Network Security Services: NGFW, SASE, ZTNA, NAC, and Microsegmentation

Zero Trust is a policy model, not a single product swap. We implement it in phases mapped to the CISA Zero Trust Maturity Model v2.0 pillars: identity-aware access via Cisco ISE 3.4 for network enforcement (802.1X/EAP-TLS) and SAML 2.0 or OIDC federation via Okta, Azure AD, or a compatible enterprise IdP for cloud application access;

then east-west microsegmentation using Illumio Core, Akamai Guardicore Segmentation, VMware NSX-T 4.2, or Cisco ACI EPG contracts; then ZTNA for remote users via Zscaler ZPA, Palo Alto Prisma Access ZTNA, Cisco Secure Access, or Netskope Private Access to replace legacy VPN tunnels.

Each phase is scoped independently with a fixed-fee SOW so the organization controls pace and budget.

Existing perimeter controls remain active until the replacement policy layer is validated and the legacy tunnel has been decommissioned for the relevant user cohort.

SASE (Secure Access Service Edge) converges network connectivity (SD-WAN) and cloud-delivered security (SWG, CASB, ZTNA, FWaaS) into a single vendor stack — most often Palo Alto Prisma Access with Prisma SD-WAN, Cisco+ Secure Connect, or Cato Networks. SSE (Security Service Edge, as defined in Gartner’s 2021 taxonomy) is the security-only subset, without the SD-WAN component — a practical starting point when the WAN is already under contract.

Zscaler Zero Trust Exchange and Netskope Intelligent SSE are the SSE-only market leaders.

If an organization already runs Fortinet Secure SD-WAN, FortiSASE preserves a single-pane management plane.

If the environment is Meraki MX-based, Cisco+ Secure Connect is the natural extension. We recommend based on contract timelines, existing capital, and actual traffic mix — not on vendor partnership revenue.

Threat intelligence integration is in scope. We configure STIX/TAXII feed ingestion into supported NGFW platforms — Palo Alto Networks Advanced WildFire and Advanced Threat Prevention (with context surfaced through Cortex XDR), Fortinet FortiGuard, and Cisco Talos via Cisco Secure Firewall (FTD/FMC, enriched through Cisco XDR). Correlation with SIEM uses syslog over TCP (RFC 6587, commonly port 514) or encrypted TLS syslog per RFC 5425 on TCP 6514.

For organizations running Splunk, Microsoft Sentinel, or Google Chronicle, we produce integration playbooks and data-source onboarding documentation.

MITRE ATT&CK v15 coverage mapping is included as a deliverable so the security team has an auditable technique-ID gap analysis at handoff.

Active threat hunting, SOC staffing, or managed SIEM operations are scoped separately under managed services.

Yes, both are standard deliverable components. NIST CSF 2.0 (released February 2024) added the Govern function alongside the original five — Identify, Protect, Detect, Respond, Recover — making governance structure and accountability an explicit framework output.

We map each security control deployed (NGFW zone policy, microsegmentation rule, ZTNA policy, SIEM data source) to the relevant CSF 2.0 subcategory and cross-reference to CISA Zero Trust Maturity Model v2.0 pillars (Identity, Devices, Networks, Applications and Workloads, Data).

MITRE ATT&CK v15 coverage mapping is included as a deliverable for NGFW and SASE deployments: each detection rule and feed integration is tagged against ATT&CK technique IDs so the security team has an auditable gap analysis at handoff.

CIS Controls v8.1 mapping is available as an additional deliverable.

Post-quantum readiness assessment (NIST FIPS 203/204/205 alignment) is available as an add-on scope item.

The single most common NGFW sizing mistake is designing against the datasheet firewall-throughput headline rather than the threat-protection throughput with TLS decrypt active. Platforms without dedicated security silicon see a 50-70% throughput reduction under full TLS decrypt/re-encrypt load —

a PA-5450 rated at 189 Gbps threat prevention, a FortiGate 4201F rated at 600 Gbps firewall throughput, and a Cisco Secure Firewall 4225 each publish separately measured numbers for firewall-only, threat-protection, and TLS-inspection throughput.

Active/Active HA clustering adds synchronous state sync consuming backplane bandwidth and reduces effective throughput by a further 10-15%.

