Saturday 4 August 2018

PALO ALTO INTRO


  • Platform and Architecture
    • Firewall Platforms
    • Single-Pass Architecture
    • Control and Data Plane

The PA-200 recommended use:
  • Securing the medium enterprise
  • Securing the branch offices of the small enterprise

The PA-500 recommended use:
  • Protecting the medium-enterprise network
  • Protecting medium to large branch offices

The PA-2000 Series recommended use:
  • Securing high-speed networks of medium-to-large branch enterprises

The PA-3000 Series recommended use:
  • Protecting medium-to-large branch enterprise networks

The PA-4000 Series recommended use:
  • Protecting the network and datacenter in large enterprises

The PA-5000 Series recommended use:
  • Protecting high-speed datacenters, server farms and service provider environments

Palo Alto Networks Next-Generation Firewall’s main strength is its Single Pass Parallel Processing (SP3) architecture, which comprises two key components:
  1. Single Pass Software
  2. Parallel Processing Hardware
Figure 1.   Palo Alto Networks Firewall Single Pass Parallel Processing Architecture

SINGLE PASS SOFTWARE

Palo Alto Networks Next-Generation Firewall is built on Single Pass Software: networking, user identification (User-ID), policy lookup, traffic classification with application identification (App-ID), decoding, and signature matching for threats and content are all performed once per packet, as shown in the illustration below:
Figure 2: Palo Alto Networks Firewall - Single-Pass Architecture Traffic Flow
Processing a packet in one go, or single pass, enormously reduces the processing overhead. Other vendors' firewalls, built on a different architecture, produce significantly higher overhead when processing packets traversing the firewall: it has been observed that Unified Threat Management (UTM) devices, which process traffic using a multi-pass architecture, incur processing overhead, added latency and throughput degradation.

PARALLEL PROCESSING HARDWARE

Palo Alto Networks Parallel Processing hardware ensures that function-specific processing is done in parallel at the hardware level which, in combination with the dedicated Data plane and Control plane, produces stunning performance results. By separating the Data plane and Control plane, Palo Alto Networks ensures that heavy utilization of either plane will not impact the overall performance of the platform. Neither plane depends on the other, as each has its own CPU and RAM, as illustrated in the diagram below:
The Control Plane is responsible for tasks such as management and configuration of the Palo Alto Networks Next-Generation Firewall, and it also takes care of logging and reporting functions.
Palo Alto Networks Next-Generation Firewall offers processors dedicated to specific functions that work in parallel. The Data Plane in the high-end models contains three types of processors (CPUs) connected by high-speed 1Gbps buses.
The three types of processors are:
  1. Security Matching Processor: dedicated processor that performs vulnerability and virus detection.
  2. Security Processor: dedicated processor that performs hardware acceleration and handles security tasks such as SSL decryption, IPsec decryption and similar tasks.
  3. Network Processor: dedicated processor responsible for network functions such as routing, NAT, QoS, route lookup, MAC lookup and network layer communications.


Single Pass Parallel Processing

With the Single Pass Parallel Processing approach, Palo Alto firewalls are able to:
  • Classify traffic with App-ID
  • Map users and groups
  • Scan content for threats, URLs and similar
  • Apply one policy across all of these tasks
  • Process in parallel
  • Keep separate data and control planes



Single Pass
Operation once per packet:
  • Traffic classification (application identification)
  • User/group mapping
  • Content scanning: threats, URLs, confidential data
  • One policy


Parallel Processing

Function-specific parallel processing hardware engines.
Separate data and control planes.
Palo Alto Networks firewalls allow you to specify security policies based on a more accurate identification of each application seeking access to your network. Unlike traditional firewalls that identify applications only by protocol and port number, the firewall uses packet inspection and a library of application signatures to distinguish between applications that share the same protocol and port, and to identify potentially malicious applications that use non-standard ports.
The strength of the Palo Alto firewall is its SP3 (Single Pass Parallel Processing) engine. Each of the current protection features in the device (antivirus, anti-spyware, data filtering and vulnerability protection) uses the same stream-based signature format. As a result, the SP3 engine can search for all of these risks simultaneously.

The advantage of a stream-based engine is that traffic is scanned as it crosses the box with a minimal amount of buffering.

Single Pass Architecture Engine. The core functions of the Palo Alto firewall are App-ID, which identifies the application; Content-ID, which scans the content of the packet; and User-ID, which identifies the user. These three criteria can be matched in the firewall security policy to allow or deny traffic according to your needs, and combining them gives you very granular control over your environment. A security policy could be created to allow or deny different applications (based on App-ID) for different users (based on User-ID), while the traffic is scanned for URLs and data leakage using Content-ID. Later in this blog we will take a deep dive into the App-ID, Content-ID and User-ID functions of the firewall: how they are configured, what they do, and how you can maximize the security of your network by taking advantage of all three.


While a seemingly trivial and obvious approach, security software that looks at traffic in a single pass is unique to the Palo Alto Networks next-generation firewall. This approach to processing traffic ensures that each particular task is performed only once on a set of traffic. The key processing tasks are:

  • Networking and management functionality: at the foundation of all traffic processing is a common networking foundation with a common management structure.
  • App-ID (application identification): a combination of application signatures, protocol detection and decryption, protocol decoding, and heuristics to identify applications. The application identification is carried through to the Content-ID functionality, so that applications are scanned and inspected appropriately to their use, as well as to the policy engine.
  • Content-ID: a single hardware-accelerated signature matching engine that uses a uniform signature format to scan traffic for data (credit card numbers, social security numbers, and custom patterns) and threats (vulnerability exploits – IPS, viruses, and spyware), plus a URL categorization engine to perform URL filtering.
  • User-ID: maps IP addresses to Active Directory users and users to groups (roles) to enable visibility and policy enforcement by user and group.
  • Policy engine: based on the networking/management, User-ID, App-ID and Content-ID information, the policy engine is able to enforce a single security policy on the traffic.


The Control Plane and Data Plane:
  • The control plane is used for management functions. It has its own dual-core or single-core CPU, depending on the hardware platform, with its own dedicated RAM and its own hard drive. The control plane handles management functions such as logging and reporting.
  • The data plane is the traffic forwarding plane. On some platforms it runs on a separate chipset, on others it is virtualized. The data plane can be broken down into three major functions: the signature match processor, the security processor and the network processor.

The signature match processor is designed to inspect traffic against signatures that are already built as regular expressions: it looks for vulnerabilities and threats, and for sensitive data leakage such as CCNs (credit card numbers) and SSNs (social security numbers).
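To make the "stream-based, minimal buffering" point concrete, here is an added Python illustration (not Palo Alto Networks code) of a chunk-by-chunk scanner for the CCN and SSN patterns named above. It keeps only a small carry-over buffer between chunks, still catches a number split across a chunk boundary, and uses a Luhn check to discard random 16-digit runs; the patterns, carry size and sample stream are constructed for the demo.

```python
"""Chunk-by-chunk scanner in the spirit of the stream-based signature engine
described above. Added illustration, not Palo Alto Networks code: the
patterns, the carry size and the sample stream are constructed here."""
import re

# Constructed patterns for the two data types named in the text (CCN, SSN).
CCN_RE = re.compile(rb"\b(?:\d[ -]?){15}\d\b")   # 16 digits, optional separators
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(candidate: bytes) -> bool:
    """Luhn checksum: drops most 16-digit runs that are not real card numbers."""
    digits = [int(c) for c in candidate.decode() if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


PATTERNS = [("ccn", CCN_RE, luhn_ok), ("ssn", SSN_RE, None)]
CARRY = 24   # >= longest pattern (19 bytes) + 1 byte of left context for \b


class StreamScanner:
    """Scans data as it arrives, keeping only CARRY bytes between chunks."""

    def __init__(self):
        self.buf = b""      # tail of the previous data, so boundary matches are seen
        self.base = 0       # absolute stream offset of self.buf[0]
        self.seen = set()   # absolute offsets already reported (the tail is rescanned)
        self.hits = []

    def feed(self, chunk: bytes, final: bool = False) -> None:
        data = self.buf + chunk
        for name, rx, validator in PATTERNS:
            for m in rx.finditer(data):
                # A match ending exactly at the end of data may continue in the
                # next chunk (more digits); wait for that chunk unless the stream ended.
                if m.end() == len(data) and not final:
                    continue
                # A match starting at offset 0 of carried data has a truncated left
                # context; anything legitimate there was already seen last round.
                if m.start() == 0 and self.base > 0:
                    continue
                start = self.base + m.start()
                if start in self.seen:
                    continue
                if validator is not None and not validator(m.group()):
                    continue
                self.seen.add(start)
                self.hits.append((name, start, m.group().decode()))
        keep = min(CARRY, len(data))           # bounded buffering
        self.base += len(data) - keep
        self.buf = data[len(data) - keep:]

    def finish(self):
        self.feed(b"", final=True)
        return self.hits


def scan_stream(stream: bytes, chunk_size: int):
    """Feed the stream in fixed-size pieces; results must not depend on the size."""
    scanner = StreamScanner()
    for i in range(0, len(stream), chunk_size):
        scanner.feed(stream[i:i + chunk_size])
    return scanner.finish()


# Constructed sample stream: one valid card number, one SSN, one Luhn-invalid decoy.
SAMPLE_STREAM = (b"Order note: card 4111 1111 1111 1111 exp 12/26. Employee SSN "
                 b"123-45-6789 on file. Fake number 1234 5678 9012 3456 should be ignored.")

if __name__ == "__main__":
    for hit in scan_stream(SAMPLE_STREAM, 16):
        print(hit)
```

The same two hits are reported whether the stream arrives in 7-byte, 16-byte or single-chunk pieces, which is the property a stream engine must have.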

The security processor contains hardware accelerators for matching against security policies, for App-ID, for User-ID, SSL decryption, decompression, and IPsec VPN tunnels.


The network processor handles traffic forwarding: routing lookup, NAT functionality, MAC lookup, QoS and traffic shaping. On some hardware platforms the signature match processor and the network processor are dedicated hardware components; on other platforms they are virtualized components.



With the Palo Alto Networks single pass parallel processing architecture, hardware acceleration is provided for each of the major functional blocks:
  • Network tasks (per-packet routing, flow lookups, stats counting, NAT and similar functions) are performed on a dedicated network processor.
  • User-ID, App-ID and the policy engine all run on a multicore (up to 16 cores) security processor with hardware acceleration for encryption, decryption and decompression.
  • Content-ID performs the signature lookup via a dedicated FPGA with dedicated memory.
  • Management functionality is provided via a dedicated control plane processor that drives configuration management, logging and reporting without touching the data processing hardware.


Flow logic of the Next-Generation Firewall:

This section could be called the life of a packet in the Palo Alto firewall. Here you can see every process that happens as a packet passes through the firewall, from the initial packet processing to the post-policy processing when the traffic is forwarded out of an interface of the device. I will explain each of the components in a subsequent section. The flow logic through the Palo Alto firewall is what makes single pass parallel processing (SP3) possible: the packet is processed a single time while all the components we need to decide whether to allow or deny the traffic are detected, and NAT and traffic forwarding are performed as well. The picture below is central to understanding how the Palo Alto firewall works.



As the packet enters the firewall, the device identifies where the packet came from and where it is destined to. The device looks at the source zone (not the ingress interface the packet arrived on) and the destination zone the packet is being forwarded to.

The above diagram is a simplified version of the flow logic of a packet travelling through a Palo Alto Networks firewall. The course will reference this diagram to address where specific concepts fit into the packet processing sequence.


APP-ID & USER-ID – FEATURES THAT SET PALO ALTO APART FROM THE COMPETITION

App-ID and User-ID are two really interesting features not found on most competitors’ firewalls and really help set Palo Alto Networks apart from the competition. Let’s take a look at what App-ID and User-ID are and how they help protect the enterprise network.

APP-ID: APPLICATION-BASED POLICY ENFORCEMENT

App-ID is the biggest asset of Palo Alto Networks Next-Generation Firewalls. Traditional firewalls block traffic based on protocol and/or ports, which years ago seemed to be the best way of securing the network perimeter; today, however, this approach is inadequate, as applications (including SSL VPNs) can easily bypass a port-based firewall by hopping between ports or by using well-known ports that are normally found open, such as tcp-http (80) or tcp/udp-dns (53).
A traditional firewall that allows TCP/UDP port 53 for DNS lookups will let any application using that port pass through without further questions. This means that any application can use port 53 to send and receive traffic, including evasive applications like BitTorrent for P2P file sharing, which is quite dangerous:
Figure 2. Palo Alto Network’s App-ID effectively blocks unwanted BitTorrent traffic
With App-ID, Palo Alto Networks Next-Generation Firewalls use multiple identification mechanisms to determine the exact identity of the applications traversing the network. Traffic is examined and classified in the following order:
  1. Traffic is classified based on the IP address and port.
  2. Signatures are then applied to the allowed traffic to identify the application based on unique application properties and related transaction characteristics.
  3. For evasive applications which cannot be identified through advanced signature and protocol analysis, Palo Alto Networks Next-Generation Firewalls apply heuristics or behavioral analysis to determine the identity of the application.
Using the above process Palo Alto Networks Next-Generation Firewalls are very successful in identifying DNS traffic not only at the port level but also at the Application level, making it extremely difficult for an evasive application like BitTorrent to use any open ports and pass through the firewall undetected.
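The three-stage order above, reduced to a small Python model as an added illustration (this is not Palo Alto Networks code, and the real App-ID signature library is far richer): a port hint first, then payload signatures that override it, then an entropy heuristic for whatever is still unidentified. The port table, the minimal HTTP/DNS/BitTorrent checks, the 7.0-bit entropy threshold and the sample flows are all constructed for the demo; the BitTorrent flow is sent to port 53 exactly as the text describes.

```python
"""Simplified model of the three-stage App-ID order described above:
port hint, then payload signatures, then heuristics for what is left.
Added illustration, not Palo Alto Networks code; the signatures, threshold
and sample flows are constructed for this demo."""
import math
import re
import struct
from collections import Counter

# Stage 1: what a port-only firewall would conclude from the destination port.
PORT_HINTS = {("udp", 53): "dns", ("tcp", 53): "dns", ("tcp", 80): "web-browsing"}

# Stage 2: payload markers (real protocol prefixes, reduced to minimal checks).
HTTP_REQUEST = re.compile(rb"^(?:GET|POST|HEAD|PUT|DELETE) \S+ HTTP/1\.[01]\r\n")
BT_HANDSHAKE = b"\x13BitTorrent protocol"      # peer-wire handshake prefix


def looks_like_dns(payload: bytes) -> bool:
    """Structural DNS check: standard-query header and one parseable question."""
    if len(payload) < 12:
        return False
    flags, qdcount = struct.unpack("!HH", payload[2:6])
    if (flags >> 11) & 0xF != 0 or qdcount < 1:     # opcode must be QUERY
        return False
    pos = 12
    while True:                                     # walk the QNAME labels
        if pos >= len(payload):
            return False
        length = payload[pos]
        if length == 0:
            pos += 1
            break
        if length > 63:                             # not a plain label
            return False
        pos += 1 + length
    return len(payload) >= pos + 4                  # QTYPE + QCLASS must follow


def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())


def port_only(flow) -> str:
    """The traditional decision: trust the port, never look at the payload."""
    return PORT_HINTS.get((flow["proto"], flow["dst_port"]), "unknown")


def classify(flow):
    """Returns (application, stage that decided it)."""
    proto, payload = flow["proto"], flow["payload"]
    if not payload:                       # nothing to inspect yet: port hint only
        return port_only(flow), "port"
    if payload.startswith(BT_HANDSHAKE):  # stage 2: signatures override the port hint
        return "bittorrent", "signature"
    if HTTP_REQUEST.match(payload):
        return "web-browsing", "signature"
    if looks_like_dns(payload):
        return "dns", "signature"
    if shannon_entropy(payload) > 7.0:    # stage 3: unidentified and high entropy
        return "unknown-encrypted", "heuristic"
    return f"unknown-{proto}", "heuristic"


def build_dns_query(name: str) -> bytes:
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)   # id, RD, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)               # QTYPE A, QCLASS IN


# Constructed flows; the BitTorrent handshake is sent to port 53 as in the text.
SAMPLE_FLOWS = [
    {"proto": "udp", "dst_port": 53, "payload": build_dns_query("example.com")},
    {"proto": "tcp", "dst_port": 53, "payload": BT_HANDSHAKE + bytes(8) + b"H" * 20 + b"P" * 20},
    {"proto": "tcp", "dst_port": 80, "payload": b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"},
    {"proto": "tcp", "dst_port": 53, "payload": bytes(range(256))},
    {"proto": "udp", "dst_port": 5000, "payload": b"hello hello hello"},
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow["proto"], flow["dst_port"], "port-only:", port_only(flow),
              "app-id:", classify(flow))
```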

USER IDENTIFICATION (USER-ID)

User-ID is one more key determining factor that places Palo Alto Networks Next-Generation Firewalls apart from the competition.
Traditionally, security policies and rules were applied based on IP addresses. However, these days both users and applications have a dynamic nature, which means that IP addresses alone have become ineffective for monitoring and controlling user activity. A single user might access the network from multiple devices (laptops, tablets, smartphones, servers).
Thanks to the User-ID feature of the Palo Alto Networks Next-Generation Firewalls administrators are able to configure and enforce firewall policies based on users and user groups instead of network zones and addresses.
The Palo Alto Networks Next-Generation Firewall can communicate with many directory servers, such as Microsoft Active Directory, eDirectory, SunOne, OpenLDAP, and most other LDAP-based directory servers to provide user and group information to the firewall. With this powerful feature, large organizations are able to create security policies that are user or group based, without worrying about IP addresses associated to them.

THREAT PREVENTION

Palo Alto Networks Next-Generation Firewalls are very effective in preventing threats: they offer real-time threat prevention from viruses, worms, spyware and other malicious traffic, and the protection can be varied by application and traffic source.

APPLICATION COMMAND CONTROL (ACC)

Palo Alto Networks Next-Generation Firewalls offer the most interactive graphical summary of the applications, URLs, users, threats, and content traversing the network. The ACC makes use of the firewall logs to provide visibility of traffic patterns, information on threats, user activity, rule usage and much more, in an interactive graphical form:
Figure 3. Palo Alto Application Command Center provides maximum visibility on network traffic (click to enlarge)

Below is a list of the configuration options available for Ethernet (physical) interfaces:
  • Tap Mode
  • Virtual Wire
  • Layer 2
  • Layer 3
  • Aggregate Interfaces
  • HA
Following are the Logical interface options available:
  • VLAN
  • Loopback
  • Tunnel
  • Decrypt Mirror



Palo Alto Networks Next-Generation Firewalls have four main types of zones, as shown in the screenshot below:
  • Tap Zone. Used in conjunction with SPAN/RSPAN to monitor traffic.
  • Virtual Wire. Also known as Transparent Firewall.
  • Layer 2. Used when switching between two or more networks.
  • Layer 3. Used when routing between two or more networks. Interfaces must be assigned an IP address.


TAP MODE DEPLOYMENT OPTION

TAP Mode deployment allows passive monitoring of the traffic flow across a network by using the SPAN feature (also known as mirroring).
A typical deployment would involve the configuration of SPAN on Cisco Catalyst switches where the destination SPAN port is the switch port to which our Palo Alto Firewall connects, as shown in the diagram below:

The advantage of this deployment model is that it allows organizations to closely monitor traffic to their servers or network without requiring any changes to the network infrastructure.
During the configuration of SPAN it is important to ensure the correct SPAN source and SPAN Destination ports are configured while also enabling Tap mode at the Firewall.
Tap mode offers visibility of application, user and content, however, we must be mindful that the firewall is unable to control the traffic as no security rules can be applied in this mode. Tap mode simply offers visibility in the ACC tab of the dashboard. The catch here is to ensure that the tap interface is assigned to a security zone.

VIRTUAL WIRE  (V-WIRE) DEPLOYMENT OPTION

Virtual Wire, also known as V-Wire, deployment options use Virtual Wire interfaces. The great thing about a V-Wire deployment is that the firewall can be inserted into an existing topology without requiring any changes to the existing network topology.
The V-Wire deployment option overcomes the limitations of TAP mode deployment, as engineers are able to monitor and control traffic traversing the link. A Virtual Wire interface supports App-ID, User-ID, Content-ID, NAT and decryption.

LAYER 2 DEPLOYMENT OPTION

Palo Alto Networks Next Generation Firewall can also be deployed in Layer 2 mode. In this mode switching is performed between two or more network segments as shown in the diagram below:
In Layer 2 deployment mode the firewall is configured to perform switching between two or more network segments. Traffic traversing the firewall is examined, as per policies, providing increased security and visibility within the internal network.
In this mode the firewall interfaces are capable of supporting Access or Trunk Links (802.1Q trunking) and do not participate in the Spanning Tree topology. Any BPDUs received on the firewall interfaces are directly forwarded to the neighboring Layer 2 switch without being processed. Routing traffic between VLAN networks or other networks can be achieved via a default Gateway which is usually a Layer 3 switch supporting InterVLAN routing, a Firewall security appliance, or even Router-on-a-Stick design.

LAYER 3 DEPLOYMENT OPTION

Layer 3 deployment mode is a popular deployment setup. In this mode the firewall routes traffic between multiple interfaces, each of which is configured with an IP address and security zone. The Firewall interfaces can also be configured to obtain their IP address via a DHCP server and can be used to manage the security appliance.

The diagram above shows a typical Layer 3 deployment setup where the Firewall routes and controls traffic between three different IP networks. Similar to other setup methods, all traffic traversing the Firewall is examined and allowed or blocked according to the security policies configured.

CONCLUSION

In this article we examined a few of the different deployment modes available for Palo Alto firewalls. We talked about Tap mode, Virtual Wire mode, Layer 2 and Layer 3 deployment modes.

Features and Benefits

The Palo Alto Networks next-generation firewalls provide granular control over the traffic allowed to access your network. The primary features and benefits include:
  • Application-based policy enforcement (App-ID)—Access control according to application type is far more effective when application identification is based on more than just protocol and port number. The App-ID service can block high risk applications, as well as high risk behavior, such as file-sharing, and traffic encrypted with the Secure Sockets Layer (SSL) protocol can be decrypted and inspected.
  • User identification (User-ID™)—The User-ID feature allows administrators to configure and enforce firewall policies based on users and user groups instead of or in addition to network zones and addresses. The firewall can communicate with many directory servers, such as Microsoft Active Directory, eDirectory, SunOne, OpenLDAP, and most other LDAP-based directory servers to provide user and group information to the firewall. You can then use this information for secure application enablement that can be defined per user or group. For example, the administrator could allow one organization to use a web-based application but not allow any other organizations in the company to use that same application. You can also configure granular control of certain components of an application based on users and groups (see User Identification).
  • Threat prevention—Threat prevention services that protect the network from viruses, worms, spyware, and other malicious traffic can be varied by application and traffic source (see Objects > Security Profiles).
  • URL filtering—Outbound connections can be filtered to prevent access to inappropriate web sites (see Objects > Security Profiles > URL Filtering).
  • Traffic visibility—Extensive reports, logs, and notification mechanisms provide detailed visibility into network application traffic and security events. The Application Command Center (ACC) in the web interface identifies the applications with the most traffic and the highest security risk (see Monitor).
  • Networking versatility and speed—The Palo Alto Networks firewall can augment or replace your existing firewall and can be installed transparently in any network or configured to support a switched or routed environment. Multigigabit speeds and a single-pass architecture provide these services to you with little or no impact on network latency.
  • GlobalProtect—The GlobalProtect™ software provides security for client systems, such as laptops that are used in the field, by allowing easy and secure login from anywhere in the world.
  • Fail-safe operation—High availability (HA) support provides automatic failover in the event of any hardware or software disruption (see Device > Virtual Systems).
  • Malware analysis and reporting—The WildFire™ cloud-based analysis service provides detailed analysis and reporting on malware that passes through the firewall. Integration with the AutoFocus™ threat intelligence service allows you to assess the risk associated with your network traffic at organization, industry, and global levels.
  • VM-Series firewall—A VM-Series firewall provides a virtual instance of PAN-OS® positioned for use in a virtualized data center environment and is ideal for your private, public, and hybrid cloud computing environments.
  • Management and Panorama—You can manage each firewall through an intuitive web interface or through a command-line interface (CLI) or you can centrally manage all firewalls through the Panorama™ centralized management system, which has a web interface very similar to the web interface on Palo Alto Networks firewalls.

Palo Alto Networks Next-Generation Firewall Features


Every one of our next-generation firewalls comes with a set of features that enable you to secure your network like you've never done before. Palo Alto Networks firewalls include important security, integration, networking, and management features.
Find out how our innovative features will help you be more proactive, instead of reactive, and do your job even better.

Security Features

Safely enabling applications based on users and groups is just one of the many features that every Palo Alto Networks next-generation firewall supports. A flexible networking foundation facilitates integration into nearly any network. IPsec and SSL VPN deliver enterprise-wide connectivity. Stateful high availability ensures that your network is always protected.





Application Visibility:


Visibility into Applications, Users, and Content

Port numbers, protocols, and IP addresses are useful for network devices, but they tell you nothing about what is on your network. Detailed information about the applications, users, and content traversing your network empowers you to quickly determine any risks they pose and quickly respond. Leveraging the rich context provided by Palo Alto Networks firewalls, our visualization, analysis, and reporting tools let you quickly learn more about activity on your network and analyze incidents from a current or comparative perspective.

Visibility into your applications, web traffic, threats, and data patterns

Our Application Command Center (ACC) is an interactive, graphical summary of the applications, users, URLs, threats, and content traversing your network. It allows you to keep your finger on the pulse of what is going on. ACC provides a 10,000 foot view of what's happening on your network, and with just a few clicks you can get a highly detailed view to learn more, including links to the specific policy that allowed a certain behavior so you can tune it as needed.
Knowledge is power. Learning more about new or unfamiliar applications or threats that are displayed in ACC takes just a single click, which shows you:
  • A description of the application or threat.
  • An application's key features and behavioral characteristics.
  • Details on the users using an application.
  • Details on those affected by a threat.
Additional data on traffic source and destination, security rules and zones provides a wider view of the application's usage patterns, which helps you make a more informed decision on how to treat that traffic.

Visibility based on users and groups – not IP addresses

Integration with a wide range of directory services allows our system to display detailed user information (along with their IP address), complementing the application and threat information you receive. You can add additional filters to learn more about application usage for individual users, along with the threats detected within your application traffic. In only minutes, ACC arms you with the data you need to make more informed security policy decisions and take action to reduce risk in your enterprise.

Comparative view into traffic and threat patterns

App-Scope is a dynamic, customizable window into your network's activity, presenting you with comparative statistics based upon different timeframes, applications, application categories, threat profiles and more. A standard feature in both our device web-interface and Panorama (centralized management), App-Scope reduces the amount of time you have to spend investigating unusual behavior.

Detailed analysis of all your traffic and device activities

Our log viewer provides a fine-grained view into your network activity. It summarizes all traffic traversing the network – including apps, user information, and threats. The log viewer supports context and expression-based filtering, allowing you to quickly and easily monitor, analyze, and investigate security incidents. The log viewer leverages our firewalls' integration with user repositories, complementing application and threat views with user and group visibility. Logs can be sent automatically to your syslog server, while individual filter results are exportable to a CSV file for offline archival or further analysis.

Customized reporting for all traffic and device activities

Using either your firewall's individual device management interface or Panorama, you will appreciate fingertip access to powerful reporting and logging features that will help you quickly investigate and analyze security incidents, application usage and user behavior. More than 50 predefined, customizable reports - incorporating elements you choose from other reports - are available. You can automate reports to run on a scheduled basis and have the results emailed or exported to a PDF or Excel spreadsheet.

User Visibility:


Users: an integral component for secure application enablement policies

Traditionally, security policies were applied based on IP addresses, but the increasingly dynamic nature of users and applications mean that IP addresses alone have become ineffective as a policy control element for safe application enablement. Our next-generation firewalls integrate with a wide range of enterprise directories and terminal services offerings, allowing you to:
  • See who is using the applications on your network
  • Set policy based on users
  • Perform forensic analysis and generate reports on user activities

Visibility into User’s Application Activity

Visibility into the application activity at a user level, not just at an IP address level, allows you to determine patterns of usage along with the associated business and security risks. With just a few clicks, you will gain visibility into the application bandwidth and session consumption, the associated threats, as well as the source and destination of the application traffic. With this knowledge, you can more proactively align application usage with your business unit requirements through safe application enablement policies.

User-based Policy Control

Visibility into application usage means that you can quickly analyze the role and risk of applications, and who is using them, then translate that information into user-based safe application enablement policies. User-based policy controls can be assembled based on the application, which category and subcategory it belongs in, its underlying technology, or the application characteristics. Examples of user-based policies might include:
  • Enable only the IT department to use tools such as SSH, telnet, and FTP on the standard port
  • Allow the Help Desk Services group to use Yahoo Messenger
  • Block the use of Facebook-apps for all users, allow Facebook for all users, but allow only marketing to use Facebook-posting
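The three example policies above, turned into an added Python model of ordered, first-match rule evaluation (not Palo Alto Networks code and not PAN-OS syntax). The IP-to-user mapping stands in for User-ID, the group table for the directory, and "on the standard port" is modelled as an application-default service that only matches the application's usual ports; every address, user, group, rule and port value here is constructed.

```python
"""User- and group-based policy evaluation modelled on the three example rules
above. Added illustration, not Palo Alto Networks code or PAN-OS syntax; the
IP-to-user mapping, group membership, rules and port table are all constructed."""

# User-ID style mappings (constructed): who is behind an address, and their groups.
IP_TO_USER = {"10.1.1.10": "alice", "10.1.2.20": "bob", "10.1.3.30": "carol"}
USER_GROUPS = {"alice": {"IT"}, "bob": {"Help Desk Services"}, "carol": {"marketing"}}

# Standard ports per application (constructed), used by the "application-default" service.
APP_STANDARD_PORTS = {"ssh": {22}, "telnet": {23}, "ftp": {21},
                      "yahoo-messenger": {5050}, "facebook": {80, 443},
                      "facebook-apps": {80, 443}, "facebook-posting": {80, 443}}

# Ordered rule base: first match wins, anything unmatched falls to the implicit deny.
RULES = [
    {"name": "it-admin-tools", "groups": {"IT"}, "apps": {"ssh", "telnet", "ftp"},
     "service": "application-default", "action": "allow"},
    {"name": "helpdesk-im", "groups": {"Help Desk Services"}, "apps": {"yahoo-messenger"},
     "service": "application-default", "action": "allow"},
    {"name": "block-facebook-apps", "groups": "any", "apps": {"facebook-apps"},
     "service": "any", "action": "deny"},
    {"name": "marketing-fb-posting", "groups": {"marketing"}, "apps": {"facebook-posting"},
     "service": "application-default", "action": "allow"},
    {"name": "block-fb-posting", "groups": "any", "apps": {"facebook-posting"},
     "service": "any", "action": "deny"},
    {"name": "allow-facebook", "groups": "any", "apps": {"facebook"},
     "service": "application-default", "action": "allow"},
]


def groups_for_ip(src_ip: str):
    """User-ID lookup: an unmapped address has no user and therefore no groups."""
    user = IP_TO_USER.get(src_ip)
    return user, USER_GROUPS.get(user, set())


def rule_matches(rule, groups, app, dst_port) -> bool:
    if rule["groups"] != "any" and not (rule["groups"] & groups):
        return False
    if app not in rule["apps"]:
        return False
    if rule["service"] == "application-default":     # "on the standard port"
        return dst_port in APP_STANDARD_PORTS.get(app, set())
    return True


def evaluate(src_ip: str, app: str, dst_port: int):
    """Returns (action, rule name, user) for a flow already classified by App-ID."""
    user, groups = groups_for_ip(src_ip)
    for rule in RULES:
        if rule_matches(rule, groups, app, dst_port):
            return rule["action"], rule["name"], user
    return "deny", "implicit-deny", user


if __name__ == "__main__":
    for flow in [("10.1.1.10", "ssh", 22), ("10.1.1.10", "ssh", 8022),
                 ("10.1.2.20", "yahoo-messenger", 5050), ("10.1.3.30", "facebook-posting", 443),
                 ("10.1.2.20", "facebook-posting", 443), ("10.1.2.20", "facebook", 443),
                 ("10.9.9.9", "ssh", 22)]:
        print(flow, "->", evaluate(*flow))
```

Note that SSH from the IT user on a non-standard port and SSH from an address with no User-ID mapping both fall to the implicit deny, which is the behaviour the first example rule asks for.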

User-based Analysis, Reporting and Forensics

User information is pervasive throughout our firewall feature set - and that includes fine-grained forensic analysis and reporting. You can easily create log filters by clicking on a cell value, which can then be expanded with additional criteria using the expression builder. Informative reports on user activities can be generated using any one of the many pre-defined reports, by creating a custom report from scratch, or by modifying a pre-defined report. Any of the reports – pre-defined or custom – can be exported to CSV, PDF or XML, or emailed on a scheduled basis.

Integration with any user repository

Our firewalls can integrate with an extensive list of user repositories and terminal services offerings that are complemented by an XML API and an explicit challenge response mechanism. Integration points include:  
  • Directory services: Microsoft Active Directory, Microsoft Exchange, OpenLDAP, and eDirectory
  • Terminal services: Citrix XenAPP, Microsoft Terminal Services, and an XML API for non-standard terminal services environments 
  • Syslog Listener natively harvests user information from Blue Coat Proxy, Citrix Access Gateway, Aerohive AP, Cisco ASA, Juniper SA Net Connect, and the Juniper Infranet Controller
  • XML API: In cases where the syslog listener is not applicable, XML API allows you to integrate user information into your security policies from other user directories, and authentication mechanisms

APT Prevention:


WildFire: Protection from targeted and unknown threats

Modern attackers are increasingly using targeted and new unknown variants of malware to sneak past traditional security solutions. To address this, Palo Alto Networks developed WildFire, which identifies new malware in minutes. By executing suspect files in a virtual environment and observing their behavior, Palo Alto Networks identifies malware quickly and accurately, even if the malware sample has never been seen before.
Once a file is deemed malicious, WildFire automatically generates protections that are delivered to all WildFire subscribers within an hour of detection. A WildFire license provides your IT team with a wealth of forensics to see exactly who was targeted, the application used in the delivery, and any URLs that were part of the attack.

Sandbox analysis of unknown threats

Advanced cyber attacks are employing stealthy, persistent methods to evade traditional security measures. WildFire identifies unknown malware, zero-day exploits, and Advanced Persistent Threats (APTs) through dynamic analysis in a scalable cloud-based, virtual environment. We directly observe the behavior of the malware and exploits, then WildFire automatically generates and distributes protections globally in as little as 30 minutes.

DNS-based intelligence

DNS traffic exists in nearly every organization, creating an overwhelming ocean of data that security teams often ignore, or do not have the tools to properly analyze. Knowing this, cyber attackers are increasingly abusing DNS to mask their command-and-control (C2) activity in order to deliver additional malware or steal valuable data. Malicious domain names controlled by attackers enable the rapid movement of command-and-control centers from point to point, bypassing traditional security controls such as blacklists or web reputation. Palo Alto Networks addresses this by:
  • Allowing opt-in passive DNS monitoring, creating a database of malicious domains and infrastructure across our global customer base. This intelligence is used by PAN-DB URL filtering, DNS-based command-and-control signatures, and WildFire to prevent future attacks.
  • Enabling customers to create a local DNS sinkhole, re-directing malicious queries to an address of your choosing to quickly identify and block compromised hosts on the local network.
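The sinkhole mechanism described above, as an added example (not Palo Alto Networks code): responses for listed domains are rewritten to a sinkhole address, and the traffic log is then searched for hosts that connect to that address, which is what exposes the infected host when the DNS query itself only ever appears to come from the internal resolver. The sinkhole IP, domain list and log lines are all constructed.

```python
# Assumed sinkhole address: an otherwise unused address inside the network.
SINKHOLE_IP = "10.255.255.254"
# Constructed list of domains flagged as command-and-control infrastructure.
MALICIOUS_DOMAINS = {"update-check.example-c2.test", "cdn.bad-host.test"}


def is_sinkholed(qname):
    """True if the queried name, or any parent domain of it, is on the list."""
    labels = qname.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in MALICIOUS_DOMAINS for i in range(len(labels)))


def resolve_with_sinkhole(qname, real_answer):
    """Emulate the firewall's DNS sinkhole on a response: listed domains get
    SINKHOLE_IP instead of the attacker's address; everything else is untouched."""
    return SINKHOLE_IP if is_sinkholed(qname) else real_answer


# Constructed traffic log lines (src, dst, dport). The DNS query itself is
# only ever seen from the internal resolver (10.0.0.53), which hides the
# infected host; the follow-up connection to the sinkhole address reveals it.
SAMPLE_TRAFFIC = [
    "src=10.0.0.53 dst=203.0.113.9 dport=53",
    "src=10.0.3.17 dst=10.255.255.254 dport=443",
    "src=10.0.3.17 dst=198.51.100.20 dport=443",
    "src=10.0.7.4 dst=10.255.255.254 dport=80",
    "src=10.0.3.17 dst=10.255.255.254 dport=8080",
]


def infected_hosts(traffic_lines):
    """Map each internal source that contacted the sinkhole to the ports it tried."""
    hosts = {}
    for line in traffic_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        if fields.get("dst") == SINKHOLE_IP:
            hosts.setdefault(fields["src"], []).append(int(fields["dport"]))
    return hosts
```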

Behavioral botnet report

Our behavioral botnet report correlates traffic anomalies and end-user behaviors to identify devices on your network that are likely to be infected by a botnet. The logic supporting the report tracks unknown or anomalous TCP and UDP traffic, as well as a variety of potentially suspicious behaviors such as repeated download patterns, the use of dynamic DNS, and browsing anomalies. These factors are correlated to create a report that provides you with a list of users that are likely infected, and the behaviors that led to the diagnosis.

IPS:

Today's attacks on your network use a combination of application vectors and exploits. Palo Alto Networks next-generation firewalls arm you with a two-pronged approach to stopping these attacks. Unwanted applications are blocked through App-ID, and the applications you choose to allow through are scanned for vulnerability exploits by our NSS-approved IPS engine.

Enable full IPS protection while maintaining performance

We deliver predictable IPS performance to you through hardware acceleration, a uniform signature format and a single pass software architecture. Dedicated processing and memory for content inspection, as well as networking, security and management, provides the hardware acceleration necessary for predictable IPS performance.
  • Dedicated processing means that key functions do not compete for processing cycles with your other security functions, which happens in a single CPU or ASIC/CPU hardware architecture.
  • A uniform signature format eliminates redundant processes common to multiple scanning engine solutions (TCP reassembly, policy lookup, inspection, etc.).
  • Single pass software means that your traffic is touched only once, no matter how many policy elements are in use.

Blocks a wide range of known and unknown vulnerability exploits

Our rich set of intrusion prevention features blocks known and unknown network and application-layer vulnerability exploits from compromising and damaging your enterprise information resources. Vulnerability exploits, buffer overflows, and port scans are detected using proven threat detection and prevention (IPS) mechanisms, including:
  • Protocol decoder-based analysis statefully decodes the protocol and then intelligently applies signatures to detect vulnerability exploits.
  • Protocol anomaly-based protection detects non-RFC compliant protocol usage such as the use of overlong URI or overlong FTP login.
  • Stateful pattern matching detects attacks across more than one packet, taking into account elements such as the arrival order and sequence.
  • Statistical anomaly detection prevents rate-based DoS flooding attacks.
  • Heuristic-based analysis detects anomalous packet and traffic patterns such as port scans and host sweeps.
  • Passive DNS monitoring to globally identify and build protections for compromised domains and infrastructure, and local DNS sinkholing to re-direct malicious requests to an address of your choosing for discovery and blocking of infected hosts.
  • Other attack protection capabilities, such as blocking invalid or malformed packets, IP defragmentation and TCP reassembly, protect you against evasion and obfuscation methods used by attackers.
  • Custom vulnerability or spyware phone home signatures that can be used in either anti-spyware or vulnerability protection profiles.

DoS/DDoS attack protection

Palo Alto Networks next-generation firewalls protect you from denial of service (DoS) attacks using a policy-based approach that ensures accurate detection. You can deploy DoS protection policies based on a combination of elements including type of attack, or by volume (both aggregate and classified), with response options including allow, alert, activate, maximum threshold and drop. Specific types of DoS attacks covered include:
  • Flood protection—Protects you against SYN, ICMP, UDP, and other IP-based flooding attacks.
  • Reconnaissance detection—Allows you to detect and block commonly used port scans and IP address sweeps that attackers run to find potential targets.
  • Packet-based attack protection—Protects you from large ICMP packets and ICMP fragment attacks.
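The rate-based DoS protection described above (and the statistical anomaly detection item in the IPS list), as an added example that is not Palo Alto Networks code: a sliding-window rate monitor with the alert, activate and maximum thresholds the page names, applied both in aggregate and classified per source, so a single flooding host is dropped while benign hosts are still allowed. All rates, addresses and the traffic scenario are assumed.

```python
from collections import deque

VERDICTS = ["allow", "alert", "activate", "drop"]   # ordered by severity


class FloodMonitor:
    """Sliding-window rate monitor with the three levels the page names:
    alert (alarm only), activate (start mitigation) and maximum (drop).
    Rates are new connections per second; the numbers used below are assumed."""

    def __init__(self, alert_rate, activate_rate, max_rate, window=1.0):
        self.alert_rate = alert_rate
        self.activate_rate = activate_rate
        self.max_rate = max_rate
        self.window = window
        self.events = deque()   # timestamps of new connections inside the window

    def observe(self, ts):
        """Record one new connection at time ts and return the verdict."""
        self.events.append(ts)
        while self.events and self.events[0] <= ts - self.window:
            self.events.popleft()
        rate = len(self.events) / self.window
        if rate > self.max_rate:
            return "drop"
        if rate > self.activate_rate:
            return "activate"
        if rate > self.alert_rate:
            return "alert"
        return "allow"


class DosProtection:
    """An aggregate limit for a whole zone plus a classified (per-source) limit,
    so a single abusive source is cut off long before the aggregate is reached
    and legitimate hosts keep getting through."""

    def __init__(self, aggregate, classified):
        self.aggregate = FloodMonitor(*aggregate)
        self.classified_limits = classified
        self.per_source = {}

    def new_connection(self, src_ip, ts):
        agg = self.aggregate.observe(ts)
        mon = self.per_source.setdefault(src_ip, FloodMonitor(*self.classified_limits))
        cls = mon.observe(ts)
        return max(agg, cls, key=VERDICTS.index)   # the stricter verdict wins


def simulate():
    """Constructed scenario: 50 benign hosts each opening about 2 connections/s,
    then one host (198.51.100.77) opening 150 connections in half a second.
    Returns (last verdict for the flooder, verdict for a benign host during the
    flood, number of flooder connections dropped, set of background verdicts)."""
    dp = DosProtection(aggregate=(500, 1000, 2000), classified=(20, 50, 100))
    t = 0.0
    benign = []
    for i in range(300):                       # 3 s of background traffic
        t += 0.01
        benign.append(dp.new_connection("192.0.2.%d" % (i % 50 + 1), t))
    flood = []
    for _ in range(150):                       # 300 connections/s from one source
        t += 1 / 300
        flood.append(dp.new_connection("198.51.100.77", t))
    during_flood = dp.new_connection("192.0.2.1", t + 0.001)
    return flood[-1], during_flood, flood.count("drop"), set(benign)


if __name__ == "__main__":
    print(simulate())
```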

Market leading threat discovery and research

Our intrusion prevention engine is supported by a team of seasoned signature developers. Our team is highly active in the threat prevention community, performing ongoing research and working closely with software vendors - both informally and formally - through programs such as the Microsoft Active Protections Program (MAPP). As a member of MAPP, we have priority access to Microsoft's monthly and out-of-band security update releases.
By receiving vulnerability information early, Palo Alto Networks can develop and deliver signatures to you in a synchronized manner to ensure that you are fully protected. Signature updates are delivered on a weekly schedule or emergency basis. To date, our team has been credited with the discovery of numerous critical and high severity vulnerabilities in both Microsoft and Adobe applications.

Data Filtering & File Blocking:

The application function level control, file blocking by type, and data filtering features of our next-generation firewalls allow you to implement a range of policies that help balance permitting the use of personal or non-work related applications, with the business and security risks of unauthorized file and data transfer.

Enabling applications while blocking unapproved or dangerous files by type

Our next-generation firewalls give you the ability to control the flow of a wide range of file types by looking deep within the payload to identify the file type (as opposed to looking only at the file extension), to determine if a file transfer is allowed by your policy. You can implement file blocking by type on a per application basis. This enables you to do things like approve a specific webmail application like Gmail, and allow attachments, but block the transfer of specific file types.

Enabling or denying the use of file transfer functions

Function level control over file transfer represents another policy option that helps you balance application use with policy control. You can establish policies to allow IM or webmail application usage, but deny a related file transfer function.

Prevent data loss with pattern-based content identification

Rounding out our filtering features is the ability to identify and control the transfer of sensitive data patterns such as credit card numbers, social security numbers or custom data patterns in application content or attachments.
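The two content-inspection ideas above (identifying a file by its payload rather than its extension, and pattern-based detection of card numbers) as one added example that is not Palo Alto Networks code: a small magic-byte classifier with an assumed blocking profile, and a credit card finder that only reports 16-digit sequences passing the Luhn check. The magic-byte table and sample inputs are assumed.

```python
import re

# Assumed magic-byte table covering a few types worth controlling by policy.
MAGIC = [
    (b"MZ", "pe-executable"),
    (b"\x7fELF", "elf-executable"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
BLOCKED_TYPES = {"pe-executable", "elf-executable"}   # assumed file blocking profile


def identify_file_type(payload):
    """Classify by the leading bytes of the payload, ignoring the file name."""
    for magic, name in MAGIC:
        if payload.startswith(magic):
            return name
    return "unknown"


def file_blocked(filename, payload, blocked_types=BLOCKED_TYPES):
    """Decide on payload content, so renaming tool.exe to photo.jpg changes nothing."""
    return identify_file_type(payload) in blocked_types


# 16-digit card-number candidates, digits optionally separated by a space or
# dash, not embedded in a longer digit run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_ok(digits):
    """Luhn check-digit validation, as used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text):
    """Return 16-digit sequences that pass Luhn. Sequences that look like
    card numbers but fail the check (order ids, serial numbers) are not
    reported, which keeps false positives out of the data filtering log."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            found.append(digits)
    return found


def inspect_transfer(filename, payload):
    """Combined decision for one file transfer: (blocked_by_type, card_numbers)."""
    text = payload.decode("utf-8", errors="ignore")
    return file_blocked(filename, payload), find_card_numbers(text)
```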


Networking & Integration Features

Safely enabling applications based on users and groups are just a few of the many features that every Palo Alto Networks next-generation firewall supports. A flexible networking foundation facilitates integration into nearly any network. IPsec and SSL VPN deliver enterprise-wide connectivity. Stateful high-availability ensures that your network is always protected.

Networking
Virtualization Security
IPv6
Decryption
VPN

Networking:

Our flexible networking architecture includes dynamic routing, switching, and VPN connectivity, which enables you to easily deploy Palo Alto Networks next-generation firewalls into nearly any networking environment.

Integrate into any architecture with our flexible networking architecture

  • L2/L3 networking: Our firewalls use an L2/L3 architecture that leverages zone-based security enforcement, which enables deployments in switched and routed environments.
  • Dynamic routing: Support for OSPF, RIP and BGP combined with full 802.1Q VLAN support is provided for both layer 2 and layer 3 deployments, so all of your services can be enabled while seamlessly integrating with your existing routing or VLAN architecture.
  • Virtual Wire: Virtual Wire gives you a true transparent mode by logically binding two ports together, and passing all your traffic to the other port, without any switching or routing. Full inspection and control for all traffic is enabled with zero impact on your surrounding devices, and no networking protocol configuration is required. Multiple Virtual Wire pairs can be configured to support multiple network segments.

Multicast traffic routing participation

Multicast support includes identification and control of multicast traffic, as well as the ability to participate in multicast routing and group management through PIM-SM, PIM-SSM and IGMP support.

Virtualization Security:

The VM-Series supports the exact same next-generation firewall and advanced threat prevention features available in our physical form factor appliances, allowing you to safely enable applications flowing into and across your private, public and hybrid cloud computing environments. Automation features and an API enable you to dynamically update security policies as your VM environment changes, eliminating potential security lag. The VM-Series supports the following hypervisors: VMware ESXi and NSX, Citrix SDX, KVM (CentOS/RHEL, Ubuntu), and Amazon Web Services.

Enable Applications, Block Known and Unknown Threats

With the VM-Series next-generation firewall and threat prevention, you can implement the same level of protection available for your physical network. Allow and control applications based on the identity, not the port. Inspect all traffic into and across the cloud for known and unknown threats. Isolate mission critical applications and data using Zero Trust principles of never trust, always verify.

Automated Tracking of VM Context Changes

VM Monitoring polls your virtualization environments for virtual machine inventory and attribute changes, collecting this context in the form of tags that are then used in Dynamic Address Groups to dynamically create or update security policies.

Dynamic Policy Creation and Update

Dynamic Address Groups automate policy creation using tags (from VM Monitoring) as an identifier for virtual machines instead of static object definitions such as an IP address. As you add, remove or change VMs, your security policies are dynamically updated, eliminating any security policy lag associated with VM changes.
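The tag-based membership mechanism described above, as an added example that is not Palo Alto Networks code: a small parser for match criteria written with quoted tags, and/or and parentheses (the exact PAN-OS grammar is an assumption here), evaluated against a constructed VM inventory, so that adding a VM with the right tags changes group membership without any policy edit.

```python
import re

# Token pattern for the match criteria: single-quoted tags, parentheses and the
# keywords and/or. This mirrors Dynamic Address Group match criteria as
# understood here; treat the exact grammar as an assumption.
TOKEN_RE = re.compile(r"\s*(?:'(?P<tag>[^']*)'|(?P<paren>[()])|(?P<op>and|or)\b)", re.IGNORECASE)


def tokenize(expr):
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = TOKEN_RE.match(expr, pos)
        if not m:
            raise ValueError("bad match criteria near %r" % expr[pos:])
        pos = m.end()
        if m.group("tag") is not None:
            tokens.append(("tag", m.group("tag")))
        elif m.group("paren"):
            tokens.append(("paren", m.group("paren")))
        else:
            tokens.append(("op", m.group("op").lower()))
    return tokens


class Parser:
    """Recursive-descent parser: or_expr := and_expr ('or' and_expr)*,
    and_expr := primary ('and' primary)*, primary := tag | '(' or_expr ')'."""

    def __init__(self, tokens):
        self.tokens, self.i = tokens, 0

    def peek(self):
        return self.tokens[self.i] if self.i < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.i += 1
        return tok

    def parse(self):
        node = self.parse_or()
        if self.peek() is not None:
            raise ValueError("unexpected token %r" % (self.peek(),))
        return node

    def parse_or(self):
        node = self.parse_and()
        while self.peek() == ("op", "or"):
            self.take()
            node = ("or", node, self.parse_and())
        return node

    def parse_and(self):
        node = self.parse_primary()
        while self.peek() == ("op", "and"):
            self.take()
            node = ("and", node, self.parse_primary())
        return node

    def parse_primary(self):
        tok = self.take()
        if tok is None:
            raise ValueError("match criteria ended unexpectedly")
        if tok[0] == "tag":
            return tok
        if tok == ("paren", "("):
            node = self.parse_or()
            if self.take() != ("paren", ")"):
                raise ValueError("missing ')'")
            return node
        raise ValueError("unexpected token %r" % (tok,))


def evaluate(node, tags):
    """Evaluate a parsed expression against one VM's set of tags."""
    if node[0] == "tag":
        return node[1] in tags
    left, right = evaluate(node[1], tags), evaluate(node[2], tags)
    return (left and right) if node[0] == "and" else (left or right)


def resolve_group(match_criteria, inventory):
    """Return the sorted member IPs: VMs whose tags satisfy the criteria.
    inventory is {ip: set_of_tags}, the context VM Monitoring collects."""
    tree = Parser(tokenize(match_criteria)).parse()
    return sorted(ip for ip, tags in inventory.items() if evaluate(tree, tags))


# Constructed inventory as VM Monitoring might report it (private addresses
# and made-up tags).
INVENTORY = {
    "10.1.1.10": {"web", "production"},
    "10.1.1.11": {"web", "staging"},
    "10.1.2.20": {"db", "production"},
    "10.1.3.30": {"web", "production", "quarantine"},
}
```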

Customization and 3rd Party Tool Integration

The fully-documented REST-based API allows you to collect VM changes and programmatically make security part of your cloud computing workflow using customized tools or cloud orchestration tools such as OpenStack or CloudStack.

Decryption:


Identify & Control Encrypted Traffic

Take control of your SSL and SSH encrypted traffic and ensure it is not being used to conceal unwanted activity or dangerous content. Using policy-based decryption and inspection, you can confirm that SSL and SSH are being used for business purposes only, instead of to spread threats or unauthorized data transfer.

Identify, control and inspect inbound SSL traffic

Policy-based identification, decryption, and inspection of inbound SSL traffic (from outside clients to internal servers) can be applied to ensure that applications and threats are not hiding within SSL traffic. A server certificate and private key are installed on Palo Alto Networks next-generation firewalls to handle decryption. By default, SSL decryption is disabled.

Identify, control and inspect outbound SSL traffic

Policy-based identification, decryption and inspection of outbound SSL traffic (from users to the web) can be applied to make sure that applications and threats are not hiding within SSL traffic. Our firewalls use a 'man-in-the-middle' approach in which device certificates are installed in the user's browser. By default, SSL decryption is disabled.

Offload SSL traffic for additional analysis and archiving.

If your organization requires comprehensive data capture for forensic and historical purposes or data leak prevention (DLP) functionality, you can use port mirroring to forward a copy of decrypted SSL traffic to a 3rd party solution such as NetWitness or Solera for more granular analysis or archiving purposes. Supported only on the PA-5000 Series and the PA-3000 Series.

Simplify SSL certificate signing and management process.

You can utilize dedicated hardware security modules (HSM) to manage the certificate signing functions for SSL forward proxy, SSL inbound inspection, and the master key storage functions. An HSM is generally needed when FIPS 140-2 Level 3 protection for CA keys is required.
  • Supported HSMs: SafeNet Luna SA and Thales nShield Connect.
  • Platforms supported: PA-5000 Series, PA-4000 Series, PA-3000 Series, VM-Series and the M-100 management appliance.

Identify and control SSH traffic.

Our enterprise security platform gives you policy-based identification and control of SSH tunneled traffic. A 'man-in-the-middle' approach is used to detect port forwarding or X11 forwarding within SSH, which is then reported as an SSH tunnel, while regular shell, SCP and SFTP access to the remote machine is reported as SSH. By default, SSH control is disabled.

VPN:


Standards-based VPN Connectivity

Secure site-to-site and remote user connectivity is a critical infrastructure component. Every Palo Alto Networks next-generation firewall platform allows you to easily and securely communicate between sites using standards-based IPSec VPN connections. Remote user communications are protected through a rich set of VPN features.

Secure site-to-site connectivity through IPSec VPN

Standards-based IPSec VPN connectivity, combined with application visibility and control, protects communications between two or more Palo Alto Networks devices and/or another vendor's IPSec VPN device.

Large-Scale VPN

If you have a lot of branch offices or retail stores, you may need to deploy site-to-site VPN across a number of locations. Large-Scale VPN automatically configures your key VPN tunnel settings, making it easy for staff at your branch office to deploy new firewalls. When a new firewall is brought online, it will use an available Internet connection to authenticate with a GlobalProtect Portal and pick up the latest VPN settings to maintain ongoing, secure communications.

Consistent Security Everywhere

GlobalProtect lets remote users access your network by automatically establishing either an SSL- or IPSec-based VPN connection, depending on location and configuration. This remote access connection is authenticated through one of several mechanisms: local DB, RADIUS, LDAP, Active Directory, Kerberos or smartcards. Once a secure connection is established, users are protected by the same security policies as your on-site users. GlobalProtect secures users on a range of platforms, including:
  • Windows
  • Mac OS X
  • Linux
  • iOS
  • Android

Management Features


Policy Control
Redundancy
Device Management
Virtual Systems

Policy Control:


Secure Application Enablement

The increased visibility into applications, users and content delivered by Palo Alto Networks simplifies figuring out which applications are traversing your network, who is using them, and the potential security risks. Armed with this data, you can apply secure enablement policies with a range of responses that are more finely tuned than the traditional 'allow or deny' approach.

Balancing protection and enablement with fine-grained policy enforcement

App-ID graphically displays the applications that are traversing your network. It allows you to see who is using applications and the potential security risks. This information empowers you to quickly deploy application-, application function-, and port-based enablement policies in a systematic and controlled manner. Your policies may range from open (allow), to moderate (enabling certain applications or functions, then scanning, shaping, scheduling, etc.), to closed (deny). Examples may include:
  • Allow or deny
  • Allow based on schedule, users, or groups
  • Apply traffic shaping through QoS
  • Allow certain application functions such as file transfer within instant messaging
  • Allow, but scan for viruses and other threats
  • Decrypt and inspect
  • Apply policy-based forwarding
  • Any combination of the above
Mixing next-generation policy criteria like applications, application functions, users, groups and regions, with traditional policy criteria such as source, destination and IP address, allows you to deploy the appropriate policy.

Selectively filter applications to quickly create policy control lists

Our application browser allows you to add dynamic application filters to your security policy using a wide range of criteria including:
  • Category
  • Subcategory
  • Underlying technology
  • Behavioral characteristic (file transfer capabilities, known vulnerabilities, ability to evade detection, propensity to consume bandwidth, and malware transmission/propagation)
Additional application details you will receive include a description of the application, the commonly used ports, and a summary of the individual application characteristics. Using the application browser allows you to quickly research an application and immediately translate the results into a security policy.

Stop threats and unauthorized file/data transfer

The same levels of fine-grained control that you can apply to a specific set of applications can also be extended to threat prevention. Using a very targeted approach, you can apply:
  • Antivirus and anti-spyware policies to allowed webmail applications
  • IPS policies to Oracle database traffic
  • Data filtering profiles to file transfers within instant messaging

Traffic shaping ensures business applications are not bandwidth starved

Secure application enablement may entail allowing bandwidth intensive applications such as streaming media. You can strike an appropriate balance by using QoS policies that ensure your business-critical applications are not starved of bandwidth by non-work related applications.
  • Guaranteed, maximum and priority bandwidth can be applied across eight traffic queues
  • Your policies can be applied to physical interface, IPSec VPN tunnels, applications, users, source, destination and more
  • Diffserv marking is supported, enabling application traffic to be controlled by a downstream or upstream networking device

Flexible, policy-based control over web usage

To complement the application visibility and control enabled by our App-ID, you can use URL categories as a match criterion for your policies. Instead of creating policies limited to 'allow all' or 'block all' behavior, using URL category as a match criterion permits exception-based behavior. This increases your flexibility and gives you more granular policy enforcement capabilities. Examples of how URL categories can be used in your policy include:
  • Identify and allow exceptions to your general security policies for users who may belong to multiple groups within Active Directory (e.g., deny access to malware and hacking sites for all users, yet allow access to users that belong to the security group)
  • Allow access to streaming media category, but apply QoS to control your bandwidth consumption
  • Prevent file download/upload for URL categories that represent higher risk (e.g., allow access to unknown sites, but prevent upload/download of executable files from unknown sites to limit malware propagation)
  • Apply SSL decryption policies that allow encrypted access to finance and shopping categories, but decrypt and inspect traffic to all other categories

Systematically identify and control unknown traffic

Every network has a small amount of unknown traffic. Usually, unknown traffic comes from an internal, custom-developed application. In other cases, it is an unidentified commercial application or, in the worst case, a threat. Regardless of the amount of unknown traffic, it is a concern for you.
Use the application control features built into Palo Alto Networks next-generation firewalls to systematically identify, investigate and manage unknown traffic on your network. You will notice a dramatic reduction in the risks posed to you by unknown traffic.

Redundancy & Resiliency:

Palo Alto Networks next-generation firewalls support a series of redundancy and resiliency features that ensure your firewall will continue to provide the secure application enablement you need to keep your business running.

Stateful Active/Active or Active/Passive high availability

Active/passive and active/active high availability are supported by our firewalls, complete with session and configuration synchronization. Active/passive high availability supports traditional network designs in which all network traffic passes through a single firewall. Active/active high availability enables application control and threat prevention if you have an asymmetric environment.
  • Active/passive: The active device continuously synchronizes its configuration and session information with the identically configured passive device. A heartbeat connection between the two identically configured devices ensures seamless failover if the active device goes down.
  • Active/active: Firewalls in an active/active configuration continuously synchronize their configuration and session information. If either device fails, a heartbeat connection signals the other device to take over all of your operations. This ensures session continuity if a device or network fails. To better support asymmetrically routed environments, you can deploy two devices in an HA configuration with either virtual wire interfaces or layer 3 interfaces. App-ID and Content-ID are fully supported in asymmetric environments. Active/active also incorporates flexible layer 3 deployment options supporting load-sharing and interface IP failover.

Built-in resiliency and component redundancy

Because our data plane and control plane are physically separate, firewall management access is always available to you when your network experiences heavy traffic, irrespective of your traffic or management load. The data plane houses dedicated processing and memory for networking, security and content inspection; the control plane houses dedicated management processing and memory.
The PA-5000 Series supports several levels of hardware component redundancy:
  • Dual hot swappable power supplies
  • Dual, solid-state cold swappable hard disk drives
  • Single, swappable fan tray
The PA-4000 Series also supports dual hot-swappable power supplies.

Device Management:

Our firewall management philosophy is to make administrative tasks such as report generation, log queries, policy creation, and ACC browsing easy to execute and consistent, no matter which mechanism - web interface, Panorama, CLI or API - you use.

Intuitive and efficient policy management workflow

The familiar look and feel of our policy editor, combined with drag-and-drop objects and rule tagging, will allow you to establish a policy management workflow that suits your administrative processes.
  • The policy-browser allows you to quickly create policies that include application, user, and traffic specific threat prevention (IPS, Antivirus, Anti-spyware, etc.), thereby eliminating the duplicate data entry common in other offerings.
  • Object drag-and-drop reduces administrative effort by allowing you to reuse the policy objects (users, applications, services or IP addresses) that you have already created.
  • Rule tagging allows you to “tag” rules with common names (e.g., DMZ, perimeter, datacenter) so that you can easily search and manage those rules as needed.

Granular control over administrative access

If you have delegated specific sets of tasks to individual staff members, our role-based administration will allow you to designate any of the firewall's features and corresponding capabilities to be fully enabled, read-only or disabled (hidden from view) for specific administrators. For example:
  • Your operations staff can be given access to the firewall and networking configuration.
  • Your security administrators can be granted control over security policy definition, the log viewer and reporting.
  • You can allow key individuals full CLI access, while for others the CLI may be disabled.
All administrative activities are logged so you can see the time of occurrence, the administrator, the management interface used (web interface, CLI, Panorama and the API), and the command or action taken along with the result.

Centralized management of your Palo Alto Networks firewalls

Panorama provides centralized management for multiple Palo Alto Networks next-generation firewalls, enabling you to:
  • Browse ACC, view logs, and generate reports across all your firewalls from a central location.
  • Use device groups and templates to centrally manage your firewall configurations, regardless of location.
  • Manage device licenses and updates for software, content, and clients (SSL VPN, GlobalProtect).
By using the same user interface as our individual firewalls, Panorama eliminates the learning curve associated with switching from one mechanism to another. Regardless of the task at hand, the steps you may need to take will be the same.

Industry standard management tools and APIs

A rich set of industry standard management interfaces, combined with a helpful set of APIs, allows you to integrate with existing third-party solutions for superior policy/configuration management, log analysis, reporting and more.
  • APIs: A REST management API and a User-ID XML API give you a powerful set of tools to streamline operations and integrate with existing, internally developed applications and repositories.
  • Syslog and SNMP v2/3: All logs can be sent to your syslog server for archival and analysis purposes, while SNMP v2/3 support enables integration with a wide range of third-party tools.
  • Netflow: Export your IP traffic flow information to a Netflow connector. Separate template records are defined for IPv4, IPv4 with NAT, and IPv6 traffic, while PAN-OS specific fields for App-ID and User-ID can be optionally exported. Netflow integration is not supported on the PA-4000 Series.
In addition to our management interfaces and APIs, the Palo Alto Networks Technology Partner Program makes information available to you on many leading management, reporting and analysis vendors.

Virtual Systems:


Scalable Firewall Services With Virtual Systems

Virtual systems are unique and distinct next-generation firewall instances within a single Palo Alto Networks firewall. Instead of deploying many individual firewalls, security service providers and enterprises can deploy a single pair of firewalls (high availability) and enable a series of virtual firewall instances (virtual systems). Each virtual system is an independent (virtual) firewall within your firewall that is managed separately and cannot be accessed or viewed by other users.

Managed services for customers, business groups, or departments

The flexibility and efficiencies of virtual systems offer security service providers and enterprises very attractive ways to enhance business efficiencies. These include:
  • Improved scalability due to fewer devices
  • Adding customers
  • Lower capital and operational expenditures
Two ways service providers or enterprises use virtual systems are for multi-tenant managed services delivery, or as separate firewall instances within an enterprise network:
  • Multi-tenant managed services: Within a managed services environment, it's very cost-effective to have a single device support distinct firewall instances. This allows you to deliver security services to multiple customers with just a single device. The breadth of functionality and configuration flexibility we provide lets each customer select from a menu of service offerings, each of which can be enabled and disabled quickly and effectively. Role-based administration allows you to enable your customer to have access to certain functions (such as logging and reporting), while hiding or providing 'read only' (policy editor) access to other functions.
  • Departmental services: If you're a large organization, certain technical or compliance requirements may dictate that departmental traffic be protected by a unique firewall instance. On an internal network, a single firewall instance with virtual systems support is extremely cost-effective. Each department can be assigned security services from the 'menu,' and then billed back for those services to demonstrate a return on investment. Just like in a managed services environment, you can allow department staff to have either 'read only' or full access to certain firewall functions while the device is centrally managed by IT.

Protecting network resources through segmentation

Network segmentation is considered to be a network security best practice because it enables your IT department to isolate and more effectively protect critical data. By creating a virtual firewall for a segment of your network, you can protect key content from unapproved access as well as threats and possible data loss. Virtual systems are just one way that you can easily segment your network with Palo Alto Networks.

Granular, role-based administrative control

Each virtual system is a self-contained, fully operational Palo Alto Networks firewall, complete with separate management interfaces. This ensures that other customers or departments can only see or modify their own policies. Within each virtual system, role-based administrative access control allows you to delegate feature-level administrative access (enabled, read-only, or disabled and hidden from view) to different staff. Using role-based administration, service providers can build a menu of services to selectively enable, while enterprises can delegate access to key individuals as needed.
