Palo Alto Firewall – Overview

  • Founded in 2005 by a world-class team with strong security and networking experience
  • Innovations: App-ID, User-ID, Content-ID
  • Builds next-generation firewalls that identify and control more than 850 applications; makes firewall strategic again
  • Global footprint: presence in 50+ countries, 24/7 support
  • The gateway at the trust border is the right place to enforce policy control

-Sees all traffi

-Defines trust boundary


PAN-OS Core Firewall Features

Visibility and control of applications, users and content complement core firewall features

 Strong networking foundation

 Dynamic routing (OSPF, RIPv2)

 Tap mode – connect to SPAN port

 Virtual wire (“Layer 1”) for true transparent in-line deployment

 L2/L3 switching foundation

 VPN

 Site-to-site IPSec VPN

 SSL VPN

 QoS traffic shaping

 Max/guaranteed and priority

 By user, app, interface, zone, IP and scheduled

 Zone-based architecture

 All interfaces assigned to security zones for policy enforcement

 High Availability

 Active / passive

 Configuration and session synchronization

 Path, link, and HA monitoring

 Virtual Systems

 Establish multiple virtual firewalls in a single device (PA-4000 & PA-2000 Series only)

 Simple, flexible management

 CLI, Web, Panorama, SNMP, Syslog, XML API


Enterprise Device and Policy Management

Intuitive and flexible management

 CLI, Web, Panorama, SNMP, Syslog

 Role-based administration enables delegation of tasks to appropriate person

 Panorama central management application

 Shared policies enable consistent application control policies

 Consolidated management, logging, and monitoring of Palo Alto Networks devices

 Consistent web interface between Panorama and device UI

 Network-wide ACC/monitoring views, log collection, and reporting

All interfaces work on current configuration, avoiding sync issues


Addresses Three Key Business Problems

Identify and Control Applications

 Visibility of over 850 applications, regardless of port, protocol, encryption, or evasive tactic

 Fine-grained control over applications (allow, deny, limit, scan, shape)

 Fixes the firewall

 Prevent Threats

 Stop a variety of threats – exploits (by vulnerability), viruses, spyware

 Stop leaks of confidential data (e.g., credit card #, social security #)

 Stream-based engine ensures high performance

 Simplify Security Infrastructure

 Fix the firewall, rationalize security infrastructure

 Reduce complexity in architecture and operations


Palo Alto Networks Next-Gen Firewalls

 

PA-4060

PA-4060

10 Gbps FW

5 Gbps threat prevention

2,000,000 sessions

4 XFP (10 Gig) I/O

4 SFP (1 Gig) I/O

 

PA-4050

PA-4050

10 Gbps FW

5 Gbps threat prevention

2,000,000 sessions

16 copper gigabit

8 SFP interfaces

PA-4020

PA-4020

2 Gbps FW

2 Gbps threat prevention

500,000 sessions

16 copper gigabit

8 SFP interfaces

PA-2050

PA-2050

1 Gbps FW

500 Mbps threat prevention

250,000 sessions

16 copper gigabit

4 SFP interfaces

 

PA-2020

PA-2020

500 Mbps FW

200 Mbps threat prevention

125,000 sessions

12 copper gigabit

2 SFP interfaces

PA-500

PA-500

250 Mbps FW

100 Mbps threat prevention

50,000 sessions

8 copper gigabit


Single-Pass Parallel Processing (SP3) Architecture

 

Single Pass front

 

Single Pass

-Operations once per packet

-Traffic classification (app identification)

-User/group mapping

-Content scanning

– threats, URLs, confidential data

One policy

Parallel Processing

-Function-specific parallel processing hardware engines

-Separate data/control planes

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Website Powered by WordPress.com.

Up ↑

%d bloggers like this: