I just finished up taking the PAN 201 and 205 classes. Had I known that these firewalls can do all that it does 2 years ago, I would have trained earlier. Where can you get a firewall that inspects traffic in real time, a single pass technology (Single Pass Parallel Processing), reviews packets up to 5 ways with App-ID before deciding what to do with it (worse case). This is just App-ID. There is still Content-ID and User-ID for policing traffic into and out of your network. Remember security is everyone’s job and watching what leaves your organization is just as important. You don’t want to be part of a botnet network. You don’t want your secret sauce leaving either.
The traffic is classified based on IP and port, next for review the signatures are then applied to the allowed traffic (so that’s two) then if the App-ID determines that encryption SSL or SSH is used you can write a decryption policy (if legally allowed). The fourth inspection is known protocol decoders for additional context based signatures to see if applications are tunneling traffic inside. This helps avoid salami attacks or data diddling. When traffic leaves in small chunks back to C&C, this known decoders helps very well. When that does not work there is heuristics used to see if the behavior of packets are normal and then it passes.
There are three paths traffic can take even when being analyzed. We start with FW session setup/slowpath or we could use FW Fast path, or or Application Identification. It can decrypt SSL and SSH traffic (Not HIPAA, banking financial) to determine if the content inside is legitimate or not and then it can toss or re-encrypt and send it on to destination. The firewall allows for a subscription based service to Wildfire for malware and threat protection and ….analysis. Hands free administration right there folks. Brightcloud offers the url filtering service. Wildfire for threat protection and sandboxing. Upload files for review up to 10 MB. There is so much to say about this firewall. It even has packet capture capability right there on a policy or filter to aid in troubleshooting connectivity or an incident. No more running out to the data center floor or waiting for an approved change. It has App-ID to look at applications and that they behave as they should. No more ports open and let that traffic just ride on in there. It will lay the smackdown on any traffic not adhering to signature or behavioral patterns. Does your Cisco or Checkpoint do that? Really? How well does it do that? What buffer? Did you say lag to analyze your traffic? Well sorry to hear that. Palo Alto appliance have dedicated hardware multi-core security processor, network processor, signature match processor, to do all that security.
Control plane works with and independently of the data plane. Reboot one and not the other or both. Have visibility while rebooting or leave the traffic run and reboot the management. No more waiting for off hours to make changes. There are 15 steps in the flow logic that all traffic may go through.
Heck, we haven’t even touched Global Protect (VPN) which can extend the corporate borders anywhere and provide more protection. Think about security and what would you like to do. You want to be safe, see it when it happens if it does right? Guard against future incidents right? This is the firewall for you. I have worked with many firewalls Checkpoint (used to be favorite) Juniper, and Cisco ASA (I tested in and past). Nothing compares to Palo Alto. If I were the other vendors I’d start looking for another job if I were them.
More to come on this story. Check it out for yourselves. Palo Alto Networks
For a good start into how this technology works take a look at this from Palo Alto
© 2013 Palo Alto Networks
Executive Summary: The Need for a Single-Pass Architecture
For many years, the goal of integrating threat preven
tion services into the firewall has been pursued as
a means of alleviating the need for additional devices
for functions such as IPS, network antivirus, and
more. The pursuit of integrating th
reat prevention functions into the firewall makes perfect sense – the
firewall is the cornerstone of
the security infrastructure.
Current integration iterations carr
y a variety of different labels – deep inspection, unified threat
management (UTM), deep packet
inspection, and others. Each of
these iterations share a common
problem, which is a lack of consistent and predictabl
e performance when security services are enabled.
Specifically, the firewall functions
are capable of performing at high
throughput and low latency, but
when the added security functions are enabled,
performance decreased while latency increased.
The Palo Alto Networks Single-Pass Parallel Proce
ssing (SP3) architecture addresses the integration and
performance challenges with a unique single-pass a
pproach to packet processing that is tightly
integrated with a purpose-built hardware platform.
By performing operations once per packet, the single-pass software
eliminates many redundant functions that plagu
e previous integration
attempts. As a packets
are processed, networking, policy lookup, a
pplication identification and decoding, and
signature matching for any and all threats
and content is only performed once. This
significantly reduces the amount of processing overhead required to perform multiple
functions in one security device. The single-pass software uses a stream-based, uniform
signature matching engine for content inspect
ion. Instead of using separate engines and
signature sets (requiring multi-
pass scanning) and instead of usin
g file proxies (requiring file
download prior to scanning), the single-pass arch
itecture scans traffic for all signatures once
and in a stream-based fashion to avoid the introduction of latency.
Parallel processing hardware:
The single-pass software is then integrated with a purpose-built
platform that uses dedicated processors and me
mory for the four key areas of networking,
security, content scanning and management. Th
e computing power within each platform has
been specifically chosen to perform the processi
ng intensive task of
full stack inspection at
The resulting combination delivers the horsepower
required to achieve consistent and predictable
performance at up to 20 Gbps of throughput, maki
ng the goal of integrated firewall and threat
prevention a realit