Correct sizing starts with measured current flow, projects TLS decrypt coverage percentage (typically 60-85% for most environments, with certificate-pinned mobile apps and trading flows as documented bypasses), and applies the vendor’s threat-protection throughput figure adjusted for HA mode.

We produce the sizing model as part of every NGFW refresh engagement deliverable.

ZTNA fronts HTTP-based applications well. Non-HTTP legacy applications — SSH, RDP, thick-client database protocols, SMB file shares — require a ZTNA platform that supports arbitrary TCP and UDP tunneling through its connector architecture. Zscaler ZPA, Palo Alto Prisma Access ZTNA, Cisco Secure Access, and Netskope Private Access each support non-HTTP protocols through their private-access connectors, with varying levels of protocol-aware enforcement.

Applications that require broadcast or multicast (some legacy ERP systems, legacy voice protocols) usually cannot be fronted by ZTNA without additional modernization and retain legacy VPN access during a transition period.

The migration deliverable includes an application-by-application inventory with ZTNA-fit rating (green, yellow, red), the rationale per application, and a sequencing plan that decommissions VPN access only when the replacement path is validated.

No application moves to ZTNA-only without user-acceptance testing against business function requirements.

Design, deployment, and validation are in the fixed-fee SOW scope. Ongoing policy operations — writing new rules as applications onboard, investigating policy violations, re-tuning the label model as the environment evolves — are delivered under a separate managed services engagement with defined SLA tiers.

On Illumio Core and Akamai Guardicore Segmentation deployments, we run the discovery phase in monitor-only mode for a minimum 30-day window, review application dependencies with the application owners, and move to enforcement in stages tied to business criticality.

VMware NSX-T 4.2 distributed firewall and Cisco ACI EPG contracts follow the same monitor-then-enforce pattern.

A microsegmentation deployment that skips the monitor phase is a production outage waiting for a trigger — we do not ship engagements that way.

The fixed-fee SOW covers the defined scope. If the assessment uncovers a finding outside that scope — an unremediated PCI DSS 4.0 Requirement 1.3 segmentation failure, a HIPAA Security Rule §164.312 access-control gap, a CMMC 2.0 Level 2 control not mapped to an existing technology, or a CISA ZT pillar stuck at Traditional where the organization expected Advanced — we document the finding in the assessment report with a clear description, risk rating, and framework mapping.

We then issue a separate change-order estimate for any additional WFHS scope, and where the finding requires a third-party auditor (C3PAO for CMMC Level 2, QSA for PCI) or a licensed specialty contractor, we refer to the appropriate provider.

The client is never billed above the SOW total without a signed change order first.

That is the operational definition of a fixed-fee engagement.

Palo Alto App-ID classifies traffic regardless of port, protocol, encryption (SSL or SSH), or other evasive tactics used by the application. PAN-OS 11.x runs classification through three mechanisms in sequence: application signatures, known-protocol decoders that apply context-based signatures to catch tunneled applications, and heuristics for evasive traffic that signatures and decoders cannot identify on their own.

When SSL Forward Proxy or SSL Inbound Inspection policy is in place, decrypted session data feeds App-ID so TLS-encrypted flows get classified the same way cleartext flows do.

The result: a policy built on “facebook-chat” or “ms-rdp” enforces on the actual application, not a port number that anything can squat on.

SSL Forward Proxy inspects outbound traffic from internal users to the internet — the NGFW acts as a trusted intermediary, decrypts the session, inspects, and re-encrypts. SSL Inbound Inspection covers traffic entering internal servers, where the firewall holds the server’s certificate and private key to decrypt sessions destined for your data center. Both modes are policy-based, so selective decryption (excluding regulated categories like banking and healthcare) is standard.

PAN-OS 11.x supports PFS via DHE and ECDHE key exchange algorithms in both modes.

SSH Proxy inspects SSH tunnels but is not supported by Strata Cloud Manager. We design decryption policy to match your compliance posture, exclusion categories, and PA-5400 or PA-7500 throughput envelope.

SSL Forward Proxy splits the session into two TLS connections: one with the client, one with the server. The firewall picks one of two forward-proxy certificates based on server-certificate validation. If the server certificate is signed by a CA the NGFW trusts, the client receives a certificate issued by the SSL Forward Trust Certificate.

