PALO ALTO NETWORKS: Technology Partner Solution Brief
ForeScout CounterACT Integration with
Palo Alto Networks® Next-Generation Firewall
Technology Segment: Authentication and Access Control
The Palo Alto Networks Technology
Partner Program includes a select
group of partners that deliver solutions
or products that interoperate with the
next-generation firewall.
HIGHLIGHTS
■ Eliminate Blind Spots
Obtain real-time intelligence about the devices and
users on your network, including BYOD, guest and
unmanaged endpoints, without the need for agents.
■ Enforce User-aware Application Access
Create and enforce next-generation firewall policies
based on real-time user identity information, regardless
of which device, IP address or location the user connects
from.
■ Enhance Network Security
Incorporate contextual information such as device
security posture into your next generation firewall
policies to protect your network from non-compliant
or unsanctioned devices.
■ Enable Continuous Monitoring and Mitigation
Reduce enterprise risk by ensuring that endpoints
have up-to-date security defenses. Continuously
monitor and mitigate security gaps on endpoints
connecting to your network.
SOLUTION OVERVIEW
ForeScout has partnered with Palo Alto Networks to deliver a
powerful solution that augments the capabilities of your next
generation firewalls with real-time user-to-device mapping and
device security posture from ForeScout CounterACT. With this join
solution, you gain superior visibility into corporate and personal
devices on the network, thereby allowing you to enforce firewall
policies and application access based on user identity and device
security posture.
ForeScout CounterACT and Palo Alto Networks next-generation firewalls work
together to leverage the best-of-breed capabilities of each solution. The joint solution
delivers real-time visibility of the devices on your network, user-aware access controls
and compliance monitoring and mitigation of endpoint security risks.
ForeScout CounterACT is a pervasive network security platform that delivers
real-time intelligence and policy-based controls for users and devices connected to
your network—managed and unmanaged, wired and wireless, corporate and personal,
PCs and handhelds. Combining CounterACT with your next-generation firewalls, you
gain unique capabilities such as:
• Real-time intelligence about the entities on your network devices, users,
operating systems and applications, including mobile and unmanaged
endpoints. CounterACT incorporates one of the most granular host
interrogation engines in the industry to gather detailed configuration
information about endpoints, without needing agents. It creates a detailed
catalog of connected users and devices, eliminating blind spots.
• CounterACT provides real-time user-to-device mapping information to your
next generation firewalls—for corporate and personal devices. CounterACT
detects devices as soon as they connect to the network and obtains username
information during the network access process. It communicates the user
login information to your next-generation firewalls. This allows you to
manage USER-ID policies in your next generation firewall based on user
identity, regardless of device type, IP address or location. Your firewall can
provision different levels of access based on users and groups, and it can
restrict specific users from certain parts of your network.

• When a device disconnects from the network, CounterACT
provides real-time user logoff information to your next-
generation firewalls. This makes your next-generation firewalls
aware of which devices and users have disconnected from your
network and eliminates the risk of device piggybacking.
• CounterACT provides real-time device security posture and
to your next generation firewalls. CounterACT can add non-
compliant devices to dynamic address groups in your next-
generation firewalls. By incorporating endpoint compliance
information into your firewall security policies, you can block
or restrict non-compliant devices from parts of your network.
4401 Great America Parkway
Santa Clara, CA 95054
Main: +1.408.753.4000
Sales: +1.866.320.4788
Support: +1.866.898.9087
www.paloaltonetworks.com
PALO ALTO NETWORKS: Technology Partner Solution Brief
• ForeScout CounterACT can ensure that endpoints on
your network are compliant with your security policies.
CounterACT can automatically fix most endpoint
compliance deficiencies, for example by updating
antimalware, prompting the patch management system to
update the device’s operating system, disabling unsanctioned
applications and enabling required applications. CounterACT
can also check for the presence and activity of endpoint
security agents and can dynamically install, enable or
configure the agents according to your security policy.
CounterACT physical or virtual appliances deploy out-of-band,
thereby adding no latency or potential for network failure.
CounterACT interoperates with your existing network
infrastructure and is vendor-agnostic. It provides real-time
visibility of devices and users as they connect to your network,
without the need for agents.
About ForeScout
ForeScout delivers pervasive network security by allowing
organizations to continuously monitor and mitigate security
exposures and cyber attacks. The company’s CounterACT
appliance dynamically identifies and assesses network users,
endpoints and applications to provide visibility, intelligence
and policy-based mitigation of security issues. ForeScout’s open
ControlFabric technology allows a broad range of IT security
products and management systems to share information and
automate remediation actions. Because ForeScout’s solutions are
easy to deploy, unobtrusive, flexible and scalable, they have been
chosen by more than 1,500 enterprises and government agencies.
Headquartered in Campbell, California, ForeScout offers its
solutions through its network of authorized partners worldwide.
Learn more at www.forescout.com.
About Palo Alto Networks
We are leading a new era in security by protecting thousands
of enterprise, government, and service provider networks from
cyber threats with our game-changing security platform that
natively brings together all key network security functions,
including a next-generation firewall, URL filtering, IDS/IPS, and
advanced threat protection. Because these functions are purposely
built into the platform from the ground up and they natively
share important information across the respective disciplines, we
ensure better security than legacy firewalls, UTMs, or point threat
detection products. With our platform, organizations can safely
enable the use of all applications critical to running their business,
maintain complete visibility and control, confidently pursue new
technology initiatives, and protect the organization from the most
basic to the most sophisticated cyber attacks—known and
unknown. Learn more at www.paloaltonetworks.com.
Copyright ©2014, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks,
the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of
Palo Alto Networks, Inc. All specifications are subject to change without notice.
Palo Alto Networks assumes no responsibility for any inaccuracies in this document
or for any obligation to update information in this document. Palo Alto Networks
reserves the right to change, modify, transfer, or otherwise revise this publication
without notice. PAN_TPSB_NGFW_ForeSource_101414