps prevents
exploits and malware from launching malicious code that would try to compromise encryption
keys or cardholder data. By preventing exploits and malware, businesses are in a better position
to protect stored cardholder data and the related encryption keys. If key management processes
do break down, Traps provides an effective compensating control for PCI DSS Section 3.6.
Requirement 5: Use and Regularly Update Anti-Virus Software or Programs
(Sub Requirements 5.1, 5.1.1, 5.2, 5.3)
Traditional anti-virus/anti-malware (AV/AM) software has varying degrees of effectiveness.
AV/AM software is designed to detect and remove malicious software from a system before
disrupting computer operation, gathering sensitive information, or gaining access to a system
or application. However, these tools have been shown to detect only a fraction of the advanced
attacks targeting cardholder data environments. AV/AM identification techniques, whether
signature-based, heuristic-based, or behavioral-based, have known limitations such as timely
protection against new attacks, potential system performance impacts, and potential high rate
of false positives. Also, security operation teams are simply overwhelmed by the sheer volume
of malware attacks. As a result, the probability is extremely high that malware and exploits will
bypass traditional AV/AM products.
Traps uses an innovative approach to prevent malware and exploits from wreaking havoc and
can run alongside traditional AV/AM software. Instead of focusing on the millions of individual
attacks themselves, Traps is designed to proactively stop all attacks targeting endpoints by
automatically blocking a core set of techniques that every attacker must link together in
order to execute an exploit. Traps also integrates with the WildFire threat intelligence cloud,
leveraging real-time threat intelligence from thousands of WildFire customers. The efficacy of
the anti-exploit and anti-malware capabilities employed by Traps far exceeds traditional
AV/AM products. However, since the requirements still call for obsolete techniques like periodic
AV scanning, Traps will be considered a compensating control for this requirement until the
regulation is updated to reflect the current state of technology. Some customers will choose to
run Traps alongside a free AV solution supplied by the OS vendor in order to maximize both
security and compliance.
Requirement 6: Develop and Maintain Secure Systems and Applications
(Sub Requirements 6.2, 6.4)
Within organizations, software vulnerabilities are discovered at an alarming rate. Patches
become available after the vulnerability has been in existence for months or years and inevitably
take time to thoroughly test and deploy. PCI DSS requires both prompt remediation of critical
software vulnerabilities (Section 6.2) and responsible testing and change management (Section
6.4). These can be conflicting priorities in some circumstances. Furthermore, patches are merely
an after-the-fact remedy for a risk that has likely been in place for a long period of time.
Exploit and malware prevention is the only true preventive control.
An organization running Traps on the critical systems in scope for PCI is in a very different
position from most organizations. Although the standard only requires protection from known
vulnerabilities, an organization running Traps is also protected from unknown vulnerabilities and
should develop a vulnerability risk assessment policy that reflects this enhanced environment. In
particular, patches that would be deemed “critical” for most organizations may not be “critical”
for an organization running Traps. This is because an assessment of whether the vulnerability
poses “an imminent threat to the environment” would result in a determination that the system
is actually not vulnerable due to Traps protection.
Given that Traps provides comprehensive protection from exploitation of vulnerabilities, both
known and unknown, it exceeds the core PCI requirement, albeit using a method not prescribed
by the standard.
[Figure 3: Exploit and malware prevention provide broader risk reduction than patching alone. Timeline labels: Software Deployed; Exploits Begin; Vulnerability Discovered; Public Announcement of Vulnerability; Patch Deployed; Patch Released. Coverage spans: Protected by Traps Exploit and Malware Prevention; Protected by Vendor Patch.]
As shown on the timeline above, vulnerabilities exist from the time the software is put into use.
From that point until a patch is installed, the system is at risk. By implementing the exploit
and malware prevention in Traps, this risk is virtually eliminated. This makes Traps the ideal
compensating control for PCI DSS Section 6.2.
Conclusion
With data breaches on the rise, it’s clear that simply being PCI DSS compliant does not guarantee
protection of sensitive cardholder data. Organizations are realizing that if they cannot meet PCI
DSS requirements as stated, compensating controls are an effective way to meet and exceed PCI
requirements while improving security posture.
In this regard, Palo Alto Networks Traps Advanced Endpoint Protection, working together with
the Enterprise Security Platform, is an invaluable solution that delivers:
• Definitive, least privileges access control and other essential security capabilities for effectively
segmenting off the cardholder data environment and thereby reducing the scope and cost of
achieving PCI DSS compliance;
• Support for a considerable cross-section of the PCI DSS requirements; and,
• Capabilities that go above and beyond the standard’s baseline specifications to more thoroughly protect cardholder data—and the remainder of an organization’s computing environment—
from the latest generations of unknown malware and advanced threats.
For more information regarding the Palo Alto Networks enterprise security platform and its
component technologies, please visit www.paloaltonetworks.com.
Appendix 1: PCI Security Requirements Supported by Palo Alto Networks Enterprise
Security Platform
The Palo Alto Networks Enterprise Security Platform is an integrated, next-generation solution that
is designed from the ground up to reduce an organization’s attack surface, and prevent the most
sophisticated cyberattacks from achieving their objectives. It is comprised of three core elements: a
Next-Generation Firewall, Threat Intelligence Cloud and Advanced Endpoint Protection.
The table below outlines how Palo Alto Networks Enterprise Security Platform supports many of the
individual requirements specified in the PCI DSS.
PCI DSS REQUIREMENT / SUPPORTED SUB-REQUIREMENTS / DESCRIPTION OF CAPABILITIES