If the server certificate is signed by an untrusted CA, the client receives an impersonation certificate signed by the SSL Forward Untrust Certificate, and the browser displays a not-trusted warning.

The impersonation certificate contains extensions copied from the original but is not the actual server certificate.

PAN-OS cannot decrypt sessions that use client authentication or pinned certificates, and HA does not sync decrypted session state.

PAN-OS 11.x builds User-to-IP mappings through six documented mechanisms. Server Monitoring via the PAN-OS Integrated User-ID Agent or the Windows User-ID Agent pulls login events from Active Directory, Exchange, and domain controllers. Authentication Portal handles non-domain-joined clients such as Linux hosts. Syslog Monitoring ingests authentication events from wireless controllers, 802.1X devices, Apple Open Directory, proxy servers, and NAC platforms.

HTTP Header Insertion can embed the username and domain in outgoing HTTP traffic so downstream devices identify the user.

Terminal Server Agent handles Citrix and multi-user environments. The XML API supports programmatic mapping from custom identity systems. The output: security policy enforces on user and group rather than just IP address.

PAN-OS supports two firewalls in an HA pair or up to 16 firewalls in an HA cluster with synchronized configuration and session state. Active/passive and active/active are both supported with session sync. Active/active runs in virtual wire and Layer 3 only — not Layer 2 — while active/passive supports all three.

Four failover triggers are documented: Link Monitoring (monitored interfaces fail), Path Monitoring (specified destinations unreachable), Heartbeat Polling (peer misses hello messages), and Packet Path Health Monitoring (critical chip or software failure).

Active/active does not provide load balancing on its own — traffic distribution requires ECMP, multiple ISPs, or an upstream load balancer — and it does not support DHCP client; only the primary can run DHCP Relay.

NIST SP 800-207 Section 2.1 defines seven tenets. All data sources and computing services are treated as resources. All communication is secured regardless of network location. Access is granted on a per-session basis. Access is determined by dynamic policy. The enterprise monitors and measures integrity and security posture of all owned and associated assets. All resource authentication and authorization are dynamic and strictly enforced before access is allowed.

The enterprise collects as much information as possible about the current state of assets, network infrastructure, and communications, and uses it to improve posture.

SP 800-207 also defines three logical components — Policy Engine, Policy Administrator, and Policy Enforcement Point — that implement those tenets in real deployments.

NIST released CSF 2.0 on February 26, 2024 — the first major update since the 2014 original. CSF 2.0 adds Govern as a sixth function, joining the original five: Identify, Protect, Detect, Respond, and Recover. Govern treats cybersecurity as a major source of enterprise risk that senior leaders should consider alongside finance and reputation. Scope expanded from critical-infrastructure operators to all organizations, including schools, nonprofits, and small businesses.

Supporting resources now include Quick-Start Guides, Success Stories, the CSF 2.0 Reference Tool, and the Cybersecurity and Privacy Reference Tool (CPRT) catalog cross-referencing over 50 cybersecurity documents.

We map Govern-function gaps to concrete artifacts — policy ownership, risk-register inputs, and board-level reporting cadence — during security architecture engagements.

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The framework is split across three matrices: Enterprise (Windows, Linux, macOS, cloud), Mobile (iOS and Android), and ICS (industrial control systems).

The Enterprise matrix contains 14 tactics representing strategic objectives: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, and Impact.

Techniques are specific methods, and many have sub-techniques — “Command and Scripting Interpreter” alone has 13 sub-techniques including PowerShell, Python, and JavaScript.

We use ATT&CK mappings to tie detection content in Cortex XDR, FortiAnalyzer, or SIEM rules back to real adversary behavior.

TLS 1.3 is defined in IETF RFC 8446 and materially changes how NGFW decryption works. The cipher-suite concept was redesigned to separate authentication and key-exchange mechanisms from the record-protection algorithm — only AEAD algorithms are retained. Static RSA and Diffie-Hellman cipher suites were removed; all key exchange now provides forward secrecy. All handshake messages after the ServerHello are encrypted via the new EncryptedExtensions message.

EdDSA signatures were adopted, RSA padding moved to RSASSA-PSS, and HKDF was introduced as the underlying key-derivation primitive.

Session resumption merges the legacy session ID and session ticket into a unified Pre-Shared Key system. For NGFW deployments, TLS 1.3 means SSL Forward Proxy sizing must assume mandatory PFS and zero visibility into encrypted handshake extensions without decryption.

