Palo Alto Networks Product Overview Karsten Dindorp, Computerlinks


Page 1

Palo Alto Networks Product Overview

Karsten Dindorp, Computerlinks

Page 2

© 2009 Palo Alto Networks. Proprietary and Confidential

Applications Have Changed – Firewalls Have Not

• The gateway at the trust border is the right place to enforce policy control
- Sees all traffic
- Defines trust boundary

(Figure: application categories seen at the gateway: Collaboration / Media, SaaS, Personal)

• But applications have changed
- Ports ≠ Applications
- IP addresses ≠ Users
- Headers ≠ Content

Need to Restore Application Visibility & Control in the Firewall

Page 3

Stateful Inspection Classification: The Common Foundation of Nearly All Firewalls

• Stateful Inspection classifies traffic by looking at the IP header
- source IP
- source port
- destination IP
- destination port
- protocol

• Internal table creates mapping to well-known protocols/ports
- HTTP = TCP port 80
- SMTP = TCP port 25
- SSL = TCP port 443

- etc, etc, etc…
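As an added illustration of the gap between the port table above and the "Ports ≠ Applications" point on the previous slide (example code written for this page, not Palo Alto Networks' App-ID; the Flow class, the signature patterns and the sample flows are all constructed):

```python
from dataclasses import dataclass

# Slide 3's internal table: well-known ports mapped to protocols.
PORT_TABLE = {80: "HTTP", 25: "SMTP", 443: "SSL", 22: "SSH"}

# Simplified payload signatures (hypothetical stand-ins for a real App-ID
# signature set), matched on the first client-to-server bytes of a flow.
APP_SIGNATURES = [
    ("HTTP", lambda p: p.split(b" ", 1)[0] in {b"GET", b"POST", b"HEAD", b"PUT"}),
    ("SSL", lambda p: p[:3] == b"\x16\x03\x01"),   # TLS handshake record header
    ("SSH", lambda p: p.startswith(b"SSH-2.0-")),  # SSH version banner
    ("SMTP", lambda p: p[:4] in {b"EHLO", b"HELO"}),
]


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str
    payload: bytes  # first client-to-server bytes of the session


def classify_by_port(flow: Flow) -> str:
    """Stateful-inspection view: the 5-tuple alone, via the port table."""
    return PORT_TABLE.get(flow.dst_port, "unknown")


def classify_by_payload(flow: Flow) -> str:
    """Application view: identify the protocol from content, not port."""
    for app, matches in APP_SIGNATURES:
        if matches(flow.payload):
            return app
    return "unknown"


def mismatches(flows):
    """Indexes of flows where the port table and the content disagree:
    exactly the traffic a port-only firewall would misjudge or miss."""
    return [i for i, f in enumerate(flows)
            if classify_by_port(f) != classify_by_payload(f)]


# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    Flow("10.0.0.5", 50001, "192.0.2.10", 80, "tcp", b"GET / HTTP/1.1\r\n"),
    Flow("10.0.0.5", 50002, "192.0.2.11", 443, "tcp", b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("10.0.0.5", 50003, "192.0.2.12", 8080, "tcp", b"POST /api HTTP/1.1\r\n"),
    Flow("10.0.0.5", 50004, "192.0.2.13", 443, "tcp", b"\x16\x03\x01\x00\xc8\x01\x00"),
]

if __name__ == "__main__":
    for i, f in enumerate(SAMPLE_FLOWS):
        print(i, f.dst_port, classify_by_port(f), classify_by_payload(f))
```

Flows 1 and 2 are the cases the deck is about: SSH riding on the SSL port looks like permitted web traffic to the port table, and HTTP on 8080 is simply unknown to it, while content-based identification labels both correctly.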

Page 4

Enterprise End Users Do What They Want

• The Application Usage & Risk Report from Palo Alto Networks highlights actual behavior of 960,000 users across 60 organizations:
- HTTP is the universal app protocol – 64% of BW, most HTTP apps not browser-based

- Video is king of the bandwidth hogs – 30x P2P filesharing

- Applications are the major unmanaged threat vector

• Business Risks: Productivity, Compliance, Operational Cost, Business Continuity and Data Loss

Page 5

Firewall “Helpers” Are Not the Answer

• Complex to manage

• Expensive to buy and maintain

• Firewall “helpers” have limited view of traffic

• Ultimately, they don’t solve the problem

Page 6

New Requirements for the Firewall

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify users regardless of IP address

3. Scan application content in real-time (prevent threats and data leaks)

4. Granular visibility and policy control over application access / functionality

5. Multi-gigabit, in-line deployment with no performance degradation

The Right Answer: Make the Firewall Do Its Job

Page 7

Identification Technologies Transforming the Firewall

App-ID: Identify the application

User-ID: Identify the user

Content-ID: Scan the content

Page 8

Purpose-Built Architectures (PA-4000 Series)

Signature Match HW Engine
• Palo Alto Networks’ uniform signatures
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN, and other signatures

Multi-Core Security Processor
• High density processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)

Dedicated Control Plane
• Highly available mgmt
• High speed logging and route updates

10 Gig Network Processor
• Front-end network processing offloads security processors
• Hardware accelerated QoS, route lookup, MAC lookup and NAT

(Block diagram: Control Plane with dual-core CPU, RAM and HDD; Data Plane with the signature match engine, security processors CPU1 … CPU16 each with RAM, SSL / IPSec / de-compression acceleration, and the 10 Gig network processor handling QoS, route / ARP / MAC lookup and NAT over 10 Gbps links.)

Page 9

PAN-OS Core Features

• Strong networking foundation:
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN
- Tap mode – connect to SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2/L3 switching foundation

• QoS traffic shaping:
- Max, guaranteed and priority
- By user, app, interface, zone, and more

• High Availability:
- Active / passive
- Configuration and session synchronization
- Path, link, and HA monitoring

• Virtualization:
- All interfaces (physical or logical) assigned to security zones
- Establish multiple virtual systems to fully virtualize the device (PA-4000 & PA-2000 only)

• Intuitive and flexible management:
- CLI, Web, Panorama, SNMP, Syslog

Page 10

Flexible Deployment Options

Application Visibility
• Connect to span port
• Provides application visibility without inline deployment

Transparent In-Line
• Deploy transparently behind existing firewall
• Provides application visibility & control without networking changes

Firewall Replacement
• Replace existing firewall
• Provides application and network-based visibility and control, consolidated policy, high performance

Page 11

Palo Alto Networks Next-Gen Firewalls

PA-4050
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 16 copper gigabit
• 8 SFP interfaces

PA-4020
• 2 Gbps FW
• 2 Gbps threat prevention
• 500,000 sessions
• 16 copper gigabit
• 8 SFP interfaces

PA-4060
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 4 XFP (10 Gig) I/O
• 4 SFP (1 Gig) I/O

PA-2050
• 1 Gbps FW
• 500 Mbps threat prevention
• 250,000 sessions
• 16 copper gigabit
• 4 SFP interfaces

PA-2020
• 500 Mbps FW
• 200 Mbps threat prevention
• 125,000 sessions
• 12 copper gigabit
• 2 SFP interfaces

PA-500
• 250 Mbps FW
• 100 Mbps threat prevention
• 50,000 sessions
• 8 copper gigabit

Page 12

PAN-OS 3.0 Summary of Features

• Networking
- Quality of Service Enforcement
- SSL VPN
- IPv6 Firewall (Virtual Wire)
- IPsec Multiple Phase 2 SAs
- 802.3ad link aggregation
- PA-2000 virtual systems licenses (+5)

• App-ID
- Custom Web-based App-IDs
- Custom App-ID Risk and Timeouts
- CRL checking within SSL forward proxy

• Threat Prevention & URL Filtering
- Dynamic URL Filtering DB
- Increased signature capacity
- Threat Exception List
- CVE in Threat Profiles

• User Identification
- Citrix/Terminal Server User ID
- Proxy X-Forwarded-For Support

• Visibility and Reporting
- User Activity Report

• Management
- Multi-zone Rules
- Automated Config Backup in Panorama
- Role-based admins in Panorama
- SNMP Enhancements: custom community string, extended MIB support
- XML-based REST API
- Ability to Duplicate Objects
- Log Export Enhancements: support for FTP scheduler
- Custom Admin Login Banner
- Web-based Tech Support Export
- Database indexing
- Configurable management I/O settings

Page 13

Demo