Citrix is announcing Tuesday that its NetScaler SDX platform can host Palo Alto Networks‘ VM-Series virtualized firewalls and security appliances.

It’s the continuation of the companies’ partnership. Last year, they announced that their hardware platforms could work together — but that essentially meant putting a Citrix box next to a Palo Alto Networks box.

OK, there was more to it than that, but Tuesday’s announcement gets more involved. It means the SDX — whose job is normally to host virtual instances of Citrix’s application delivery controllers (ADCs) — can also spin up Palo Alto’s next-generation firewalls in virtual form. The Palo Alto instances run in their own virtual machines running Palo Alto’s PAN-OS.

The result can be firewalls and load balancing applied per tenant or even per user. An enterprise running IT-as-a-service, for instance, could accommodate the different needs of different departments. “You want to have the ability to customize the ADC and the firewalling for different groups,” says Danelle Au, Palo Alto director of marketing.

Palo Alto describes its products as “next-generation” firewalls, and they do live up the name, says Graham Melville, a Citrix director of product marketing. That’s why Citrix wants to have this partnership rather than just using its own firewalls. Palo Alto brings in some more fine-grained capabilities that can target the varying security requirements of an enterprise cloud deployment.

“Even within a specific application, it’s about what they can do within that application,” says Graham Melville, a Citrix director of product marketing. “Some of it might just be policies — you might want to have some people look at Facebook and other people not at all.”