IPsec architecture is defined in IETF RFC 4301. Transport Mode operates between host endpoints and protects next-layer protocols without modifying the original IP header — the security-protocol header appears after the IP header, before application data. It is typical for end-to-end host security.

Tunnel Mode encapsulates an entire IP packet inside a new IP header and is mandatory for security gateways. AH provides integrity, data-origin authentication, and optional anti-replay protection across selected IP-header portions plus payload.

ESP provides the same authentication as AH plus confidentiality via encryption.

Using ESP without integrity is NOT RECOMMENDED per the RFC, AH is now optional, and ESP is preferred. The SPD holds ordered policy with PROTECT, BYPASS, and DISCARD actions; the SAD stores parameters for established SAs.

IKEv2 is defined in IETF RFC 7296 and uses three exchanges. IKE_SA_INIT is the initial exchange that establishes the IKE Security Association — it negotiates cryptographic algorithms, exchanges nonces, and performs Diffie-Hellman key exchange. IKE_AUTH authenticates both parties and establishes the first Child SA,

with messages encrypted and integrity-protected using keys derived from IKE_SA_INIT. CREATE_CHILD_SA creates additional Child SAs and rekeys both IKE and Child SAs, optionally carrying fresh Diffie-Hellman values for forward secrecy.

SKEYSEED is derived from the DH exchange, with separate SK_e (encryption) and SK_a (integrity) keys per direction and SK_d for subsequent Child SA keying.

RFC 7296 explicitly states there is no reason to negotiate an SA lifetime — each endpoint manages its own timeout locally.

The EAP framework (IETF RFC 3748) supports multiple authentication methods over data-link layers without requiring IP connectivity. Participants include the Authenticator, Peer/Supplicant, NAS (switch or AP acting as pass-through), and Backend Authentication Server — typically RADIUS on Cisco ISE 3.4+ or Aruba ClearPass 6.12+.

Initial EAP method types include Identity, MD5-Challenge, OTP, GTC, and Expanded Types. EAP-TLS (RFC 5216, updated by RFC 9190 for TLS 1.3) adds certificate-based mutual authentication and key derivation — both peer and server present X.509 certificates during the TLS handshake, so there is no shared password to phish.

Key derivation produces a 64-octet MSK, a 64-octet EMSK, and per-direction 64-octet IVs via the TLS PRF with label “client EAP encryption,” keeping the TLS master secret protected.

Advanced WildFire runs static and dynamic analysis engines plus intelligent runtime memory analysis. It uses machine learning to analyze and block malicious files with AI-Powered Security Models and applies deep learning to identify sophisticated and previously unseen malware, including AI-generated threats.

Supported file types include PE (portable executable) files with inline ML detection, Mach-O files for macOS analysis, OOXML Office documents, and EML email files — WildFire analyzes the entirety of a single email in plain text format.

Regional cloud availability covers Spain, Saudi Arabia, Israel, South Korea, Qatar, France, Taiwan, Indonesia, Poland, and Switzerland, plus Government and Public Sector clouds.

Organizations select specific regions where macOS samples process to meet data-residency requirements for GDPR, HIPAA, or export-controlled workloads.

Advanced Threat Prevention delivers exploit, malware, and command-and-control protection through layered detection. Signature-Based Detection uses traditional threat signatures via the Threat Vault for known threats. Inline Machine Learning adds cloud-based deep-learning analysis for emerging threats — notably, it can detect unknown C2 developed using the open-source Sliver C2 framework via specialized neural-network models that examine encrypted TLS patterns.

Local Deep Learning runs fast, on-box deep-learning analysis of zero-day and evasive threats on firewalls running PAN-OS 11.2 and later.

C2 detection also includes real-time behavioral analysis of suspicious communication patterns in encrypted channels, DNS-based C2 prevention using predictive analytics, and Exfiltration Shield protection against DNS relaying attacks that abuse legitimate web services.

Panorama is Palo Alto’s centralized management platform, built to manage all your firewalls whether they sit at the perimeter, in a data center, or in the cloud. Core capabilities include centralized policy and firewall management, device groups and templates for organizing distributed deployments, both a management server and a dedicated log collector role, and API-driven Dynamic Address Groups that automate policy workflows for server additions, moves, and deletions.

