US 12,348,513 B2
Providing zero trust network security without modification of network infrastructure
Liron Levin, Kefar Sava (IL); Eran Yanay, Modiin (IL); and Dima Stopel, Herzliya (IL)
Assigned to Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed by Palo Alto Networks, Inc., Santa Clara, CA (US)
Filed on Mar. 8, 2024, as Appl. No. 18/600,176.
Application 18/600,176 is a division of application No. 16/939,589, filed on Jul. 27, 2020, granted, now 11,962,584.
Prior Publication US 2024/0214377 A1, Jun. 27, 2024
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/0869 (2013.01) [H04L 63/0263 (2013.01); H04L 63/0823 (2013.01); H04L 63/166 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method comprising:
receiving, by a first entity at a first node in a network environment, an entity identifier and a host certificate from a second entity installed on a second node in the network environment, wherein the first entity was issued an intermediate certificate;
determining if the host certificate is valid based on at least one of a firewall policy enforced at the first node and the intermediate certificate, wherein determining if the host certificate is valid comprises determining if the host certificate is a non-expired certificate issued by a same issuing authority as the intermediate certificate and comprises a valid signature of a cloud provider;
determining if the entity identifier is valid based on a known network infrastructure of the network environment, wherein determining if the entity identifier is valid comprises determining whether the second entity is indicated in the known network infrastructure; and
based on determining that at least one of the host certificate and the entity identifier is not valid, blocking communications with the second entity.
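The two determinations recited in claim 1 (a host certificate that is unexpired, issued by the same authority as the first entity's intermediate and signed by the cloud provider, and an entity identifier present in the known network infrastructure) as an added worked example in Go. This is not code from the patent or from any Palo Alto Networks product. It assumes the first entity holds the cloud provider's CA certificate so it can verify the host certificate's signature, models the known network infrastructure as a set of entity identifier strings, and builds a constructed PKI (provider CA, intermediate, provider-issued host certificate, a host certificate from an unrelated CA, and an expired one) with the standard library; the claim's alternative branch of validating against a firewall policy is not modeled, and all function, file and entity names are the example's own.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entity identifiers the first node knows from its network infrastructure (constructed sample data).
var knownInfrastructure = map[string]bool{
	"node-b/web-frontend": true,
	"node-c/api-gateway":  true,
}

// Decide applies the claim's checks to what the second entity presented and returns nil only
// when communication may proceed: the host certificate must be within its validity period, name
// the same issuing authority as the first entity's intermediate, verify under the cloud provider's
// CA key (assumed to be held by the first entity), and the identifier must be in the known infrastructure.
func Decide(id string, host, intermediate, providerCA *x509.Certificate, now time.Time) error {
	if now.Before(host.NotBefore) || now.After(host.NotAfter) {
		return fmt.Errorf("host certificate expired or not yet valid")
	}
	if !bytes.Equal(host.RawIssuer, intermediate.RawIssuer) {
		return fmt.Errorf("host certificate not issued by the intermediate's issuing authority")
	}
	if err := host.CheckSignatureFrom(providerCA); err != nil {
		return fmt.Errorf("host certificate signature not from cloud provider: %w", err)
	}
	if !knownInfrastructure[id] {
		return fmt.Errorf("entity %q not in known network infrastructure", id)
	}
	return nil
}

// SamplePKI is a constructed fixture: one provider CA issues the first entity's intermediate and the
// second node's host certificate; RogueHost comes from an unrelated CA, ExpiredHost is past NotAfter.
type SamplePKI struct {
	ProviderCA, Intermediate, Host, RogueHost, ExpiredHost *x509.Certificate
}

func template(name string, serial int64, ca bool, notAfter time.Time) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-2 * time.Hour),
		NotAfter:     notAfter,
	}
	if ca { // CheckSignatureFrom requires a CA parent carrying the certSign key usage
		t.IsCA, t.BasicConstraintsValid = true, true
		t.KeyUsage = x509.KeyUsageCertSign
	}
	return t
}

// mustIssue generates a P-256 key for tmpl and has signer sign it on behalf of parent; a nil signer
// means self-signed. This is fixture code, so any failure is a bug in the fixture and panics.
func mustIssue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if signer == nil {
		signer, parent = key, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c, key
}

func BuildSamplePKI() *SamplePKI {
	day := time.Now().Add(24 * time.Hour)
	ca, caKey := mustIssue(template("cloud-provider-ca", 1, true, day), nil, nil)
	rogueCA, rogueKey := mustIssue(template("rogue-ca", 2, true, day), nil, nil)
	inter, _ := mustIssue(template("first-entity-intermediate", 3, true, day), ca, caKey)
	host, _ := mustIssue(template("node-b", 4, false, day), ca, caKey)
	rogue, _ := mustIssue(template("node-b", 5, false, day), rogueCA, rogueKey)
	expired, _ := mustIssue(template("node-b", 6, false, time.Now().Add(-time.Hour)), ca, caKey)
	return &SamplePKI{ProviderCA: ca, Intermediate: inter, Host: host, RogueHost: rogue, ExpiredHost: expired}
}

func main() {
	pki := BuildSamplePKI()
	fmt.Println("provider-issued host:", Decide("node-b/web-frontend", pki.Host, pki.Intermediate, pki.ProviderCA, time.Now()))
	fmt.Println("rogue-CA host:       ", Decide("node-b/web-frontend", pki.RogueHost, pki.Intermediate, pki.ProviderCA, time.Now()))
	fmt.Println("expired host:        ", Decide("node-b/web-frontend", pki.ExpiredHost, pki.Intermediate, pki.ProviderCA, time.Now()))
	fmt.Println("unknown identifier:  ", Decide("node-z/unknown", pki.Host, pki.Intermediate, pki.ProviderCA, time.Now()))
}
```

The first call prints nil (allowed) and the other three print the reason the connection is blocked. Comparing RawIssuer byte-for-byte, rather than the printed distinguished name, avoids treating two differently encoded names as the same authority, and the signature check is done against the provider CA's key rather than the intermediate's, matching the claim's wording that the host certificate carries the cloud provider's signature.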