All scripts
compliance
Expert
5–15 min

PCI-DSS Network Segmentation Verifier

Verify CDE isolation: ACL/firewall rules blocking CDE↔non-CDE, segmentation testing, wireless isolation, split-DNS check and log forwarding — mapped to PCI DSS 4.0 requirements.

Cisco
Palo Alto
Fortinet
Open in GeneratorOpen in Platform
You're viewing a preview

The full script, parameters, and execution console are available with a free account.

Already have access? Sign in →

Capabilities

  • CDE↔non-CDE rule verification
  • Active segmentation test (probe)
  • Wireless isolation check
  • Split-DNS verification
  • Log forwarding to SIEM
  • PCI DSS 4.0 requirement map
  • Scored report

Required inputs

Parameters the script accepts. Defaults shown; some are vendor- or context-gated.

ParameterTypeDefaultNotes
CDE subnets (comma)
cde_subnets
string10.50.0.0/16
Run live segmentation probe
probe
boolfalse
Required SIEM host
siem_host
stringsiem.corp.local

Hint 1Name your vendors and OS versions

Mention the exact platforms you run (Cisco, Palo Alto, Fortinet) so the generated compliance logic uses the right CLI/NETCONF syntax.

Hint 2State your real thresholds

Provide concrete values for CDE subnets (comma), Run live segmentation probe, Required SIEM host instead of the defaults — they shape what counts as a fault.

Hint 3Prioritize the checks you need

This tool can cDE↔non-CDE rule verification and active segmentation test (probe). Ask for the subset relevant to your incident to keep output focused.

Hint 4Describe your inventory format

Tell the assistant whether your device list is CSV, YAML, or JSON and which columns it has, so parsing matches your data.

Sample inventory schema

Authoritative shape of the device/policy data this script consumes.

No bundled inventory sample. The script accepts standard device lists (CSV/YAML) with hostname, mgmt IP, vendor, and credentials.

Expected output

Reference terminal output the script should produce — used as a stylistic and structural target.

terminal
[2026-06-12] INFO  PCI DSS 4.0 segmentation verification (CDE 10.50.0.0/16)...
REQ        CHECK                          RESULT
1.3.1      CDE inbound restricted          PASS
1.3.2      CDE outbound restricted         FAIL (10.50→10.0 any allowed) ←
1.4        Wireless isolated from CDE       PASS
10.5.4     Logs forwarded to SIEM           PASS
Summary: 11 pass · 1 fail · CDE NOT fully isolated