Best practice for securing internet facing DMVPN/SSL VPN hub?

Any best practices for securing a CSR1000v that acts as a DMVPN hub and the headend for Anyconnect SSL connections? Wondering if its possible to pass these connections through a Palo Alto VM?