Panorama Interconnect extends management to tens of thousands of firewalls for hyperscale deployments.

It ships as virtual or physical appliances, with cloud deployment on AWS and Google Cloud Platform. Panorama 12.1 is the current feature set. For distributed environments, we design device-group hierarchy and template stacks so global policy inherits correctly to each regional firewall.

Prisma Access is cloud-delivered security providing consistent enforcement for users at headquarters, branch offices, and on the road. Palo Alto Networks deploys and manages the underlying security infrastructure globally. Remote Networks protect branch locations via cloud-based NGFWs using static routes, BGP, or a combination, with all remote-network locations fully meshed.

Mobile Users run the GlobalProtect app on Windows, macOS, iOS, Android, Chrome OS, and Linux, with Host Information Profile reporting for device compliance; clientless VPN and explicit proxy are also supported.

The platform delivers threat prevention, malware prevention, URL filtering, SSL decryption, and application-based policy.

Encryption is end-to-end between Mobile User and Remote Network Security Processing Nodes. Service Connections, the ZTNA Connector, and MU-SPNs/RN-SPNs provide private-app access and dynamic regional scaling.

The Fortinet Security Fabric is an integrated architecture spanning Fortinet products and third-party tools. FortiOS 7.4+ admin documentation lists the integrated stack: FortiGate 600F, 1000F, and 3200F firewalls plus FortiGate-5000/6000/7000 chassis for service-provider scale; FortiManager and FortiAnalyzer for centralized management and logging; FortiSwitch, FortiAP, and FortiWiFi on the network side; FortiClient, FortiProxy, and FortiWeb for endpoint and web security; and platform features including SD-WAN and ZTNA.

Shared intelligence flows through centralized dashboards, FortiView monitors, coordinated threat intelligence feeds, real-time session tracking, and security-event correlation.

We design Security Fabric deployments around device-registration topology, Security Rating baselines, and automation stitches so policy drift gets caught before it becomes an audit finding.

FortiGate on FortiOS 7.4+ supports both Basic ZTNA configuration and tiered deployment via Full versus Simple ZTNA policies. FortiClient EMS is central — it establishes device identity and trust context that FortiGate enforces. Authentication supports SSL certificate-based methods to secure the connection and complement identity verification. Documentation explicitly covers access control for unmanageable and unknown devices, giving admins granular handling for non-compliant or unidentified endpoints rather than binary allow/deny.

Gateway patterns documented include HTTPS and TCP forwarding access proxies, SSH access proxies, application gateways with SAML authentication, IPv6-based access scenarios, and inline CASB for SaaS controls.

For production rollouts, we sequence EMS tags, ZTNA rules, and posture checks so a tag change instantly re-evaluates access without user re-auth.

Cortex XDR is the first detection and response platform to natively integrate network, endpoint, and cloud data to stop sophisticated attacks. Three data domains integrate natively: endpoint (EDR) data, network (NDR) data, and cloud-telemetry data. Behavioral analytics drive detection, root-cause-analysis-driven investigation narrows the scope of incidents, and enforcement-tool integration enables rapid containment — isolate an endpoint, block an IOC across NGFWs, or revoke a session token.

Compatibility matrices cover Mac, Windows, and Linux endpoints; cloud workloads; Kubernetes clusters; and mobile platforms.

For security operations teams running Cortex XDR alongside Palo Alto NGFW, Cisco Secure Firewall 4200, or FortiGate 3200F, we build ingestion and enforcement-action playbooks so a single detection can close the loop across all three control planes.

NIST SP 800-207 defines three logical ZTA components, and the mapping to real products is what gets a design shipped. The Policy Engine evaluates policies, signals, and identity context to decide whether to allow, deny, or revoke access — commonly Cisco ISE 3.4+, Aruba ClearPass 6.12+, or a Zscaler Zero Trust Exchange policy tier.

The Policy Administrator executes the decision by creating, modifying, or terminating sessions — the authorization-push layer that sends a RADIUS CoA, a session-termination API call, or a dynamic VLAN reassignment.

The Policy Enforcement Point enforces access between the requester and the resource — usually an NGFW like PA-5400 or FortiGate 1000F, a ZTNA broker, or an identity-aware proxy.

We architect all three layers together so the design survives the first audit, not just the first demo.