Palo Alto Networks Features
Visibility into Applications, Users, and Content.
Port numbers, protocols, and IP addresses are useful for network devices, but they tell you nothing about what is on your network. Detailed information about the applications, users, and content traversing your network empowers you to quickly determine any risks they pose and respond promptly. Leveraging the rich context provided by Palo Alto Networks firewalls, our visualisation, analysis, and reporting tools let you quickly learn more about activity on your network and analyse incidents from a current or comparative perspective.
Visibility into your applications, web traffic, threats, and data patterns.
Our Application Command Center (ACC) is an interactive, graphical summary of the applications, users, URLs, threats, and content traversing your network. It allows you to keep your finger on the pulse of what is going on. ACC provides a 10,000-foot view of what’s happening on your network, and with just a few clicks you can get a highly detailed view to learn more, including links to the specific policy that allowed a certain behaviour so you can tune it as needed.
Knowledge is power. Learning more about new or unfamiliar applications or threats that are displayed in ACC takes just a single click, which shows you:
- A description of the application or threat.
- An application’s key features and behavioral characteristics.
- Details on the users using an application.
- Details on those affected by a threat.
Additional data on traffic source and destination, security rules and zones provides a wider view of the application’s usage patterns, which helps you make a more informed decision on how to treat that traffic.
Visibility based on users and groups – not IP addresses.
Integration with a wide range of directory services allows our system to display detailed user information (along with their IP address), complementing the application and threat information you receive. You can add additional filters to learn more about application usage for individual users, along with the threats detected within your application traffic. In only minutes, ACC arms you with the data you need to make more informed security policy decisions and take action to reduce risk in your enterprise.
Comparative view into traffic and threat patterns.
App-Scope is a dynamic, customisable window into your network’s activity, presenting you with comparative statistics based upon different timeframes, applications, application categories, threat profiles and more. A standard feature in both our device web-interface and Panorama (centralized management), App-Scope reduces the amount of time you have to spend investigating unusual behaviour.
Detailed analysis of all your traffic and device activities.
Our log viewer provides a fine-grained view into your network activity. It summarises all traffic traversing the network – including apps, user information, and threats. The log viewer supports context and expression-based filtering, allowing you to quickly and easily monitor, analyse, and investigate security incidents. The log viewer leverages our firewalls’ integration with user repositories, complementing application and threat views with user and group visibility. Logs can be sent automatically to your syslog server, while individual filter results are exportable to a CSV file for offline archival or further analysis.
Customised reporting for all traffic and device activities.
Using either your firewall’s individual device management interface or Panorama, you will appreciate fingertip access to powerful reporting and logging features that will help you quickly investigate and analyse security incidents, application usage and user behaviour. More than 50 predefined, customisable reports – incorporating elements you choose from other reports – are available. You can automate reports to run on a scheduled basis and have the results emailed or exported to a PDF or Excel spreadsheet.
Users: an integral component for secure application enablement policies.
Traditionally, security policies were applied based on IP addresses, but the increasingly dynamic nature of users and applications means that IP addresses alone have become ineffective as a policy control element for safe application enablement. Our next-generation firewalls integrate with a wide range of enterprise directories and terminal services offerings, allowing you to:
- See who is using the applications on your network
- Set policy based on users
- Perform forensic analysis and generate reports on user activities
Visibility into user’s application activity.
Visibility into the application activity at a user level, not just at an IP address level, allows you to determine patterns of usage along with the associated business and security risks. With just a few clicks, you will gain visibility into the application bandwidth and session consumption, the associated threats, as well as the source and destination of the application traffic. With this knowledge, you can more proactively align application usage with your business unit requirements through safe application enablement policies.
User-based policy control.
Visibility into application usage means that you can quickly analyse the role and risk of applications, and who is using them, then translate that information into user-based safe application enablement policies. User-based policy controls can be assembled based on the application, which category and subcategory it belongs in, its underlying technology, or the application characteristics. Examples of user-based policies might include:
- Enable only the IT department to use tools such as SSH, telnet, and FTP on the standard port
- Allow the Help Desk Services group to use Yahoo Messenger
- Block the use of Facebook-apps for all users, allow Facebook for all users, but allow only marketing to use Facebook-posting
User-based Analysis, Reporting and Forensics.
User information is pervasive throughout our firewall feature set – and that includes fine-grained forensic analysis and reporting. You can easily create log filters by clicking on a cell value, which can then be expanded with additional criteria using the expression builder. Informative reports on user activities can be generated using any one of the many pre-defined reports, by creating a custom report from scratch, or by modifying a pre-defined report. Any of the reports – pre-defined or custom – can be exported to CSV, PDF or XML, or emailed on a scheduled basis.
Integration with any user repository.
Our firewalls can integrate with an extensive list of user repositories and terminal services offerings that are complemented by an XML API and an explicit challenge response mechanism. Integration points include:
- Directory services: Microsoft Active Directory, Microsoft Exchange, OpenLDAP, and eDirectory
- Terminal services: Citrix XenApp and Microsoft Terminal Services
- XML API: Using the API, you can extract user data from nearly any non-standard repository including proxies, wireless controllers and network access control (NAC) appliances.
WildFire: Protection from targeted and unknown threats.
Modern attackers are increasingly using targeted and new unknown variants of malware to sneak past traditional security solutions. To address this, Palo Alto Networks developed WildFire, which identifies new malware in minutes. By executing suspect files in a virtual environment and observing their behaviour, Palo Alto Networks identifies malware quickly and accurately, even if the malware sample has never been seen before.
Once a file is deemed malicious, WildFire automatically generates protections that are delivered to all WildFire subscribers within an hour of detection. A WildFire license provides your IT team with a wealth of forensics to see exactly who was targeted, the application used in the delivery, and any URLs that were part of the attack.
Sandbox analysis of unknown threats.
A growing number of network attacks are driven by sophisticated malware designed to avoid traditional antivirus controls. WildFire extends the capabilities of our next-generation firewalls to identify and block targeted and unknown malware by actively analysing it in a safe, cloud-based virtual environment. We directly observe the malware’s behaviour, then WildFire automatically generates and distributes protections globally for the newly discovered malware.
DNS-based botnet signatures.
Malware networks are always in flux as bot-masters use new URLs to obscure the true destination of their command-and-control infrastructure. To counter this challenge, Palo Alto Networks passively analyses DNS queries to identify and block command-and-control messages from botnet-infected hosts on your network.
Behavioural botnet report.
Our behavioural botnet report correlates traffic anomalies and end-user behaviours to identify devices on your network that are likely to be infected by a botnet. The logic supporting the report tracks unknown or anomalous TCP and UDP traffic, as well as a variety of potentially suspicious behaviours such as repeated download patterns, the use of dynamic DNS, and browsing anomalies. These factors are correlated to create a report that provides you with a list of users that are likely infected, and the behaviours that led to the diagnosis.
Enterprise-class IPS
Today’s attacks on your network use a combination of application vectors and exploits. Palo Alto Networks next-generation firewalls arm you with a two-pronged approach to stopping these attacks. Unwanted applications are blocked through App-ID, and the applications you choose to allow through are scanned for vulnerability exploits by our NSS-approved IPS engine.
Enable full IPS protection while maintaining performance.
We deliver predictable IPS performance to you through hardware acceleration, a uniform signature format and a single pass software architecture. Dedicated processing and memory for content inspection, as well as networking, security and management, provides the hardware acceleration necessary for predictable IPS performance.
- Dedicated processing means that key functions do not compete for processing cycles with your other security functions, which happens in a single CPU or ASIC/CPU hardware architecture.
- A uniform signature format eliminates redundant processes common to multiple scanning engine solutions (TCP reassembly, policy lookup, inspection, etc.).
- Single pass software means that your traffic is touched only once, no matter how many policy elements are in use.
Blocks a wide range of known and unknown vulnerability exploits.
Our rich set of intrusion prevention features blocks known and unknown network and application-layer vulnerability exploits from compromising and damaging your enterprise information resources. Vulnerability exploits, buffer overflows, and port scans are detected using proven threat detection and prevention (IPS) mechanisms, including:
- Protocol decoder-based analysis statefully decodes the protocol and then intelligently applies signatures to detect vulnerability exploits.
- Protocol anomaly-based protection detects non-RFC-compliant protocol usage such as an overlong URI or an overlong FTP login.
- Stateful pattern matching detects attacks across more than one packet, taking into account elements such as the arrival order and sequence.
- Statistical anomaly detection prevents rate-based DoS flooding attacks.
- Heuristic-based analysis detects anomalous packet and traffic patterns such as port scans and host sweeps.
- Other attack protection capabilities, such as blocking invalid or malformed packets, IP defragmentation and TCP reassembly, protect you against evasion and obfuscation methods used by attackers.
- Custom vulnerability or spyware phone home signatures that can be used in either anti-spyware or vulnerability protection profiles.
DoS/DDoS attack protection.
Palo Alto Networks next-generation firewalls protect you from denial of service (DoS) attacks using a policy-based approach that ensures accurate detection. You can deploy DoS protection policies based on a combination of elements including type of attack, or by volume (both aggregate and classified), with response options including allow, alert, activate, maximum threshold and drop. Specific types of DoS attacks covered include:
- Flood protection—Protects you against SYN, ICMP, UDP, and other IP-based flooding attacks.
- Reconnaissance detection—Allows you to detect and block commonly used port scans and IP address sweeps that attackers run to find potential targets.
- Packet-based attack protection—Protects you from large ICMP packets and ICMP fragment attacks.
Market leading threat discovery and research.
Our intrusion prevention engine is supported by a team of seasoned signature developers. Our team is highly active in the threat prevention community, performing ongoing research and working closely with software vendors – both informally and formally – through programs such as the Microsoft Active Protections Program (MAPP). As a member of MAPP, we have priority access to Microsoft’s monthly and out-of-band security update releases.
By receiving vulnerability information early, Palo Alto Networks can develop and deliver signatures to you in a synchronised manner to ensure that you are fully protected. Signature updates are delivered on a weekly schedule or emergency basis. To date, our team has been credited with the discovery of numerous critical and high severity vulnerabilities in both Microsoft and Adobe applications.
Data filtering & file blocking
The application function level control, file blocking by type, and data filtering features of our next-generation firewalls allow you to implement a range of policies that help balance permitting the use of personal or non-work related applications, with the business and security risks of unauthorised file and data transfer.
Enabling applications while blocking unapproved or dangerous files by type.
Our next-generation firewalls give you the ability to control the flow of a wide range of file types by looking deep within the payload to identify the file type (as opposed to looking only at the file extension), to determine if a file transfer is allowed by your policy. You can implement file blocking by type on a per-application basis. This enables you to do things like approve a specific webmail application such as Gmail, allow attachments, but block the transfer of specific file types.
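The following is an added illustration of the idea in the paragraph above, not Palo Alto Networks' code: the file type is taken from the leading bytes of the payload (the published "magic numbers" for a few common formats), the declared filename is ignored for the decision, and a hypothetical per-application table says which payload types are blocked for which application. The application names and the BLOCK_BY_TYPE policy are constructed for the example.

```python
# Added example: identify a file's type from its payload (magic bytes) rather
# than from its extension, then apply a per-application block-by-type policy.
# Illustrative code only; the policy table and app names are hypothetical.
from dataclasses import dataclass

# Leading byte sequences for a few common file types. These are the real,
# published signatures; the list is deliberately short.
MAGIC = {
    b"MZ": "pe-executable",            # Windows PE (EXE/DLL)
    b"\x7fELF": "elf-executable",      # Linux ELF binary
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",              # also the container for docx/xlsx/jar
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
}


def identify_file_type(payload: bytes) -> str:
    """Return a type label from the first bytes of the payload, never from the name."""
    for magic, label in MAGIC.items():
        if payload.startswith(magic):
            return label
    return "unknown"


# Hypothetical per-application policy: payload types blocked for each application.
BLOCK_BY_TYPE = {
    "gmail": {"pe-executable", "elf-executable"},
    "dropbox": {"pe-executable", "elf-executable", "zip"},
}


@dataclass
class Verdict:
    action: str    # "allow" or "block"
    detected: str  # type identified from the payload
    reason: str


def evaluate_transfer(app: str, filename: str, payload: bytes) -> Verdict:
    """Decide on a file transfer using the payload-derived type, not the extension."""
    detected = identify_file_type(payload)
    blocked = BLOCK_BY_TYPE.get(app, set())
    if detected in blocked:
        return Verdict("block", detected,
                       f"{detected} is not permitted over {app} (declared name was {filename!r})")
    return Verdict("allow", detected, f"{detected} is permitted over {app}")


if __name__ == "__main__":
    # Constructed sample: a PE header renamed to look like a PDF attachment.
    renamed_exe = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 56
    print(evaluate_transfer("gmail", "invoice.pdf", renamed_exe))
    print(evaluate_transfer("gmail", "report.pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"))
```

The renamed executable is blocked over the webmail application even though its declared name ends in .pdf, while a genuine PDF is allowed; the same zip payload is blocked over one application and allowed over another. Note that this outer-container check does not see an executable packed inside an archive; that needs the archive to be decompressed and its members inspected, which is the separate "compressed files" capability the page describes under malware protection.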
Enabling or denying the use of file transfer functions.
Function level control over file transfer represents another policy option that helps you balance application use with policy control. You can establish policies to allow IM or webmail application usage, but deny a related file transfer function.
Prevent data loss with pattern-based content identification.
Rounding out our filtering features is the ability to identify and control the transfer of sensitive data patterns such as credit card numbers, social security numbers or custom data patterns in application content or attachments.
Mobile devices are a part of nearly every modern network. As a result, security teams need to deliver protection and policy enforcement to a myriad of new devices and applications. The Palo Alto Networks next-generation firewall extends comprehensive application visibility and control and vulnerability protection to mobile devices.
GlobalProtect enables organisations to deliver consistent security everywhere by extending the protection of the next-generation firewall to users wherever they go. It automatically establishes a VPN connection to the network, providing both convenience and security to laptop, smartphone and tablet users.
Mobile Application Policy Enforcement.
App-ID includes coverage of a broad range of mobile applications, allowing your firewall administrators to set granular policies on the types of applications permitted for use in mobile environments.
With GlobalProtect, you can create policies based on device type with the next-generation firewall. For example, provide laptops with access to a corporate application, while limiting access from a tablet.
Mobile Platform Threat Prevention.
The threat prevention capabilities of the next-generation firewall provide you with comprehensive protection against dangers to mobile platforms. By providing protection at the firewall, you can make mobile devices safe to use by removing threats before they reach the device. Vulnerability protection guards iOS and Android devices against a number of risks: it blocks mobile malware, access to unauthorised app stores, and operating system and application exploits.
Control Web Activity with URL Filtering.
The perfect complement to the policy-based application control provided by App-ID is our on-box URL filtering database, which gives you total control over related web activity. By addressing your lack of visibility and control from both an application and web perspective, App-ID and URL Filtering together protect you from a full spectrum of legal, regulatory, productivity, and resource utilisation risks.
On-box URL database maximises performance and flexibility.
URL filtering is enabled through local lookups, as well as querying our master database in the cloud. Local lookups ensure maximum inline performance and minimal latency for the most frequently accessed URLs, while cloud lookups provide coverage for the latest sites. Our combination of application control and URL filtering allows you to implement flexible policies to control employee and network activity.
- Control web browsing based on category or through customised white or blacklists.
- Specify your group-based web browsing policies with user repository integration provided by User-ID.
- Apply SSL decryption policies that leave encrypted access intact for specific categories of web sites, such as health, finance, and shopping, while decrypting traffic to all other sites such as blogs, forums, and entertainment sites.
- Enable bandwidth control for designated categories by creating QoS policies for specified URL categories.
Customisable URL database and categories.
To account for your unique traffic patterns, on-device caches store the most recently accessed URLs. Devices can also automatically query a master database in the cloud for URL category information when a URL is not found on-device. Lookup results are automatically inserted into the cache for future activity. You can also create custom URL categories.
Customisable end-user notifications.
There are multiple ways to inform your end users that they are trying to visit a web page that does not adhere to your corporate policy:
- Customisable block page: A page informing a user that they are violating policy can include your corporate logo, references to the username, IP address, the URL attempting to be accessed, and the category of the URL.
- URL filtering block and continue: Users accessing a page that potentially violates your URL filtering policy see a block page with a “Warning and Continue” button.
- URL filtering override: Requires a user to correctly enter a password in order to bypass the block page and continue surfing.
Flexible, policy-based control over web usage.
To complement the application visibility and control enabled by our App-ID, you can use URL categories as a match criterion for your policies. Instead of creating policies limited to ‘allow all’ or ‘block all’ behaviour, using URL category as a match criterion permits exception-based behaviour. This increases your flexibility and gives you more granular policy enforcement capabilities. Examples of how URL categories can be used in your policy include:
- Identify and allow exceptions to your general security policies for users who may belong to multiple groups within Active Directory (e.g., deny access to malware and hacking sites for all users, yet allow access to users that belong to the security group).
- Allow access to streaming media category, but apply QoS to control your bandwidth consumption.
- Prevent file download/upload for URL categories that represent higher risk (e.g., allow access to unknown sites, but prevent upload/download of executable files from unknown sites to limit malware propagation).
- Apply SSL decryption policies that allow encrypted access to finance and shopping categories, but decrypt and inspect traffic to all other categories.
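The four examples above all rely on the same mechanism: an ordered rulebase, evaluated first-match, in which URL category and user group are match criteria, so a narrow exception can be placed ahead of a general rule. The code below is an added illustration of that mechanism and is not PAN-OS policy syntax or Palo Alto Networks code; the rule names, group names, profile labels and the category strings are constructed for the example.

```python
# Added example: an ordered, first-match security rulebase using URL category and
# user group as match criteria, so exceptions can sit ahead of general rules.
# Illustrative code only; rule, group and profile names are hypothetical.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset       # directory groups the user belongs to
    url_category: str       # category returned by URL filtering for the request


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                          # "allow" or "deny"
    categories: frozenset = frozenset()  # empty means "any category"
    groups: frozenset = frozenset()      # empty means "any user"
    profiles: frozenset = frozenset()    # what is applied to allowed traffic


def rule_matches(rule: Rule, req: Request) -> bool:
    """A rule matches when every non-empty criterion is satisfied."""
    if rule.categories and req.url_category not in rule.categories:
        return False
    if rule.groups and not (rule.groups & req.groups):
        return False
    return True


DEFAULT_DENY = Rule("default-deny", "deny")


def evaluate(rulebase, req: Request) -> Rule:
    """First matching rule wins, as in an ordered firewall policy."""
    for rule in rulebase:
        if rule_matches(rule, req):
            return rule
    return DEFAULT_DENY


# Rulebase built from the four examples in the text. Order matters: the
# security-group exception must precede the general deny for the same categories.
RULEBASE = [
    Rule("security-team-research", "allow",
         categories=frozenset({"malware", "hacking"}),
         groups=frozenset({"security"})),
    Rule("block-malware-hacking", "deny",
         categories=frozenset({"malware", "hacking"})),
    Rule("streaming-with-qos", "allow",
         categories=frozenset({"streaming-media"}),
         profiles=frozenset({"qos-low-priority"})),
    Rule("unknown-no-executables", "allow",
         categories=frozenset({"unknown"}),
         profiles=frozenset({"file-blocking:executables"})),
    Rule("sensitive-no-decrypt", "allow",
         categories=frozenset({"finance", "shopping"}),
         profiles=frozenset({"no-decrypt"})),
    Rule("general-web-decrypt", "allow",
         profiles=frozenset({"ssl-decrypt", "antivirus", "vulnerability-protection"})),
]


def decide(req: Request):
    """Return (rule name, action, sorted profiles) for a request."""
    rule = evaluate(RULEBASE, req)
    return rule.name, rule.action, sorted(rule.profiles)


if __name__ == "__main__":
    # Constructed sample requests.
    print(decide(Request("alice", frozenset({"security", "staff"}), "hacking")))
    print(decide(Request("bob", frozenset({"staff"}), "hacking")))
    print(decide(Request("bob", frozenset({"staff"}), "unknown")))
```

A useful check when maintaining such a rulebase is to re-run the evaluation after reordering: swapping the first two rules silently removes the security team's exception, because the general deny then matches first. Tests that pin the expected rule name for each representative request catch that kind of regression.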
Network-based Malware Protection.
The broadening use of social media, messaging and other non-work related applications introduces a variety of vectors for viruses, spyware, worms and other types of malware. Palo Alto Networks next-generation firewalls allow you to block unwanted applications with App-ID, and then scan allowed applications for malware.
Broad-based protection against a range of malware.
Our antivirus engine detects and blocks viruses, spyware phone home, spyware download, botnet, worms and trojans. Additional features, above and beyond protecting your network from a wide range of threats, include:
- Inline, stream-based protection against malware embedded within compressed files and web content
- DNS-based botnet analysis to reveal rapidly evolving malware networks and malicious websites
- Leverages SSL decryption within App-ID to block viruses embedded in SSL traffic
Stream-based scanning dramatically reduces latency.
The Palo Alto Networks antivirus engine uses stream-based scanning to inspect your traffic as soon as the first packets of a file are received. This eliminates the performance and latency issues associated with a traditional proxy- or file-based approach. As with IPS, a uniform signature format is used for virus scanning, which eliminates redundant processes common to multiple scanning engine solutions (TCP reassembly, policy lookup, inspection, etc.), while the single pass software means that your traffic is touched only once, no matter how many policy elements are in use.
Continual malware research and updates.
Signatures for all types of malware are generated directly from millions of live virus samples delivered to Palo Alto Networks by leading third-party research organizations around the world. Our threat team analyses the samples and quickly eliminates duplicates and redundancies. New signatures for new malware variants are then generated (using our uniform signature format) and delivered to you through daily scheduled or emergency updates.
Protect your network from threats propagated by drive-by downloads.
Unsuspecting users can inadvertently download malware merely by visiting their favourite web page and clicking on an image. This increasingly popular malware delivery mechanism is known as ‘drive-by downloads.’ Palo Alto Networks next-generation firewalls control this threat to you by identifying malware downloads and sending a warning to your user to ensure that the download is desired.
Our flexible networking architecture includes dynamic routing, switching, and VPN connectivity, which enables you to easily deploy Palo Alto Networks next-generation firewalls into nearly any networking environment.
Integrate into any architecture with our flexible networking architecture.
- L2/L3 networking: Our firewalls use a L2/L3 architecture that leverages zone-based security enforcement, which enables deployments in switched and routed environments.
- Dynamic routing: Support for OSPF, RIP and BGP combined with full 802.1Q VLAN support is provided for both layer 2 and layer 3 deployments, so all of your services can be enabled while seamlessly integrating with your existing routing or VLAN architecture.
- Virtual Wire: Virtual Wire gives you a true transparent mode by logically binding two ports together, and passing all your traffic to the other port, without any switching or routing. Full inspection and control for all traffic is enabled with zero impact on your surrounding devices, and no networking protocol configuration is required. Multiple Virtual Wire pairs can be configured to support multiple network segments.
Multicast traffic routing participation.
Multicast support includes identification and control of multicast traffic, as well as the ability to participate in multicast routing and group management through PIM-SM, PIM-SSM and IGMP support.
To optimise computing resources, enterprises are moving towards supporting virtualised applications with different risk levels on a single server. In these environments, virtualized firewalls are critical to deliver security for your communications within the virtualised server.
The Palo Alto Networks VM-Series is a virtualised next-generation firewall featuring our PAN-OS™ operating system. The VM-Series identifies, controls and safely enables intra-host traffic and comes with the following unique virtualisation security features.
Dynamic Address Objects to Track Virtual Machines.
Our dynamic address objects feature gives you the ability to tie security policies to virtual machine instantiation and movement. As you instantiate or move virtual machines, your safe application enablement policies can still be enforced without any manual policy changes. Virtual applications are protected from unapproved access, known and unknown threats, and possible data loss. This ensures that your applications are delivered quickly to meet your business demands without impacting regulatory compliance mandates.
Orchestration Software Integration to Automate Security WorkFlows.
Our powerful XML management API enables external cloud orchestration software to connect over an encrypted link to manage and configure our firewalls. This complete, fully-documented REST-based API allows your configuration parameters to be seen, set and modified programmatically to make security part of your data center workload flow.
Threat Protection and Hypervisor Security.
Palo Alto Networks next-generation firewalls protect you from the new threat landscape with a complete, integrated threat protection solution. Content-ID includes IPS, anti-malware, URL filtering and content blocking to control known threats. WildFire provides automated sandbox analysis of suspicious files to reveal unknown and targeted malware, and our Behavioral Botnet Report identifies unique patterns of botnet infections in your network. In addition, the ability to address remotely exploitable hypervisor vulnerabilities is part of our vulnerability protection framework.
Identify & Control Encrypted Traffic.
Take control of your SSL and SSH encrypted traffic and ensure it is not being used to conceal unwanted activity or dangerous content. Using policy-based decryption and inspection, you can confirm that SSL and SSH are being used for business purposes only, instead of to spread threats or unauthorised data transfer.
Identify, control and inspect inbound SSL traffic.
Identify, control and inspect outbound SSL traffic.
Identify and control SSH traffic.
Safely enabling applications, users and content in IPv6 environments.
Our next-generation firewalls allow you to deploy consistent, safe application enablement policies across IPv6, IPv4 and mixed environments.
Consistent user-based policies across IPv6 and IPv4 environments.
If you are implementing an IPv6 infrastructure, you can deploy the same user-based enablement policies that you have in your IPv4 environments. Your IPv6-based applications and content can be classified, monitored, enabled, inspected and logged, just like they are in your IPv4 environments. IPv6 user information is captured from all of the User-ID supported repositories and terminal services, as well as from captive portal and our XML API. In addition, our SSL encrypted User-ID-to-firewall communications protocol supports IPv6.
Flexible deployment options simplify network integration.
Support for virtual wire, layer 2, or layer 3 deployment modes – for both IPv6 and IPv4 environments – gives you flexible network integration options. Additional networking features include:
- Stateless Address Auto-configuration (SLAAC) informs hosts of the IPv6 prefixes needed for address configuration
- NAT64 translates source and destination IP headers between IPv6 and IPv4
- IPv6 over IPsec between IPv4 endpoints
- High availability control, data link and path monitoring
Management and administrative consistency between IPv6 and IPv4.
- Management services we support include: RADIUS, Syslog, DNS, User-ID agents, LDAP, SNMP, SCP, FTP, SSH, URL filtering service, Panorama (device-to-Panorama connectivity), and service route configuration
- Administrative services we support include: admin authentication sources, NTP, Panorama, logging and alerting (syslog, SNMP, email), and PBF next-hop monitoring of IPv6
Standards-based VPN Connectivity.
Secure site-to-site and remote user connectivity is a critical infrastructure component. Every Palo Alto Networks next-generation firewall platform allows you to easily and securely communicate between sites using standards-based IPSec VPN connections. Remote user communications are protected through a rich set of VPN features.
Secure site-to-site connectivity through IPSec VPN.
Consistent Security Everywhere.
- Mac OS X
Secure Application Enablement.
The increased visibility into applications, users and content delivered by Palo Alto Networks simplifies figuring out which applications are traversing your network, who is using them, and the potential security risks. Armed with this data, you can apply secure enablement policies with a range of responses that are more finely tuned than the traditional ‘allow or deny’ approach.
Balancing protection and enablement with fine-grained policy enforcement.
- Allow or deny
- Allow based on schedule, users, or groups
- Apply traffic shaping through QoS
- Allow certain application functions such as file transfer within instant messaging
- Allow, but scan for viruses and other threats
- Decrypt and inspect
- Apply policy-based forwarding
- Any combination of the above
Mixing next-generation policy criteria like applications, application functions, users, groups and regions, with traditional policy criteria such as source, destination and IP address, allows you to deploy the appropriate policy.
Selectively filter applications to quickly create policy control lists.
- Underlying technology
- Behavioural characteristic (file transfer capabilities, known vulnerabilities, ability to evade detection, propensity to consume bandwidth, and malware transmission/propagation)
Additional application details you will receive include a description of the application, the commonly used ports, and a summary of the individual application characteristics. Using the application browser allows you to quickly research an application and immediately translate the results into a security policy.
Stop threats and unauthorised file/data transfer.
The same levels of fine-grained control that you can apply to a specific set of applications can also be extended to threat prevention. Using a very targeted approach, you can apply:
- Antivirus and anti-spyware profiles to allowed webmail applications
- IPS policies to Oracle database traffic
- Data filtering profiles to file transfer within instant messaging
Traffic shaping ensures business applications are not bandwidth starved.
Secure application enablement may entail allowing bandwidth intensive applications such as streaming media. You can strike an appropriate balance by using QoS policies that ensure your business-critical applications are not starved of bandwidth by non-work related applications.
- Guaranteed, maximum and priority bandwidth can be applied across eight traffic queues
- Your policies can be applied to physical interface, IPSec VPN tunnels, applications, users, source, destination and more
- Diffserv marking is supported, enabling application traffic to be controlled by a downstream or upstream networking device
Flexible, policy-based control over web usage.
To complement the application visibility and control enabled by our App-ID, you can use URL categories as a match criterion for your policies. Instead of creating policies limited to either ‘allow all’ or ‘block all’ behaviour, the ability to use URL category as a match criterion permits exception-based behaviour. This increases your flexibility and gives you more granular policy enforcement capabilities. Examples of how URL categories can be used in your policy include:
- Identify and allow exceptions to your general security policies for users who may belong to multiple groups within Active Directory (e.g., deny access to malware and hacking sites for all users, yet allow access to users that belong to the security group)
- Allow access to streaming media category, but apply QoS to control your bandwidth consumption
- Prevent file download/upload for URL categories that represent higher risk (e.g., allow access to unknown sites, but prevent upload/download of executable files from unknown sites to limit malware propagation)
- Apply SSL decryption policies that allow encrypted access to the finance and shopping categories, but decrypt and inspect traffic to all other categories
Systematically identify and control unknown traffic.
Use the application control features built into Palo Alto Networks next-generation firewalls to systematically identify, investigate and manage unknown traffic on your network. You will notice a dramatic reduction in the risks posed to you by unknown traffic.
Redundancy & Resiliency
Palo Alto Networks next-generation firewalls support a series of redundancy and resiliency features that ensure your firewall will continue to provide the secure application enablement you need to keep your business running.
Stateful Active/Active or Active/Passive high availability.
- Active/passive: The active device continuously synchronises its configuration and session information with the identically configured passive device. A heartbeat connection between the two identically configured devices ensures seamless failover if the active device goes down.
- Active/active: Firewalls in an active/active configuration continuously synchronise their configuration and session information. If either device fails, a heartbeat connection signals the other device to take over all of your operations. This ensures session continuity if a device or network fails. To better support asymmetrically routed environments, you can deploy two devices in an HA configuration with either virtual wire interfaces or layer 3 interfaces. App-ID and Content-ID are fully supported in asymmetric environments. Active/active also incorporates flexible layer 3 deployment options supporting load-sharing and interface IP failover.
Built-in resiliency and component redundancy.
The PA-5000 Series supports several levels of hardware component redundancy with dual power supplies and dual, solid-state hard disk drives that are hot swappable. The single fan tray is also hot swappable. The PA-4000 Series also supports hot-swappable dual power supplies.
Device Management Flexibility
Our firewall management philosophy is to make administrative tasks such as report generation, log queries, policy creation, and ACC browsing easy to execute and consistent, no matter which mechanism – web interface, Panorama, CLI or API – you use.
Intuitive and efficient policy management workflow.
The familiar look and feel of our policy editor, combined with drag-and-drop objects and rule tagging, will allow you to establish a policy management workflow that suits your administrative processes.
- The policy browser allows you to quickly create policies that include application, user, and traffic-specific threat prevention (IPS, Antivirus, Anti-spyware, etc.), thereby eliminating the duplicate data entry common in other offerings.
- Object drag-and-drop reduces administrative effort by allowing you to reuse the policy objects (users, applications, services or IP addresses) that you have already created.
- Rule tagging allows you to “tag” rules with common names (e.g., DMZ, perimeter, datacenter) so that you can easily search and manage those rules as needed.
Granular control over administrative access.
If you have delegated specific sets of tasks to individual staff members, our role-based administration will allow you to designate any of the firewall’s features and corresponding capabilities to be fully enabled, read-only or disabled (hidden from view) for specific administrators. For example:
- Your operations staff can be given access to the firewall and networking configuration.
- Your security administrators can be granted control over security policy definition, the log viewer and reporting.
- You can allow key individuals full CLI access, while for others the CLI may be disabled.
All administrative activities are logged so you can see the time of occurrence, the administrator, the management interface used (web interface, CLI, Panorama and the API), and the command or action taken along with the result.
Centralised management of your Palo Alto Networks firewalls.
Panorama provides centralised management for multiple Palo Alto Networks next-generation firewalls, enabling you to:
- Browse ACC, view logs, and generate reports across all your firewalls from a central location.
- Use device groups and templates to centrally manage your firewall configurations, regardless of location.
- Manage device licenses and updates for software, content, and clients (SSL VPN, GlobalProtect).
By using the same user interface as our individual firewalls, Panorama eliminates the learning curve associated with switching from one mechanism to another. Regardless of the task at hand, the steps you may need to take will be the same.
Industry standard management tools and APIs.
A rich set of industry standard management interfaces, combined with a helpful set of APIs, allows you to integrate with existing third-party solutions for superior policy/configuration management, log analysis, reporting and more.
- APIs: A REST management API and a User-ID XML API give you a powerful set of tools to streamline operations and integrate with existing, internally developed applications and repositories.
- Syslog and SNMP v2/3: All logs can be sent to your syslog server for archival and analysis purposes, while SNMP v2/3 support enables integration with a wide range of third-party tools.
- NetFlow: Export your IP traffic flow information to a NetFlow collector. Separate template records are defined for IPv4, IPv4 with NAT, and IPv6 traffic, while PAN-OS specific fields for App-ID and User-ID can be optionally exported. NetFlow integration is not supported on the PA-4000 Series.
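As an added example (not code from this page or from Palo Alto Networks), the following Python builds and validates a User-ID XML API mapping message of the kind an internally developed identity source would push to the firewall. The `<uid-message>` layout and the `type=user-id` / `key` / `cmd` request parameters are taken from PAN-OS documentation rather than from this page; `FIREWALL_HOST`, `API_KEY` and the user/IP mappings are placeholders or constructed sample data, so check the exact format against the PAN-OS release you run.

```python
import ipaddress
from urllib.parse import urlencode
from xml.etree import ElementTree as ET

FIREWALL_HOST = "firewall.example.invalid"  # placeholder, not a real device
API_KEY = "REPLACE_WITH_API_KEY"            # placeholder; obtained via the keygen request


def validate_mapping(user, ip, timeout=None):
    """Return True if (user, ip[, timeout]) is safe to send to the firewall.

    Rejects empty user names, invalid IPv4/IPv6 addresses and non-positive
    timeouts so that a malformed mapping never reaches the device.
    """
    if not isinstance(user, str) or not user.strip():
        return False
    try:
        ipaddress.ip_address(ip)
    except ValueError:
        return False
    if timeout is not None and (not isinstance(timeout, int) or timeout <= 0):
        return False
    return True


def build_uid_message(logins, logouts=()):
    """Serialise an 'update' <uid-message> with login and logout entries.

    logins  : iterable of (user, ip, timeout_minutes)
    logouts : iterable of (user, ip)
    ElementTree escapes attribute values, so user names containing XML
    metacharacters cannot break out of the entry element.
    """
    root = ET.Element("uid-message")
    ET.SubElement(root, "version").text = "1.0"
    ET.SubElement(root, "type").text = "update"
    payload = ET.SubElement(root, "payload")
    if logins:
        login = ET.SubElement(payload, "login")
        for user, ip, timeout in logins:
            if not validate_mapping(user, ip, timeout):
                raise ValueError(f"invalid login mapping for {user!r}")
            ET.SubElement(login, "entry", name=user, ip=str(ip), timeout=str(timeout))
    if logouts:
        logout = ET.SubElement(payload, "logout")
        for user, ip in logouts:
            if not validate_mapping(user, ip):
                raise ValueError(f"invalid logout mapping for {user!r}")
            ET.SubElement(logout, "entry", name=user, ip=str(ip))
    return ET.tostring(root, encoding="unicode")


def userid_api_request(message):
    """Return (url, form_body) for the User-ID API POST; the caller sends it,
    e.g. requests.post(url, data=form_body, verify="/path/to/ca-bundle.pem")."""
    url = f"https://{FIREWALL_HOST}/api/"
    body = urlencode({"type": "user-id", "key": API_KEY, "cmd": message})
    return url, body
```

Sending the request with TLS verification against your own CA bundle keeps the API key and the identity mappings from being intercepted on the management path.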
In addition to our management interfaces and APIs, the Palo Alto Networks Technology Partner Program makes information available to you on many leading management, reporting and analysis vendors.
Scalable Firewall Services With Virtual Systems.
Virtual systems are unique and distinct next-generation firewall instances within a single Palo Alto Networks firewall. Instead of deploying many individual firewalls, security service providers and enterprises can deploy a single pair of firewalls (high availability) and enable a series of virtual firewall instances (virtual systems). Each virtual system is an independent (virtual) firewall within your firewall that is managed separately and cannot be accessed or viewed by other users.
Managed services for customers, business groups, or departments.
The flexibility and efficiencies of virtual systems offer security service providers and enterprises very attractive ways to enhance business efficiencies. These include:
- Improved scalability due to fewer devices
- Adding customers
- Lower capital and operational expenditures
Service providers and enterprises use virtual systems in two main ways: for multi-tenant managed services delivery, and as separate firewall instances within an enterprise network.
- Multi-tenant managed services: Within a managed services environment, it’s very cost-effective to have a single device support distinct firewall instances. This allows you to deliver security services to multiple customers with just a single device. The breadth of functionality and configuration flexibility we provide lets each customer select from a menu of service offerings, each of which can be enabled and disabled quickly and effectively. Role-based administration allows you to enable your customer to have access to certain functions (such as logging and reporting), while hiding or providing ‘read only’ (policy editor) access to other functions.
- Departmental services: If you’re a large organisation, certain technical or compliance requirements may dictate that departmental traffic be protected by a unique firewall instance. On an internal network, a single firewall instance with virtual systems support is extremely cost-effective. Each department can be assigned security services from the ‘menu,’ and then billed back for those services to demonstrate a return on investment. Just like in a managed services environment, you can allow department staff to have either ‘read only’ or full access to certain firewall functions while the device is centrally managed by IT.
Protecting network resources through segmentation.
Network segmentation is considered to be a network security best practice because it enables your IT department to isolate and more effectively protect critical data. By creating a virtual firewall for a segment of your network, you can protect key content from unapproved access as well as threats and possible data loss. Virtual systems are just one way that you can easily segment your network with Palo Alto Networks.
Granular, role-based administrative control.
Each virtual system is a self-contained, fully operational Palo Alto Networks firewall, complete with separate management interfaces. This ensures that other customers or departments can only see or modify their own policies. Within each virtual system, role-based administrative access control allows you to delegate feature-level administrative access (enabled, read-only, or disabled and hidden from view) to different staff. Using role-based administration, service providers can build a menu of services to selectively enable, while enterprises can delegate access to key individuals as needed.
The centralised management features in Panorama will minimise the administrative efforts and operational costs associated with your deployment of our next-generation firewalls in multiple locations – either internally or globally. Panorama allows your team to centrally manage all device aspects including configuration and policy deployment, visibility into applications, users and content as well as logging and reporting.
Global device management.
Using a combination of Device Groups and Templates, your team can quickly configure one of our firewalls remotely and then deploy new or updated global policies that co-exist with local policies. The combination of global and local policies allows you to ensure compliance with internal or regulatory requirements, while local device rules maintain both security and flexibility. Granular role-based administration complements shared policies by allowing you to assign specific tasks to different members of your team, thereby ensuring appropriate separation of roles and responsibilities.
Centralised visibility, logging and reporting.
With the same look and feel as the web interface, Panorama gives you visibility into the applications, users and content traversing your devices along with granular logging and reporting – all at both a global or individual device level.
- Visibility: With the same look and feel as the web interface, the Application Command Center (ACC) in Panorama gives you a global or individual device view into the applications, users and content traversing your network. The end result is that you will know more about the traffic and activity on your network and can make more informed security policy decisions.
- Logging: For either an individual device, or all devices, Panorama administrators can quickly view log activities using dynamic log filtering by clicking on a cell value and/or using the expression builder to define the filter criteria. Results can be saved for future queries or exported for further analysis.
- Reporting: Predefined reports can be used as-is, customised, or grouped together as one report to suit specific requirements. In addition to ad hoc reporting, custom and predefined reports can be scheduled and exported in a variety of formats.
Software, Content and Licensing Management.
Panorama allows you to take the systematic approach of first qualifying a change to the firewall in a controlled environment, then delivering it to the production firewalls. From a centralised location, you can manage software updates, content (application updates, antivirus signatures, threat signatures, URL filtering database, etc.) and firewall licenses.
Logging & Reporting
Traffic Monitoring: Logging, Reporting, and Forensic Analysis.
Security best practices dictate that you strike a balance between being proactive, continually learning and adapting to protect your corporate assets, and being reactive and investigating, analysing and reporting on security incidents. ACC and the policy editor allow you to proactively deploy application enablement policies, while a rich set of monitoring and reporting tools enable you to analyse and report on the applications, users and content traversing your network.
Real-time traffic analysis and forensics.
Our firewall maintains logs for WildFire, configurations, system, alarms, traffic flows, threats, URL filtering, data filtering, and Host Information Profile (HIP) matches. You can quickly analyse network activity by clicking on a cell value and adding multiple criteria using the expression builder – the results can be stored for future use or exported to CSV for additional analysis. In addition, all logs can be sent to a syslog server for analysis by a wide range of third-party solutions.
Fully customisable reporting.
Available as a standard feature, our reporting features allow you to generate informative reports using 40+ predefined reports, or by using the report builder, which lets you assemble a fully customised report that can be saved, exported to PDF, CSV or XML, scheduled to run, and then emailed. A few of the standard reports include:
- Behavioral botnet report: Data regarding unknown applications, IRC traffic, malware sites, dynamic DNS, and newly created domains is analysed with the results displaying a list of potentially infected hosts that can be investigated as members of a botnet.
- PDF Summary report: A fully customisable one-page summary report that includes data for the top five in each category as well as trend charts that are not available in other reports.
- User-activity report: Allows you to generate a time-based report that shows application and web browsing activity for specific users.
- App-Scope: Complementing the real-time view of applications and content provided by ACC, App-Scope provides a dynamic, user-customisable view of application, traffic and threat activity over time.
Integration with Security Information and Event Management (SIEM) tools.
Our firewall allows you to send all the logs to a syslog server for archival and analysis purposes. In addition, we have a wide range of proven technology partnerships with nearly all of the SIEM vendors.