Your firewall is one of the most critical protection mechanisms for your network, so choosing the right firewall is an important step in establishing a secure network and maintaining PCI DSS compliance. The PCI Council does not maintain a list of approved firewall brands or models. However, The PCI DSS does have specific requirements that your firewall must support. If you are preparing to purchase a firewall to protect the perimeter of your cardholder data environment, keep the following feature requirements in mind:

Stateful Packet Inspection
For compliance with requirement 1.3.5 of the PCI DSS, a firewall must support stateful packet inspection (SPI). Stateful packet inspection allows “established” connections to communicate back into your cardholder data environment (CDE), and blocks unsolicited traffic. SPI works like a phone that only allows outbound calls. You can call other people, but they can’t call you. The only way they can talk to you is if you call them first. SPI protects your network from prying eyes and uninvited traffic. Don’t use a firewall to protect your CDE unless you can confirm that it supports SPI.

Firewall Zones
If you have any services that require outside access such as an Email server, VPN server, or web server then these servers must be placed in a demilitarized zone (DMZ) for compliance with requirement 1.3.1. In addition, all devices that store cardholder data must be located in an internal network zone segregated from the DMZ and other untrusted networks (Requirement 1.3.6). Firewalls that can segregate and protect multiple inside networks using a customizable access control list give you the best flexibility to meet these requirements.

Logs from your firewall need to be sent to a centralized, internal log server or media device (Requirement 10.5.4). The easiest way to meet this requirement is to use a firewall that can send logs to a syslog server for aggregation and analysis.

Intrusion Prevention/Intrusion Detection
Keep in mind that your CDE must also be protected with intrusion-prevention systems (IPS) or intrusion-detection systems (IDS) (PCI DSS Requirement 11.4). It is not required that the IPS/IDS be integrated in your firewall, but it can be, and many business-grade firewalls include it. Firewalls that include IPS or IDS protection can be used to meet this requirement in a simple and cost-effective way. If your IPS/IDS is not integrated into your firewall, make sure that you are able to mirror port traffic on your network switch so that your IDS can monitor traffic into and out of your CDE.