What’s special about the next generation firewalls from Palo Alto?

There has been a lot of buzz about the ‘Next Generation Firewalls’ from Palo Alto! So, we thought why not have a look at the differentiating features of their Firewall and see what’s unique about them. Read on….

Enterprise 2.0 does require Firewall 2.0! as the applications and threats these days are web based and hence very unpredictable.  Something more than the stateful packet inspection Firewalls, would be required.

The first and foremost thing that strikes readers is their focus on determining the exact application that is being used in the network (the ones passing the firewall, which is the gateway to the Internet). Usually, this is determined by looking at the port which they use to traverse the Firewall. But what if the applications use port hopping (use different ports at different times), and what if they hide themselves behind the port 80 (which is the generic port for http/ web based applications) or hide under an encrypted SSL stream?

So, Application ID’s have been developed for almost all the major web-based applications and they use this signature to determine the exact application by name, irrespective of  which ports are being used. Even encrypted content is decrypted, and checked for exact application type and categorized accordingly. So, you have application visibility across the network. Now what to do with this application visibility?

Allow or Deny, used to be the two favorite (and perhaps the only options) available with Firewalls. But here, you can still do that but what about a case where you need access to the application (eg. Facebook) but block certain features in it (eg. Facebook Chat)? You can do just that with Palo Alto Firewalls. Meaning, you can give access to the applications but block some of its features! But let us say, you still think the Facebook chat is a useful feature and is used by a lot of employees to do their day to day work. Now what? Allow it but continuously scan for spreading of any vulnerabilities through them. Ok, you think the chat feature is cool and are ready to allow it but you are concerned that it should not occupy a huge bandwidth and block other real-time latency sensitive applications, if a lot of people are going to use it simultaneously. What to do? Apply QoS rate shaping policies (per application) so that there is a maximum bandwidth cap each application could use and important ones always get their share!

All that is fine, but you think for certain users, there should be unrestricted but secure access without the QoS parameters. Sure, you can integrate your Firewall with directories like Active Directory/ LDAP etc, and recognize users directly by name (User ID) instead of their IP address. For certain groups of users, you can now create unique policies. The crucial thing about this is, the User ID (Name of employees) are well integrated with the Firewall system and hence allows you to create policies, do forensic analysis, reporting etc, based on the User ID – name (and not the IP address) which makes it simple and creates more visibility for customizing user policies based on an individual user/group of users by their names.

In fact, even if the users are not employees and do not log in to the domain, the captive portal still maps the IP addresses to user ID (login names) and reports them as such, to make reporting easier to understand & debug.

The single pass feature detects and blocks a wide range of viruses, malware, spyware, vulnerability exploits, etc with a single packet inspection process and common signature analysis for all types of threats. Even the IPS (Intrusion Prevention) functionalities are applied in the same step.

The URL filtering process is similar to UTM appliances, but they insist that the URL filtering categorization database be on the Firewall itself (instead of a cloud based model) to decrease delays due to latency. Also, they have an option of allowing the access to applications (that are prohibited) after issuing a warning. This, could be very useful to top-management personnel as they can access a blocked category website, if they feel its critical, without having to apply and get permissions from the IT department! They were warned and their activities are traceable.

A lot of Firewalls/ UTM’s have the content blocking feature (based on filename/ extension-type), but Palo Alto goes a step forward by actually identifying the file type based on its deep packet inspection (instead of just looking at file extensions). This is required because, content can be leaked out by changing the file names and their extensions. And there is yet another security feature which lets the administrators to block certain actions like File transfer etc, for particular applications, while still allowing access to the applications themselves. For example, in the above Facebook example, if a user attempts to share media/files over a chat session, they can be blocked from doing such actions by the Firewall.

Having a centralized policy management (In the Firewall device based at the head office) but still having this device synchronize with the various other Firewalls in the branches/ remote offices could be very helpful for distributed organizations, as they need to set the Firewall rules/ polices only once. The remote/ roaming user can get a VPN session established with the nearest firewall (to his location) so that the latency is minimum.

The Virtual Firewall feature combined with role based administration could be very useful if each department (or location) of a company wants to set and manage their own firewall rules/ policies but the Super-admin could still have complete network/ application/ user visibility with robust reporting.

Those are just some of the features supported by the Palo Alto Next Generation Firewall, and for a more comprehensive information, you could visit their official web-page. In case you live in India, and are looking to buy a Firewall/ UTM for your organization in India, do let us know using the contact form so that we could pass it on to our friends in the industry who are dealing with the Palo Alto Next Generation Firewalls in India for a hands on evaluation.


You can follow the latest Computer Networking/IT Products released for homes/small businesses & reviews by subscribing to this blog with your email address in the top right-hand sidebar box: ‘Follow by E-mail’. You can expect one mail per week (max).