Falco Configuration Monitoring

In-depth Palo Alto Networks configuration audits coupled with quick access to subject matter experts.

Request A Demo
A screenshot of a sample Falco report showing a firewall with 80% of checks passing

Improve the Hygiene of Your Security Rulebase

An illustration of a highly connected technical diagram
An illustration of a highly connected technical diagram

Identify Misconfigurations and Vulnerabilities Before Attackers Do

Secure Workflows Throughout Your Organization

An illustration of a highly connected technical diagram

Choose The Tier That's Right For Your Org

Our introductory tier available for free to all current CITE members.


  • Automated PAN Config Audits
  • Panorama Support
  • PAN-OS Vulnerability Scanning
All the reporting features, plus a support entitlement to fix any discovered issues.

Everything in the Lite tier plus:

  • Email Notifications for Config Regressions
  • Per-VSYS Reporting
  • 2 Tickets/Month Entitlement*
  • Hourly Config Backups
  • Scheduled Report Setup
A custom solution tailored to fit your needs. Our white-glove service.

Everything in the Standard tier plus:

  • Access to 160+ pre-built lists using our EDL Service
  • SSL Decryption Setup
  • Customized Digital Scepter involvement with your team
Explore plans in more detail
Lite Standard Enterprise
Automated PAN Configuration Audits
Panorama Support
Emailed Configuration Reports Monthly Weekly Weekly
Config Scan Interval Weekly Hourly Hourly
PAN-OS Version Upgrade Review
PAN-OS Vulnerability Scanning
Email Notifications for Config Regressions
Per-VSYS Reports
2 Tickets/Month Entitlement *
Hourly Config Backups †
Scheduled Report Setup
Access to 160+ pre-built lists using our EDL Service
Critical System Log Monitoring
SSL Decryption Setup ‡
Customized Digital Scepter involvement with your firewall management team

* Open up to two tickets per month with Digital Scepter's support engineers (see terms and conditions), can be used for remote threat support, PAN-OS upgrades, configuration assistance or support questions, User-ID environment reviews, change reviews and more. Tickets are limited to four hours per ticket.

† We retain the latest 100 configuration versions for each device

‡ See service description in Falco Service Agreement

Response Times
Ticket Urgency Lite Standard Enterprise
Critical N/A < 8 hours < 8 hours
High N/A < 2 days < 2 days
Normal N/A < 4 days < 4 days
Case Severity Levels
Critical Product is down and critically affects your production environment
High There is something broken, but production systems are not impacted to the extent of a critical issue
Normal Everything else

Why Choose Falco?

Over a decade of experience

Digital Scepter has extensive experience installing, configuring and managing Palo Alto Networks next generation firewalls (Strata). Falco applies this expertise to monitor your firewall configurations and report on the security posture of your entire firewall fleet. You’ll receive regular easy-to-read reports which give you important information at a glance, along with a result history chart to show how your configurations are improving. It’s easy to make a plan of attack to improve your firewall security posture with the built in remediation recommendations. Upgrade to Falco or Falco Plus to access the world renowned Digital Scepter support service and use your monthly ticket quota to work on improving your firewall or for assistance with maintenance issues.

You already have the best firewall, now take advantage of it

Even the best technology is worthless if it isn’t configured right. Maintaining a secure firewall configuration is a continuous process of review and revision in order to meet your unique security and availability needs. Falco's detailed reports allow you to maximize the value of the hardware and licenses you've already purchased.


Firewall Configuration Audit Reports

Traditionally, performing a detailed health check is a manual process that doesn’t scale past a few devices. Falco can scan you entire configuration in under a second and immediately highlight the most important issues that need addressing.

The service continuously monitors your firewall configuration via the built-in API and sends you detailed reports on a regular basis. The report structure mirrors the UI layout on the firewalls to aid reviewers with remediation efforts.

Configuration Regression Alerting

When a check that was previously passing fails the Falco service can optionally send you a regression notification email. In the email, you’ll find details of exactly what changed along with a full report at the time of the regression. Often times misconfigurations can go undetected for a long time until they cause trouble. With regression emails enabled you'll be alerted if the configuration change you just made introduced a potential issue.

Panorama Support

In addition to connecting directly to firewalls, Falco can connect to Panoramas and scan all connected devices. As firewalls are added and removed from Panorama, they will be automatically added and removed from your reports. Falco also has a series of Panorama-specific checks to make sure your Panorama is configured correctly.

Multi-VSYS Support

If you are providing firewalls as a service, Falco can optionally treat all VSYS on a firewall as separate devices. This allows you to send a report to the operators of each VSYS that only contains information relevant to them. Each report will contain only the checks that are relevant to that VSYS. Configuration regression notifications are also per-VSYS capable.

First Class Support

Falco comes by default with up to two tickets per month. These can be used to have more immediate access to experts that can fix your firewall problems quickly to minimize unplanned outages. They can also be used for configuration changes, planning, OS upgrades and more. The service agreement has complete details on the ticket entitlements.

PAN-OS Vulnerability Scanning

One of the most critical maintenance tasks is patching infrastructure to stay ahead of the latest known vulnerabilities, and firewalls are no different. Palo Alto publishes a list of all known vulnerabilities for the PAN-OS platform but determining which affect your firewalls is left up to you.

With Falco, outstanding vulnerabilities are just another check. When a vulnerability that affects one of your devices is published you’ll get a regression email from the Falco service with all the details. You’ll never have to manually cross-reference your firewall versions with the vulnerability database ever again.

Hourly Configuration Backups

Every time there is a change to the configuration on a firewall or Panorama a new config version is created and saved. Every hour Falco will download all the configuration versions it can, keeping the latest one hundred revisions. In the event of a hardware failure you can quickly restore a replacement device or an on-site-spare with the config backups we keep.

These backups are optional, and can be disabled if you'd prefer to handle this yourself.

Managed EDL Service

External Dynamic Lists, or EDLs, or a powerful tool in your Palo Alto Networks firewall that allow you to use a list hosted on an external server as an object in your rulebase. Our EDL service tracks many of the most popular cloud services and allows you to easily block or allow these in your rulebase. Gone are the days of manually maintaining address groups with hundreds or thousands of networks that frequently change.

SSL Decryption Setup

Decryption is the bread and butter of the Palo Alto Networks platform. Without it traffic visibility is severely limited which in turn means that you can't get the most out of your investment. Falco Plus customers can take advantage of our vast experience getting SSL Decryption running. We have a tried-and-true SSL Decryption project plan that can be customized for your organization.

Customized Involvement

Falco Plus customers can customize a firewall management schedule to deploy regular skilled engineer time on your firewall. Whether you want a once a monthly review meeting or a weekly work session we can make it happen.