North-south traffic refers to the flow of data in and out of a network, typically between internal

resources and the internet. To secure this type of traffic, Palo Alto Networks recommends specific

CDSS subscriptions in addition to DNS Security:

A . SaaS Security

SaaS Security is designed for monitoring and securing SaaS application usage but is not essential for

handling typical north-south traffic.

B . Advanced WildFire

Advanced WildFire provides cloud-based malware analysis and sandboxing to detect and block zero-

day threats. It is a critical component for securing north-south traffic against advanced malware.

C . Enterprise DLP

Enterprise DLP focuses on data loss prevention, primarily for protecting sensitive data. While

important, it is not a minimum recommendation for securing north-south traffic.

D . Advanced Threat Prevention

Advanced Threat Prevention (ATP) replaces traditional IPS and provides inline detection and

prevention of evasive threats in north-south traffic. It is a crucial recommendation for protecting

against sophisticated threats.

E . Advanced URL Filtering

Advanced URL Filtering prevents access to malicious or harmful URLs. It complements DNS Security

to provide comprehensive web protection for north-south traffic.

Key Takeaways:

Advanced WildFire, Advanced Threat Prevention, and Advanced URL Filtering are minimum

recommendations for NGFWs handling north-south traffic, alongside DNS Security.

SaaS Security and Enterprise DLP, while valuable, are not minimum requirements for this use case.

Reference:

Palo Alto Networks NGFW Best Practices

Cloud-Delivered Security Services