REQUIREMENT 1: Install and maintain a firewall configuration to protect cardholder data
Supported sub-requirements: 1.2, 1.2.1, 1.2.3, 1.3, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.4
Description of capabilities: Palo Alto Networks next generation firewall and network products support all sub-requirements pertaining to DMZ implementations intended to prohibit direct public access between the Internet and any CDE system. The Palo Alto Networks Traps Advanced Endpoint Protection prevents an exploit from executing unauthorized processes used to extract data from any CDE system.

REQUIREMENT 2: Do not use vendor supplied defaults for system passwords and other security parameters
Supported sub-requirements: 2.2.2, 2.2.3, 2.2.4, 2.2.5, 2.3
Description of capabilities: All components of the Palo Alto Networks Enterprise Security Platform require user authentication, and implement strong encryption for all non-console and remote administration sessions, whether the component is accessed directly or via the corresponding central management system. Traps’ technique mitigation engine provides an excellent preventive control to identify and block malicious activities when existing controls (such as remove unnecessary or unsecure services) fail.

REQUIREMENT 3: Protect stored cardholder data
Supported sub-requirements: 3.6.2, 3.6.3, 3.6.7
Description of capabilities: Traps prevents exploit and malware from launching malicious code that would try to compromise encryption keys while stored or being distributed.

REQUIREMENT 4: Encrypt transmission of cardholder data across open, public networks
Description of capabilities: Standards-based IPSec VPNs are supported for secure site-to-site connectivity, while GlobalProtect delivers secure remote access for individual users via either an SSL or IPSec-protected connection. With its unique application, user, and content identification technologies, the Palo Alto Networks solution is also able to thoroughly and reliably control the use of potentially risky end-user messaging technologies, e.g., email, instant messaging, and chat, down to the level of individual functions such as those that allow messages but disallow attachments and file transfers.

REQUIREMENT 5: Protect all systems against malware and regularly update anti-virus software or programs
Supported sub-requirements: 5.1, 5.1.1, 5.2, 5.3
Description of capabilities: The Palo Alto Networks Traps Advanced Endpoint Protection provides a much-needed complement to legacy anti-virus solutions that are largely incapable of providing protection against unknown malware, Zero Day exploits, and advanced persistent threats (APTs).

REQUIREMENT 6: Develop and maintain secure systems and applications
Supported sub-requirements: 6.2, 6.3, 6.5, 6.6
Description of capabilities: As a fully application-aware solution, the Palo Alto Networks Enterprise Security Platform is capable of preventing a wide range of application-layer attacks that have, for example, taken advantage of improperly coded or configured web apps.
REQUIREMENT 7: Restrict access to cardholder data by business need to know
Supported sub-requirements: 7.2, 7.2.1, 7.2.3
Description of capabilities: Standards-based IPSec VPNs are supported for secure site-to-site connectivity, while GlobalProtect delivers secure remote access for individual users via either an SSL or IPSec-protected connection. With its unique application, user, and content identification technologies, the Palo Alto Networks solution is also able to thoroughly and reliably control the use of potentially risky end-user messaging technologies, e.g., email, instant messaging, and chat, down to the level of individual functions such as those that allow messages but disallow attachments and file transfers.

