Palo Alto Networks Validation

You Run Palo Alto. Does Your Configuration Actually Stop Attacks?

10,000 rules. How many work?

Sherlock Forensics offers Palo Alto Networks security validation starting at $5,000 CAD. We test whether your Palo Alto firewall configuration actually stops real attack techniques. Using our ShadowTap platform, we simulate an internal attacker, test App-ID enforcement, attempt SSL decryption bypasses, probe zone protection boundaries and validate GlobalProtect VPN security. You receive a detailed report showing what your firewall blocked, what it missed and specific configuration changes to close the gaps. Comprehensive validation with full internal and external testing is available at $12,000 CAD.

Common Misconfigurations

What We Find in Palo Alto Deployments

Overly Permissive App-ID Rules

App-ID is powerful when configured correctly. In practice, most rule bases contain broad "any" application rules that negate the purpose of application-aware filtering. Legacy rules migrated from older firewalls often bypass App-ID entirely. We test whether your App-ID rules actually restrict application traffic or just log it.

SSL Decryption Bypasses

Without SSL decryption, your Palo Alto cannot inspect over 80% of modern web traffic. Many organizations enable decryption partially, leaving entire categories of traffic uninspected. Certificate pinning exceptions, decryption exclusion lists and performance concerns create gaps that attackers exploit for command-and-control and data exfiltration.

Zone Protection Defaults

Zone protection profiles defend against reconnaissance, flood attacks and packet-based exploits. Default profiles are often too permissive or not applied to all zones. We test whether your zone protection actually blocks port scans, SYN floods and malformed packets or whether an attacker can map your internal network without triggering a single alert.

GlobalProtect VPN Weaknesses

GlobalProtect extends your perimeter to remote users. Split tunneling configurations, weak authentication settings, outdated HIP profiles and missing certificate validation create entry points. We test whether a compromised remote endpoint can pivot through GlobalProtect into your internal network.

Threat Prevention in Alert-Only Mode

Palo Alto Threat Prevention includes IPS, anti-malware and anti-spyware capabilities. Many organizations deploy these in alert-only mode during initial rollout and never switch to blocking. Your logs show threats detected, but nothing was actually stopped. We verify whether Threat Prevention actively blocks malicious traffic.
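The App-ID and alert-only findings described above can be checked from a configuration export before an engagement. The script below is an added example, not Sherlock Forensics or Palo Alto Networks code: it assumes the XML layout of a PAN-OS configuration export (security rules under `rulebase/security/rules/entry`, vulnerability profiles under `profiles/vulnerability/entry`, with the profile rule's action expressed as a child element such as `<alert/>` or `<reset-both/>`), and the sample configuration embedded in it is constructed. It flags allow rules whose application is `any`, allow rules with no Threat Prevention profile attached, and allow rules whose vulnerability profile only alerts.

```python
"""Audit a PAN-OS configuration export for App-ID and alert-only gaps.

Added example (not vendor or Sherlock Forensics code). Assumes the XML
structure of a PAN-OS config export; SAMPLE_CONFIG below is constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one legacy "any" rule, one rule using an alert-only
# vulnerability profile, one properly configured rule and a final deny.
SAMPLE_CONFIG = """<config>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <rulebase><security><rules>
   <entry name="legacy-allow-all">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>allow</action>
   </entry>
   <entry name="web-out">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>web-browsing</member><member>ssl</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
    <profile-setting><profiles><vulnerability><member>alert-only</member></vulnerability></profiles></profile-setting>
   </entry>
   <entry name="dns-out">
    <from><member>trust</member></from><to><member>untrust</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>dns</member></application>
    <service><member>application-default</member></service>
    <action>allow</action>
    <profile-setting><profiles><vulnerability><member>strict</member></vulnerability></profiles></profile-setting>
   </entry>
   <entry name="deny-rest">
    <from><member>any</member></from><to><member>any</member></to>
    <source><member>any</member></source><destination><member>any</member></destination>
    <application><member>any</member></application>
    <service><member>any</member></service>
    <action>deny</action>
   </entry>
  </rules></security></rulebase>
  <profiles><vulnerability>
   <entry name="alert-only"><rules>
    <entry name="client-critical"><action><alert/></action></entry>
    <entry name="server-critical"><action><alert/></action></entry>
   </rules></entry>
   <entry name="strict"><rules>
    <entry name="client-critical"><action><reset-both/></action></entry>
    <entry name="server-critical"><action><reset-both/></action></entry>
   </rules></entry>
  </vulnerability></profiles>
 </entry></vsys></entry></devices>
</config>"""


def members(entry, path):
    """Return the <member> text values under a relative path of an entry."""
    return [(m.text or "").strip() for m in entry.findall(f"./{path}/member")]


def vuln_profile_actions(vsys):
    """Map each vulnerability profile name to the set of actions its rules take.

    In the assumed layout the action is encoded as the name of the child
    element of <action> (alert, allow, drop, reset-both, ...). A profile rule
    set to <default/> defers to each signature's own action and is not judged.
    """
    actions_by_profile = {}
    for prof in vsys.findall("./profiles/vulnerability/entry"):
        actions = set()
        for rule in prof.findall("./rules/entry"):
            act = rule.find("./action")
            if act is not None and len(act):
                actions.add(act[0].tag)
        actions_by_profile[prof.get("name")] = actions
    return actions_by_profile


def audit(config_xml):
    """Return (rule name, finding) tuples for allow rules that weaken inspection."""
    root = ET.fromstring(config_xml)
    findings = []
    for vsys in root.findall("./devices/entry/vsys/entry"):
        profiles = vuln_profile_actions(vsys)
        for rule in vsys.findall("./rulebase/security/rules/entry"):
            name = rule.get("name")
            if (rule.findtext("./action") or "").strip() != "allow":
                continue  # deny/drop rules cannot let traffic through uninspected
            if "any" in members(rule, "application"):
                findings.append((name, "allow rule with application=any bypasses App-ID"))
            vuln_profiles = members(rule, "profile-setting/profiles/vulnerability")
            has_group = rule.find("./profile-setting/group/member") is not None
            if not vuln_profiles and not has_group:
                findings.append((name, "allow rule has no Threat Prevention profile"))
            for prof in vuln_profiles:
                acts = profiles.get(prof, set())
                if acts and acts <= {"alert", "allow"}:
                    findings.append((name, f"vulnerability profile '{prof}' never blocks"))
    return findings


if __name__ == "__main__":
    for rule_name, finding in audit(SAMPLE_CONFIG):
        print(f"{rule_name}: {finding}")
```

Run it against a real export by replacing SAMPLE_CONFIG with the file contents; rules that carry a profile group rather than individual profiles are treated as covered here, so the group's own vulnerability profile still needs to be checked separately.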

WildFire Submission Gaps

WildFire provides cloud-based malware analysis, but only for traffic it receives. If SSL decryption is incomplete, if certain file types are excluded or if WildFire is not configured on all security profiles, malware can enter your network without analysis. We test WildFire coverage across protocols and file types.

Our Process

What We Test

Internal Attack Simulation

We deploy ShadowTap on your internal network, simulating an attacker who has bypassed the perimeter. This tests your Palo Alto's internal segmentation, east-west traffic inspection and micro-segmentation policies. Your firewall protects the front door. We test the windows, the basement and the hallway.

Rule Base Effectiveness

We generate traffic designed to test specific rule categories: application control, URL filtering, file blocking, data loss prevention and threat prevention. Each test maps to a specific rule or profile in your configuration, so you know exactly which rules work and which do not.

Evasion Techniques

We test whether your Palo Alto detects traffic that uses evasion techniques: encrypted channels, protocol tunneling, domain fronting, DNS exfiltration and fragmented payloads. These are the techniques real attackers use to bypass next-generation firewalls.

Frequently Asked Questions

Palo Alto Validation FAQs

Can you test our Palo Alto firewall without causing downtime?

Yes. We test your firewall by simulating attack traffic against it, not by modifying or disabling it. Your Palo Alto configuration remains untouched throughout the engagement. ShadowTap operates as a device on your network, generating traffic that your firewall should detect and block. Standard validation costs $5,000 CAD.

What Palo Alto misconfigurations do you typically find?

The most common findings include overly permissive App-ID rules, SSL decryption not fully deployed, zone protection profiles with default settings, GlobalProtect VPN split tunneling that bypasses inspection and Threat Prevention signatures running in alert-only mode. Most organizations have at least three of these issues.

Do you need access to Panorama or the firewall management interface?

For the Standard assessment, no. We test from the attacker's perspective using ShadowTap. For the Comprehensive assessment, read-only access to Panorama allows us to cross-reference our findings against your rule base and provide more specific remediation guidance. We never modify your configuration.

How is this different from a Palo Alto Best Practice Assessment?

A Best Practice Assessment checks your configuration against vendor recommendations. Our validation tests whether your configuration actually stops attacks. A configuration can follow best practices and still fail to detect lateral movement or encrypted exfiltration. We test with real attack techniques, not compliance checklists.

Validate Your Investment

10,000 rules. Time to find out how many actually work.

Standard Palo Alto Validation: $5,000 CAD. Comprehensive Validation with ShadowTap internal testing, lateral movement simulation and executive report: $12,000 CAD.

Purchase Validation

Ready to Test Your Palo Alto?

Tell us about your Palo Alto deployment and we will scope a validation assessment. Free scoping call, fixed-price quote, testing typically completed within 5-10 business days.

Phone: 604.229.1994
Burnaby Office: Burnaby, BC, Canada
Coquitlam Office: Coquitlam, BC, Canada