Palo Alto Firewall – Overview

  • Founded in 2005 by a world-class team with strong security and networking experience
  • Innovations: App-ID, User-ID, Content-ID
  • Builds next-generation firewalls that identify and control more than 850 applications; makes firewall strategic again
  • Global footprint: presence in 50+ countries, 24/7 support
  • The gateway at the trust border is the right place to enforce policy control

-Sees all traffic

-Defines trust boundary

PAN-OS Core Firewall Features

Visibility and control of applications, users and content complement core firewall features

  • Strong networking foundation
      - Dynamic routing (OSPF, RIPv2)
      - Tap mode – connect to SPAN port
      - Virtual wire (“Layer 1”) for true transparent in-line deployment
      - L2/L3 switching foundation
  • Site-to-site IPSec VPN
  • QoS traffic shaping
      - Max/guaranteed and priority
      - By user, app, interface, zone, IP and scheduled
  • Zone-based architecture
      - All interfaces assigned to security zones for policy enforcement
  • High Availability
      - Active / passive
      - Configuration and session synchronization
      - Path, link, and HA monitoring
  • Virtual Systems
      - Establish multiple virtual firewalls in a single device (PA-4000 & PA-2000 Series only)
  • Simple, flexible management
      - CLI, Web, Panorama, SNMP, Syslog, XML API

Enterprise Device and Policy Management

  • Intuitive and flexible management
      - CLI, Web, Panorama, SNMP, Syslog
      - Role-based administration enables delegation of tasks to appropriate person
  • Panorama central management application
      - Shared policies enable consistent application control policies
      - Consolidated management, logging, and monitoring of Palo Alto Networks devices
      - Consistent web interface between Panorama and device UI
      - Network-wide ACC/monitoring views, log collection, and reporting
  • All interfaces work on current configuration, avoiding sync issues

Addresses Three Key Business Problems

  • Identify and Control Applications
      - Visibility of over 850 applications, regardless of port, protocol, encryption, or evasive tactic
      - Fine-grained control over applications (allow, deny, limit, scan, shape)
      - Fixes the firewall
  • Prevent Threats
      - Stop a variety of threats – exploits (by vulnerability), viruses, spyware
      - Stop leaks of confidential data (e.g., credit card #, social security #)
      - Stream-based engine ensures high performance
  • Simplify Security Infrastructure
      - Fix the firewall, rationalize security infrastructure
      - Reduce complexity in architecture and operations

Palo Alto Networks Next-Gen Firewalls




10 Gbps FW

5 Gbps threat prevention

2,000,000 sessions

4 XFP (10 Gig) I/O

4 SFP (1 Gig) I/O




10 Gbps FW

5 Gbps threat prevention

2,000,000 sessions

16 copper gigabit

8 SFP interfaces



2 Gbps FW

2 Gbps threat prevention

500,000 sessions

16 copper gigabit

8 SFP interfaces



1 Gbps FW

500 Mbps threat prevention

250,000 sessions

16 copper gigabit

4 SFP interfaces




500 Mbps FW

200 Mbps threat prevention

125,000 sessions

12 copper gigabit

2 SFP interfaces



250 Mbps FW

100 Mbps threat prevention

50,000 sessions

8 copper gigabit

Single-Pass Parallel Processing (SP3) Architecture




  • Single Pass
      - Operations once per packet
      - Traffic classification (app identification)
      - User/group mapping
      - Content scanning (threats, URLs, confidential data)
      - One policy
  • Parallel Processing
      - Function-specific parallel processing hardware engines
      - Separate data/control planes


Sanchit Agrawal

Blog Author