REQUIREMENT 8: Identify and authenticate access to system components
Supported sub-requirements: 8.1, 8.1.1, 8.1.3, 8.1.4, 8.1.6, 8.1.7, 8.1.8, 8.2, 8.2.1, 8.2.3, 8.2.4, 8.2.5, 8.3, 8.5, 8.6, 8.7
Description of capabilities: Native capabilities and tight integration with Active Directory and other identity stores support a wide range of authentication policies, including: use of unique user IDs, immediate revocation for terminated users, culling of inactive accounts, lockout following a specified number of failed login attempts, lockout duration, idle session timeouts, and password reset and minimum strength requirements. Support is also provided for several forms of multi-factor authentication, including tokens and smartcards.

REQUIREMENT 9: Restrict physical access to cardholder data
Supported sub-requirements: n/a
Description of capabilities: n/a

REQUIREMENT 10: Track and monitor all access to network resources and cardholder data
Supported sub-requirements: 10.1, 10.2, 10.2.1, 10.2.2, 10.2.3, 10.2.4, 10.2.5, 10.2.6, 10.2.7, 10.3, 10.3.1, 10.3.2, 10.3.3, 10.3.4, 10.3.5, 10.3.6, 10.4, 10.6, 10.6.1, 10.6.2, 10.6.3
Description of capabilities: The Palo Alto Networks Enterprise Security Platform maintains extensive logs/audit trails for WildFire, configurations, system changes, alarms, traffic flows, threats, URL filtering, data filtering, and Host Information Profile (HIP) matches. The solution also supports both daily and periodic review of log data with both native, customizable reporting capabilities and the ability to write log data to a syslog server for archival and analysis by third-party solutions (including popular security event and information management systems, such as Splunk). Traps records endpoint activity, including processes launched and the user name for each process launched.

REQUIREMENT 11: Regularly test security systems and processes
Supported sub-requirements: 11.3.3, 11.4, 11.5
Description of capabilities: The Palo Alto Networks Enterprise Security Platform fully inspects all allowed communication sessions for threat identification and prevention. A single unified threat engine delivers NSS Labs Recommended intrusion prevention (IPS), stream-based anti-virus prevention, and blocking of unapproved file types and data. Traps, along with the cloud-based WildFire engine, extends these capabilities further by identifying new or modified files in order to prevent unknown and targeted malware and exploits.

REQUIREMENT 12: Maintain a security policy that addresses information security for all personnel
Supported sub-requirements: n/a
Description of capabilities: n/a
Appendix 2: Why Whitelisting Alone Cannot Prevent Advanced Threats
Many new products have been developed in attempts to combat the increasingly sophisticated
and targeted threats facing organizations today. One approach taken by some products is
application whitelisting. This approach is based on the premise that if you create a list of
applications that are specifically allowed and then prevent any other file from executing, you can
achieve maximum protection for the endpoint. While this basic functionality can be useful to
reduce the attack surface, it is by no means a comprehensive approach to endpoint security.
Attackers will circumvent application whitelisting by exploiting applications that are on the
approved list. Once the application has been successfully exploited, the attacker can run malicious
code while keeping all of the activity in memory. This means that no new files are created and no
new executables attempt to run, rendering the whitelisting software completely ineffective against
this type of attack.
Traps provides multiple layers of protection. Basic whitelisting can be done in addition to
more advanced whitelist/blacklist and dynamic analysis via the WildFire threat intelligence
cloud. In addition, the unique anti-exploitation capabilities of Traps will prevent exploitation
of applications that are allowed to run. The combination of these techniques makes for an
unparalleled approach to advanced endpoint protection.
4401 Great America Parkway
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com
Copyright ©2015, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks,
the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of
Palo Alto Networks, Inc. All specifications are subject to change without notice.
Palo Alto Networks assumes no responsibility for any inaccuracies in this document
or for any obligation to update information in this document. Palo Alto Networks
reserves the right to change, modify, transfer, or otherwise revise this publication
without notice. PAN_WP_TPCIC_011515