ForeScout, the leading provider of Network Access Control (NAC), or what is also called Comply to Connect, recently announced an enhancement to their integration module for Palo Alto Networks Next-Generation Firewall (NGFW) that we think is worth talking about.

This new enhancement allows ForeScout CounterACT® to dynamically exchange rich visibility data and contextual information about users (profiles) and devices (fixed, system or mobile) with the Palo Alto Networks NGFW without the use of an agent. This enhancement cuts out the middleman.

And because this unique and dynamic access is based on both user and device context, it allows the Palo Alto NGFW to direct users to the “need-to-know” information resources they have been granted access to, whether the user is fixed at their corporate location or working from a remote location. They will have secure access to their defined set of information resources no matter where they are.

Here’s the technology behind the solution:

  1. The ForeScout Palo Alto Module allows CounterACT to “exchange” user profiles and contextual information about an organization’s users with the Palo Alto NGFW.
  2. This exchange allows the NGFW to tag endpoints and dynamically assign them to predefined groups within the NGFW (based upon defined organizational policies and rules).
  3. The user is then segmented off to receive only the collateral available to that defined group on a “need-to-know” basis.
  4. That user ID-to-device mapping and host profile information allows an organization to create granular access policies (built into the NGFW) based on user and device context. This provides the granularity organizations need to define user-based access within a “defined tenant” of a multi-tenant NGFW implementation.
  5. On top of that, the Palo Alto NGFW Embedded WildFire module ensures the device is free of potential zero-day exploits.

You can’t get much better than that these days.