Saturday, 4 August 2018

Platform architecture

__________________________________________________________________________________

Platforms and Architecture

So,

We can start by reviewing the firewalls one by one.
Palo Alto PA-200

(image: Palo Alto PA-200 front)

The above is the entry level firewall.
I have two in my lab.
The key is that everything here runs on the CPUs. There are two: one for management and one for the data plane.

Palo Alto PA-500

(image: Palo Alto PA-500 front)

A step above the PA-200, but it still runs everything on CPUs.

Palo Alto PA-2000

I've bundled both since they are similar.
The 2050 has more interfaces and twice the throughput.
Both of the above have a relatively weak management CPU, so committing configurations will take a while.
So they cost less, but you need patience with them.





Palo Alto PA-3000

(image: PA-3020 front)

The key points for this firewall are:
Dedicated HA ports (HA1 and HA2).
The network processing and the security processing share the same CPUs.


PA-3050
This one has a dedicated network FPGA (field programmable gate array).

PA-4000
The PA-4000s have reached EOL.
So I can't be bothered with them.


PA-5000
I tried to condense three models into one slide.
So the 5020 is nice.
The 5050 and 5060 have 10G ports.

PA-7000
The 5060 was taken as is and made into a line card for the chassis.
This is not mentioned in the ACE training, but the numbers will be the same for the NPC line card.

(image: PA-7000 front)


This Chassis will probably be included in the next revision of the training.


Virtual Firewalls

These firewalls enable you to use an ESXi host as the basis of the firewall.
Technically also supported:
KVM (CentOS/RHEL)
Ubuntu
Amazon Web Services (1000-HV)

Palo Alto Appliances
Palo Alto also has appliances.
The M-100 enables you to run Panorama on it.

You can also run Panorama as a virtual device on ESXi.

(image: panorama-vm-icon)



Palo Alto WildFire appliance
Normally WildFire runs in the cloud.
Due to security concerns, some companies want a local WildFire in their datacenter/cloud.
So this device is it.

(image: WF-500 WildFire Palo Alto)


That is it on the hardware itself!

Now,
the key features you can discuss in Palo Alto.
The separation of the control plane and the data plane.

(image: Palo Alto control plane)

If you recall from the hardware slides,
each firewall has a separate CPU, at least for the management (control) plane and the data plane.
Even the virtual firewalls on the hypervisors require you to have 2 CPUs so you can split this.
So
the control plane runs independently of the data plane. That means you can manage it and traffic will still flow.


The architecture of Palo Alto firewalls.

(image: Palo Alto architecture)

So signature matching is done in parallel.
The stream passes through and is scanned for "signatures" or patterns.

Security processing requires computation to calculate keys for SSL and IPsec, opening SSL and setting up sessions.
This is a simple set of CPU tasks.
The actual rules are processed here too and the logs are created. So: report & enforce.

Network processing does networking, like NAT and QoS.



So as you can see, different items can leverage the single pass,
and other items can leverage parallel processing.

(image: Single Pass Palo Alto)

Single Pass
* Classifying the traffic {APP-ID} = identify the apps
* User mapping {USER-ID} = identify the users
* Content scanning {CONTENT-ID} = open the data and scan the content
Parallel Processing
* The management plane runs on its own CPU
** The security, content and networking processing run on different CPUs.


How the packet flows.
This is a "simplified" diagram.
Memorize it.

(image: Palo Alto flow logic)

The packet comes in and the source zone is applied to it.
The destination is figured out using routing/switching.
Based on the destination, the destination zone is determined.
If NAT will be done, it is calculated.

Check if the ports are allowed - for example, only port 80 is allowed, so this enables you to drop everything else.
Create the session.

Check if the traffic is encrypted.
If it is, then decrypt it.
Check if the application is overridden!! - An application override labels something as an app {you create this}.
Apply the application ID based on the Palo Alto database of apps.

Check what the security policy says.
If the policy permits the traffic, check if there is a PROFILE attached to the policy.

SSL re-encrypt.
NAT apply.
Forward.....

If you want more details.
https://live.paloaltonetworks.com/docs/DOC-1628
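To make the order of operations concrete, here is an added example (not from the post or from Palo Alto Networks): a toy Python model that walks a packet through the steps listed above and shows why the early port check is not the final decision, since an allowed port carrying the wrong application is still denied once App-ID has run. The zones, routes, NAT mapping, app override, App-ID signatures and policy rows are constructed assumptions of this example.

```python
from ipaddress import ip_address, ip_network

# Constructed sample config for this example (an assumption, not real PAN-OS data)
ZONE_OF = {"ethernet1/1": "untrust", "ethernet1/2": "trust"}   # ingress interface -> zone
ROUTES = [("10.0.0.0/8", "ethernet1/2"), ("0.0.0.0/0", "ethernet1/1")]
SRC_NAT = {("trust", "untrust"): "203.0.113.10"}               # zone pair -> translated source IP
APP_OVERRIDE = {("tcp", 8443): "corp-portal"}                   # user-created application override
APP_DB = {b"GET /": "web-browsing", b"SSH-2.0": "ssh"}          # stand-in for the App-ID database
# Security policy rows: (from_zone, to_zone, application, allowed ports, security profile)
POLICY = [
    ("trust", "untrust", "web-browsing", {80, 443}, "av-profile"),
    ("trust", "untrust", "corp-portal", {8443}, None),
]

def route_egress(dst):
    """Longest-prefix route lookup: the egress interface decides the destination zone."""
    hits = [(ip_network(n), iface) for n, iface in ROUTES if ip_address(dst) in ip_network(n)]
    return max(hits, key=lambda h: h[0].prefixlen)[1]

def identify_app(proto, dport, payload):
    """An application override wins over the signature database; unmatched streams stay 'unknown'."""
    if (proto, dport) in APP_OVERRIDE:
        return APP_OVERRIDE[(proto, dport)]
    return next((app for sig, app in APP_DB.items() if payload.startswith(sig)), "unknown")

def packet_flow(ingress, src, dst, proto, dport, payload, encrypted=False):
    """Walk the simplified flow in the order the post lists it.
    payload is the byte stream App-ID sees (after decryption, when that applies)."""
    steps = []
    src_zone = ZONE_OF[ingress]                           # source zone from the ingress interface
    dst_zone = ZONE_OF[route_egress(dst)]                 # routing -> destination zone
    nat_src = SRC_NAT.get((src_zone, dst_zone), src)      # NAT is calculated now, applied at the end
    zone_rules = [r for r in POLICY if (r[0], r[1]) == (src_zone, dst_zone)]
    if not any(dport in r[3] for r in zone_rules):        # port check before any session exists
        return {"action": "drop", "stage": "port-check"}
    steps.append("session-created")
    if encrypted:
        steps.append("decrypt")
    app = identify_app(proto, dport, payload)             # override first, then the App-ID database
    rule = next((r for r in zone_rules if r[2] == app), None)
    if rule is None:                                      # allowed port but wrong app: still denied
        return {"action": "deny", "stage": "policy", "app": app, "steps": steps}
    if encrypted:
        steps.append("re-encrypt")
    steps.append("nat-applied")
    return {"action": "allow", "app": app, "profile": rule[4], "nat_src": nat_src, "steps": steps}
```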

_______________________________________________________________________________________






Palo Alto Networks Next-Generation Firewall’s main strength is its Single Pass Parallel Processing (SP3) Architecture, which comprises two key components:
  1. Single Pass Software
  2. Parallel Processing Hardware

(image: palo-alto-firewall-single-pass-parallel-processing-hardware-architecture-1)
Figure 1. Palo Alto Networks Firewall Single Pass Parallel Processing Architecture

SINGLE PASS SOFTWARE

Palo Alto Networks Next-Generation Firewall uses Single Pass Software, which processes each packet once to perform networking, user identification (User-ID), policy lookup, traffic classification with application identification (App-ID), decoding, and signature matching for identifying threats and content, as shown in the illustration below:

(image: palo-alto-firewall-single-pass-parallel-processing-hardware-architecture-2)
Figure 2: Palo Alto Networks Firewall - Single-Pass Architecture Traffic Flow

Processing a packet in one go, or single pass, enormously reduces the processing overhead; other vendors’ firewalls, which use a different type of architecture, produce significantly higher overhead when processing packets traversing the firewall. It has been observed that Unified Threat Management (UTM) devices, which process traffic using a multi-pass architecture, suffer processing overhead, added latency and throughput degradation.
The diagram below illustrates the multi-pass architecture process used by other vendors’ firewalls, clearly showing the differences from the Palo Alto Networks Firewall architecture and how the processing overhead is produced:
