Palo Alto Networks Product Overview Karsten Dindorp, Computerlinks

Dec 24, 2015

Gervais Morgan
Page 1:

Palo Alto Networks Product Overview

Karsten Dindorp, Computerlinks

Page 2:

© 2009 Palo Alto Networks. Proprietary and Confidential

Applications Have Changed – Firewalls Have Not

• The gateway at the trust border is the right place to enforce policy control

- Sees all traffic

- Defines trust boundary

[Figure: application categories labelled Collaboration / Media, SaaS, Personal]

• But applications have changed

- Ports ≠ Applications

- IP addresses ≠ Users

- Headers ≠ Content

Need to Restore Application Visibility & Control in the Firewall

Page 3:

Stateful Inspection Classification: The Common Foundation of Nearly All Firewalls

• Stateful Inspection classifies traffic by looking at the IP header

- source IP

- source port

- destination IP

- destination port

- protocol

• Internal table creates mapping to well-known protocols/ports

- HTTP = TCP port 80

- SMTP = TCP port 25

- SSL = TCP port 443

- etc, etc, etc…
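
The gap between the port table on this slide and what a flow actually carries can be shown with a short added example, which is not part of the original deck. The payload checks and the sample flows are constructed assumptions and are much simpler than any commercial application identification engine.

```python
# Added illustration: port-table classification vs. a first-bytes payload check.
# The payload heuristics are simplified assumptions, not Palo Alto Networks' App-ID.
import re
from collections import namedtuple

# The five header fields from the slide, plus the start of the client stream.
Flow = namedtuple("Flow", "src_ip src_port dst_ip dst_port protocol first_bytes")

# Well-known port table as listed on the slide.
PORT_TABLE = {("tcp", 80): "HTTP", ("tcp", 25): "SMTP", ("tcp", 443): "SSL"}
HTTP_REQ = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS|CONNECT) \S+ HTTP/1\.[01]\r\n")

def classify_by_port(flow):
    return PORT_TABLE.get((flow.protocol, flow.dst_port), "unknown")

def classify_by_payload(flow):
    p = flow.first_bytes
    if HTTP_REQ.match(p):
        return "HTTP"
    # TLS record: type 0x16 (handshake), major version 3, handshake type 0x01 (ClientHello)
    if len(p) >= 6 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01:
        return "SSL"
    if p[:5].upper() in (b"EHLO ", b"HELO "):
        return "SMTP"
    if p.startswith(b"SSH-2.0-"):
        return "SSH"
    if p.startswith(b"\x13BitTorrent protocol"):
        return "BitTorrent"
    return "unknown"

def mismatches(flows):
    """Return (dst_port, port_label, payload_label) where the two views disagree."""
    out = []
    for f in flows:
        by_port, by_payload = classify_by_port(f), classify_by_payload(f)
        if by_port != by_payload:
            out.append((f.dst_port, by_port, by_payload))
    return out

# Constructed sample flows (documentation address ranges, made-up payloads).
SAMPLE_FLOWS = [
    Flow("192.0.2.10", 40001, "198.51.100.5", 80, "tcp", b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"),
    Flow("192.0.2.11", 40002, "198.51.100.6", 80, "tcp", b"\x13BitTorrent protocol" + b"\x00" * 8),
    Flow("192.0.2.12", 40003, "198.51.100.7", 443, "tcp", b"SSH-2.0-OpenSSH_8.9\r\n"),
    Flow("192.0.2.13", 40004, "198.51.100.8", 8080, "tcp", b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"),
    Flow("192.0.2.14", 40005, "198.51.100.9", 443, "tcp", bytes.fromhex("1603010200010001fc0303")),
]
if __name__ == "__main__":
    for port, by_port, by_payload in mismatches(SAMPLE_FLOWS):
        print(f"dst port {port}: port table says {by_port}, payload looks like {by_payload}")
```

Three of the five constructed flows are labelled differently by the two methods, which is the "Ports ≠ Applications" point from the previous slide.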

Page 4:

Enterprise End Users Do What They Want

• The Application Usage & Risk Report from Palo Alto Networks highlights actual behavior of 960,000 users across 60 organizations:

- HTTP is the universal app protocol – 64% of BW, most HTTP apps not browser-based

- Video is king of the bandwidth hogs – 30x P2P filesharing

- Applications are the major unmanaged threat vector

• Business Risks: Productivity, Compliance, Operational Cost, Business Continuity and Data Loss

Page 5:

Firewall “helpers” Are Not The Answer

• Complex to manage

• Expensive to buy and maintain

• Firewall “helpers” have limited view of traffic

• Ultimately, doesn’t solve the problem


Page 6:

New Requirements for the Firewall

1. Identify applications regardless of port, protocol, evasive tactic or SSL

2. Identify users regardless of IP address

3. Scan application content in real-time (prevent threats and data leaks)

4. Granular visibility and policy control over application access / functionality

5. Multi-gigabit, in-line deployment with no performance degradation

The Right Answer: Make the Firewall Do Its Job

Page 7:

Identification Technologies Transforming the Firewall

• App-ID: Identify the application

• User-ID: Identify the user

• Content-ID: Scan the content

Page 8:

Purpose-Built Architectures (PA-4000 Series)

Signature Match HW Engine
• Palo Alto Networks’ uniform signatures
• Vulnerability exploits (IPS), virus, spyware, CC#, SSN, and other signatures

Multi-Core Security Processor
• High density processing for flexible security functionality
• Hardware-acceleration for standardized complex functions (SSL, IPSec, decompression)

Dedicated Control Plane
• Highly available mgmt
• High speed logging and route updates

10 Gig Network Processor
• Front-end network processing offloads security processors
• Hardware accelerated QoS, route lookup, MAC lookup and NAT

[Figure: PA-4000 block diagram. Labels: Control Plane, Data Plane, Signature Match, Dual-core CPU, CPU1 … CPU16, RAM, HDD, SSL, IPSec, De-Compression, QoS, Route/ARP/MAC lookup, NAT, 10Gbps]

Page 9:

PAN-OS Core Features

• Strong networking foundation:
- Dynamic routing (OSPF, RIPv2)
- Site-to-site IPSec VPN
- SSL VPN
- Tap mode – connect to SPAN port
- Virtual wire (“Layer 1”) for true transparent in-line deployment
- L2/L3 switching foundation

• QoS traffic shaping
- Max, guaranteed and priority
- By user, app, interface, zone, and more

• High Availability:
- Active / passive
- Configuration and session synchronization
- Path, link, and HA monitoring

• Virtualization:
- All interfaces (physical or logical) assigned to security zones
- Establish multiple virtual systems to fully virtualize the device (PA-4000 & PA-2000 only)

• Intuitive and flexible management
- CLI, Web, Panorama, SNMP, Syslog

Page 10:

Flexible Deployment Options

Application Visibility
• Connect to span port
• Provides application visibility without inline deployment

Transparent In-Line
• Deploy transparently behind existing firewall
• Provides application visibility & control without networking changes

Firewall Replacement
• Replace existing firewall
• Provides application and network-based visibility and control, consolidated policy, high performance

Page 11:

Palo Alto Networks Next-Gen Firewalls

PA-4050
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 16 copper gigabit
• 8 SFP interfaces

PA-4020
• 2 Gbps FW
• 2 Gbps threat prevention
• 500,000 sessions
• 16 copper gigabit
• 8 SFP interfaces

PA-4060
• 10 Gbps FW
• 5 Gbps threat prevention
• 2,000,000 sessions
• 4 XFP (10 Gig) I/O
• 4 SFP (1 Gig) I/O

PA-2050
• 1 Gbps FW
• 500 Mbps threat prevention
• 250,000 sessions
• 16 copper gigabit
• 4 SFP interfaces

PA-2020
• 500 Mbps FW
• 200 Mbps threat prevention
• 125,000 sessions
• 12 copper gigabit
• 2 SFP interfaces

PA-500
• 250 Mbps FW
• 100 Mbps threat prevention
• 50,000 sessions
• 8 copper gigabit

Page 12:

PAN-OS 3.0 Summary of Features

• Networking
- Quality of Service Enforcement
- SSL VPN
- IPv6 Firewall (Virtual Wire)
- IPsec Multiple Phase 2 SAs
- 802.3ad link aggregation
- PA-2000 virtual systems licenses (+5)

• App-ID
- Custom Web-based App-IDs
- Custom App-ID Risk and Timeouts
- CRL checking within SSL forward proxy

• Threat Prevention & URL Filtering
- Dynamic URL Filtering DB
- Increased signature capacity
- Threat Exception List
- CVE in Threat Profiles

• User Identification
- Citrix/Terminal Server User ID
- Proxy X-Forwarded-For Support

• Visibility and Reporting
- User Activity Report

• Management
- Multi-zone Rules
- Automated Config Backup in Panorama
- Role-based admins in Panorama
- SNMP Enhancements
  - Custom community string
  - Extended MIB support
- XML-based REST API
- Ability to Duplicate Objects
- Log Export Enhancements
  - Support for FTP Scheduler
- Custom Admin Login Banner
- Web-based Tech Support Export
- Database indexing
- Configurable management I/O settings

Page 13:

Demo